Adds a common function to poll for interrupt status which reports errors
and returns error codes
Signed-off-by: Anand Saminathan <anans@google.com>
Change-Id: Ie5df036dc979e984871de4ae7e974b994296ca4c
-fix1: size of struct instead of pointer during reply_size check
-fix2: update the out_vec length with the actual length from reply
message (e.g. in case of an output buffer, the returned output
data length remained the size of the buffer and was not updated
with the size of the actual data in it)
Change-Id: Ibed5520ca1fb05df358de4bdf85ace219183866c
Signed-off-by: David Vincze <david.vincze@arm.com>
Previously, extensions were parsed twice: once with error checking for
validation, and a second time without error checking to extract the
extension data. This is error prone and caused TFV-10 (CVE-2022-47630).
A simpler approach is to have get_ext() be responsible for all extension
parsing, and to treat a NULL OID as an indicator that get_ext() is only
being called for validation. cert_parse() checks that get_ext() returns
IMG_PARSER_OK and fails otherwise.
Change-Id: I65a2ff053a188351ba54799827a2b7bd833bb037
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
mmc_enumerate() is the only caller of mmc_send_op_cond().
mmc_enumerate() calls mmc_reset_to_idle() just before calling
mmc_send_op_cond(). No need to do that again in mmc_send_op_cond().
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Change-Id: Ib8c8ed1a559e3fecb315245f91bb3dc1f547d820
commit (a8eadc51a refactor(mbedtls): avoid including
MBEDTLS_CONFIG_FILE) avoids using config file directly and relies on
config file usage from mbedtls version.h
But we could build trusted boot without mbedtls dir so guard version.h
include in cot_def.h with availability of config file.
Also we refactored in same commit to break dependencies between
auth_mod.h and cot_def.h, So add cot_def.h include in nxp tbbr
cot file.
Change-Id: I4779e90c18f04c73d2121c88df6420b4b1109c8b
Signed-off-by: Govindraj Raja <govindraj.raja@arm.com>
The previous code was correct but unnecessarily verbose.
Change-Id: Ia19c667811a7c3b6957a0274d36076b0b16e36b7
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
The unique IDs are handled identically, so just use a for loop to get
both of them.
Change-Id: I44baaa4747ca7f314d364a79dfcbce97315f5a92
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
The PRDT length field contains the count of the entries in the PRDT. See
JEDEC Standard No. 223E, section 6.1.1, "UTP Transfer Request
Descriptor," page 66. Previously we were setting the PRDT length field
to the number of bytes in the PRDT divided by four (the size in units of
32 bits). This was incorrect according to the spec.
Signed-off-by: Jorge Troncoso <jatron@google.com>
Change-Id: I960771e6ce57002872392993042fae9ec505447e
Previously, if the image being read exceeded 12,800 KB (or 50 PRDT
entries of size 256 KB), the UFS driver would not flush the entire
Physical Region Descriptor Table (PRDT). This would cause the UFS host
controller to read empty PRDT entries, which eventually would make the
system crash. This change updates the UFS driver to flush the entire
PRDT, irrespective of the size of the image being read.
This change also throws an error if the memory allocated for UFS
descriptors is not sufficient to hold the entire Physical Region
Descriptor Table (PRDT).
Signed-off-by: Jorge Troncoso <jatron@google.com>
Change-Id: I291dc62748992481be3cc156ce1474a6e3990ea9
Currently the UFS driver places the Command UPIU, Response UPIU, and
PRDT immediately after the UTP Transfer Request Descriptor. This space
would normally be reserved for other slots in the UTP Transfer Request
List, but because we always use slot zero, the other slots in the UTP
Transfer Request List are never used and this is okay.
Because the Command UPIU, Response UPIU, and PRDT are placed inside the
UTP Transfer Request List, the UFS driver would break if two or more
slots were used at the same time. Therefore, in a sense the
get_empty_slot() function is misleading. It gives developers the
illusion that they can use two or more slots simultaneously but in
reality they cannot.
This change deletes the get_empty_slot() function and replaces it with
is_slot_available() so that only one slot can be used.
Signed-off-by: Jorge Troncoso <jatron@google.com>
Change-Id: I57f316640a1cdd56493505ede61f3012ceb2f305
TF-A support for mbedtls3.x has been overdue by number of releases.
As per mbedtls support it was advised to use latest and greatest
mbedtls-3.3. But mbedtls-3.x breaks API compatibility with
mbedtls-2.x
To maintain comptability for mbedtls-2.x and enable mbedtls-3.x
support add a functionality into makefile to determine the major version
of mbedtls and use that to selective include or compile files
that are present.
With mbedtls-3.x numerous other config changes have been done.
Some of the config options deprecated or enabled by default.
Thus we decided to introduce a new 3.x config file part of this
change for building TF-A with mbedtls-3.3.
For futher information on migrating to mbedtls 3.x refer to:
https://github.com/Mbed-TLS/mbedtls/blob/development/docs/3.0-migration-guide.md
Change-Id: Ia8106d6f526809df927d608db27fe149623258ed
Signed-off-by: Govindraj Raja <govindraj.raja@arm.com>
In preparation for supporting mbedtls 3.3, usage of
mbedtls_pk_rsassa_pss_options[1] is made private and is broken on 3.3
However looking closely into the usage in 'verify_signature' function
is no hard reason behind usage of this struct and they could be easily
replaced with independent variables.
This Minor refactor to avoid using the struct mbedtls_pk_rsassa_pss_options
and use independent variable will provide compatibility with both 2.x
and 3.x
[1]: https://github.com/Mbed-TLS/mbedtls/issues/7040
Change-Id: If0107d860d11d13cba7fd5d7941e7142e70c7b11
Signed-off-by: Govindraj Raja <govindraj.raja@arm.com>
Currently we include MBEDTLS_CONFIG_FILE directly and if a custom
config file is used it will included.
However from mbedtls-3.x onwards it discourages usage of
MBEDTLS_CONFIG_FILE include directly, so to resolve this and keep 2.28
compatibility include version.h which would include the custom config
file if present and also would expose us with mbedtls-major-version
number which could be used for selecting features and functions for
mbedtls 2.28 or 3.3
Change-Id: I029992311be2a38b588ebbb350875b03ea29acdb
Signed-off-by: Govindraj Raja <govindraj.raja@arm.com>
The Device Present (DP) field is set to '1' after host controller
receive 'SUCCESS' return code on the response of the DME_LINKSTARTUP UIC
CMD during host controller initialization.
JEDEC Standard No. 223E
Page 28
Signed-off-by: Jorge Troncoso <jatron@google.com>
Change-Id: I9db0374c1df3530d64187b9e449cde3b27d63072
The Allwinner AXP driver was using a private implementation of that
function, remove that in favour of our now common implementation.
Change-Id: I7bd311d73060d4bc83f93cff6bedf6c78dddd3ca
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
console_state is only used in multi_console.c, it is then declared as
static. console_list is used by several files, declare it as extern.
This corrects the 2 sparse warnings:
drivers/console/multi_console.c:13:11: warning: symbol 'console_list'
was not declared. Should it be static?
drivers/console/multi_console.c:14:9: warning: symbol 'console_state'
was not declared. Should it be static?
Signed-off-by: Yann Gautier <yann.gautier@st.com>
Change-Id: Id1891595906c258e8cb8aa325226f0a43723ca0e
This was triggered by sparse tool:
drivers/auth/mbedtls/mbedtls_x509_parser.c:481:42: warning:
Using plain integer as NULL pointer
Signed-off-by: Yann Gautier <yann.gautier@st.com>
Change-Id: I392316c2a81ef8da7597e35f136e038f152d19d1
The ops->read and ops->write existence was checked with 0, change it
to NULL.
This corrects sparse issues:
drivers/io/io_block.c:272:9: warning:
Using plain integer as NULL pointer
drivers/io/io_block.c:384:9: warning:
Using plain integer as NULL pointer
drivers/io/io_block.c:384:9: warning:
Using plain integer as NULL pointer
Signed-off-by: Yann Gautier <yann.gautier@st.com>
Change-Id: I039050a645107523d8263ddf820e539c260d956c
get_ext() does not check the return value of the various mbedtls_*
functions, as cert_parse() is assumed to have guaranteed that they will
always succeed. However, it passes the end of an extension as the end
pointer to these functions, whereas cert_parse() passes the end of the
TBSCertificate. Furthermore, cert_parse() does *not* check that the
contents of the extension have the same length as the extension itself.
Before fd37982a19 ("fix(auth): forbid junk after extensions"),
cert_parse() also does not check that the extension block extends to the
end of the TBSCertificate.
This is a problem, as mbedtls_asn1_get_tag() leaves *p and *len
undefined on failure. In practice, this results in get_ext() continuing
to parse at different offsets than were used (and validated) by
cert_parse(), which means that the in-bounds guarantee provided by
cert_parse() no longer holds.
This patch fixes the remaining flaw by enforcing that the contents of an
extension are the same length as the extension itself.
Change-Id: Id4570f911402e34d5d6c799ae01a01f184c68d7c
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
auth_nvctr() does not check that the buffer provided is long enough to
hold an ASN.1 INTEGER, or even that the buffer is non-empty. Since
auth_nvctr() will only ever read 6 bytes, it is possible to read up to
6 bytes past the end of the buffer.
This out-of-bounds read turns out to be harmless. The only caller of
auth_nvctr() always passes a pointer into an X.509 TBSCertificate, and
all in-tree chains of trust require that the certificate’s signature has
already been validated. This means that the signature algorithm
identifier is at least 4 bytes and the signature itself more than that.
Therefore, the data read will be from the certificate itself. Even if
the certificate signature has not been validated, an out-of-bounds read
is still not possible. Since there are at least two bytes (tag and
length) in both the signature algorithm ID and the signature itself, an
out-of-bounds read would require that the tag byte of the signature
algorithm ID would need to be either the tag or length byte of the
DER-encoded nonvolatile counter. However, this byte must be
(MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE) (0x30), which is
greater than 4 and not equal to MBEDTLS_ASN1_INTEGER (2). Therefore,
auth_nvctr() will error out before reading the integer itself,
preventing an out-of-bounds read.
Change-Id: Ibdf1af702fbeb98a94c0c96456ebddd3d392ad44
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
Default priority was not being set for all interrupts (gicr_write_ipriorityr takes INTID, not register number). The fix makes the loop to pass INTID in range 0, 4, 8, 12, ...
Signed-off-by: Sylwester Garncarek <sylwester.garncarek@sciopta.com>
Change-Id: Iaa975f6af49f5826c2811161f55242844c28ea81
This makes the code a little bit smaller. No functional change
intended.
Change-Id: I794d2927fcd034a79e29c9bba1f8e4410203f547
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
Certificates must not allow trailing junk after them.
Change-Id: Ie33205fb051fc63af5b72c326822da7f62eec1d1
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
This is already checked by the crypto module or by mbedTLS, but checking
it in the X.509 parser is harmless.
Change-Id: Ifdbe3b4c6d04481bb8e93106ee04b49a70f50d5d
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
Since the two instances of the signature algorithm in a certificate must
be bitwise identical, it is not necessary to parse both of them.
Instead, it suffices to parse one of them, and then check that the other
fits in the remaining buffer space and is equal to the first.
Change-Id: Id0a0663165f147879ac83b6a540378fd4873b0dd
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
This reduces the likelihood of future problems later.
Change-Id: Ia748b6ae31a7a48f17ec7f0fc08310a50cd1b135
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
Digests must not have padding after the SEQUENCE or OCTET STRING.
Change-Id: Id25ab23111781f8c8a97c2c3c8edf1cc4a4384c0
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
X.509 and RFC5280 allow omitting the extensions entirely, but require
that if the extensions field is present at all, it must contain at least
one certificate. TF-A already requires the extensions to be present,
but allows them to be empty. However, a certificate with an empty
extensions field will always fail later on, as the extensions contain
the information needed to validate the next stage in the boot chain.
Therefore, it is simpler to require the extension field to be present
and contain at least one extension. Also add a comment explaining why
the extensions field is required, even though it is OPTIONAL in the
ASN.1 syntax.
Change-Id: Ie26eed8a7924bf50937a6b27ccdf7cc9a390588d
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
The extensions must use all remaining bytes in the TBSCertificate.
Change-Id: Idf48f7168e146d050ba62dbc732638946fcd6c92
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
v1 and v2 are forbidden as at least one extension is required. Instead
of actually parsing the version number, just compare it with a
hard-coded string.
Change-Id: Ib8fd34304a0049787db77ec8c2359d0930cd4ba1
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
This driver was used when STM32MP_USE_STM32IMAGE was enabled. This flag
is now removed, so the ST io_mmc driver can now be removed.
Signed-off-by: Yann Gautier <yann.gautier@st.com>
Change-Id: I3c1280dec8926b921534c81e143e86cfe6d4ee0d
The functions stm32_pka_get_platdata() and stm32_saes_get_platdata()
are not used. They can be removed as we always use DT to retrieve
the device configuration.
This issue was triggered by sparse tool or when enabling warning
-Wmissing-prototypes.
Signed-off-by: Yann Gautier <yann.gautier@st.com>
Change-Id: I5cce9a0765144d694e8ddece37361ccbb85d1734
with reference to feature 04c730 (feat(cpus): make cache ops conditional),
booting with caches in debug recovery means SCTLR_C_BIT will be 0.
Wrap the assert for the d-cache enabled check in CONDITIONAL_CMO and
plat_can_cmo calls to allow booting with d-cache disabled.
Signed-off-by: Channagoud kadabi <kadabi@google.com>
Change-Id: I80153df493d1ec9e5e354c7c2e6a14322d22c446
This corrects MISRA C2012-10.6:
The value of a composite expression shall not be assigned to an object
with wider essential type.
While at it change all the shift values to unsigned.
Signed-off-by: Yann Gautier <yann.gautier@st.com>
Change-Id: Idf9915313af965db2106095df7cb48a84f50c519
Fix MISRA C2012-10.3:
The value of an expression shall not be assigned to an object with
a narrower essential type or of a different essential type category.
Check buffer size is less than 4GB before casting the command argument.
Signed-off-by: Yann Gautier <yann.gautier@st.com>
Change-Id: Iac1afcfe905c99b22cb39dc4104d351b0e647e5d
This corrects MISRA C2012-18.4:
The +, -, += and -= operators should not be applied to an expression
of pointer type.
Signed-off-by: Yann Gautier <yann.gautier@st.com>
Change-Id: I9128f567a7c83d8e3381428b07e6bd785be2703b
This corrects MISRA C2012-9.5:
Where designated initializers are used to initialize an array object
the size of the array shall be specified explicitly.
Signed-off-by: Yann Gautier <yann.gautier@st.com>
Change-Id: I4c331b0225af975fd022ffe9e5fd1d536ed59879
This corrects MISRA C2012-16.6:
Every switch statement shall have at least two switch-clauses.
While at it, remove useless rate variable.
Signed-off-by: Yann Gautier <yann.gautier@st.com>
Change-Id: I123784e7184dbf4146fd0d7faeffd6a0382fc6a1
This corrects MISRA C2012-14.4
The controlling expression of an if statement and the controlling
expression of an iteration-statement shall have essentially Boolean type.
Signed-off-by: Yann Gautier <yann.gautier@st.com>
Change-Id: Id217d3da223caf75cd0439d7ce11c9efab87b4d2
This corrects MISRA C2012-14.4
The controlling expression of an if statement and the controlling
expression of an iteration-statement shall have essentially Boolean type.
Signed-off-by: Yann Gautier <yann.gautier@st.com>
Change-Id: Iacc58349cc3ab558fb4ffe0605a623e84e21e035
This corrects MISRA C2012-20.7:
Expressions resulting from the expansion of macro parameters shall be
enclosed in parentheses.
Signed-off-by: Yann Gautier <yann.gautier@st.com>
Change-Id: I9989a5aaacf17f6f7a65381c8d41f21a35f6ddd9
This corrects MISRA C2012-18.4:
The +, -, += and -= operators should not be applied to an expression
of pointer type.
Signed-off-by: Yann Gautier <yann.gautier@st.com>
Change-Id: Ie1a196b875eae2eff9242cf83abfc1a79bdee6f3
This corrects the MISRA violation C2012-12.1:
The precedence of operators within expressions should be made explicit.
This is done either by adding parentheses, or by creating dedicated
variables.
Signed-off-by: Yann Gautier <yann.gautier@st.com>
Change-Id: If8312442222ba848ac1f5e38df1bed0a367646a7
This corrects MISRA C2012-9.5:
Where designated initializers are used to initialize an array object
the size of the array shall be specified explicitly.
Signed-off-by: Yann Gautier <yann.gautier@st.com>
Change-Id: I4f8da6b0ce73df65b2b45ba10d4ca16ed8b70113
This corrects MISRA C2012-20.7
Expressions resulting from the expansion of macro parameters shall be
enclosed in parentheses.
Signed-off-by: Yann Gautier <yann.gautier@st.com>
Change-Id: I9269d7a5b6aa4573bc0ca55b3054c3475dc4b6b2
This corrects MISRA C2012 10.3: The value of an expression shall not be
assigned to an object with a narrower essential type or of a different
essential type category.
Set part_config to be an unsigned char everywhere it is used.
Signed-off-by: Yann Gautier <yann.gautier@st.com>
Change-Id: I9cf87848fb016a5630b3c8091290419e3bc62b91
Anand Saminathan
Elyes Haouas
David Vincze
Demi Marie Obenour
Baruch Siach
Govindraj Raja
Jorge Troncoso
Andre Przywara
Yann Gautier
Sylwester Garncarek
Channagoud kadabi