1. 24 Feb, 2017 21 commits
  2. 31 Jan, 2017 1 commit
  3. 26 Jan, 2017 1 commit
    • David Cunado's avatar
      Resolve build errors flagged by GCC 6.2 · 9edac047
      David Cunado authored
      
      
      With GCC 6.2 compiler, more C undefined behaviour is being flagged as
      warnings, which result in build errors in ARM TF build.
      
      The specific issue that this patch resolves is the use of (1 << 31),
      which is predominantly used in case statements, where 1 is represented
      as a signed int. When shifted to msb the behaviour is undefined.
      
      The resolution is to specify 1 as an unsigned int using a convenience
      macro ULL(). A duplicate macro MAKE_ULL() is replaced.
      
      Fixes ARM-software/tf-issues#438
      
      Change-Id: I08e3053bbcf4c022ee2be33a75bd0056da4073e1
      Signed-off-by: default avatarDavid Cunado <david.cunado@arm.com>
      9edac047
  4. 24 Jan, 2017 4 commits
  5. 23 Jan, 2017 2 commits
    • Masahiro Yamada's avatar
      Use #ifdef for AARCH32 instead of #if · 6af03f9c
      Masahiro Yamada authored
      
      
      One nasty part of ATF is some of boolean macros are always defined
      as 1 or 0, and the rest of them are only defined under certain
      conditions.
      
      For the former group, "#if FOO" or "#if !FOO" must be used because
      "#ifdef FOO" is always true.  (Options passed by $(call add_define,)
      are the cases.)
      
      For the latter, "#ifdef FOO" or "#ifndef FOO" should be used because
      checking the value of an undefined macro is strange.
      
      For AARCH32/AARCH64, these macros are defined in the top-level
      Makefile as follows:
      
      ifeq (${ARCH},aarch32)
              $(eval $(call add_define,AARCH32))
      else
              $(eval $(call add_define,AARCH64))
      endif
      
      This means only one of the two is defined.  So, AARCH32/AARCH64
      belongs to the latter group where we should use #ifdef or #ifndef.
      The conditionals are mostly coded correctly, but I see some mistakes.
      Signed-off-by: default avatarMasahiro Yamada <yamada.masahiro@socionext.com>
      6af03f9c
    • Masahiro Yamada's avatar
      Use #ifdef for IMAGE_BL* instead of #if · 3d8256b2
      Masahiro Yamada authored
      
      
      One nasty part of ATF is some of boolean macros are always defined
      as 1 or 0, and the rest of them are only defined under certain
      conditions.
      
      For the former group, "#if FOO" or "#if !FOO" must be used because
      "#ifdef FOO" is always true.  (Options passed by $(call add_define,)
      are the cases.)
      
      For the latter, "#ifdef FOO" or "#ifndef FOO" should be used because
      checking the value of an undefined macro is strange.
      
      Here, IMAGE_BL* is handled by make_helpers/build_macro.mk like
      follows:
      
        $(eval IMAGE := IMAGE_BL$(call uppercase,$(3)))
      
        $(OBJ): $(2)
                @echo "  CC      $$<"
                $$(Q)$$(CC) $$(TF_CFLAGS) $$(CFLAGS) -D$(IMAGE) -c $$< -o $$@
      
      This means, IMAGE_BL* is defined when building the corresponding
      image, but *undefined* for the other images.
      
      So, IMAGE_BL* belongs to the latter group where we should use #ifdef
      or #ifndef.
      Signed-off-by: default avatarMasahiro Yamada <yamada.masahiro@socionext.com>
      3d8256b2
  6. 18 Jan, 2017 3 commits
  7. 14 Jan, 2017 1 commit
  8. 12 Jan, 2017 1 commit
  9. 06 Jan, 2017 1 commit
  10. 04 Jan, 2017 1 commit
  11. 20 Dec, 2016 2 commits
    • Masahiro Yamada's avatar
      zynqmp: add "override" directive to mandatory options · 34071d6a
      Masahiro Yamada authored
      
      
      The platform.mk sets build options required for ZynqMP, but users
      can still change them from the command line, like:
      
        make PLAT=zynqmp RESET_TO_BL31=0 CROSS_COMPILE=...
      
      Then, the makefile shows an error message in that case:
        Using BL31 as the reset vector is only one option supported on ZynqMP.
        Please set RESET_TO_BL31 to 1.
      
      If the option is not user-configurable, the makefile can specify
      "override" to prevent users from changing it.  We do not need the
      error message for the case that never happens.
      
      Likewise, ENABLE_PLAT_COMPAT := 0 and PROGRAMMABLE_RESET_ADDRESS := 1
      are mandatory to avoid build error.
      Signed-off-by: default avatarMasahiro Yamada <yamada.masahiro@socionext.com>
      Acked-by: default avatarSoren Brinkmann <soren.brinkmann@xilinx.com>
      34071d6a
    • Sandrine Bailleux's avatar
      Fix integer overflows in BL1 FWU code · 949a52d2
      Sandrine Bailleux authored
      
      
      Before adding a base address and a size to compute the end
      address of an image to copy or authenticate, check this
      won't result in an integer overflow. If it does then consider
      the input arguments are invalid.
      
      As a result, bl1_plat_mem_check() can now safely assume the
      end address (computed as the sum of the base address and size
      of the memory region) doesn't overflow, as the validation is
      done upfront in bl1_fwu_image_copy/auth(). A debug assertion
      has been added nonetheless in the ARM implementation in order
      to help catching such problems, should bl1_plat_mem_check()
      be called in a different context in the future.
      
      Fixes TFV-1: Malformed Firmware Update SMC can result in copy
      of unexpectedly large data into secure memory
      
      Change-Id: I8b8f8dd4c8777705722c7bd0e8b57addcba07e25
      Signed-off-by: default avatarSandrine Bailleux <sandrine.bailleux@arm.com>
      Signed-off-by: default avatarDan Handley <dan.handley@arm.com>
      949a52d2
  12. 19 Dec, 2016 1 commit
  13. 15 Dec, 2016 1 commit
    • dp-arm's avatar
      tbbr: Fix updating of Non-Trusted NV counter · d35dee23
      dp-arm authored
      
      
      The previous code required that a certificate be signed with the ROT
      key before the platform's NV counter could be updated with the value
      in the certificate.  This implies that the Non-Trusted NV counter was
      not being updated for Non-Trusted content certificates, as they cannot
      be signed with the ROT key in the TBBR CoT scheme.
      
      The code is reworked to only allow updating the platform's Trusted NV
      counter when a certificate protected by the Trusted NV counter is
      signed with the ROT key.
      
      Content certificates protected by the Non-Trusted NV counter are
      allowed to update the platform's Non-Trusted NV counter, assuming
      that the certificate value is higher than the platform's value.
      
      A new optional platform API has been introduced, named
      plat_set_nv_ctr2().  Platforms may choose to implement it and perform
      additional checks based on the authentication image descriptor before
      modifying the NV counters.  A default weak implementation is available
      that just calls into plat_set_nv_ctr().
      
      Fixes ARM-software/tf-issues#426
      
      Change-Id: I4fc978fd28a3007bc0cef972ff1f69ad0413b79c
      Signed-off-by: default avatardp-arm <dimitris.papastamos@arm.com>
      d35dee23