Host tools cert_tool and encrypt_fw refactored to be fully
compatible with OpenSSL v3.0.
Changes were made following the OpenSSL 3.0 migration guide:
https://www.openssl.org/docs/man3.0/man7/migration_guide.html
In some cases, those changes are straightforward and only
a small modification on the types or API calls was needed
(e.g.: replacing BN_pseudo_rand() with BN_rand(). Both identical
since v1.1.0).
The use of low level APIs is now deprecated. In some cases,
the new API provides a simplified solution for our goals and
therefore the code was simplified accordingly (e.g.: generating
RSA keys through EVP_RSA_gen() without the need of handling the
exponent). However, in some cases, a more
sophisticated approach was necessary, as the use of a context
object was required (e.g.: when retrieving the digest value from
an SHA file).
Signed-off-by: Juan Pablo Conde <juanpablo.conde@arm.com>
Change-Id: I978e8578fe7ab3e71307450ebe7e7812fbcaedb6
To cope with the changes/design decisions in the implementation of
boot protocol, from FF-A v1.1 specification in the S-EL2 SPM, we have
changed the format of the sp pkg header.
These changes need to be reflected in the sptool, used for packaging
the SP binary, and the SP's FF-A manifest. Now the SP pkg can
contain the boot information blob as defined by the FF-A specification.
To cater for these changes, bring to the TF-A project an equivalent to
the tool used in the Hafnium project.
Signed-off-by: J-Alves <joao.alves@arm.com>
Change-Id: I046f5d6e3c2ef0ba6c87f65302e127dedef34c28
The "sp_mk_generator.py" is responsible for processing the SP layout
file, which contains information about the SPs to be deployed on top of
the SPM, to generate the "sp_gen.mk" file which appends information
specific to each SP that shall help with packing all SPs into a fip
binary.
Before this patch the "sp_mk_generator.py" was a monolithic script,
which has now been broken down into functions for each identified
configuration action.
Signed-off-by: J-Alves <joao.alves@arm.com>
Change-Id: I8ee7487f2e07d53e508d17d0fe4510e22957f5ca
Developed python framework to help with SPs configuration. The framework
allows for functions (dubbed "actions" in the framework) to be defined
that should process the "sp_layout.json" file.
Signed-off-by: J-Alves <joao.alves@arm.com>
Change-Id: I278cd5a7aa0574168473e28f3b0fe231d7b548ee
Add some entries in blx_symbols, that are used when the flag
SEPARATE_CODE_AND_RODATA is not enabled (__RO_* and __TEXT_RESIDENT_*).
Add all new symbols that were not yet present in the script.
Correct __BSS_END to __BSS_END__, and add __BSS_START__.
Add new *_XLAT_TABLE_* symbols.
As those strings are longer than 22, update display format string to
be dependent on the longest string.
The script also skips lines for which the _START__ and _END__
symbols have the same address (empty sections).
Signed-off-by: Yann Gautier <yann.gautier@foss.st.com>
Change-Id: I6c510ced6116b35d14ee2cb7a6711405604380d6
Replace bl2_offset with bl2_loc, and fix byte-swapping for
Chassis2 SoC(s) only.
Signed-off-by: Biwen Li <biwen.li@nxp.com>
Signed-off-by: Jiafei Pan <Jiafei.Pan@nxp.com>
Change-Id: Ieb5fd6468178325bfb6fb89b6c31c75cd9030363
The stm32image tool is updated to manage new header v2.0 for BL2
images.
Add new structure for the header v2.0 management.
Adapt to keep compatibility with v1.0.
Add the header version major and minor in the command line
when executing the tool, as well as binary type (0x10 for BL2).
Change-Id: I70c187e8e7e95b57ab7cfad63df314307a78f1d6
Signed-off-by: Yann Gautier <yann.gautier@st.com>
Signed-off-by: Lionel Debieve <lionel.debieve@st.com>
* changes:
docs(layerscape): add ls1046a soc and board support
feat(ls1046aqds): add board ls1046aqds support
feat(ls1046afrwy): add ls1046afrwy board support
feat(ls1046ardb): add ls1046ardb board support
feat(ls1046a): add new SoC platform ls1046a
fix(nxp-tools): fix tool location path for byte_swape
fix(nxp-qspi): fix include path for QSPI driver
build(changelog): add new scopes for NXP layerscape platforms
Extract the UUID from the SP layout JSON file if the optional 'uuid'
field exists otherwise fall back to the current method for extracting
the SP UUID from the partition manifest file.
This change gives a way to decouple TF-A's dependency on the SP
manifest file's format which is tied to the SPMC.
Signed-off-by: Imre Kis <imre.kis@arm.com>
Change-Id: I13af066c1de58bfb9c3fd470ee137ea0275cd98c
The UUID conversion drops leading zeroes, so make sure that
all hex strings always are 8 digits long
Signed-off-by: Anders Dellien <anders.dellien@arm.com>
Change-Id: I5d7e3cf3b53403a02bf551f35f17dbdb96dec8ae
These fields were not updated accidentally on the v2.6.0 release.
Change-Id: I215105da618ff6f72057eaa40a34ff4b24f7ee36
Signed-off-by: Chris Kay <chris.kay@arm.com>
Updated the fiptool to avoid packing the zero size images in
the FIP.
Also, updated the commitlint-json file to cover the fiptool
changes under a separate scope.
Change-Id: Id7ac3dcff0c7318546e49308d0f17b6cbd5eb24b
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
fiptool links to libcrypto, so as with the other tools it should respect
OPENSSL_DIR for include/library paths.
Change-Id: Icd8c15fa5097db1da9a3a9222d9e267548c4c7e2
Signed-off-by: Ross Burton <ross.burton@arm.com>
This change introduces a new NPM run script to automatically generate
the release changelog, as well as bump version numbers across the
code-base and create the release tag.
This script runs [Standard Version] to execute this, which is a tool
designed around automating substantial parts of the release process.
This can be done by running:
npm run release -- [<standard-version args>]
Standard Version expects the project to adhere to the [Semantic
Versioning] convention which TF-A does not, so you may need to specify
the version manually, e.g.:
npm run release -- --release-as 2.6.0
Individual steps of the release process may also be skipped at-will,
which may be necessary when, for example, tweaking the changelog:
npm run release -- --skip.commit --skip.tag
Standard Version is configured by the `.versionrc.js` file, which
contains information about the Conventional Commits types and scopes
used by the project, and how they map to the changelog.
To maintain continuity with the existing changelog style - at least to
the extent possible in the move from manual to automatic creation - a
customized changelog template has been introduced, based on the
Conventional Commits template provided by Standard Version.
This template package extends the Conventional Commits template package
by introducing support for parsing the Conventional Commits scopes into
changelog sections, similarly to how they were previously organized.
[Standard Version]:
https://github.com/conventional-changelog/standard-version
[Semantic Versioning]: https://semver.org
Change-Id: I5bafa512daedc631baae951651c38c1c62046b0a
Signed-off-by: Chris Kay <chris.kay@arm.com>
* changes:
refactor(gpt): productize and refactor GPT library
feat(rme): disable Watchdog for Arm platforms if FEAT_RME enabled
docs(rme): add build and run instructions for FEAT_RME
fix(plat/fvp): bump BL2 stack size
fix(plat/fvp): allow changing the kernel DTB load address
refactor(plat/arm): rename ARM_DTB_DRAM_NS region macros
refactor(plat/fvp): update FVP platform DTS for FEAT_RME
feat(plat/arm): add GPT initialization code for Arm platforms
feat(plat/fvp): add memory map for FVP platform for FEAT_RME
refactor(plat/arm): modify memory region attributes to account for FEAT_RME
feat(plat/fvp): add RMM image support for FVP platform
feat(rme): add GPT Library
feat(rme): add ENABLE_RME build option and support for RMM image
refactor(makefile): remove BL prefixes in build macros
feat(rme): add context management changes for FEAT_RME
feat(rme): add Test Realm Payload (TRP)
feat(rme): add RMM dispatcher (RMMD)
feat(rme): run BL2 in root world when FEAT_RME is enabled
feat(rme): add xlat table library changes for FEAT_RME
feat(rme): add Realm security state definition
feat(rme): add register definitions and helper functions for FEAT_RME
The changes include:
- A new build option (ENABLE_RME) to enable FEAT_RME
- New image called RMM. RMM is R-EL2 firmware that manages Realms.
When building TF-A, a path to RMM image can be specified using
the "RMM" build flag. If RMM image is not provided, TRP is built
by default and used as RMM image.
- Support for RMM image in fiptool
Signed-off-by: Zelalem Aweke <zelalem.aweke@arm.com>
Change-Id: I017c23ef02e465a5198baafd665a60858ecd1b25
* changes:
feat(plat/rcar3): keep RWDT enabled
feat(drivers/rcar3): add extra offset if booting B-side
feat(plat/rcar3): modify LifeC register setting for R-Car D3
feat(plat/rcar3): modify SWDT counter setting for R-Car D3
feat(plat/rcar3): update DDR setting for R-Car D3
feat(plat/rcar3): remove access to RMSTPCRn registers in R-Car D3
feat(plat/rcar3): add process of SSCG setting for R-Car D3
feat(plat/rcar3): add process to back up X6 and X7 register's value
feat(plat/rcar3): modify operation register from SYSCISR to SYSCISCR
feat(plat/rcar3): add SYSCEXTMASK bit set/clear in scu_power_up
feat(plat/rcar3): change the memory map for OP-TEE
feat(plat/rcar3): use PRR cut to determine DRAM size on M3
feat(plat/rcar3): apply ERRATA_A53_1530924 and ERRATA_A57_1319537
fix(plat/rcar3): fix disabling MFIS write protection for R-Car D3
fix(plat/rcar3): fix eMMC boot support for R-Car D3
fix(plat/rcar3): fix version judgment for R-Car D3
fix(plat/rcar3): fix source file to make about GICv2
fix(drivers/rcar3): console: fix a return value of console_rcar_init
The UUID field in SP manifest DTS is represented as an array of four
integers that the SPMC consumes using the little endian representation.
The reason is that those values are directly mapped to the SMCCC section
5.3 recommendation and the way they are exposed to the
FFA_PARTITION_INFO_GET interface.
Per [1] TF-A build flow expects a big endian representation of the UUID
so the sp_mk_generator script is updated to accommodate this conversion.
[1] https://review.trustedfirmware.org/c/TF-A/trusted-firmware-a/+/9563
Signed-off-by: Olivier Deprez <olivier.deprez@arm.com>
Change-Id: I7c7b295225e23ea64f49170e27d97442b289703b
The memory area size of OP-TEE was changed from 1MB to 2MB
because the size of OP-TEE has increased.
Signed-off-by: Toshiyuki Ogasahara <toshiyuki.ogasahara.bo@hitachi.com>
Signed-off-by: Yoshifumi Hosoya <yoshifumi.hosoya.wj@renesas.com>
Change-Id: Ic8a165c83a3a9ef2829f68d5fabeed9ccb6da95e
Add parameters to fill header version:
Two new options are added (m and n) to fill header version major and minor.
The default is v1.0 (major = 1, minor = 0)
Fix image header on big endian hosts:
Three header fields are not properly converted to little endian
before assignment, resulting in incorrect header while executing
stm32image on big endian hosts.
Convert the value of the header fields version_number,
image_checksum and edcsa_algorithm to little endian before the
assignment.
Don't force the base of strtol, since it's able to select the base
automatically depending on the prefix of the value.
This does not breaks the current build script that extracts the
addresses, including the 0x prefix, from the map file.
This change helps using stm32image in shell scripts where the
addresses can be computed using the shell arithmetic expansion
"$((...))", that produces a value in base decimal.
The variable stm32image_header is declared with global visibility
but is use in one function only, move it as local variable in the function.
Fix error message on destination file:
The error message on mmap() failure of destination file reports
incorrectly information about the source file.
Change the error message to match the file that causes the error.
Change-Id: Iebc8c915297306845b3847b32f9516443a515c97
Signed-off-by: Yann Gautier <yann.gautier@st.com>
Signed-off-by: Antonio Borneo <antonio.borneo@st.com>
Signed-off-by: Nicolas Le Bayon <nicolas.le.bayon@st.com>
Calling 'make clean' in 'all' target is causing recompilation of binary
at every 'make' call, which is wrong.
Also building a new target via 'make TARGET' can cause infinite loop as
it is not defined as explicit make dependency. Dependent targets must be
specified after colon when defining target, which also prevents infinite
loops as make is able to detect these circular dependencies.
Moreover calling 'make clean' is supposed to be done by user when
configuration is changing.
So remove calling 'make clean' in 'all' target and define dependency for
'${PROJECT}' at correct place.
Signed-off-by: Pali Rohár <pali@kernel.org>
Change-Id: I70e7fd2b04b02f6a0650c82df91d58c9a4cb24d9
NXP tool to create pbl from bl2 binary:
- RCW is prepended to BL2.bin
- If TRUSTED_BOARD_BOOT=1, pre-append the CSF header
to be understood by NXP boot-rom.
Signed-off-by: Pankaj Gupta <pankaj.gupta@nxp.com>
Change-Id: Iddc7336a045222e2073ddad86358ebc4440b8bcf
Generic framework is added to include platform defined UUID.
This framework is added for the following:
- All NXP SoC based platforms needed additional fip-fuse.bin
- NXP SoC lx2160a based platforms requires additional fip-ddr.bin
Signed-off-by: Pankaj Gupta <pankaj.gupta@nxp.com>
Change-Id: Ibe05d9c596256e34077287a490dfcd5b731ef2cf
Changes to 'tools/cert_create' folder, to include platform defined
certificates, keys, and extensions.
NXP SoC lx2160a : based platforms requires additional
FIP DDR to be loaded before initializing the DDR.
To enable chain of trust on these platforms, FIP DDR
image needs to be authenticated, additionally.
Platform specific folder 'tools/nxp/cert_create_helper'
is added to support platform specific macros and definitions.
Signed-off-by: Pankaj Gupta <pankaj.gupta@nxp.com>
Change-Id: I4752a30a9ff3aa1d403e9babe3a07ba0e6b2bf8f
This bug manifests itself as a segfault triggered by a double-free.
I noticed that right before the double-free, the sk list contained 2
elements with the same address.
(gdb) p sk_X509_EXTENSION_value(sk, 1)
$34 = (X509_EXTENSION *) 0x431ad0
(gdb) p sk_X509_EXTENSION_value(sk, 0)
$35 = (X509_EXTENSION *) 0x431ad0
(gdb) p sk_X509_EXTENSION_num(sk)
$36 = 2
This caused confusion; this should never happen.
I figured that this was caused by a ext_new_xxxx function freeing
something before it is added to the list, so I put a breakpoint on
each of them to step through. I was suprised to find that none of my
breakpoints triggered for the second element of the iteration through
the outer loop just before the double-free.
Looking through the code, I noticed that it's possible to avoid doing
a ext_new_xxxx, when either:
* ext->type == NVCOUNTER and ext->arg == NULL
* ext->type == HASH and ext->arg == NULL and ext->optional == false
So I put a breakpoint on both.
It turns out that it was the HASH version, but I added a fix for both.
The fix for the Hash case is simple, as it was a mistake. The fix for
the NVCOUNTER case, however, is a bit more subtle. The NVCOUNTER may
be optional, and when it's optional we can skip it. The other case,
when the NVCOUNTER is required (not optinal), the `check_cmd_params`
function has already verified that the `ext->arg` must be non-NULL.
We assert that before processing it to covert any possible segfaults
into more descriptive errors.
This should no longer cause double-frees by adding the same ext twice.
Change-Id: Idae2a24ecd964b0a3929e6193c7f85ec769f6470
Signed-off-by: Jimmy Brisson <jimmy.brisson@arm.com>
The certification tool creates all the certificates mentioned
statically in the code rather than taking explicit certificate
requests from the command line parameters.
Code is optimized to avoid unnecessary attempts to create
non-requested certificates.
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
Change-Id: I78feac25bc701bf8f08c6aa5a2e1590bec92d0f2
Add tool support for creating bootparam and cert_header images
for RZ/G2 SoC based platforms.
Signed-off-by: Biju Das <biju.das.jz@bp.renesas.com>
Reviewed-by: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
Change-Id: Iab8ba6eda442c8d75f23c5633b8178f86339e4c9
Don't depend on clean when building, as the user is capable of cleaning
if required and this introduces a race where "all" depends on both the
compile and the clean in parallel. It's quite possible for some of the
compile to happen in parallel with the clean, which results in the link
failing as objects just built are missing.
Change-Id: I710711eea7483cafa13251c5d94ec693148bd001
Signed-off-by: Ross Burton <ross.burton@arm.com>
When OpenSSL's macro allocates the HASH struct, it allocates the fields
as well. After this allocation, the prior code would assign over the
pointers inside the HASH struct, leaking these fields. This patch
avoids allocating extra copies of these members.
Change-Id: I50a38b0a04b52ec54d6388db0f694feb578d2818
Signed-off-by: Jimmy Brisson <jimmy.brisson@arm.com>
Previously, we would leak these extensions as they are not freed by the
stack. An except from the `sk_TYPE_free` documentation:
sk_TYPE_free() frees up the sk structure. It does not free up any
elements of sk. After this call sk is no longer valid.
The fix is to drain the stack and free its elements before freeing the
stack. sk_TYPE_pop_free does this, so we use that instead.
Change-Id: Ie70c302f9dda5af1a7243f163d36e99916ee639c
Signed-off-by: Jimmy Brisson <jimmy.brisson@arm.com>
Although support for building fiptool on a Windows host was present,
the binary was not built when the top level makefile was invoked.
This patch makes the necessary changes to the to support building of
fiptool on a Windows host PC from the main makefile.
Change-Id: I0c01ba237fa3010a027a1b324201131210cf4d7c
Signed-off-by: Sami Mujawar <sami.mujawar@arm.com>
Windows does not have a standard getopt implementation. To address
this an equivalent implementation has been provided in win_posix.c
However, the implementation has an issue with option processing as
described below.
Long option names may be abbreviated if the abbreviation is unique
or an exact match for some defined option.
Since some options can be substring of other options e.g. "scp-fw"
option is a substring of "scp-fwu-cfg", we need to identify if an
option is abbreviated and also check for uniqueness. Otherwise if
a user passes --scp-fw as an option, the "scp-fwu-cfg" option may
get selected, resulting in an incorrectly packaged FIP.
This issue has been be fixed by:
- First searching for an exact match.
- If exact match was not found search for a abbreviated match.
By doing this an incorrect option selection can be avoided.
Change-Id: I22f4e7a683f3df857f5b6f0783bf9b03a64a0bcc
Signed-off-by: Sami Mujawar <sami.mujawar@arm.com>
This patch: fafd3ec9c assumes that tools must build from
the main makefile folder.
This assumption leads to the error when somebody wants to
build a tool from the tool's folder.
Hence changes are done to provide the default binary name
in the tool's makefile.
Change-Id: Iae570a7f8d322151376b6feb19e739300eecc3fc
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
Currently, the tool's makefile override the tool's binary name
which is already been defined in the main makefile.
Hence fix is provided so that the tool's makefile get the tool's
binary name from the main makefile instead of overriding it.
Change-Id: I8af2bd391a96bba2dbcddef711338a94ebf5f038
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
With recently introduced dualroot CoT for SPs where they are owned
either by SiP or by Platform. SiP owned SPs index starts at SP_PKG1_ID
while Plat owned SPs index starts at SP_PKG5_ID.
This patch modifies SP makefile generator script to take CoT as an
argument and if it is "dualroot" then generates SP_PKG in order
mentioned above, otherwise generates it sequentially.
Signed-off-by: Ruari Phipps <ruari.phipps@arm.com>
Change-Id: Iffad1131787be650a9462f6f8cc09b603cddb3b8
Add support to generate a certificate named "plat-sp-cert" for Secure
Partitions(SP) owned by Platform.
Earlier a single certificate file "sip-sp-cert" was generated which
contained hash of all 8 SPs, with this change SPs are divided into
two categories viz "SiP owned" and "Plat owned" containing 4 SPs each.
Platform RoT key pair is used for signing.
Signed-off-by: Manish Pandey <manish.pandey2@arm.com>
Change-Id: I5bd493cfce4cf3fc14b87c8ed1045f633d0c92b6
If the user tries to change BUILD_BASE to put the build products outside
the build tree the compile will fail due to hard coded assumptions that
$BUILD_BASE is a relative path. Fix by using $(abspath $(BUILD_BASE))
to rationalize to an absolute path every time and remove the relative
path assumptions.
This patch also adds documentation that BUILD_BASE can be specified by
the user.
Signed-off-by: Grant Likely <grant.likely@arm.com>
Signed-off-by: Manish Pandey <manish.pandey2@arm.com>
Change-Id: Ib1af874de658484aaffc672f30029b852d2489c8
Jayanth Dodderi Chidanand
Juan Pablo Conde
J-Alves
Yann Gautier
Biwen Li
Joanna Farley
Nicolas Le Bayon
Madhukar Pappireddy
Jiafei Pan
Imre Kis
Anders Dellien
Chris Kay
Manish V Badarkhe
Ross Burton
Soby Mathew
Zelalem Aweke
Manish Pandey
Olivier Deprez
Toshiyuki Ogasahara
Pali Rohár
Pankaj Gupta
Sandrine Bailleux
Lauren Wehrmeister
Jimmy Brisson
Biju Das
Sami Mujawar
Ruari Phipps
Grant Likely