- 12 May, 2017 2 commits
-
-
David Cunado authored
This patch renames MBEDTLS_KEY_ALG to TF_MBEDTLS_KEY_ALG. This completes the migration of TF specific macros so that they do not have the MBEDTLS_ suffix (see arm-trusted-firmware#874). Change-Id: Iad7632477e220b0af987c4db3cf52229fb127d00 Signed-off-by: David Cunado <david.cunado@arm.com>
-
David Cunado authored
An earlier patch (arm-trusted-firmware#874) migrated MBEDTLS_ suffixed macros to have a TBBR_ suffix to avoid any potential clash with future mbedtls macros. But on reflection the TBBR_ suffix could be confusing as the macros are used to drive TF-specific configuration of mbedtls. As such this patch migrates these macros from TBBR_suffix to TF_MBEDTLS_ suffix which more accurately conveys their use. Change-Id: Ic87642b653ceeaa03d62f724976abd5e12e867d4 Signed-off-by: David Cunado <david.cunado@arm.com>
-
- 03 May, 2017 1 commit
-
-
dp-arm authored
To make software license auditing simpler, use SPDX[0] license identifiers instead of duplicating the license text in every file. NOTE: Files that have been imported by FreeBSD have not been modified. [0]: https://spdx.org/ Change-Id: I80a00e1f641b8cc075ca5a95b10607ed9ed8761a Signed-off-by: dp-arm <dimitris.papastamos@arm.com>
-
- 21 Apr, 2017 1 commit
-
-
Varun Wadekar authored
This patch removes the code that touched UART_FCR, from console_core_putc(). The check for whether transmit FIFO is full is sufficient before writing to UART TX FIFO. In fact setting UARTFCR_TXCLR immediately after a byte is written to FIFO might even result in loss of that byte, if UART hasn't sent that byte out yet. Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>
-
- 20 Apr, 2017 1 commit
-
-
Antonio Nino Diaz authored
Many asserts depend on code that is conditionally compiled based on the DEBUG define. This patch modifies the conditional inclusion of such code so that it is based on the ENABLE_ASSERTIONS build option. Change-Id: I6406674788aa7e1ad7c23d86ce94482ad3c382bd Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
-
- 18 Apr, 2017 1 commit
-
-
Antonio Nino Diaz authored
C files shouldn't be included into others. This file only contains some macros and functions that can be made `static inline`, so it is ok to convert it into a header file. This is the only occurrence of a C file being included in another one in the codebase instead of using a header, other occurrences are a way of achieving backwards-compatibility. Functions therein have been qualified as `inline`. Change-Id: I88fe300f6d85a7f0740ef14c9cb8fa54849218e6 Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
-
- 06 Apr, 2017 1 commit
-
-
Antonio Nino Diaz authored
The amount of console output is controlled by the LOG_LEVEL build option. Using tf_printf without any #ifdef depending on the LOG_LEVEL doesn't give the user that flexibility. This patch replaces all occurrences of tf_printf that prints error, but aren't dependent on LOG_LEVEL, with the ERROR macro. Change-Id: Ib5147f14fc1579398a11f19ddd0e840ff6692831 Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
-
- 31 Mar, 2017 2 commits
-
-
Antonio Nino Diaz authored
It is needed to add placeholders for this function because, as this is not a `plat_xxx()` function, there aren't weak definitions of it in any file. If `console_flush()` is used and there isn't an implementation of `console_core_flush()` in any file, the compilation will fail. Change-Id: I50eb56d085c4c9fbc85d40c343e86af6412f3020 Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
-
Antonio Nino Diaz authored
This function ensures that console output is flushed, for example before shutting down or use by another component In line with other console APIs, console_flush() wraps console_core_flush(). Also implement console_core_flush() for PL011. Change-Id: I3db365065e4de04a454a5c2ce21be335a23a01e4 Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
-
- 22 Mar, 2017 1 commit
-
-
dp-arm authored
These macros are not part of mbed TLS so they should not be prefixed with `MBEDTLS_` to avoid potential collision in the future. Use the `TBBR_` suffix to highlight that they only used in TF. `MBEDTLS_KEY_ALG` was not modified because that is documented and used by platforms to select the key algorithm. Change-Id: Ief224681715c481691c80810501830ce16e210b0 Signed-off-by: dp-arm <dimitris.papastamos@arm.com>
-
- 02 Mar, 2017 1 commit
-
-
Soby Mathew authored
Due to incorrect conditional compilation checks, bakery locks were excluded from the CCN driver and the power controller driver for FVP when BL32 was built as the EL3 Runtime Software in AArch32 mode. This patch corrects the same. Change-Id: Ib1f163d9167a5c38e4d622232c4835cad9c235aa Signed-off-by: Soby Mathew <soby.mathew@arm.com>
-
- 01 Mar, 2017 1 commit
-
-
Soby Mathew authored
The GIC driver data is initialized by the primary CPU with caches enabled. When the secondary CPU boots up, it initializes the GICC/GICR interface with the caches disabled and there is a chance that the driver data is not yet written back to the memory. This patch fixes this problem by flushing the driver data after they have been initialized. Change-Id: Ie9477029683846209593ff005d2bac559bb8f5e6 Signed-off-by: Soby Mathew <soby.mathew@arm.com>
-
- 22 Feb, 2017 1 commit
-
-
Jeenu Viswambharan authored
Static checks flag an assert added in commit 1f786b0f that compares unsigned value to 0, which will never fail. Change-Id: I4b02031c2cfbd9a25255d12156919dda7d4805a0 Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
-
- 16 Feb, 2017 1 commit
-
-
Antonio Nino Diaz authored
This reverts commit b621fb50 . Because of the Trusted Firmware design, timing-safe functions are not needed. Using them may be misleading as it could be interpreted as being a protection against private data leakage, which isn't the case here. For each image, the SHA-256 hash is calculated. Some padding is appended and the result is encrypted with a private key using RSA-2048. This is the signature of the image. The public key is stored along with BL1 in read-only memory and the encrypted hash is stored in the FIP. When authenticating an image, the TF decrypts the hash stored in the FIP and recalculates the hash of the image. If they don't match, the boot sequence won't continue. A constant-time comparison does not provide additional security as all the data involved in this process is already known to any attacker. There is no private data that can leaked through a timing attack when authenticating an image. `timingsafe_bcmp()` is kept in the codebase because it could be useful in the future. Change-Id: I44bdcd58faa586a050cc89447e38c142508c9888 Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
-
- 14 Feb, 2017 2 commits
-
-
dp-arm authored
cppcheck highlighted variables that were initialized but then later reassigned. Change-Id: Ie12742c01fd3bf48b2d6c05a3b448da91d57a2e4 Signed-off-by: dp-arm <dimitris.papastamos@arm.com>
-
Jeenu Viswambharan authored
The memmap IO driver doesn't perform bounds check when reading, writing, or seeking. The onus to vet parameters is on the caller, and this patch asserts that: - non-negative size is specified for for backing memory; - valid parameters are passed into the driver for read, write and seek operations. Change-Id: I6518c4065817e640e9e7e39a8a4577655f2680f7 Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
-
- 06 Feb, 2017 1 commit
-
-
Douglas Raillard authored
Replace all use of memset by zeromem when zeroing moderately-sized structure by applying the following transformation: memset(x, 0, sizeof(x)) => zeromem(x, sizeof(x)) As the Trusted Firmware is compiled with -ffreestanding, it forbids the compiler from using __builtin_memset and forces it to generate calls to the slow memset implementation. Zeromem is a near drop in replacement for this use case, with a more efficient implementation on both AArch32 and AArch64. Change-Id: Ia7f3a90e888b96d056881be09f0b4d65b41aa79e Signed-off-by: Douglas Raillard <douglas.raillard@arm.com>
-
- 24 Jan, 2017 1 commit
-
-
Antonio Nino Diaz authored
To avoid timing side-channel attacks, it is needed to use a constant time memory comparison function when comparing hashes. The affected code only cheks for equality so it isn't needed to use any variant of memcmp(), bcmp() is enough. Also, timingsafe_bcmp() is as fast as memcmp() when the two compared regions are equal, so this change incurrs no performance hit in said case. In case they are unequal, the boot sequence wouldn't continue as normal, so performance is not an issue. Change-Id: I1c7c70ddfa4438e6031c8814411fef79fd3bb4df Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
-
- 23 Jan, 2017 2 commits
-
-
Masahiro Yamada authored
One nasty part of ATF is some of boolean macros are always defined as 1 or 0, and the rest of them are only defined under certain conditions. For the former group, "#if FOO" or "#if !FOO" must be used because "#ifdef FOO" is always true. (Options passed by $(call add_define,) are the cases.) For the latter, "#ifdef FOO" or "#ifndef FOO" should be used because checking the value of an undefined macro is strange. Here, IMAGE_BL* is handled by make_helpers/build_macro.mk like follows: $(eval IMAGE := IMAGE_BL$(call uppercase,$(3))) $(OBJ): $(2) @echo " CC $$<" $$(Q)$$(CC) $$(TF_CFLAGS) $$(CFLAGS) -D$(IMAGE) -c $$< -o $$@ This means, IMAGE_BL* is defined when building the corresponding image, but *undefined* for the other images. So, IMAGE_BL* belongs to the latter group where we should use #ifdef or #ifndef. Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
-
Haojian Zhuang authored
Support Designware eMMC driver. It's based on both IO block and eMMC driver. Signed-off-by: Haojian Zhuang <haojian.zhuang@linaro.org>
-
- 19 Jan, 2017 1 commit
-
-
Antonio Nino Diaz authored
In mbedtls_x509_parser.c there are some static arrays that are filled during the integrity check and then read whenever an authentication parameter is requested. However, they aren't cleared in case of an integrity check failure, which can be problematic from a security point of view. This patch clears these arrays in the case of failure. Change-Id: I9d48f5bc71fa13e5a75d6c45b5e34796ef13aaa2 Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
-
- 12 Jan, 2017 1 commit
-
-
Masahiro Yamada authored
We are duplicating this macro define, and it is useful enough to be placed in the common place. Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
-
- 10 Jan, 2017 1 commit
-
-
Nishanth Menon authored
tbz check for RDR status is to check for a bit being zero. Unfortunately, we are using a mask rather than the bit position. Further as per http://www.ti.com/lit/ds/symlink/pc16550d.pdf (page 17), LSR register bit 0 is Data ready status (RDR), not bit position 2. Update the same to match the specification. Reported-by: Sekhar Nori <nsekhar@ti.com> Signed-off-by: Nishanth Menon <nm@ti.com>
-
- 06 Jan, 2017 1 commit
-
-
Masahiro Yamada authored
This comment block says the default algorithm is ESDSA, while the code obviously sets the default to RSA: ifeq (${MBEDTLS_KEY_ALG},) MBEDTLS_KEY_ALG := rsa endif The git log of commit 7d37aa17 ("TBB: add mbedTLS authentication related libraries") states available options are: * 'rsa' (for RSA-2048) (default option) * 'ecdsa' (for ECDSA-SECP256R1) So, my best guess is the comment block is wrong. The mismatch between the code and the comment is confusing. Fix it. Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
-
- 15 Dec, 2016 2 commits
-
-
dp-arm authored
The previous code required that a certificate be signed with the ROT key before the platform's NV counter could be updated with the value in the certificate. This implies that the Non-Trusted NV counter was not being updated for Non-Trusted content certificates, as they cannot be signed with the ROT key in the TBBR CoT scheme. The code is reworked to only allow updating the platform's Trusted NV counter when a certificate protected by the Trusted NV counter is signed with the ROT key. Content certificates protected by the Non-Trusted NV counter are allowed to update the platform's Non-Trusted NV counter, assuming that the certificate value is higher than the platform's value. A new optional platform API has been introduced, named plat_set_nv_ctr2(). Platforms may choose to implement it and perform additional checks based on the authentication image descriptor before modifying the NV counters. A default weak implementation is available that just calls into plat_set_nv_ctr(). Fixes ARM-software/tf-issues#426 Change-Id: I4fc978fd28a3007bc0cef972ff1f69ad0413b79c Signed-off-by: dp-arm <dimitris.papastamos@arm.com>
-
Jeenu Viswambharan authored
Some GICv3 implementations have provision for power management operations at Redistributor level. This patch introduces and provides place-holders for Redistributor power management. The default implementations are empty stubs, but are weakly bound so as to enable implementation-specific drivers to override them. Change-Id: I4fec1358693d3603ca5dce242a2f7f0e730516d8 Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
-
- 01 Dec, 2016 1 commit
-
-
Yatharth Kochar authored
This patch makes following miscellaneous fixes: * pl011_console.S: Fixed the bit mask used to check if the transmit FIFO is full or empty. * smcc_macros.S: Added `_fsxc` suffix while updating the SPSR. By default the assembler assumes `_fc` suffix which does not update all the fields in SPSR. By adding `_fsxc` suffix all the fields gets updated. * platform_helpers.S: Removed the weak definition for `plat_my_core_pos()` as this is a mandatory function which needs to be defined by all platforms. Change-Id: I8302292533c943686fff8d7c749a07132c052a3b Signed-off-by: Yatharth Kochar <yatharth.kochar@arm.com>
-
- 20 Sep, 2016 1 commit
-
-
Haojian Zhuang authored
Now only support GPT partition table. MBR partition table isn't supported yet. Signed-off-by: Haojian Zhuang <haojian.zhuang@linaro.org>
-
- 12 Sep, 2016 1 commit
-
-
Yatharth Kochar authored
Currently the GICv3 driver mandates that platform populate both G1S and G0 interrupts. However, it is possible that a given platform is not interested in both the groups and just needs to specify either one of them. This patch modifies the `gicv3_rdistif_init()` & `gicv3_distif_init()` functions to allow either G1S or G0 interrupts to be configured. Fixes ARM-software/tf-issues#400 Change-Id: I43572b0e08ae30bed5af9334f25d35bf439b0d2b
-
- 12 Aug, 2016 1 commit
-
-
Haojian Zhuang authored
Support CMD23. When CMD23 is used, CMD12 could be avoided. Two scenarios: 1. CMD17 for single block, CMD18 + CMD12 for multiple blocks. 2. CMD23 + CMD18 for both single block and multiple blocks. The emmc_init() should initialize whether CMD23 is supported or not. Signed-off-by: Haojian Zhuang <haojian.zhuang@linaro.org>
-
- 11 Aug, 2016 1 commit
-
-
Sudeep Holla authored
As per the GICv3 specification, to power down a processor using GICv3 and allow automatic power-on if an interrupt must be sent to a processor, software must set Enable to zero for all interrupt groups(by writing to GICC_CTLR or ICC_IGRPEN{0,1}_EL1/3 as appropriate. Also, NonSecure EL1 software may not be aware of the CPU power state details and fail to choose right states that require quiescing the CPU interface. So it's preferred that the PSCI implementation handles it as it is fully aware of the CPU power states. This patch adds disabling of Group1 NonSecure interrupts during processor power down along with Group0 and Group1 Secure interrupts so that all the interrupt groups are handled at once as per specification. Change-Id: Ib564d773c9c4c41f2ca9471451c030e3de75e641
-
- 10 Aug, 2016 2 commits
-
-
Soby Mathew authored
This patch adds console drivers including the pl011 driver for the AArch32 mode. Change-Id: Ifd22520d370fca3e73dbbf6f2d97d6aee65b67dd
-
Soby Mathew authored
This patch modifies GICv3 and TZC drivers to add AArch32 support. No modifications are required for the GICv2 driver for AArch32 support. The TZC driver assumes that the secure world is running in Little-Endian mode to do 64 bit manipulations. Assertions are present to validate the assumption. Note: The legacy GICv3 driver is not supported for AArch32. Change-Id: Id1bc75a9f5dafb9715c9500ca77b4606eb1e2458
-
- 09 Aug, 2016 1 commit
-
-
Soby Mathew authored
This patch moves the various assembly console drivers into `aarch64` architecture specific folder. Stub files, which include files from new location, are retained at the original location for platform compatibility reasons. Change-Id: I0069b6c1c0489ca47f5204d4e26e3bc3def533a8
-
- 04 Aug, 2016 1 commit
-
-
Haojian Zhuang authored
If buffer address parameter isn't aligned, it may cause DMA issue in block device driver, as eMMC. Now check the buffer address. If it's not aligned, use temporary buffer in io block driver instead. Signed-off-by: Haojian Zhuang <haojian.zhuang@linaro.org>
-
- 27 Jul, 2016 1 commit
-
-
Soby Mathew authored
This patch fixes the offset of GICD_IROUTER register defined in gicv3.h. Although the GICv3 documention mentions that the offset for this register is 0x6100-0x7FD8, the offset calculation for an interrupt id `n` is : 0x6000 + 8n, where n >= 32 This requires the offset for GICD_IROUTER to be defined as 0x6000. Fixes ARM-software/tf-issues#410 Change-Id: If9e91e30d946afe7f1f60fea4f065c7567093fa8
-
- 18 Jul, 2016 1 commit
-
-
Soby Mathew authored
This patch reworks type usage in generic code, drivers and ARM platform files to make it more portable. The major changes done with respect to type usage are as listed below: * Use uintptr_t for storing address instead of uint64_t or unsigned long. * Review usage of unsigned long as it can no longer be assumed to be 64 bit. * Use u_register_t for register values whose width varies depending on whether AArch64 or AArch32. * Use generic C types where-ever possible. In addition to the above changes, this patch also modifies format specifiers in print invocations so that they are AArch64/AArch32 agnostic. Only files related to upcoming feature development have been reworked. Change-Id: I9f8c78347c5a52ba7027ff389791f1dad63ee5f8
-
- 07 Jul, 2016 1 commit
-
-
Soby Mathew authored
The legacy GIC driver assumes that the SGIs and PPIs are Group0 during initialization. This is true if the driver is the first one to initialize the GIC hardware after reset. But in some cases, earlier BL stages could have already initialized the GIC hardware which means that SGI and PPI configuration are not the expected reset values causing assertion failure in `gicd_set_ipriorityr()`. This patch explicitly resets the SGI and PPI to Group0 prior to their initialization in the driver. The same patch is not done in the GICv2-only driver because unlike in the legacy driver, `gicd_set_ipriorityr()` of GICv2 driver doesn't enforce this policy and the appropriate group is set irrespective of the initial value. Fixes ARM-software/tf-issues#396 Change-Id: I521d35caa37470ce542c796c2ba99716e4763105
-
- 03 Jun, 2016 1 commit
-
-
Soby Mathew authored
A production ROM with TBB enabled must have the ability to boot test software before a real ROTPK is deployed (e.g. manufacturing mode). Previously the function plat_get_rotpk_info() must return a valid ROTPK for TBB to succeed. This patch adds an additional bit `ROTPK_NOT_DEPLOYED` in the output `flags` parameter from plat_get_rotpk_info(). If this bit is set, then the ROTPK in certificate is used without verifying against the platform value. Fixes ARM-software/tf-issues#381 Change-Id: Icbbffab6bff8ed76b72431ee21337f550d8fdbbb
-
- 27 May, 2016 1 commit
-
-
Caesar Wang authored
On some platform gpio can set/get pull status when input, add these function so we can set/get gpio pull status when need it. And they are optional function.
-