Cortex-A720 erratum 2940794 is a Cat B erratum that is present
in revision r0p0, r0p1 and is fixed in r0p2.
The workaround is to set bit[37] of the CPUACTLR2_EL1 to 1.
SDEN documentation:
https://developer.arm.com/documentation/SDEN2439421/latest
Change-Id: I1488802e0ec7c16349c9633bb45de4d0e1faa9ad
Signed-off-by: Bipin Ravi <biprav01@u203721.austin.arm.com>
Incorporate a timing side-channel attack into the TF-A generic
threat model. There is no software mitigation measures in TF-A
against this specific type of attack.
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
Change-Id: I10e53f8ed85a6da32de4fa6a210805f950018102
Recommend OP-TEE as the default BL32 for STMicroelectronics platforms.
SP_MIN is no more supported in STMicroelectronics software [1].
It will then no more receive new features, but should still remain
as it is in the TF-A code.
[1]: https://wiki.st.com/stm32mpu/wiki/STM32_MPU_OpenSTLinux_release_note_-_v5.0.0#TF-A
Signed-off-by: Yann Gautier <yann.gautier@st.com>
Change-Id: Ic49338dbba3fdcebcb1e477e6a1dbde32783482b
Due to embedded SRAM used to load BL2 and BL31 or BL32 has a limited
size, only one storage device or serial device flag should be selected
in TF-A build command line for ST platforms.
This is in line with STMicroelectionics recommendation [1] about those
compilation flags.
[1]: https://wiki.st.com/stm32mpu/wiki/How_to_configure_TF-A_BL2#Build_command_details
Signed-off-by: Yann Gautier <yann.gautier@st.com>
Change-Id: I6f6ab17d45d00289989a606d15c143e5710c64ce
Deprecation notice was sent to the community and no objection was
raised, so removing mbedtls 2.x support.
Change-Id: Id3eb98b55692df98aabe6a7c5a5ec910222c8abd
Signed-off-by: Lauren Wehrmeister <lauren.wehrmeister@arm.com>
Cortex-A715 erratum 2413290 is a Cat B erratum that is present
only in revision r1p0 and is fixed in r1p1. The errata is only
present when SPE(Statistical Profiling Extension) is enabled.
The workaround is to set bits[58:57] of the CPUACTLR_EL1 to 'b11
when SPE is enabled, ENABLE_SPE_FOR_NS=1.
SDEN documentation:
https://developer.arm.com/documentation/SDEN2148827/latest
Change-Id: Iaeb258c8b0a92e93d70b7dad6ba59d1056aeb135
Signed-off-by: Sona Mathew <sonarebecca.mathew@arm.com>
The Raspberry Pi 5 is a single-board computer based on BCM2712 that
contains four Arm Cortex-A76 cores.
This change introduces minimal BL31 support with PSCI that has been
validated to boot Linux and a private EDK2 build.
It's a drop-in replacement for the custom TF-A armstub now included in
the EEPROM images.
Change-Id: Id72a0370f54e71ac97c3daa1bacedacb7dec148f
Signed-off-by: Mario Bălănică <mariobalanica02@gmail.com>
Cortex-A715 erratum 2344187 is a Cat B erratum that applies to r0p0,
r1p0 and is fixed in r1p1. The workaround is to set GCR_EL1.RRND to
0b1, and apply an implementation specific patch sequence.
SDEN: https://developer.arm.com/documentation/SDEN2148827/latest
Change-Id: I78ea39a91254765c964bff89f771af33b23f29c1
Signed-off-by: Harrison Mutai <harrison.mutai@arm.com>
Cortex-X4 erratum 2701112 is cat B erratum that applies to
revision r0p0 and is fixed in r0p1. This erratum affects
system configurations that do not use an Arm interconnect IP.
The workaround for this erratum is not implemented in EL3.
The erratum can be enabled/disabled on a platform level.
The flag is used when the errata ABI feature is enabled and can
assist the Kernel in the process of mitigation of the erratum.
SDEN Documentation:
https://developer.arm.com/documentation/SDEN2432808/latest
Change-Id: I8ede1ee75b0ea1658369a0646d8af91d44a8759b
Signed-off-by: Sona Mathew <sonarebecca.mathew@arm.com>
GIC600 erratum 2384374 is a Category B erratum. Part 1 is fixed
in this patch, and the Part 1 failure mode is described as
'If the packet to be sent is a SET packet, then a higher priority SET
may not be sent when it should be until an unblocking event occurs.'
This is handled by calling gicv3_apply_errata_wa_2384374() in the
ehf_deactivate_priority() path, so that when EHF restores the priority
to the original priority, the interrupt packet buffered
in the GIC can be sent.
gicv3_apply_errata_wa_2384374() is the workaround for
the Part 2 of erratum 2384374 which flush packets from the GIC buffer
and is being used in this patch.
SDEN can be found here:
https://developer.arm.com/documentation/sden892601/latest/
Signed-off-by: Arvind Ram Prakash <arvind.ramprakash@arm.com>
Change-Id: I4bb6dcf86c94125cbc574e0dc5119abe43e84731
Cortex-A715 erratum 2331818 is a cat B erratum that applies to
revisions r0p0 and r1p0 and is fixed in r1p1. The workaround is to
set bit[20] of CPUACTLR2_EL1. Setting this bit is expected to have
a negligible performance impact.
SDEN can be found here:
https://developer.arm.com/documentation/SDEN2148827/latest
Change-Id: If3b1ed78b145ab6515cdd41135314350ed556381
Signed-off-by: Bipin Ravi <biprav01@u203721.austin.arm.com>
Cortex-A715 erratum 2420947 is a cat B erratum that applies only
to revision r1p0 and is fixed in r1p1. The workaround is to set
bit[33] of CPUACTLR2_EL1. This will prevent store and store-release
to merge inside the write buffer, and it is not expected to have
much performance impacts.
SDEN can be found here:
https://developer.arm.com/documentation/SDEN2148827/latest
Change-Id: I01a71b878cd958e742ff8357f8cdfbfc5625de47
Signed-off-by: Bipin Ravi <biprav01@u203721.austin.arm.com>
The client platform relies on the DICE attestation
scheme. RSS provides the DICE Protection Environment
(DPE) service. TF-A measured boot framework supports
multiple backends. A given platform always enables
the corresponding backend which is required by the
attestation scheme.
Signed-off-by: Tamas Ban <tamas.ban@arm.com>
Change-Id: Idc3360d0d7216e4859e99b5db3d377407e0aeee5
DPE commands are CBOR encoded. QCBOR library is used
in TF-A for CBOR encoding.
Signed-off-by: Tamas Ban <tamas.ban@arm.com>
Change-Id: Ifd01e1e6e1477cf991e765b97c446684fc6ef9b9
The DPE implementation in RSS is aligned with the
Open Profile for DICE specification:
https://pigweed.googlesource.com/open-dice/
Type definitions are needed to specify the input
values for the DPE service. Instead of mandating to
clone the entire open-dice repo, the following file
is copied from the repository:
https://pigweed.googlesource.com/open-dice/+/refs/heads/main/include/dice/dice.h
Git SHA of the source version: cf549422e3
This is external code, with Apache 2.0 license, therefore
the license.rst is updated accordingly and a copy of this
license is also added.
Signed-off-by: Tamas Ban <tamas.ban@arm.com>
Signed-off-by: David Vincze <david.vincze@arm.com>
Change-Id: Ie84b8483034819d1143fe0ec812e66514ac7d4cb
Erratum ID 2701951 is an erratum that could affect platforms that
do not use an Arm interconnect IP. This was originally added to the list
of Cortex-A715 in the errata ABI files.
Fixed this by adding it to the Cortex-X3 list.
SDEN documentation:
https://developer.arm.com/documentation/2055130/latest
Change-Id: I6ffaf4360a4a2d0a23c253a2326c178e010c8e45
Signed-off-by: Sona Mathew <sonarebecca.mathew@arm.com>
Add myself as co-maintainer for SynQuacer platform,
as I'm currently working on it.
Change-Id: I149830bf7f635f72df808214e8fd23730fde7212
Signed-off-by: Masahisa Kojima <kojima.masahisa@socionext.com>
Cortex-A715 erratum 2429384 is a cat B erratum that applies to
revision r1p0 and is fixed in r1p1. The workaround is to set
bit[27] of CPUACTLR2_EL1. There is no workaround for revision
r0p0.
SDEN can be found here:
https://developer.arm.com/documentation/SDEN2148827/latest
Change-Id: I3cdb1b71567542174759f6946e9c81f77d0d993d
Signed-off-by: Bipin Ravi <biprav01@u203721.austin.arm.com>
The version 2 of the FWU metadata structure is designed such that the
information on the updatable images can be omitted from the metadata
structure. Add a config flag, PSA_FWU_METADATA_FW_STORE_DESC, which is
used to select whether the metadata structure has this information
included or not. It's value is set to 1 by default.
Change-Id: Id6c99455db768edd59b0a316051432a900d30076
Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org>
Update the links for accessing the FWU Multi Bank update specification
to point to the latest revision of the specification.
Change-Id: I25f35556a94ca81ca0a7463aebfcbc2d84595e8f
Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org>
Cortex-X3 erratum 2372204 is a Cat B erratum that applies to revisions
r0p0 and r1p0. It is fixed in r1p1.
The workaround is to set bit[40] of CPUACTLR2_EL1 to disable folding
of demand requests into older prefetches with L2 miss requests
outstanding.
SDEN can be found here:
https://developer.arm.com/documentation/SDEN2055130/latest
Change-Id: Iad28f8625c84186fbd8049406d139d4f15c6e069
Signed-off-by: Bipin Ravi <biprav01@u203721.austin.arm.com>
Update the section describing the TBBR chain of trust to use the same
terminology as in the code and the specification.
Also refresh the description of some of the certificates to include the
pieces of data they contain today. When this document was originally
written, TF-A did not support configuration files, which is why none of
the certificates included any configuration file hash at that time.
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
Change-Id: Ia85f88c933abd8d8d6727252a7d41fb9f0ce4287
Updated documentation for SMC SiP calling conventions for IPI,
PM, and SiP Service queries.
Signed-off-by: Prasad Kummari <prasad.kummari@amd.com>
Change-Id: I4bd71dd8e16c7adf3f9c5cb202f36aa2e275d03a
Updated documentation for SMC SiP calling conventions for IPI,
PM, and SiP Service queries.
Signed-off-by: Prasad Kummari <prasad.kummari@amd.com>
Change-Id: Ic232551bb09152124da5226673c88e1a34a384c4
Updated documentation for SMC SiP calling conventions for IPI,
PM, and SiP Service queries.
Signed-off-by: Prasad Kummari <prasad.kummari@amd.com>
Change-Id: I8904628d41b47596257f06791bffb7cde35879de
Also increase add PLAT_ARM_SP_MAX_SIZE to override the default
ARM_SP_MAX_SIZE to support Trusty image and move OPTEE_SP_FW_CONFIG
documentation to build-internals.rst as it's not externally set-able.
Signed-off-by: Arunachalam Ganapathy <arunachalam.ganapathy@arm.com>
Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>
Change-Id: Ief90ae9113d32265ee2200f35f3e517b7b9a4bea
As of now, CSS_SGI_PLATFORM_VARIANT and CSS_SGI_CHIP_COUNT are the
external build option that "sgi" platforms support. As "sgi" has been
renamed to "neoverse_rd" and the source files have been migrated out of
the css directory, replace the prefix "CSS_SGI" with "NRD".
Signed-off-by: Rohit Mathew <Rohit.Mathew@arm.com>
Change-Id: I27989ff42404d823dd2a8cd22ff485497ccb62d4
Currently, neoverse_rd is hosted under the "css" directory. However,
"css" directory is more relevant for hosting css definitions and
corresponding sources. Since neoverse_rd hosts source and header for css
and soc, move neoverse_rd from css to board folder. Consolidate common
sources and headers under neoverse_rd/common. Additionally, group RD-V1,
RD-V1-MC, RD-N2, RD-N1-Edgex2 and SGI-575 within neoverse_rd/platform.
With the changes in this commit, the tree view would look as follows:
plat/arm/board/neoverse_rd/
├── common
│ ├── arch
│ ├── include
│ └── ras
└── platform
├── rdn1edge
├── rdn2
├── rdv1
├── rdv1mc
└── sgi575
Signed-off-by: Rohit Mathew <Rohit.Mathew@arm.com>
Change-Id: Iaccc86bc9d415f5c045c834902241fcf3c00277b
Currently, reference design platforms such as RD-N2, RD-N1-Edge,
RD-V1-MC, RD-V1 and SGI-575 utilize "css/sgi" as the common source
directory. The "sgi" prefix originated from the System Guidance for
Infrastructure (SGI) and was initially associated with the SGI-575
platform. However, subsequent platforms released were under the Neoverse
Reference Design product name.
To align with the Neoverse Reference Design nomenclature, rename the
common source directory from "css/sgi" to "css/neoverse_rd" and update
all file prefixes from "sgi" to "nrd."
Signed-off-by: Rohit Mathew <Rohit.Mathew@arm.com>
Change-Id: I3dcbb31b9ab202e82caf25218ba33c520dcea4e4
As RD-E1_Edge is no longer actively supported and has been in the
deprecated list for a while, remove its support.
Signed-off-by: Rohit Mathew <Rohit.Mathew@arm.com>
Change-Id: Iff66ad498dd99e44e2e6b79251ba2cbefbd5f3eb
Exclude the threat of power analysis side-channel attacks
from consideration in the TF-A generic threat model.
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
Change-Id: I5b245f33609fe8948e473ce4484898db5ff8db4d
Update the FVP TC2 model version and build (11.23/17) to match
the version used for testing in TF-A OpenCI.
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
Change-Id: Ic7411ee4863428b7dfbe43cf39abfc2269f3c3ae
Add support for feat mte2. tfsr_el2 is available only with mte2,
however currently its context_save/restore is done with mte rather than
mte2, so introduce 'is_feat_mte2_supported' to check mte2.
Change-Id: I108d9989a8f5b4d1d2f3b9865a914056fa566cf2
Signed-off-by: Govindraj Raja <govindraj.raja@arm.com>
This model has been subsumed by the `FVP_Base` model, which is now
available publicly. We no longer have a need to test the Foundation
model, and can shave off a few minutes of CI time by removing it.
Change-Id: Iaa0f23f2efd9ba431d06c8da2be14b76f6974b0a
Signed-off-by: Chris Kay <chris.kay@arm.com>
Explain that platforms are free to define their own Chain of Trust (CoT)
based on their needs but default ones are provided in TF-A source code:
TBBR, dualroot and CCA.
Give a brief overview of the use case for each of these CoTs.
Simplified diagrams are also provided for the TBBR and dualroot CoTs -
CCA CoT is missing such a diagram right now, it should be provided as a
future improvement.
Also do some cosmetic changes along the way.
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
Change-Id: I7c4014d4d12d852b0ae5632ba9c71a9ad266080a
In RME documentation use "bp.secure_memory=0" to disable TZC,
and avoid conflicts with SPM in 4-world configuration.
Signed-off-by: J-Alves <joao.alves@arm.com>
Change-Id: I532bca8ab3bd3e6d4f18b5aa7e848c533e016f39
Cortex-A715 erratum 2561034 is a Cat B erratum that applies to
revision r1p0 and is fixed in r1p1.
The workaround is to set bit[26] in CPUACTLR2_EL1. Setting this
bit is not expected to have a significant performance impact.
SDEN documentation:
https://developer.arm.com/documentation/SDEN2148827/latest
Change-Id: I377f250a2994b6ced3ac7d93f947af6ceb690d49
Signed-off-by: Bipin Ravi <bipin.ravi@arm.com>
Section "Describing the authentication method(s)" of the Authentication
Framework documentation shows the authentication parameters types
(auth_param_type_t enum type) but is missing the AUTH_PARAM_NV_CTR
value. Add it.
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
Change-Id: I7c9022badfb039bfa9f999ecee40f18b49e6764c
The former link pointed to a page which displayed the following warning
message:
We could not find that page in the latest version, so we have taken
you to the first page instead
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
Change-Id: Icf9277770e38bc5e602b75052c2386301984238d
- Warn contributors that they need to register their email address in
their Gerrit profile. Not doing so causes errors at patch submission
and is a recurrent question on the mailing list.
- Add some links where useful.
- Remove confusing CGit link to TF-A source code. In the context of
setting up a local copy of the repo for contributing patches,
developers should rather clone it through Gerrit and this is best
covered by the "Getting the TF-A Source" section of TF-A
documentation.
- Add references to the OpenCI documentation, which has a lot more
details on some of the topics we briefly cover in the contribution
guidelines.
- Encourage the user to use the 'git review' command for patch
submission, inline with OpenCI documentation instructions. This
automatically sorts out which Gerrit server to push to and against
which repo branch (thanks to the '.gitreview' configuration file in
TF-A root directory).
- Elaborate the Coverity Scan section.
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
Change-Id: I1131662d8bc3502967b269a599869ea130897efb
This feature provides support to context save the
SCXTNUM_ELx register. FEAT_CSV2_3 implies the implementation
of FEAT_CSV2_2. FEAT_CSV2_3 is supported in AArch64 state only
and is an optional feature in Arm v8.0 implementations.
This patch adds feature detection for v8.9 feature FEAT_CSV2_3,
adds macros for ID_AA64PFR0_EL1.CSV2 bits [59:56] for detecting
FEAT_CSV2_3 and macro for ENABLE_FEAT_CSV2_3.
Change-Id: Ida9f31e832b5f11bd89eebd6cc9f10ddad755c14
Signed-off-by: Sona Mathew <sonarebecca.mathew@arm.com>
TF-A aims to comply with MISRA C:2012 Guidelines. We maintain a list of
all rules and directives and whether the project aims to comply with
them or not. A rationale is given for each deviation.
This list used to be provided as an '.ods' spreadsheet file hosted on
developer.trustedfirmware.org. This raises the following issues:
- The list is not version-controlled under the same scheme as TF-A
source code. This could lead to synchronization issues between the
two.
- The file needs to be open in a separate program, which is not as
straightforward as reading it from TF-A documentation itself.
- developer.trustedfirmware.org is deprecated, thus the file cannot be
safely kept there for any longer.
To address these issues, convert the '.ods' file into a CSV (Comma
Separated Values) file, which we import into TF-A source tree itself.
Make use of Sphinx's ability to process and render CSV files as tables
to display that information directly into the Coding Guidelines
document.
Also make the following minor changes along the way:
- Remove dead link to MISRA C:2012 Guidelines page. Replace it with a
link to a Wikipedia page to give a bit of context to the reader.
- We no longer use Coverity for MISRA compliance checks. Instead, we
use ECLAIR nowadays. Reflect this in the document.
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
Change-Id: I422fdd8246f4f9c2498c1be18115408a873b86ac
developer.trustedfirmware.org is deprecated so we cannot use its issues
tracker anymore. Instead, the project will now make use of the issues
tracker associated with the project's Github mirror at [1].
Reflect this change in TF-A documentation.
[1] https://github.com/TrustedFirmware-A/trusted-firmware-a/issues
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
Change-Id: I912f7dafc74368dba4e61ba4c9f358d5bf8346a9
Cortex X3 erratum 2641945 is a Cat B erratum that applies to all
revisions <= r1p0 and is fixed in r1p1.
The workaround is to disable the affected L1 data cache prefetcher
by setting CPUACTLR6_EL1[41] to 1. Doing so will incur a performance
penalty of ~1%. Contact Arm for an alternate workaround that impacts
power.
SDEN documentation:
https://developer.arm.com/documentation/2055130/latest
Change-Id: Ia6d6ac8a66936c63b8aa8d7698b937f42ba8f044
Signed-off-by: Bipin Ravi <bipin.ravi@arm.com>
As of now, GPT setup is being handled from BL2 for plat/arm platforms.
However, for platforms having a separate entity to load firmware images,
it is possible for BL31 to setup the GPT. In order to address this
concern, move the GPT setup implementation from arm_bl2_setup.c file to
arm_common.c. Additionally, rename the API from arm_bl2_gpt_setup to
arm_gpt_setup to make it boot stage agnostic.
Signed-off-by: Rohit Mathew <Rohit.Mathew@arm.com>
Change-Id: I35d17a179c8746945c69db37fd23d763a7774ddc
Sona Mathew
Bipin Ravi
Manish V Badarkhe
Yann Gautier
laurenw-arm
Mario Bălănică
Harrison Mutai
Arvind Ram Prakash
Tamas Ban
Masahisa Kojima
Sughosh Ganu
Jacky Bai
Sandrine Bailleux
Prasad Kummari
Arunachalam Ganapathy
Rohit Mathew
Manish Pandey
Govindraj Raja
Chris Kay
J-Alves
Bipin Ravi