andrius
/
arm-trusted-firmware
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
arm-trusted-firmware/common/bl_common.c

272 lines
7.7 KiB
C
Raw Permalink Normal View History

ARMv8 Trusted Firmware release v0.2
2013-10-25 09:08:21 +01:00
/*
refactor(measured-boot): avoid Measured-Boot dependency on Trusted-Boot Measured-Boot and Trusted-Boot are orthogonal to each other and hence removed dependency of Trusted-Boot on Measured-Boot by making below changes - 1. BL1 and BL2 main functions are used for initializing Crypto module instead of the authentication module 2. Updated Crypto module registration macro for MEASURED_BOOT with only necessary callbacks for calculating image hashes 3. The 'load_auth_image' function is now used for the image measurement during Trusted or Non-Trusted Boot flow Change-Id: I3570e80bae8ce8f5b58d84bd955aa43e925d9fff Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
2021-12-16 10:41:47 +00:00
* Copyright (c) 2013-2022, Arm Limited and Contributors. All rights reserved.
ARMv8 Trusted Firmware release v0.2
2013-10-25 09:08:21 +01:00
*
Use SPDX license identifiers To make software license auditing simpler, use SPDX[0] license identifiers instead of duplicating the license text in every file. NOTE: Files that have been imported by FreeBSD have not been modified. [0]: https://spdx.org/ Change-Id: I80a00e1f641b8cc075ca5a95b10607ed9ed8761a Signed-off-by: dp-arm <dimitris.papastamos@arm.com>
2017-05-03 09:38:09 +01:00
* SPDX-License-Identifier: BSD-3-Clause
ARMv8 Trusted Firmware release v0.2
2013-10-25 09:08:21 +01:00
*/
Reduce deep nesting of header files Reduce the number of header files included from other header files as much as possible without splitting the files. Use forward declarations where possible. This allows removal of some unnecessary "#ifndef __ASSEMBLY__" statements. Also, review the .c and .S files for which header files really need including and reorder the #include statements alphabetically. Fixes ARM-software/tf-issues#31 Change-Id: Iec92fb976334c77453e010b60bcf56f3be72bd3e
2014-04-09 13:14:54 +01:00
#include <assert.h>
Remove concept of top/bottom image loading This concept is no longer required since we now support loading of images at fixed addresses only. The image loader now automatically detects the position of the image inside the current memory layout and updates the layout such that memory fragmentation is minimised. The 'attr' field of the meminfo data structure, which used to hold the bottom/top loading information, has been removed. Also the 'next' field has been removed as it wasn't used anywhere. The 'init_bl2_mem_layout()' function has been moved out of common code and put in BL1-specific code. It has also been renamed into 'bl1_init_bl2_mem_layout'. Fixes ARM-software/tf-issues#109 Change-Id: I3f54642ce7b763d5ee3b047ad0ab59eabbcf916d
2014-06-24 14:02:34 +01:00
#include <errno.h>
TBB: abort boot if BL3-2 cannot be authenticated BL3-2 image (Secure Payload) is optional. If the image cannot be loaded a warning message is printed and the boot process continues. According to the TBBR document, this behaviour should not apply in case of an authentication error, where the boot process should be aborted. This patch modifies the load_auth_image() function to distinguish between a load error and an authentication error. The caller uses the return value to abort the boot process or continue. In case of authentication error, the memory region used to store the image is wiped clean. Change-Id: I534391d526d514b2a85981c3dda00de67e0e7992
2015-08-17 10:43:27 +01:00
#include <string.h>
Sanitise includes across codebase Enforce full include path for includes. Deprecate old paths. The following folders inside include/lib have been left unchanged: - include/lib/cpus/${ARCH} - include/lib/el3_runtime/${ARCH} The reason for this change is that having a global namespace for includes isn't a good idea. It defeats one of the advantages of having folders and it introduces problems that are sometimes subtle (because you may not know the header you are actually including if there are two of them). For example, this patch had to be created because two headers were called the same way: e0ea0928d5b7 ("Fix gpio includes of mt8173 platform to avoid collision."). More recently, this patch has had similar problems: 46f9b2c3a282 ("drivers: add tzc380 support"). This problem was introduced in commit 4ecca33988b9 ("Move include and source files to logical locations"). At that time, there weren't too many headers so it wasn't a real issue. However, time has shown that this creates problems. Platforms that want to preserve the way they include headers may add the removed paths to PLAT_INCLUDES, but this is discouraged. Change-Id: I39dc53ed98f9e297a5966e723d1936d6ccf2fc8f Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
2018-12-14 00:18:21 +00:00
#include <arch.h>
Add support for pointer authentication The previous commit added the infrastructure to load and save ARMv8.3-PAuth registers during Non-secure <-> Secure world switches, but didn't actually enable pointer authentication in the firmware. This patch adds the functionality needed for platforms to provide authentication keys for the firmware, and a new option (ENABLE_PAUTH) to enable pointer authentication in the firmware itself. This option is disabled by default, and it requires CTX_INCLUDE_PAUTH_REGS to be enabled. Change-Id: I35127ec271e1198d43209044de39fa712ef202a5 Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
2019-02-19 11:53:51 +00:00
#include <arch_features.h>
Sanitise includes across codebase Enforce full include path for includes. Deprecate old paths. The following folders inside include/lib have been left unchanged: - include/lib/cpus/${ARCH} - include/lib/el3_runtime/${ARCH} The reason for this change is that having a global namespace for includes isn't a good idea. It defeats one of the advantages of having folders and it introduces problems that are sometimes subtle (because you may not know the header you are actually including if there are two of them). For example, this patch had to be created because two headers were called the same way: e0ea0928d5b7 ("Fix gpio includes of mt8173 platform to avoid collision."). More recently, this patch has had similar problems: 46f9b2c3a282 ("drivers: add tzc380 support"). This problem was introduced in commit 4ecca33988b9 ("Move include and source files to logical locations"). At that time, there weren't too many headers so it wasn't a real issue. However, time has shown that this creates problems. Platforms that want to preserve the way they include headers may add the removed paths to PLAT_INCLUDES, but this is discouraged. Change-Id: I39dc53ed98f9e297a5966e723d1936d6ccf2fc8f Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
2018-12-14 00:18:21 +00:00
#include <arch_helpers.h>
#include <common/bl_common.h>
#include <common/debug.h>
#include <drivers/auth/auth_mod.h>
#include <drivers/io/io_storage.h>
#include <lib/utils.h>
#include <lib/xlat_tables/xlat_tables_defs.h>
#include <plat/common/platform.h>
ARMv8 Trusted Firmware release v0.2
2013-10-25 09:08:21 +01:00
Allow disabling authentication dynamically This patch allows platforms to dynamically disable authentication of images during cold boot. This capability is controlled via the DYN_DISABLE_AUTH build flag and is only meant for development purposes. Change-Id: Ia3df8f898824319bb76d5cc855b5ad6c3d227260 Signed-off-by: Soby Mathew <soby.mathew@arm.com>
2018-03-26 12:43:37 +01:00
#if TRUSTED_BOARD_BOOT
# ifdef DYN_DISABLE_AUTH
static int disable_auth;
/******************************************************************************
* API to dynamically disable authentication. Only meant for development
Remove build option LOAD_IMAGE_V2 The code of LOAD_IMAGE_V2=0 has been removed. Change-Id: Iea03e5bebb90c66889bdb23f85c07d0c9717fffe Co-authored-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com> Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
2018-09-24 17:20:48 +01:00
* systems. This is only invoked if DYN_DISABLE_AUTH is defined.
Allow disabling authentication dynamically This patch allows platforms to dynamically disable authentication of images during cold boot. This capability is controlled via the DYN_DISABLE_AUTH build flag and is only meant for development purposes. Change-Id: Ia3df8f898824319bb76d5cc855b5ad6c3d227260 Signed-off-by: Soby Mathew <soby.mathew@arm.com>
2018-03-26 12:43:37 +01:00
*****************************************************************************/
void dyn_disable_auth(void)
{
INFO("Disabling authentication of images dynamically\n");
disable_auth = 1;
}
# endif /* DYN_DISABLE_AUTH */
/******************************************************************************
* Function to determine whether the authentication is disabled dynamically.
*****************************************************************************/
static int dyn_is_auth_disabled(void)
{
# ifdef DYN_DISABLE_AUTH
return disable_auth;
# else
return 0;
# endif
}
#endif /* TRUSTED_BOARD_BOOT */
Rework type usage in Trusted Firmware This patch reworks type usage in generic code, drivers and ARM platform files to make it more portable. The major changes done with respect to type usage are as listed below: * Use uintptr_t for storing address instead of uint64_t or unsigned long. * Review usage of unsigned long as it can no longer be assumed to be 64 bit. * Use u_register_t for register values whose width varies depending on whether AArch64 or AArch32. * Use generic C types where-ever possible. In addition to the above changes, this patch also modifies format specifiers in print invocations so that they are AArch64/AArch32 agnostic. Only files related to upcoming feature development have been reworked. Change-Id: I9f8c78347c5a52ba7027ff389791f1dad63ee5f8
2016-06-16 14:52:04 +01:00
uintptr_t page_align(uintptr_t value, unsigned dir)
ARMv8 Trusted Firmware release v0.2
2013-10-25 09:08:21 +01:00
{
/* Round up the limit to the next page boundary */
Increase type widths to satisfy width requirements Usually, C has no problem up-converting types to larger bit sizes. MISRA rule 10.7 requires that you not do this, or be very explicit about this. This resolves the following required rule: bl1/aarch64/bl1_context_mgmt.c:81:[MISRA C-2012 Rule 10.7 (required)]<None> The width of the composite expression "0U | ((mode & 3U) << 2U) | 1U | 0x3c0U" (32 bits) is less that the right hand operand "18446744073709547519ULL" (64 bits). This also resolves MISRA defects such as: bl2/aarch64/bl2arch_setup.c:18:[MISRA C-2012 Rule 12.2 (required)] In the expression "3U << 20", shifting more than 7 bits, the number of bits in the essential type of the left expression, "3U", is not allowed. Further, MISRA requires that all shifts don't overflow. The definition of PAGE_SIZE was (1U << 12), and 1U is 8 bits. This caused about 50 issues. This fixes the violation by changing the definition to 1UL << 12. Since this uses 32bits, it should not create any issues for aarch32. This patch also contains a fix for a build failure in the sun50i_a64 platform. Specifically, these misra fixes removed a single and instruction, 92407e73 and x19, x19, #0xffffffff from the cm_setup_context function caused a relocation in psci_cpus_on_start to require a linker-generated stub. This increased the size of the .text section and caused an alignment later on to go over a page boundary and round up to the end of RAM before placing the .data section. This sectionn is of non-zero size and therefore causes a link error. The fix included in this reorders the functions during link time without changing their ording with respect to alignment. Change-Id: I76b4b662c3d262296728a8b9aab7a33b02087f16 Signed-off-by: Jimmy Brisson <jimmy.brisson@arm.com>
2020-08-04 22:18:52 +01:00
if ((value & PAGE_SIZE_MASK) != 0U) {
value &= ~PAGE_SIZE_MASK;
ARMv8 Trusted Firmware release v0.2
2013-10-25 09:08:21 +01:00
if (dir == UP)
Rework type usage in Trusted Firmware This patch reworks type usage in generic code, drivers and ARM platform files to make it more portable. The major changes done with respect to type usage are as listed below: * Use uintptr_t for storing address instead of uint64_t or unsigned long. * Review usage of unsigned long as it can no longer be assumed to be 64 bit. * Use u_register_t for register values whose width varies depending on whether AArch64 or AArch32. * Use generic C types where-ever possible. In addition to the above changes, this patch also modifies format specifiers in print invocations so that they are AArch64/AArch32 agnostic. Only files related to upcoming feature development have been reworked. Change-Id: I9f8c78347c5a52ba7027ff389791f1dad63ee5f8
2016-06-16 14:52:04 +01:00
value += PAGE_SIZE;
ARMv8 Trusted Firmware release v0.2
2013-10-25 09:08:21 +01:00
}
return value;
}
Add new version of image loading. This patch adds capability to load BL images based on image descriptors instead of hard coded way of loading BL images. This framework is designed such that it can be readily adapted by any BL stage that needs to load images. In order to provide the above capability the following new platform functions are introduced: bl_load_info_t *plat_get_bl_image_load_info(void); This function returns pointer to the list of images that the platform has populated to load. bl_params_t *plat_get_next_bl_params(void); This function returns a pointer to the shared memory that the platform has kept aside to pass trusted firmware related information that next BL image needs. void plat_flush_next_bl_params(void); This function flushes to main memory all the params that are passed to next image. int bl2_plat_handle_post_image_load(unsigned int image_id) This function can be used by the platforms to update/use image information for given `image_id`. `desc_image_load.c` contains utility functions which can be used by the platforms to generate, load and executable, image list based on the registered image descriptors. This patch also adds new version of `load_image/load_auth_image` functions in-order to achieve the above capability. Following are the changes for the new version as compared to old: - Refactor the signature and only keep image_id and image_info_t arguments. Removed image_base argument as it is already passed through image_info_t. Given that the BL image base addresses and limit/size are already provided by the platforms, the meminfo_t and entry_point_info arguments are not needed to provide/reserve the extent of free memory for the given BL image. - Added check for the image size against the defined max size. This is needed because the image size could come from an unauthenticated source (e.g. the FIP header). To make this check, new member is added to the image_info_t struct for identifying the image maximum size. New flag `LOAD_IMAGE_V2` is added in the Makefile. Default value is 0. NOTE: `TRUSTED_BOARD_BOOT` is currently not supported when `LOAD_IMAGE_V2` is enabled. Change-Id: Ia7b643f4817a170d5a2fbf479b9bc12e63112e79
2016-09-12 16:08:41 +01:00
/*******************************************************************************
Unify cache flush code path after image load Previously the cache flush happened in 2 different places in code depending on whether TRUSTED_BOARD_BOOT is enabled or not. This patch unifies this code path for both the cases. The `load_image()` function is now made an internal static function. Change-Id: I96a1da29d29236bbc34b1c95053e6a9a7fc98a54 Signed-off-by: Soby Mathew <soby.mathew@arm.com>
2017-11-10 13:14:40 +00:00
* Internal function to load an image at a specific address given
Add new version of image loading. This patch adds capability to load BL images based on image descriptors instead of hard coded way of loading BL images. This framework is designed such that it can be readily adapted by any BL stage that needs to load images. In order to provide the above capability the following new platform functions are introduced: bl_load_info_t *plat_get_bl_image_load_info(void); This function returns pointer to the list of images that the platform has populated to load. bl_params_t *plat_get_next_bl_params(void); This function returns a pointer to the shared memory that the platform has kept aside to pass trusted firmware related information that next BL image needs. void plat_flush_next_bl_params(void); This function flushes to main memory all the params that are passed to next image. int bl2_plat_handle_post_image_load(unsigned int image_id) This function can be used by the platforms to update/use image information for given `image_id`. `desc_image_load.c` contains utility functions which can be used by the platforms to generate, load and executable, image list based on the registered image descriptors. This patch also adds new version of `load_image/load_auth_image` functions in-order to achieve the above capability. Following are the changes for the new version as compared to old: - Refactor the signature and only keep image_id and image_info_t arguments. Removed image_base argument as it is already passed through image_info_t. Given that the BL image base addresses and limit/size are already provided by the platforms, the meminfo_t and entry_point_info arguments are not needed to provide/reserve the extent of free memory for the given BL image. - Added check for the image size against the defined max size. This is needed because the image size could come from an unauthenticated source (e.g. the FIP header). To make this check, new member is added to the image_info_t struct for identifying the image maximum size. New flag `LOAD_IMAGE_V2` is added in the Makefile. Default value is 0. NOTE: `TRUSTED_BOARD_BOOT` is currently not supported when `LOAD_IMAGE_V2` is enabled. Change-Id: Ia7b643f4817a170d5a2fbf479b9bc12e63112e79
2016-09-12 16:08:41 +01:00
* an image ID and extents of free memory.
*
* If the load is successful then the image information is updated.
*
* Returns 0 on success, a negative error code otherwise.
******************************************************************************/
Unify cache flush code path after image load Previously the cache flush happened in 2 different places in code depending on whether TRUSTED_BOARD_BOOT is enabled or not. This patch unifies this code path for both the cases. The `load_image()` function is now made an internal static function. Change-Id: I96a1da29d29236bbc34b1c95053e6a9a7fc98a54 Signed-off-by: Soby Mathew <soby.mathew@arm.com>
2017-11-10 13:14:40 +00:00
static int load_image(unsigned int image_id, image_info_t *image_data)
Add new version of image loading. This patch adds capability to load BL images based on image descriptors instead of hard coded way of loading BL images. This framework is designed such that it can be readily adapted by any BL stage that needs to load images. In order to provide the above capability the following new platform functions are introduced: bl_load_info_t *plat_get_bl_image_load_info(void); This function returns pointer to the list of images that the platform has populated to load. bl_params_t *plat_get_next_bl_params(void); This function returns a pointer to the shared memory that the platform has kept aside to pass trusted firmware related information that next BL image needs. void plat_flush_next_bl_params(void); This function flushes to main memory all the params that are passed to next image. int bl2_plat_handle_post_image_load(unsigned int image_id) This function can be used by the platforms to update/use image information for given `image_id`. `desc_image_load.c` contains utility functions which can be used by the platforms to generate, load and executable, image list based on the registered image descriptors. This patch also adds new version of `load_image/load_auth_image` functions in-order to achieve the above capability. Following are the changes for the new version as compared to old: - Refactor the signature and only keep image_id and image_info_t arguments. Removed image_base argument as it is already passed through image_info_t. Given that the BL image base addresses and limit/size are already provided by the platforms, the meminfo_t and entry_point_info arguments are not needed to provide/reserve the extent of free memory for the given BL image. - Added check for the image size against the defined max size. This is needed because the image size could come from an unauthenticated source (e.g. the FIP header). To make this check, new member is added to the image_info_t struct for identifying the image maximum size. New flag `LOAD_IMAGE_V2` is added in the Makefile. Default value is 0. NOTE: `TRUSTED_BOARD_BOOT` is currently not supported when `LOAD_IMAGE_V2` is enabled. Change-Id: Ia7b643f4817a170d5a2fbf479b9bc12e63112e79
2016-09-12 16:08:41 +01:00
{
uintptr_t dev_handle;
uintptr_t image_handle;
uintptr_t image_spec;
uintptr_t image_base;
size_t image_size;
size_t bytes_read;
int io_result;
assert(image_data != NULL);
assert(image_data->h.version >= VERSION_2);
image_base = image_data->image_base;
/* Obtain a reference to the image by querying the platform layer */
io_result = plat_get_image_source(image_id, &dev_handle, &image_spec);
if (io_result != 0) {
WARN("Failed to obtain reference to image id=%u (%i)\n",
image_id, io_result);
return io_result;
}
/* Attempt to access the image */
io_result = io_open(dev_handle, image_spec, &image_handle);
if (io_result != 0) {
WARN("Failed to access image id=%u (%i)\n",
image_id, io_result);
return io_result;
}
Remove some MISRA defects in common code No functional changes. Change-Id: I9638e02acb9b22eb794ebf45aad84348a710287e Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
2018-10-04 09:55:23 +01:00
INFO("Loading image id=%u at address 0x%lx\n", image_id, image_base);
Add new version of image loading. This patch adds capability to load BL images based on image descriptors instead of hard coded way of loading BL images. This framework is designed such that it can be readily adapted by any BL stage that needs to load images. In order to provide the above capability the following new platform functions are introduced: bl_load_info_t *plat_get_bl_image_load_info(void); This function returns pointer to the list of images that the platform has populated to load. bl_params_t *plat_get_next_bl_params(void); This function returns a pointer to the shared memory that the platform has kept aside to pass trusted firmware related information that next BL image needs. void plat_flush_next_bl_params(void); This function flushes to main memory all the params that are passed to next image. int bl2_plat_handle_post_image_load(unsigned int image_id) This function can be used by the platforms to update/use image information for given `image_id`. `desc_image_load.c` contains utility functions which can be used by the platforms to generate, load and executable, image list based on the registered image descriptors. This patch also adds new version of `load_image/load_auth_image` functions in-order to achieve the above capability. Following are the changes for the new version as compared to old: - Refactor the signature and only keep image_id and image_info_t arguments. Removed image_base argument as it is already passed through image_info_t. Given that the BL image base addresses and limit/size are already provided by the platforms, the meminfo_t and entry_point_info arguments are not needed to provide/reserve the extent of free memory for the given BL image. - Added check for the image size against the defined max size. This is needed because the image size could come from an unauthenticated source (e.g. the FIP header). To make this check, new member is added to the image_info_t struct for identifying the image maximum size. New flag `LOAD_IMAGE_V2` is added in the Makefile. Default value is 0. NOTE: `TRUSTED_BOARD_BOOT` is currently not supported when `LOAD_IMAGE_V2` is enabled. Change-Id: Ia7b643f4817a170d5a2fbf479b9bc12e63112e79
2016-09-12 16:08:41 +01:00
/* Find the size of the image */
io_result = io_size(image_handle, &image_size);
Remove some MISRA defects in common code No functional changes. Change-Id: I9638e02acb9b22eb794ebf45aad84348a710287e Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
2018-10-04 09:55:23 +01:00
if ((io_result != 0) || (image_size == 0U)) {
Add new version of image loading. This patch adds capability to load BL images based on image descriptors instead of hard coded way of loading BL images. This framework is designed such that it can be readily adapted by any BL stage that needs to load images. In order to provide the above capability the following new platform functions are introduced: bl_load_info_t *plat_get_bl_image_load_info(void); This function returns pointer to the list of images that the platform has populated to load. bl_params_t *plat_get_next_bl_params(void); This function returns a pointer to the shared memory that the platform has kept aside to pass trusted firmware related information that next BL image needs. void plat_flush_next_bl_params(void); This function flushes to main memory all the params that are passed to next image. int bl2_plat_handle_post_image_load(unsigned int image_id) This function can be used by the platforms to update/use image information for given `image_id`. `desc_image_load.c` contains utility functions which can be used by the platforms to generate, load and executable, image list based on the registered image descriptors. This patch also adds new version of `load_image/load_auth_image` functions in-order to achieve the above capability. Following are the changes for the new version as compared to old: - Refactor the signature and only keep image_id and image_info_t arguments. Removed image_base argument as it is already passed through image_info_t. Given that the BL image base addresses and limit/size are already provided by the platforms, the meminfo_t and entry_point_info arguments are not needed to provide/reserve the extent of free memory for the given BL image. - Added check for the image size against the defined max size. This is needed because the image size could come from an unauthenticated source (e.g. the FIP header). To make this check, new member is added to the image_info_t struct for identifying the image maximum size. New flag `LOAD_IMAGE_V2` is added in the Makefile. Default value is 0. NOTE: `TRUSTED_BOARD_BOOT` is currently not supported when `LOAD_IMAGE_V2` is enabled. Change-Id: Ia7b643f4817a170d5a2fbf479b9bc12e63112e79
2016-09-12 16:08:41 +01:00
WARN("Failed to determine the size of the image id=%u (%i)\n",
image_id, io_result);
goto exit;
}
/* Check that the image size to load is within limit */
if (image_size > image_data->image_max_size) {
WARN("Image id=%u size out of bounds\n", image_id);
io_result = -EFBIG;
goto exit;
}
Remove some MISRA defects in common code No functional changes. Change-Id: I9638e02acb9b22eb794ebf45aad84348a710287e Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
2018-10-04 09:55:23 +01:00
/*
* image_data->image_max_size is a uint32_t so image_size will always
* fit in image_data->image_size.
*/
image_data->image_size = (uint32_t)image_size;
Add new version of image loading. This patch adds capability to load BL images based on image descriptors instead of hard coded way of loading BL images. This framework is designed such that it can be readily adapted by any BL stage that needs to load images. In order to provide the above capability the following new platform functions are introduced: bl_load_info_t *plat_get_bl_image_load_info(void); This function returns pointer to the list of images that the platform has populated to load. bl_params_t *plat_get_next_bl_params(void); This function returns a pointer to the shared memory that the platform has kept aside to pass trusted firmware related information that next BL image needs. void plat_flush_next_bl_params(void); This function flushes to main memory all the params that are passed to next image. int bl2_plat_handle_post_image_load(unsigned int image_id) This function can be used by the platforms to update/use image information for given `image_id`. `desc_image_load.c` contains utility functions which can be used by the platforms to generate, load and executable, image list based on the registered image descriptors. This patch also adds new version of `load_image/load_auth_image` functions in-order to achieve the above capability. Following are the changes for the new version as compared to old: - Refactor the signature and only keep image_id and image_info_t arguments. Removed image_base argument as it is already passed through image_info_t. Given that the BL image base addresses and limit/size are already provided by the platforms, the meminfo_t and entry_point_info arguments are not needed to provide/reserve the extent of free memory for the given BL image. - Added check for the image size against the defined max size. This is needed because the image size could come from an unauthenticated source (e.g. the FIP header). To make this check, new member is added to the image_info_t struct for identifying the image maximum size. New flag `LOAD_IMAGE_V2` is added in the Makefile. Default value is 0. NOTE: `TRUSTED_BOARD_BOOT` is currently not supported when `LOAD_IMAGE_V2` is enabled. Change-Id: Ia7b643f4817a170d5a2fbf479b9bc12e63112e79
2016-09-12 16:08:41 +01:00
/* We have enough space so load the image now */
/* TODO: Consider whether to try to recover/retry a partially successful read */
io_result = io_read(image_handle, image_base, image_size, &bytes_read);
if ((io_result != 0) || (bytes_read < image_size)) {
WARN("Failed to load image id=%u (%i)\n", image_id, io_result);
goto exit;
}
Remove some MISRA defects in common code No functional changes. Change-Id: I9638e02acb9b22eb794ebf45aad84348a710287e Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
2018-10-04 09:55:23 +01:00
INFO("Image id=%u loaded: 0x%lx - 0x%lx\n", image_id, image_base,
(uintptr_t)(image_base + image_size));
Add new version of image loading. This patch adds capability to load BL images based on image descriptors instead of hard coded way of loading BL images. This framework is designed such that it can be readily adapted by any BL stage that needs to load images. In order to provide the above capability the following new platform functions are introduced: bl_load_info_t *plat_get_bl_image_load_info(void); This function returns pointer to the list of images that the platform has populated to load. bl_params_t *plat_get_next_bl_params(void); This function returns a pointer to the shared memory that the platform has kept aside to pass trusted firmware related information that next BL image needs. void plat_flush_next_bl_params(void); This function flushes to main memory all the params that are passed to next image. int bl2_plat_handle_post_image_load(unsigned int image_id) This function can be used by the platforms to update/use image information for given `image_id`. `desc_image_load.c` contains utility functions which can be used by the platforms to generate, load and executable, image list based on the registered image descriptors. This patch also adds new version of `load_image/load_auth_image` functions in-order to achieve the above capability. Following are the changes for the new version as compared to old: - Refactor the signature and only keep image_id and image_info_t arguments. Removed image_base argument as it is already passed through image_info_t. Given that the BL image base addresses and limit/size are already provided by the platforms, the meminfo_t and entry_point_info arguments are not needed to provide/reserve the extent of free memory for the given BL image. - Added check for the image size against the defined max size. This is needed because the image size could come from an unauthenticated source (e.g. the FIP header). To make this check, new member is added to the image_info_t struct for identifying the image maximum size. New flag `LOAD_IMAGE_V2` is added in the Makefile. Default value is 0. NOTE: `TRUSTED_BOARD_BOOT` is currently not supported when `LOAD_IMAGE_V2` is enabled. Change-Id: Ia7b643f4817a170d5a2fbf479b9bc12e63112e79
2016-09-12 16:08:41 +01:00
exit:
Remove some MISRA defects in common code No functional changes. Change-Id: I9638e02acb9b22eb794ebf45aad84348a710287e Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
2018-10-04 09:55:23 +01:00
(void)io_close(image_handle);
Add new version of image loading. This patch adds capability to load BL images based on image descriptors instead of hard coded way of loading BL images. This framework is designed such that it can be readily adapted by any BL stage that needs to load images. In order to provide the above capability the following new platform functions are introduced: bl_load_info_t *plat_get_bl_image_load_info(void); This function returns pointer to the list of images that the platform has populated to load. bl_params_t *plat_get_next_bl_params(void); This function returns a pointer to the shared memory that the platform has kept aside to pass trusted firmware related information that next BL image needs. void plat_flush_next_bl_params(void); This function flushes to main memory all the params that are passed to next image. int bl2_plat_handle_post_image_load(unsigned int image_id) This function can be used by the platforms to update/use image information for given `image_id`. `desc_image_load.c` contains utility functions which can be used by the platforms to generate, load and executable, image list based on the registered image descriptors. This patch also adds new version of `load_image/load_auth_image` functions in-order to achieve the above capability. Following are the changes for the new version as compared to old: - Refactor the signature and only keep image_id and image_info_t arguments. Removed image_base argument as it is already passed through image_info_t. Given that the BL image base addresses and limit/size are already provided by the platforms, the meminfo_t and entry_point_info arguments are not needed to provide/reserve the extent of free memory for the given BL image. - Added check for the image size against the defined max size. This is needed because the image size could come from an unauthenticated source (e.g. the FIP header). To make this check, new member is added to the image_info_t struct for identifying the image maximum size. New flag `LOAD_IMAGE_V2` is added in the Makefile. Default value is 0. NOTE: `TRUSTED_BOARD_BOOT` is currently not supported when `LOAD_IMAGE_V2` is enabled. Change-Id: Ia7b643f4817a170d5a2fbf479b9bc12e63112e79
2016-09-12 16:08:41 +01:00
/* Ignore improbable/unrecoverable error in 'close' */
/* TODO: Consider maintaining open device connection from this bootloader stage */
Remove some MISRA defects in common code No functional changes. Change-Id: I9638e02acb9b22eb794ebf45aad84348a710287e Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
2018-10-04 09:55:23 +01:00
(void)io_dev_close(dev_handle);
Add new version of image loading. This patch adds capability to load BL images based on image descriptors instead of hard coded way of loading BL images. This framework is designed such that it can be readily adapted by any BL stage that needs to load images. In order to provide the above capability the following new platform functions are introduced: bl_load_info_t *plat_get_bl_image_load_info(void); This function returns pointer to the list of images that the platform has populated to load. bl_params_t *plat_get_next_bl_params(void); This function returns a pointer to the shared memory that the platform has kept aside to pass trusted firmware related information that next BL image needs. void plat_flush_next_bl_params(void); This function flushes to main memory all the params that are passed to next image. int bl2_plat_handle_post_image_load(unsigned int image_id) This function can be used by the platforms to update/use image information for given `image_id`. `desc_image_load.c` contains utility functions which can be used by the platforms to generate, load and executable, image list based on the registered image descriptors. This patch also adds new version of `load_image/load_auth_image` functions in-order to achieve the above capability. Following are the changes for the new version as compared to old: - Refactor the signature and only keep image_id and image_info_t arguments. Removed image_base argument as it is already passed through image_info_t. Given that the BL image base addresses and limit/size are already provided by the platforms, the meminfo_t and entry_point_info arguments are not needed to provide/reserve the extent of free memory for the given BL image. - Added check for the image size against the defined max size. This is needed because the image size could come from an unauthenticated source (e.g. the FIP header). To make this check, new member is added to the image_info_t struct for identifying the image maximum size. New flag `LOAD_IMAGE_V2` is added in the Makefile. Default value is 0. NOTE: `TRUSTED_BOARD_BOOT` is currently not supported when `LOAD_IMAGE_V2` is enabled. Change-Id: Ia7b643f4817a170d5a2fbf479b9bc12e63112e79
2016-09-12 16:08:41 +01:00
/* Ignore improbable/unrecoverable error in 'dev_close' */
return io_result;
}
Refactor load_auth_image_internal(). The pre-processor directives make it hard to read the non-TBB version of this function. Refactor the code to improve readability. No functional change introduced. In particular, introduce a new helper function load_image_flush(), that simply loads an image and flushes it out to main memory. This is the only thing load_auth_image_internal() needs to do when TBB is disabled or when authentication is dynamically disabled. In other cases, we need to recursively authenticate the parent images up to the root of trust. To make this clearer, this code gets moved to a TBB-specific helper function called load_auth_image_recursive(). As a result, load_auth_image_internal() now boils down to calling the right helper function (depending on TBB enablement and dynamic authentication status). Change-Id: I20a39a3b833810b97ecf4219358e7d2cac263890 Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
2019-10-14 12:47:21 +01:00
#if TRUSTED_BOARD_BOOT
/*
* This function uses recursion to authenticate the parent images up to the root
* of trust.
*/
static int load_auth_image_recursive(unsigned int image_id,
Optimize cache flush when authenticating images When loading and authenticating an image, all parent images must also be authenticated. The parent images are just certificates that don't need to be used by any other CPU except the one loading the image, and so there is no need to flush the cache of memory regions where they are loaded. Change-Id: Ice8d6979d1c02eabf1a543281ae1a07d098e4a99 Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
2016-11-22 10:58:30 +00:00
image_info_t *image_data,
int is_parent_image)
Add new version of image loading. This patch adds capability to load BL images based on image descriptors instead of hard coded way of loading BL images. This framework is designed such that it can be readily adapted by any BL stage that needs to load images. In order to provide the above capability the following new platform functions are introduced: bl_load_info_t *plat_get_bl_image_load_info(void); This function returns pointer to the list of images that the platform has populated to load. bl_params_t *plat_get_next_bl_params(void); This function returns a pointer to the shared memory that the platform has kept aside to pass trusted firmware related information that next BL image needs. void plat_flush_next_bl_params(void); This function flushes to main memory all the params that are passed to next image. int bl2_plat_handle_post_image_load(unsigned int image_id) This function can be used by the platforms to update/use image information for given `image_id`. `desc_image_load.c` contains utility functions which can be used by the platforms to generate, load and executable, image list based on the registered image descriptors. This patch also adds new version of `load_image/load_auth_image` functions in-order to achieve the above capability. Following are the changes for the new version as compared to old: - Refactor the signature and only keep image_id and image_info_t arguments. Removed image_base argument as it is already passed through image_info_t. Given that the BL image base addresses and limit/size are already provided by the platforms, the meminfo_t and entry_point_info arguments are not needed to provide/reserve the extent of free memory for the given BL image. - Added check for the image size against the defined max size. This is needed because the image size could come from an unauthenticated source (e.g. the FIP header). To make this check, new member is added to the image_info_t struct for identifying the image maximum size. New flag `LOAD_IMAGE_V2` is added in the Makefile. Default value is 0. NOTE: `TRUSTED_BOARD_BOOT` is currently not supported when `LOAD_IMAGE_V2` is enabled. Change-Id: Ia7b643f4817a170d5a2fbf479b9bc12e63112e79
2016-09-12 16:08:41 +01:00
{
int rc;
Refactor load_auth_image_internal(). The pre-processor directives make it hard to read the non-TBB version of this function. Refactor the code to improve readability. No functional change introduced. In particular, introduce a new helper function load_image_flush(), that simply loads an image and flushes it out to main memory. This is the only thing load_auth_image_internal() needs to do when TBB is disabled or when authentication is dynamically disabled. In other cases, we need to recursively authenticate the parent images up to the root of trust. To make this clearer, this code gets moved to a TBB-specific helper function called load_auth_image_recursive(). As a result, load_auth_image_internal() now boils down to calling the right helper function (depending on TBB enablement and dynamic authentication status). Change-Id: I20a39a3b833810b97ecf4219358e7d2cac263890 Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
2019-10-14 12:47:21 +01:00
unsigned int parent_id;
Add new version of image loading. This patch adds capability to load BL images based on image descriptors instead of hard coded way of loading BL images. This framework is designed such that it can be readily adapted by any BL stage that needs to load images. In order to provide the above capability the following new platform functions are introduced: bl_load_info_t *plat_get_bl_image_load_info(void); This function returns pointer to the list of images that the platform has populated to load. bl_params_t *plat_get_next_bl_params(void); This function returns a pointer to the shared memory that the platform has kept aside to pass trusted firmware related information that next BL image needs. void plat_flush_next_bl_params(void); This function flushes to main memory all the params that are passed to next image. int bl2_plat_handle_post_image_load(unsigned int image_id) This function can be used by the platforms to update/use image information for given `image_id`. `desc_image_load.c` contains utility functions which can be used by the platforms to generate, load and executable, image list based on the registered image descriptors. This patch also adds new version of `load_image/load_auth_image` functions in-order to achieve the above capability. Following are the changes for the new version as compared to old: - Refactor the signature and only keep image_id and image_info_t arguments. Removed image_base argument as it is already passed through image_info_t. Given that the BL image base addresses and limit/size are already provided by the platforms, the meminfo_t and entry_point_info arguments are not needed to provide/reserve the extent of free memory for the given BL image. - Added check for the image size against the defined max size. This is needed because the image size could come from an unauthenticated source (e.g. the FIP header). To make this check, new member is added to the image_info_t struct for identifying the image maximum size. New flag `LOAD_IMAGE_V2` is added in the Makefile. Default value is 0. NOTE: `TRUSTED_BOARD_BOOT` is currently not supported when `LOAD_IMAGE_V2` is enabled. Change-Id: Ia7b643f4817a170d5a2fbf479b9bc12e63112e79
2016-09-12 16:08:41 +01:00
Refactor load_auth_image_internal(). The pre-processor directives make it hard to read the non-TBB version of this function. Refactor the code to improve readability. No functional change introduced. In particular, introduce a new helper function load_image_flush(), that simply loads an image and flushes it out to main memory. This is the only thing load_auth_image_internal() needs to do when TBB is disabled or when authentication is dynamically disabled. In other cases, we need to recursively authenticate the parent images up to the root of trust. To make this clearer, this code gets moved to a TBB-specific helper function called load_auth_image_recursive(). As a result, load_auth_image_internal() now boils down to calling the right helper function (depending on TBB enablement and dynamic authentication status). Change-Id: I20a39a3b833810b97ecf4219358e7d2cac263890 Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
2019-10-14 12:47:21 +01:00
/* Use recursion to authenticate parent images */
rc = auth_mod_get_parent_id(image_id, &parent_id);
if (rc == 0) {
rc = load_auth_image_recursive(parent_id, image_data, 1);
if (rc != 0) {
return rc;
Add new version of image loading. This patch adds capability to load BL images based on image descriptors instead of hard coded way of loading BL images. This framework is designed such that it can be readily adapted by any BL stage that needs to load images. In order to provide the above capability the following new platform functions are introduced: bl_load_info_t *plat_get_bl_image_load_info(void); This function returns pointer to the list of images that the platform has populated to load. bl_params_t *plat_get_next_bl_params(void); This function returns a pointer to the shared memory that the platform has kept aside to pass trusted firmware related information that next BL image needs. void plat_flush_next_bl_params(void); This function flushes to main memory all the params that are passed to next image. int bl2_plat_handle_post_image_load(unsigned int image_id) This function can be used by the platforms to update/use image information for given `image_id`. `desc_image_load.c` contains utility functions which can be used by the platforms to generate, load and executable, image list based on the registered image descriptors. This patch also adds new version of `load_image/load_auth_image` functions in-order to achieve the above capability. Following are the changes for the new version as compared to old: - Refactor the signature and only keep image_id and image_info_t arguments. Removed image_base argument as it is already passed through image_info_t. Given that the BL image base addresses and limit/size are already provided by the platforms, the meminfo_t and entry_point_info arguments are not needed to provide/reserve the extent of free memory for the given BL image. - Added check for the image size against the defined max size. This is needed because the image size could come from an unauthenticated source (e.g. the FIP header). To make this check, new member is added to the image_info_t struct for identifying the image maximum size. New flag `LOAD_IMAGE_V2` is added in the Makefile. Default value is 0. NOTE: `TRUSTED_BOARD_BOOT` is currently not supported when `LOAD_IMAGE_V2` is enabled. Change-Id: Ia7b643f4817a170d5a2fbf479b9bc12e63112e79
2016-09-12 16:08:41 +01:00
}
}
/* Load the image */
rc = load_image(image_id, image_data);
if (rc != 0) {
return rc;
}
Refactor load_auth_image_internal(). The pre-processor directives make it hard to read the non-TBB version of this function. Refactor the code to improve readability. No functional change introduced. In particular, introduce a new helper function load_image_flush(), that simply loads an image and flushes it out to main memory. This is the only thing load_auth_image_internal() needs to do when TBB is disabled or when authentication is dynamically disabled. In other cases, we need to recursively authenticate the parent images up to the root of trust. To make this clearer, this code gets moved to a TBB-specific helper function called load_auth_image_recursive(). As a result, load_auth_image_internal() now boils down to calling the right helper function (depending on TBB enablement and dynamic authentication status). Change-Id: I20a39a3b833810b97ecf4219358e7d2cac263890 Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
2019-10-14 12:47:21 +01:00
/* Authenticate it */
rc = auth_mod_verify_img(image_id,
(void *)image_data->image_base,
image_data->image_size);
if (rc != 0) {
/* Authentication error, zero memory and flush it right away. */
zero_normalmem((void *)image_data->image_base,
Allow disabling authentication dynamically This patch allows platforms to dynamically disable authentication of images during cold boot. This capability is controlled via the DYN_DISABLE_AUTH build flag and is only meant for development purposes. Change-Id: Ia3df8f898824319bb76d5cc855b5ad6c3d227260 Signed-off-by: Soby Mathew <soby.mathew@arm.com>
2018-03-26 12:43:37 +01:00
image_data->image_size);
Refactor load_auth_image_internal(). The pre-processor directives make it hard to read the non-TBB version of this function. Refactor the code to improve readability. No functional change introduced. In particular, introduce a new helper function load_image_flush(), that simply loads an image and flushes it out to main memory. This is the only thing load_auth_image_internal() needs to do when TBB is disabled or when authentication is dynamically disabled. In other cases, we need to recursively authenticate the parent images up to the root of trust. To make this clearer, this code gets moved to a TBB-specific helper function called load_auth_image_recursive(). As a result, load_auth_image_internal() now boils down to calling the right helper function (depending on TBB enablement and dynamic authentication status). Change-Id: I20a39a3b833810b97ecf4219358e7d2cac263890 Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
2019-10-14 12:47:21 +01:00
flush_dcache_range(image_data->image_base,
image_data->image_size);
return -EAUTH;
Add new version of image loading. This patch adds capability to load BL images based on image descriptors instead of hard coded way of loading BL images. This framework is designed such that it can be readily adapted by any BL stage that needs to load images. In order to provide the above capability the following new platform functions are introduced: bl_load_info_t *plat_get_bl_image_load_info(void); This function returns pointer to the list of images that the platform has populated to load. bl_params_t *plat_get_next_bl_params(void); This function returns a pointer to the shared memory that the platform has kept aside to pass trusted firmware related information that next BL image needs. void plat_flush_next_bl_params(void); This function flushes to main memory all the params that are passed to next image. int bl2_plat_handle_post_image_load(unsigned int image_id) This function can be used by the platforms to update/use image information for given `image_id`. `desc_image_load.c` contains utility functions which can be used by the platforms to generate, load and executable, image list based on the registered image descriptors. This patch also adds new version of `load_image/load_auth_image` functions in-order to achieve the above capability. Following are the changes for the new version as compared to old: - Refactor the signature and only keep image_id and image_info_t arguments. Removed image_base argument as it is already passed through image_info_t. Given that the BL image base addresses and limit/size are already provided by the platforms, the meminfo_t and entry_point_info arguments are not needed to provide/reserve the extent of free memory for the given BL image. - Added check for the image size against the defined max size. This is needed because the image size could come from an unauthenticated source (e.g. the FIP header). To make this check, new member is added to the image_info_t struct for identifying the image maximum size. New flag `LOAD_IMAGE_V2` is added in the Makefile. Default value is 0. NOTE: `TRUSTED_BOARD_BOOT` is currently not supported when `LOAD_IMAGE_V2` is enabled. Change-Id: Ia7b643f4817a170d5a2fbf479b9bc12e63112e79
2016-09-12 16:08:41 +01:00
}
return 0;
}
Refactor load_auth_image_internal(). The pre-processor directives make it hard to read the non-TBB version of this function. Refactor the code to improve readability. No functional change introduced. In particular, introduce a new helper function load_image_flush(), that simply loads an image and flushes it out to main memory. This is the only thing load_auth_image_internal() needs to do when TBB is disabled or when authentication is dynamically disabled. In other cases, we need to recursively authenticate the parent images up to the root of trust. To make this clearer, this code gets moved to a TBB-specific helper function called load_auth_image_recursive(). As a result, load_auth_image_internal() now boils down to calling the right helper function (depending on TBB enablement and dynamic authentication status). Change-Id: I20a39a3b833810b97ecf4219358e7d2cac263890 Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
2019-10-14 12:47:21 +01:00
#endif /* TRUSTED_BOARD_BOOT */
static int load_auth_image_internal(unsigned int image_id,
image_info_t *image_data)
{
#if TRUSTED_BOARD_BOOT
if (dyn_is_auth_disabled() == 0) {
return load_auth_image_recursive(image_id, image_data, 0);
}
#endif
refactor(measured-boot): avoid Measured-Boot dependency on Trusted-Boot Measured-Boot and Trusted-Boot are orthogonal to each other and hence removed dependency of Trusted-Boot on Measured-Boot by making below changes - 1. BL1 and BL2 main functions are used for initializing Crypto module instead of the authentication module 2. Updated Crypto module registration macro for MEASURED_BOOT with only necessary callbacks for calculating image hashes 3. The 'load_auth_image' function is now used for the image measurement during Trusted or Non-Trusted Boot flow Change-Id: I3570e80bae8ce8f5b58d84bd955aa43e925d9fff Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
2021-12-16 10:41:47 +00:00
return load_image(image_id, image_data);
Refactor load_auth_image_internal(). The pre-processor directives make it hard to read the non-TBB version of this function. Refactor the code to improve readability. No functional change introduced. In particular, introduce a new helper function load_image_flush(), that simply loads an image and flushes it out to main memory. This is the only thing load_auth_image_internal() needs to do when TBB is disabled or when authentication is dynamically disabled. In other cases, we need to recursively authenticate the parent images up to the root of trust. To make this clearer, this code gets moved to a TBB-specific helper function called load_auth_image_recursive(). As a result, load_auth_image_internal() now boils down to calling the right helper function (depending on TBB enablement and dynamic authentication status). Change-Id: I20a39a3b833810b97ecf4219358e7d2cac263890 Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
2019-10-14 12:47:21 +01:00
}
Add new version of image loading. This patch adds capability to load BL images based on image descriptors instead of hard coded way of loading BL images. This framework is designed such that it can be readily adapted by any BL stage that needs to load images. In order to provide the above capability the following new platform functions are introduced: bl_load_info_t *plat_get_bl_image_load_info(void); This function returns pointer to the list of images that the platform has populated to load. bl_params_t *plat_get_next_bl_params(void); This function returns a pointer to the shared memory that the platform has kept aside to pass trusted firmware related information that next BL image needs. void plat_flush_next_bl_params(void); This function flushes to main memory all the params that are passed to next image. int bl2_plat_handle_post_image_load(unsigned int image_id) This function can be used by the platforms to update/use image information for given `image_id`. `desc_image_load.c` contains utility functions which can be used by the platforms to generate, load and executable, image list based on the registered image descriptors. This patch also adds new version of `load_image/load_auth_image` functions in-order to achieve the above capability. Following are the changes for the new version as compared to old: - Refactor the signature and only keep image_id and image_info_t arguments. Removed image_base argument as it is already passed through image_info_t. Given that the BL image base addresses and limit/size are already provided by the platforms, the meminfo_t and entry_point_info arguments are not needed to provide/reserve the extent of free memory for the given BL image. - Added check for the image size against the defined max size. This is needed because the image size could come from an unauthenticated source (e.g. the FIP header). To make this check, new member is added to the image_info_t struct for identifying the image maximum size. New flag `LOAD_IMAGE_V2` is added in the Makefile. Default value is 0. NOTE: `TRUSTED_BOARD_BOOT` is currently not supported when `LOAD_IMAGE_V2` is enabled. Change-Id: Ia7b643f4817a170d5a2fbf479b9bc12e63112e79
2016-09-12 16:08:41 +01:00
Optimize cache flush when authenticating images When loading and authenticating an image, all parent images must also be authenticated. The parent images are just certificates that don't need to be used by any other CPU except the one loading the image, and so there is no need to flush the cache of memory regions where they are loaded. Change-Id: Ice8d6979d1c02eabf1a543281ae1a07d098e4a99 Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
2016-11-22 10:58:30 +00:00
/*******************************************************************************
* Generic function to load and authenticate an image. The image is actually
* loaded by calling the 'load_image()' function. Therefore, it returns the
* same error codes if the loading operation failed, or -EAUTH if the
* authentication failed. In addition, this function uses recursion to
Refactor load_auth_image_internal(). The pre-processor directives make it hard to read the non-TBB version of this function. Refactor the code to improve readability. No functional change introduced. In particular, introduce a new helper function load_image_flush(), that simply loads an image and flushes it out to main memory. This is the only thing load_auth_image_internal() needs to do when TBB is disabled or when authentication is dynamically disabled. In other cases, we need to recursively authenticate the parent images up to the root of trust. To make this clearer, this code gets moved to a TBB-specific helper function called load_auth_image_recursive(). As a result, load_auth_image_internal() now boils down to calling the right helper function (depending on TBB enablement and dynamic authentication status). Change-Id: I20a39a3b833810b97ecf4219358e7d2cac263890 Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
2019-10-14 12:47:21 +01:00
* authenticate the parent images up to the root of trust (if TBB is enabled).
Optimize cache flush when authenticating images When loading and authenticating an image, all parent images must also be authenticated. The parent images are just certificates that don't need to be used by any other CPU except the one loading the image, and so there is no need to flush the cache of memory regions where they are loaded. Change-Id: Ice8d6979d1c02eabf1a543281ae1a07d098e4a99 Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
2016-11-22 10:58:30 +00:00
******************************************************************************/
int load_auth_image(unsigned int image_id, image_info_t *image_data)
{
Add platform hooks for boot redundancy support These hooks are intended to allow one platform to try load images from alternative places. There is a hook to initialize the sequence of boot locations and a hook to pass to the next sequence. Change-Id: Ia0f84c415208dc4fa4f9d060d58476db23efa5b2 Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
2017-09-26 12:53:01 +01:00
int err;
feat(fwu): avoid booting with an alternate boot source All firmware banks should be part of the same non-volatile storage as per PSA FWU specification, hence avoid checking for any alternate boot source when PSA FWU is enabled. Change-Id: I5b016e59e87f1cbfc73f4cd29fce6017c24f88b3 Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
2021-07-01 21:32:31 +01:00
/*
* All firmware banks should be part of the same non-volatile storage as per
* PSA FWU specification, hence don't check for any alternate boot source
* when PSA FWU is enabled.
*/
#if PSA_FWU_SUPPORT
err = load_auth_image_internal(image_id, image_data);
#else
Add platform hooks for boot redundancy support These hooks are intended to allow one platform to try load images from alternative places. There is a hook to initialize the sequence of boot locations and a hook to pass to the next sequence. Change-Id: Ia0f84c415208dc4fa4f9d060d58476db23efa5b2 Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
2017-09-26 12:53:01 +01:00
do {
Refactor load_auth_image_internal(). The pre-processor directives make it hard to read the non-TBB version of this function. Refactor the code to improve readability. No functional change introduced. In particular, introduce a new helper function load_image_flush(), that simply loads an image and flushes it out to main memory. This is the only thing load_auth_image_internal() needs to do when TBB is disabled or when authentication is dynamically disabled. In other cases, we need to recursively authenticate the parent images up to the root of trust. To make this clearer, this code gets moved to a TBB-specific helper function called load_auth_image_recursive(). As a result, load_auth_image_internal() now boils down to calling the right helper function (depending on TBB enablement and dynamic authentication status). Change-Id: I20a39a3b833810b97ecf4219358e7d2cac263890 Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
2019-10-14 12:47:21 +01:00
err = load_auth_image_internal(image_id, image_data);
Remove some MISRA defects in common code No functional changes. Change-Id: I9638e02acb9b22eb794ebf45aad84348a710287e Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
2018-10-04 09:55:23 +01:00
} while ((err != 0) && (plat_try_next_boot_source() != 0));
feat(fwu): avoid booting with an alternate boot source All firmware banks should be part of the same non-volatile storage as per PSA FWU specification, hence avoid checking for any alternate boot source when PSA FWU is enabled. Change-Id: I5b016e59e87f1cbfc73f4cd29fce6017c24f88b3 Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
2021-07-01 21:32:31 +01:00
#endif /* PSA_FWU_SUPPORT */
Add platform hooks for boot redundancy support These hooks are intended to allow one platform to try load images from alternative places. There is a hook to initialize the sequence of boot locations and a hook to pass to the next sequence. Change-Id: Ia0f84c415208dc4fa4f9d060d58476db23efa5b2 Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
2017-09-26 12:53:01 +01:00
refactor(measured-boot): avoid Measured-Boot dependency on Trusted-Boot Measured-Boot and Trusted-Boot are orthogonal to each other and hence removed dependency of Trusted-Boot on Measured-Boot by making below changes - 1. BL1 and BL2 main functions are used for initializing Crypto module instead of the authentication module 2. Updated Crypto module registration macro for MEASURED_BOOT with only necessary callbacks for calculating image hashes 3. The 'load_auth_image' function is now used for the image measurement during Trusted or Non-Trusted Boot flow Change-Id: I3570e80bae8ce8f5b58d84bd955aa43e925d9fff Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
2021-12-16 10:41:47 +00:00
if (err == 0) {
/*
* If loading of the image gets passed (along with its
* authentication in case of Trusted-Boot flow) then measure
* it (if MEASURED_BOOT flag is enabled).
*/
err = plat_mboot_measure_image(image_id, image_data);
if (err != 0) {
return err;
}
/*
* Flush the image to main memory so that it can be executed
* later by any CPU, regardless of cache and MMU state.
*/
flush_dcache_range(image_data->image_base,
image_data->image_size);
}
Add platform hooks for boot redundancy support These hooks are intended to allow one platform to try load images from alternative places. There is a hook to initialize the sequence of boot locations and a hook to pass to the next sequence. Change-Id: Ia0f84c415208dc4fa4f9d060d58476db23efa5b2 Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
2017-09-26 12:53:01 +01:00
return err;
Optimize cache flush when authenticating images When loading and authenticating an image, all parent images must also be authenticated. The parent images are just certificates that don't need to be used by any other CPU except the one loading the image, and so there is no need to flush the cache of memory regions where they are loaded. Change-Id: Ice8d6979d1c02eabf1a543281ae1a07d098e4a99 Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
2016-11-22 10:58:30 +00:00
}
Introduce print_entry_point_info() function This patch introduces a new function called 'print_entry_point_info' that prints an entry_point_t structure for debugging purposes. As such, it can be used to display the entry point address, SPSR and arguments passed from a firmware image to the next one. This function is now called in the following images transitions: - BL1 to BL2 - BL1 to BL31 - BL31 to the next image (typically BL32 or BL33) The following changes have been introduced: - Fix the output format of the SPSR value : SPSR is a 32-bit value, not a 64-bit one. - Print all arguments values. The entry_point_info_t structure allows to pass up to 8 arguments. In most cases, only the first 2 arguments were printed. print_entry_point_info() now prints all of them as 'VERBOSE' traces. Change-Id: Ieb384bffaa7849e6cb95a01a47c0b7fc2308653a
2015-09-28 17:03:06 +01:00
/*******************************************************************************
* Print the content of an entry_point_info_t structure.
******************************************************************************/
void print_entry_point_info(const entry_point_info_t *ep_info)
{
Remove some MISRA defects in common code No functional changes. Change-Id: I9638e02acb9b22eb794ebf45aad84348a710287e Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
2018-10-04 09:55:23 +01:00
INFO("Entry point address = 0x%lx\n", ep_info->pc);
Rework type usage in Trusted Firmware This patch reworks type usage in generic code, drivers and ARM platform files to make it more portable. The major changes done with respect to type usage are as listed below: * Use uintptr_t for storing address instead of uint64_t or unsigned long. * Review usage of unsigned long as it can no longer be assumed to be 64 bit. * Use u_register_t for register values whose width varies depending on whether AArch64 or AArch32. * Use generic C types where-ever possible. In addition to the above changes, this patch also modifies format specifiers in print invocations so that they are AArch64/AArch32 agnostic. Only files related to upcoming feature development have been reworked. Change-Id: I9f8c78347c5a52ba7027ff389791f1dad63ee5f8
2016-06-16 14:52:04 +01:00
INFO("SPSR = 0x%x\n", ep_info->spsr);
Introduce print_entry_point_info() function This patch introduces a new function called 'print_entry_point_info' that prints an entry_point_t structure for debugging purposes. As such, it can be used to display the entry point address, SPSR and arguments passed from a firmware image to the next one. This function is now called in the following images transitions: - BL1 to BL2 - BL1 to BL31 - BL31 to the next image (typically BL32 or BL33) The following changes have been introduced: - Fix the output format of the SPSR value : SPSR is a 32-bit value, not a 64-bit one. - Print all arguments values. The entry_point_info_t structure allows to pass up to 8 arguments. In most cases, only the first 2 arguments were printed. print_entry_point_info() now prints all of them as 'VERBOSE' traces. Change-Id: Ieb384bffaa7849e6cb95a01a47c0b7fc2308653a
2015-09-28 17:03:06 +01:00
#define PRINT_IMAGE_ARG(n) \
VERBOSE("Argument #" #n " = 0x%llx\n", \
(unsigned long long) ep_info->args.arg##n)
PRINT_IMAGE_ARG(0);
PRINT_IMAGE_ARG(1);
PRINT_IMAGE_ARG(2);
PRINT_IMAGE_ARG(3);
Switch AARCH32/AARCH64 to __aarch64__ NOTE: AARCH32/AARCH64 macros are now deprecated in favor of __aarch64__. All common C compilers pre-define the same macros to signal which architecture the code is being compiled for: __arm__ for AArch32 (or earlier versions) and __aarch64__ for AArch64. There's no need for TF-A to define its own custom macros for this. In order to unify code with the export headers (which use __aarch64__ to avoid another dependency), let's deprecate the AARCH32 and AARCH64 macros and switch the code base over to the pre-defined standard macro. (Since it is somewhat unintuitive that __arm__ only means AArch32, let's standardize on only using __aarch64__.) Change-Id: Ic77de4b052297d77f38fc95f95f65a8ee70cf200 Signed-off-by: Julius Werner <jwerner@chromium.org>
2019-07-09 22:02:43 +01:00
#ifdef __aarch64__
Introduce print_entry_point_info() function This patch introduces a new function called 'print_entry_point_info' that prints an entry_point_t structure for debugging purposes. As such, it can be used to display the entry point address, SPSR and arguments passed from a firmware image to the next one. This function is now called in the following images transitions: - BL1 to BL2 - BL1 to BL31 - BL31 to the next image (typically BL32 or BL33) The following changes have been introduced: - Fix the output format of the SPSR value : SPSR is a 32-bit value, not a 64-bit one. - Print all arguments values. The entry_point_info_t structure allows to pass up to 8 arguments. In most cases, only the first 2 arguments were printed. print_entry_point_info() now prints all of them as 'VERBOSE' traces. Change-Id: Ieb384bffaa7849e6cb95a01a47c0b7fc2308653a
2015-09-28 17:03:06 +01:00
PRINT_IMAGE_ARG(4);
PRINT_IMAGE_ARG(5);
PRINT_IMAGE_ARG(6);
PRINT_IMAGE_ARG(7);
AArch32: resolve build error when LOG_LEVEL=50 This patch resolves a build error in Trusted Firmware when `ARCH=aarch32` and LOG_LEVEL >= 50. Change-Id: I62a23ded4a25304533cdcc5ff11442aee041709b
2016-08-30 13:07:31 +01:00
#endif
Introduce print_entry_point_info() function This patch introduces a new function called 'print_entry_point_info' that prints an entry_point_t structure for debugging purposes. As such, it can be used to display the entry point address, SPSR and arguments passed from a firmware image to the next one. This function is now called in the following images transitions: - BL1 to BL2 - BL1 to BL31 - BL31 to the next image (typically BL32 or BL33) The following changes have been introduced: - Fix the output format of the SPSR value : SPSR is a 32-bit value, not a 64-bit one. - Print all arguments values. The entry_point_info_t structure allows to pass up to 8 arguments. In most cases, only the first 2 arguments were printed. print_entry_point_info() now prints all of them as 'VERBOSE' traces. Change-Id: Ieb384bffaa7849e6cb95a01a47c0b7fc2308653a
2015-09-28 17:03:06 +01:00
#undef PRINT_IMAGE_ARG
}