1. 21 Jul, 2020 1 commit
  2. 25 Mar, 2020 1 commit
  3. 06 Mar, 2020 1 commit
  4. 12 Sep, 2019 2 commits
    • Justin Chadwell's avatar
      Remove RSA PKCS#1 v1.5 support from cert_tool · 6a415a50
      Justin Chadwell authored
      Support for PKCS#1 v1.5 was deprecated in SHA 1001202d and fully removed
      in SHA fe199e3b
      
      , however, cert_tool is still able to generate
      certificates in that form. This patch fully removes the ability for
      cert_tool to generate these certificates.
      
      Additionally, this patch also fixes a bug where the issuing certificate
      was a RSA and the issued certificate was EcDSA. In this case, the issued
      certificate would be signed using PKCS#1 v1.5 instead of RSAPSS per
      PKCS#1 v2.1, preventing TF-A from verifying the image signatures. Now
      that PKCS#1 v1.5 support is removed, all certificates that are signed
      with RSA now use the more modern padding scheme.
      
      Change-Id: Id87d7d915be594a1876a73080528d968e65c4e9a
      Signed-off-by: default avatarJustin Chadwell <justin.chadwell@arm.com>
      6a415a50
    • Justin Chadwell's avatar
      Support larger RSA key sizes when using MBEDTLS · aacff749
      Justin Chadwell authored
      
      
      Previously, TF-A could not support large RSA key sizes as the
      configuration options passed to MBEDTLS prevented storing and performing
      calculations with the larger, higher-precision numbers required. With
      these changes to the arguments passed to MBEDTLS, TF-A now supports
      using 3072 (3K) and 4096 (4K) keys in certificates.
      
      Change-Id: Ib73a6773145d2faa25c28d04f9a42e86f2fd555f
      Signed-off-by: default avatarJustin Chadwell <justin.chadwell@arm.com>
      aacff749
  5. 04 Jan, 2019 1 commit
    • Antonio Nino Diaz's avatar
      Sanitise includes across codebase · 09d40e0e
      Antonio Nino Diaz authored
      Enforce full include path for includes. Deprecate old paths.
      
      The following folders inside include/lib have been left unchanged:
      
      - include/lib/cpus/${ARCH}
      - include/lib/el3_runtime/${ARCH}
      
      The reason for this change is that having a global namespace for
      includes isn't a good idea. It defeats one of the advantages of having
      folders and it introduces problems that are sometimes subtle (because
      you may not know the header you are actually including if there are two
      of them).
      
      For example, this patch had to be created because two headers were
      called the same way: e0ea0928 ("Fix gpio includes of mt8173 platform
      to avoid collision."). More recently, this patch has had similar
      problems: 46f9b2c3 ("drivers: add tzc380 support").
      
      This problem was introduced in commit 4ecca339
      
       ("Move include and
      source files to logical locations"). At that time, there weren't too
      many headers so it wasn't a real issue. However, time has shown that
      this creates problems.
      
      Platforms that want to preserve the way they include headers may add the
      removed paths to PLAT_INCLUDES, but this is discouraged.
      
      Change-Id: I39dc53ed98f9e297a5966e723d1936d6ccf2fc8f
      Signed-off-by: default avatarAntonio Nino Diaz <antonio.ninodiaz@arm.com>
      09d40e0e
  6. 28 Sep, 2018 1 commit
  7. 03 Aug, 2018 2 commits
  8. 18 Jun, 2018 1 commit
  9. 18 Jan, 2018 1 commit
  10. 03 May, 2017 1 commit
  11. 05 Jan, 2016 1 commit
    • Sandrine Bailleux's avatar
      Always build with '-pedantic' · aa856917
      Sandrine Bailleux authored
      By default ARM TF is built with the '-pedantic' compiler flag, which
      helps detecting violations of the C standard. However, the mbed TLS
      library and its associated authentication module in TF used to fail
      building with this compiler flag. As a workaround, the mbed TLS
      authentication module makefile used to set the 'DISABLE_PEDANTIC'
      TF build flag.
      
      The compiler errors flagged by '-pedantic' in the mbed TLS library
      have been fixed between versions 1.3.9 and 2.2.0 and the library now
      properly builds with this compiler flag.
      
      This patch fixes the remaining compiler errors in the mbed TLS
      authentication module in TF and unsets the 'DISABLE_PEDANTIC' TF
      build flag. This means that TF is now always built with '-pedantic'.
      
      In particular, this patch:
      
       * Removes the final semi-colon in REGISTER_COT() macro.
      
         This semi-colon was causing the following error message:
      
         drivers/auth/tbbr/tbbr_cot.c:544:23: error: ISO C does not allow
         extra ';' outside of a function [-Werror=pedantic]
      
         This has been fixed both in the mbed TLS authentication module
         as well as in the certificate generation tool. Note that the latter
         code didn't need fixing since it is not built with '-pedantic' but
         the change has been propagated for consistency.
      
         Also fixed the REGISTER_KEYS() and REGISTER_EXTENSIONS() macros,
         which were suffering from the same issue.
      
       * Fixes a pointer type.
      
         It was causing the following error message:
      
         drivers/auth/mbedtls/mbedtls_crypto.c: In function 'verify_hash':
         drivers/auth/mbedtls/mbedtls_crypto.c:177:42: error: pointer of
         type 'void *' used in arithmetic [-Werror=pointer-arith]
      
      Change-Id: I7b7a04ef711efd65e17b5be26990d1a0d940257d
      aa856917
  12. 10 Dec, 2015 1 commit
    • Juan Castillo's avatar
      Move up to mbed TLS 2.x · 649dbf6f
      Juan Castillo authored
      The mbed TLS library has introduced some changes in the API from
      the 1.3.x to the 2.x releases. Using the 2.x releases requires
      some changes to the crypto and transport modules.
      
      This patch updates both modules to the mbed TLS 2.x API.
      
      All references to the mbed TLS library in the code or documentation
      have been updated to 'mbed TLS'. Old references to PolarSSL have
      been updated to 'mbed TLS'.
      
      User guide updated to use mbed TLS 2.2.0.
      
      NOTE: moving up to mbed TLS 2.x from 1.3.x is not backward compatible.
      Applying this patch will require an mbed TLS 2.x release to be used.
      Also note that the mbed TLS license changed to Apache version 2.0.
      
      Change-Id: Iba4584408653cf153091f2ca2ee23bc9add7fda4
      649dbf6f
  13. 25 Jun, 2015 1 commit
    • Juan Castillo's avatar
      TBB: add mbedTLS authentication related libraries · 7d37aa17
      Juan Castillo authored
      This patch adds the following mbedTLS based libraries:
      
      * Cryptographic library
      
      It is used by the crypto module to verify a digital signature
      and a hash. This library relies on mbedTLS to perform the
      cryptographic operations. mbedTLS sources must be obtained
      separately.
      
      Two key algorithms are currently supported:
      
          * RSA-2048
          * ECDSA-SECP256R1
      
      The platform is responsible for picking up the required
      algorithm by defining the 'MBEDTLS_KEY_ALG' variable in the
      platform makefile. Available options are:
      
          * 'rsa' (for RSA-2048) (default option)
          * 'ecdsa' (for ECDSA-SECP256R1)
      
      Hash algorithm currently supported is SHA-256.
      
      * Image parser library
      
      Used by the image parser module to extract the authentication
      parameters stored in X509v3 certificates.
      
      Change-Id: I597c4be3d29287f2f18b82846973afc142ee0bf0
      7d37aa17
  14. 11 Mar, 2015 1 commit
    • Juan Castillo's avatar
      TBB: remove PolarSSL SHA1 functions from the binary · 81ee0983
      Juan Castillo authored
      Commit ea4ec3aa ("TBB: use SHA256 to generate the certificate
      signatures") updated the cert_create tool to generate the
      signatures using SHA256 instead of SHA1. Therefore, SHA1 is no
      longer required.
      
      This patch removes the SHA1 option from the PolarSSL configuration
      file. The source file sha1.c is no longer needed and has been
      excluded from the build. The SHA1 functions are no longer included
      in the binary, reducing the memory footprint of BL1 and BL2 by
      approximately 6 KB.
      
      Change-Id: I72ea2cff03c0964c3eaadce148ec2ad2c6dde2e3
      81ee0983
  15. 28 Jan, 2015 1 commit
    • Juan Castillo's avatar
      TBB: add PolarSSL based authentication module · db6071c9
      Juan Castillo authored
      This patch implements an authentication module based on the
      PolarSSL library (v1.3.9) to verify the Chain of Trust when
      Trusted Boot is enabled.
      
      PolarSSL sources must be fetched separately. The POLARSSL_DIR
      build option may be used to indicate the path to the PolarSSL
      main directory (this directory must contain the 'include' and
      'library' subdirectories).
      
      To be able to build PolarSSL sources as a part of the Trusted
      Firmware build process, the DISABLE_PEDANTIC flag in polarssl.mk
      will tell the build system to remove the -pedantic option from
      the CFLAGS.
      
      Inclusion of PolarSSL increases the memory requirements of the BL1
      and BL2 images. The following are the changes made to the FVP and
      Juno platforms to cater for this when TRUSTED_BOARD_BOOT is
      defined:
      
      Changes on FVP:
      
        - BL1 and BL2 stacks have been increased to 4 KB
        - BL1(rw) section has been increased to 32 KB.
        - BL2 memory region has been increased to 112 KB
      
      Changes on Juno:
      
        - BL1 and BL2 stacks have been increased to 4 KB
        - BL1(rw) section has been increased to 32 KB.
        - Trusted ROM region in Flash has been increased to 128 KB.
        - BL2 memory region has been increased to 116 KB
      
      Change-Id: Ie87d80d43408eb6239c4acd0ec5ab2120e4e9e80
      db6071c9
  16. 26 Nov, 2014 1 commit
    • Sandrine Bailleux's avatar
      Fix problem of dependencies on the fiptool makefile target · 07deed40
      Sandrine Bailleux authored
      The 'fiptool' target doesn't depend on fip_create's source files,
      neither directly nor indirectly. As a result, the FIP tool is not
      rebuilt whenever its source files change.
      
      This patch makes the ${FIPTOOL} target into a phony target so that the
      FIP tool's sub-makefile is always called. The sub-makefile correctly
      handles the dependencies. It also moves the completion message into
      the sub-makefile so that it is only displayed when the tool is
      actually recompiled.
      
      Fixes ARM-software/tf-issues#278
      
      Change-Id: Ia027519fe51d3c42be30665d1ad20a7b89fa350f
      07deed40
  17. 20 Feb, 2014 1 commit
    • Jeenu Viswambharan's avatar
      Cleanup FIP build targets and messages · 2f2cef46
      Jeenu Viswambharan authored
      At present the fip.bin depends on phony targets for BL images, resulting
      in unconditional remake of fip.bin. Also the build messages doesn't
      match with the rest of build system.
      
      This patch modifies the fip.bin dependencies to the actual BL binary
      images so that fip.bin is remade only when the component images are
      rebuilt/modified. The build messages and FIP Makefile are modified to
      match the style of rest of the build system.
      
      Change-Id: I8dd08666ff766d106820a5b4b037c2161bcf140f
      2f2cef46
  18. 17 Feb, 2014 1 commit
    • Harry Liebel's avatar
      Add Firmware Image Package creation tool · f58ad36f
      Harry Liebel authored
      This tool can be used to create a Firmware Image Packages (FIP). These
      FIPs store a combined set of firmware images with a Table of Contents
      (ToC) that can be loaded by the firmware from platform storage.
      
      - Add uuid.h from FreeBSD.
      - Use symbolic links to shared headers otherwise unwanted headers and
        definitions are pulled in.
      - A FIP is created as part of the default FVP build.
      - A BL3-3 image(e.g. UEFI) must be provided.
      
      Change-Id: Ib73feee181df2dba68bf6abec115a83cfa5e26cb
      f58ad36f
  19. 20 Jan, 2014 2 commits
  20. 17 Jan, 2014 1 commit
  21. 20 Dec, 2013 1 commit
    • Harry Liebel's avatar
      Create local C library implementation (1/2) · c81b1d0f
      Harry Liebel authored
      - This change is split into two separate patches in order to
        simplify the history as interpreted by 'git'. The split is
        between the move/rename and addition of new files.
      - Remove dependency on toolchain C library headers and functions in
        order to ensure behavioural compatibility between toolchains.
      - Use FreeBSD as reference for C library implementation.
      - Do not let GCC use default library include paths.
      - Remove unused definitions in modified headers and implementations.
      - Move C library files to 'lib/stdlib' and 'include/stdlib'.
      - Break std.c functions out into separate files.
      
      Change-Id: I91cddfb3229775f770ad781589670c57d347a154
      c81b1d0f
  22. 05 Dec, 2013 1 commit
    • Dan Handley's avatar
      Enable third party contributions · ab2d31ed
      Dan Handley authored
      - Add instructions for contributing to ARM Trusted Firmware.
      
      - Update copyright text in all files to acknowledge contributors.
      
      Change-Id: I9311aac81b00c6c167d2f8c889aea403b84450e5
      ab2d31ed
  23. 25 Oct, 2013 1 commit