Commits · 68758dd60a582fb05e472d7ceceb18fca4ea880d · adam.huang / Arm Trusted Firmware

15 Jun, 2020 1 commit

tbbr: add chain of trust for Secure Partitions · 68758dd6

Manish Pandey authored Jun 10, 2020

with sha 44f1aa8e

, support for Silicon Provider(SiP) owned Secure
Partition(SP) was added for dualroot CoT. This patch extends this
support for tbbr CoT.

Earlier tbbr CoT for SPs was left to avoid adding new image types in
TBBR which could possibly be seen as deviation from specification.
But with further discussions it is understood that TBBR being a
*minimal* set of requirements that can be extended as long as we don't
violate any of the musts, which is the case with adding SP support.
Signed-off-by: Manish Pandey <manish.pandey2@arm.com>
Change-Id: I1b9e3ebdd7d653f1fd4cc3bd910a69871b55ecbb

68758dd6

11 Jun, 2020 1 commit

cert_create: extend Secure partition support for tbbr CoT · a8818bbf

Manish Pandey authored Jun 10, 2020

with sha 0792dd7d

, support to generate certificate for Secure
Partitions was added for dualroot CoT only, this patch extends
this support for tbbr CoT.
Signed-off-by: Manish Pandey <manish.pandey2@arm.com>
Change-Id: I451c0333536dd1cbe17861d454bdb0dc7a17c63f

a8818bbf

09 Jun, 2020 10 commits

Merge "GICv3: GIC-600: Detect GIC-600 at runtime" into integration · 10640d24
Madhukar Pappireddy authored Jun 09, 2020

10640d24
Merge "cpus: denver: disable cycle counter when event counting is prohibited" into integration · e5f3812e
Madhukar Pappireddy authored Jun 09, 2020

e5f3812e

cpus: denver: disable cycle counter when event counting is prohibited · c5c1af0d

Varun Wadekar authored May 24, 2020



The Denver CPUs implement support for PMUv3 for ARMv8.1 and expect the
PMCR_EL0 to be saved in non-secure context.

This patch disables cycle counter when event counting is prohibited
immediately on entering the secure world to avoid leaking useful
information about the PMU counters. The context saving code later
saves the value of PMCR_EL0 to the non-secure world context.

Verified with 'PMU Leakage' test suite.

 ******************************* Summary *******************************
 > Test suite 'PMU Leakage'
                                                                 Passed
 =================================
 Tests Skipped : 2
 Tests Passed  : 2
 Tests Failed  : 0
 Tests Crashed : 0
 Total tests   : 4
 =================================
Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>
Change-Id: I3675e2b99b44ed23d86e29a5af1b496e80324875

c5c1af0d

Merge changes from topic "sp_secure_boot" into integration · 02383c28

Manish Pandey authored Jun 09, 2020

* changes:
  dualroot: add chain of trust for secure partitions
  sptool: append cert_tool arguments.
  cert_create: add SiP owned secure partitions support

02383c28

Merge "plat/fvp: Add support for dynamic description of secure interrupts" into integration · caf24c49
Mark Dykes authored Jun 09, 2020

caf24c49

plat/fvp: Add support for dynamic description of secure interrupts · 452d5e5e

Madhukar Pappireddy authored Jun 02, 2020

Using the fconf framework, the Group 0 and Group 1 secure interrupt
descriptors are moved to device tree and retrieved in runtime. This
feature is enabled by the build flag SEC_INT_DESC_IN_FCONF.

Change-Id: I360c63a83286c7ecc2426cd1ff1b4746d61e633c
Signed-off-by: Madhukar Pappireddy <madhukar.pappireddy@arm.com>

452d5e5e

GICv3: GIC-600: Detect GIC-600 at runtime · b4ad365a

Andre Przywara authored Mar 25, 2020

The only difference between GIC-500 and GIC-600 relevant to TF-A is the
differing power management sequence.
A certain GIC implementation is detectable at runtime, for instance by
checking the IIDR register. Let's add that test before initiating the
GIC-600 specific sequence, so the code can be used on both GIC-600 and
GIC-500 chips alike, without deciding on a GIC chip at compile time.

This means that the GIC-500 "driver" is now redundant. To allow minimal
platform support, add a switch to disable GIC-600 support.

Change-Id: I17ea97d9fb05874772ebaa13e6678b4ba3415557
Signed-off-by: Andre Przywara <andre.przywara@arm.com>

b4ad365a

dualroot: add chain of trust for secure partitions · 44f1aa8e

Manish Pandey authored May 27, 2020



A new certificate "sip-sp-cert" has been added for Silicon Provider(SiP)
owned Secure Partitions(SP). A similar support for Platform owned SP can
be added in future. The certificate is also protected against anti-
rollback using the trusted Non-Volatile counter.

To avoid deviating from TBBR spec, support for SP CoT is only provided
in dualroot.
Secure Partition content certificate is assigned image ID 31 and SP
images follows after it.

The CoT for secure partition look like below.
+------------------+       +-------------------+
| ROTPK/ROTPK Hash |------>| Trusted Key       |
+------------------+       | Certificate       |
                           | (Auth Image)      |
                          /+-------------------+
                         /                   |
                        /                    |
                       /                     |
                      /                      |
                     L                       v
+------------------+       +-------------------+
| Trusted World    |------>| SiP owned SPs     |
| Public Key       |       | Content Cert      |
+------------------+       | (Auth Image)      |
                        /   +-------------------+
                       /                      |
                      /                      v|
+------------------+ L     +-------------------+
| SP_PKG1 Hash     |------>| SP_PKG1           |
|                  |       | (Data Image)      |
+------------------+       +-------------------+
        .                           .
        .                           .
        .                           .
+------------------+       +-------------------+
| SP_PKG8 Hash     |------>| SP_PKG8           |
|                  |       | (Data Image)      |
+------------------+       +-------------------+
Signed-off-by: Manish Pandey <manish.pandey2@arm.com>
Change-Id: Ia31546bac1327a3e0b5d37e8b99c808442d5e53f

44f1aa8e

Merge "plat/arm: do not include export header directly" into integration · 16af48e4
Sandrine Bailleux authored Jun 09, 2020

16af48e4
Merge "rockchip: increase FDT buffer size" into integration · a7ad4919
Madhukar Pappireddy authored Jun 09, 2020

a7ad4919

08 Jun, 2020 10 commits

Merge changes from topic "fix-agilex-initialization" into integration · 141568da

Manish Pandey authored Jun 08, 2020

* changes:
  plat: intel: Additional instruction required to enable global timer
  plat: intel: Fix CCU initialization for Agilex
  plat: intel: Add FPGAINTF configuration to when configuring pinmux
  plat: intel: set DRVSEL and SMPLSEL for DWMMC
  plat: intel: Fix clock configuration bugs

141568da

plat: intel: Additional instruction required to enable global timer · 811af8b7

Tien Hock Loh authored May 11, 2020



There are additional instruction needed to enable the global timer.
This fixes the global timer initialization
Signed-off-by: Tien Hock Loh <tien.hock.loh@intel.com>
Change-Id: Idaf2d23359aacc417e2b7d8cdf1688b5cd17ca98

811af8b7

plat: intel: Fix CCU initialization for Agilex · 27cd1a47

Tien Hock Loh authored May 11, 2020



The CCU initialization loop uses the wrong units, this fixes that. This
also fixes snoop filter register set bits should be used instead of
overwriting the register
Signed-off-by: Tien Hock Loh <tien.hock.loh@intel.com>
Change-Id: Ia15eeeae5569b00ad84120182170d353ee221b31

27cd1a47

rockchip: increase FDT buffer size · 8109f738

Hugh Cole-Baker authored Jun 08, 2020



The size of buffer currently used to store the FDT passed from U-Boot as
a platform parameter is not large enough to store some RK3399 device
trees. The largest RK3399 device tree currently in U-Boot (for the
Pinebook Pro) is about 70KB in size when passed to TF-A, so increase the
buffer size to 128K which gives some headroom for possibly larger FDTs
in future.
Signed-off-by: Hugh Cole-Baker <sigmaris@gmail.com>
Change-Id: I414caf20683cd47c02ee470dfa988544f3809919

8109f738

plat: intel: Add FPGAINTF configuration to when configuring pinmux · e734ecd6

Tien Hock Loh authored May 11, 2020



FPGAINTF wasn't enabled when configuring pinmux. This fixes the issue.
Signed-off-by: Tien Hock Loh <tien.hock.loh@intel.com>
Change-Id: I5a6aacd504901b8f7327b2f4854b8a77d0c37019

e734ecd6

plat: intel: set DRVSEL and SMPLSEL for DWMMC · aea772dd

Tien Hock Loh authored May 11, 2020

DRVSEL and SMPLSEL needs to be set so that it can properly go into full
speed mode. This needs to be done in EL3 as the registers are secured.
Signed-off-by: Tien Hock Loh <tien.hock.loh@intel.com>
Change-Id: Ia2f348e7742ff7b76da74d392ef1ce71e2f41677

aea772dd

plat: intel: Fix clock configuration bugs · fa09d544

Tien Hock Loh authored May 11, 2020



This fixes a few issues on the Agilex clock configuration:
- Set clock manager into boot mode before configuring clock
- Fix wrong divisor used when calculating vcocalib
- PLL sync configuration should be read and then written
- Wait PLL lock after PLL sync configuration is done
- Clear interrupt bits instead of set interrupt bits after configuration
Signed-off-by: Tien Hock Loh <tien.hock.loh@intel.com>
Change-Id: I54c1dc5fe9b102e3bbc1237a92d8471173b8af70

fa09d544

sptool: append cert_tool arguments. · 07c44475

Manish Pandey authored May 26, 2020



To support secure boot of SP's update cert tool arguments while
generating sp_gen.mk which in turn is consumed by build system.
Signed-off-by: Manish Pandey <manish.pandey2@arm.com>
Change-Id: I2293cee9b7c684c27d387aba18e0294c701fb1cc

07c44475

cert_create: add SiP owned secure partitions support · 0792dd7d

Manish Pandey authored May 22, 2020



Add support to generate certificate "sip-sp-cert" for Secure
Partitions(SP) owned by Silicon provider(SiP).
To avoid deviation from TBBR specification the support is only added for
dualroot CoT and not for TBBR CoT.

A single certificate file is generated containing hash of individual
packages. Maximum 8 secure partitions are supported.

Following new options added to cert_tool:
 --sip-sp-cert --> SiP owned Secure Partition Content Certificate
 --sp-pkg1 --> Secure Partition Package1 file
 --sp-pkg2
 .....
 --sp-pkg8

Trusted world key pair is used for signing.

Going forward, this feature can be extended for Platfrom owned
Partitions, if required.
Signed-off-by: Manish Pandey <manish.pandey2@arm.com>
Change-Id: Ia6dfbc1447cfb41b1fcbd12cf2bf7b88f409bd8d

0792dd7d

plat/arm: do not include export header directly · 81de5bf7

Manish Pandey authored Jun 08, 2020



As per "include/export/README", TF-A code should never include export
headers directly. Instead, it should include a wrapper header that
ensures the export header is included in the right manner.

"tbbr_img_def_exp.h" is directly included in TF-A code, this patch
replaces it with its  wrapper header "tbbr_img_def.h".
Signed-off-by: Manish Pandey <manish.pandey2@arm.com>
Change-Id: I31c1a42e6a7bcac4c396bb17e8548567ecd8147d

81de5bf7

05 Jun, 2020 3 commits
- Merge "ti: k3: common: Make UART number configurable" into integration · 967a6d16
  Madhukar Pappireddy authored Jun 05, 2020
  
  967a6d16
- Merge "rockchip: rk3368: increase MAX_MMAP_REGIONS" into integration · 06fdb3f0
  Madhukar Pappireddy authored Jun 05, 2020
  
  06fdb3f0
- rockchip: rk3368: increase MAX_MMAP_REGIONS · a7e0be55
  Heiko Stuebner authored Jun 05, 2020
```
Current value is 16, count the MAP_REGION calls gets us at least 17,
so increase the max value to 20 to have a bit of a margin.
Signed-off-by: Heiko Stuebner <heiko.stuebner@theobroma-systems.com>
Change-Id: I93d0324f3d483758366e758f8f663545d365e03f
```
  a7e0be55
04 Jun, 2020 2 commits
- Merge "xlat_tables_v2: add base table section name parameter for spm_mm" into integration · f2c3b1ba
  Lauren Wehrmeister authored Jun 04, 2020
  
  f2c3b1ba
- Merge "dts: stm32mp157c: fix etzpc node location in DTSI file" into integration · b53139c3
  Manish Pandey authored Jun 04, 2020
  
  b53139c3
03 Jun, 2020 13 commits

Merge "ti: k3: common: Implement stub system_off" into integration · 9ea4fe6a
Manish Pandey authored Jun 03, 2020

9ea4fe6a
Merge "Rename Cortex-Hercules to Cortex-A78" into integration · 23751114
Madhukar Pappireddy authored Jun 03, 2020

23751114
Merge "Rename Cortex Hercules Files to Cortex A78" into integration · 578d2e9d
Madhukar Pappireddy authored Jun 03, 2020

578d2e9d

dts: stm32mp157c: fix etzpc node location in DTSI file · bca652a2

Etienne Carriere authored Jun 03, 2020

Fix etzpc node location in stm32mp157c DTSI file as requested during the
patch review. The comment was addressed then fixup change discarded while
rebasing.

Change-Id: Ie53531fec7da224de0b86c968a66aec441bfc25d
Fixes: 627298d4

 ("dts: stm32mp157c: add etzpc node")
Reported-by: Yann Gautier <yann.gautier@st.com>
Signed-off-by: Etienne Carriere <etienne.carriere@st.com>

bca652a2

Merge "qemu/qemu_sbsa: increase size to handle fdt" into integration · 5ea6a661
Manish Pandey authored Jun 03, 2020

5ea6a661

qemu/qemu_sbsa: increase size to handle fdt · d7f5be8e

Masahisa Kojima authored May 19, 2020



64KB was not enouth to handle fdt, bl2 shows
following error message.

"ERROR:   Invalid Device Tree at 0x10000000000: error -3"

This patch increases the size to 1MB to address above error.
Signed-off-by: Masahisa Kojima <masahisa.kojima@linaro.org>
Change-Id: I0726a0cea95087175451da0dba7410acd27df808

d7f5be8e

Merge "marvell: drivers: mochi: specify stream ID for SD/MMC" into integration · 79fa0edf
Manish Pandey authored Jun 03, 2020

79fa0edf

Merge changes from topic "stm32-etzpc" into integration · 34a66d80

Manish Pandey authored Jun 03, 2020

* changes:
  plat/stm32mp1: sp_min relies on etzpc driver
  dts: stm32mp157c: add etzpc node
  drivers: introduce ST ETZPC driver

34a66d80

Merge changes from topic "jb/8.6-features" into integration · 737e7e74
Manish Pandey authored Jun 03, 2020
```
* changes:
  Enable ARMv8.6-ECV Self-Synch when booting to EL2
  Enable ARMv8.6-FGT when booting to EL2
```
737e7e74

plat/stm32mp1: sp_min relies on etzpc driver · 7b3a46f0

Etienne Carriere authored Apr 10, 2020



Use ETZPC driver to configure secure aware interfaces to assign
them to non-secure world. Sp_min also configures BootROM resources
and SYSRAM to assign both to secure world only.

Define stm32mp15 SoC identifiers for the platform specific DECPROT
instances.

Change-Id: I3bec9f47b04bcba3929e4df886ddb1d5ff843089
Signed-off-by: Etienne Carriere <etienne.carriere@st.com>

7b3a46f0

dts: stm32mp157c: add etzpc node · 627298d4

Etienne Carriere authored Dec 08, 2019



Add a node for the ETZPC device so that driver initializes during
stm32mp15* boot sequence.

Change-Id: I84bf10572e5df7b8f450163c79bcfe6956fc838f
Signed-off-by: Etienne Carriere <etienne.carriere@st.com>

627298d4

drivers: introduce ST ETZPC driver · 77d0504e

Etienne Carriere authored Dec 08, 2019



ETZPC stands for Extended TrustZone Protection Controller. It is a
resource conditional access device. It is mainly based on Arm TZPC.

ST ETZPC exposes memory mapped DECPROT cells to set access permissions
to SoC peripheral interfaces as I2C, SPI, DDR controllers, and some
of the SoC internal memories.

ST ETZPC exposes memory mapped TZMA cells to set access permissions
to some SoC internal memories.

Change-Id: I47ce20ffcfb55306dab923153b71e1bcbe2a5570
Co-developed-by: Yann Gautier <yann.gautier@st.com>
Signed-off-by: Yann Gautier <yann.gautier@st.com>
Signed-off-by: Etienne Carriere <etienne.carriere@st.com>

77d0504e

marvell: drivers: mochi: specify stream ID for SD/MMC · 2d1d2f05

Marcin Wojtas authored May 12, 2020



This patch enables the stream ID for the SD/MMC
controllers via dedicated unit register. Thanks to this
change it is possible to configure properly the
IOMMU in OS and use the SD/MMC interface in a guest
Virtual Machine.

Change-Id: I99cbd2c9882eb558ba01405d3d8a3e969f06e082
Signed-off-by: Marcin Wojtas <mw@semihalf.com>
Signed-off-by: Tomasz Nowicki <tn@semihalf.com>

2d1d2f05