Updated following sections to document implementation of the FF-A boot
information protocol:
- Describing secure partitions.
- Secure Partition Packages.
- Passing boot data to the SP.
Also updated description of the manifest field 'gp-register-num'.
Signed-off-by: J-Alves <joao.alves@arm.com>
Change-Id: I5c856437b60cdf05566dd636a01207c9b9f42e61
Add an explicit note that measured boot is out of scope of the threat
model. For example, we have no threat related to the secure
management of measurements, nor do we list its security benefits
(e.g. in terms of repudiation).
This might be a future improvement to the threat model but for now
just acknowledge it is not considered.
Change-Id: I2fb799a2ef0951aa681a755a948bd2b67415d156
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
Update supported models list according to changes for v2.7 release in
ci/tf-a-ci-scripts repository:
* general FVP model update: 5c54251
* CSS model update: 3bd12fb
Signed-off-by: Maksims Svecovs <maksims.svecovs@arm.com>
Change-Id: I38c2ef2991b23873821c7e34ad2900b9ad023c4b
John Powell is no longer part of the TF-A core team at Arm.
Change-Id: Iaa91474cb2c5c334b9ae6f2376724fad2677e285
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
Jimmy Brisson is no longer part of the TF-A core team at Arm.
Change-Id: I2966c513a0c2cda438a05dedd42149d16190cbf6
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
The threat description was repeating the threat title.
Change-Id: I67de2c0aab6e86bf33eb91e7562e075fcb76259b
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
Reword the description of threat #9 to make it more future-proof for
Arm CCA. By avoiding specific references to secure or non-secure
contexts, in favour of "worlds" and "security contexts", we make the
description equally applicable to 2-world and 4-world architectures.
Note that there are other threats that would benefit from such a
similar revamp but this is out of scope of this patch.
Also list malicious secure world code as a potential threat
agent. This seems to be an oversight in the first version of the
threat model (i.e. this change is not related to Arm CCA).
Change-Id: Id8c8424b0a801104c4f3dc70e344ee702d2b259a
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
By nature, experimental features are incomplete pieces of work,
sometimes going under rapid change. Typically, the threat model
implications have not been fully considered yet.
Change-Id: Ice8d4273a789558e912f82cde592da4747b37fdf
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
- Add empty lines after titles.
- Reduce number of highlighting characters to fit title length.
- Remove most ``monospaced text``.
I think most of it looked weird in the rendered HTML version and
it had no obvious meaning.
Change-Id: I5f746a3de035d8ac59eec0af491c187bfe86dad7
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
Host tools cert_tool and encrypt_fw refactored to be fully
compatible with OpenSSL v3.0.
Changes were made following the OpenSSL 3.0 migration guide:
https://www.openssl.org/docs/man3.0/man7/migration_guide.html
In some cases, those changes are straightforward and only
a small modification on the types or API calls was needed
(e.g.: replacing BN_pseudo_rand() with BN_rand(). Both identical
since v1.1.0).
The use of low level APIs is now deprecated. In some cases,
the new API provides a simplified solution for our goals and
therefore the code was simplified accordingly (e.g.: generating
RSA keys through EVP_RSA_gen() without the need of handling the
exponent). However, in some cases, a more
sophisticated approach was necessary, as the use of a context
object was required (e.g.: when retrieving the digest value from
an SHA file).
Signed-off-by: Juan Pablo Conde <juanpablo.conde@arm.com>
Change-Id: I978e8578fe7ab3e71307450ebe7e7812fbcaedb6
This patch adds support for forwarding the following PSCI messages
received by the SPMC at EL3 to the S-EL1 SP if the SP has indicated
that it wishes to receive the appropriate message via its manifest.
1. A PSCI CPU_OFF message in response to a cpu hot unplug request
from the OS.
2. A message to indicate warm boot of a cpu in response to a cpu
hot plug request from the OS.
3. A PSCI CPU_SUSPEND message in response to a cpu idle event
initiated from the OS.
4. A message to indicate warm boot of a cpu from a shallow power
state in response to a cpu resume power event.
This patch also implements the FFA_SECONDARY_EP_REGISTER function to
enable the SP specify its secondary entrypoint.
Signed-off-by: Achin Gupta <achin.gupta@arm.com>
Signed-off-by: Marc Bonnici <marc.bonnici@arm.com>
Change-Id: I375d0655b2c6fc27445facc39213d1d0678557f4
Adding Sandrine Bailleux for the PSA APIs and myself for the
MHU and RSS comms drivers as code owner.
Change-Id: Ib948479cc6e46163aae59c938877a2d0bcf91754
Signed-off-by: David Vincze <david.vincze@arm.com>
DSU-110 erratum 2313941 is a Cat B erratum and applies to revisions
r0p0, r1p0, r2p0, r2p1, r3p0, r3p1 and is still open.
The workaround sets IMP_CLUSTERACTLR_EL1[16:15] bits to 0b11 to disable
clock gating of the SCLK domain. This will increase the idle power
consumption.
This patch applies the fix for Cortex-X2/A510/A710 and Neoverse N2.
SDEN can be found here:
https://developer.arm.com/documentation/SDEN1781796/latest
Signed-off-by: Bipin Ravi <bipin.ravi@arm.com>
Change-Id: I54d948b23e8e01aaf1898ed9fe4e2255dd209318
Signed-off-by: Bipin Ravi <bipin.ravi@arm.com>
Introduce PLAT_RSS_NOT_SUPPORTED build config to
provide a mocked version of PSA APIs. The goal is
to test the RSS backend based measured boot and
attestation token request integration on such
a platform (AEM FVP) where RSS is otherwise
unsupported. The mocked PSA API version does
not send a request to the RSS, it only returns
with success and hard-coded values.
Signed-off-by: Tamas Ban <tamas.ban@arm.com>
Change-Id: Ice8d174adf828c1df08fc589f0e17abd1e382a4d
This patch adds workarounds for following cortex-x1 errata:
- 1821534 (CatB)
- 1688305 (CatB)
- 1827429 (CatB)
SDEN can be found here:
https://developer.arm.com/documentation/SDEN1401782/latest
Signed-off-by: Okash Khawaja <okash@google.com>
Change-Id: I10ebe8d5c56a6d273820bb2c682f21bf98daa7a5
Renamed the existing SPM entry to the SPMD and add myself
as the SPMC maintainer.
Signed-off-by: Marc Bonnici <marc.bonnici@arm.com>
Change-Id: Ic74659b119986df5fc229a4470049d289eeef21a
Cortex-A78 erratum 2395406 is a cat B erratum that applies to revisions
r0p0 - r1p2 and is still open. The workaround is to set bit[40] of
CPUACTLR2 which will disable folding of demand requests into older
prefetches with L2 miss requests outstanding.
SDEN can be found here:
https://developer.arm.com/documentation/SDEN1401784
Signed-off-by: John Powell <john.powell@arm.com>
Change-Id: If06f988f05f925c2a4bed3e6a9414b6acdfec894
Cortex-A710 erratum 2008768 is a Cat B erratum that applies to revisions
r0p0, r1p0, and r2p0, and is fixed in r2p1. The workaround is to clear
the ED bit in each ERXCTLR_EL1 register before setting the PWRDN bit in
CPUPWRCTLR_EL1.
SDEN can be found here:
https://developer.arm.com/documentation/SDEN1775101
Signed-off-by: John Powell <john.powell@arm.com>
Change-Id: Ib2171c06da762dd4155b02c03d86766f1616381d
Cortex-A78 erratum 2376745 is a cat B erratum that applies to revisions
r0p0 - r1p2 and is still open. The workaround is to set bit[0] of
CPUACTLR2 which will force PLDW/PFRM ST to behave like PLD/PRFM LD and
not cause invalidation to other PE caches.
SDEN can be found here:
https://developer.arm.com/documentation/SDEN1401784
Signed-off-by: John Powell <john.powell@arm.com>
Change-Id: I6f1a3a7d613c5ed182a7028f912e0f6ae3aa7f98
Split TLK/Trusty SPD into two separate components and add additional
owners for Trusty SPD.
Signed-off-by: Marco Nelissen <marcone@google.com>
Change-Id: Ifabd1bb630fe4976e304fa29eac1c516ec6e2e18
This patch enables access to the branch record buffer control registers
in non-secure EL2 and EL1 using the new build option ENABLE_BRBE_FOR_NS.
It is disabled for all secure world, and cannot be used with ENABLE_RME.
This option is disabled by default, however, the FVP platform makefile
enables it for FVP builds.
Signed-off-by: John Powell <john.powell@arm.com>
Change-Id: I576a49d446a8a73286ea6417c16bd0b8de71fca0
Added myself and Sandrine Bailleux as code owners for Firmware
Update driver.
Signed-off-by: Manish V Badarkhe <manish.badarkhe@arm.com>
Change-Id: I34fad895c6236fedc814fb6da4b04fd7fbed9227
Propose myself as a code owner of the measured boot module.
Also do a couple of updates along the way:
- Add the measured boot bindings document to the list of measured
boot files.
- Fix the list of FVP files. plat/arm/board/fvp/fvp_measured_boot.c
does not exist anymore. It has been replaced by
plat/arm/board/fvp/fvp_measured_{bl1,bl2,common}_boot.c files.
Change-Id: Ifb34f4f7c704b1db966b44428bbffd48c5e3c42b
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
This patch adds SPP/EMU platform support for Xilinx Versal and
also updating the documentation.
Signed-off-by: Venkatesh Yadav Abbarapu <venkatesh.abbarapu@xilinx.com>
Change-Id: Ibdadec4d00cd33ea32332299e7a00de31dc9d60b
Makefile updated to use LLVM utilities instead of GNU utilities when
compiling with clang. `CROSS_COMPILE` is not required since this
dependency has been removed.
Change-Id: I19706b84b9310e07935516681b86596c04ef8ad6
Signed-off-by: Harrison Mutai <harrison.mutai@arm.com>
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
As per change [1], now HW_CONFIG gets loaded in secure and
non-secure memory. Hence updated the documentation to show
secure and non-secure load region of HW_CONFIG in FVP Arm
platform.
Additionally, added a note on how FW_CONFIG address gets
passed from BL2 to BL31/SP_MIN.
[1]: https://review.trustedfirmware.org/c/TF-A/trusted-firmware-a/+/14620
Change-Id: I37e02ff4f433c87bccbe67c7df5ecde3017668b9
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
Added a description for the newly introduced 'ns-load-address' property
in the dtb-registry node of FCONF.
Change-Id: Ief8e8a55a6363fd42b23491d000b097b0c48453b
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
Update the make command with the RESET_TO_BL31=1 addition.
Signed-off-by: Venkatesh Yadav Abbarapu <venkatesh.abbarapu@xilinx.com>
Change-Id: I46cc81abb539773706348464b3061d20d94522e9
TB_FW_CONFIG DT no longer contains the address of HW_CONFIG; it has
been moved to the FW_CONFIG DT since the introduction of FCONF.
Hence updated the documentation accordingly.
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
Change-Id: I37b68502a89dbd521acd99f2cb3aeb0bd36a04e0
Upgrade to the latest and greatest 2.x release of Mbed TLS library
(i.e. v2.28.0) to take advantage of their bug fixes.
Note that the Mbed TLS project published version 3.x some time
ago. However, as this is a major release with API breakages, upgrading
to 3.x might require some more involved changes in TF-A, which we are
not ready to do. We shall upgrade to mbed TLS 3.x after the v2.7
release of TF-A.
Change-Id: I887dfd87893169c7be53b986e6c43338d15949d7
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
Right now, TF-A documentation recommends downloading Arm compilers
from:
https://developer.arm.com/open-source/gnu-toolchain/gnu-a/downloads
However, this page is now deprecated, as indicated by the banner at
the top of the page. When navigating to the new recommended page, one
can see the following note, which provides the rationale for the
deprecation:
GNU Toolchain releases from Arm were published previously as two
separate releases - one for A-profile and the other for R & M
profiles (GNU Toolchain for A-profile processors and GNU Arm
Embedded Toolchain).
Arm GNU Toolchain releases unifies these two into a single release
and the previous way of releases therefore have been
discontinued. However, the previous releases will continue to be
available for reference.
This patch updates the link to the new recommended place for compiler
downloads.
Change-Id: Iefdea3866a1af806a5db2d2288edbb63c543b8ee
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
Add Sieu Mun Tang and Benjamin Jit Loon Lim as new
Intel SocFPGA platform maintainers and remove the
rest of the Intel SocFPGA platform maintainers.
Signed-off-by: Sieu Mun Tang <sieu.mun.tang@intel.com>
Change-Id: Ieb9a35e278d70a12351aaccab90ddc7be09dc861
With the transition to mailman3, the URLs of TF-A and TF-A Tests
mailing lists have changed. However, we still refer to the old
location, which are now dead links.
Update all relevant links throughout the documentation.
There is one link referring to a specific thread on the TF-A mailing
list in the SPM documentation, for which I had to make a guess as to
what's the equivalent mailman3 URL. The old URL scheme indicates that
the thread dates from February 2020 but beyond that, I could not make
sense of the thread id within the old URL so I picked the most likely
match amongst the 3 emails posted on the subject in this time period.
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
Reported-by: Kuohong Wang <kuohong.wang@mediatek.com>
Change-Id: I83f4843afd1dd46f885df225931d8458152dbb58
The current implementation uses plat_arm API under generic code.
"plat_arm" API is a convention used with Arm common platform layer
and is reserved for that purpose. In addition, the function has a
weak definition which is not encouraged in TF-A.
Henceforth, removing the weak API with a configurable macro "TWED_DELAY"
of numeric data type in generic code and simplifying the implementation.
By default "TWED_DELAY" is defined to zero, and the delay value need to
be explicitly set by the platforms during buildtime.
Signed-off-by: Jayanth Dodderi Chidanand <jayanthdodderi.chidanand@arm.com>
Change-Id: I25cd6f628e863dc40415ced3a82d0662fdf2d75a
Introduce build flag for enabling the secure partition
manager core, SPMC_AT_EL3. When enabled, the SPMC module
will be included into the BL31 image. By default the
flag is disabled.
Signed-off-by: Marc Bonnici <marc.bonnici@arm.com>
Change-Id: I5ea1b953e5880a07ffc91c4dea876a375850cf2a
This toolchain provides multiple cross compilers and is publicly
available on developer.arm.com.
We build TF-A in CI using:
AArch32 bare-metal target (arm-none-eabi)
AArch64 ELF bare-metal target (aarch64-none-elf)
Change-Id: Ia14de2c7d9034a6f0bc56535e961fffc81bcbf29
Signed-off-by: Daniel Boulby <daniel.boulby@arm.com>
Cortex-X2 erratum 2147715 is a Cat B erratum that applies to revision
r2p0 and is fixed in r2p1. The workaround is to set CPUACTLR_EL1[22]=1,
which will cause the CFP instruction to invalidate all branch predictor
resources regardless of context.
SDEN can be found here:
https://developer.arm.com/documentation/SDEN1775100/latest
Signed-off-by: Bipin Ravi <bipin.ravi@arm.com>
Change-Id: I2d81867486d9130f2c36cd4554ca9a8f37254b57
Adding the newly introduced build flags for feature enablement of the
following features:
1.FEAT_AMUv1p1 - ENABLE_FEAT_AMUv1p1
2.FEAT_CSV2_2 - ENABLE_FEAT_CSV2_2
3.FEAT_VHE - ENABLE_FEAT_VHE
4.FEAT_DIT - ENABLE_FEAT_DIT
5.FEAT_SB - ENABLE_FEAT_SB
6.FEAT_SEL2 - ENABLE_FEAT_SEL2
Also as part of feature detection mechanism, we now support three
states for each of these features, allowing the flags to take either
(0 , 1 , 2) values. Henceforth the existing feature build options are
converted from boolean to numeric type and is updated accordingly
in this patch.
The build flags take a default value and will be internally enabled
when they become mandatory from a particular architecture version
and upwards. Platforms have the flexibility to overide this
internal enablement via this feature specific explicit build flags.
Signed-off-by: Jayanth Dodderi Chidanand <jayanthdodderi.chidanand@arm.com>
Change-Id: I0090c8c780c2e7d1a50ed9676983fe1df7a35e50
Add a dummy realm attestation key to RMMD, and return it on request.
The realm attestation key is requested with an SMC with the following
parameters:
* Fid (0xC400001B2).
* Attestation key buffer PA (the realm attestation key is copied
at this address by the monitor).
* Attestation key buffer length as input and size of realm
attesation key as output.
* Type of elliptic curve.
Signed-off-by: Tamas Ban <tamas.ban@arm.com>
Signed-off-by: Subhasish Ghosh <subhasish.ghosh@arm.com>
Signed-off-by: Soby Mathew <soby.mathew@arm.com>
Change-Id: I12d8d98fd221f4638ef225c9383374ddf6e65eac
Update document for nxp-layerscape to add ls1088a SoC and ls1088ardb,
update maintainer of ls1088a platforms.
Signed-off-by: Jiafei Pan <Jiafei.Pan@nxp.com>
Change-Id: Ic7fdc7b1bbf22e50646991093366a88ee523ffe3
Add new options SEPARATE_BL2_NOLOAD_REGION to separate no-loadable
sections (.bss, stack, page tables) to a ram region specified
by BL2_NOLOAD_START and BL2_NOLOAD_LIMIT.
Signed-off-by: Jiafei Pan <Jiafei.Pan@nxp.com>
Change-Id: I844ee0fc405474af0aff978d292c826fbe0a82fd
Add a dummy platform token to RMMD and return it on request. The
platform token is requested with an SMC with the following parameters:
* Fid (0xC40001B3).
* Platform token PA (the platform token is copied at this address by
the monitor). The challenge object needs to be passed by
the caller in this buffer.
* Platform token len.
* Challenge object len.
When calling the SMC, the platform token buffer received by EL3 contains
the challenge object. It is not used on the FVP and is only printed to
the log.
Signed-off-by: Mate Toth-Pal <mate.toth-pal@arm.com>
Signed-off-by: Subhasish Ghosh <subhasish.ghosh@arm.com>
Change-Id: I8b2f1d54426c04e76d7a3baa6b0fbc40b0116348
Cortex A78 AE erratum 2395408 is a Cat B erratum that applies
to revisions <= r0p1. It is still open.
This erratum states, "A translation table walk that matches an
existing L1 prefetch with a read request outstanding on CHI might
fold into the prefetch, which might lead to data corruption for
a future instruction fetch"
This erratum is avoided by setting CPUACTLR2_EL1[40] to 1 to
disable folding of demand requests into older prefetches with
L2 miss requests outstanding.
SDEN is available at https://developer.arm.com/documentation/SDEN-1707912
Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>
Change-Id: Ic17968987ca3c67fa7f64211bcde6dfcb35ed5d6
Cortex A78 AE erratum 2376748 is a Cat B erratum that applies
to revisions <= r0p1. It is still open.
The erratum states, "A PE executing a PLDW or PRFM PST instruction
that lies on a mispredicted branch path might cause a second PE
executing a store exclusive to the same cache line address to fail
continuously."
The erratum is avoided by setting CPUACTLR2_EL1[0] to 1 to force
PLDW/PFRM ST to behave like PLD/PRFM LD and not cause invalidations
to other PE caches. There might be a small performance degradation
to this workaround for certain workloads that share data.
SDEN is available at https://developer.arm.com/documentation/SDEN-1707912
Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>
Change-Id: I93bd392a870d4584f3e12c8e4626dbe5a3a40a4d
J-Alves
Sandrine Bailleux
Manish V Badarkhe
Maksims Svecovs
Juan Pablo Conde
Marc Bonnici
David Vincze
Bipin Ravi
Tamas Ban
Okash Khawaja
Daniel Boulby
Venkatesh Yadav Abbarapu
John Powell
Marco Nelissen
Jorge Ramirez-Ortiz
Harrison Mutai
Sieu Mun Tang
Jayanth Dodderi Chidanand
Soby Mathew
Rex-BC Chen
Jiafei Pan
Varun Wadekar