1. 22 Mar, 2020 1 commit
    • Mustafa Yigit Bilgen's avatar
      spd: tlkd: support new TLK SMCs for RPMB service · bd0c2f8d
      Mustafa Yigit Bilgen authored
      
      
      This patch adds support to handle following TLK SMCs:
      {TLK_SET_BL_VERSION, TLK_LOCK_BL_INTERFACE, TLK_BL_RPMB_SERVICE}
      
      These SMCs need to be supported in ATF in order to forward them to
      TLK. Otherwise, these functionalities won't work.
      
      Brief:
      TLK_SET_BL_VERSION: This SMC is issued by the bootloader to supply its
      version to TLK. TLK can use this to prevent rollback attacks.
      
      TLK_LOCK_BL_INTERFACE: This SMC is issued by bootloader before handing off
      execution to the OS. This allows preventing sensitive SMCs being used
      by the OS.
      
      TLK_BL_RPMB_SERVICE: bootloader issues this SMC to sign or verify RPMB
      frames.
      
      Tested by: Tests TLK can receive the new SMCs issued by bootloader
      
      Change-Id: I57c2d189a5f7a77cea26c3f8921866f2a6f0f944
      Signed-off-by: default avatarMustafa Yigit Bilgen <mbilgen@nvidia.com>
      bd0c2f8d
  2. 19 Mar, 2020 2 commits
  3. 17 Mar, 2020 2 commits
  4. 12 Mar, 2020 1 commit
  5. 11 Mar, 2020 7 commits
    • Varun Wadekar's avatar
      spd: tlkd: secure timer interrupt handler · d205cda6
      Varun Wadekar authored
      
      
      This patch adds an interrupt handler for TLK. On receiving an
      interrupt, the source of the interrupt is determined and the
      interrupt is marked complete. The IRQ number is passed to
      TLK along with a special SMC function ID. TLK issues an SMC
      to notify completion of the interrupt handler in the S-EL1
      world.
      
      Change-Id: I76f28cee6537245c5e448d2078f86312219cea1a
      Signed-off-by: default avatarVarun Wadekar <vwadekar@nvidia.com>
      d205cda6
    • Madhukar Pappireddy's avatar
      fconf: necessary modifications to support fconf in BL31 & SP_MIN · 26d1e0c3
      Madhukar Pappireddy authored
      
      
      Necessary infrastructure added to integrate fconf framework in BL31 & SP_MIN.
      Created few populator() functions which parse HW_CONFIG device tree
      and registered them with fconf framework. Many of the changes are
      only applicable for fvp platform.
      
      This patch:
      1. Adds necessary symbols and sections in BL31, SP_MIN linker script
      2. Adds necessary memory map entry for translation in BL31, SP_MIN
      3. Creates an abstraction layer for hardware configuration based on
         fconf framework
      4. Adds necessary changes to build flow (makefiles)
      5. Minimal callback to read hw_config dtb for capturing properties
         related to GIC(interrupt-controller node)
      6. updates the fconf documentation
      
      Change-Id: Ib6292071f674ef093962b9e8ba0d322b7bf919af
      Signed-off-by: default avatarMadhukar Pappireddy <madhukar.pappireddy@arm.com>
      26d1e0c3
    • Madhukar Pappireddy's avatar
      Use Speculation Barrier instruction for v8.5 cores · ccfb5c81
      Madhukar Pappireddy authored
      
      
      Change-Id: Ie1018bfbae2fe95c699e58648665baa75e862000
      Signed-off-by: default avatarMadhukar Pappireddy <madhukar.pappireddy@arm.com>
      ccfb5c81
    • Madhukar Pappireddy's avatar
      fconf: enhancements to firmware configuration framework · 25d740c4
      Madhukar Pappireddy authored
      
      
      A populate() function essentially captures the value of a property,
      defined by a platform, into a fconf related c structure. Such a
      callback is usually platform specific and is associated to a specific
      configuration source.
      For example, a populate() function which captures the hardware topology
      of the platform can only parse HW_CONFIG DTB. Hence each populator
      function must be registered with a specific 'config_type' identifier.
      It broadly represents a logical grouping of configuration properties
      which is usually a device tree source file.
      
      Example:
      > TB_FW: properties related to trusted firmware such as IO policies,
      	 base address of other DTBs, mbedtls heap info etc.
      > HW_CONFIG: properties related to hardware configuration of the SoC
      	 such as topology, GIC controller, PSCI hooks, CPU ID etc.
      
      This patch modifies FCONF_REGISTER_POPULATOR macro and fconf_populate()
      to register and invoke the appropriate callbacks selectively based on
      configuration type.
      
      Change-Id: I6f63b1fd7a8729c6c9137d5b63270af1857bb44a
      Signed-off-by: default avatarMadhukar Pappireddy <madhukar.pappireddy@arm.com>
      25d740c4
    • Masahiro Yamada's avatar
      Factor xlat_table sections in linker scripts out into a header file · 665e71b8
      Masahiro Yamada authored
      
      
      TF-A has so many linker scripts, at least one linker script for each BL
      image, and some platforms have their own ones. They duplicate quite
      similar code (and comments).
      
      When we add some changes to linker scripts, we end up with touching
      so many files. This is not nice in the maintainability perspective.
      
      When you look at Linux kernel, the common code is macrofied in
      include/asm-generic/vmlinux.lds.h, which is included from each arch
      linker script, arch/*/kernel/vmlinux.lds.S
      
      TF-A can follow this approach. Let's factor out the common code into
      include/common/bl_common.ld.h
      
      As a start point, this commit factors out the xlat_table section.
      
      Change-Id: Ifa369e9b48e8e12702535d721cc2a16d12397895
      Signed-off-by: default avatarMasahiro Yamada <yamada.masahiro@socionext.com>
      665e71b8
    • Masahiro Yamada's avatar
      xlat_tables_v2: use ARRAY_SIZE in REGISTER_XLAT_CONTEXT_FULL_SPEC · e2822458
      Masahiro Yamada authored
      
      
      With this, it is clearer that .base_table_entries and .tables_num
      are the array size of .base_table and .tables, respectively.
      
      Change-Id: I634e65aba835ab9908cc3919355df6bc6e18d42a
      Signed-off-by: default avatarMasahiro Yamada <yamada.masahiro@socionext.com>
      e2822458
    • Masahiro Yamada's avatar
      xlat_tables_v2: merge REGISTER_XLAT_CONTEXT_{FULL_SPEC,RO_BASE_TABLE} · 363830df
      Masahiro Yamada authored
      
      
      xlat_tables_v2_helpers.h defines two quite similar macros,
      REGISTER_XLAT_CONTEXT_FULL_SPEC and REGISTER_XLAT_CONTEXT_RO_BASE_TABLE.
      
      Only the difference is the section of _ctx_name##_base_xlat_table.
      
      Parameterize it and unify these two macros.
      
      The base xlat table goes into the .bss section by default.
      If PLAT_RO_XLAT_TABLES is defined, it goes into the .rodata section.
      
      Change-Id: I8b02f4da98f0c272e348a200cebd89f479099c55
      Signed-off-by: default avatarMasahiro Yamada <yamada.masahiro@socionext.com>
      363830df
  6. 10 Mar, 2020 1 commit
  7. 06 Mar, 2020 3 commits
    • Alexei Fedorov's avatar
      Fix crash dump for lower EL · b4292bc6
      Alexei Fedorov authored
      
      
      This patch provides a fix for incorrect crash dump data for
      lower EL when TF-A is built with HANDLE_EA_EL3_FIRST=1 option
      which enables routing of External Aborts and SErrors to EL3.
      
      Change-Id: I9d5e6775e6aad21db5b78362da6c3a3d897df977
      Signed-off-by: default avatarAlexei Fedorov <Alexei.Fedorov@arm.com>
      b4292bc6
    • Sumit Garg's avatar
      TBB: Add an IO abstraction layer to load encrypted firmwares · 2be57b86
      Sumit Garg authored
      
      
      TBBR spec advocates for optional encryption of firmwares (see optional
      requirement: R060_TBBR_FUNCTION). So add an IO abstaction layer to
      support firmware decryption that can be stacked above any underlying IO/
      packaging layer like FIP etc. It aims to provide a framework to load any
      encrypted IO payload.
      
      Also, add plat_get_enc_key_info() to be implemented in a platform
      specific manner as handling of encryption key may vary from one platform
      to another.
      Signed-off-by: default avatarSumit Garg <sumit.garg@linaro.org>
      Change-Id: I9892e0ddf00ebecb8981301dbfa41ea23e078b03
      2be57b86
    • Sumit Garg's avatar
      drivers: crypto: Add authenticated decryption framework · 7cda17bb
      Sumit Garg authored
      
      
      Add framework for autheticated decryption of data. Currently this
      patch optionally imports mbedtls library as a backend if build option
      "DECRYPTION_SUPPORT = aes_gcm" is set to perform authenticated decryption
      using AES-GCM algorithm.
      Signed-off-by: default avatarSumit Garg <sumit.garg@linaro.org>
      Change-Id: I2966f0e79033151012bf4ffc66f484cd949e7271
      7cda17bb
  8. 04 Mar, 2020 1 commit
    • Manish Pandey's avatar
      SPMD: loading Secure Partition payloads · cb3b5344
      Manish Pandey authored
      
      
      This patch implements loading of Secure Partition packages using
      existing framework of loading other bl images.
      
      The current framework uses a statically defined array to store all the
      possible image types and at run time generates a link list and traverse
      through it to load different images.
      
      To load SPs, a new array of fixed size is introduced which will be
      dynamically populated based on number of SPs available in the system
      and it will be appended to the loadable images list.
      
      Change-Id: I8309f63595f2a71b28a73b922d20ccba9c4f6ae4
      Signed-off-by: default avatarManish Pandey <manish.pandey2@arm.com>
      cb3b5344
  9. 03 Mar, 2020 4 commits
  10. 02 Mar, 2020 1 commit
  11. 01 Mar, 2020 1 commit
  12. 27 Feb, 2020 1 commit
    • Louis Mayencourt's avatar
      fconf: Fix misra issues · 845db722
      Louis Mayencourt authored
      
      
      MISRA C-2012 Rule 20.7:
      Macro parameter expands into an expression without being wrapped by parentheses.
      
      MISRA C-2012 Rule 12.1:
      Missing explicit parentheses on sub-expression.
      
      MISRA C-2012 Rule 18.4:
      Essential type of the left hand operand is not the same as that of the right
      operand.
      
      Include does not provide any needed symbols.
      
      Change-Id: Ie1c6451cfbc8f519146c28b2cf15c50b1f36adc8
      Signed-off-by: default avatarLouis Mayencourt <louis.mayencourt@arm.com>
      845db722
  13. 25 Feb, 2020 9 commits
  14. 24 Feb, 2020 3 commits
    • Petre-Ionut Tudor's avatar
      Read-only xlat tables for BL31 memory · 60e8f3cf
      Petre-Ionut Tudor authored
      
      
      This patch introduces a build flag which allows the xlat tables
      to be mapped in a read-only region within BL31 memory. It makes it
      much harder for someone who has acquired the ability to write to
      arbitrary secure memory addresses to gain control of the
      translation tables.
      
      The memory attributes of the descriptors describing the tables
      themselves are changed to read-only secure data. This change
      happens at the end of BL31 runtime setup. Until this point, the
      tables have read-write permissions. This gives a window of
      opportunity for changes to be made to the tables with the MMU on
      (e.g. reclaiming init code). No changes can be made to the tables
      with the MMU turned on from this point onwards. This change is also
      enabled for sp_min and tspd.
      
      To make all this possible, the base table was moved to .rodata. The
      penalty we pay is that now .rodata must be aligned to the size of
      the base table (512B alignment). Still, this is better than putting
      the base table with the higher level tables in the xlat_table
      section, as that would cost us a full 4KB page.
      
      Changing the tables from read-write to read-only cannot be done with
      the MMU on, as the break-before-make sequence would invalidate the
      descriptor which resolves the level 3 page table where that very
      descriptor is located. This would make the translation required for
      writing the changes impossible, generating an MMU fault.
      
      The caches are also flushed.
      Signed-off-by: default avatarPetre-Ionut Tudor <petre-ionut.tudor@arm.com>
      Change-Id: Ibe5de307e6dc94c67d6186139ac3973516430466
      60e8f3cf
    • Sandrine Bailleux's avatar
      plat/arm: Pass cookie argument down to arm_get_rotpk_info() · 88005701
      Sandrine Bailleux authored
      
      
      The cookie will be leveraged in the next commit.
      
      Change-Id: Ie8bad275d856d84c27466461cf815529dd860446
      Signed-off-by: default avatarSandrine Bailleux <sandrine.bailleux@arm.com>
      88005701
    • Sandrine Bailleux's avatar
      Introduce a new "dualroot" chain of trust · 5ab8b717
      Sandrine Bailleux authored
      
      
      This new chain of trust defines 2 independent signing domains:
      
      1) One for the silicon firmware (BL1, BL2, BL31) and optionally the
         Trusted OS. It is rooted in the Silicon ROTPK, just as in the TBBR
         CoT.
      
      2) One for the Normal World Bootloader (BL33). It is rooted in a new key
         called Platform ROTPK, or PROTPK for short.
      
      In terms of certificates chain,
      
      - Signing domain 1) is similar to what TBBR advocates (see page 21 of
        the TBBR specification), except that the Non-Trusted World Public Key
        has been removed from the Trusted Key Certificate.
      
      - Signing domain 2) only contains the Non-Trusted World Content
        certificate, which provides the hash of the Non-Trusted World
        Bootloader. Compared to the TBBR CoT, there's no Non-Trusted World
        Key certificate for simplicity.
      
      Change-Id: I62f1e952522d84470acc360cf5ee63e4c4b0b4d9
      Signed-off-by: default avatarSandrine Bailleux <sandrine.bailleux@arm.com>
      5ab8b717
  15. 21 Feb, 2020 1 commit
    • Yann Gautier's avatar
      el3_entrypoint_common: avoid overwriting arg3 · 30f31005
      Yann Gautier authored
      
      
      At each BL entry point, the registers r9 to r12 are used to save info from
      the previous BL parameters put in r0 to r3. But zeromem uses r12, leading
      to a corruption of arg3. Therefore this change copies r12 to r7 before
      zeromem() call and restores r12 afterwards. It may be better to save it
      in r7 in el3_arch_init_common and not at the entrypoint as r7 could be used
      in other functions, especially platform ones.
      This is a fix for Task T661.
      
      Change-Id: Icc11990c69b5d4c542d08aca1a77b1f754b61a53
      Signed-off-by: default avatarYann Gautier <yann.gautier@st.com>
      30f31005
  16. 20 Feb, 2020 2 commits
    • Varun Wadekar's avatar
      Tegra: delay_timer: support for physical secure timer · dd4f0885
      Varun Wadekar authored
      
      
      This patch modifies the delay timer driver to switch to the ARM
      secure physical timer instead of using Tegra's on-chip uS timer.
      
      The secure timer is not accessible to the NS world and so eliminates
      an important attack vector, where the Tegra timer source gets switched
      off from the NS world leading to a DoS attack for the trusted world.
      
      This timer is shared with the S-EL1 layer for now, but later patches
      will mark it as exclusive to the EL3 exception mode.
      
      Change-Id: I2c00f8cb4c48b25578971c626c314603906ad7cc
      Signed-off-by: default avatarVarun Wadekar <vwadekar@nvidia.com>
      dd4f0885
    • Varun Wadekar's avatar
      include: move MHZ_TICKS_PER_SEC to utils_def.h · d4b29105
      Varun Wadekar authored
      
      
      This patch moves the MHZ_TICKS_PER_SEC macro to utils_def.h
      for other platforms to use.
      Signed-off-by: default avatarVarun Wadekar <vwadekar@nvidia.com>
      Change-Id: I6c4dc733f548d73cfdb3515ec9ad89a9efaf4407
      d4b29105