Sharing the same CFLAGS for both the firmware and host tools is not
useful and can lead to compilation failure when CFLAGS is set on the
command line.
This patch make MAKEOVERRIDES special variable empty so make's command
line variable definitions are not implicitly forwarded to sub make
invocations. However, make options are still forwarded like "-s" option
to make the build silent.
Change-Id: Ia921c02beb1fd2041696a26160b9e7974ae000fa
Signed-off-by: Douglas Raillard <douglas.raillard@arm.com>
The errata reporting policy is as follows:
- If an errata workaround is enabled:
- If it applies (i.e. the CPU is affected by the errata), an INFO
message is printed, confirming that the errata workaround has been
applied.
- If it does not apply, a VERBOSE message is printed, confirming
that the errata workaround has been skipped.
- If an errata workaround is not enabled, but would have applied had
it been, a WARN message is printed, alerting that errata workaround
is missing.
The CPU errata messages are printed by both BL1 (primary CPU only) and
runtime firmware on debug builds, once for each CPU/errata combination.
Relevant output from Juno r1 console when ARM Trusted Firmware is built
with PLAT=juno LOG_LEVEL=50 DEBUG=1:
VERBOSE: BL1: cortex_a57: errata workaround for 806969 was not applied
VERBOSE: BL1: cortex_a57: errata workaround for 813420 was not applied
INFO: BL1: cortex_a57: errata workaround for disable_ldnp_overread was applied
WARNING: BL1: cortex_a57: errata workaround for 826974 was missing!
WARNING: BL1: cortex_a57: errata workaround for 826977 was missing!
WARNING: BL1: cortex_a57: errata workaround for 828024 was missing!
WARNING: BL1: cortex_a57: errata workaround for 829520 was missing!
WARNING: BL1: cortex_a57: errata workaround for 833471 was missing!
...
VERBOSE: BL31: cortex_a57: errata workaround for 806969 was not applied
VERBOSE: BL31: cortex_a57: errata workaround for 813420 was not applied
INFO: BL31: cortex_a57: errata workaround for disable_ldnp_overread was applied
WARNING: BL31: cortex_a57: errata workaround for 826974 was missing!
WARNING: BL31: cortex_a57: errata workaround for 826977 was missing!
WARNING: BL31: cortex_a57: errata workaround for 828024 was missing!
WARNING: BL31: cortex_a57: errata workaround for 829520 was missing!
WARNING: BL31: cortex_a57: errata workaround for 833471 was missing!
...
VERBOSE: BL31: cortex_a53: errata workaround for 826319 was not applied
INFO: BL31: cortex_a53: errata workaround for disable_non_temporal_hint was applied
Also update documentation.
Change-Id: Iccf059d3348adb876ca121cdf5207bdbbacf2aba
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
At present, spin locks can only defined from C files. Add some macros
such that they can be defined from assembly files too.
Change-Id: I64f0c214062f5c15b3c8b412c7f25c908e87d970
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
Disable the automatic substitution of functions with builtins. The
existing -ffreestanding option should already do this but explicitly
adding -fno-builtin reduces the risk of compiler variation. With this
option, GCC is not supposed to be able to make assumptions on what the
function does, which could otherwise lead to security-sensitive code
removal.
This can lead to potentially less efficient code but improves
predictability of what code is actually compiled into the binary.
Change-Id: I06ad151c61318bd1b00d84976f051d2d94314acc
Signed-off-by: Douglas Raillard <douglas.raillard@arm.com>
The current fiptool packs all the images without any padding between
them. So, the offset to each image has no alignment. This is not
efficient, for example, when the FIP is read from a block-oriented
device.
For example, (e)MMC is accessed by block-addressing. The block size
is 512 byte. So, the best case is each image is aligned by 512 byte
since the DMA engine can transfer the whole of the image to its load
address directly. The worst case is the offset does not have even
DMA-capable alignment (this is where we stand now). In this case,
we need to transfer every block to a bounce buffer, then do memcpy()
from the bounce buffer to our final destination. At least, this
should work with the abstraction by the block I/O layer, but the
CPU-intervention for the whole data transfer makes it really slow.
This commit adds a new option --align to the fiptool. This option,
if given, requests the tool to align each component in the FIP file
by the specified byte. Also, add a new Make option FIP_ALIGN for
easier access to this feature; users can give something like
FIP_ALIGN=512 from the command line, or add "FIP_ALIGN := 512" to
their platform.mk file.
Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
The struct image has "uuid" and "size" to memorize the field values
they had in the TOC entry. So, parse_fip() copies them from struct
fip_toc_entry to struct image, then pack_images() copies them back
to struct fip_toc_entry.
The next commit (support --align option) will require to save the
"offset" field as well. This makes me realize that struct image
can embed struct fip_toc_entry.
This commit will allow the "flags" field to persevere the "update"
command. At this moment, the "flags" is not used in a useful way.
(Yet, platforms can save their own parameters in the flags field.)
It makes sense to save it unless users explicitly replace the image.
Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
We need not handle the image_head as a special case. Just use
a double-pointer to simplify the traverse.
Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
lookup_image(_desc)_from_uuid() traverses the linked list, so it
is not efficient. We just want to make sure *p points to NULL here.
Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
Commit e0f083a09b ("fiptool: Prepare ground for expanding the set
of images at runtime") introduced another side effect; the "update"
command now changes the image order in the FIP.
Let's say you have an FIP with BL2, BL31, BL32, BL33. If you update
for example, BL32 with the "update" command, you will get a new FIP
with BL2, BL31, BL33, BL32, in this order.
It happens like this; remove_image() removes the old image from the
linked list, add_image() adds the new image at the tail of the list,
then images are packed in the new order. Prior to that commit,
images were updated by replace_image(), but it was deleted by the
re-work. Revive replace_image() that is re-implemented to work with
the linked list.
Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
The conditional
if (desc != NULL)
...
is always true here because we assert it 6 lines above:
assert(desc != NULL);
Remove the if-conditional and concatenate the printf() calls.
Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
This line should check the existence of the input file, but it is
actually checking the output file. When -o option is given to the
"update" command, the outfile is unlikely to exist, then parse_fip()
is skipped and an empty FIP file is output. This is wrong behavior.
Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
The current user guide mentions that Foundation model doesn't support
debugger interface. Clarify that all FVPs support --cadi-server option
such that a CADI-compliant debugger can connect to and control model
execution.
Also fix broken URL to FVP home page.
Change-Id: Ia14d618a4e0abb4b228eb1616040f9b51fb3f6f9
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
With GCC 6.2 compiler, more C undefined behaviour is being flagged as
warnings, which result in build errors in ARM TF build.
The specific issue that this patch resolves is the use of (1 << 31),
which is predominantly used in case statements, where 1 is represented
as a signed int. When shifted to msb the behaviour is undefined.
The resolution is to specify 1 as an unsigned int using a convenience
macro ULL(). A duplicate macro MAKE_ULL() is replaced.
FixesARM-software/tf-issues#438
Change-Id: I08e3053bbcf4c022ee2be33a75bd0056da4073e1
Signed-off-by: David Cunado <david.cunado@arm.com>
To avoid timing side-channel attacks, it is needed to use a constant
time memory comparison function when comparing hashes. The affected
code only cheks for equality so it isn't needed to use any variant of
memcmp(), bcmp() is enough.
Also, timingsafe_bcmp() is as fast as memcmp() when the two compared
regions are equal, so this change incurrs no performance hit in said
case. In case they are unequal, the boot sequence wouldn't continue as
normal, so performance is not an issue.
Change-Id: I1c7c70ddfa4438e6031c8814411fef79fd3bb4df
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Some side-channel attacks involve an attacker inferring something from
the time taken for a memory compare operation to complete, for example
when comparing hashes during image authentication. To mitigate this,
timingsafe_bcmp() must be used for such operations instead of the
standard memcmp().
This function executes in constant time and so doesn't leak any timing
information to the caller.
Change-Id: I470a723dc3626a0ee6d5e3f7fd48d0a57b8aa5fd
Signed-off-by: dp-arm <dimitris.papastamos@arm.com>
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
This code has been imported and slightly adapted from FreeBSD:
6253393ad8/lib/libc/string/strnlen.c
Change-Id: Ie5ef5f92e6e904adb88f8628077fdf1d27470eb3
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
One nasty part of ATF is some of boolean macros are always defined
as 1 or 0, and the rest of them are only defined under certain
conditions.
For the former group, "#if FOO" or "#if !FOO" must be used because
"#ifdef FOO" is always true. (Options passed by $(call add_define,)
are the cases.)
For the latter, "#ifdef FOO" or "#ifndef FOO" should be used because
checking the value of an undefined macro is strange.
For AARCH32/AARCH64, these macros are defined in the top-level
Makefile as follows:
ifeq (${ARCH},aarch32)
$(eval $(call add_define,AARCH32))
else
$(eval $(call add_define,AARCH64))
endif
This means only one of the two is defined. So, AARCH32/AARCH64
belongs to the latter group where we should use #ifdef or #ifndef.
The conditionals are mostly coded correctly, but I see some mistakes.
Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
One nasty part of ATF is some of boolean macros are always defined
as 1 or 0, and the rest of them are only defined under certain
conditions.
For the former group, "#if FOO" or "#if !FOO" must be used because
"#ifdef FOO" is always true. (Options passed by $(call add_define,)
are the cases.)
For the latter, "#ifdef FOO" or "#ifndef FOO" should be used because
checking the value of an undefined macro is strange.
Here, IMAGE_BL* is handled by make_helpers/build_macro.mk like
follows:
$(eval IMAGE := IMAGE_BL$(call uppercase,$(3)))
$(OBJ): $(2)
@echo " CC $$<"
$$(Q)$$(CC) $$(TF_CFLAGS) $$(CFLAGS) -D$(IMAGE) -c $$< -o $$@
This means, IMAGE_BL* is defined when building the corresponding
image, but *undefined* for the other images.
So, IMAGE_BL* belongs to the latter group where we should use #ifdef
or #ifndef.
Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
Soren reports build fails if -j option is given:
$ make -j16 CROSS_COMPILE=aarch64-linux-gnu-
Building fvp
make: *** No rule to make target 'build/fvp/release/bl1/',
needed by 'build/fvp/release/bl1/bl1.ld'. Stop.
make: *** Waiting for unfinished jobs....
The cause of the failure is that $(dir ) leaves a trailing / on the
directory names. It must be ripped off to let Make create the
directory.
There are some ways to fix the issue. Here, I chose to make MAKE_LD
look like MAKE_C and MAKE_S because bl*_dirs seems the central place
of making directories.
Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
Reported-by: Soren Brinkmann <soren.brinkmann@xilinx.com>
Tested-by: Soren Brinkmann <soren.brinkmann@xilinx.com>
In mbedtls_x509_parser.c there are some static arrays that are filled
during the integrity check and then read whenever an authentication
parameter is requested. However, they aren't cleared in case of an
integrity check failure, which can be problematic from a security
point of view. This patch clears these arrays in the case of failure.
Change-Id: I9d48f5bc71fa13e5a75d6c45b5e34796ef13aaa2
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Fix the parameter type of the maintenance functions of data cache.
Add missing declarations for AArch32 versions of dcsw_op_louis and
dcsw_op_all to match the AAch64 ones.
Change-Id: I4226e8ea4f8b2b5bc2972992c83de659ee0da52c
We have lots of duplicated defines (and comment blocks too).
Move them to include/plat/common/common_def.h.
While we are here, suffix the end address with _END instead of
_LIMIT. The _END is a better fit to indicate the linker-derived
real end address.
Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
The usage of _LIMIT seems odd here, so rename as follows:
BL_CODE_LIMIT --> BL_CODE_END
BL_RO_DATA_LIMIT --> BL_RO_DATA_END
BL1_CODE_LIMIT --> BL1_CODE_END
BL1_RO_DATA_LIMIT --> BL1_RO_DATA_END
Basically, we want to use _LIMIT and _END properly as follows:
*_SIZE + *_MAX_SIZE = *_LIMIT
*_SIZE + *_SIZE = *_END
The _LIMIT is generally defined by platform_def.h to indicate the
platform-dependent memory constraint. So, its typical usage is
ASSERT(. <= BL31_LIMIT, "BL31 image has exceeded its limit.")
in a linker script.
On the other hand, _END is used to indicate the end address of the
compiled image, i.e. we do not know it until the image is linked.
Here, all of these macros belong to the latter, so should be
suffixed with _END.
Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
NOTE - this is patch does not address all occurrences of system
includes not being in alphabetical order, just this one case.
Change-Id: I3cd23702d69b1f60a4a9dd7fd4ae27418f15b7a3
Delete old version of libfdt at lib/libfdt. Move new libfdt API
headers to include/lib/libfdt and all other files to lib/libfdt.
Change-Id: I32b7888f1f20d62205310e363accbef169ad7b1b
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
* Add libfdt.mk helper makefile
* Remove unused libfdt files
* Minor changes to fdt.h and libfdt.h to make them C99 compliant
Adapted from 754d78b1b3.
Change-Id: I0847f1c2e6e11f0c899b0b7ecc522c0ad7de210c
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Import libfdt code from https://git.kernel.org/cgit/utils/dtc/dtc.git
tag "v1.4.2" commit ec02b34c05be04f249ffaaca4b666f5246877dea.
This version includes commit d0b3ab0a0f46ac929b4713da46f7fdcd893dd3bd,
which fixes a buffer overflow in fdt_offset_ptr().
Change-Id: I05a30511ea68417ee7ff26477da3f99e0bd4e06b
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Douglas Raillard
Jeenu Viswambharan
Masahiro Yamada
danh-arm
David Cunado
Antonio Nino Diaz
Sandrine Bailleux
Koan-Sin Tan
Haojian Zhuang