1. 31 Mar, 2017 2 commits
  2. 22 Mar, 2017 1 commit
    • dp-arm's avatar
      mbedtls: Namespace TF specific macros · 66b4c166
      dp-arm authored
      
      
      These macros are not part of mbed TLS so they should not be prefixed
      with `MBEDTLS_` to avoid potential collision in the future. Use the
      `TBBR_` suffix to highlight that they only used in TF.
      
      `MBEDTLS_KEY_ALG` was not modified because that is documented and used
      by platforms to select the key algorithm.
      
      Change-Id: Ief224681715c481691c80810501830ce16e210b0
      Signed-off-by: default avatardp-arm <dimitris.papastamos@arm.com>
      66b4c166
  3. 02 Mar, 2017 1 commit
  4. 01 Mar, 2017 1 commit
    • Soby Mathew's avatar
      Flush the GIC driver data after init · 311b1773
      Soby Mathew authored
      
      
      The GIC driver data is initialized by the primary CPU with caches
      enabled. When the secondary CPU boots up, it initializes the
      GICC/GICR interface with the caches disabled and there is a chance that
      the driver data is not yet written back to the memory. This patch fixes
      this problem by flushing the driver data after they have been
      initialized.
      
      Change-Id: Ie9477029683846209593ff005d2bac559bb8f5e6
      Signed-off-by: default avatarSoby Mathew <soby.mathew@arm.com>
      311b1773
  5. 22 Feb, 2017 1 commit
  6. 16 Feb, 2017 1 commit
    • Antonio Nino Diaz's avatar
      Revert "tbbr: Use constant-time bcmp() to compare hashes" · fabd21ad
      Antonio Nino Diaz authored
      This reverts commit b621fb50
      
      .
      
      Because of the Trusted Firmware design, timing-safe functions are not
      needed. Using them may be misleading as it could be interpreted as being
      a protection against private data leakage, which isn't the case here.
      
      For each image, the SHA-256 hash is calculated. Some padding is appended
      and the result is encrypted with a private key using RSA-2048. This is
      the signature of the image. The public key is stored along with BL1 in
      read-only memory and the encrypted hash is stored in the FIP.
      
      When authenticating an image, the TF decrypts the hash stored in the FIP
      and recalculates the hash of the image. If they don't match, the boot
      sequence won't continue.
      
      A constant-time comparison does not provide additional security as all
      the data involved in this process is already known to any attacker.
      There is no private data that can leaked through a timing attack when
      authenticating an image.
      
      `timingsafe_bcmp()` is kept in the codebase because it could be useful
      in the future.
      
      Change-Id: I44bdcd58faa586a050cc89447e38c142508c9888
      Signed-off-by: default avatarAntonio Nino Diaz <antonio.ninodiaz@arm.com>
      fabd21ad
  7. 14 Feb, 2017 2 commits
  8. 06 Feb, 2017 1 commit
    • Douglas Raillard's avatar
      Replace some memset call by zeromem · 32f0d3c6
      Douglas Raillard authored
      
      
      Replace all use of memset by zeromem when zeroing moderately-sized
      structure by applying the following transformation:
      memset(x, 0, sizeof(x)) => zeromem(x, sizeof(x))
      
      As the Trusted Firmware is compiled with -ffreestanding, it forbids the
      compiler from using __builtin_memset and forces it to generate calls to
      the slow memset implementation. Zeromem is a near drop in replacement
      for this use case, with a more efficient implementation on both AArch32
      and AArch64.
      
      Change-Id: Ia7f3a90e888b96d056881be09f0b4d65b41aa79e
      Signed-off-by: default avatarDouglas Raillard <douglas.raillard@arm.com>
      32f0d3c6
  9. 24 Jan, 2017 1 commit
    • Antonio Nino Diaz's avatar
      tbbr: Use constant-time bcmp() to compare hashes · b621fb50
      Antonio Nino Diaz authored
      
      
      To avoid timing side-channel attacks, it is needed to use a constant
      time memory comparison function when comparing hashes. The affected
      code only cheks for equality so it isn't needed to use any variant of
      memcmp(), bcmp() is enough.
      
      Also, timingsafe_bcmp() is as fast as memcmp() when the two compared
      regions are equal, so this change incurrs no performance hit in said
      case. In case they are unequal, the boot sequence wouldn't continue as
      normal, so performance is not an issue.
      
      Change-Id: I1c7c70ddfa4438e6031c8814411fef79fd3bb4df
      Signed-off-by: default avatarAntonio Nino Diaz <antonio.ninodiaz@arm.com>
      b621fb50
  10. 23 Jan, 2017 2 commits
    • Masahiro Yamada's avatar
      Use #ifdef for IMAGE_BL* instead of #if · 3d8256b2
      Masahiro Yamada authored
      
      
      One nasty part of ATF is some of boolean macros are always defined
      as 1 or 0, and the rest of them are only defined under certain
      conditions.
      
      For the former group, "#if FOO" or "#if !FOO" must be used because
      "#ifdef FOO" is always true.  (Options passed by $(call add_define,)
      are the cases.)
      
      For the latter, "#ifdef FOO" or "#ifndef FOO" should be used because
      checking the value of an undefined macro is strange.
      
      Here, IMAGE_BL* is handled by make_helpers/build_macro.mk like
      follows:
      
        $(eval IMAGE := IMAGE_BL$(call uppercase,$(3)))
      
        $(OBJ): $(2)
                @echo "  CC      $$<"
                $$(Q)$$(CC) $$(TF_CFLAGS) $$(CFLAGS) -D$(IMAGE) -c $$< -o $$@
      
      This means, IMAGE_BL* is defined when building the corresponding
      image, but *undefined* for the other images.
      
      So, IMAGE_BL* belongs to the latter group where we should use #ifdef
      or #ifndef.
      Signed-off-by: default avatarMasahiro Yamada <yamada.masahiro@socionext.com>
      3d8256b2
    • Haojian Zhuang's avatar
      drivers: add designware emmc driver · 5dbdb7da
      Haojian Zhuang authored
      
      
      Support Designware eMMC driver. It's based on both IO block
      and eMMC driver.
      Signed-off-by: default avatarHaojian Zhuang <haojian.zhuang@linaro.org>
      5dbdb7da
  11. 19 Jan, 2017 1 commit
    • Antonio Nino Diaz's avatar
      Clear static variables in X509 parser on error · 51c5e1a2
      Antonio Nino Diaz authored
      
      
      In mbedtls_x509_parser.c there are some static arrays that are filled
      during the integrity check and then read whenever an authentication
      parameter is requested. However, they aren't cleared in case of an
      integrity check failure, which can be problematic from a security
      point of view. This patch clears these arrays in the case of failure.
      
      Change-Id: I9d48f5bc71fa13e5a75d6c45b5e34796ef13aaa2
      Signed-off-by: default avatarAntonio Nino Diaz <antonio.ninodiaz@arm.com>
      51c5e1a2
  12. 12 Jan, 2017 1 commit
  13. 10 Jan, 2017 1 commit
  14. 06 Jan, 2017 1 commit
    • Masahiro Yamada's avatar
      TBB: fix comment about MBEDTLS_KEY_ALG default · a56f87c8
      Masahiro Yamada authored
      This comment block says the default algorithm is ESDSA, while the
      code obviously sets the default to RSA:
      
        ifeq (${MBEDTLS_KEY_ALG},)
            MBEDTLS_KEY_ALG            :=      rsa
        endif
      
      The git log of commit 7d37aa17
      
       ("TBB: add mbedTLS authentication
      related libraries") states available options are:
      
        * 'rsa' (for RSA-2048) (default option)
        * 'ecdsa' (for ECDSA-SECP256R1)
      
      So, my best guess is the comment block is wrong.
      
      The mismatch between the code and the comment is confusing. Fix it.
      Signed-off-by: default avatarMasahiro Yamada <yamada.masahiro@socionext.com>
      a56f87c8
  15. 15 Dec, 2016 2 commits
    • dp-arm's avatar
      tbbr: Fix updating of Non-Trusted NV counter · d35dee23
      dp-arm authored
      
      
      The previous code required that a certificate be signed with the ROT
      key before the platform's NV counter could be updated with the value
      in the certificate.  This implies that the Non-Trusted NV counter was
      not being updated for Non-Trusted content certificates, as they cannot
      be signed with the ROT key in the TBBR CoT scheme.
      
      The code is reworked to only allow updating the platform's Trusted NV
      counter when a certificate protected by the Trusted NV counter is
      signed with the ROT key.
      
      Content certificates protected by the Non-Trusted NV counter are
      allowed to update the platform's Non-Trusted NV counter, assuming
      that the certificate value is higher than the platform's value.
      
      A new optional platform API has been introduced, named
      plat_set_nv_ctr2().  Platforms may choose to implement it and perform
      additional checks based on the authentication image descriptor before
      modifying the NV counters.  A default weak implementation is available
      that just calls into plat_set_nv_ctr().
      
      Fixes ARM-software/tf-issues#426
      
      Change-Id: I4fc978fd28a3007bc0cef972ff1f69ad0413b79c
      Signed-off-by: default avatardp-arm <dimitris.papastamos@arm.com>
      d35dee23
    • Jeenu Viswambharan's avatar
      GICv3: Introduce power management APIs for Redistributor · d780699b
      Jeenu Viswambharan authored
      
      
      Some GICv3 implementations have provision for power management
      operations at Redistributor level. This patch introduces and provides
      place-holders for Redistributor power management. The default
      implementations are empty stubs, but are weakly bound so as to enable
      implementation-specific drivers to override them.
      
      Change-Id: I4fec1358693d3603ca5dce242a2f7f0e730516d8
      Signed-off-by: default avatarJeenu Viswambharan <jeenu.viswambharan@arm.com>
      d780699b
  16. 01 Dec, 2016 1 commit
    • Yatharth Kochar's avatar
      AArch32: Miscellaneous fixes in the AArch32 code · 69d59e0c
      Yatharth Kochar authored
      
      
      This patch makes following miscellaneous fixes:
      * pl011_console.S: Fixed the bit mask used to check if the
        transmit FIFO is full or empty.
      * smcc_macros.S: Added `_fsxc` suffix while updating the SPSR.
        By default the assembler assumes `_fc` suffix which does not
        update all the fields in SPSR. By adding `_fsxc` suffix all
        the fields gets updated.
      * platform_helpers.S: Removed the weak definition for
        `plat_my_core_pos()` as this is a mandatory function which
        needs to be defined by all platforms.
      
      Change-Id: I8302292533c943686fff8d7c749a07132c052a3b
      Signed-off-by: default avatarYatharth Kochar <yatharth.kochar@arm.com>
      69d59e0c
  17. 20 Sep, 2016 1 commit
  18. 12 Sep, 2016 1 commit
    • Yatharth Kochar's avatar
      GICv3: Allow either G1S or G0 interrupts to be configured · 6083c841
      Yatharth Kochar authored
      Currently the GICv3 driver mandates that platform populate
      both G1S and G0 interrupts. However, it is possible that a
      given platform is not interested in both the groups and
      just needs to specify either one of them.
      
      This patch modifies the `gicv3_rdistif_init()` & `gicv3_distif_init()`
      functions to allow either G1S or G0 interrupts to be configured.
      
      Fixes ARM-software/tf-issues#400
      
      Change-Id: I43572b0e08ae30bed5af9334f25d35bf439b0d2b
      6083c841
  19. 12 Aug, 2016 1 commit
    • Haojian Zhuang's avatar
      emmc: support CMD23 · 445b1e70
      Haojian Zhuang authored
      
      
      Support CMD23. When CMD23 is used, CMD12 could be avoided.
      
      Two scenarios:
      1. CMD17 for single block, CMD18 + CMD12 for multiple blocks.
      2. CMD23 + CMD18 for both single block and multiple blocks.
      
      The emmc_init() should initialize whether CMD23 is supported
      or not.
      Signed-off-by: default avatarHaojian Zhuang <haojian.zhuang@linaro.org>
      445b1e70
  20. 11 Aug, 2016 1 commit
    • Sudeep Holla's avatar
      gicv3: disable Group1 NonSecure interrupts during core powerdown · 65d68ca6
      Sudeep Holla authored
      As per the GICv3 specification, to power down a processor using GICv3
      and allow automatic power-on if an interrupt must be sent to a processor,
      software must set Enable to zero for all interrupt groups(by writing to
      GICC_CTLR or ICC_IGRPEN{0,1}_EL1/3 as appropriate.
      
      Also, NonSecure EL1 software may not be aware of the CPU power state
      details and fail to choose right states that require quiescing the CPU
      interface. So it's preferred that the PSCI implementation handles it as
      it is fully aware of the CPU power states.
      
      This patch adds disabling of Group1 NonSecure interrupts during processor
      power down along with Group0 and Group1 Secure interrupts so that all the
      interrupt groups are handled at once as per specification.
      
      Change-Id: Ib564d773c9c4c41f2ca9471451c030e3de75e641
      65d68ca6
  21. 10 Aug, 2016 2 commits
    • Soby Mathew's avatar
      AArch32: Add console driver · 66be868e
      Soby Mathew authored
      This patch adds console drivers including the pl011 driver
      for the AArch32 mode.
      
      Change-Id: Ifd22520d370fca3e73dbbf6f2d97d6aee65b67dd
      66be868e
    • Soby Mathew's avatar
      AArch32: Enable GIC and TZC support · 367d0ffb
      Soby Mathew authored
      This patch modifies GICv3 and TZC drivers to add AArch32 support.
      No modifications are required for the GICv2 driver for AArch32 support.
      The TZC driver assumes that the secure world is running in Little-Endian
      mode to do 64 bit manipulations. Assertions are present to validate the
      assumption.
      
      Note: The legacy GICv3 driver is not supported for AArch32.
      
      Change-Id: Id1bc75a9f5dafb9715c9500ca77b4606eb1e2458
      367d0ffb
  22. 09 Aug, 2016 1 commit
    • Soby Mathew's avatar
      Move console drivers to AArch64 folder · 9c94d3b3
      Soby Mathew authored
      This patch moves the various assembly console drivers
      into `aarch64` architecture specific folder. Stub files,
      which include files from new location, are retained at the
      original location for platform compatibility reasons.
      
      Change-Id: I0069b6c1c0489ca47f5204d4e26e3bc3def533a8
      9c94d3b3
  23. 04 Aug, 2016 1 commit
  24. 27 Jul, 2016 1 commit
    • Soby Mathew's avatar
      GICv3: Fix the GICD_IROUTER offset · 61e30277
      Soby Mathew authored
      This patch fixes the offset of GICD_IROUTER register defined in gicv3.h.
      Although the GICv3 documention mentions that the offset for this register
      is 0x6100-0x7FD8, the offset calculation for an interrupt id `n` is :
      
         0x6000 + 8n, where n >= 32
      
      This requires the offset for GICD_IROUTER to be defined as 0x6000.
      
      Fixes ARM-software/tf-issues#410
      
      Change-Id: If9e91e30d946afe7f1f60fea4f065c7567093fa8
      61e30277
  25. 18 Jul, 2016 1 commit
    • Soby Mathew's avatar
      Rework type usage in Trusted Firmware · 4c0d0390
      Soby Mathew authored
      This patch reworks type usage in generic code, drivers and ARM platform files
      to make it more portable. The major changes done with respect to
      type usage are as listed below:
      
      * Use uintptr_t for storing address instead of uint64_t or unsigned long.
      * Review usage of unsigned long as it can no longer be assumed to be 64 bit.
      * Use u_register_t for register values whose width varies depending on
        whether AArch64 or AArch32.
      * Use generic C types where-ever possible.
      
      In addition to the above changes, this patch also modifies format specifiers
      in print invocations so that they are AArch64/AArch32 agnostic. Only files
      related to upcoming feature development have been reworked.
      
      Change-Id: I9f8c78347c5a52ba7027ff389791f1dad63ee5f8
      4c0d0390
  26. 07 Jul, 2016 1 commit
    • Soby Mathew's avatar
      GIC: Ensure SGIs and PPIs are Group0 before setup · 47c6876a
      Soby Mathew authored
      The legacy GIC driver assumes that the SGIs and PPIs are Group0 during
      initialization. This is true if the driver is the first one to initialize
      the GIC hardware after reset. But in some cases, earlier BL stages could
      have already initialized the GIC hardware which means that SGI and PPI
      configuration are not the expected reset values causing assertion failure
      in `gicd_set_ipriorityr()`. This patch explicitly resets the SGI and PPI
      to Group0 prior to their initialization in the driver. The same patch is
      not done in the GICv2-only driver because unlike in the legacy driver,
      `gicd_set_ipriorityr()` of GICv2 driver doesn't enforce this policy and
      the appropriate group is set irrespective of the initial value.
      
      Fixes ARM-software/tf-issues#396
      
      Change-Id: I521d35caa37470ce542c796c2ba99716e4763105
      47c6876a
  27. 03 Jun, 2016 1 commit
    • Soby Mathew's avatar
      Allow dynamic overriding of ROTPK verification · 04943d33
      Soby Mathew authored
      A production ROM with TBB enabled must have the ability to boot test software
      before a real ROTPK is deployed (e.g. manufacturing mode). Previously the
      function plat_get_rotpk_info() must return a valid ROTPK for TBB to succeed.
      This patch adds an additional bit `ROTPK_NOT_DEPLOYED` in the output `flags`
      parameter from plat_get_rotpk_info(). If this bit is set, then the ROTPK
      in certificate is used without verifying against the platform value.
      
      Fixes ARM-software/tf-issues#381
      
      Change-Id: Icbbffab6bff8ed76b72431ee21337f550d8fdbbb
      04943d33
  28. 27 May, 2016 1 commit
    • Caesar Wang's avatar
      gpio: support gpio set/get pull status · 19588982
      Caesar Wang authored
      On some platform gpio can set/get pull status when input, add these
      function so we can set/get gpio pull status when need it. And they are
      optional function.
      19588982
  29. 25 May, 2016 1 commit
    • Soby Mathew's avatar
      CCN: Add API to query the PART0 ID from CCN · 6331a31a
      Soby Mathew authored
      This patch adds the API `ccn_get_part0_id` to query the PART0 ID from the
      PERIPHERAL_ID 0 register in the CCN driver. This ID allows to distinguish
      the variant of CCN present on the system and possibly enable dynamic
      configuration of the IP based on the variant. Also added an assert in
      `ccn_master_to_rn_id_map()` to ensure that the master map bitfield provided
      by the platform is within the expected interface id.
      
      Change-Id: I92d2db7bd93a9be8a7fbe72a522cbcba0aba2d0e
      6331a31a
  30. 20 May, 2016 1 commit
    • Antonio Nino Diaz's avatar
      Implement generic delay timer · 0bcedb22
      Antonio Nino Diaz authored
      Add delay timer implementation based on the system generic counter.
      This either uses the platform's implementation of
      `plat_get_syscnt_freq()` or explicit clock multiplier/divider values
      provided by the platform.
      
      The current implementation of udelay has been modified to avoid
      unnecessary calculations while waiting on the loop and to make it
      easier to check for overflows.
      
      Change-Id: I9062e1d506dc2f68367fd9289250b93444721732
      0bcedb22
  31. 12 May, 2016 1 commit
  32. 27 Apr, 2016 2 commits
    • Haojian Zhuang's avatar
      drivers: add emmc stack · 2da36042
      Haojian Zhuang authored
      
      
      In a lot of embedded platforms, eMMC device is the only one storage
      device. So loading content from eMMC device is required in ATF.
      
      Create the emmc stack that could co-work with IO block driver.
      Support to read/write/erase eMMC blocks on both rpmb and normal
      user area. Support to change the IO speed and bus width.
      Signed-off-by: default avatarHaojian Zhuang <haojian.zhuang@linaro.org>
      2da36042
    • Haojian Zhuang's avatar
      IO: support block device type · 9da7a653
      Haojian Zhuang authored
      
      
      FIP is accessed as memory-mapped type. eMMC is block device type.
      In order to support FIP based on eMMC, add the new io_block layer.
      
      io_block always access eMMC device as block size. And it'll only
      copy the required data into buffer in io_block driver. So preparing
      an temporary buffer is required.
      
      When use io_block device, MAX_IO_BLOCK_DEVICES should be declared
      in platform_def.h. It's used to support multiple block devices.
      Signed-off-by: default avatarHaojian Zhuang <haojian.zhuang@linaro.org>
      9da7a653
  33. 12 Apr, 2016 1 commit
    • Yatharth Kochar's avatar
      Use unsigned long long instead of uintptr_t in TZC400/DMC500 drivers · 9fbdb802
      Yatharth Kochar authored
      Currently the `tzc400_configure_region` and `tzc_dmc500_configure_region`
      functions uses uintptr_t as the data type for `region_top` and `region_base`
      variables, which will be converted to 32/64 bits for AArch32/AArch64
      respectively. But the expectation is to keep these addresses at least 64 bit.
      
      This patch modifies the data types to make it at least 64 bit by using
      unsigned long long instead of uintptr_t for the `region_top` and
      `region_base` variables. It also modifies the associated macros
      `_tzc##fn_name##_write_region_xxx` accordingly.
      
      Change-Id: I4e3c6a8a39ad04205cf0f3bda336c3970b15a28b
      9fbdb802
  34. 01 Apr, 2016 1 commit