1. 20 Feb, 2020 1 commit
    • Manish Pandey's avatar
      SPMD: generate and add Secure Partition blobs into FIP · ce2b1ec6
      Manish Pandey authored
      
      
      Till now TF-A allows limited number of external images to be made part
      of FIP. With SPM coming along, there may exist multiple SP packages
      which need to be inserted into FIP. To achieve this we need a more
      scalable approach to feed SP packages to FIP.
      
      This patch introduces changes in build system to generate and add SP
      packages into FIP based on information provided by platform.
      Platform provides information in form of JSON which contains layout
      description of available Secure Partitions.
      JSON parser script is invoked by build system early on and generates
      a makefile which updates FIP, SPTOOL and FDT arguments which will be
      used by build system later on for final packaging.
      
      "SP_LAYOUT_FILE" passed as a build argument and can be outside of TF-A
      tree. This option will be used only when SPD=spmd.
      
      For each SP, generated makefile will have following entries
           - FDT_SOURCES	+=	sp1.dts
           - SPTOOL_ARGS	+= 	-i sp1.img:sp1.dtb -o sp1.pkg
           - FIP_ARGS		+=	--blob uuid=XXXX-XXX...,file=SP1.pkg
      Signed-off-by: default avatarManish Pandey <manish.pandey2@arm.com>
      Change-Id: Ib6a9c064400caa3cd825d9886008a3af67741af7
      ce2b1ec6
  2. 07 Feb, 2020 2 commits
    • Alexei Fedorov's avatar
      Make PAC demangling more generic · 68c76088
      Alexei Fedorov authored
      
      
      At the moment, address demangling is only used by the backtrace
      functionality. However, at some point, other parts of the TF-A
      codebase may want to use it.
      The 'demangle_address' function is replaced with a single XPACI
      instruction which is also added in 'do_crash_reporting()'.
      Signed-off-by: default avatarAlexei Fedorov <Alexei.Fedorov@arm.com>
      Change-Id: I4424dcd54d5bf0a5f9b2a0a84c4e565eec7329ec
      68c76088
    • Louis Mayencourt's avatar
      fconf: Move platform io policies into fconf · 0a6e7e3b
      Louis Mayencourt authored
      
      
      Use the firmware configuration framework to store the io_policies
      information inside the configuration device tree instead of the static
      structure in the code base.
      
      The io_policies required by BL1 can't be inside the dtb, as this one is
      loaded by BL1, and only available at BL2.
      
      This change currently only applies to FVP platform.
      
      Change-Id: Ic9c1ac3931a4a136aa36f7f58f66d3764c1bfca1
      Signed-off-by: default avatarLouis Mayencourt <louis.mayencourt@arm.com>
      0a6e7e3b
  3. 06 Feb, 2020 2 commits
    • Max Shvetsov's avatar
      Adds option to read ROTPK from registers for FVP · a6ffddec
      Max Shvetsov authored
      
      
      Enables usage of ARM_ROTPK_LOCATION=regs for FVP board.
      Removes hard-coded developer keys. Instead, setting
      ARM_ROTPK_LOCATION=devel_* takes keys from default directory.
      In case of ROT_KEY specified - generates a new hash and replaces the
      original.
      
      Note: Juno board was tested by original feature author and was not tested
      for this patch since we don't have access to the private key. Juno
      implementation was moved to board-specific file without changing
      functionality. It is not known whether byte-swapping is still needed
      for this platform.
      
      Change-Id: I0fdbaca0415cdcd78f3a388551c2e478c01ed986
      Signed-off-by: default avatarMax Shvetsov <maksims.svecovs@arm.com>
      a6ffddec
    • Paul Beesley's avatar
      doc: Split and expand coding style documentation · e63f5d12
      Paul Beesley authored
      
      
      This patch expands the coding style documentation, splitting it
      into two documents: the core style rules and extended guidelines.
      Note that it does not redefine or change the coding style (aside
      from section 4.6.2) - generally, it is only documenting the
      existing style in more detail.
      
      The aim is for the coding style to be more readable and, in turn,
      for it to be followed by more people. We can use this as a more
      concrete reference when discussing the accepted style with external
      contributors.
      
      Change-Id: I87405ace9a879d7f81e6b0b91b93ca69535e50ff
      Signed-off-by: default avatarPaul Beesley <paul.beesley@arm.com>
      Signed-off-by: default avatarPetre-Ionut Tudor <petre-ionut.tudor@arm.com>
      e63f5d12
  4. 03 Feb, 2020 1 commit
    • Imre Kis's avatar
      doc: Remove backquotes from external hyperlinks · 8d52e16b
      Imre Kis authored
      
      
      Since Sphinx 2.3.0 backquotes are replaced to \textasciigrave{} during
      building latexpdf. Using this element in a \sphinxhref{} breaks the
      build. In order to avoid this error backquotes must not be used in
      external hyperlinks.
      Signed-off-by: default avatarImre Kis <imre.kis@arm.com>
      Change-Id: Ie3cf454427e3d5a7b7f9829b42be45aebda7f0dd
      8d52e16b
  5. 29 Jan, 2020 2 commits
  6. 28 Jan, 2020 1 commit
  7. 24 Jan, 2020 2 commits
  8. 17 Jan, 2020 1 commit
  9. 10 Jan, 2020 2 commits
    • Madhukar Pappireddy's avatar
      docs: GCC toolchain upgrade to version 9.2-2019.12 · f35e5ab3
      Madhukar Pappireddy authored
      
      
      This toolchain provides multiple cross compilers and are publicly
      available on developer.arm.com
      
      We build TF-A in CI using:
      AArch32 bare-metal target (arm-none-eabi)
      AArch64 ELF bare-metal target (aarch64-none-elf)
      
      Change-Id: I910200174d5bad985504d1af4a1ae5819b524003
      Signed-off-by: default avatarMadhukar Pappireddy <madhukar.pappireddy@arm.com>
      f35e5ab3
    • Deepika Bhavnani's avatar
      Unify type of "cpu_idx" across PSCI module. · 5b33ad17
      Deepika Bhavnani authored
      
      
      NOTE for platform integrators:
         API `plat_psci_stat_get_residency()` third argument
         `last_cpu_idx` is changed from "signed int" to the
         "unsigned int" type.
      
      Issue / Trouble points
      1. cpu_idx is used as mix of `unsigned int` and `signed int` in code
      with typecasting at some places leading to coverity issues.
      
      2. Underlying platform API's return cpu_idx as `unsigned int`
      and comparison is performed with platform specific defines
      `PLAFORM_xxx` which is not consistent
      
      Misra Rule 10.4:
      The value of a complex expression of integer type may only be cast to
      a type that is narrower and of the same signedness as the underlying
      type of the expression.
      
      Based on above points, cpu_idx is kept as `unsigned int` to match
      the API's and low-level functions and platform defines are updated
      where ever required
      Signed-off-by: default avatarDeepika Bhavnani <deepika.bhavnani@arm.com>
      Change-Id: Ib26fd16e420c35527204b126b9b91e8babcc3a5c
      5b33ad17
  10. 08 Jan, 2020 1 commit
  11. 03 Jan, 2020 1 commit
  12. 29 Dec, 2019 1 commit
    • Samuel Holland's avatar
      bl31: Split into two separate memory regions · f8578e64
      Samuel Holland authored
      
      
      Some platforms are extremely memory constrained and must split BL31
      between multiple non-contiguous areas in SRAM. Allow the NOBITS
      sections (.bss, stacks, page tables, and coherent memory) to be placed
      in a separate region of RAM from the loaded firmware image.
      
      Because the NOBITS region may be at a lower address than the rest of
      BL31, __RW_{START,END}__ and __BL31_{START,END}__ cannot include this
      region, or el3_entrypoint_common would attempt to invalidate the dcache
      for the entire address space. New symbols __NOBITS_{START,END}__ are
      added when SEPARATE_NOBITS_REGION is enabled, and the dcached for the
      NOBITS region is invalidated separately.
      Signed-off-by: default avatarSamuel Holland <samuel@sholland.org>
      Change-Id: Idedfec5e4dbee77e94f2fdd356e6ae6f4dc79d37
      f8578e64
  13. 20 Dec, 2019 2 commits
    • Paul Beesley's avatar
      spm: Remove SPM Alpha 1 prototype and support files · 538b0020
      Paul Beesley authored
      
      
      The Secure Partition Manager (SPM) prototype implementation is
      being removed. This is preparatory work for putting in place a
      dispatcher component that, in turn, enables partition managers
      at S-EL2 / S-EL1.
      
      This patch removes:
      
      - The core service files (std_svc/spm)
      - The Resource Descriptor headers (include/services)
      - SPRT protocol support and service definitions
      - SPCI protocol support and service definitions
      
      Change-Id: Iaade6f6422eaf9a71187b1e2a4dffd7fb8766426
      Signed-off-by: default avatarPaul Beesley <paul.beesley@arm.com>
      Signed-off-by: default avatarArtsem Artsemenka <artsem.artsemenka@arm.com>
      538b0020
    • Paul Beesley's avatar
      Remove dependency between SPM_MM and ENABLE_SPM build flags · 3f3c341a
      Paul Beesley authored
      
      
      There are two different implementations of Secure Partition
      management in TF-A. One is based on the "Management Mode" (MM)
      design, the other is based on the Secure Partition Client Interface
      (SPCI) specification. Currently there is a dependency between their
      build flags that shouldn't exist, making further development
      harder than it should be. This patch removes that
      dependency, making the two flags function independently.
      
      Before: ENABLE_SPM=1 is required for using either implementation.
              By default, the SPCI-based implementation is enabled and
              this is overridden if SPM_MM=1.
      
      After: ENABLE_SPM=1 enables the SPCI-based implementation.
             SPM_MM=1 enables the MM-based implementation.
             The two build flags are mutually exclusive.
      
      Note that the name of the ENABLE_SPM flag remains a bit
      ambiguous - this will be improved in a subsequent patch. For this
      patch the intention was to leave the name as-is so that it is
      easier to track the changes that were made.
      
      Change-Id: I8e64ee545d811c7000f27e8dc8ebb977d670608a
      Signed-off-by: default avatarPaul Beesley <paul.beesley@arm.com>
      3f3c341a
  14. 18 Dec, 2019 1 commit
  15. 17 Dec, 2019 1 commit
  16. 11 Dec, 2019 1 commit
  17. 02 Dec, 2019 1 commit
    • zelalem-aweke's avatar
      Enable Link Time Optimization in GCC · edbce9aa
      zelalem-aweke authored
      
      
      This patch enables LTO for TF-A when compiled with GCC.
      LTO is disabled by default and is enabled by
      ENABLE_LTO=1 build option.
      
      LTO is enabled only for aarch64 as there seem to be
      a bug in the aarch32 compiler when LTO is enabled.
      
      The changes in the makefiles include:
      - Adding -flto and associated flags to enable LTO.
      - Using gcc as a wrapper at link time instead of ld.
        This is recommended when using LTO as gcc internally
        takes care of invoking the necessary plugins for LTO.
      - Adding switches to pass options to ld.
      - Adding a flag to disable fix for erratum cortex-a53-843419
        unless explicitly enabled. This is needed because GCC
        seem to automatically add the erratum fix when used
        as a wrapper for LD.
      
      Additionally, this patch updates the TF-A user guide with
      the new build option.
      Signed-off-by: default avatarzelalem-aweke <zelalem.aweke@arm.com>
      Change-Id: I1188c11974da98434b7dc9344e058cd1eacf5468
      edbce9aa
  18. 27 Nov, 2019 1 commit
    • Paul Beesley's avatar
      doc: Split the User Guide into multiple files · 43f35ef5
      Paul Beesley authored
      
      
      The User Guide document has grown organically over time and
      now covers a wide range of topics, making it difficult to
      skim read and extract information from. Currently, it covers
      these topics and maybe a couple more:
      
      - Requirements (hardware, tools, libs)
      - Checking out the repo
      - Basic build instructions
      - A comprehensive list of build flags
      - FIP packaging
      - Building specifically for Juno
      - Firmware update images
      - EL3 payloads
      - Preloaded BL33 boot flow
      - Running on FVPs
      - Running on Juno
      
      I have separated these out into a few groups that become new
      documents. Broadly speaking, build instructions for the tools,
      for TF-A generally, and for specific scenarios are separated.
      Content relating to specific platforms (Juno and the FVPs are
      Arm-specific platforms, essentially) has been moved into the
      documentation that is specific to those platforms, under
      docs/plat/arm.
      
      Change-Id: Ica87c52d8cd4f577332be0b0738998ea3ba3bbec
      Signed-off-by: default avatarPaul Beesley <paul.beesley@arm.com>
      43f35ef5
  19. 26 Nov, 2019 1 commit
  20. 22 Oct, 2019 1 commit
  21. 15 Oct, 2019 1 commit
    • Artsem Artsemenka's avatar
      Fix documentation · 434d93d9
      Artsem Artsemenka authored
      
      
      User guide:
      1. Remove obsolete note saying only FVP is supported with AArch32
      2. Switch compiler for Juno AArch32 to arm-eabi
      3. Mention SOFTWARE folder in Juno Linaro release
      
      Index.rst:
      1. Switch default FVP model to Version 11.6 Build 45
      Signed-off-by: default avatarArtsem Artsemenka <artsem.artsemenka@arm.com>
      Change-Id: Ib47a2ea314e2b8394a20189bf91796de0e17de53
      434d93d9
  22. 11 Oct, 2019 1 commit
  23. 09 Oct, 2019 1 commit
  24. 08 Oct, 2019 1 commit
    • Paul Beesley's avatar
      doc: Convert internal links to RST format · 34760951
      Paul Beesley authored
      
      
      Currently links between documents are using the format:
      
      <path/to/><filename>.rst
      
      This was required for services like GitHub because they render each
      document in isolation - linking to another document is like linking
      to any other file, just provide the full path.
      
      However, with the new approach, the .rst files are only the raw
      source for the documents. Once the documents have been rendered
      the output is now in another format (HTML in our case) and so,
      when linking to another document, the link must point to the
      rendered version and not the .rst file.
      
      The RST spec provides a few methods for linking between content.
      The parent of this patch enabled the automatic creation of anchors
      for document titles - we will use these anchors as the targets for
      our links. Additional anchors can be added by hand if needed, on
      section and sub-section titles, for example.
      
      An example of this new format, for a document with the title
      "Firmware Design" is :ref:`Firmware Design`.
      
      One big advantage of this is that anchors are not dependent on
      paths. We can then move documents around, even between directories,
      without breaking any links between documents. Links will need to be
      updated only if the title of a document changes.
      
      Change-Id: I9e2340a61dd424cbd8fd1ecc2dc166f460d81703
      Signed-off-by: default avatarPaul Beesley <paul.beesley@arm.com>
      34760951
  25. 04 Oct, 2019 1 commit
    • Soby Mathew's avatar
      Fix the CAS spinlock implementation · c97cba4e
      Soby Mathew authored
      
      
      Make the spinlock implementation use ARMv8.1-LSE CAS instruction based
      on a platform build option. The CAS-based implementation used to be
      unconditionally selected for all ARM8.1+ platforms.
      
      The previous CAS spinlock implementation had a bug wherein the spin_unlock()
      implementation had an `sev` after `stlr` which is not sufficient. A dsb is
      needed to ensure that the stlr completes prior to the sev. Having a dsb is
      heavyweight and a better solution would be to use load exclusive semantics
      to monitor the lock and wake up from wfe when a store happens to the lock.
      The patch implements the same.
      
      Change-Id: I5283ce4a889376e4cc01d1b9d09afa8229a2e522
      Signed-off-by: default avatarSoby Mathew <soby.mathew@arm.com>
      Signed-off-by: default avatarOlivier Deprez <olivier.deprez@arm.com>
      c97cba4e
  26. 02 Oct, 2019 1 commit
  27. 30 Sep, 2019 1 commit
  28. 26 Sep, 2019 1 commit
  29. 18 Sep, 2019 1 commit
  30. 13 Sep, 2019 1 commit
    • Alexei Fedorov's avatar
      Refactor ARMv8.3 Pointer Authentication support code · ed108b56
      Alexei Fedorov authored
      
      
      This patch provides the following features and makes modifications
      listed below:
      - Individual APIAKey key generation for each CPU.
      - New key generation on every BL31 warm boot and TSP CPU On event.
      - Per-CPU storage of APIAKey added in percpu_data[]
        of cpu_data structure.
      - `plat_init_apiakey()` function replaced with `plat_init_apkey()`
        which returns 128-bit value and uses Generic timer physical counter
        value to increase the randomness of the generated key.
        The new function can be used for generation of all ARMv8.3-PAuth keys
      - ARMv8.3-PAuth specific code placed in `lib\extensions\pauth`.
      - New `pauth_init_enable_el1()` and `pauth_init_enable_el3()` functions
        generate, program and enable APIAKey_EL1 for EL1 and EL3 respectively;
        pauth_disable_el1()` and `pauth_disable_el3()` functions disable
        PAuth for EL1 and EL3 respectively;
        `pauth_load_bl31_apiakey()` loads saved per-CPU APIAKey_EL1 from
        cpu-data structure.
      - Combined `save_gp_pauth_registers()` function replaces calls to
        `save_gp_registers()` and `pauth_context_save()`;
        `restore_gp_pauth_registers()` replaces `pauth_context_restore()`
        and `restore_gp_registers()` calls.
      - `restore_gp_registers_eret()` function removed with corresponding
        code placed in `el3_exit()`.
      - Fixed the issue when `pauth_t pauth_ctx` structure allocated space
        for 12 uint64_t PAuth registers instead of 10 by removal of macro
        CTX_PACGAKEY_END from `include/lib/el3_runtime/aarch64/context.h`
        and assigning its value to CTX_PAUTH_REGS_END.
      - Use of MODE_SP_ELX and MODE_SP_EL0 macro definitions
        in `msr	spsel`  instruction instead of hard-coded values.
      - Changes in documentation related to ARMv8.3-PAuth and ARMv8.5-BTI.
      
      Change-Id: Id18b81cc46f52a783a7e6a09b9f149b6ce803211
      Signed-off-by: default avatarAlexei Fedorov <Alexei.Fedorov@arm.com>
      ed108b56
  31. 12 Sep, 2019 3 commits
    • Justin Chadwell's avatar
      Remove RSA PKCS#1 v1.5 support from cert_tool · 6a415a50
      Justin Chadwell authored
      Support for PKCS#1 v1.5 was deprecated in SHA 1001202d and fully removed
      in SHA fe199e3b
      
      , however, cert_tool is still able to generate
      certificates in that form. This patch fully removes the ability for
      cert_tool to generate these certificates.
      
      Additionally, this patch also fixes a bug where the issuing certificate
      was a RSA and the issued certificate was EcDSA. In this case, the issued
      certificate would be signed using PKCS#1 v1.5 instead of RSAPSS per
      PKCS#1 v2.1, preventing TF-A from verifying the image signatures. Now
      that PKCS#1 v1.5 support is removed, all certificates that are signed
      with RSA now use the more modern padding scheme.
      
      Change-Id: Id87d7d915be594a1876a73080528d968e65c4e9a
      Signed-off-by: default avatarJustin Chadwell <justin.chadwell@arm.com>
      6a415a50
    • Justin Chadwell's avatar
      Add documentation for new KEY_SIZE option · f29213d9
      Justin Chadwell authored
      
      
      This patch adds documentation for the new KEY_SIZE build option that is
      exposed by cert_create, and instructions on how to use it.
      
      Change-Id: I09b9b052bfdeeaca837e0f0026e2b01144f2472c
      Signed-off-by: default avatarJustin Chadwell <justin.chadwell@arm.com>
      f29213d9
    • Hadi Asyrafi's avatar
      Invalidate dcache build option for bl2 entry at EL3 · b90f207a
      Hadi Asyrafi authored
      
      
      Some of the platform (ie. Agilex) make use of CCU IPs which will only be
      initialized during bl2_el3_early_platform_setup. Any operation to the
      cache beforehand will crash the platform. Hence, this will provide an
      option to skip the data cache invalidation upon bl2 entry at EL3
      Signed-off-by: default avatarHadi Asyrafi <muhammad.hadi.asyrafi.abdul.halim@intel.com>
      Change-Id: I2c924ed0589a72d0034714c31be8fe57237d1f06
      b90f207a
  32. 11 Sep, 2019 1 commit
    • Justin Chadwell's avatar
      Add UBSAN support and handlers · 1f461979
      Justin Chadwell authored
      
      
      This patch adds support for the Undefined Behaviour sanitizer. There are
      two types of support offered - minimalistic trapping support which
      essentially immediately crashes on undefined behaviour and full support
      with full debug messages.
      
      The full support relies on ubsan.c which has been adapted from code used
      by OPTEE.
      
      Change-Id: I417c810f4fc43dcb56db6a6a555bfd0b38440727
      Signed-off-by: default avatarJustin Chadwell <justin.chadwell@arm.com>
      1f461979