andrius
/
arm-trusted-firmware
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
arm-trusted-firmware/plat/arm/board/fvp/fvp_bl2_setup.c

106 lines
3.1 KiB
C
Raw Normal View History

ARMv8 Trusted Firmware release v0.2
2013-10-25 09:08:21 +01:00
/*
feat(fvp): update HW_CONFIG DT loading mechanism Currently, HW-config is loaded into non-secure memory, which mean a malicious NS-agent could tamper with it. Ideally, this shouldn't be an issue since no software runs in non-secure world at this time (non-secure world has not been started yet). It does not provide a guarantee though since malicious external NS-agents can take control of this memory region for update/corruption after BL2 loads it and before BL31/BL32/SP_MIN consumes it. The threat is mapped to Threat ID#3 (Bypass authentication scenario) in threat model [1]. Hence modified the code as below - 1. BL2 loads the HW_CONFIG into secure memory 2. BL2 makes a copy of the HW_CONFIG in the non-secure memory at an address provided by the newly added property(ns-load-address) in the 'hw-config' node of the FW_CONFIG 3. SP_MIN receives the FW_CONFIG address from BL2 via arg1 so that it can retrieve details (address and size) of HW_CONFIG from FW_CONFIG 4. A secure and non-secure HW_CONFIG address will eventually be used by BL31/SP_MIN/BL32 and BL33 components respectively 5. BL31/SP_MIN dynamically maps the Secure HW_CONFIG region and reads information from it to local variables (structures) and then unmaps it 6. Reduce HW_CONFIG maximum size from 16MB to 1MB; it appears sufficient, and it will also create a free space for any future components to be added to memory [1]: https://trustedfirmware-a.readthedocs.io/en/latest/threat_model/threat_model.html Change-Id: I1d431f3e640ded60616604b1c33aa638b9a1e55e Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
2022-03-15 16:05:58 +00:00
* Copyright (c) 2013-2022, Arm Limited and Contributors. All rights reserved.
ARMv8 Trusted Firmware release v0.2
2013-10-25 09:08:21 +01:00
*
Use SPDX license identifiers To make software license auditing simpler, use SPDX[0] license identifiers instead of duplicating the license text in every file. NOTE: Files that have been imported by FreeBSD have not been modified. [0]: https://spdx.org/ Change-Id: I80a00e1f641b8cc075ca5a95b10607ed9ed8761a Signed-off-by: dp-arm <dimitris.papastamos@arm.com>
2017-05-03 09:38:09 +01:00
* SPDX-License-Identifier: BSD-3-Clause
ARMv8 Trusted Firmware release v0.2
2013-10-25 09:08:21 +01:00
*/
plat/arm: Use only fw_config between bl2 and bl31 Passed the address of fw_config instead of soc_fw_config as arg1 to BL31 from BL2 for ARM fvp platform. BL31 then retrieve load-address of other device trees from fw_config device tree. Signed-off-by: Louis Mayencourt <louis.mayencourt@arm.com> Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com> Change-Id: Ib7e9581cd765d76111dcc3b7e0dafc12503c83c1
2020-05-30 17:40:44 +01:00
#include <assert.h>
plat/arm/board/fvp: Add support for Measured Boot This patch adds support for Measured Boot functionality to FVP platform code. It also defines new properties in 'tpm_event_log' node to store Event Log address and it size 'tpm_event_log_sm_addr' 'tpm_event_log_addr' 'tpm_event_log_size' in 'event_log.dtsi' included in 'fvp_tsp_fw_config.dts' and 'fvp_nt_fw_config.dts'. The node and its properties are described in binding document 'docs\components\measured_boot\event_log.rst'. Change-Id: I087e1423afcb269d6cfe79c1af9c348931991292 Signed-off-by: Alexei Fedorov <Alexei.Fedorov@arm.com>
2020-07-13 14:59:02 +01:00
#include <common/debug.h>
plat/arm: Use only fw_config between bl2 and bl31 Passed the address of fw_config instead of soc_fw_config as arg1 to BL31 from BL2 for ARM fvp platform. BL31 then retrieve load-address of other device trees from fw_config device tree. Signed-off-by: Louis Mayencourt <louis.mayencourt@arm.com> Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com> Change-Id: Ib7e9581cd765d76111dcc3b7e0dafc12503c83c1
2020-05-30 17:40:44 +01:00
#include <common/desc_image_load.h>
Sanitise includes across codebase Enforce full include path for includes. Deprecate old paths. The following folders inside include/lib have been left unchanged: - include/lib/cpus/${ARCH} - include/lib/el3_runtime/${ARCH} The reason for this change is that having a global namespace for includes isn't a good idea. It defeats one of the advantages of having folders and it introduces problems that are sometimes subtle (because you may not know the header you are actually including if there are two of them). For example, this patch had to be created because two headers were called the same way: e0ea0928d5b7 ("Fix gpio includes of mt8173 platform to avoid collision."). More recently, this patch has had similar problems: 46f9b2c3a282 ("drivers: add tzc380 support"). This problem was introduced in commit 4ecca33988b9 ("Move include and source files to logical locations"). At that time, there weren't too many headers so it wasn't a real issue. However, time has shown that this creates problems. Platforms that want to preserve the way they include headers may add the removed paths to PLAT_INCLUDES, but this is discouraged. Change-Id: I39dc53ed98f9e297a5966e723d1936d6ccf2fc8f Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
2018-12-14 00:18:21 +00:00
#include <drivers/arm/sp804_delay_timer.h>
plat/arm: Use only fw_config between bl2 and bl31 Passed the address of fw_config instead of soc_fw_config as arg1 to BL31 from BL2 for ARM fvp platform. BL31 then retrieve load-address of other device trees from fw_config device tree. Signed-off-by: Louis Mayencourt <louis.mayencourt@arm.com> Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com> Change-Id: Ib7e9581cd765d76111dcc3b7e0dafc12503c83c1
2020-05-30 17:40:44 +01:00
#include <lib/fconf/fconf.h>
#include <lib/fconf/fconf_dyn_cfg_getter.h>
plat/arm: Sanitise includes Use full include paths like it is done for common includes. This cleanup was started in commit d40e0e08283a ("Sanitise includes across codebase"), but it only cleaned common files and drivers. This patch does the same to Arm platforms. Change-Id: If982e6450bbe84dceb56d464e282bcf5d6d9ab9b Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
2019-01-25 14:30:04 +00:00
#include <plat/arm/common/plat_arm.h>
Sanitise includes across codebase Enforce full include path for includes. Deprecate old paths. The following folders inside include/lib have been left unchanged: - include/lib/cpus/${ARCH} - include/lib/el3_runtime/${ARCH} The reason for this change is that having a global namespace for includes isn't a good idea. It defeats one of the advantages of having folders and it introduces problems that are sometimes subtle (because you may not know the header you are actually including if there are two of them). For example, this patch had to be created because two headers were called the same way: e0ea0928d5b7 ("Fix gpio includes of mt8173 platform to avoid collision."). More recently, this patch has had similar problems: 46f9b2c3a282 ("drivers: add tzc380 support"). This problem was introduced in commit 4ecca33988b9 ("Move include and source files to logical locations"). At that time, there weren't too many headers so it wasn't a real issue. However, time has shown that this creates problems. Platforms that want to preserve the way they include headers may add the removed paths to PLAT_INCLUDES, but this is discouraged. Change-Id: I39dc53ed98f9e297a5966e723d1936d6ccf2fc8f Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
2018-12-14 00:18:21 +00:00
#include <plat/common/platform.h>
plat/arm: Fix header dependencies From now on, platform_def.h must include any header with definitions that are platform-specific (like arm_def.h) and the included headers mustn't include back platform_def.h, and shouldn't be used by other files. Only platform_def.h should be included in other files. This will ensure that all needed definitions are present, rather than needing to include all the headers in all the definitions' headers just in case. This also prevents problems like cyclic dependencies. Change-Id: I9d3cf4d1de4b956fa035c79545222697acdaf5ca Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
2019-01-15 14:19:50 +00:00
#include <platform_def.h>
Sanitise includes across codebase Enforce full include path for includes. Deprecate old paths. The following folders inside include/lib have been left unchanged: - include/lib/cpus/${ARCH} - include/lib/el3_runtime/${ARCH} The reason for this change is that having a global namespace for includes isn't a good idea. It defeats one of the advantages of having folders and it introduces problems that are sometimes subtle (because you may not know the header you are actually including if there are two of them). For example, this patch had to be created because two headers were called the same way: e0ea0928d5b7 ("Fix gpio includes of mt8173 platform to avoid collision."). More recently, this patch has had similar problems: 46f9b2c3a282 ("drivers: add tzc380 support"). This problem was introduced in commit 4ecca33988b9 ("Move include and source files to logical locations"). At that time, there weren't too many headers so it wasn't a real issue. However, time has shown that this creates problems. Platforms that want to preserve the way they include headers may add the removed paths to PLAT_INCLUDES, but this is discouraged. Change-Id: I39dc53ed98f9e297a5966e723d1936d6ccf2fc8f Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
2018-12-14 00:18:21 +00:00
Split platform.h into separate headers Previously, platform.h contained many declarations and definitions used for different purposes. This file has been split so that: * Platform definitions used by common code that must be defined by the platform are now in platform_def.h. The exact include path is exported through $PLAT_INCLUDES in the platform makefile. * Platform definitions specific to the FVP platform are now in /plat/fvp/fvp_def.h. * Platform API declarations specific to the FVP platform are now in /plat/fvp/fvp_private.h. * The remaining platform API declarations that must be ported by each platform are still in platform.h but this file has been moved to /include/plat/common since this can be shared by all platforms. Change-Id: Ieb3bb22fbab3ee8027413c6b39a783534aee474a
2014-05-14 17:44:19 +01:00
#include "fvp_private.h"
ARMv8 Trusted Firmware release v0.2
2013-10-25 09:08:21 +01:00
ARM Platforms: Migrate to new BL handover interface This patch migrates the ARM Standard platforms to the new BL handover interface. The arm_blx_early_platform_setup() functions are also modified to take in 4 arguments. The `ARM_BL31_PLAT_PARAM_VAL` value passed to BL31 from BL2 is now in arg3 in preparation of dynamic configuration arguments. Change-Id: I33e8e61325a19e7a7127b1ff203c3b86921bf153 Signed-off-by: Soby Mathew <soby.mathew@arm.com>
2018-01-10 15:59:31 +00:00
void bl2_early_platform_setup2(u_register_t arg0, u_register_t arg1, u_register_t arg2, u_register_t arg3)
ARMv8 Trusted Firmware release v0.2
2013-10-25 09:08:21 +01:00
{
ARM Platforms: Load HW_CONFIG in BL2 The patch adds the necessary changes to load HW_CONFIG in BL2 for ARM Platforms : 1. The load address of HW_CONFIG is specified via the `hw_config_addr` property in TB_FW_CONFIG is loaded by BL1. The `hw_config_max_size` property defines the maximum size to be expected for the HW_CONFIG. The `arm_dyn_cfg_helpers.c` and corresponding header implements utility functions to parse these DT properties defined. The `arm_dyn_cfg.c` implements wrappers to these helpers to enable them to be invoked from ARM platform layer. 2. `HW_CONFIG` is added to the `bl2_mem_params_descs[]` array which is the list of images to be loaded by BL2. 3. The `libfdt` sources are now included when BL2 is built 4. A new helper `populate_next_bl_params_config()` is introduced in desc_image_load.c to populate the subsequent executable BL images with the `hw_config` and the corresponding `fw_config` if available. The `plat_get_next_bl_params()` API for ARM platforms is modified to invoke this new helper. 5. The implementation of `bl2_early_platform_setup2()` is modified to consider `arg0` as well in addition to `arg1` passed from BL1. 6. Bump up the BL2 size for Juno to accommodate the inclusion of libfdt. Change-Id: I80f1554adec41753e0d179a5237364f04fe13a3f Signed-off-by: Soby Mathew <soby.mathew@arm.com>
2018-01-15 14:45:33 +00:00
arm_bl2_early_platform_setup((uintptr_t)arg0, (meminfo_t *)arg1);
ARMv8 Trusted Firmware release v0.2
2013-10-25 09:08:21 +01:00
/* Initialize the platform config for future decision making */
Rename FVP specific files and functions FVP specific files and functions containing the word "plat" have been renamed to use the word "fvp" to distinguish them from the common platform functionality and porting functions. Change-Id: I39f9673dab3ee9c74bd18b3e62b7c21027232f7d
2014-05-15 14:53:30 +01:00
fvp_config_setup();
Rework memory information passing to BL3-x images The issues addressed in this patch are: 1. Remove meminfo_t from the common interfaces in BL3-x, expecting that platform code will find a suitable mechanism to determine the memory extents in these images and provide it to the BL3-x images. 2. Remove meminfo_t and bl31_plat_params_t from all FVP BL3-x code as the images use link-time information to determine memory extents. meminfo_t is still used by common interface in BL1/BL2 for loading images Change-Id: I4e825ebf6f515b59d84dc2bdddf6edbf15e2d60f
2014-05-16 18:48:12 +01:00
}
FVP: Add SP804 delay timer Add SP804 delay timer support to the FVP BSP. This commit simply provides the 3 constants needed by the SP804 delay timer driver and calls sp804_timer_init() in bl2_platform_setup(). The BSP does not currently use the delay timer functions. Note that the FVP SP804 is a normal world accessible peripheral and should not be used by the secure world after transition to the normal world. Change-Id: I5f91d2ac9eb336fd81943b3bb388860dfb5f2b39 Co-authored-by: Dan Handley <dan.handley@arm.com>
2015-03-17 14:54:01 +00:00
void bl2_platform_setup(void)
{
arm_bl2_platform_setup();
FVP: Add Delay Timer driver to BL1 and BL31 SMMUv3 driver functions which are called from BL1 and BL31 currently use counter-based poll method for testing status bits. Adding Delay Timer driver to BL1 and BL31 is required for timeout-based implementation using timer delay functions for SMMU and other drivers. This patch adds new function `fvp_timer_init()` which initialises either System level generic or SP804 timer based on FVP_USE_SP804_TIMER build flag. In BL2U `bl2u_early_platform_setup()` function the call to `arm_bl2u_early_platform_setup()` (which calls `generic_delay_timer_init()` ignoring FVP_USE_SP804_TIMER flag), is replaced with `arm_console_boot_init()` and `fvp_timer_init()`. Change-Id: Ifd8dcebf4019e877b9bc5641551deef77a44c0d1 Signed-off-by: Alexei Fedorov <Alexei.Fedorov@arm.com>
2019-08-16 14:15:59 +01:00
/* Initialize System level generic or SP804 timer */
fvp_timer_init();
FVP: Add SP804 delay timer Add SP804 delay timer support to the FVP BSP. This commit simply provides the 3 constants needed by the SP804 delay timer driver and calls sp804_timer_init() in bl2_platform_setup(). The BSP does not currently use the delay timer functions. Note that the FVP SP804 is a normal world accessible peripheral and should not be used by the secure world after transition to the normal world. Change-Id: I5f91d2ac9eb336fd81943b3bb388860dfb5f2b39 Co-authored-by: Dan Handley <dan.handley@arm.com>
2015-03-17 14:54:01 +00:00
}
plat/arm: Use only fw_config between bl2 and bl31 Passed the address of fw_config instead of soc_fw_config as arg1 to BL31 from BL2 for ARM fvp platform. BL31 then retrieve load-address of other device trees from fw_config device tree. Signed-off-by: Louis Mayencourt <louis.mayencourt@arm.com> Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com> Change-Id: Ib7e9581cd765d76111dcc3b7e0dafc12503c83c1
2020-05-30 17:40:44 +01:00
/*******************************************************************************
* This function returns the list of executable images
******************************************************************************/
struct bl_params *plat_get_next_bl_params(void)
{
struct bl_params *arm_bl_params;
feat(fvp): update HW_CONFIG DT loading mechanism Currently, HW-config is loaded into non-secure memory, which mean a malicious NS-agent could tamper with it. Ideally, this shouldn't be an issue since no software runs in non-secure world at this time (non-secure world has not been started yet). It does not provide a guarantee though since malicious external NS-agents can take control of this memory region for update/corruption after BL2 loads it and before BL31/BL32/SP_MIN consumes it. The threat is mapped to Threat ID#3 (Bypass authentication scenario) in threat model [1]. Hence modified the code as below - 1. BL2 loads the HW_CONFIG into secure memory 2. BL2 makes a copy of the HW_CONFIG in the non-secure memory at an address provided by the newly added property(ns-load-address) in the 'hw-config' node of the FW_CONFIG 3. SP_MIN receives the FW_CONFIG address from BL2 via arg1 so that it can retrieve details (address and size) of HW_CONFIG from FW_CONFIG 4. A secure and non-secure HW_CONFIG address will eventually be used by BL31/SP_MIN/BL32 and BL33 components respectively 5. BL31/SP_MIN dynamically maps the Secure HW_CONFIG region and reads information from it to local variables (structures) and then unmaps it 6. Reduce HW_CONFIG maximum size from 16MB to 1MB; it appears sufficient, and it will also create a free space for any future components to be added to memory [1]: https://trustedfirmware-a.readthedocs.io/en/latest/threat_model/threat_model.html Change-Id: I1d431f3e640ded60616604b1c33aa638b9a1e55e Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
2022-03-15 16:05:58 +00:00
const struct dyn_cfg_dtb_info_t *hw_config_info __unused;
bl_mem_params_node_t *param_node __unused;
plat/arm: Use only fw_config between bl2 and bl31 Passed the address of fw_config instead of soc_fw_config as arg1 to BL31 from BL2 for ARM fvp platform. BL31 then retrieve load-address of other device trees from fw_config device tree. Signed-off-by: Louis Mayencourt <louis.mayencourt@arm.com> Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com> Change-Id: Ib7e9581cd765d76111dcc3b7e0dafc12503c83c1
2020-05-30 17:40:44 +01:00
arm_bl_params = arm_get_next_bl_params();
feat(fvp): update HW_CONFIG DT loading mechanism Currently, HW-config is loaded into non-secure memory, which mean a malicious NS-agent could tamper with it. Ideally, this shouldn't be an issue since no software runs in non-secure world at this time (non-secure world has not been started yet). It does not provide a guarantee though since malicious external NS-agents can take control of this memory region for update/corruption after BL2 loads it and before BL31/BL32/SP_MIN consumes it. The threat is mapped to Threat ID#3 (Bypass authentication scenario) in threat model [1]. Hence modified the code as below - 1. BL2 loads the HW_CONFIG into secure memory 2. BL2 makes a copy of the HW_CONFIG in the non-secure memory at an address provided by the newly added property(ns-load-address) in the 'hw-config' node of the FW_CONFIG 3. SP_MIN receives the FW_CONFIG address from BL2 via arg1 so that it can retrieve details (address and size) of HW_CONFIG from FW_CONFIG 4. A secure and non-secure HW_CONFIG address will eventually be used by BL31/SP_MIN/BL32 and BL33 components respectively 5. BL31/SP_MIN dynamically maps the Secure HW_CONFIG region and reads information from it to local variables (structures) and then unmaps it 6. Reduce HW_CONFIG maximum size from 16MB to 1MB; it appears sufficient, and it will also create a free space for any future components to be added to memory [1]: https://trustedfirmware-a.readthedocs.io/en/latest/threat_model/threat_model.html Change-Id: I1d431f3e640ded60616604b1c33aa638b9a1e55e Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
2022-03-15 16:05:58 +00:00
#if !BL2_AT_EL3 && !EL3_PAYLOAD_BASE
plat/arm: Use only fw_config between bl2 and bl31 Passed the address of fw_config instead of soc_fw_config as arg1 to BL31 from BL2 for ARM fvp platform. BL31 then retrieve load-address of other device trees from fw_config device tree. Signed-off-by: Louis Mayencourt <louis.mayencourt@arm.com> Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com> Change-Id: Ib7e9581cd765d76111dcc3b7e0dafc12503c83c1
2020-05-30 17:40:44 +01:00
const struct dyn_cfg_dtb_info_t *fw_config_info;
feat(fvp): update HW_CONFIG DT loading mechanism Currently, HW-config is loaded into non-secure memory, which mean a malicious NS-agent could tamper with it. Ideally, this shouldn't be an issue since no software runs in non-secure world at this time (non-secure world has not been started yet). It does not provide a guarantee though since malicious external NS-agents can take control of this memory region for update/corruption after BL2 loads it and before BL31/BL32/SP_MIN consumes it. The threat is mapped to Threat ID#3 (Bypass authentication scenario) in threat model [1]. Hence modified the code as below - 1. BL2 loads the HW_CONFIG into secure memory 2. BL2 makes a copy of the HW_CONFIG in the non-secure memory at an address provided by the newly added property(ns-load-address) in the 'hw-config' node of the FW_CONFIG 3. SP_MIN receives the FW_CONFIG address from BL2 via arg1 so that it can retrieve details (address and size) of HW_CONFIG from FW_CONFIG 4. A secure and non-secure HW_CONFIG address will eventually be used by BL31/SP_MIN/BL32 and BL33 components respectively 5. BL31/SP_MIN dynamically maps the Secure HW_CONFIG region and reads information from it to local variables (structures) and then unmaps it 6. Reduce HW_CONFIG maximum size from 16MB to 1MB; it appears sufficient, and it will also create a free space for any future components to be added to memory [1]: https://trustedfirmware-a.readthedocs.io/en/latest/threat_model/threat_model.html Change-Id: I1d431f3e640ded60616604b1c33aa638b9a1e55e Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
2022-03-15 16:05:58 +00:00
uintptr_t fw_config_base = 0UL;
plat/arm: Use only fw_config between bl2 and bl31 Passed the address of fw_config instead of soc_fw_config as arg1 to BL31 from BL2 for ARM fvp platform. BL31 then retrieve load-address of other device trees from fw_config device tree. Signed-off-by: Louis Mayencourt <louis.mayencourt@arm.com> Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com> Change-Id: Ib7e9581cd765d76111dcc3b7e0dafc12503c83c1
2020-05-30 17:40:44 +01:00
entry_point_info_t *ep_info;
feat(fvp): update HW_CONFIG DT loading mechanism Currently, HW-config is loaded into non-secure memory, which mean a malicious NS-agent could tamper with it. Ideally, this shouldn't be an issue since no software runs in non-secure world at this time (non-secure world has not been started yet). It does not provide a guarantee though since malicious external NS-agents can take control of this memory region for update/corruption after BL2 loads it and before BL31/BL32/SP_MIN consumes it. The threat is mapped to Threat ID#3 (Bypass authentication scenario) in threat model [1]. Hence modified the code as below - 1. BL2 loads the HW_CONFIG into secure memory 2. BL2 makes a copy of the HW_CONFIG in the non-secure memory at an address provided by the newly added property(ns-load-address) in the 'hw-config' node of the FW_CONFIG 3. SP_MIN receives the FW_CONFIG address from BL2 via arg1 so that it can retrieve details (address and size) of HW_CONFIG from FW_CONFIG 4. A secure and non-secure HW_CONFIG address will eventually be used by BL31/SP_MIN/BL32 and BL33 components respectively 5. BL31/SP_MIN dynamically maps the Secure HW_CONFIG region and reads information from it to local variables (structures) and then unmaps it 6. Reduce HW_CONFIG maximum size from 16MB to 1MB; it appears sufficient, and it will also create a free space for any future components to be added to memory [1]: https://trustedfirmware-a.readthedocs.io/en/latest/threat_model/threat_model.html Change-Id: I1d431f3e640ded60616604b1c33aa638b9a1e55e Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
2022-03-15 16:05:58 +00:00
#if __aarch64__
plat/arm: Use only fw_config between bl2 and bl31 Passed the address of fw_config instead of soc_fw_config as arg1 to BL31 from BL2 for ARM fvp platform. BL31 then retrieve load-address of other device trees from fw_config device tree. Signed-off-by: Louis Mayencourt <louis.mayencourt@arm.com> Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com> Change-Id: Ib7e9581cd765d76111dcc3b7e0dafc12503c83c1
2020-05-30 17:40:44 +01:00
/* Get BL31 image node */
param_node = get_bl_mem_params_node(BL31_IMAGE_ID);
feat(fvp): update HW_CONFIG DT loading mechanism Currently, HW-config is loaded into non-secure memory, which mean a malicious NS-agent could tamper with it. Ideally, this shouldn't be an issue since no software runs in non-secure world at this time (non-secure world has not been started yet). It does not provide a guarantee though since malicious external NS-agents can take control of this memory region for update/corruption after BL2 loads it and before BL31/BL32/SP_MIN consumes it. The threat is mapped to Threat ID#3 (Bypass authentication scenario) in threat model [1]. Hence modified the code as below - 1. BL2 loads the HW_CONFIG into secure memory 2. BL2 makes a copy of the HW_CONFIG in the non-secure memory at an address provided by the newly added property(ns-load-address) in the 'hw-config' node of the FW_CONFIG 3. SP_MIN receives the FW_CONFIG address from BL2 via arg1 so that it can retrieve details (address and size) of HW_CONFIG from FW_CONFIG 4. A secure and non-secure HW_CONFIG address will eventually be used by BL31/SP_MIN/BL32 and BL33 components respectively 5. BL31/SP_MIN dynamically maps the Secure HW_CONFIG region and reads information from it to local variables (structures) and then unmaps it 6. Reduce HW_CONFIG maximum size from 16MB to 1MB; it appears sufficient, and it will also create a free space for any future components to be added to memory [1]: https://trustedfirmware-a.readthedocs.io/en/latest/threat_model/threat_model.html Change-Id: I1d431f3e640ded60616604b1c33aa638b9a1e55e Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
2022-03-15 16:05:58 +00:00
#else /* aarch32 */
/* Get SP_MIN image node */
param_node = get_bl_mem_params_node(BL32_IMAGE_ID);
#endif /* __aarch64__ */
plat/arm: Use only fw_config between bl2 and bl31 Passed the address of fw_config instead of soc_fw_config as arg1 to BL31 from BL2 for ARM fvp platform. BL31 then retrieve load-address of other device trees from fw_config device tree. Signed-off-by: Louis Mayencourt <louis.mayencourt@arm.com> Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com> Change-Id: Ib7e9581cd765d76111dcc3b7e0dafc12503c83c1
2020-05-30 17:40:44 +01:00
assert(param_node != NULL);
/* get fw_config load address */
fw_config_info = FCONF_GET_PROPERTY(dyn_cfg, dtb, FW_CONFIG_ID);
assert(fw_config_info != NULL);
fw_config_base = fw_config_info->config_addr;
feat(fvp): update HW_CONFIG DT loading mechanism Currently, HW-config is loaded into non-secure memory, which mean a malicious NS-agent could tamper with it. Ideally, this shouldn't be an issue since no software runs in non-secure world at this time (non-secure world has not been started yet). It does not provide a guarantee though since malicious external NS-agents can take control of this memory region for update/corruption after BL2 loads it and before BL31/BL32/SP_MIN consumes it. The threat is mapped to Threat ID#3 (Bypass authentication scenario) in threat model [1]. Hence modified the code as below - 1. BL2 loads the HW_CONFIG into secure memory 2. BL2 makes a copy of the HW_CONFIG in the non-secure memory at an address provided by the newly added property(ns-load-address) in the 'hw-config' node of the FW_CONFIG 3. SP_MIN receives the FW_CONFIG address from BL2 via arg1 so that it can retrieve details (address and size) of HW_CONFIG from FW_CONFIG 4. A secure and non-secure HW_CONFIG address will eventually be used by BL31/SP_MIN/BL32 and BL33 components respectively 5. BL31/SP_MIN dynamically maps the Secure HW_CONFIG region and reads information from it to local variables (structures) and then unmaps it 6. Reduce HW_CONFIG maximum size from 16MB to 1MB; it appears sufficient, and it will also create a free space for any future components to be added to memory [1]: https://trustedfirmware-a.readthedocs.io/en/latest/threat_model/threat_model.html Change-Id: I1d431f3e640ded60616604b1c33aa638b9a1e55e Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
2022-03-15 16:05:58 +00:00
assert(fw_config_base != 0UL);
plat/arm: Use only fw_config between bl2 and bl31 Passed the address of fw_config instead of soc_fw_config as arg1 to BL31 from BL2 for ARM fvp platform. BL31 then retrieve load-address of other device trees from fw_config device tree. Signed-off-by: Louis Mayencourt <louis.mayencourt@arm.com> Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com> Change-Id: Ib7e9581cd765d76111dcc3b7e0dafc12503c83c1
2020-05-30 17:40:44 +01:00
/*
feat(fvp): update HW_CONFIG DT loading mechanism Currently, HW-config is loaded into non-secure memory, which mean a malicious NS-agent could tamper with it. Ideally, this shouldn't be an issue since no software runs in non-secure world at this time (non-secure world has not been started yet). It does not provide a guarantee though since malicious external NS-agents can take control of this memory region for update/corruption after BL2 loads it and before BL31/BL32/SP_MIN consumes it. The threat is mapped to Threat ID#3 (Bypass authentication scenario) in threat model [1]. Hence modified the code as below - 1. BL2 loads the HW_CONFIG into secure memory 2. BL2 makes a copy of the HW_CONFIG in the non-secure memory at an address provided by the newly added property(ns-load-address) in the 'hw-config' node of the FW_CONFIG 3. SP_MIN receives the FW_CONFIG address from BL2 via arg1 so that it can retrieve details (address and size) of HW_CONFIG from FW_CONFIG 4. A secure and non-secure HW_CONFIG address will eventually be used by BL31/SP_MIN/BL32 and BL33 components respectively 5. BL31/SP_MIN dynamically maps the Secure HW_CONFIG region and reads information from it to local variables (structures) and then unmaps it 6. Reduce HW_CONFIG maximum size from 16MB to 1MB; it appears sufficient, and it will also create a free space for any future components to be added to memory [1]: https://trustedfirmware-a.readthedocs.io/en/latest/threat_model/threat_model.html Change-Id: I1d431f3e640ded60616604b1c33aa638b9a1e55e Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
2022-03-15 16:05:58 +00:00
* Get the entry point info of next executable image and override
plat/arm: Use only fw_config between bl2 and bl31 Passed the address of fw_config instead of soc_fw_config as arg1 to BL31 from BL2 for ARM fvp platform. BL31 then retrieve load-address of other device trees from fw_config device tree. Signed-off-by: Louis Mayencourt <louis.mayencourt@arm.com> Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com> Change-Id: Ib7e9581cd765d76111dcc3b7e0dafc12503c83c1
2020-05-30 17:40:44 +01:00
* arg1 of entry point info with fw_config base address
*/
ep_info = &param_node->ep_info;
ep_info->args.arg1 = (uint32_t)fw_config_base;
feat(fvp): update HW_CONFIG DT loading mechanism Currently, HW-config is loaded into non-secure memory, which mean a malicious NS-agent could tamper with it. Ideally, this shouldn't be an issue since no software runs in non-secure world at this time (non-secure world has not been started yet). It does not provide a guarantee though since malicious external NS-agents can take control of this memory region for update/corruption after BL2 loads it and before BL31/BL32/SP_MIN consumes it. The threat is mapped to Threat ID#3 (Bypass authentication scenario) in threat model [1]. Hence modified the code as below - 1. BL2 loads the HW_CONFIG into secure memory 2. BL2 makes a copy of the HW_CONFIG in the non-secure memory at an address provided by the newly added property(ns-load-address) in the 'hw-config' node of the FW_CONFIG 3. SP_MIN receives the FW_CONFIG address from BL2 via arg1 so that it can retrieve details (address and size) of HW_CONFIG from FW_CONFIG 4. A secure and non-secure HW_CONFIG address will eventually be used by BL31/SP_MIN/BL32 and BL33 components respectively 5. BL31/SP_MIN dynamically maps the Secure HW_CONFIG region and reads information from it to local variables (structures) and then unmaps it 6. Reduce HW_CONFIG maximum size from 16MB to 1MB; it appears sufficient, and it will also create a free space for any future components to be added to memory [1]: https://trustedfirmware-a.readthedocs.io/en/latest/threat_model/threat_model.html Change-Id: I1d431f3e640ded60616604b1c33aa638b9a1e55e Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
2022-03-15 16:05:58 +00:00
/* grab NS HW config address */
hw_config_info = FCONF_GET_PROPERTY(dyn_cfg, dtb, HW_CONFIG_ID);
fix(fvp): fix NULL pointer dereference issue Fixed below NULL pointer dereference issue reported by coverity scan by asserting the hw_config_info is not NULL. *** CID 378361: Null pointer dereferences (NULL_RETURNS) /plat/arm/board/fvp/fvp_bl2_setup.c: 84 in plat_get_next_bl_params() 78 79 /* To retrieve actual size of the HW_CONFIG */ 80 param_node = get_bl_mem_params_node(HW_CONFIG_ID); 81 assert(param_node != NULL); 82 83 /* Copy HW config from Secure address to NS address */ >>> CID 378361: Null pointer dereferences (NULL_RETURNS) >>> Dereferencing "hw_config_info", which is known to be "NULL". 84 memcpy((void *)hw_config_info->ns_config_addr, 85 (void *)hw_config_info->config_addr, 86 (size_t)param_node->image_info.image_size); Signed-off-by: Manish V Badarkhe <manish.badarkhe@arm.com> Change-Id: Iaf584044cfc3b2583862bcc1be825966eaffd38e
2022-05-04 17:21:22 +01:00
assert(hw_config_info != NULL);
feat(fvp): update HW_CONFIG DT loading mechanism Currently, HW-config is loaded into non-secure memory, which mean a malicious NS-agent could tamper with it. Ideally, this shouldn't be an issue since no software runs in non-secure world at this time (non-secure world has not been started yet). It does not provide a guarantee though since malicious external NS-agents can take control of this memory region for update/corruption after BL2 loads it and before BL31/BL32/SP_MIN consumes it. The threat is mapped to Threat ID#3 (Bypass authentication scenario) in threat model [1]. Hence modified the code as below - 1. BL2 loads the HW_CONFIG into secure memory 2. BL2 makes a copy of the HW_CONFIG in the non-secure memory at an address provided by the newly added property(ns-load-address) in the 'hw-config' node of the FW_CONFIG 3. SP_MIN receives the FW_CONFIG address from BL2 via arg1 so that it can retrieve details (address and size) of HW_CONFIG from FW_CONFIG 4. A secure and non-secure HW_CONFIG address will eventually be used by BL31/SP_MIN/BL32 and BL33 components respectively 5. BL31/SP_MIN dynamically maps the Secure HW_CONFIG region and reads information from it to local variables (structures) and then unmaps it 6. Reduce HW_CONFIG maximum size from 16MB to 1MB; it appears sufficient, and it will also create a free space for any future components to be added to memory [1]: https://trustedfirmware-a.readthedocs.io/en/latest/threat_model/threat_model.html Change-Id: I1d431f3e640ded60616604b1c33aa638b9a1e55e Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
2022-03-15 16:05:58 +00:00
/* To retrieve actual size of the HW_CONFIG */
param_node = get_bl_mem_params_node(HW_CONFIG_ID);
assert(param_node != NULL);
/* Copy HW config from Secure address to NS address */
memcpy((void *)hw_config_info->ns_config_addr,
(void *)hw_config_info->config_addr,
(size_t)param_node->image_info.image_size);
/*
* Ensure HW-config device tree committed to memory, as there is
* a possibility to use HW-config without cache and MMU enabled
* at BL33
*/
flush_dcache_range(hw_config_info->ns_config_addr,
param_node->image_info.image_size);
param_node = get_bl_mem_params_node(BL33_IMAGE_ID);
assert(param_node != NULL);
/* Update BL33's ep info with NS HW config address */
param_node->ep_info.args.arg1 = hw_config_info->ns_config_addr;
#endif /* !BL2_AT_EL3 && !EL3_PAYLOAD_BASE */
plat/arm: Use only fw_config between bl2 and bl31 Passed the address of fw_config instead of soc_fw_config as arg1 to BL31 from BL2 for ARM fvp platform. BL31 then retrieve load-address of other device trees from fw_config device tree. Signed-off-by: Louis Mayencourt <louis.mayencourt@arm.com> Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com> Change-Id: Ib7e9581cd765d76111dcc3b7e0dafc12503c83c1
2020-05-30 17:40:44 +01:00
return arm_bl_params;
}