For RME-enabled platforms, initializing L0 and L1 tables and enabling
GPC checks is necessary. For systems using BL2 to load firmware images,
the GPT initialization has to be done in BL2 prior to the image load.
The common Arm platform code currently implements this in the
"arm_bl2_plat_gpt_setup" function, relying on the FVP platform's
specifications (PAS definitions, GPCCR_PPS, and GPCCR_PGS).
Different Arm platforms may have distinct PAS definitions, GPCCR_PPS,
GPCCR_PGS, L0/L1 base, and size. To accommodate these variations,
introduce the "plat_arm_get_gpt_info" API. Platforms must implement
this API to provide the necessary data for GPT setup on RME-enabled
platforms. It is essential to note that these additions are relevant to
platforms under the plat/arm hierarchy that will reuse the
"arm_bl2_plat_gpt_setup" function.
As a result of these new additions, migrate data related to the FVP
platform to its source and header files.
Signed-off-by: Rohit Mathew <Rohit.Mathew@arm.com>
Change-Id: I4f4c8894c1cda0adc1f83e7439eb372e923f6147
The current documentation of the FEATURE_DETECTION build option seems
to suggest that this macro enables the dynamic runtime checking of
features, although this is done regardless of this debug feature.
FEATURE_DETECTION just adds the detect_arch_features() function to the
build and calls it early on, plus it enables the CPU errata order
checking.
Simplify the description of the FEATURE_DETECTION macro to make this
clear, and move the dynamic feature detection description into a
separate section, before all the specific ENABLE_FEAT_xxx explanations.
This also renames all mentioning of:
"... to align with the FEATURE_DETECTIION mechanism ..."
with:
"... to align with the ENABLE_FEAT mechanism ..."
in the description of each feature.
Change-Id: I5f4dd2d1e43bd440687b7cee551d02ec853d4e23
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
Currently CTX_INCLUDE_MTE_REGS is used for dual purpose,
to enable allocation tags register and to context save and restore
them and also to check if mte feature is available.
To make it more meaningful, remove CTX_INCLUDE_MTE_REGS
and introduce FEAT_MTE. This would enable allocation tags register
when FEAT_MTE is enabled and also supported from platform.
Also arch features can be conditionally enabled disabled based on
arch version from `make_helpers/arch_features.mk`
Change-Id: Ibdd2d43874634ad7ddff93c7edad6044ae1631ed
Signed-off-by: Govindraj Raja <govindraj.raja@arm.com>
Software supply chain attacks aim to inject malicious code into a
software product. There are several ways a malicious code can be
injected into a software product (open-source project).
These include:
- Malicious code commits
- Malicious dependencies
- Malicious toolchains
This document provides analysis of software supply chain attack
threats for the TF-A project
Change-Id: I03545d65a38dc372f3868a16c725b7378640a771
Signed-off-by: Lauren Wehrmeister <lauren.wehrmeister@arm.com>
Added a threat model for PSA firmware update as well as TBBR FWU aka
firmware recovery.
Change-Id: I2396e13144076d7294f61f6817e1a8646225c6c2
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
Update CoT binding documentation to add the signing-key property
as optional in root-certificates and add rot_keys node
Change-Id: I1d1fbc0394275520cfa43213d5b7006e51990fdd
Signed-off-by: Lauren Wehrmeister <lauren.wehrmeister@arm.com>
Cortex-A78C erratum 2683027 is a cat B erratum that applies to
revisions r0p1 - r0p2 and is still open. The workaround is to
execute a specific code sequence in EL3 during reset.
SDEN can be found here:
https://developer.arm.com/documentation/SDEN-2004089/latest
Change-Id: I2bf9e675f48b62b4cd203100f7df40f4846aafa8
Signed-off-by: Bipin Ravi <bipin.ravi@arm.com>
Cortex-X3 erratum 2266875 is a Cat B erratum that applies to
all revisions <= r1p0 and is fixed in r1p1. The workaround is to
set CPUACTLR_EL1[22]=1 which will cause the CFP instruction to
invalidate all branch predictor resources regardless of context.
SDEN Documentation:
https://developer.arm.com/documentation/2055130/latest
Change-Id: I9c610777e222f57f520d223bb03fc5ad05af1077
Signed-off-by: Bipin Ravi <bipin.ravi@arm.com>
Cortex-X3 erratum 2302506 is a cat B erratum that applies to
revisions r0p0-r1p1 and is fixed in r1p2. The workaround is to
set bit[0] of CPUACTLR2 which will force PLDW/PFRM ST to behave
like PLD/PRFM LD and not cause invalidation to other PE caches.
There might be a small performance degradation to this workaround
for certain workloads that share data.
SDEN can be found here:
https://developer.arm.com/documentation/2055130/latest
Change-Id: I048b830867915b88afa36582c6da05734a56d22a
Signed-off-by: Bipin Ravi <bipin.ravi@arm.com>
Added an assumption in generic threat model that platform's hardware
conforms the Platform Security Requirements specification.
Change-Id: I753287feec1cd459edfd3d1c103e0e701827cc05
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
On receiving CPU power down callback, TF-A raises SGI interrupt to all active
cores to power down each active cores. Add handler for this SGI IRQ.
By default TF-A uses SGI 6 for CPU power down request. This can be
configurable through CPU_PWRDWN_SGI build flag.
e.g., If user wants to use SGI 7 instead of SGI 6 then provide build
flag CPU_PWRDWN_SGI=7
Signed-off-by: Jay Buddhabhatti <jay.buddhabhatti@amd.com>
Change-Id: Id0df32187d1de3f0af4486eb4d4930cb3ab01dbd
This patch provides a reporting functionality to display the memory
consumed by the context in each security state and for each exception
level. Flag PLATFORM_REPORT_CTX_MEM_USE enables or disables this
feature.
Change-Id: I1515366bf87561dcedf2b3206be167804df681d4
Signed-off-by: Juan Pablo Conde <juanpablo.conde@arm.com>
Signed-off-by: Jayanth Dodderi Chidanand <jayanthdodderi.chidanand@arm.com>
New build option CTX_INCLUDE_MPAM_REGS is added to select
if the firmware needs to save the MPAM EL2 registers during world
switches. This option is currently disabled as MPAM is only
enabled for NS world.
Signed-off-by: Arvind Ram Prakash <arvind.ramprakash@arm.com>
Change-Id: Ie2e5e184cdb65f7e1a98d8fe81590253fd859679
tf.org-wide documents have been migrated away from
developer.trustedfirmware.org, because the latter will be
decomissioned at some point in the future. These documents are now
hosted in a new 'tf_docs' repository hosted on Github [1] and can be
easily browsed through a new ReadTheDocs website at [2].
Update all relevant links in TF-A documentation to refer to [2].
[1] https://github.com/TrustedFirmware/tf_docs
[2] https://trusted-firmware-docs.readthedocs.io/
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
Change-Id: Ib9d39c36250a05754fe5e46cb6f3044ecb776534
Cortex X3 erratum 2743088 is a Cat B erratum that applies to all
revisions <= r1p1 and is fixed in r1p2. The workaround is to add a DSB
instruction before the ISB of the powerdown code sequence specified in
the TRM.
SDEN documentation: https://developer.arm.com/documentation/2055130
Change-Id: I2c8577e3ca0781af8b1c3912e577d3bd77f92709
Signed-off-by: Harrison Mutai <harrison.mutai@arm.com>
Add information about Versal platform for ERRATA_ABI_SUPPORT and
provide the build commands.
Signed-off-by: Prasad Kummari <prasad.kummari@amd.com>
Change-Id: I8466ea446814f888ae56f5cbb7bbdc06099d54f8
Cortex-A520 erratum 2858100 is a Cat B erratum that applies to
all revisions <=r0p1 and is still open. The workaround is to
set bit[29] of CPUACTLR_EL1.
SDEN Documentation:
https://developer.arm.com/documentation/SDEN-2444153/latest
Signed-off-by: Arvind Ram Prakash <arvind.ramprakash@arm.com>
Change-Id: I5a07163f919352583b03328abd5659bf7b268677
Cortex-A520 erratum is a Cat B erratum that applies
to revisions r0p0 and r0p1 and is still open.
The workaround is to set CPUACTLR_EL1[38] to 1.
SDEN Documentation:
https://developer.arm.com/documentation/SDEN-2444153/latest
Change-Id: Idb6f32f680ee1378a57c2d2f809ea847fffe5910
Signed-off-by: Sona Mathew <sonarebecca.mathew@arm.com>
Cortex-X2 erratum 2778471 is a Cat B erratum that applies
to revisions r0p1, r1p0, r2p0 and r2p1 and is still open.
The workaround is to set CPUACTLR3_EL1[47] to 1.
SDEN documentation:
https://developer.arm.com/documentation/SDEN-1775100/latest
Change-Id: Ia95f0e276482283bf50e06c58c2bc5faab3f62c6
Signed-off-by: Sona Mathew <sonarebecca.mathew@arm.com>
Cortex-A710 erratum 2778471 is a Cat B erratum that applies
to revisions r0p1, r1p0, r2p0 and r2p1 and is still open.
The workaround is to set CPUACTLR3_EL1[47] to 1.
SDEN documentation:
https://developer.arm.com/documentation/SDEN-1775101/latest
Change-Id: Id3bb4a2673e41ff237682e46784d37752daf2f83
Signed-off-by: Sona Mathew <sonarebecca.mathew@arm.com>
Neoverse V2 erratum 2618597 is a Cat B erratum that applies to
all revisions <= r0p1 and is fixed in r0p2. The workaround is to
disable the use of the Full Retention power mode in the core (setting
WFI_RET_CTRL and WFE_RET_CTRL in IMP_CPUPWRCTLR_EL1 to 0b000).
SDEN can be found here:
https://developer.arm.com/documentation/SDEN-2332927/latest
Change-Id: I23a81275d1e40cae39e6897093d6cdd3e11c08ea
Signed-off-by: Bipin Ravi <bipin.ravi@arm.com>
verify_hash should be placed before calc_hash
align with crypto_mod.h
Change-Id: I536125502d83bb732cf70fbe516d5fe009dc95fe
Signed-off-by: zhiyang.shi <zhiyang.shi@cixtech.com>
Added changelog for v2.10 release.
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
Signed-off-by: Juan Pablo Conde <juanpablo.conde@arm.com>
Change-Id: Id06263047fcc1ec60e82f85cd09e2e4bc95830f5
This patch enables support for the gcc compiler option "-mharden-sls",
the default is not to use this option. Setting HARDEN_SLS=1 sets
"-mharden-sls=all" that enables all hardening against straight line
speculation.
Signed-off-by: Bipin Ravi <bipin.ravi@arm.com>
Change-Id: I59f5963c22431571f5aebe7e0c5642b32362f4c9
Neoverse V2 erratum 2662553 is a Cat B erratum that applies to all
revisions <= r0p1 and is fixed in r0p2.
The workaround is to set L2 TQ size statically to it's full size.
SDEN documentation:
https://developer.arm.com/documentation/SDEN-2332927/latest
Change-Id: I3bc43e7299c17db8a6771a547515ffb2a172fa0f
Signed-off-by: Bipin Ravi <bipin.ravi@arm.com>
This reverts commit 0abbfab320.
Reason for revert: Changelog was based on rc0 tag but we got few more patches after that which were not captured.
Change-Id: I9829f2b6dc09f0bd5c538845cbae051f6e4c8a75
Cortex-A78C erratum 2743232 is a Cat B erratum that applies
to revisions r0p1 and r0p2 and is still open.
The workaround is to set CPUACTLR5_EL1[56:55] to 2'b01.
SDEN Documentation:
https://developer.arm.com/documentation/SDEN-2004089/latest
Change-Id: Ic62579c2dd69b7a8cbbeaa936f45b2cc9436439a
Signed-off-by: Sona Mathew <sonarebecca.mathew@arm.com>
Neoverse V1 erratum 2348377 is a Cat B erratum that applies to
all revisions <= r1p1 and is fixed in r1p2. The workaround is to
set CPUACTLR5_EL1[61] to 1.
SDEN documentation:
https://developer.arm.com/documentation/SDEN-1401781/latest
Change-Id: Ica402494f78811c85e56a262e1f60b09915168fe
Signed-off-by: Sona Mathew <sonarebecca.mathew@arm.com>
Cortex-X3 erratum 2779509 is a Cat B erratum that applies to
all revisions <= r1p1 and is fixed in r1p2. The workaround is
to set chicken bit CPUACTLR3_EL1[47], this might have a small
impact on power and has negligible impact on performance.
SDEN documentation:
https://developer.arm.com/documentation/2055130/latest
Change-Id: Id92dbae6f1f313b133ffaa018fbf9c078da55d75
Signed-off-by: Sona Mathew <sonarebecca.mathew@arm.com>
Arm has made the strategic decision to deprecate the TC1 platform.
Consequently, software development and the creation of fast models
for the TC1 platform have been officially discontinued.
The TC1 platform, now considered obsolete, has been succeeded by
the TC2 platform. It's noteworthy that the TC2 platform is already
integrated and supported in both TF-A and CI repositories.
Change-Id: Ia196a5fc975b4dbf3c913333daf595199968d95d
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
A number of features are marked experimental in the build system through
makefiles but there wasn't an explicit document to list them.
Added a dedicated experimental build options section and moved
existing experimental build option descriptions in this section.
Restoring the change from [1] removing the experimental flag on the EL3
SPMC (this has been lost in rebasing a later change).
[1] https://review.trustedfirmware.org/c/TF-A/trusted-firmware-a/+/24713
Signed-off-by: Olivier Deprez <olivier.deprez@arm.com>
Change-Id: I2c458c6857c347114b265404e8b9ede9ac588463
As part of the release process, revisit the list of maintainers to
keep it updated.
Change-Id: Ifdbbe0d0dd1c8db3e5fbc84affcceb6d3c7716d4
Signed-off-by: Bipin Ravi <bipin.ravi@arm.com>
This change updates the model versions that we claim to be testing with
to reflect what the reality in the CI.
Change-Id: Ieb44f3f21cd0ba7149d47f7688698831c9eab487
Signed-off-by: Chris Kay <chris.kay@arm.com>
Arm Confidential Compute Architecture (Arm CCA) support, underpinned by
Arm Realm Management Extension (RME) support, brings in a few important
software and hardware architectural changes in TF-A, which warrants a
new security analysis of the code base. Results of this analysis are
captured in a new threat model document, provided in this patch.
The main changes introduced in TF-A to support Arm CCA / RME are:
- Presence of a new threat agent: realm world clients.
- Availability of Arm CCA Hardware Enforced Security (HES) to support
measured boot and trusted boot.
- Configuration of the Granule Protection Tables (GPT) for
inter-world memory protection.
This is only an initial version of the threat model and we expect to
enrich it in the future.
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
Co-authored-by: Manish Pandey <manish.pandey2@arm.com>
Change-Id: Iab84dc724df694511508f90dc76b6d469c4cccd5
Removed RSS usage from the Base AEM FVP platform, as it wasn't
functional on this platform. The Base AEM FVP platform lacks
support for RSS.
Instead, the TC2 platform with RSS is available for actual RSS
interface implementation and testing.
Change-Id: I8f68157319399ab526f9e851b26dba903db5c2e7
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
Removed the PLAT_RSS_NOT_SUPPORTED build option, which was initially
introduced for building the Base AEM FVP platform platform with RSS.
However, we now have a well-defined TC2 platform with RSS, making it
unnecessary to keep this flag.
Note -
Theoretically this is a breaking change. Other platforms could be
using the PLAT_RSS_NOT_SUPPORTED build option. Among upstream platforms,
only the Base AEM FVP uses it right now but we don't know about
downstream platforms.
Change-Id: I931905a4c6ac1ebe3895ab6e0287d0fa07721707
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
TF-A supports reading input data from UART interfaces. This opens up
an attack vector for arbitrary data to be injected into TF-A, which is
not covered in the threat model right now.
Fill this gap by:
- Updating the data flow diagrams. Data may flow from the UART into
TF-A (and not only the other way around).
- Documenting the threats inherent to reading untrusted data from a
UART.
Change-Id: I508da5d2f7ad5d20717b958d76ab9337c5eca50f
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
CryptoCell-712 and CryptoCell-713 drivers have been deprecated since
TF-A v2.9 and their removal was announced for TF-A v2.10 release.
See [1].
As the release is approaching, this patch deletes these drivers' code as
well as all references to them in the documentation and Arm platforms
code (Nuvoton platform is taken care in a subsequent patch). Associated
build options (ARM_CRYPTOCELL_INTEG and PLAT_CRYPTOCELL_BASE) have also
been removed and thus will have no effect if defined.
This is a breaking change for downstream platforms which use these
drivers.
[1] https://trustedfirmware-a.readthedocs.io/en/v2.9/about/release-information.html#removal-of-deprecated-drivers
Note that TF-A v3.0 release later got renumbered into v2.10.
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
Change-Id: Idabbc9115f6732ac1a0e52b273d3380677a39813
The EL3 SPMC is known to be deployed into end products and properly
tested since its introduction into TF-A v2.7.
Signed-off-by: Olivier Deprez <olivier.deprez@arm.com>
Change-Id: I96bb897cfefef20c33cfc39627b10746dce5485c
There is no platform function to retrieve the info in the generic code.
Populate the BL32 image base, size and max limit in arg2, arg3 and arg4.
Signed-off-by: Nishant Sharma <nishant.sharma@arm.com>
Change-Id: I35527fb41829102083b488a5150c0c707c5ede15
Introducing INIT_UNUSED_NS_EL2 macro which guards the code that
disables the unused EL2 when a platform hands off from EL3
to NS-EL1 instead of NS-EL2. Platforms without NS-EL2 in use
must enable this flag.
BREAKING CHANGE: Initialisation code for handoff from EL3 to NS-EL1
disabled by default. Platforms which do that need to enable this macro
going forward
Signed-off-by: Arvind Ram Prakash <arvind.ramprakash@arm.com>
Change-Id: I61431cc4f7e2feb568d472828e5fd79cc73e51f5
Add a chapter "Version numbering" in release information file that
explains macros used for TF-A version. It also introduces VERSION_PATCH
macro that is used for LTS releases. A comment for this macro is also
added in Makefile.
Signed-off-by: Yann Gautier <yann.gautier@st.com>
Change-Id: I946b6cb91bb8454131f07b24534d28ab1aef1771
Rohit Mathew
Andre Przywara
Govindraj Raja
laurenw-arm
Manish V Badarkhe
Manish Pandey
Bipin Ravi
Michael Trimarchi
Jay Buddhabhatti
Juan Pablo Conde
Arvind Ram Prakash
Sandrine Bailleux
Harrison Mutai
Prasad Kummari
Sona Mathew
Javier Almansa Sobrino
zhiyang.shi
Olivier Deprez
Chris Kay
Nishant Sharma
Yann Gautier