1. 24 May, 2017 1 commit
    • Antonio Nino Diaz's avatar
      mbedtls: Use `MBEDTLS_SHA256_SMALLER` in ARM platforms · d77b98ca
      Antonio Nino Diaz authored
      
      
      This options enables an implementation of SHA-256 that has a smaller
      code footprint (~1.6 KB less) but is also ~30% slower. For ARM
      platforms, code size is currently considered more important than
      execution speed in the mbed TLS crypto module.
      
      Added a small note about this option to the documentation of the
      authentication framework.
      
      Change-Id: I4c0b221ea5d3466465261316ba07b627fa01b233
      Signed-off-by: default avatarAntonio Nino Diaz <antonio.ninodiaz@arm.com>
      d77b98ca
  2. 16 May, 2017 1 commit
  3. 15 May, 2017 2 commits
  4. 12 May, 2017 2 commits
  5. 11 May, 2017 1 commit
  6. 04 May, 2017 1 commit
    • Jeenu Viswambharan's avatar
      Introduce ARM SiP service to switch execution state · b10d4499
      Jeenu Viswambharan authored
      
      
      In AArch64, privileged exception levels control the execution state
      (a.k.a. register width) of the immediate lower Exception Level; i.e.
      whether the lower exception level executes in AArch64 or AArch32 state.
      For an exception level to have its execution state changed at run time,
      it must request the change by raising a synchronous exception to the
      higher exception level.
      
      This patch implements and adds such a provision to the ARM SiP service,
      by which an immediate lower exception level can request to switch its
      execution state. The execution state is switched if the request is:
      
        - raised from non-secure world;
      
        - raised on the primary CPU, before any secondaries are brought online
          with CPU_ON PSCI call;
      
        - raised from an exception level immediately below EL3: EL2, if
          implemented; otherwise NS EL1.
      
      If successful, the SMC doesn't return to the caller, but to the entry
      point supplied with the call. Otherwise, the caller will observe the SMC
      returning with STATE_SW_E_DENIED code. If ARM Trusted Firmware is built
      for AArch32, the feature is not supported, and the call will always
      fail.
      
      For the ARM SiP service:
      
        - Add SMC function IDs for both AArch32 and AArch64;
        - Increment the SiP service minor version to 2;
        - Adjust the number of supported SiP service calls.
      
      Add documentation for ARM SiP service.
      
      Fixes ARM-software/tf-issues#436
      
      Change-Id: I4347f2d6232e69fbfbe333b340fcd0caed0a4cea
      Signed-off-by: default avatarJeenu Viswambharan <jeenu.viswambharan@arm.com>
      b10d4499
  7. 03 May, 2017 1 commit
  8. 02 May, 2017 1 commit
  9. 29 Apr, 2017 1 commit
    • Scott Branden's avatar
      Move defines in utils.h to utils_def.h to fix shared header compile issues · 53d9c9c8
      Scott Branden authored
      
      
      utils.h is included in various header files for the defines in it.
      Some of the other header files only contain defines.  This allows the
      header files to be shared between host and target builds for shared defines.
      
      Recently types.h has been included in utils.h as well as some function
      prototypes.
      
      Because of the inclusion of types.h conflicts exist building host tools
      abd these header files now.  To solve this problem,
      move the defines to utils_def.h and have this included by utils.h and
      change header files to only include utils_def.h and not pick up the new
      types.h being introduced.
      
      Fixes ARM-software/tf-issues#461
      Signed-off-by: default avatarScott Branden <scott.branden@broadcom.com>
      
      Remove utils_def.h from utils.h
      
      This patch removes utils_def.h from utils.h as it is not required.
      And also makes a minor change to ensure Juno platform compiles.
      
      Change-Id: I10cf1fb51e44a8fa6dcec02980354eb9ecc9fa29
      53d9c9c8
  10. 24 Apr, 2017 1 commit
    • Soby Mathew's avatar
      CSS: Allow system suspend only via PSCI SYSTEM_SUSPEND API · abd2aba9
      Soby Mathew authored
      
      
      The CSS power management layer previously allowed to suspend system
      power domain level via both PSCI CPU_SUSPEND and PSCI SYSTEM_SUSPEND
      APIs. System suspend via PSCI CPU_SUSPEND was always problematic to
      support because of issues with targeting wakeup interrupts to
      suspended cores before the per-cpu GIC initialization is done. This
      is not the case for PSCI SYSTEM_SUSPEND API because all the other
      cores are expected to be offlined prior to issuing system suspend and
      PSCI CPU_ON explicit calls will be made to power them on. Hence the Juno
      platform used to downgrade the PSCI CPU_SUSPEND request for system
      power domain level to cluster level by overriding the default
      `plat_psci_pm_ops` exported by CSS layer.
      
      Given the direction the new CSS platforms are evolving, it is best to
      limit the system suspend only via PSCI SYSTEM_SUSPEND API for all
      CSS platforms. This patch makes changes to allow system suspend
      only via PSCI SYSTEM_SUSPEND API. The override of `plat_psci_ops`
      for Juno is removed.
      
      Change-Id: Idb30eaad04890dd46074e9e888caeedc50a4b533
      Signed-off-by: default avatarSoby Mathew <soby.mathew@arm.com>
      abd2aba9
  11. 20 Apr, 2017 3 commits
    • Yatharth Kochar's avatar
      AArch32: Add SP_MIN support for JUNO · 6f249345
      Yatharth Kochar authored
      
      
      This patch adds support for SP_MIN on JUNO platform.
      The changes include addition of AArch32 assembly files,
      JUNO specific SP_MIN make file and miscellaneous changes
      in ARM platform files to enable support for SP_MIN.
      
      Change-Id: Id1303f422fc9b98b9362c757b1a4225a16fffc0b
      Signed-off-by: default avatarYatharth Kochar <yatharth.kochar@arm.com>
      Signed-off-by: default avatardp-arm <dimitris.papastamos@arm.com>
      6f249345
    • Yatharth Kochar's avatar
      Changes to support execution in AArch32 state for JUNO · 07570d59
      Yatharth Kochar authored
      
      
      Following steps are required to boot JUNO in AArch32 state:
      1> BL1, in AArch64 state, loads BL2.
      2> BL2, in AArch64 state, initializes DDR.
        Loads SP_MIN & BL33 (AArch32 executable)images.
        Calls RUN_IMAGE SMC to go back to BL1.
      3> BL1 writes AArch32 executable opcodes, to load and branch
        at the entrypoint address of SP_MIN, at HI-VECTOR address and
        then request for warm reset in AArch32 state using RMR_EL3.
      
      This patch makes following changes to facilitate above steps:
      * Added assembly function to carry out step 3 above.
      * Added region in TZC that enables Secure access to the
        HI-VECTOR(0xFFFF0000) address space.
      * AArch32 image descriptor is used, in BL2, to load
        SP_MIN and BL33 AArch32 executable images.
      
      A new flag `JUNO_AARCH32_EL3_RUNTIME` is introduced that
      controls above changes. By default this flag is disabled.
      
      NOTE: BL1 and BL2 are not supported in AArch32 state for JUNO.
      
      Change-Id: I091d56a0e6d36663e6d9d2bb53c92c672195d1ec
      Signed-off-by: default avatarYatharth Kochar <yatharth.kochar@arm.com>
      Signed-off-by: default avatardp-arm <dimitris.papastamos@arm.com>
      07570d59
    • dp-arm's avatar
      css: Ensure PSCI system off/reset is not interrupted · 0498343a
      dp-arm authored
      
      
      If there is a pending interrupt, it is possible for the AP to come out
      of the final WFI before SCP has a chance to act on it.  Prevent this
      by disabling the GIC CPU interface before issuing a WFI.
      
      Previously, SCP would not wait on WFI before taking an action but
      would shut down the core or system regardless.
      
      Change-Id: Ib0bcf69a515d540ed4f73c11e40ec7c863e39c92
      Signed-off-by: default avatardp-arm <dimitris.papastamos@arm.com>
      0498343a
  12. 19 Apr, 2017 1 commit
    • Antonio Nino Diaz's avatar
      ARM platforms: Add option to use xlat tables lib v1 · 3b211ff5
      Antonio Nino Diaz authored
      
      
      ARM platforms have migrated to the translation tables library v2.
      However, for testing purposes, it can be useful to temporarily switch
      back to the old version.
      
      This patch introduces the option `ARM_XLAT_TABLES_LIB_V1`, that switches
      to v1 of the library when is set to 1. By default, it is 0, so that ARM
      platforms use the new version unless specifically stated.
      
      Updated User Guide.
      
      Change-Id: I53d3c8dd97706f6af9c6fca0364a88ef341efd31
      Signed-off-by: default avatarAntonio Nino Diaz <antonio.ninodiaz@arm.com>
      3b211ff5
  13. 05 Apr, 2017 1 commit
    • Masahiro Yamada's avatar
      Build: add generic way to include SCP_BL2 into FIP image · 4d045d0e
      Masahiro Yamada authored
      
      
      If SCP_BL2 is passed in from the command line, it is recognized by
      make_helpers/tbbr/tbbr_tools.mk, and the cert_create tool generates
      the corresponding key and content certificates.
      
      On the other hand, the top-level Makefile does not care SCP_BL2, so
      the --scp-fw option is not passed to the fiptool.  As far as I see
      plat/arm/css/common/css_common.mk, it looks like a platform's job to
      add $(eval $(call FIP_ADD_IMG,SCP_BL2,--scp-fw)).
      
      We can make the top-level Makefile kind enough to take care of it.
      This is useful when we want to have optional SCP_BL2 firmware.
      
      Adjust css_common.mk so that Juno still requires SCP_BL2 by default.
      Signed-off-by: default avatarMasahiro Yamada <yamada.masahiro@socionext.com>
      4d045d0e
  14. 03 Apr, 2017 1 commit
    • Douglas Raillard's avatar
      Fix ARM_BL31_IN_DRAM build · f9608bc8
      Douglas Raillard authored
      
      
      Some header files using the ULL() macro were not directly including
      utils.h where the macro definition resides. As a consequence, a linker
      script with values using this macro did not see the macro definition
      and kept the "ULL(<value>)" call in the preprocessed file, which lead to
      link error.
      
      Files using ULL() macro now include utils.h directly.
      
      Change-Id: I433a7f36bd21a156c20e69bc2a2bb406140ebdf9
      Signed-off-by: default avatarDouglas Raillard <douglas.raillard@arm.com>
      f9608bc8
  15. 31 Mar, 2017 4 commits
    • dp-arm's avatar
      Juno: Initialize stack protector canary from the trusted entropy source · e6d2aea1
      dp-arm authored
      
      
      Change-Id: I7f3e4bfd46613c6311ba4015d56705414fd6feab
      Signed-off-by: default avatardp-arm <dimitris.papastamos@arm.com>
      e6d2aea1
    • dp-arm's avatar
      Juno: Introduce juno_getentropy(void *buf, size_t len) · df9a39ea
      dp-arm authored
      
      
      This function fills the buffer (first argument) with the specified
      number of bytes (second argument) from the trusted entropy source.
      
      This function will be used to initialize the stack protector canary.
      
      Change-Id: Iff15aaf4778c13fa883ecb5528fcf9b8479d4489
      Signed-off-by: default avatardp-arm <dimitris.papastamos@arm.com>
      df9a39ea
    • Douglas Raillard's avatar
      Add support for GCC stack protection · 51faada7
      Douglas Raillard authored
      
      
      Introduce new build option ENABLE_STACK_PROTECTOR. It enables
      compilation of all BL images with one of the GCC -fstack-protector-*
      options.
      
      A new platform function plat_get_stack_protector_canary() is introduced.
      It returns a value that is used to initialize the canary for stack
      corruption detection. Returning a random value will prevent an attacker
      from predicting the value and greatly increase the effectiveness of the
      protection.
      
      A message is printed at the ERROR level when a stack corruption is
      detected.
      
      To be effective, the global data must be stored at an address
      lower than the base of the stacks. Failure to do so would allow an
      attacker to overwrite the canary as part of an attack which would void
      the protection.
      
      FVP implementation of plat_get_stack_protector_canary is weak as
      there is no real source of entropy on the FVP. It therefore relies on a
      timer's value, which could be predictable.
      
      Change-Id: Icaaee96392733b721fa7c86a81d03660d3c1bc06
      Signed-off-by: default avatarDouglas Raillard <douglas.raillard@arm.com>
      51faada7
    • Antonio Nino Diaz's avatar
      Add and use plat_crash_console_flush() API · 801cf93c
      Antonio Nino Diaz authored
      
      
      This API makes sure that all the characters sent to the crash console
      are output before returning from it.
      
      Porting guide updated.
      
      Change-Id: I1785f970a40f6aacfbe592b6a911b1f249bb2735
      Signed-off-by: default avatarAntonio Nino Diaz <antonio.ninodiaz@arm.com>
      801cf93c
  16. 30 Mar, 2017 1 commit
  17. 27 Mar, 2017 1 commit
    • Summer Qin's avatar
      ARM platforms: Add support for MT bit in MPIDR · d8d6cf24
      Summer Qin authored
      
      
      This patch modifies some of the functions in ARM platform layer to cater
      for the case when multi-threading `MT` is set in MPIDR. A new build flag
      `ARM_PLAT_MT` is added, and when enabled, the functions accessing MPIDR
      now assume that the `MT` bit is set for the platform and access the bit
      fields accordingly.
      
      Also, a new API plat_arm_get_cpu_pe_count is added when `ARM_PLAT_MT` is
      enabled, returning the PE count within the physical cpu corresponding to
      `mpidr`.
      
      Change-Id: I04ccf212ac3054a60882761f4087bae299af13cb
      Signed-off-by: default avatarSummer Qin <summer.qin@arm.com>
      d8d6cf24
  18. 20 Mar, 2017 2 commits
    • dp-arm's avatar
      Move plat/common source file definitions to generic Makefiles · 75311203
      dp-arm authored
      
      
      These source file definitions should be defined in generic
      Makefiles so that all platforms can benefit. Ensure that the
      symbols are properly marked as weak so they can be overridden
      by platforms.
      
      NOTE: This change is a potential compatibility break for
      non-upstream platforms.
      
      Change-Id: I7b892efa9f2d6d216931360dc6c436e1d10cffed
      Signed-off-by: default avatardp-arm <dimitris.papastamos@arm.com>
      75311203
    • Andre Przywara's avatar
      Add workaround for ARM Cortex-A53 erratum 855873 · b75dc0e4
      Andre Przywara authored
      
      
      ARM erratum 855873 applies to all Cortex-A53 CPUs.
      The recommended workaround is to promote "data cache clean"
      instructions to "data cache clean and invalidate" instructions.
      For core revisions of r0p3 and later this can be done by setting a bit
      in the CPUACTLR_EL1 register, so that hardware takes care of the promotion.
      As CPUACTLR_EL1 is both IMPLEMENTATION DEFINED and can be trapped to EL3,
      we set the bit in firmware.
      Also we dump this register upon crashing to provide more debug
      information.
      
      Enable the workaround for the Juno boards.
      
      Change-Id: I3840114291958a406574ab6c49b01a9d9847fec8
      Signed-off-by: default avatarAndre Przywara <andre.przywara@arm.com>
      b75dc0e4
  19. 08 Mar, 2017 2 commits
    • Antonio Nino Diaz's avatar
      ARM platforms: Enable xlat tables lib v2 · bf75a371
      Antonio Nino Diaz authored
      
      
      Modify ARM common makefile to use version 2 of the translation tables
      library and include the new header in C files.
      
      Simplify header dependencies related to this library to simplify the
      change.
      
      The following table contains information about the size increase in
      bytes for BL1 after applying this patch. The code has been compiled for
      different configurations of FVP in AArch64 mode with compiler GCC 4.9.3
      20150413. The sizes have been calculated with the output of `nm` by
      adding the size of all regions and comparing the total size before and
      after the change. They are sumarized in the table below:
      
                                     text   bss   data  total
              Release                +660   -20    +88   +728
              Debug                  +740   -20   +242   +962
              Debug (LOG_LEVEL=50)  +1120   -20   +317  +1417
      
      Change-Id: I539e307f158ab71e3a8b771640001fc1bf431b29
      Signed-off-by: default avatarAntonio Nino Diaz <antonio.ninodiaz@arm.com>
      bf75a371
    • Antonio Nino Diaz's avatar
      Apply workaround for errata 813419 of Cortex-A57 · ccbec91c
      Antonio Nino Diaz authored
      
      
      TLBI instructions for EL3 won't have the desired effect under specific
      circumstances in Cortex-A57 r0p0. The workaround is to execute DSB and
      TLBI twice each time.
      
      Even though this errata is only needed in r0p0, the current errata
      framework is not prepared to apply run-time workarounds. The current one
      is always applied if compiled in, regardless of the CPU or its revision.
      
      This errata has been enabled for Juno.
      
      The `DSB` instruction used when initializing the translation tables has
      been changed to `DSB ISH` as an optimization and to be consistent with
      the barriers used for the workaround.
      
      Change-Id: Ifc1d70b79cb5e0d87e90d88d376a59385667d338
      Signed-off-by: default avatarAntonio Nino Diaz <antonio.ninodiaz@arm.com>
      ccbec91c
  20. 15 Feb, 2017 1 commit
    • dp-arm's avatar
      Juno: Disable SPIDEN in release builds · 09fad498
      dp-arm authored
      
      
      On Juno, the secure privileged invasive debug authentication signal
      (SPIDEN) is controlled by board SCC registers, which by default enable
      SPIDEN.  Disable secure privileged external debug in release builds by
      programming the appropriate Juno SoC registers.
      
      Change-Id: I61045f09a47dc647bbe95e1b7a60e768f5499f49
      Signed-off-by: default avatardp-arm <dimitris.papastamos@arm.com>
      09fad498
  21. 13 Feb, 2017 1 commit
    • dp-arm's avatar
      PSCI: Decouple PSCI stat residency calculation from PMF · 04c1db1e
      dp-arm authored
      
      
      This patch introduces the following three platform interfaces:
      
      * void plat_psci_stat_accounting_start(const psci_power_state_t *state_info)
      
        This is an optional hook that platforms can implement in order
        to perform accounting before entering a low power state.  This
        typically involves capturing a timestamp.
      
      * void plat_psci_stat_accounting_stop(const psci_power_state_t *state_info)
      
        This is an optional hook that platforms can implement in order
        to perform accounting after exiting from a low power state.  This
        typically involves capturing a timestamp.
      
      * u_register_t plat_psci_stat_get_residency(unsigned int lvl,
      	const psci_power_state_t *state_info,
      	unsigned int last_cpu_index)
      
        This is an optional hook that platforms can implement in order
        to calculate the PSCI stat residency.
      
      If any of these interfaces are overridden by the platform, it is
      recommended that all of them are.
      
      By default `ENABLE_PSCI_STAT` is disabled.  If `ENABLE_PSCI_STAT`
      is set but `ENABLE_PMF` is not set then an alternative PSCI stat
      collection backend must be provided.  If both are set, then default
      weak definitions of these functions are provided, using PMF to
      calculate the residency.
      
      NOTE: Previously, platforms did not have to explicitly set
      `ENABLE_PMF` since this was automatically done by the top-level
      Makefile.
      
      Change-Id: I17b47804dea68c77bc284df15ee1ccd66bc4b79b
      Signed-off-by: default avatardp-arm <dimitris.papastamos@arm.com>
      04c1db1e
  22. 06 Feb, 2017 2 commits
    • Douglas Raillard's avatar
      Replace some memset call by zeromem · 32f0d3c6
      Douglas Raillard authored
      
      
      Replace all use of memset by zeromem when zeroing moderately-sized
      structure by applying the following transformation:
      memset(x, 0, sizeof(x)) => zeromem(x, sizeof(x))
      
      As the Trusted Firmware is compiled with -ffreestanding, it forbids the
      compiler from using __builtin_memset and forces it to generate calls to
      the slow memset implementation. Zeromem is a near drop in replacement
      for this use case, with a more efficient implementation on both AArch32
      and AArch64.
      
      Change-Id: Ia7f3a90e888b96d056881be09f0b4d65b41aa79e
      Signed-off-by: default avatarDouglas Raillard <douglas.raillard@arm.com>
      32f0d3c6
    • Douglas Raillard's avatar
      Introduce unified API to zero memory · 308d359b
      Douglas Raillard authored
      
      
      Introduce zeromem_dczva function on AArch64 that can handle unaligned
      addresses and make use of DC ZVA instruction to zero a whole block at a
      time. This zeroing takes place directly in the cache to speed it up
      without doing external memory access.
      
      Remove the zeromem16 function on AArch64 and replace it with an alias to
      zeromem. This zeromem16 function is now deprecated.
      
      Remove the 16-bytes alignment constraint on __BSS_START__ in
      firmware-design.md as it is now not mandatory anymore (it used to comply
      with zeromem16 requirements).
      
      Change the 16-bytes alignment constraints in SP min's linker script to a
      8-bytes alignment constraint as the AArch32 zeromem implementation is now
      more efficient on 8-bytes aligned addresses.
      
      Introduce zero_normalmem and zeromem helpers in platform agnostic header
      that are implemented this way:
      * AArch32:
      	* zero_normalmem: zero using usual data access
      	* zeromem: alias for zero_normalmem
      * AArch64:
      	* zero_normalmem: zero normal memory  using DC ZVA instruction
      	                  (needs MMU enabled)
      	* zeromem: zero using usual data access
      
      Usage guidelines: in most cases, zero_normalmem should be preferred.
      
      There are 2 scenarios where zeromem (or memset) must be used instead:
      * Code that must run with MMU disabled (which means all memory is
        considered device memory for data accesses).
      * Code that fills device memory with null bytes.
      
      Optionally, the following rule can be applied if performance is
      important:
      * Code zeroing small areas (few bytes) that are not secrets should use
        memset to take advantage of compiler optimizations.
      
        Note: Code zeroing security-related critical information should use
        zero_normalmem/zeromem instead of memset to avoid removal by
        compilers' optimizations in some cases or misbehaving versions of GCC.
      
      Fixes ARM-software/tf-issues#408
      
      Change-Id: Iafd9663fc1070413c3e1904e54091cf60effaa82
      Signed-off-by: default avatarDouglas Raillard <douglas.raillard@arm.com>
      308d359b
  23. 26 Jan, 2017 1 commit
    • David Cunado's avatar
      Resolve build errors flagged by GCC 6.2 · 9edac047
      David Cunado authored
      
      
      With GCC 6.2 compiler, more C undefined behaviour is being flagged as
      warnings, which result in build errors in ARM TF build.
      
      The specific issue that this patch resolves is the use of (1 << 31),
      which is predominantly used in case statements, where 1 is represented
      as a signed int. When shifted to msb the behaviour is undefined.
      
      The resolution is to specify 1 as an unsigned int using a convenience
      macro ULL(). A duplicate macro MAKE_ULL() is replaced.
      
      Fixes ARM-software/tf-issues#438
      
      Change-Id: I08e3053bbcf4c022ee2be33a75bd0056da4073e1
      Signed-off-by: default avatarDavid Cunado <david.cunado@arm.com>
      9edac047
  24. 23 Jan, 2017 2 commits
    • Masahiro Yamada's avatar
      Use #ifdef for AARCH32 instead of #if · 6af03f9c
      Masahiro Yamada authored
      
      
      One nasty part of ATF is some of boolean macros are always defined
      as 1 or 0, and the rest of them are only defined under certain
      conditions.
      
      For the former group, "#if FOO" or "#if !FOO" must be used because
      "#ifdef FOO" is always true.  (Options passed by $(call add_define,)
      are the cases.)
      
      For the latter, "#ifdef FOO" or "#ifndef FOO" should be used because
      checking the value of an undefined macro is strange.
      
      For AARCH32/AARCH64, these macros are defined in the top-level
      Makefile as follows:
      
      ifeq (${ARCH},aarch32)
              $(eval $(call add_define,AARCH32))
      else
              $(eval $(call add_define,AARCH64))
      endif
      
      This means only one of the two is defined.  So, AARCH32/AARCH64
      belongs to the latter group where we should use #ifdef or #ifndef.
      The conditionals are mostly coded correctly, but I see some mistakes.
      Signed-off-by: default avatarMasahiro Yamada <yamada.masahiro@socionext.com>
      6af03f9c
    • Masahiro Yamada's avatar
      Use #ifdef for IMAGE_BL* instead of #if · 3d8256b2
      Masahiro Yamada authored
      
      
      One nasty part of ATF is some of boolean macros are always defined
      as 1 or 0, and the rest of them are only defined under certain
      conditions.
      
      For the former group, "#if FOO" or "#if !FOO" must be used because
      "#ifdef FOO" is always true.  (Options passed by $(call add_define,)
      are the cases.)
      
      For the latter, "#ifdef FOO" or "#ifndef FOO" should be used because
      checking the value of an undefined macro is strange.
      
      Here, IMAGE_BL* is handled by make_helpers/build_macro.mk like
      follows:
      
        $(eval IMAGE := IMAGE_BL$(call uppercase,$(3)))
      
        $(OBJ): $(2)
                @echo "  CC      $$<"
                $$(Q)$$(CC) $$(TF_CFLAGS) $$(CFLAGS) -D$(IMAGE) -c $$< -o $$@
      
      This means, IMAGE_BL* is defined when building the corresponding
      image, but *undefined* for the other images.
      
      So, IMAGE_BL* belongs to the latter group where we should use #ifdef
      or #ifndef.
      Signed-off-by: default avatarMasahiro Yamada <yamada.masahiro@socionext.com>
      3d8256b2
  25. 18 Jan, 2017 2 commits
    • Masahiro Yamada's avatar
      Move BL_COHERENT_RAM_BASE/END defines to common_def.h · 47497053
      Masahiro Yamada authored
      
      
      We have lots of duplicated defines (and comment blocks too).
      Move them to include/plat/common/common_def.h.
      
      While we are here, suffix the end address with _END instead of
      _LIMIT.  The _END is a better fit to indicate the linker-derived
      real end address.
      Signed-off-by: default avatarMasahiro Yamada <yamada.masahiro@socionext.com>
      47497053
    • Masahiro Yamada's avatar
      Use *_END instead of *_LIMIT for linker derived end addresses · ecdc898d
      Masahiro Yamada authored
      
      
      The usage of _LIMIT seems odd here, so rename as follows:
        BL_CODE_LIMIT     --> BL_CODE_END
        BL_RO_DATA_LIMIT  --> BL_RO_DATA_END
        BL1_CODE_LIMIT    --> BL1_CODE_END
        BL1_RO_DATA_LIMIT --> BL1_RO_DATA_END
      
      Basically, we want to use _LIMIT and _END properly as follows:
        *_SIZE + *_MAX_SIZE = *_LIMIT
        *_SIZE + *_SIZE     = *_END
      
      The _LIMIT is generally defined by platform_def.h to indicate the
      platform-dependent memory constraint.  So, its typical usage is
        ASSERT(. <= BL31_LIMIT, "BL31 image has exceeded its limit.")
      in a linker script.
      
      On the other hand, _END is used to indicate the end address of the
      compiled image, i.e. we do not know it until the image is linked.
      
      Here, all of these macros belong to the latter, so should be
      suffixed with _END.
      Signed-off-by: default avatarMasahiro Yamada <yamada.masahiro@socionext.com>
      ecdc898d
  26. 20 Dec, 2016 1 commit
    • Sandrine Bailleux's avatar
      Fix integer overflows in BL1 FWU code · 949a52d2
      Sandrine Bailleux authored
      
      
      Before adding a base address and a size to compute the end
      address of an image to copy or authenticate, check this
      won't result in an integer overflow. If it does then consider
      the input arguments are invalid.
      
      As a result, bl1_plat_mem_check() can now safely assume the
      end address (computed as the sum of the base address and size
      of the memory region) doesn't overflow, as the validation is
      done upfront in bl1_fwu_image_copy/auth(). A debug assertion
      has been added nonetheless in the ARM implementation in order
      to help catching such problems, should bl1_plat_mem_check()
      be called in a different context in the future.
      
      Fixes TFV-1: Malformed Firmware Update SMC can result in copy
      of unexpectedly large data into secure memory
      
      Change-Id: I8b8f8dd4c8777705722c7bd0e8b57addcba07e25
      Signed-off-by: default avatarSandrine Bailleux <sandrine.bailleux@arm.com>
      Signed-off-by: default avatarDan Handley <dan.handley@arm.com>
      949a52d2
  27. 19 Dec, 2016 1 commit
  28. 15 Dec, 2016 1 commit
    • dp-arm's avatar
      tbbr: Fix updating of Non-Trusted NV counter · d35dee23
      dp-arm authored
      
      
      The previous code required that a certificate be signed with the ROT
      key before the platform's NV counter could be updated with the value
      in the certificate.  This implies that the Non-Trusted NV counter was
      not being updated for Non-Trusted content certificates, as they cannot
      be signed with the ROT key in the TBBR CoT scheme.
      
      The code is reworked to only allow updating the platform's Trusted NV
      counter when a certificate protected by the Trusted NV counter is
      signed with the ROT key.
      
      Content certificates protected by the Non-Trusted NV counter are
      allowed to update the platform's Non-Trusted NV counter, assuming
      that the certificate value is higher than the platform's value.
      
      A new optional platform API has been introduced, named
      plat_set_nv_ctr2().  Platforms may choose to implement it and perform
      additional checks based on the authentication image descriptor before
      modifying the NV counters.  A default weak implementation is available
      that just calls into plat_set_nv_ctr().
      
      Fixes ARM-software/tf-issues#426
      
      Change-Id: I4fc978fd28a3007bc0cef972ff1f69ad0413b79c
      Signed-off-by: default avatardp-arm <dimitris.papastamos@arm.com>
      d35dee23