1. 20 Dec, 2016 4 commits
    • Sandrine Bailleux's avatar
      Fix integer overflows in BL1 FWU code · 949a52d2
      Sandrine Bailleux authored
      
      
      Before adding a base address and a size to compute the end
      address of an image to copy or authenticate, check this
      won't result in an integer overflow. If it does then consider
      the input arguments are invalid.
      
      As a result, bl1_plat_mem_check() can now safely assume the
      end address (computed as the sum of the base address and size
      of the memory region) doesn't overflow, as the validation is
      done upfront in bl1_fwu_image_copy/auth(). A debug assertion
      has been added nonetheless in the ARM implementation in order
      to help catching such problems, should bl1_plat_mem_check()
      be called in a different context in the future.
      
      Fixes TFV-1: Malformed Firmware Update SMC can result in copy
      of unexpectedly large data into secure memory
      
      Change-Id: I8b8f8dd4c8777705722c7bd0e8b57addcba07e25
      Signed-off-by: default avatarSandrine Bailleux <sandrine.bailleux@arm.com>
      Signed-off-by: default avatarDan Handley <dan.handley@arm.com>
      949a52d2
    • Sandrine Bailleux's avatar
      Add some debug assertions in BL1 FWU copy code · 1bfb7068
      Sandrine Bailleux authored
      
      
      These debug assertions sanity check the state of the internal
      FWU state machine data when resuming an incomplete image copy
      operation.
      
      Change-Id: I38a125b0073658c3e2b4b1bdc623ec221741f43e
      Signed-off-by: default avatarSandrine Bailleux <sandrine.bailleux@arm.com>
      1bfb7068
    • Sandrine Bailleux's avatar
      bl1_fwu_image_copy() refactoring · b38a9e5c
      Sandrine Bailleux authored
      
      
      This patch refactors the code of the function handling a FWU_AUTH_COPY
      SMC in BL1. All input validation has been moved upfront so it is now
      shared between the RESET and COPYING states.
      
      Change-Id: I6a86576b9ce3243c401c2474fe06f06687a70e2f
      Signed-off-by: default avatarSandrine Bailleux <sandrine.bailleux@arm.com>
      Signed-off-by: default avatarDan Handley <dan.handley@arm.com>
      b38a9e5c
    • Sandrine Bailleux's avatar
      Minor refactoring of BL1 FWU code · 9f1489e4
      Sandrine Bailleux authored
      
      
      This patch introduces no functional change, it just changes
      the serial console output.
      
       - Improve accuracy of error messages by decoupling some
         error cases;
      
       - Improve comments;
      
       - Move declaration of 'mem_layout' local variable closer to
         where it is used and make it const;
      
       - Rename a local variable to clarify whether it is a source
         or a destination address (base_addr -> dest_addr).
      
      Change-Id: I349fcf053e233f316310892211d49e35ef2c39d9
      Signed-off-by: default avatarSandrine Bailleux <sandrine.bailleux@arm.com>
      Signed-off-by: default avatarDan Handley <dan.handley@arm.com>
      9f1489e4
  2. 14 Dec, 2016 1 commit
  3. 22 Feb, 2016 1 commit
    • Yatharth Kochar's avatar
      Fix the inconsistencies in bl1_tbbr_image_descs[] · 843ddee4
      Yatharth Kochar authored
      This patch fixes inconsistencies in bl1_tbbr_image_descs[]
      and miscellaneous fixes in Firmware Update code.
      
      Following are the changes:
      * As part of the original FWU changes, a `copied_size`
        field was added to `image_info_t`. This was a subtle binary
        compatibility break because it changed the size of the
        `bl31_params_t` struct, which could cause problems if
        somebody used different versions of BL2 or BL31, one with
        the old `image_info_t` and one with the new version.
        This patch put the `copied_size` within the `image_desc_t`.
      * EXECUTABLE flag is now stored in `ep_info.h.attr` in place
        of `image_info.h.attr`, associating it to an entrypoint.
      * The `image_info.image_base` is only relevant for secure
        images that are copied from non-secure memory into secure
        memory. This patch removes initializing `image_base` for
        non secure images in the bl1_tbbr_image_descs[].
      * A new macro `SET_STATIC_PARAM_HEAD` is added for populating
        bl1_tbbr_image_descs[].ep_info/image_info.h members statically.
        The version, image_type and image attributes are now
        populated using this new macro.
      * Added PLAT_ARM_NVM_BASE and PLAT_ARM_NVM_SIZE to avoid direct
        usage of V2M_FLASH0_XXX in plat/arm/common/arm_bl1_fwu.c.
      * Refactoring of code/macros related to SECURE and EXECUTABLE flags.
      
      NOTE: PLATFORM PORTS THAT RELY ON THE SIZE OF `image_info_t`
            OR USE the "EXECUTABLE" BIT WITHIN `image_info_t.h.attr`
            OR USE THEIR OWN `image_desc_t` ARRAY IN BL1, MAY BE
            BROKEN BY THIS CHANGE. THIS IS CONSIDERED UNLIKELY.
      
      Change-Id: Id4e5989af7bf0ed263d19d3751939da1169b561d
      843ddee4
  4. 15 Dec, 2015 2 commits
    • Dan Handley's avatar
      FWU: Pass client cookie to FWU_SMC_UPDATE_DONE · 1f37b944
      Dan Handley authored
      The current FWU_SMC_UPDATE_DONE implementation incorrectly passes
      an unused framework cookie through to the 1st argument in the
      platform function `bl1_plat_fwu_done`. The intent is to allow
      the SMC caller to pass a cookie through to this function.
      
      This patch fixes FWU_SMC_UPDATE_DONE to pass x1 from the caller
      through to `bl1_plat_fwu_done`. The argument names are updated
      for clarity.
      
      Upstream platforms currently do not use this argument so no
      impact is expected.
      
      Change-Id: I107f4b51eb03e7394f66d9a534ffab1cbc09a9b2
      1f37b944
    • Dan Handley's avatar
      FWU: Remove image_id arg from FWU_SMC_IMAGE_RESUME · 28955d57
      Dan Handley authored
      The current implementation of FWU_SMC_IMAGE_RESUME when called
      from the normal world, uses the provided image_id argument to
      determine which secure image to resume into. This implies that
      the normal world has a choice of which secure image to resume
      into when in fact it is only possible to resume into the
      previously interrupted secure image.
      
      This patch removes the argument, tightens up the pre-conditions
      for the SMC and adds additional asserts.
      
      The pre-conditions for FWU_SMC_SEC_IMAGE_DONE are also
      tightened up.
      
      Change-Id: Ia5a46753bb01e8f8dad8a2999314f90db8f300e8
      28955d57
  5. 14 Dec, 2015 1 commit
    • Dan Handley's avatar
      FWU: Fix secure memory check in image auth · 03131c85
      Dan Handley authored
      The implementation of FWU_SMC_IMAGE_AUTH performs a number of
      pre-condition checks before authenticating the image. One of
      these checks calls `bl1_plat_mem_check()` to ensure the image
      source is mapped in when authenticating an image in place.
      The framework incorrectly passes the security state of the
      caller into this function instead of the security state of
      the source image.
      
      This patch corrects the defect. The defect would only
      manifest itself for secure world callers authenticating
      non-secure images in place, which is not done by current
      upstream platforms.
      
      Change-Id: I617c7b43e02ac7149f266aeaf3874316e62f3003
      03131c85
  6. 09 Dec, 2015 1 commit
    • Yatharth Kochar's avatar
      FWU: Add Generic Firmware Update framework support in BL1 · 48bfb88e
      Yatharth Kochar authored
      Firmware update(a.k.a FWU) feature is part of the TBB architecture.
      BL1 is responsible for carrying out the FWU process if platform
      specific code detects that it is needed.
      
      This patch adds support for FWU feature support in BL1 which is
      included by enabling `TRUSTED_BOARD_BOOT` compile time flag.
      
      This patch adds bl1_fwu.c which contains all the core operations
      of FWU, which are; SMC handler, image copy, authentication, execution
      and resumption. It also adds bl1.h introducing #defines for all
      BL1 SMCs.
      
      Following platform porting functions are introduced:
      
      int bl1_plat_mem_check(uintptr_t mem_base, unsigned int mem_size,
      unsigned int flags);
      	This function can be used to add platform specific memory checks
      	for the provided base/size for the given security state.
      	The weak definition will invoke `assert()` and return -ENOMEM.
      
      __dead2 void bl1_plat_fwu_done(void *cookie, void *reserved);
      	This function can be used to initiate platform specific procedure
      	to mark completion of the FWU process.
      	The weak definition waits forever calling `wfi()`.
      
      plat_bl1_common.c contains weak definitions for above functions.
      
      FWU process starts when platform detects it and return the image_id
      other than BL2_IMAGE_ID by using `bl1_plat_get_next_image_id()` in
      `bl1_main()`.
      
      NOTE: User MUST provide platform specific real definition for
      bl1_plat_mem_check() in order to use it for Firmware update.
      
      Change-Id: Ice189a0885d9722d9e1dd03f76cac1aceb0e25ed
      48bfb88e