1. 17 Aug, 2016 1 commit
    • Dan Handley's avatar
      Remove dcache invalidation after image authentication · ad4494dc
      Dan Handley authored
      At the end of successful image authentication in load_auth_image(),
      the data cache for the virtual address range corresponding to the
      image is invalidated (by a call to inv_dcache_range()). The intent
      seems to be to ensure the data caches do not contain any sensitive
      data used during authentication, which subsequent code can read.
      However, this same address range is already flushed (cleaned and
      invalidated by a call to flush_dcache_range()) at the end of
      load_image(), and the subsequent invalidate has no functional
      effect.
      
      This patch removes the redundant call to inv_dcache_range(). It
      also moves the flush_dcache_range() call from the end of load_image()
      to the end of load_auth_image(), so the image data will remain in
      the caches during authentication, improving performance.
      
      This also improves the comments that explain the rationale for
      calling flush_dcache_range() after image loading/authentication.
      
      Change-Id: I14f17ad2935075ef6f3d1327361c5088bfb2d284
      ad4494dc
  2. 26 Jul, 2016 1 commit
    • Soby Mathew's avatar
      Improve debug assertion for runtime svc number · 5e5e4162
      Soby Mathew authored
      This patch improves the debug assertion for runtime svc number
       - Remove useless comparison ensuring that the number of descriptors
         is a positive number. The variable is an unsigned integer so can't
         be negative.
       - Check that the end address of the descriptors is sane relative
         to the start address.
      
      Change-Id: Iea7be6b34e33b8b1cbd394eb923cc834ea964831
      5e5e4162
  3. 25 Jul, 2016 3 commits
    • Sandrine Bailleux's avatar
      Ensure addresses in is_mem_free() don't overflow · 7b6d330c
      Sandrine Bailleux authored
      This patch adds some runtime checks to prevent some potential
      pointer overflow issues in the is_mem_free() function. The overflow
      could happen in the case where the end addresses, computed as the
      sum of a base address and a size, results in a value large enough
      to wrap around. This, in turn, could lead to unpredictable behaviour.
      
      If such an overflow is detected, the is_mem_free() function will now
      declare the memory region as not free. The overflow is detected using
      a new macro, called check_uptr_overflow().
      
      This patch also modifies all other places in the 'bl_common.c' file
      where an end address was computed as the sum of a base address and a
      size and instead keeps the two values separate. This avoids the need
      to handle pointer overflows everywhere. The code doesn't actually need
      to compute any end address before the is_mem_free() function is called
      other than to print information message to the serial output.
      
      This patch also introduces 2 slight changes to the reserve_mem()
      function:
      
       - It fixes the end addresses passed to choose_mem_pos(). It was
         incorrectly passing (base + size) instead of (base + size - 1).
      
       - When the requested allocation size is 0, the function now exits
         straight away and says so using a warning message.
         Previously, it used to actually reserve some memory. A zero-byte
         allocation was not considered as a special case so the function
         was using the same top/bottom allocation mechanism as for any
         other allocation. As a result, the smallest area of memory starting
         from the requested base address within the free region was
         reserved.
      
      Change-Id: I0e695f961e24e56ffe000718014e0496dc6e1ec6
      7b6d330c
    • Sandrine Bailleux's avatar
      Make runtime_svc_init() function more robust · 3a26a28c
      Sandrine Bailleux authored
       - Added some debug assertions checking that the runtime services
         indexes computed by get_unique_oen() are sane.
      
       - Do not print the name of the service when its descriptor is
         invalid. If the descriptor is corrupted then its name field
         could be corrupted as well and we would end up reading an
         arbitrary amount of invalid memory.
      
      Change-Id: I16f61065277d01fe1555d5a9cf743f7b52ccaa60
      3a26a28c
    • Sandrine Bailleux's avatar
      Improvements to runtime service init code · 9d24d353
      Sandrine Bailleux authored
      Light refactoring of the code in runtime_svc.c file.
      
       - Declare validate_rt_svc_desc()'s argument as const.
      
       - Remove 'goto' path in runtime_svc_init(). It was used in one
         place only.
      
       - Improve code readability by declaring a local variable holding the
         service pointer.
      
      Change-Id: I3b15c5adb9f37b786b5b993a9be70ea9dd017a83
      9d24d353
  4. 18 Jul, 2016 2 commits
    • Soby Mathew's avatar
      Introduce `el3_runtime` and `PSCI` libraries · 532ed618
      Soby Mathew authored
      This patch moves the PSCI services and BL31 frameworks like context
      management and per-cpu data into new library components `PSCI` and
      `el3_runtime` respectively. This enables PSCI to be built independently from
      BL31. A new `psci_lib.mk` makefile is introduced which adds the relevant
      PSCI library sources and gets included by `bl31.mk`. Other changes which
      are done as part of this patch are:
      
      * The runtime services framework is now moved to the `common/` folder to
        enable reuse.
      * The `asm_macros.S` and `assert_macros.S` helpers are moved to architecture
        specific folder.
      * The `plat_psci_common.c` is moved from the `plat/common/aarch64/` folder
        to `plat/common` folder. The original file location now has a stub which
        just includes the file from new location to maintain platform compatibility.
      
      Most of the changes wouldn't affect platform builds as they just involve
      changes to the generic bl1.mk and bl31.mk makefiles.
      
      NOTE: THE `plat_psci_common.c` FILE HAS MOVED LOCATION AND THE STUB FILE AT
      THE ORIGINAL LOCATION IS NOW DEPRECATED. PLATFORMS SHOULD MODIFY THEIR
      MAKEFILES TO INCLUDE THE FILE FROM THE NEW LOCATION.
      
      Change-Id: I6bd87d5b59424995c6a65ef8076d4fda91ad5e86
      532ed618
    • Soby Mathew's avatar
      Rework type usage in Trusted Firmware · 4c0d0390
      Soby Mathew authored
      This patch reworks type usage in generic code, drivers and ARM platform files
      to make it more portable. The major changes done with respect to
      type usage are as listed below:
      
      * Use uintptr_t for storing address instead of uint64_t or unsigned long.
      * Review usage of unsigned long as it can no longer be assumed to be 64 bit.
      * Use u_register_t for register values whose width varies depending on
        whether AArch64 or AArch32.
      * Use generic C types where-ever possible.
      
      In addition to the above changes, this patch also modifies format specifiers
      in print invocations so that they are AArch64/AArch32 agnostic. Only files
      related to upcoming feature development have been reworked.
      
      Change-Id: I9f8c78347c5a52ba7027ff389791f1dad63ee5f8
      4c0d0390
  5. 07 Jun, 2016 1 commit
    • Sandrine Bailleux's avatar
      Update comments in load_image() · a6b995fb
      Sandrine Bailleux authored
      - Fix the function documentation.
        Since commit 16948ae1, load_image() uses image IDs rather than image
        names.
      
      - Clarify the consequences of a null entry point argument.
      
      - Slightly reorganize the code to remove an unnecessary 'if' statement.
      
      Change-Id: Iebea3149a37f23d3b847a37a206ed23f7e8ec717
      a6b995fb
  6. 03 Jun, 2016 1 commit
    • Soby Mathew's avatar
      Build option to include AArch32 registers in cpu context · 8cd16e6b
      Soby Mathew authored
      The system registers that are saved and restored in CPU context include
      AArch32 systems registers like SPSR_ABT, SPSR_UND, SPSR_IRQ, SPSR_FIQ,
      DACR32_EL2, IFSR32_EL2 and FPEXC32_EL2. Accessing these registers on an
      AArch64-only (i.e. on hardware that does not implement AArch32, or at
      least not at EL1 and higher ELs) platform leads to an exception. This patch
      introduces the build option `CTX_INCLUDE_AARCH32_REGS` to specify whether to
      include these AArch32 systems registers in the cpu context or not. By default
      this build option is set to 1 to ensure compatibility. AArch64-only platforms
      must set it to 0. A runtime check is added in BL1 and BL31 cold boot path to
      verify this.
      
      Fixes ARM-software/tf-issues#386
      
      Change-Id: I720cdbd7ed7f7d8516635a2ec80d025f478b95ee
      8cd16e6b
  7. 26 May, 2016 1 commit
    • Sandrine Bailleux's avatar
      Introduce some helper macros for exception vectors · e0ae9fab
      Sandrine Bailleux authored
      This patch introduces some assembler macros to simplify the
      declaration of the exception vectors. It abstracts the section
      the exception code is put into as well as the alignments
      constraints mandated by the ARMv8 architecture. For all TF images,
      the exception code has been updated to make use of these macros.
      
      This patch also updates some invalid comments in the exception
      vector code.
      
      Change-Id: I35737b8f1c8c24b6da89b0a954c8152a4096fa95
      e0ae9fab
  8. 18 Apr, 2016 1 commit
  9. 13 Apr, 2016 1 commit
    • Soby Mathew's avatar
      Refactor the xlat_tables library code · 3ca9928d
      Soby Mathew authored
      The AArch32 long descriptor format and the AArch64 descriptor format
      correspond to each other which allows possible sharing of xlat_tables
      library code between AArch64 and AArch32. This patch refactors the
      xlat_tables library code to seperate the common functionality from
      architecture specific code. Prior to this patch, all of the xlat_tables
      library code were in `lib/aarch64/xlat_tables.c` file. The refactored code
      is now in `lib/xlat_tables/` directory. The AArch64 specific programming
      for xlat_tables is in `lib/xlat_tables/aarch64/xlat_tables.c` and the rest
      of the code common to AArch64 and AArch32 is in
      `lib/xlat_tables/xlat_tables_common.c`. Also the data types used in
      xlat_tables library APIs are reworked to make it compatible between AArch64
      and AArch32.
      
      The `lib/aarch64/xlat_tables.c` file now includes the new xlat_tables
      library files to retain compatibility for existing platform ports.
      The macros related to xlat_tables library are also moved from
      `include/lib/aarch64/arch.h` to the header `include/lib/xlat_tables.h`.
      
      NOTE: THE `lib/aarch64/xlat_tables.c` FILE IS DEPRECATED AND PLATFORM PORTS
      ARE EXPECTED TO INCLUDE THE NEW XLAT_TABLES LIBRARY FILES IN THEIR MAKEFILES.
      
      Change-Id: I3d17217d24aaf3a05a4685d642a31d4d56255a0f
      3ca9928d
  10. 07 Apr, 2016 1 commit
    • Soby Mathew's avatar
      Differentiate `long` and `long long` formats in tf_printf · f2f5a7bd
      Soby Mathew authored
      This patch adds support to differentiate between `long` and `long long`
      format specifiers in tf_printf(). In AArch64, they are the same which is
      a 64-bit word. But, in AArch32 they are different and tf_printf() needs
      to handle these format specifiers separately. This patch also fixes the
      type of variables used to generic C types.
      
      Change-Id: If3bbb0245cd0183acbe13bc1fe0d9743f417578f
      f2f5a7bd
  11. 30 Mar, 2016 1 commit
    • Gerald Lejeune's avatar
      Enable asynchronous abort exceptions during boot · adb4fcfb
      Gerald Lejeune authored
      
      
      Asynchronous abort exceptions generated by the platform during cold boot are
      not taken in EL3 unless SCR_EL3.EA is set.
      
      Therefore EA bit is set along with RES1 bits in early BL1 and BL31 architecture
      initialisation. Further write accesses to SCR_EL3 preserve these bits during
      cold boot.
      
      A build flag controls SCR_EL3.EA value to keep asynchronous abort exceptions
      being trapped by EL3 after cold boot or not.
      
      For further reference SError Interrupts are also known as asynchronous external
      aborts.
      
      On Cortex-A53 revisions below r0p2, asynchronous abort exceptions are taken in
      EL3 whatever the SCR_EL3.EA value is.
      
      Fixes arm-software/tf-issues#368
      Signed-off-by: default avatarGerald Lejeune <gerald.lejeune@st.com>
      adb4fcfb
  12. 23 Mar, 2016 1 commit
    • Scott Branden's avatar
      Add support for %z in tf_print() · bda77010
      Scott Branden authored
      Add support for %z format specific in tf_printf() to support
      printing data of type size_t
      
      Fixes ARM-software/tf-issues#380
      
      Signed-off-by Scott Branden <scott.branden@broadcom.com>
      bda77010
  13. 14 Mar, 2016 1 commit
    • Antonio Nino Diaz's avatar
      Remove all non-configurable dead loops · 1c3ea103
      Antonio Nino Diaz authored
      Added a new platform porting function plat_panic_handler, to allow
      platforms to handle unexpected error situations. It must be
      implemented in assembly as it may be called before the C environment
      is initialized. A default implementation is provided, which simply
      spins.
      
      Corrected all dead loops in generic code to call this function
      instead. This includes the dead loop that occurs at the end of the
      call to panic().
      
      All unnecesary wfis from bl32/tsp/aarch64/tsp_exceptions.S have
      been removed.
      
      Change-Id: I67cb85f6112fa8e77bd62f5718efcef4173d8134
      1c3ea103
  14. 18 Feb, 2016 1 commit
    • Antonio Nino Diaz's avatar
      Add support for %p in tf_printf() · f0dd061a
      Antonio Nino Diaz authored
      This patch adds support for the `%p` format specifier in tf_printf()
      following the example of the printf implementation of the stdlib used
      in the trusted firmware.
      
      Fixes ARM-software/tf-issues#292
      
      Change-Id: I0b3230c783f735d3e039be25a9405f00023420da
      f0dd061a
  15. 21 Dec, 2015 1 commit
  16. 14 Dec, 2015 1 commit
  17. 09 Dec, 2015 1 commit
    • Yatharth Kochar's avatar
      Move context management code to common location · bbf8f6f9
      Yatharth Kochar authored
      The upcoming Firmware Update feature needs transitioning across
      Secure/Normal worlds to complete the FWU process and hence requires
      context management code to perform this task.
      
      Currently context management code is part of BL31 stage only.
      This patch moves the code from (include)/bl31 to (include)/common.
      Some function declarations/definitions and macros have also moved
      to different files to help code sharing.
      
      Change-Id: I3858b08aecdb76d390765ab2b099f457873f7b0c
      bbf8f6f9
  18. 02 Nov, 2015 2 commits
    • Juan Castillo's avatar
      Remove deprecated IO return definitions · e098e244
      Juan Castillo authored
      Patch 7e26fe1f deprecates IO specific return definitions in favour
      of standard errno codes. This patch removes those definitions
      and its usage from the IO framework, IO drivers and IO platform
      layer. Following this patch, standard errno codes must be used
      when checking the return value of an IO function.
      
      Change-Id: Id6e0e9d0a7daf15a81ec598cf74de83d5768650f
      e098e244
    • Sandrine Bailleux's avatar
      Introduce print_entry_point_info() function · 68a68c92
      Sandrine Bailleux authored
      This patch introduces a new function called 'print_entry_point_info'
      that prints an entry_point_t structure for debugging purposes.
      As such, it can be used to display the entry point address, SPSR and
      arguments passed from a firmware image to the next one.
      
      This function is now called in the following images transitions:
       - BL1 to BL2
       - BL1 to BL31
       - BL31 to the next image (typically BL32 or BL33)
      
      The following changes have been introduced:
      
       - Fix the output format of the SPSR value : SPSR is a 32-bit value,
         not a 64-bit one.
      
       - Print all arguments values.
         The entry_point_info_t structure allows to pass up to 8 arguments.
         In most cases, only the first 2 arguments were printed.
         print_entry_point_info() now prints all of them as 'VERBOSE'
         traces.
      
      Change-Id: Ieb384bffaa7849e6cb95a01a47c0b7fc2308653a
      68a68c92
  19. 23 Oct, 2015 1 commit
    • Juan Castillo's avatar
      Use standard errno definitions in load_auth_image() · 78460a05
      Juan Castillo authored
      This patch replaces custom definitions used as return values for
      the load_auth_image() function with standard error codes defined
      in errno.h. The custom definitions have been removed.
      
      It also replaces the usage of IO framework error custom definitions,
      which have been deprecated. Standard errno definitions are used
      instead.
      
      Change-Id: I1228477346d3876151c05b470d9669c37fd231be
      78460a05
  20. 02 Sep, 2015 1 commit
    • Vikram Kanigiri's avatar
      Ensure BL2 security state is secure · a2f8b166
      Vikram Kanigiri authored
      BL2 loads secure runtime code(BL3-1, BL3-2) and hence it has to
      run in secure world otherwise BL3-1/BL3-2 have to execute from
      non-secure memory. Hence, This patch removes the change_security_state()
      call in bl1_run_bl2() and replaces it with an assert to confirm
      the BL2 as secure.
      
      Fixes ARM-software/tf-issues#314
      
      Change-Id: I611b83f5c4090e58a76a2e950b0d797b46df3c29
      a2f8b166
  21. 20 Aug, 2015 1 commit
    • Juan Castillo's avatar
      TBB: abort boot if BL3-2 cannot be authenticated · fedbc049
      Juan Castillo authored
      BL3-2 image (Secure Payload) is optional. If the image cannot be
      loaded a warning message is printed and the boot process continues.
      According to the TBBR document, this behaviour should not apply in
      case of an authentication error, where the boot process should be
      aborted.
      
      This patch modifies the load_auth_image() function to distinguish
      between a load error and an authentication error. The caller uses
      the return value to abort the boot process or continue.
      
      In case of authentication error, the memory region used to store
      the image is wiped clean.
      
      Change-Id: I534391d526d514b2a85981c3dda00de67e0e7992
      fedbc049
  22. 25 Jun, 2015 5 commits
    • Juan Castillo's avatar
      TBB: delete deprecated PolarSSL authentication module · 962f7c51
      Juan Castillo authored
      After updating the main authentication module to use the transport
      and crypto modules and the CoT description, the PolarSSL
      authentication module is no longer required. This patch deletes it.
      
      Change-Id: I8ba1e13fc1cc7b2fa9df14ff59eb798f0460b878
      962f7c51
    • Juan Castillo's avatar
      TBB: switch to the new authentication framework · 1779ba6b
      Juan Castillo authored
      This patch modifies the Trusted Board Boot implementation to use
      the new authentication framework, making use of the authentication
      module, the cryto module and the image parser module to
      authenticate the images in the Chain of Trust.
      
      A new function 'load_auth_image()' has been implemented. When TBB
      is enabled, this function will call the authentication module to
      authenticate parent images following the CoT up to the root of
      trust to finally load and authenticate the requested image.
      
      The platform is responsible for picking up the right makefiles to
      build the corresponding cryptographic and image parser libraries.
      ARM platforms use the mbedTLS based libraries.
      
      The platform may also specify what key algorithm should be used
      to sign the certificates. This is done by declaring the 'KEY_ALG'
      variable in the platform makefile. FVP and Juno use ECDSA keys.
      
      On ARM platforms, BL2 and BL1-RW regions have been increased 4KB
      each to accommodate the ECDSA code.
      
      REMOVED BUILD OPTIONS:
      
        * 'AUTH_MOD'
      
      Change-Id: I47d436589fc213a39edf5f5297bbd955f15ae867
      1779ba6b
    • Juan Castillo's avatar
      Use numbers to identify images instead of names · 16948ae1
      Juan Castillo authored
      The Trusted firmware code identifies BL images by name. The platform
      port defines a name for each image e.g. the IO framework uses this
      mechanism in the platform function plat_get_image_source(). For
      a given image name, it returns the handle to the image file which
      involves comparing images names. In addition, if the image is
      packaged in a FIP, a name comparison is required to find the UUID
      for the image. This method is not optimal.
      
      This patch changes the interface between the generic and platform
      code with regard to identifying images. The platform port must now
      allocate a unique number (ID) for every image. The generic code will
      use the image ID instead of the name to access its attributes.
      
      As a result, the plat_get_image_source() function now takes an image
      ID as an input parameter. The organisation of data structures within
      the IO framework has been rationalised to use an image ID as an index
      into an array which contains attributes of the image such as UUID and
      name. This prevents the name comparisons.
      
      A new type 'io_uuid_spec_t' has been introduced in the IO framework
      to specify images identified by UUID (i.e. when the image is contained
      in a FIP file). There is no longer need to maintain a look-up table
      [iname_name --> uuid] in the io_fip driver code.
      
      Because image names are no longer mandatory in the platform port, the
      debug messages in the generic code will show the image identifier
      instead of the file name. The platforms that support semihosting to
      load images (i.e. FVP) must provide the file names as definitions
      private to the platform.
      
      The ARM platform ports and documentation have been updated accordingly.
      All ARM platforms reuse the image IDs defined in the platform common
      code. These IDs will be used to access other attributes of an image in
      subsequent patches.
      
      IMPORTANT: applying this patch breaks compatibility for platforms that
      use TF BL1 or BL2 images or the image loading code. The platform port
      must be updated to match the new interface.
      
      Change-Id: I9c1b04cb1a0684c6ee65dee66146dd6731751ea5
      16948ae1
    • Juan Castillo's avatar
      TBB: replace assert() with runtime checks in PolarSSL module · d5e0a933
      Juan Castillo authored
      Using assert() to check the length of keys and hashes included in
      a certificate is not a safe approach because assert() only applies
      to debug builds. A malformed certificate could exploit security
      flaws in release binaries due to buffer overflows.
      
      This patch replaces assert() with runtime checkings in the PolarSSL
      authentication module, so malformed certificates can not cause a
      memory overflow.
      
      Change-Id: I42ba912020595752c806cbd242fe3c74077d993b
      d5e0a933
    • Juan Castillo's avatar
      TBB: use ASN.1 type DigestInfo to represent hashes · c3da66b1
      Juan Castillo authored
      The cert_create tool calculates the hash of each BL image and includes
      it as an ASN.1 OCTET STRING in the corresponding certificate extension.
      Without additional information, the firmware running on the platform
      has to know in advance the algorithm used to generate the hash.
      
      This patch modifies the cert_create tool so the certificate extensions
      that include an image hash are generated according to the following
      ASN.1 structure:
      
          DigestInfo ::= SEQUENCE {
              digestAlgorithm  AlgorithmIdentifier,
              digest           OCTET STRING
          }
      
          AlgorithmIdentifier ::=  SEQUENCE  {
              algorithm        OBJECT IDENTIFIER,
              parameters       ANY DEFINED BY algorithm OPTIONAL
          }
      
      The PolarSSL module has been updated to extract the image hash
      from the certificate extension according to this structure.
      
      Change-Id: I6d83430f12a8a0eea8447bec7c936e903f644c85
      c3da66b1
  23. 27 Apr, 2015 1 commit
    • Dan Handley's avatar
      Fix type mismatches in verbose logging · 1b70db06
      Dan Handley authored
      Commit dad25049 adds support for type checking in printf-like
      functions. Some of the VERBOSE logging statements were not updated
      at that time.
      
      Fix the type mismatches in the verbose logging statements.
      
      Change-Id: Idd9a49e41cc0dc31f7698e220819d934e3d2d10e
      1b70db06
  24. 08 Apr, 2015 1 commit
    • Kévin Petit's avatar
      Add support to indicate size and end of assembly functions · 8b779620
      Kévin Petit authored
      
      
      In order for the symbol table in the ELF file to contain the size of
      functions written in assembly, it is necessary to report it to the
      assembler using the .size directive.
      
      To fulfil the above requirements, this patch introduces an 'endfunc'
      macro which contains the .endfunc and .size directives. It also adds
      a .func directive to the 'func' assembler macro.
      
      The .func/.endfunc have been used so the assembler can fail if
      endfunc is omitted.
      
      Fixes ARM-Software/tf-issues#295
      
      Change-Id: If8cb331b03d7f38fe7e3694d4de26f1075b278fc
      Signed-off-by: default avatarKévin Petit <kevin.petit@arm.com>
      8b779620
  25. 11 Mar, 2015 1 commit
    • Juan Castillo's avatar
      TBB: remove PolarSSL SHA1 functions from the binary · 81ee0983
      Juan Castillo authored
      Commit ea4ec3aa ("TBB: use SHA256 to generate the certificate
      signatures") updated the cert_create tool to generate the
      signatures using SHA256 instead of SHA1. Therefore, SHA1 is no
      longer required.
      
      This patch removes the SHA1 option from the PolarSSL configuration
      file. The source file sha1.c is no longer needed and has been
      excluded from the build. The SHA1 functions are no longer included
      in the binary, reducing the memory footprint of BL1 and BL2 by
      approximately 6 KB.
      
      Change-Id: I72ea2cff03c0964c3eaadce148ec2ad2c6dde2e3
      81ee0983
  26. 05 Mar, 2015 1 commit
    • Sandrine Bailleux's avatar
      Fix violations to the coding style · ba592e28
      Sandrine Bailleux authored
      All coding style violations have been fixed in a previous patch and
      since then, each individual patch has been checked in this regard.
      However, the latest version of the checkpatch.pl script from the Linux
      kernel is more advanced and it is able to flag new errors in the
      Trusted Firmware codebase. This patch fixes them.
      
      Change-Id: I1f332f2440984be85d36b231bb83260368987077
      ba592e28
  27. 28 Jan, 2015 3 commits
    • Juan Castillo's avatar
      TBB: add authentication module interface · 40febc3a
      Juan Castillo authored
      This patch provides an API to access the authentication module that
      will be used to verify the authenticity of the images loaded into
      memory as part of the Trusted Board Boot process.
      
      To include the authentication module as part of the build, set the
      boolean build option TRUSTED_BOARD_BOOT. One single authentication
      module must be registered at build time by setting the build option
      AUTH_MOD=<mod_name>. All authentication modules will be located in
      'common/auth/<mod_name>' and must present the <mod_name>.mk file that
      will be included by the build system to compile the module sources.
      
      To create an authentication module, an instance of auth_mod_t called
      'auth_mod' must be declared in the module sources. The initialization
      and verification functions provided by the module will be exported
      through the function pointers specified when declaring this instance.
      
      If an authentication module includes third party sources that do not
      adhere to the C99 standard, the -pedantic option may be removed from
      the build options by setting the flag DISABLE_PEDANTIC in the module
      file <mod_name>.mk.
      
      Change-Id: I080bb04bd421029bcdf22ec2c63807afbf061dcd
      40febc3a
    • Juan Castillo's avatar
      TBB: add PolarSSL based authentication module · db6071c9
      Juan Castillo authored
      This patch implements an authentication module based on the
      PolarSSL library (v1.3.9) to verify the Chain of Trust when
      Trusted Boot is enabled.
      
      PolarSSL sources must be fetched separately. The POLARSSL_DIR
      build option may be used to indicate the path to the PolarSSL
      main directory (this directory must contain the 'include' and
      'library' subdirectories).
      
      To be able to build PolarSSL sources as a part of the Trusted
      Firmware build process, the DISABLE_PEDANTIC flag in polarssl.mk
      will tell the build system to remove the -pedantic option from
      the CFLAGS.
      
      Inclusion of PolarSSL increases the memory requirements of the BL1
      and BL2 images. The following are the changes made to the FVP and
      Juno platforms to cater for this when TRUSTED_BOARD_BOOT is
      defined:
      
      Changes on FVP:
      
        - BL1 and BL2 stacks have been increased to 4 KB
        - BL1(rw) section has been increased to 32 KB.
        - BL2 memory region has been increased to 112 KB
      
      Changes on Juno:
      
        - BL1 and BL2 stacks have been increased to 4 KB
        - BL1(rw) section has been increased to 32 KB.
        - Trusted ROM region in Flash has been increased to 128 KB.
        - BL2 memory region has been increased to 116 KB
      
      Change-Id: Ie87d80d43408eb6239c4acd0ec5ab2120e4e9e80
      db6071c9
    • Juan Castillo's avatar
      Skip reserving memory for non-executable and BL3-0 images · c5fb47c3
      Juan Castillo authored
      This patch adds support to not reserve the memory where an image is
      loaded if the image is:
      
        1. A non-executable image e.g. a certificate
        2. An executable image which is not meant to run on the
           application CPU (e.g. BL3-0)
      
      Both types of images are characterized by a NULL entrypoint argument
      to the load_image() function. It is used to distinguish them from
      other type of images.
      
      Important: Use this feature carefully. The caller is responsible for
      providing a valid entrypoint while loading images which will execute
      on the application CPU to prevent a potential overwrite of the
      corresponding memory region.
      
      Change-Id: Ied482280d9db714c529ec12c33a6c1d918d77a4e
      c5fb47c3
  28. 19 Aug, 2014 1 commit
    • Soby Mathew's avatar
      Rework use of labels in assembly macros. · aecc0840
      Soby Mathew authored
      This patch provides a workaround for the ASM_ASSERT label issue
      and also reworks the use of labels in assembly macros.
      If the caller of the ASM_ASSERT macro happened to use the
      label '1' to jump past the ASM_ASSERT macro, it would not have
      worked since the ASM_ASSERT macro internally used the same label.
      Hence, as a workaround, this patch makes the label a high
      number in the expectation that the caller will never use it.
      
      Also updated the other assembly macros using numerical labels to
      named lables.
      
      Change-Id: Iec892359db84f2391ad2a83a92141c4d7049776a
      aecc0840
  29. 12 Aug, 2014 1 commit
    • Dan Handley's avatar
      Rationalize console log output · 6ad2e461
      Dan Handley authored
      Fix the following issues with the console log output:
      
      * Make sure the welcome string is the first thing in the log output
      (during normal boot).
      * Prefix each message with the BL image name so it's clear which
      BL the output is coming from.
      * Ensure all output is wrapped in one of the log output macros so it can
      be easily compiled out if necessary. Change some of the INFO() messages
      to VERBOSE(), especially in the TSP.
      * Create some extra NOTICE() and INFO() messages during cold boot.
      * Remove all usage of \r in log output.
      
      Fixes ARM-software/tf-issues#231
      
      Change-Id: Ib24f7acb36ce64bbba549f204b9cde2dbb46c8a3
      6ad2e461
  30. 28 Jul, 2014 1 commit
    • Juan Castillo's avatar
      Rework incorrect use of assert() and panic() in codebase · d3280beb
      Juan Castillo authored
      Assert a valid security state using the macro sec_state_is_valid().
      Replace assert() with panic() in those cases that might arise
      because of runtime errors and not programming errors.
      Replace panic() with assert() in those cases that might arise
      because of programming errors.
      
      Fixes ARM-software/tf-issues#96
      
      Change-Id: I51e9ef0439fd5ff5e0edfef49050b69804bf14d5
      d3280beb