The ability to read a character from the console constitutes an attack
vector into TF-A, as it gives attackers a means to inject arbitrary
data into TF-A. It is dangerous to keep that feature enabled if not
strictly necessary, especially in production firmware builds.
Thus, we need a way to disable this feature. Moreover, when it is
disabled, all related code should be eliminated from the firmware
binaries, such that no remnant/dead getc() code remains in memory,
which could otherwise be used as a gadget as part of a bigger security
attack.
This patch disables getc() feature by default. For legitimate getc()
use cases [1], it can be explicitly enabled by building TF-A with
ENABLE_CONSOLE_GETC=1.
The following changes are introduced when getc() is disabled:
- The multi-console framework no longer provides the console_getc()
function.
- If the console driver selected by the platform attempts to register
a getc() callback into the multi-console framework then TF-A will
now fail to build.
If registered through the assembly function finish_console_register():
- On AArch64, you'll get:
Error: undefined symbol CONSOLE_T_GETC used as an immediate value.
- On AArch32, you'll get:
Error: internal_relocation (type: OFFSET_IMM) not fixed up
If registered through the C function console_register(), this requires
populating a struct console with a getc field, which will trigger:
error: 'console_t' {aka 'struct console'} has no member named 'getc'
- All console drivers which previously registered a getc() callback
have been modified to do so only when ENABLE_CONSOLE_GETC=1.
[1] Example of such use cases would be:
- Firmware recovery: retrieving a golden BL2 image over the console in
order to repair a broken firmware on a bricked board.
- Factory CLI tool: Drive some soak tests through the console.
Discussed on TF-A mailing list here:
https://lists.trustedfirmware.org/archives/list/tf-a@lists.trustedfirmware.org/thread/YS7F6RCNTWBTEOBLAXIRTXWIOYINVRW7/
Change-Id: Icb412304cd23dbdd7662df7cf8992267b7975cc5
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
Acked-by: Baruch Siach <baruch@tkos.co.il>
And from crash_console_flush.
We ignore the error information return by console_flush in _every_
place where we call it, and casting the return type to void does not
work around the MISRA violation that this causes. Instead, we collect
the error information from the driver (to avoid changing that API), and
don't return it to the caller.
Change-Id: I1e35afe01764d5c8f0efd04f8949d333ffb688c1
Signed-off-by: Jimmy Brisson <jimmy.brisson@arm.com>
The driver initially contained the setup steps to help Tegra186
and Tegra194 SoCs. In order to support future SoCs and make sure
that the driver remains generic enough, some code should be moved
to SoC.
This patch creates a setup handler for a platform to implement its
initialization sequence.
Change-Id: I8bab7fd07f25e0457ead8e2d2713efe54782a59b
Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>
The Memory Controller provides a control register to check
if the video memory can be resized. The previous bootloader
might have locked this feature, which will be reflected by
this register.
This patch reads the control register before processing
a video memory resize request. An error code, -ENOTSUP,
is returned if the feature is locked.
Change-Id: Ia1d67f7a94aa15c6b18ff5c9b9b952e179596ae3
Signed-off-by: Anthony Zhou <anzhou@nvidia.com>
MMIO writes should verify that the writes actually went through.
Read the value back after the write operation, perform assert
if the read back value is not same as the write value.
Change-Id: Id2ceb014116f3aa6a9e86505ca1ae9911470a679
Signed-off-by: Anthony Zhou <anzhou@nvidia.com>
The SMMU configuration can get corrupted or updated by
external clients during boot without our knowledge.
This patch introduces a "verify" function for the SMMU
driver, to check that the boot configuration settings are
intact. Usually, this function should be called at the
end of the boot cycle.
This function only calls panic() on silicon platforms.
Change-Id: I2ab45a7f228781e71c73ba1f4ffc49353effe146
Signed-off-by: George Bauernschmidt <georgeb@nvidia.com>
SPE no longer requires the flush bit to be set to start transmitting
characters over the physical uart. Therefore, the flush bit is no
longer required when calling console_core_putc. However, flushing the
console still requires the flush bit.
This patch removes the flush bit from the mailbox messages in
console_core_putc to improve ACK latency.
Original change by: Mustafa Bilgen <mbilgen@nvidia.com>
Change-Id: I5b7d1f3ea69ea2ce308566dbaae222b04e4c373d
Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>
This patch removes the unused TZRAM setup function from the memory
controller driver.
Change-Id: Ic16f21fb84c47df71be6ab3e1e286640daa39291
Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>
This patch moves the 'drivers' and the 'lib' folders out of the
'common' folder. This way the 'common' folder shall contain only
the platform support required for all Tegra platforms.
Change-Id: I2f238572d0a078d60c6b458a559538dc8a4d1856
Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>
Sandrine Bailleux
Elyes Haouas
Jimmy Brisson
Varun Wadekar
Anthony Zhou