These fields were not updated accidentally on the v2.6.0 release.
Change-Id: I215105da618ff6f72057eaa40a34ff4b24f7ee36
Signed-off-by: Chris Kay <chris.kay@arm.com>
Updated the fiptool to avoid packing the zero size images in
the FIP.
Also, updated the commitlint-json file to cover the fiptool
changes under a separate scope.
Change-Id: Id7ac3dcff0c7318546e49308d0f17b6cbd5eb24b
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
fiptool links to libcrypto, so as with the other tools it should respect
OPENSSL_DIR for include/library paths.
Change-Id: Icd8c15fa5097db1da9a3a9222d9e267548c4c7e2
Signed-off-by: Ross Burton <ross.burton@arm.com>
This change introduces a new NPM run script to automatically generate
the release changelog, as well as bump version numbers across the
code-base and create the release tag.
This script runs [Standard Version] to execute this, which is a tool
designed around automating substantial parts of the release process.
This can be done by running:
npm run release -- [<standard-version args>]
Standard Version expects the project to adhere to the [Semantic
Versioning] convention which TF-A does not, so you may need to specify
the version manually, e.g.:
npm run release -- --release-as 2.6.0
Individual steps of the release process may also be skipped at-will,
which may be necessary when, for example, tweaking the changelog:
npm run release -- --skip.commit --skip.tag
Standard Version is configured by the `.versionrc.js` file, which
contains information about the Conventional Commits types and scopes
used by the project, and how they map to the changelog.
To maintain continuity with the existing changelog style - at least to
the extent possible in the move from manual to automatic creation - a
customized changelog template has been introduced, based on the
Conventional Commits template provided by Standard Version.
This template package extends the Conventional Commits template package
by introducing support for parsing the Conventional Commits scopes into
changelog sections, similarly to how they were previously organized.
[Standard Version]:
https://github.com/conventional-changelog/standard-version
[Semantic Versioning]: https://semver.org
Change-Id: I5bafa512daedc631baae951651c38c1c62046b0a
Signed-off-by: Chris Kay <chris.kay@arm.com>
* changes:
refactor(gpt): productize and refactor GPT library
feat(rme): disable Watchdog for Arm platforms if FEAT_RME enabled
docs(rme): add build and run instructions for FEAT_RME
fix(plat/fvp): bump BL2 stack size
fix(plat/fvp): allow changing the kernel DTB load address
refactor(plat/arm): rename ARM_DTB_DRAM_NS region macros
refactor(plat/fvp): update FVP platform DTS for FEAT_RME
feat(plat/arm): add GPT initialization code for Arm platforms
feat(plat/fvp): add memory map for FVP platform for FEAT_RME
refactor(plat/arm): modify memory region attributes to account for FEAT_RME
feat(plat/fvp): add RMM image support for FVP platform
feat(rme): add GPT Library
feat(rme): add ENABLE_RME build option and support for RMM image
refactor(makefile): remove BL prefixes in build macros
feat(rme): add context management changes for FEAT_RME
feat(rme): add Test Realm Payload (TRP)
feat(rme): add RMM dispatcher (RMMD)
feat(rme): run BL2 in root world when FEAT_RME is enabled
feat(rme): add xlat table library changes for FEAT_RME
feat(rme): add Realm security state definition
feat(rme): add register definitions and helper functions for FEAT_RME
The changes include:
- A new build option (ENABLE_RME) to enable FEAT_RME
- New image called RMM. RMM is R-EL2 firmware that manages Realms.
When building TF-A, a path to RMM image can be specified using
the "RMM" build flag. If RMM image is not provided, TRP is built
by default and used as RMM image.
- Support for RMM image in fiptool
Signed-off-by: Zelalem Aweke <zelalem.aweke@arm.com>
Change-Id: I017c23ef02e465a5198baafd665a60858ecd1b25
* changes:
feat(plat/rcar3): keep RWDT enabled
feat(drivers/rcar3): add extra offset if booting B-side
feat(plat/rcar3): modify LifeC register setting for R-Car D3
feat(plat/rcar3): modify SWDT counter setting for R-Car D3
feat(plat/rcar3): update DDR setting for R-Car D3
feat(plat/rcar3): remove access to RMSTPCRn registers in R-Car D3
feat(plat/rcar3): add process of SSCG setting for R-Car D3
feat(plat/rcar3): add process to back up X6 and X7 register's value
feat(plat/rcar3): modify operation register from SYSCISR to SYSCISCR
feat(plat/rcar3): add SYSCEXTMASK bit set/clear in scu_power_up
feat(plat/rcar3): change the memory map for OP-TEE
feat(plat/rcar3): use PRR cut to determine DRAM size on M3
feat(plat/rcar3): apply ERRATA_A53_1530924 and ERRATA_A57_1319537
fix(plat/rcar3): fix disabling MFIS write protection for R-Car D3
fix(plat/rcar3): fix eMMC boot support for R-Car D3
fix(plat/rcar3): fix version judgment for R-Car D3
fix(plat/rcar3): fix source file to make about GICv2
fix(drivers/rcar3): console: fix a return value of console_rcar_init
The UUID field in SP manifest DTS is represented as an array of four
integers that the SPMC consumes using the little endian representation.
The reason is that those values are directly mapped to the SMCCC section
5.3 recommendation and the way they are exposed to the
FFA_PARTITION_INFO_GET interface.
Per [1] TF-A build flow expects a big endian representation of the UUID
so the sp_mk_generator script is updated to accommodate this conversion.
[1] https://review.trustedfirmware.org/c/TF-A/trusted-firmware-a/+/9563
Signed-off-by: Olivier Deprez <olivier.deprez@arm.com>
Change-Id: I7c7b295225e23ea64f49170e27d97442b289703b
The memory area size of OP-TEE was changed from 1MB to 2MB
because the size of OP-TEE has increased.
Signed-off-by: Toshiyuki Ogasahara <toshiyuki.ogasahara.bo@hitachi.com>
Signed-off-by: Yoshifumi Hosoya <yoshifumi.hosoya.wj@renesas.com>
Change-Id: Ic8a165c83a3a9ef2829f68d5fabeed9ccb6da95e
Add parameters to fill header version:
Two new options are added (m and n) to fill header version major and minor.
The default is v1.0 (major = 1, minor = 0)
Fix image header on big endian hosts:
Three header fields are not properly converted to little endian
before assignment, resulting in incorrect header while executing
stm32image on big endian hosts.
Convert the value of the header fields version_number,
image_checksum and edcsa_algorithm to little endian before the
assignment.
Don't force the base of strtol, since it's able to select the base
automatically depending on the prefix of the value.
This does not breaks the current build script that extracts the
addresses, including the 0x prefix, from the map file.
This change helps using stm32image in shell scripts where the
addresses can be computed using the shell arithmetic expansion
"$((...))", that produces a value in base decimal.
The variable stm32image_header is declared with global visibility
but is use in one function only, move it as local variable in the function.
Fix error message on destination file:
The error message on mmap() failure of destination file reports
incorrectly information about the source file.
Change the error message to match the file that causes the error.
Change-Id: Iebc8c915297306845b3847b32f9516443a515c97
Signed-off-by: Yann Gautier <yann.gautier@st.com>
Signed-off-by: Antonio Borneo <antonio.borneo@st.com>
Signed-off-by: Nicolas Le Bayon <nicolas.le.bayon@st.com>
Calling 'make clean' in 'all' target is causing recompilation of binary
at every 'make' call, which is wrong.
Also building a new target via 'make TARGET' can cause infinite loop as
it is not defined as explicit make dependency. Dependent targets must be
specified after colon when defining target, which also prevents infinite
loops as make is able to detect these circular dependencies.
Moreover calling 'make clean' is supposed to be done by user when
configuration is changing.
So remove calling 'make clean' in 'all' target and define dependency for
'${PROJECT}' at correct place.
Signed-off-by: Pali Rohár <pali@kernel.org>
Change-Id: I70e7fd2b04b02f6a0650c82df91d58c9a4cb24d9
NXP tool to create pbl from bl2 binary:
- RCW is prepended to BL2.bin
- If TRUSTED_BOARD_BOOT=1, pre-append the CSF header
to be understood by NXP boot-rom.
Signed-off-by: Pankaj Gupta <pankaj.gupta@nxp.com>
Change-Id: Iddc7336a045222e2073ddad86358ebc4440b8bcf
Generic framework is added to include platform defined UUID.
This framework is added for the following:
- All NXP SoC based platforms needed additional fip-fuse.bin
- NXP SoC lx2160a based platforms requires additional fip-ddr.bin
Signed-off-by: Pankaj Gupta <pankaj.gupta@nxp.com>
Change-Id: Ibe05d9c596256e34077287a490dfcd5b731ef2cf
Changes to 'tools/cert_create' folder, to include platform defined
certificates, keys, and extensions.
NXP SoC lx2160a : based platforms requires additional
FIP DDR to be loaded before initializing the DDR.
To enable chain of trust on these platforms, FIP DDR
image needs to be authenticated, additionally.
Platform specific folder 'tools/nxp/cert_create_helper'
is added to support platform specific macros and definitions.
Signed-off-by: Pankaj Gupta <pankaj.gupta@nxp.com>
Change-Id: I4752a30a9ff3aa1d403e9babe3a07ba0e6b2bf8f
This bug manifests itself as a segfault triggered by a double-free.
I noticed that right before the double-free, the sk list contained 2
elements with the same address.
(gdb) p sk_X509_EXTENSION_value(sk, 1)
$34 = (X509_EXTENSION *) 0x431ad0
(gdb) p sk_X509_EXTENSION_value(sk, 0)
$35 = (X509_EXTENSION *) 0x431ad0
(gdb) p sk_X509_EXTENSION_num(sk)
$36 = 2
This caused confusion; this should never happen.
I figured that this was caused by a ext_new_xxxx function freeing
something before it is added to the list, so I put a breakpoint on
each of them to step through. I was suprised to find that none of my
breakpoints triggered for the second element of the iteration through
the outer loop just before the double-free.
Looking through the code, I noticed that it's possible to avoid doing
a ext_new_xxxx, when either:
* ext->type == NVCOUNTER and ext->arg == NULL
* ext->type == HASH and ext->arg == NULL and ext->optional == false
So I put a breakpoint on both.
It turns out that it was the HASH version, but I added a fix for both.
The fix for the Hash case is simple, as it was a mistake. The fix for
the NVCOUNTER case, however, is a bit more subtle. The NVCOUNTER may
be optional, and when it's optional we can skip it. The other case,
when the NVCOUNTER is required (not optinal), the `check_cmd_params`
function has already verified that the `ext->arg` must be non-NULL.
We assert that before processing it to covert any possible segfaults
into more descriptive errors.
This should no longer cause double-frees by adding the same ext twice.
Change-Id: Idae2a24ecd964b0a3929e6193c7f85ec769f6470
Signed-off-by: Jimmy Brisson <jimmy.brisson@arm.com>
The certification tool creates all the certificates mentioned
statically in the code rather than taking explicit certificate
requests from the command line parameters.
Code is optimized to avoid unnecessary attempts to create
non-requested certificates.
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
Change-Id: I78feac25bc701bf8f08c6aa5a2e1590bec92d0f2
Add tool support for creating bootparam and cert_header images
for RZ/G2 SoC based platforms.
Signed-off-by: Biju Das <biju.das.jz@bp.renesas.com>
Reviewed-by: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
Change-Id: Iab8ba6eda442c8d75f23c5633b8178f86339e4c9
Don't depend on clean when building, as the user is capable of cleaning
if required and this introduces a race where "all" depends on both the
compile and the clean in parallel. It's quite possible for some of the
compile to happen in parallel with the clean, which results in the link
failing as objects just built are missing.
Change-Id: I710711eea7483cafa13251c5d94ec693148bd001
Signed-off-by: Ross Burton <ross.burton@arm.com>
When OpenSSL's macro allocates the HASH struct, it allocates the fields
as well. After this allocation, the prior code would assign over the
pointers inside the HASH struct, leaking these fields. This patch
avoids allocating extra copies of these members.
Change-Id: I50a38b0a04b52ec54d6388db0f694feb578d2818
Signed-off-by: Jimmy Brisson <jimmy.brisson@arm.com>
Previously, we would leak these extensions as they are not freed by the
stack. An except from the `sk_TYPE_free` documentation:
sk_TYPE_free() frees up the sk structure. It does not free up any
elements of sk. After this call sk is no longer valid.
The fix is to drain the stack and free its elements before freeing the
stack. sk_TYPE_pop_free does this, so we use that instead.
Change-Id: Ie70c302f9dda5af1a7243f163d36e99916ee639c
Signed-off-by: Jimmy Brisson <jimmy.brisson@arm.com>
Although support for building fiptool on a Windows host was present,
the binary was not built when the top level makefile was invoked.
This patch makes the necessary changes to the to support building of
fiptool on a Windows host PC from the main makefile.
Change-Id: I0c01ba237fa3010a027a1b324201131210cf4d7c
Signed-off-by: Sami Mujawar <sami.mujawar@arm.com>
Windows does not have a standard getopt implementation. To address
this an equivalent implementation has been provided in win_posix.c
However, the implementation has an issue with option processing as
described below.
Long option names may be abbreviated if the abbreviation is unique
or an exact match for some defined option.
Since some options can be substring of other options e.g. "scp-fw"
option is a substring of "scp-fwu-cfg", we need to identify if an
option is abbreviated and also check for uniqueness. Otherwise if
a user passes --scp-fw as an option, the "scp-fwu-cfg" option may
get selected, resulting in an incorrectly packaged FIP.
This issue has been be fixed by:
- First searching for an exact match.
- If exact match was not found search for a abbreviated match.
By doing this an incorrect option selection can be avoided.
Change-Id: I22f4e7a683f3df857f5b6f0783bf9b03a64a0bcc
Signed-off-by: Sami Mujawar <sami.mujawar@arm.com>
This patch: fafd3ec9c assumes that tools must build from
the main makefile folder.
This assumption leads to the error when somebody wants to
build a tool from the tool's folder.
Hence changes are done to provide the default binary name
in the tool's makefile.
Change-Id: Iae570a7f8d322151376b6feb19e739300eecc3fc
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
Currently, the tool's makefile override the tool's binary name
which is already been defined in the main makefile.
Hence fix is provided so that the tool's makefile get the tool's
binary name from the main makefile instead of overriding it.
Change-Id: I8af2bd391a96bba2dbcddef711338a94ebf5f038
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
With recently introduced dualroot CoT for SPs where they are owned
either by SiP or by Platform. SiP owned SPs index starts at SP_PKG1_ID
while Plat owned SPs index starts at SP_PKG5_ID.
This patch modifies SP makefile generator script to take CoT as an
argument and if it is "dualroot" then generates SP_PKG in order
mentioned above, otherwise generates it sequentially.
Signed-off-by: Ruari Phipps <ruari.phipps@arm.com>
Change-Id: Iffad1131787be650a9462f6f8cc09b603cddb3b8
Add support to generate a certificate named "plat-sp-cert" for Secure
Partitions(SP) owned by Platform.
Earlier a single certificate file "sip-sp-cert" was generated which
contained hash of all 8 SPs, with this change SPs are divided into
two categories viz "SiP owned" and "Plat owned" containing 4 SPs each.
Platform RoT key pair is used for signing.
Signed-off-by: Manish Pandey <manish.pandey2@arm.com>
Change-Id: I5bd493cfce4cf3fc14b87c8ed1045f633d0c92b6
If the user tries to change BUILD_BASE to put the build products outside
the build tree the compile will fail due to hard coded assumptions that
$BUILD_BASE is a relative path. Fix by using $(abspath $(BUILD_BASE))
to rationalize to an absolute path every time and remove the relative
path assumptions.
This patch also adds documentation that BUILD_BASE can be specified by
the user.
Signed-off-by: Grant Likely <grant.likely@arm.com>
Signed-off-by: Manish Pandey <manish.pandey2@arm.com>
Change-Id: Ib1af874de658484aaffc672f30029b852d2489c8
Change the binary image alignment from 4 to 16.
The PKCS signature verification fails for unaligned images.
Change-Id: Ieb08dc3ea128790f542ad93e3c948117567a65af
Signed-off-by: Konstantin Porotchkin <kostap@marvell.com>
Replace deprecated mbedtls_sha256 with mbedtls_sha256_ret
The mbedtls_pk_parse_key does not work correctly anymore
with the DER buffer embedded in the secure image extentson
using the buffer size as the the key length.
Move to mbedtls_pk_parse_subpubkey API that handles such
case correctly.
The DER format already contains the key length, so there
is no particular reason to supply it to the key parser.
Update the doimage version to 3.3
Change-Id: I0ec5ee84b7d1505b43138e0b7a6bdba44a6702b6
Signed-off-by: Konstantin Porotchkin <kostap@marvell.com>
Querying the 'fiptool' for help or help <command> should return 0
return status (success) and not 1 (failure). In the other hand, if tool is
executed with any other command (not help) where command's parameters are
either missing or wrong, then the tool should return non-zero (failure). Now,
the 'usage' function caller is the one that passes the return status.
Change-Id: Id5eea91037cd810fb1e34a42e8199ef504f5daa4
Signed-off-by: Leonardo Sandoval <leonardo.sandoval@linaro.org>
Updated cert_tool to add hash information of fw_config image into
the existing "trusted boot fw" certificate.
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
Change-Id: I720319225925806a2a9f50a1ac9c8a464be975f0
Added support in fiptool to include fw_config image
in FIP.
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
Change-Id: Ibbd14723a4141598d9d7f6bfcf88a0ef92cf87bc
with sha 0792dd7, support to generate certificate for Secure
Partitions was added for dualroot CoT only, this patch extends
this support for tbbr CoT.
Signed-off-by: Manish Pandey <manish.pandey2@arm.com>
Change-Id: I451c0333536dd1cbe17861d454bdb0dc7a17c63f
To support secure boot of SP's update cert tool arguments while
generating sp_gen.mk which in turn is consumed by build system.
Signed-off-by: Manish Pandey <manish.pandey2@arm.com>
Change-Id: I2293cee9b7c684c27d387aba18e0294c701fb1cc
Add support to generate certificate "sip-sp-cert" for Secure
Partitions(SP) owned by Silicon provider(SiP).
To avoid deviation from TBBR specification the support is only added for
dualroot CoT and not for TBBR CoT.
A single certificate file is generated containing hash of individual
packages. Maximum 8 secure partitions are supported.
Following new options added to cert_tool:
--sip-sp-cert --> SiP owned Secure Partition Content Certificate
--sp-pkg1 --> Secure Partition Package1 file
--sp-pkg2
.....
--sp-pkg8
Trusted world key pair is used for signing.
Going forward, this feature can be extended for Platfrom owned
Partitions, if required.
Signed-off-by: Manish Pandey <manish.pandey2@arm.com>
Change-Id: Ia6dfbc1447cfb41b1fcbd12cf2bf7b88f409bd8d
Add firmware authenticated encryption tool which utilizes OpenSSL
library to encrypt firmwares using a key provided via cmdline. Currently
this tool supports AES-GCM as an authenticated encryption algorithm.
Signed-off-by: Sumit Garg <sumit.garg@linaro.org>
Change-Id: I60e296af1b98f1912a19d5f91066be7ea85836e4
Selection of the chain of trust is done through the COT build option:
> make COT=dualroot
Change-Id: Id87c7a5116bdd13bdb29645ecf31d111ad094c1e
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
Till now TF-A allows limited number of external images to be made part
of FIP. With SPM coming along, there may exist multiple SP packages
which need to be inserted into FIP. To achieve this we need a more
scalable approach to feed SP packages to FIP.
This patch introduces changes in build system to generate and add SP
packages into FIP based on information provided by platform.
Platform provides information in form of JSON which contains layout
description of available Secure Partitions.
JSON parser script is invoked by build system early on and generates
a makefile which updates FIP, SPTOOL and FDT arguments which will be
used by build system later on for final packaging.
"SP_LAYOUT_FILE" passed as a build argument and can be outside of TF-A
tree. This option will be used only when SPD=spmd.
For each SP, generated makefile will have following entries
- FDT_SOURCES += sp1.dts
- SPTOOL_ARGS += -i sp1.img:sp1.dtb -o sp1.pkg
- FIP_ARGS += --blob uuid=XXXX-XXX...,file=SP1.pkg
Signed-off-by: Manish Pandey <manish.pandey2@arm.com>
Change-Id: Ib6a9c064400caa3cd825d9886008a3af67741af7
This patch:
- Add the __COHERENT_RAM_START__ and __COHERENT_RAM_END__ symbols.
- Improve how the symbols are found with a regex.
- Add a build option to revert the memory layout output.
Change-Id: I54ec660261431bc98d78acb0f80e3d95bc5397ac
Signed-off-by: Louis Mayencourt <louis.mayencourt@arm.com>
Currently sptool generates a single blob containing all the Secure
Partitions, with latest SPM implementation, it is desirable to have
individual blobs for each Secure Partition. It allows to leverage
packaging and parsing of SP on existing FIP framework. It also allows
SP packages coming from different sources.
This patch modifies sptool so that it takes number of SP payload pairs
as input and generates number of SP blobs instead of a single blob.
Each SP blob can optionally have its own header containing offsets and
sizes of different payloads along with a SP magic number and version.
It is also associated in FIP with a UUID, provided by SP owner.
Usage example:
sptool -i sp1.bin:sp1.dtb -o sp1.pkg -i sp2.bin:sp2.dtb -o sp2.pkg ...
Signed-off-by: Manish Pandey <manish.pandey2@arm.com>
Change-Id: Ie2db8e601fa1d4182d0a1d22e78e9533dce231bc
Chris Kay
Madhukar Pappireddy
Manish V Badarkhe
Ross Burton
Soby Mathew
Zelalem Aweke
Manish Pandey
Olivier Deprez
Toshiyuki Ogasahara
Nicolas Le Bayon
Pali Rohár
Pankaj Gupta
Sandrine Bailleux
Lauren Wehrmeister
Jimmy Brisson
Biju Das
Sami Mujawar
Ruari Phipps
Grant Likely
joanna.farley
Konstantin Porotchkin
Leonardo Sandoval
Sumit Garg
Louis Mayencourt