1. 06 Mar, 2020 2 commits
    • Sumit Garg's avatar
      Makefile: Add support to optionally encrypt BL31 and BL32 · c6ba9b45
      Sumit Garg authored
      
      
      Following build flags have been added to support optional firmware
      encryption:
      
      - FW_ENC_STATUS: Top level firmware's encryption numeric flag, values:
          0: Encryption is done with Secret Symmetric Key (SSK) which is
             common for a class of devices.
          1: Encryption is done with Binding Secret Symmetric Key (BSSK) which
             is unique per device.
      
      - ENC_KEY: A 32-byte (256-bit) symmetric key in hex string format. It
          could be SSK or BSSK depending on FW_ENC_STATUS flag.
      
      - ENC_NONCE: A 12-byte (96-bit) encryption nonce or Initialization Vector
          (IV) in hex string format.
      
      - ENCRYPT_BL31: Binary flag to enable encryption of BL31 firmware.
      
      - ENCRYPT_BL32: Binary flag to enable encryption of Secure BL32 payload.
      
      Similar flags can be added to encrypt other firmwares as well depending
      on use-cases.
      Signed-off-by: default avatarSumit Garg <sumit.garg@linaro.org>
      Change-Id: I94374d6830ad5908df557f63823e58383d8ad670
      c6ba9b45
    • Sumit Garg's avatar
      drivers: crypto: Add authenticated decryption framework · 7cda17bb
      Sumit Garg authored
      
      
      Add framework for autheticated decryption of data. Currently this
      patch optionally imports mbedtls library as a backend if build option
      "DECRYPTION_SUPPORT = aes_gcm" is set to perform authenticated decryption
      using AES-GCM algorithm.
      Signed-off-by: default avatarSumit Garg <sumit.garg@linaro.org>
      Change-Id: I2966f0e79033151012bf4ffc66f484cd949e7271
      7cda17bb
  2. 03 Mar, 2020 1 commit
  3. 02 Mar, 2020 1 commit
  4. 27 Feb, 2020 1 commit
  5. 24 Feb, 2020 2 commits
    • Petre-Ionut Tudor's avatar
      Read-only xlat tables for BL31 memory · 60e8f3cf
      Petre-Ionut Tudor authored
      
      
      This patch introduces a build flag which allows the xlat tables
      to be mapped in a read-only region within BL31 memory. It makes it
      much harder for someone who has acquired the ability to write to
      arbitrary secure memory addresses to gain control of the
      translation tables.
      
      The memory attributes of the descriptors describing the tables
      themselves are changed to read-only secure data. This change
      happens at the end of BL31 runtime setup. Until this point, the
      tables have read-write permissions. This gives a window of
      opportunity for changes to be made to the tables with the MMU on
      (e.g. reclaiming init code). No changes can be made to the tables
      with the MMU turned on from this point onwards. This change is also
      enabled for sp_min and tspd.
      
      To make all this possible, the base table was moved to .rodata. The
      penalty we pay is that now .rodata must be aligned to the size of
      the base table (512B alignment). Still, this is better than putting
      the base table with the higher level tables in the xlat_table
      section, as that would cost us a full 4KB page.
      
      Changing the tables from read-write to read-only cannot be done with
      the MMU on, as the break-before-make sequence would invalidate the
      descriptor which resolves the level 3 page table where that very
      descriptor is located. This would make the translation required for
      writing the changes impossible, generating an MMU fault.
      
      The caches are also flushed.
      Signed-off-by: default avatarPetre-Ionut Tudor <petre-ionut.tudor@arm.com>
      Change-Id: Ibe5de307e6dc94c67d6186139ac3973516430466
      60e8f3cf
    • Sandrine Bailleux's avatar
      Build system: Changes to drive cert_create for dualroot CoT · 53b985a0
      Sandrine Bailleux authored
      
      
      The build system needs to drive the cert_create tool in a slightly
      different manner when using the dualroot chain of trust.
      
       - It needs to pass it the platform root of trust key file.
      
       - It must not try to generate the Non-Trusted Firmware Key Certificate,
         which is not part of the dualroot CoT.
      
      Change-Id: Ibcc821c5735765523730f861ae8230208f41302b
      Signed-off-by: default avatarSandrine Bailleux <sandrine.bailleux@arm.com>
      53b985a0
  6. 18 Feb, 2020 1 commit
  7. 07 Feb, 2020 1 commit
    • Louis Mayencourt's avatar
      fconf: Move platform io policies into fconf · 0a6e7e3b
      Louis Mayencourt authored
      
      
      Use the firmware configuration framework to store the io_policies
      information inside the configuration device tree instead of the static
      structure in the code base.
      
      The io_policies required by BL1 can't be inside the dtb, as this one is
      loaded by BL1, and only available at BL2.
      
      This change currently only applies to FVP platform.
      
      Change-Id: Ic9c1ac3931a4a136aa36f7f58f66d3764c1bfca1
      Signed-off-by: default avatarLouis Mayencourt <louis.mayencourt@arm.com>
      0a6e7e3b
  8. 29 Jan, 2020 1 commit
  9. 28 Jan, 2020 1 commit
  10. 24 Jan, 2020 1 commit
    • Masahiro Yamada's avatar
      Build: support per-BL LDFLAGS · d986bae4
      Masahiro Yamada authored
      
      
      make_helpers/build_macros.mk supports per-BL CFLAGS. For example,
      you can pass compiler flags only to BL31 by using BL31_CFLAGS.
      
      This commit adds per-BL LDFLAGS support, which is useful as well.
      
      My main motivation of this addition is to use it for ENABLE_PIE.
      When ENABLE_PIE is enabled, some linker flags are added to TF_LDFLAGS,
      which affects all the TF images. It will make more sense to pass the
      relevant options only to BL images that support it.
      
      Change-Id: I203acaab0091db5ae0ea6e66460ee7dc8d9c4d75
      Signed-off-by: default avatarMasahiro Yamada <yamada.masahiro@socionext.com>
      d986bae4
  11. 14 Jan, 2020 1 commit
    • Balint Dobszay's avatar
      Replace dts includes with C preprocessor syntax · 2d51b55e
      Balint Dobszay authored
      
      
      Using the /include/ syntax, the include was evaluated by dtc, only after running
      the preprocessor, therefore the .dtsi files were not preprocessed. This patch
      adds the #include syntax instead. Evaluating this and preprocessing the files
      now happens in a single step, done by the C preprocessor.
      
      Change-Id: I6d0104b6274316fc736e84973502a4d6c2c9d6e0
      Signed-off-by: default avatarBalint Dobszay <balint.dobszay@arm.com>
      2d51b55e
  12. 29 Dec, 2019 1 commit
    • Samuel Holland's avatar
      bl31: Split into two separate memory regions · f8578e64
      Samuel Holland authored
      
      
      Some platforms are extremely memory constrained and must split BL31
      between multiple non-contiguous areas in SRAM. Allow the NOBITS
      sections (.bss, stacks, page tables, and coherent memory) to be placed
      in a separate region of RAM from the loaded firmware image.
      
      Because the NOBITS region may be at a lower address than the rest of
      BL31, __RW_{START,END}__ and __BL31_{START,END}__ cannot include this
      region, or el3_entrypoint_common would attempt to invalidate the dcache
      for the entire address space. New symbols __NOBITS_{START,END}__ are
      added when SEPARATE_NOBITS_REGION is enabled, and the dcached for the
      NOBITS region is invalidated separately.
      Signed-off-by: default avatarSamuel Holland <samuel@sholland.org>
      Change-Id: Idedfec5e4dbee77e94f2fdd356e6ae6f4dc79d37
      f8578e64
  13. 20 Dec, 2019 2 commits
    • Paul Beesley's avatar
      spm: Remove SPM Alpha 1 prototype and support files · 538b0020
      Paul Beesley authored
      
      
      The Secure Partition Manager (SPM) prototype implementation is
      being removed. This is preparatory work for putting in place a
      dispatcher component that, in turn, enables partition managers
      at S-EL2 / S-EL1.
      
      This patch removes:
      
      - The core service files (std_svc/spm)
      - The Resource Descriptor headers (include/services)
      - SPRT protocol support and service definitions
      - SPCI protocol support and service definitions
      
      Change-Id: Iaade6f6422eaf9a71187b1e2a4dffd7fb8766426
      Signed-off-by: default avatarPaul Beesley <paul.beesley@arm.com>
      Signed-off-by: default avatarArtsem Artsemenka <artsem.artsemenka@arm.com>
      538b0020
    • Paul Beesley's avatar
      Remove dependency between SPM_MM and ENABLE_SPM build flags · 3f3c341a
      Paul Beesley authored
      
      
      There are two different implementations of Secure Partition
      management in TF-A. One is based on the "Management Mode" (MM)
      design, the other is based on the Secure Partition Client Interface
      (SPCI) specification. Currently there is a dependency between their
      build flags that shouldn't exist, making further development
      harder than it should be. This patch removes that
      dependency, making the two flags function independently.
      
      Before: ENABLE_SPM=1 is required for using either implementation.
              By default, the SPCI-based implementation is enabled and
              this is overridden if SPM_MM=1.
      
      After: ENABLE_SPM=1 enables the SPCI-based implementation.
             SPM_MM=1 enables the MM-based implementation.
             The two build flags are mutually exclusive.
      
      Note that the name of the ENABLE_SPM flag remains a bit
      ambiguous - this will be improved in a subsequent patch. For this
      patch the intention was to leave the name as-is so that it is
      easier to track the changes that were made.
      
      Change-Id: I8e64ee545d811c7000f27e8dc8ebb977d670608a
      Signed-off-by: default avatarPaul Beesley <paul.beesley@arm.com>
      3f3c341a
  14. 17 Dec, 2019 1 commit
    • Olivier Deprez's avatar
      debugfs: add 9p device interface · 0ca3913d
      Olivier Deprez authored
      
      
      The 9p interface provides abstraction layers allowing the software
      that uses devices to be independent from the hardware.
      
      This patch provides a file system abstraction to link drivers to their
      devices and propose a common interface to expose driver operations to
      higher layers. This file system can be used to access and configure a
      device by doing read/write operations.
      Signed-off-by: default avatarAmbroise Vincent <ambroise.vincent@arm.com>
      Signed-off-by: default avatarOlivier Deprez <olivier.deprez@arm.com>
      Change-Id: Ia9662393baf489855dc0c8f389fe4a0afbc9c255
      0ca3913d
  15. 02 Dec, 2019 1 commit
    • zelalem-aweke's avatar
      Enable Link Time Optimization in GCC · edbce9aa
      zelalem-aweke authored
      
      
      This patch enables LTO for TF-A when compiled with GCC.
      LTO is disabled by default and is enabled by
      ENABLE_LTO=1 build option.
      
      LTO is enabled only for aarch64 as there seem to be
      a bug in the aarch32 compiler when LTO is enabled.
      
      The changes in the makefiles include:
      - Adding -flto and associated flags to enable LTO.
      - Using gcc as a wrapper at link time instead of ld.
        This is recommended when using LTO as gcc internally
        takes care of invoking the necessary plugins for LTO.
      - Adding switches to pass options to ld.
      - Adding a flag to disable fix for erratum cortex-a53-843419
        unless explicitly enabled. This is needed because GCC
        seem to automatically add the erratum fix when used
        as a wrapper for LD.
      
      Additionally, this patch updates the TF-A user guide with
      the new build option.
      Signed-off-by: default avatarzelalem-aweke <zelalem.aweke@arm.com>
      Change-Id: I1188c11974da98434b7dc9344e058cd1eacf5468
      edbce9aa
  16. 04 Oct, 2019 1 commit
    • Soby Mathew's avatar
      Fix the CAS spinlock implementation · c97cba4e
      Soby Mathew authored
      
      
      Make the spinlock implementation use ARMv8.1-LSE CAS instruction based
      on a platform build option. The CAS-based implementation used to be
      unconditionally selected for all ARM8.1+ platforms.
      
      The previous CAS spinlock implementation had a bug wherein the spin_unlock()
      implementation had an `sev` after `stlr` which is not sufficient. A dsb is
      needed to ensure that the stlr completes prior to the sev. Having a dsb is
      heavyweight and a better solution would be to use load exclusive semantics
      to monitor the lock and wake up from wfe when a store happens to the lock.
      The patch implements the same.
      
      Change-Id: I5283ce4a889376e4cc01d1b9d09afa8229a2e522
      Signed-off-by: default avatarSoby Mathew <soby.mathew@arm.com>
      Signed-off-by: default avatarOlivier Deprez <olivier.deprez@arm.com>
      c97cba4e
  17. 12 Sep, 2019 2 commits
  18. 11 Sep, 2019 1 commit
    • Justin Chadwell's avatar
      Add UBSAN support and handlers · 1f461979
      Justin Chadwell authored
      
      
      This patch adds support for the Undefined Behaviour sanitizer. There are
      two types of support offered - minimalistic trapping support which
      essentially immediately crashes on undefined behaviour and full support
      with full debug messages.
      
      The full support relies on ubsan.c which has been adapted from code used
      by OPTEE.
      
      Change-Id: I417c810f4fc43dcb56db6a6a555bfd0b38440727
      Signed-off-by: default avatarJustin Chadwell <justin.chadwell@arm.com>
      1f461979
  19. 09 Sep, 2019 1 commit
    • Justin Chadwell's avatar
      Enable MTE support in both secure and non-secure worlds · 9dd94382
      Justin Chadwell authored
      
      
      This patch adds support for the new Memory Tagging Extension arriving in
      ARMv8.5. MTE support is now enabled by default on systems that support
      at EL0. To enable it at ELx for both the non-secure and the secure
      world, the compiler flag CTX_INCLUDE_MTE_REGS includes register saving
      and restoring when necessary in order to prevent register leakage
      between the worlds.
      
      Change-Id: I2d4ea993d6b11654ea0d4757d00ca20d23acf36c
      Signed-off-by: default avatarJustin Chadwell <justin.chadwell@arm.com>
      9dd94382
  20. 01 Aug, 2019 2 commits
    • Julius Werner's avatar
      Switch AARCH32/AARCH64 to __aarch64__ · 402b3cf8
      Julius Werner authored
      
      
      NOTE: AARCH32/AARCH64 macros are now deprecated in favor of __aarch64__.
      
      All common C compilers pre-define the same macros to signal which
      architecture the code is being compiled for: __arm__ for AArch32 (or
      earlier versions) and __aarch64__ for AArch64. There's no need for TF-A
      to define its own custom macros for this. In order to unify code with
      the export headers (which use __aarch64__ to avoid another dependency),
      let's deprecate the AARCH32 and AARCH64 macros and switch the code base
      over to the pre-defined standard macro. (Since it is somewhat
      unintuitive that __arm__ only means AArch32, let's standardize on only
      using __aarch64__.)
      
      Change-Id: Ic77de4b052297d77f38fc95f95f65a8ee70cf200
      Signed-off-by: default avatarJulius Werner <jwerner@chromium.org>
      402b3cf8
    • Julius Werner's avatar
      Replace __ASSEMBLY__ with compiler-builtin __ASSEMBLER__ · d5dfdeb6
      Julius Werner authored
      
      
      NOTE: __ASSEMBLY__ macro is now deprecated in favor of __ASSEMBLER__.
      
      All common C compilers predefine a macro called __ASSEMBLER__ when
      preprocessing a .S file. There is no reason for TF-A to define it's own
      __ASSEMBLY__ macro for this purpose instead. To unify code with the
      export headers (which use __ASSEMBLER__ to avoid one extra dependency),
      let's deprecate __ASSEMBLY__ and switch the code base over to the
      predefined standard.
      
      Change-Id: Id7d0ec8cf330195da80499c68562b65cb5ab7417
      Signed-off-by: default avatarJulius Werner <jwerner@chromium.org>
      d5dfdeb6
  21. 28 Jun, 2019 1 commit
  22. 26 Jun, 2019 1 commit
  23. 24 May, 2019 1 commit
    • Alexei Fedorov's avatar
      Add support for Branch Target Identification · 9fc59639
      Alexei Fedorov authored
      
      
      This patch adds the functionality needed for platforms to provide
      Branch Target Identification (BTI) extension, introduced to AArch64
      in Armv8.5-A by adding BTI instruction used to mark valid targets
      for indirect branches. The patch sets new GP bit [50] to the stage 1
      Translation Table Block and Page entries to denote guarded EL3 code
      pages which will cause processor to trap instructions in protected
      pages trying to perform an indirect branch to any instruction other
      than BTI.
      BTI feature is selected by BRANCH_PROTECTION option which supersedes
      the previous ENABLE_PAUTH used for Armv8.3-A Pointer Authentication
      and is disabled by default. Enabling BTI requires compiler support
      and was tested with GCC versions 9.0.0, 9.0.1 and 10.0.0.
      The assembly macros and helpers are modified to accommodate the BTI
      instruction.
      This is an experimental feature.
      Note. The previous ENABLE_PAUTH build option to enable PAuth in EL3
      is now made as an internal flag and BRANCH_PROTECTION flag should be
      used instead to enable Pointer Authentication.
      Note. USE_LIBROM=1 option is currently not supported.
      
      Change-Id: Ifaf4438609b16647dc79468b70cd1f47a623362e
      Signed-off-by: default avatarAlexei Fedorov <Alexei.Fedorov@arm.com>
      9fc59639
  24. 02 May, 2019 1 commit
    • Christoph Müllner's avatar
      build_macros: Add mechanism to prevent bin generation. · 9e4609f1
      Christoph Müllner authored
      
      
      On certain platforms it does not make sense to generate
      TF-A binary images. For example a platform could make use of serveral
      memory areas, which are non-continuous and the resulting binary
      therefore would suffer from the padding-bytes.
      Typically these platforms use the ELF image.
      
      This patch introduces a variable DISABLE_BIN_GENERATION, which
      can be set to '1' in the platform makefile to prevent the binary
      generation.
      Signed-off-by: default avatarChristoph Müllner <christophm30@gmail.com>
      Change-Id: I62948e88bab685bb055fe6167d9660d14e604462
      9e4609f1
  25. 28 Feb, 2019 1 commit
  26. 27 Feb, 2019 3 commits
    • Varun Wadekar's avatar
      Tegra: Support for scatterfile for the BL31 image · c2ad38ce
      Varun Wadekar authored
      
      
      This patch provides support for using the scatterfile format as
      the linker script with the 'armlink' linker for Tegra platforms.
      
      In order to enable the scatterfile usage the following changes
      have been made:
      
      * provide mapping for ld.S symbols in bl_common.h
      * include bl_common.h from all the affected files
      * update the makefile rules to use the scatterfile and armlink
        to compile BL31
      * update pubsub.h to add sections to the scatterfile
      
      NOTE: THIS CHANGE HAS BEEN VERIFIED WITH TEGRA PLATFORMS ONLY.
      
      Change-Id: I7bb78b991c97d74a842e5635c74cb0b18e0fce67
      Signed-off-by: default avatarVarun Wadekar <vwadekar@nvidia.com>
      c2ad38ce
    • Antonio Nino Diaz's avatar
      Add support for pointer authentication · b86048c4
      Antonio Nino Diaz authored
      
      
      The previous commit added the infrastructure to load and save
      ARMv8.3-PAuth registers during Non-secure <-> Secure world switches, but
      didn't actually enable pointer authentication in the firmware.
      
      This patch adds the functionality needed for platforms to provide
      authentication keys for the firmware, and a new option (ENABLE_PAUTH) to
      enable pointer authentication in the firmware itself. This option is
      disabled by default, and it requires CTX_INCLUDE_PAUTH_REGS to be
      enabled.
      
      Change-Id: I35127ec271e1198d43209044de39fa712ef202a5
      Signed-off-by: default avatarAntonio Nino Diaz <antonio.ninodiaz@arm.com>
      b86048c4
    • Antonio Nino Diaz's avatar
      Add ARMv8.3-PAuth registers to CPU context · 5283962e
      Antonio Nino Diaz authored
      
      
      ARMv8.3-PAuth adds functionality that supports address authentication of
      the contents of a register before that register is used as the target of
      an indirect branch, or as a load.
      
      This feature is supported only in AArch64 state.
      
      This feature is mandatory in ARMv8.3 implementations.
      
      This feature adds several registers to EL1. A new option called
      CTX_INCLUDE_PAUTH_REGS has been added to select if the TF needs to save
      them during Non-secure <-> Secure world switches. This option must be
      enabled if the hardware has the registers or the values will be leaked
      during world switches.
      
      To prevent leaks, this patch also disables pointer authentication in the
      Secure world if CTX_INCLUDE_PAUTH_REGS is 0. Any attempt to use it will
      be trapped in EL3.
      
      Change-Id: I27beba9907b9a86c6df1d0c5bf6180c972830855
      Signed-off-by: default avatarAntonio Nino Diaz <antonio.ninodiaz@arm.com>
      5283962e
  27. 19 Feb, 2019 1 commit
  28. 08 Feb, 2019 1 commit
  29. 05 Feb, 2019 1 commit
  30. 30 Jan, 2019 1 commit
  31. 24 Jan, 2019 1 commit
    • Manish Pandey's avatar
      Make device tree pre-processing similar to U-boot/Linux · 7e94a699
      Manish Pandey authored
      
      
      Following changes are done to make DT pre-processing similar to that of
      U-boot/Linux kernel.
      
      1. Creating seperate CPPFLAGS for DT preprocessing so that compiler
      options specific to it can be accommodated.
      e.g: "-undef" compiler option avoids replacing "linux" string(used in
      device trees) with "1" as "linux" is a pre-defined macro in gnu99
      standard.
      
      2. Replace CPP with PP for DT pre-processing, as CPP in U-boot/Linux is
      exported as "${CROSS_COMPILE}gcc -E" while in TF-A it is exported as
      "${CROSS_COMPILE}cpp".
      
      Change-Id: If4c61a249d51614d9f53ae30b602036d50c02349
      Signed-off-by: default avatarManish Pandey <manish.pandey2@arm.com>
      7e94a699
  32. 22 Jan, 2019 1 commit
  33. 10 Jan, 2019 1 commit