TF-A is no more in charge of configuring OP-TEE shared memory.
Set the STM32MP15_OPTEE_RSV_SHM flag as deprecated (as well as the code
depending on it).
Signed-off-by: Yann Gautier <yann.gautier@st.com>
Change-Id: I863d9a1e45e0bfc2f45d9bd84b90d626738934ab
OP-TEE manages its own memory, and can open some areas through TZC400.
There is no need to configure this shared memory in TF-A.
Just assure that CFG_CORE_RESERVED_SHM=n for OP-TEE compilation.
Signed-off-by: Yann Gautier <yann.gautier@st.com>
Change-Id: Ib54acd60d9ec243d6ef9cc6b74937b4183d9ffa5
* changes:
feat(versal-net): retrieval of console information from dtb
feat(versal): retrieval of console information from dtb
refactor(xilinx): create generic function for clock retrieval
feat(zynqmp): retrieval of console information from dtb
Removing ARM_ROTPK_KEY_LEN definition and comparison in full key .S
files since there is little value in comparing the defined value with a
static size. This becomes more maintenance than value addition.
Removing defines no longer required and general clean up of .S full key
files.
Change-Id: Id286b7078ab9e190e37a43804e2a8d1b0934c235
Signed-off-by: Lauren Wehrmeister <lauren.wehrmeister@arm.com>
Setting default KEY_SIZE to 256 for ECDSA since it is currently being
set to 2048 by make_helpers/defaults.mk, which is an invalid size for
ECDSA
Change-Id: I4c0edf714dcd2a31d5e50ea060b1b5348167387d
Signed-off-by: Lauren Wehrmeister <lauren.wehrmeister@arm.com>
Adding the possible key sizes for the ecdsa key algorithm.
Change-Id: I58947bc749fed911766a1462a0c2ba520b8f7c69
Signed-off-by: Lauren Wehrmeister <lauren.wehrmeister@arm.com>
Add full key support for ECDSA P384 and P256.
New .S files and p384 pem file created along with new
plat_get_rotpk_info() flag ARM_ROTPK_DEVEL_FULL_DEV_ECDSA_KEY_ID.
Change-Id: I578b257eca41070bb4f4791ef429f2b8a66b1eb3
Signed-off-by: Lauren Wehrmeister <lauren.wehrmeister@arm.com>
Adding the PK_DER_LEN option for 384 key size when adding ECDSA P384 key
support
Change-Id: I0f19aebad20d1c552976dc3c22ed396d79614769
Signed-off-by: Lauren Wehrmeister <lauren.wehrmeister@arm.com>
Use KEY_SIZE 384 to enable ECDSA P384 key support by
setting MBEDTLS_ECP_DP_SECP384R1_ENABLED.
Selected by setting KEY_ALG=ecdsa and KEY_SIZE=384.
Change-Id: I382f34fc4da98f166a2aada5d16fdf44632b47f5
Signed-off-by: Lauren Wehrmeister <lauren.wehrmeister@arm.com>
* changes:
feat(rdn2): introduce platform handler for Group0 interrupt
feat(rdn2): add plat hook for memory transaction
feat(rdn2): introduce accessor function to obtain datastore
feat(spm): separate StMM SP specifics to add support for a S-EL0 SP
feat(rdn2): add defines needed for spmc-el3
feat(ras): reuse SPM_MM specific defines for SPMC_AT_EL3
feat(bl31): reuse SPM_MM specific defines for SPMC_AT_EL3
feat(arm): reuse SPM_MM specific defines for SPMC_AT_EL3
feat(el3-spmc): add a flag to enable support to load SEL0 SP
refactor(spm-mm): reorganize secure partition manager shim code
This patch introduces a handler for RDN2 platform to triage Group0
secure interrupts. Currently, it is empty but serves as a
placeholder for future Group0 interrupt sources.
Signed-off-by: Nishant Sharma <nishant.sharma@arm.com>
Change-Id: If0b64e507e9105813d9a5d16f70101cf0d8ca5a4
RdN2 does not make MEM_SHARE/LEND requests. Instead, add a dummy
implementation of memory management related platform hooks.
Signed-off-by: Nishant Sharma <nishant.sharma@arm.com>
Change-Id: Ifce55b6661f03d379e2fd2dc5625200d550d8038
In order to provide the EL3 SPMC a sufficient datastore to
record memory descriptor, introduce an accessor function
so that the backing memory can be allocated in a platform
defined manner to accommodate memory constraints and
desired usecases.
Signed-off-by: Nishant Sharma <nishant.sharma@arm.com>
Change-Id: If5842e79c2ad22ccc17362b114f47d9900d82f7e
This patch separates the code from SPM_MM to get xlat table context and
move it to a common location. In addition, only APIs required from both
SPM_MM and FF-A EL3 SPMC are moved to the common location.
This allows understanding better what is required to support a S-EL0 SP
instead of trying to retrofit what already exists.
Signed-off-by: Achin Gupta <achin.gupta@arm.com>
Signed-off-by: Nishant Sharma <nishant.sharma@arm.com>
Change-Id: I142d7fbef5239869176d0de93842c66051d7ed78
Add the following platform specific flags to enable SPMC build.
SECURE_PARTITION_COUNT: Number of secure partitions supported
NS_PARTITION_COUNT: Number of non secure partitions supported
MAX_EL3_LP_DESCS_COUNT: Number of logical partitions supported
Signed-off-by: Sayanta Pattanayak <sayanta.pattanayak@arm.com>
Signed-off-by: Nishant Sharma <nishant.sharma@arm.com>
Change-Id: I33d46be9dffd0acfc088bc1701dc0b1ed92dbf46
For EL3 SPMC configuration enabled platforms, allow the reuse of
SPM_MM specific definitions.
Signed-off-by: Nishant Sharma <nishant.sharma@arm.com>
Change-Id: Ic88db49d4f854c718d064b2c301a639fc2df2857
For EL3 SPMC configuration enabled platforms, allow the reuse of
SPM_MM specific definitions.
Signed-off-by: Nishant Sharma <nishant.sharma@arm.com>
Change-Id: I5ef694f7e2f6d48ec7db26f92ccb350ed537e3f1
Introduce a build flag for enabling the support for loading SEL0 SP in
EL3 SPMC.
Signed-off-by: Nishant Sharma <nishant.sharma@arm.com>
Change-Id: I1d63ae4d0d8374a732113565be90d58861506e39
In preparation for adding the support for SEL0 SP in EL3 SPMC,
restructure the existing SPM_MM shim code in a way that allows reuse
of the code for both SPM_MM interface and FF-A EL3 SPMC interface. The
code for changing exception levels is identical for both.
With this restructuring of the code, the shim exception code is moved to
the common sub-directory.
Signed-off-by: Sayanta Pattanayak <sayanta.pattanayak@arm.com>
Signed-off-by: Nishant Sharma <nishant.sharma@arm.com>
Change-Id: Iadda9cf73f12b56e6a1d31fc21b5ba5dc355867f
1. Allow domain D8 (SCP c0) access to the region 0x50000000~0x528FFFFF.
2. Allow domain D8 (SCP c1) access to the region 0x70000000~0x729FFFFF.
3. Allow domain D4 (DSP) access to the region 0x60000000~0x610FFFFF.
Change-Id: Iea92eebaea4d7dd2968cf51f41d07c2479168e7e
Signed-off-by: Jason Chen <Jason-ch.Chen@mediatek.com>
The ability to read a character from the console constitutes an attack
vector into TF-A, as it gives attackers a means to inject arbitrary
data into TF-A. It is dangerous to keep that feature enabled if not
strictly necessary, especially in production firmware builds.
Thus, we need a way to disable this feature. Moreover, when it is
disabled, all related code should be eliminated from the firmware
binaries, such that no remnant/dead getc() code remains in memory,
which could otherwise be used as a gadget as part of a bigger security
attack.
This patch disables getc() feature by default. For legitimate getc()
use cases [1], it can be explicitly enabled by building TF-A with
ENABLE_CONSOLE_GETC=1.
The following changes are introduced when getc() is disabled:
- The multi-console framework no longer provides the console_getc()
function.
- If the console driver selected by the platform attempts to register
a getc() callback into the multi-console framework then TF-A will
now fail to build.
If registered through the assembly function finish_console_register():
- On AArch64, you'll get:
Error: undefined symbol CONSOLE_T_GETC used as an immediate value.
- On AArch32, you'll get:
Error: internal_relocation (type: OFFSET_IMM) not fixed up
If registered through the C function console_register(), this requires
populating a struct console with a getc field, which will trigger:
error: 'console_t' {aka 'struct console'} has no member named 'getc'
- All console drivers which previously registered a getc() callback
have been modified to do so only when ENABLE_CONSOLE_GETC=1.
[1] Example of such use cases would be:
- Firmware recovery: retrieving a golden BL2 image over the console in
order to repair a broken firmware on a bricked board.
- Factory CLI tool: Drive some soak tests through the console.
Discussed on TF-A mailing list here:
https://lists.trustedfirmware.org/archives/list/tf-a@lists.trustedfirmware.org/thread/YS7F6RCNTWBTEOBLAXIRTXWIOYINVRW7/
Change-Id: Icb412304cd23dbdd7662df7cf8992267b7975cc5
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
Acked-by: Baruch Siach <baruch@tkos.co.il>
Introduces functionality to retrieve console information from the
device tree (DTB) and use it in TF-A code.
Comparing early console information and the data populated from
the DTB. In case of a mistmatch, the changes takes care of
unregistering the build time console configuration and registering the
DTB-based console.
Reorganizes the console configuration setup in BL31 by moving it to a
dedicated function called setup_console() in the plat_console.c
file. This change improves code readability by isolating console-
related settings, making it easier to manage and extend the console
configuration in the future.
Signed-off-by: Prasad Kummari <prasad.kummari@amd.com>
Change-Id: I7b6ebad0e91133ab5fbda8f3a8663abfb6dd2458
Introduces functionality to retrieve console information from the
device tree (DTB) and use it in TF-A code.
Comparing early console information and the data populated from
the DTB. In case of a mistmatch, the changes takes care of
unregistering the build time console configuration and registering the
DTB-based console.
Reorganizes the console configuration setup in BL31 by moving it to a
dedicated function called setup_console() in the plat_console.c
file. This change improves code readability by isolating console-related
settings, making it easier to manage and extend the console
configuration in the future.
Signed-off-by: Prasad Kummari <prasad.kummari@amd.com>
Change-Id: I617c846d753e73d2433edf15b3286f1a650f01b3
Refactors the code in the AMD-Xilinx platform for Versal and Versal NET
to create a more generic function for obtaining clock signals
from the platform. The new function get_uart_clk is specific to each
platform and providing greater flexibility for clock signal retrieval
in various parts of the codebase.
Signed-off-by: Prasad Kummari <prasad.kummari@amd.com>
Change-Id: Iff67315339b2651c9bea73af0d89fcbad2bb332a
Introduces functionality to retrieve console information from the
device tree (DTB) and use it in TF-A code.
With fdt_get_stdout_node_offset() function, which reads the 'secure-chosen'
first,'chosen' and 'stdout-path' properties from the DTB, providing a
convenient and standardized way to access serial console information.
Implemented a comparison mechanism between early console information
and the data populated from the DTB. In case of a mismatch, the commit
takes care of unregistering the build-time console configuration and
registering the DTB-based console.
Reorganizes the console configuration setup in BL31 by moving it to a
dedicated function called setup_console() in the plat_console.c
file. This change improves code readability by isolating
console-related settings, making it easier to manage and extend the
console configuration in the future.
Signed-off-by: Prasad Kummari <prasad.kummari@amd.com>
Change-Id: I857042fc0fb8f070bbc11f6b47aa57a72fbe5392
* changes:
fix(imx8m): map BL32 memory only if SPD_opteed or SPD_trusty is enabled
feat(imx8mn): add workaround for errata ERR050362
feat(imx8m): enable snvs privileged registers access
Updating toolchain to the latest production release version
12.3.Rel1 publicly available on:
https://developer.arm.com/downloads/-/arm-gnu-toolchain-downloads
We build TF-A in CI using x86_64 Linux hosted cross toolchains:
---------------------------------------------------------------
* AArch32 bare-metal target (arm-none-eabi)
* AArch64 bare-metal target (aarch64-none-elf)
Change-Id: Ifcabb7fb9d8e13b87e164c3c1be8c8d32c31b49a
Signed-off-by: Jayanth Dodderi Chidanand <jayanthdodderi.chidanand@arm.com>
use common code definition and remove zynqmp local definition
for prepare_dtb in dtb flows.
Change-Id: I362b90b96852e9afccc8a2e23d3b7f709280fba7
Signed-off-by: Amit Nagal <amit.nagal@amd.com>
presence of multiple return path in prepare_dtb results in misra c
violation 15.5: this return statement is not the final statement
in the compound statement that forms the body of the function.
prepare_dtb is refactored to address the same.
Change-Id: I17ca4314202d6ca8d6fb0c4ea2ed9d31a152371b
Signed-off-by: Amit Nagal <amit.nagal@amd.com>
* changes:
refactor(cm): enable S-EL2 globally for all contexts
refactor(cm): remove world differentiation for EL2 context restore
fix(cm): make ICC_SRE_EL2 fixup generic to all worlds
refactor(cm): clean up SCR_EL3 and CPTR_EL3 initialization
* changes:
feat(mbedtls-psa): use PSA crypto API during signature verification
feat(mbedtls-psa): use PSA crypto API during hash calculation
feat(mbedtls-psa): use PSA crypto API for hash verification
feat(mbedtls-psa): initialise mbedtls psa crypto
feat(mbedtls-psa): register an ad-hoc PSA crypto driver
feat(mbedtls-psa): introduce PSA_CRYPTO build option
docs(changelog): add scope for MbedTLS PSA Crypto
Currently, S-EL2 is being enabled specifically while we are in
secure context and gets toggled up when we exit secure world.
This behavior is not ideal and needs correction.
Enabling the S-EL2 via SCR_EL3.EEL2 register setting should be
global and this patch addresses it.
Change-Id: If6c39ca258f2fefa835c4b51e0f6b68165fd2e35
Signed-off-by: Jayanth Dodderi Chidanand <jayanthdodderi.chidanand@arm.com>
The EL2 context save/restore functions have an optimisation to not
bother with the EL2 context when SEL2 is not in use. However, this
decision is made on the current value of SCR_EL3.EEL2, which is not
the value for the selected security state, but rather, for the
security state that came before it. This relies on the EEL2 bit's
value to propagate identically to all worlds.
This has an unintended side effect that for the first entry into
secure world, the restoring of the context is fully skipped, because
SCR_EL3 is only initialized after the call to the restoring routine
which means the EEL2 bit is not initialized (except when FEAT_RME
is present). This is inconsistent with normal and realm worlds which
always get their EL2 registers zeroed.
Remove this optimization to remove all the complexity with managing
the EEL2 bit's value. Instead unconditionally save/restore all
registers. It is worth noting that there is no performance penalty
in the case where SEL2 is empty with this change. This is because
SEL2 will never be entered, and as such no secure save/restore will
happen anyway, while normal world remains unchanged.
Removing the value management of the EEL2 bit causes the
CTX_ICC_SRE_EL2 register to be inaccessible in Secure world for some
configurations.
Make the SCR_EL3.NS workaround in cm_prepare_el3_exit_ns() generic
on every access to the register.
Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>
Change-Id: I1f56d85814c5897b468e82d4bd4a08e3a90a7f8f
For ICC_SRE_EL2.SRE the Arm ARM specifies that "If software changes this
bit from 1 to 0, the results are UNPREDICTABLE". However, the
indiscriminate zeroing of the EL2 context does just that for Secure and
Realm worlds. Make this fixup generic to avoid the problem.
Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>
Signed-off-by: Jayanth Dodderi Chidanand <jayanthdodderi.chidanand@arm.com>
Change-Id: Iee21ace17faf10eae52a046e6dfafc5141fa7f85
As with MDCR_EL3, setting some bits of these registers is redundant at
reset since they do not matter for EL3 execution and the registers get
context switched so they get overwritten anyway.
The SCR_EL3.{TWE, TWI, SMD, API, APK} bits only affect lower ELs so
their place is in context management. The API and APK bits are a bit
special as they would get implicitly unset for secure world when
CTX_INCLUDE_PAUTH_REGS is unset. This is now explicit with their normal
world values being always set as PAuth defaults to enabled. The same
sequence is also added to realm world too. The reasoning is the same as
for Secure world - PAuth will be enabled for NS, and unless explicitly
handled by firmware, it should not leak to realm.
The CPTR_EL3.{ESM, EZ, TAM} bits are set by the relevant
feat_enable()s in lib/extensions so they can be skipped too.
CPTR_EL3.TFP is special as it's needed for access to generic floating
point registers even when SVE is not present. So keep it but move to
context management.
This leaves CPTR_EL3.TCPAC which affects several extensions. This bit
was set centrally at reset, however the earliest need for it is in BL2.
So set it in cm_setup_context_common(). However, this CPTR_EL3 is only
restored for BL31 which is clearly not the case. So always restore it.
Finally, setting CPTR_EL3 to a fresh RESET_VAL for each security state
prevents any bits from leaking between them.
Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>
Signed-off-by: Jayanth Dodderi Chidanand <jayanthdodderi.chidanand@arm.com>
Change-Id: Ie7095e967bd4a6d6ca6acf314c7086d89fec8900
Always map the BL32 memory can interfere with the BL33 mapping if the
BL33 is not aware of the mapping, e.g. different memory tagging
secure/non-secure. Therefore map the memory only if BL32 (opteed,
trusty) is enabled and BL33 is aware of this memory mapping.
Signed-off-by: Marco Felsch <m.felsch@pengutronix.de>
Change-Id: I9c2bf78aa6e88c93e749a9248724186fee9df864
Port the workaround from the downstream imx-atf [1]:
| commit 1990081264f40822d1564f4562f05bbbc0c2941b
| Author: Ji Luo <ji.luo@nxp.com>
| Date: Thu May 20 16:26:55 2021 +0800
|
| MA-19071 imx8mn: workaround for errata ERR050362
|
| Configure the force_incr programmable bit in GPV_5 of PL301_display,
| which fixes partial write issue. This workaround was done in MCU FW
| before, move it to TF-A now as MCU should not touch secure world.
|
| Change-Id: I2e5bbc764640afeab6ac2f4b202939b59bd3b3f2
| Signed-off-by: Ji Luo <ji.luo@nxp.com>
[1] https://github.com/nxp-imx/imx-atf.git
Signed-off-by: Marco Felsch <m.felsch@pengutronix.de>
Change-Id: Iaff5f1faa143204d64c075b288f8dd13eb2902d8
Allow non-privileged access to all SNVS registers in case of no TEE is
available.
Signed-off-by: Marco Felsch <m.felsch@pengutronix.de>
Change-Id: I44686a3639a68c72c7eacc80691c294d5c32c9ae
- Fix the name of the user account under which the CI bot posts
review comments.
- The CI has now transitioned to trustedfirmware.org so CI results
are publically accessible.
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
Change-Id: I53dd93e200c9e119b5df6bbaf2644485cde57ce5
A PSA crypto API is used for signature verification, namely
psa_verify_message, which calculates the signature and verify it
for the given signed message.
Note, this functionality is as of now tested for RSA based Key
algorithm, subsequent patches will provide the signature verification
support for all the key algorithms available in TF-A (provided by KEY_ALG
build option).
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
Change-Id: I16214e3cac6a7af445530a6dbd66cfc6ceedcfc6
Yann Gautier
Joanna Farley
Olivier Deprez
Sandrine Bailleux
laurenw-arm
Manish V Badarkhe
Nishant Sharma
Manish Pandey
Jason Chen
Prasad Kummari
Madhukar Pappireddy
Jayanth Dodderi Chidanand
Amit Nagal
Bipin Ravi
Boyan Karatotev
Marco Felsch