1. 01 Feb, 2019 1 commit
  2. 15 Jan, 2019 1 commit
  3. 04 Jan, 2019 1 commit
    • Antonio Nino Diaz's avatar
      Sanitise includes across codebase · 09d40e0e
      Antonio Nino Diaz authored
      Enforce full include path for includes. Deprecate old paths.
      
      The following folders inside include/lib have been left unchanged:
      
      - include/lib/cpus/${ARCH}
      - include/lib/el3_runtime/${ARCH}
      
      The reason for this change is that having a global namespace for
      includes isn't a good idea. It defeats one of the advantages of having
      folders and it introduces problems that are sometimes subtle (because
      you may not know the header you are actually including if there are two
      of them).
      
      For example, this patch had to be created because two headers were
      called the same way: e0ea0928 ("Fix gpio includes of mt8173 platform
      to avoid collision."). More recently, this patch has had similar
      problems: 46f9b2c3 ("drivers: add tzc380 support").
      
      This problem was introduced in commit 4ecca339
      
       ("Move include and
      source files to logical locations"). At that time, there weren't too
      many headers so it wasn't a real issue. However, time has shown that
      this creates problems.
      
      Platforms that want to preserve the way they include headers may add the
      removed paths to PLAT_INCLUDES, but this is discouraged.
      
      Change-Id: I39dc53ed98f9e297a5966e723d1936d6ccf2fc8f
      Signed-off-by: default avatarAntonio Nino Diaz <antonio.ninodiaz@arm.com>
      09d40e0e
  4. 08 Nov, 2018 1 commit
    • Antonio Nino Diaz's avatar
      Standardise header guards across codebase · c3cf06f1
      Antonio Nino Diaz authored
      
      
      All identifiers, regardless of use, that start with two underscores are
      reserved. This means they can't be used in header guards.
      
      The style that this project is now to use the full name of the file in
      capital letters followed by 'H'. For example, for a file called
      "uart_example.h", the header guard is UART_EXAMPLE_H.
      
      The exceptions are files that are imported from other projects:
      
      - CryptoCell driver
      - dt-bindings folders
      - zlib headers
      
      Change-Id: I50561bf6c88b491ec440d0c8385c74650f3c106e
      Signed-off-by: default avatarAntonio Nino Diaz <antonio.ninodiaz@arm.com>
      c3cf06f1
  5. 29 Oct, 2018 1 commit
    • Soby Mathew's avatar
      PIE: Position Independant Executable support for BL31 · 931f7c61
      Soby Mathew authored
      
      
      This patch introduces Position Independant Executable(PIE) support
      in TF-A. As a initial prototype, only BL31 can support PIE. A trivial
      dynamic linker is implemented which supports fixing up Global Offset
      Table(GOT) and Dynamic relocations(.rela.dyn). The fixup_gdt_reloc()
      helper function implements this linker and this needs to be called
      early in the boot sequence prior to invoking C functions. The GOT is
      placed in the RO section of BL31 binary for improved security and the
      BL31 linker script is modified to export the appropriate symbols
      required for the dynamic linker.
      
      The C compiler always generates PC relative addresses to linker symbols
      and hence referencing symbols exporting constants are a problem when
      relocating the binary. Hence the reference to the
      `__PERCPU_TIMESTAMP_SIZE__` symbol in PMF is removed and is now calculated
      at runtime based on start and end addresses.
      
      Change-Id: I1228583ff92cf432963b7cef052e95d995cca93d
      Signed-off-by: default avatarSoby Mathew <soby.mathew@arm.com>
      931f7c61
  6. 26 Oct, 2018 1 commit
  7. 04 Oct, 2018 1 commit
  8. 28 Sep, 2018 1 commit
  9. 22 Aug, 2018 1 commit
  10. 12 Jun, 2018 1 commit
    • Daniel Boulby's avatar
      Fix MISRA Rule 5.3 Part 1 · d3775d46
      Daniel Boulby authored
      
      
      Conflict with function name and variable name within that function.
      Change the name of the function from image_size to get_image_size
      to remove conflict and make the function fit the normal project
      naming convention.
      
      Rule 5.3:  An identifier declared in an inner scope shall not
                 hide an identifier declared in an outer scope
      
      Fixed For:
          make LOG_LEVEL=50 PLAT=fvp
      
      Change-Id: I1a63d2730113e2741fffa79730459c584b0224d7
      Signed-off-by: default avatarDaniel Boulby <daniel.boulby@arm.com>
      d3775d46
  11. 18 May, 2018 1 commit
  12. 27 Mar, 2018 1 commit
    • Joel Hutton's avatar
      Clean usage of void pointers to access symbols · 9f85f9e3
      Joel Hutton authored
      
      
      Void pointers have been used to access linker symbols, by declaring an
      extern pointer, then taking the address of it. This limits symbols
      values to aligned pointer values. To remove this restriction an
      IMPORT_SYM macro has been introduced, which declares it as a char
      pointer and casts it to the required type.
      
      Change-Id: I89877fc3b13ed311817bb8ba79d4872b89bfd3b0
      Signed-off-by: default avatarJoel Hutton <Joel.Hutton@Arm.com>
      9f85f9e3
  13. 28 Feb, 2018 2 commits
  14. 26 Feb, 2018 1 commit
  15. 05 Dec, 2017 1 commit
    • Soby Mathew's avatar
      Unify cache flush code path after image load · 76163b3a
      Soby Mathew authored
      
      
      Previously the cache flush happened in 2 different places in code
      depending on whether TRUSTED_BOARD_BOOT is enabled or not. This
      patch unifies this code path for both the cases. The `load_image()`
      function is now made an internal static function.
      
      Change-Id: I96a1da29d29236bbc34b1c95053e6a9a7fc98a54
      Signed-off-by: default avatarSoby Mathew <soby.mathew@arm.com>
      76163b3a
  16. 03 May, 2017 1 commit
  17. 29 Apr, 2017 1 commit
    • Scott Branden's avatar
      Move defines in utils.h to utils_def.h to fix shared header compile issues · 53d9c9c8
      Scott Branden authored
      
      
      utils.h is included in various header files for the defines in it.
      Some of the other header files only contain defines.  This allows the
      header files to be shared between host and target builds for shared defines.
      
      Recently types.h has been included in utils.h as well as some function
      prototypes.
      
      Because of the inclusion of types.h conflicts exist building host tools
      abd these header files now.  To solve this problem,
      move the defines to utils_def.h and have this included by utils.h and
      change header files to only include utils_def.h and not pick up the new
      types.h being introduced.
      
      Fixes ARM-software/tf-issues#461
      Signed-off-by: default avatarScott Branden <scott.branden@broadcom.com>
      
      Remove utils_def.h from utils.h
      
      This patch removes utils_def.h from utils.h as it is not required.
      And also makes a minor change to ensure Juno platform compiles.
      
      Change-Id: I10cf1fb51e44a8fa6dcec02980354eb9ecc9fa29
      53d9c9c8
  18. 27 Mar, 2017 1 commit
    • Soby Mathew's avatar
      Re-factor header files for easier PSCI library integration · 5dffb46c
      Soby Mathew authored
      
      
      This patch re-factors the following headers to make it easier to
      integrate the PSCI library with an AArch32 Secure Payload :
      
        *  bl_common.h : The entry point information and the param
           header data structures are factored out into separate
           headers ep_info.h and param_headers.h
        *  psci.h : The PSCI library interfaces are factored out
           into the new header psci_lib.h
        *  context_mgmt.h : The header file is modified to not include
           arch.h when compiled for AArch32 mode.
      
      No functional changes are introduced by this patch.
      
      Change-Id: I5e21a843c0af2ba8e47dee4e577cf95929be8cd4
      Signed-off-by: default avatarSoby Mathew <soby.mathew@arm.com>
      5dffb46c
  19. 23 Jan, 2017 1 commit
    • Masahiro Yamada's avatar
      Use #ifdef for IMAGE_BL* instead of #if · 3d8256b2
      Masahiro Yamada authored
      
      
      One nasty part of ATF is some of boolean macros are always defined
      as 1 or 0, and the rest of them are only defined under certain
      conditions.
      
      For the former group, "#if FOO" or "#if !FOO" must be used because
      "#ifdef FOO" is always true.  (Options passed by $(call add_define,)
      are the cases.)
      
      For the latter, "#ifdef FOO" or "#ifndef FOO" should be used because
      checking the value of an undefined macro is strange.
      
      Here, IMAGE_BL* is handled by make_helpers/build_macro.mk like
      follows:
      
        $(eval IMAGE := IMAGE_BL$(call uppercase,$(3)))
      
        $(OBJ): $(2)
                @echo "  CC      $$<"
                $$(Q)$$(CC) $$(TF_CFLAGS) $$(CFLAGS) -D$(IMAGE) -c $$< -o $$@
      
      This means, IMAGE_BL* is defined when building the corresponding
      image, but *undefined* for the other images.
      
      So, IMAGE_BL* belongs to the latter group where we should use #ifdef
      or #ifndef.
      Signed-off-by: default avatarMasahiro Yamada <yamada.masahiro@socionext.com>
      3d8256b2
  20. 20 Dec, 2016 1 commit
  21. 22 Sep, 2016 1 commit
    • Soby Mathew's avatar
      PSCI: Introduce PSCI Library argument structure · f426fc05
      Soby Mathew authored
      This patch introduces a `psci_lib_args_t` structure which must be
      passed into `psci_setup()` which is then used to initialize the PSCI
      library. The `psci_lib_args_t` is a versioned structure so as to enable
      compatibility checks during library initialization. Both BL31 and SP_MIN
      are modified to use the new structure.
      
      SP_MIN is also modified to add version string and build message as part
      of its cold boot log just like the other BLs in Trusted Firmware.
      
      NOTE: Please be aware that this patch modifies the prototype of
      `psci_setup()`, which breaks compatibility with EL3 Runtime Firmware
      (excluding BL31 and SP_MIN) integrated with the PSCI Library.
      
      Change-Id: Ic3761db0b790760a7ad664d8a437c72ea5edbcd6
      f426fc05
  22. 20 Sep, 2016 1 commit
    • Yatharth Kochar's avatar
      Add new version of image loading. · 72600226
      Yatharth Kochar authored
      This patch adds capability to load BL images based on image
      descriptors instead of hard coded way of loading BL images.
      This framework is designed such that it can be readily adapted
      by any BL stage that needs to load images.
      
      In order to provide the above capability the following new
      platform functions are introduced:
      
        bl_load_info_t *plat_get_bl_image_load_info(void);
          This function returns pointer to the list of images that the
          platform has populated to load.
      
        bl_params_t *plat_get_next_bl_params(void);
          This function returns a pointer to the shared memory that the
          platform has kept aside to pass trusted firmware related
          information that next BL image needs.
      
        void plat_flush_next_bl_params(void);
          This function flushes to main memory all the params that
          are passed to next image.
      
        int bl2_plat_handle_post_image_load(unsigned int image_id)
          This function can be used by the platforms to update/use
          image information for given `image_id`.
      
      `desc_image_load.c` contains utility functions which can be used
      by the platforms to generate, load and executable, image list
      based on the registered image descriptors.
      
      This patch also adds new version of `load_image/load_auth_image`
      functions in-order to achieve the above capability.
      
      Following are the changes for the new version as compared to old:
        - Refactor the signature and only keep image_id and image_info_t
          arguments. Removed image_base argument as it is already passed
          through image_info_t. Given that the BL image base addresses and
          limit/size are already provided by the platforms, the meminfo_t
          and entry_point_info arguments are not needed to provide/reserve
          the extent of free memory for the given BL image.
      
        - Added check for the image size against the defined max size.
          This is needed because the image size could come from an
          unauthenticated source (e.g. the FIP header).
          To make this check, new member is added to the image_info_t
          struct for identifying the image maximum size.
      
      New flag `LOAD_IMAGE_V2` is added in the Makefile.
      Default value is 0.
      
      NOTE: `TRUSTED_BOARD_BOOT` is currently not supported when
            `LOAD_IMAGE_V2` is enabled.
      
      Change-Id: Ia7b643f4817a170d5a2fbf479b9bc12e63112e79
      72600226
  23. 10 Aug, 2016 1 commit
    • Soby Mathew's avatar
      AArch32: Add support in TF libraries · e33b78a6
      Soby Mathew authored
      This patch adds AArch32 support to cpu ops, context management,
      per-cpu data and spinlock libraries. The `entrypoint_info`
      structure is modified to add support for AArch32 register
      arguments. The CPU operations for AEM generic cpu in AArch32
      mode is also added.
      
      Change-Id: I1e52e79f498661d8f31f1e7b3a29e222bc7a4483
      e33b78a6
  24. 18 Jul, 2016 1 commit
    • Soby Mathew's avatar
      Rework type usage in Trusted Firmware · 4c0d0390
      Soby Mathew authored
      This patch reworks type usage in generic code, drivers and ARM platform files
      to make it more portable. The major changes done with respect to
      type usage are as listed below:
      
      * Use uintptr_t for storing address instead of uint64_t or unsigned long.
      * Review usage of unsigned long as it can no longer be assumed to be 64 bit.
      * Use u_register_t for register values whose width varies depending on
        whether AArch64 or AArch32.
      * Use generic C types where-ever possible.
      
      In addition to the above changes, this patch also modifies format specifiers
      in print invocations so that they are AArch64/AArch32 agnostic. Only files
      related to upcoming feature development have been reworked.
      
      Change-Id: I9f8c78347c5a52ba7027ff389791f1dad63ee5f8
      4c0d0390
  25. 08 Jul, 2016 2 commits
    • Sandrine Bailleux's avatar
      Introduce SEPARATE_CODE_AND_RODATA build flag · 5d1c104f
      Sandrine Bailleux authored
      At the moment, all BL images share a similar memory layout: they start
      with their code section, followed by their read-only data section.
      The two sections are contiguous in memory. Therefore, the end of the
      code section and the beginning of the read-only data one might share
      a memory page. This forces both to be mapped with the same memory
      attributes. As the code needs to be executable, this means that the
      read-only data stored on the same memory page as the code are
      executable as well. This could potentially be exploited as part of
      a security attack.
      
      This patch introduces a new build flag called
      SEPARATE_CODE_AND_RODATA, which isolates the code and read-only data
      on separate memory pages. This in turn allows independent control of
      the access permissions for the code and read-only data.
      
      This has an impact on memory footprint, as padding bytes need to be
      introduced between the code and read-only data to ensure the
      segragation of the two. To limit the memory cost, the memory layout
      of the read-only section has been changed in this case.
      
       - When SEPARATE_CODE_AND_RODATA=0, the layout is unchanged, i.e.
         the read-only section still looks like this (padding omitted):
      
         |        ...        |
         +-------------------+
         | Exception vectors |
         +-------------------+
         |  Read-only data   |
         +-------------------+
         |       Code        |
         +-------------------+ BLx_BASE
      
         In this case, the linker script provides the limits of the whole
         read-only section.
      
       - When SEPARATE_CODE_AND_RODATA=1, the exception vectors and
         read-only data are swapped, such that the code and exception
         vectors are contiguous, followed by the read-only data. This
         gives the following new layout (padding omitted):
      
         |        ...        |
         +-------------------+
         |  Read-only data   |
         +-------------------+
         | Exception vectors |
         +-------------------+
         |       Code        |
         +-------------------+ BLx_BASE
      
         In this case, the linker script now exports 2 sets of addresses
         instead: the limits of the code and the limits of the read-only
         data. Refer to the Firmware Design guide for more details. This
         provides platform code with a finer-grained view of the image
         layout and allows it to map these 2 regions with the appropriate
         access permissions.
      
      Note that SEPARATE_CODE_AND_RODATA applies to all BL images.
      
      Change-Id: I936cf80164f6b66b6ad52b8edacadc532c935a49
      5d1c104f
    • Sandrine Bailleux's avatar
      Introduce utils.h header file · ed81f3eb
      Sandrine Bailleux authored
      This patch introduces a new header file: include/lib/utils.h.
      Its purpose is to provide generic macros and helper functions that
      are independent of any BL image, architecture, platform and even
      not specific to Trusted Firmware.
      
      For now, it contains only 2 macros: ARRAY_SIZE() and
      IS_POWER_OF_TWO(). These were previously defined in bl_common.h and
      xlat_tables.c respectively.
      
      bl_common.h includes utils.h to retain compatibility for platforms
      that relied on bl_common.h for the ARRAY_SIZE() macro. Upstream
      platform ports that use this macro have been updated to include
      utils.h.
      
      Change-Id: I960450f54134f25d1710bfbdc4184f12c049a9a9
      ed81f3eb
  26. 22 Feb, 2016 1 commit
    • Yatharth Kochar's avatar
      Fix the inconsistencies in bl1_tbbr_image_descs[] · 843ddee4
      Yatharth Kochar authored
      This patch fixes inconsistencies in bl1_tbbr_image_descs[]
      and miscellaneous fixes in Firmware Update code.
      
      Following are the changes:
      * As part of the original FWU changes, a `copied_size`
        field was added to `image_info_t`. This was a subtle binary
        compatibility break because it changed the size of the
        `bl31_params_t` struct, which could cause problems if
        somebody used different versions of BL2 or BL31, one with
        the old `image_info_t` and one with the new version.
        This patch put the `copied_size` within the `image_desc_t`.
      * EXECUTABLE flag is now stored in `ep_info.h.attr` in place
        of `image_info.h.attr`, associating it to an entrypoint.
      * The `image_info.image_base` is only relevant for secure
        images that are copied from non-secure memory into secure
        memory. This patch removes initializing `image_base` for
        non secure images in the bl1_tbbr_image_descs[].
      * A new macro `SET_STATIC_PARAM_HEAD` is added for populating
        bl1_tbbr_image_descs[].ep_info/image_info.h members statically.
        The version, image_type and image attributes are now
        populated using this new macro.
      * Added PLAT_ARM_NVM_BASE and PLAT_ARM_NVM_SIZE to avoid direct
        usage of V2M_FLASH0_XXX in plat/arm/common/arm_bl1_fwu.c.
      * Refactoring of code/macros related to SECURE and EXECUTABLE flags.
      
      NOTE: PLATFORM PORTS THAT RELY ON THE SIZE OF `image_info_t`
            OR USE the "EXECUTABLE" BIT WITHIN `image_info_t.h.attr`
            OR USE THEIR OWN `image_desc_t` ARRAY IN BL1, MAY BE
            BROKEN BY THIS CHANGE. THIS IS CONSIDERED UNLIKELY.
      
      Change-Id: Id4e5989af7bf0ed263d19d3751939da1169b561d
      843ddee4
  27. 13 Jan, 2016 1 commit
    • Soby Mathew's avatar
      Rearrange fields in TF data structures to reduce padding · b313d755
      Soby Mathew authored
      This patch rearranges fields of the `image_desc_t` & `auth_img_desc_t`
      data structures to reduce padding between the fields and thereby
      save memory.
      
      NOTE: Platform ports which anonymously initialize these structures
      should be aware of the rearrangement and do the required
      modification.
      
      Change-Id: I428b5429632797b31d5bd306174599c07e24c060
      b313d755
  28. 14 Dec, 2015 1 commit
  29. 09 Dec, 2015 5 commits
    • Yatharth Kochar's avatar
      FWU: Add Generic BL2U FWU image support in BL2 · 9003fa0b
      Yatharth Kochar authored
      The Firmware Update (FWU) feature needs support for an optional
      secure world image, BL2U, to allow additional secure world
      initialization required by FWU, for example DDR initialization.
      
      This patch adds generic framework support to create BL2U.
      
      NOTE: A platform makefile must supply additional `BL2U_SOURCES`
            to build the bl2u target. A subsequent patch adds bl2u
            support for ARM platforms.
      
      Change-Id: If2ce036199bb40b39b7f91a9332106bcd4e25413
      9003fa0b
    • Yatharth Kochar's avatar
      FWU: Add Generic Firmware Update framework support in BL1 · 48bfb88e
      Yatharth Kochar authored
      Firmware update(a.k.a FWU) feature is part of the TBB architecture.
      BL1 is responsible for carrying out the FWU process if platform
      specific code detects that it is needed.
      
      This patch adds support for FWU feature support in BL1 which is
      included by enabling `TRUSTED_BOARD_BOOT` compile time flag.
      
      This patch adds bl1_fwu.c which contains all the core operations
      of FWU, which are; SMC handler, image copy, authentication, execution
      and resumption. It also adds bl1.h introducing #defines for all
      BL1 SMCs.
      
      Following platform porting functions are introduced:
      
      int bl1_plat_mem_check(uintptr_t mem_base, unsigned int mem_size,
      unsigned int flags);
      	This function can be used to add platform specific memory checks
      	for the provided base/size for the given security state.
      	The weak definition will invoke `assert()` and return -ENOMEM.
      
      __dead2 void bl1_plat_fwu_done(void *cookie, void *reserved);
      	This function can be used to initiate platform specific procedure
      	to mark completion of the FWU process.
      	The weak definition waits forever calling `wfi()`.
      
      plat_bl1_common.c contains weak definitions for above functions.
      
      FWU process starts when platform detects it and return the image_id
      other than BL2_IMAGE_ID by using `bl1_plat_get_next_image_id()` in
      `bl1_main()`.
      
      NOTE: User MUST provide platform specific real definition for
      bl1_plat_mem_check() in order to use it for Firmware update.
      
      Change-Id: Ice189a0885d9722d9e1dd03f76cac1aceb0e25ed
      48bfb88e
    • Yatharth Kochar's avatar
      Add descriptor based image management support in BL1 · 7baff11f
      Yatharth Kochar authored
      As of now BL1 loads and execute BL2 based on hard coded information
      provided in BL1. But due to addition of support for upcoming Firmware
      Update feature, BL1 now require more flexible approach to load and
      run different images using information provided by the platform.
      
      This patch adds new mechanism to load and execute images based on
      platform provided image id's. BL1 now queries the platform to fetch
      the image id of the next image to be loaded and executed. In order
      to achieve this, a new struct image_desc_t was added which holds the
      information about images, such as: ep_info and image_info.
      
      This patch introduces following platform porting functions:
      
      unsigned int bl1_plat_get_next_image_id(void);
      	This is used to identify the next image to be loaded
      	and executed by BL1.
      
      struct image_desc *bl1_plat_get_image_desc(unsigned int image_id);
      	This is used to retrieve the image_desc for given image_id.
      
      void bl1_plat_set_ep_info(unsigned int image_id,
      struct entry_point_info *ep_info);
      	This function allows platforms to update ep_info for given
      	image_id.
      
      The plat_bl1_common.c file provides default weak implementations of
      all above functions, the `bl1_plat_get_image_desc()` always return
      BL2 image descriptor, the `bl1_plat_get_next_image_id()` always return
      BL2 image ID and `bl1_plat_set_ep_info()` is empty and just returns.
      These functions gets compiled into all BL1 platforms by default.
      
      Platform setup in BL1, using `bl1_platform_setup()`, is now done
      _after_ the initialization of authentication module. This change
      provides the opportunity to use authentication while doing the
      platform setup in BL1.
      
      In order to store secure/non-secure context, BL31 uses percpu_data[]
      to store context pointer for each core. In case of BL1 only the
      primary CPU will be active hence percpu_data[] is not required to
      store the context pointer.
      
      This patch introduce bl1_cpu_context[] and bl1_cpu_context_ptr[] to
      store the context and context pointers respectively. It also also
      re-defines cm_get_context() and cm_set_context() for BL1 in
      bl1/bl1_context_mgmt.c.
      
      BL1 now follows the BL31 pattern of using SP_EL0 for the C runtime
      environment, to support resuming execution from a previously saved
      context.
      
      NOTE: THE `bl1_plat_set_bl2_ep_info()` PLATFORM PORTING FUNCTION IS
            NO LONGER CALLED BY BL1 COMMON CODE. PLATFORMS THAT OVERRIDE
            THIS FUNCTION MAY NEED TO IMPLEMENT `bl1_plat_set_ep_info()`
            INSTEAD TO MAINTAIN EXISTING BEHAVIOUR.
      
      Change-Id: Ieee4c124b951c2e9bc1c1013fa2073221195d881
      7baff11f
    • Yatharth Kochar's avatar
      Move context management code to common location · bbf8f6f9
      Yatharth Kochar authored
      The upcoming Firmware Update feature needs transitioning across
      Secure/Normal worlds to complete the FWU process and hence requires
      context management code to perform this task.
      
      Currently context management code is part of BL31 stage only.
      This patch moves the code from (include)/bl31 to (include)/common.
      Some function declarations/definitions and macros have also moved
      to different files to help code sharing.
      
      Change-Id: I3858b08aecdb76d390765ab2b099f457873f7b0c
      bbf8f6f9
    • Yatharth Kochar's avatar
      Remove `RUN_IMAGE` usage as opcode passed to next EL. · 5698c5b3
      Yatharth Kochar authored
      The primary usage of `RUN_IMAGE` SMC function id, used by BL2 is to
      make a request to BL1 to execute BL31. But BL2 also uses it as
      opcode to check if it is allowed to execute which is not the
      intended usage of `RUN_IMAGE` SMC.
      
      This patch removes the usage of `RUN_IMAGE` as opcode passed to
      next EL to check if it is allowed to execute.
      
      Change-Id: I6aebe0415ade3f43401a4c8a323457f032673657
      5698c5b3
  30. 02 Nov, 2015 1 commit
    • Sandrine Bailleux's avatar
      Introduce print_entry_point_info() function · 68a68c92
      Sandrine Bailleux authored
      This patch introduces a new function called 'print_entry_point_info'
      that prints an entry_point_t structure for debugging purposes.
      As such, it can be used to display the entry point address, SPSR and
      arguments passed from a firmware image to the next one.
      
      This function is now called in the following images transitions:
       - BL1 to BL2
       - BL1 to BL31
       - BL31 to the next image (typically BL32 or BL33)
      
      The following changes have been introduced:
      
       - Fix the output format of the SPSR value : SPSR is a 32-bit value,
         not a 64-bit one.
      
       - Print all arguments values.
         The entry_point_info_t structure allows to pass up to 8 arguments.
         In most cases, only the first 2 arguments were printed.
         print_entry_point_info() now prints all of them as 'VERBOSE'
         traces.
      
      Change-Id: Ieb384bffaa7849e6cb95a01a47c0b7fc2308653a
      68a68c92
  31. 23 Oct, 2015 1 commit
    • Juan Castillo's avatar
      Use standard errno definitions in load_auth_image() · 78460a05
      Juan Castillo authored
      This patch replaces custom definitions used as return values for
      the load_auth_image() function with standard error codes defined
      in errno.h. The custom definitions have been removed.
      
      It also replaces the usage of IO framework error custom definitions,
      which have been deprecated. Standard errno definitions are used
      instead.
      
      Change-Id: I1228477346d3876151c05b470d9669c37fd231be
      78460a05
  32. 02 Sep, 2015 1 commit
    • Vikram Kanigiri's avatar
      Ensure BL2 security state is secure · a2f8b166
      Vikram Kanigiri authored
      BL2 loads secure runtime code(BL3-1, BL3-2) and hence it has to
      run in secure world otherwise BL3-1/BL3-2 have to execute from
      non-secure memory. Hence, This patch removes the change_security_state()
      call in bl1_run_bl2() and replaces it with an assert to confirm
      the BL2 as secure.
      
      Fixes ARM-software/tf-issues#314
      
      Change-Id: I611b83f5c4090e58a76a2e950b0d797b46df3c29
      a2f8b166
  33. 20 Aug, 2015 1 commit
    • Juan Castillo's avatar
      TBB: abort boot if BL3-2 cannot be authenticated · fedbc049
      Juan Castillo authored
      BL3-2 image (Secure Payload) is optional. If the image cannot be
      loaded a warning message is printed and the boot process continues.
      According to the TBBR document, this behaviour should not apply in
      case of an authentication error, where the boot process should be
      aborted.
      
      This patch modifies the load_auth_image() function to distinguish
      between a load error and an authentication error. The caller uses
      the return value to abort the boot process or continue.
      
      In case of authentication error, the memory region used to store
      the image is wiped clean.
      
      Change-Id: I534391d526d514b2a85981c3dda00de67e0e7992
      fedbc049
  34. 25 Jun, 2015 1 commit
    • Juan Castillo's avatar
      TBB: switch to the new authentication framework · 1779ba6b
      Juan Castillo authored
      This patch modifies the Trusted Board Boot implementation to use
      the new authentication framework, making use of the authentication
      module, the cryto module and the image parser module to
      authenticate the images in the Chain of Trust.
      
      A new function 'load_auth_image()' has been implemented. When TBB
      is enabled, this function will call the authentication module to
      authenticate parent images following the CoT up to the root of
      trust to finally load and authenticate the requested image.
      
      The platform is responsible for picking up the right makefiles to
      build the corresponding cryptographic and image parser libraries.
      ARM platforms use the mbedTLS based libraries.
      
      The platform may also specify what key algorithm should be used
      to sign the certificates. This is done by declaring the 'KEY_ALG'
      variable in the platform makefile. FVP and Juno use ECDSA keys.
      
      On ARM platforms, BL2 and BL1-RW regions have been increased 4KB
      each to accommodate the ECDSA code.
      
      REMOVED BUILD OPTIONS:
      
        * 'AUTH_MOD'
      
      Change-Id: I47d436589fc213a39edf5f5297bbd955f15ae867
      1779ba6b