Upgrade to the latest and greatest 2.x release of Mbed TLS library
(i.e. v2.28.0) to take advantage of their bug fixes.
Note that the Mbed TLS project published version 3.x some time
ago. However, as this is a major release with API breakages, upgrading
to 3.x might require some more involved changes in TF-A, which we are
not ready to do. We shall upgrade to mbed TLS 3.x after the v2.7
release of TF-A.
Change-Id: I887dfd87893169c7be53b986e6c43338d15949d7
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
Upgrade to the latest and greatest 2.x release of Mbed TLS library
(i.e. v2.28.0) to take advantage of their bug fixes.
Note that the Mbed TLS project published version 3.x some time
ago. However, as this is a major release with API breakages, upgrading
to 3.x might require some more involved changes in TF-A, which we are
not ready to do. We shall upgrade to mbed TLS 3.x after the v2.7
release of TF-A.
Actually, the upgrade this time simply boils down to including the new
source code module 'constant_time.c' into the firmware.
To quote mbed TLS v2.28.0 release notes [1]:
The mbedcrypto library includes a new source code module
constant_time.c, containing various functions meant to resist timing
side channel attacks. This module does not have a separate
configuration option, and functions from this module will be
included in the build as required.
As a matter of fact, if one is attempting to link TF-A against mbed
TLS v2.28.0 without the present patch, one gets some linker errors
due to missing symbols from this new module.
Apart from this, none of the items listed in mbed TLS release
notes [1] directly affect TF-A. Special note on the following one:
Fix a bug in mbedtls_gcm_starts() when the bit length of the iv
exceeds 2^32.
In TF-A, we do use mbedtls_gcm_starts() when the firmware decryption
feature is enabled with AES-GCM as the authenticated decryption
algorithm (DECRYPTION_SUPPORT=aes_gcm). However, the iv_len variable
which gets passed to mbedtls_gcm_starts() is an unsigned int, i.e. a
32-bit value which by definition is always less than 2**32. Therefore,
we are immune to this bug.
With this upgrade, the size of BL1 and BL2 binaries does not appear to
change on a standard sample test build (with trusted boot and measured
boot enabled).
[1] https://github.com/Mbed-TLS/mbedtls/releases/tag/v2.28.0
Change-Id: Icd5dbf527395e9e22c8fd6b77427188bd7237fd6
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
Right now, TF-A documentation recommends downloading Arm compilers
from:
https://developer.arm.com/open-source/gnu-toolchain/gnu-a/downloads
However, this page is now deprecated, as indicated by the banner at
the top of the page. When navigating to the new recommended page, one
can see the following note, which provides the rationale for the
deprecation:
GNU Toolchain releases from Arm were published previously as two
separate releases - one for A-profile and the other for R & M
profiles (GNU Toolchain for A-profile processors and GNU Arm
Embedded Toolchain).
Arm GNU Toolchain releases unifies these two into a single release
and the previous way of releases therefore have been
discontinued. However, the previous releases will continue to be
available for reference.
This patch updates the link to the new recommended place for compiler
downloads.
Change-Id: Iefdea3866a1af806a5db2d2288edbb63c543b8ee
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
Add Sieu Mun Tang and Benjamin Jit Loon Lim as new
Intel SocFPGA platform maintainers and remove the
rest of the Intel SocFPGA platform maintainers.
Signed-off-by: Sieu Mun Tang <sieu.mun.tang@intel.com>
Change-Id: Ieb9a35e278d70a12351aaccab90ddc7be09dc861
* changes:
feat(spmc): add support for direct req/resp
feat(spmc): add support for handling FFA_ERROR ABI
feat(spmc): add support for FFA_MSG_WAIT
feat(spmc): add function to determine the return path from the SPMC
feat(spmd): enable handling of FF-A SMCs with the SPMC at EL3
feat(spmd): update SPMC init flow to use EL3 implementation
feat(spmc): add FF-A secure partition manager core
feat(spmc): prevent read only xlat tables with the EL3 SPMC
feat(spmc): enable building of the SPMC at EL3
refactor(spm_mm): reorganize secure partition manager code
Depending on the shell used, the grep command can fail, leading to
a wrong dtc version detection. Correct that by adding quotes.
Signed-off-by: Yann Gautier <yann.gautier@foss.st.com>
Change-Id: I329ec929559c94bf1bf99b127662c9d978e067cf
With the transition to mailman3, the URLs of TF-A and TF-A Tests
mailing lists have changed. However, we still refer to the old
location, which are now dead links.
Update all relevant links throughout the documentation.
There is one link referring to a specific thread on the TF-A mailing
list in the SPM documentation, for which I had to make a guess as to
what's the equivalent mailman3 URL. The old URL scheme indicates that
the thread dates from February 2020 but beyond that, I could not make
sense of the thread id within the old URL so I picked the most likely
match amongst the 3 emails posted on the subject in this time period.
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
Reported-by: Kuohong Wang <kuohong.wang@mediatek.com>
Change-Id: I83f4843afd1dd46f885df225931d8458152dbb58
Enable the SPMC to handle FFA_MSG_SEND_DIRECT_REQ and
FFA_MSG_SEND_DIRECT_RESP ABIs.
Signed-off-by: Marc Bonnici <marc.bonnici@arm.com>
Change-Id: Ia196c7405993f600e4fdbf467397ea3fb035a62a
This ABI is only valid during SP initialisation to indicate
failure. If this occurs during SP initialisation signal a failure,
otherwise respond with a not supported error code.
Signed-off-by: Marc Bonnici <marc.bonnici@arm.com>
Change-Id: I0182a1641c0f6850e82173af333be79b594f2318
Handle an incoming call of FFA_MSG_WAIT from the secure world
and update the runtime state of the calling partition accordingly.
This ABI can be called in the following scenarios:
- Used by an SP to signal it has finished initializing.
- To resume the normal world after handling a secure interrupt
that interrupted the normal world.
- To relinquish control back to the normal world.
Signed-off-by: Marc Bonnici <marc.bonnici@arm.com>
Change-Id: I929713a2280e8ec291b5b4e8f6d4b49df337228c
Use knowledge of the target partition ID and source security state
to determine which route should be used to exit the SPMC.
There are 3 exit paths:
1) Return to the normal world via the SPMD, this will take care of
switching contexts if required.
2) Return to the secure world when the call originated in the normal
world and therefore switch contexts.
3) Return to the secure world when the call originated in the secure
world, therefore we can return directly.
Signed-off-by: Marc Bonnici <marc.bonnici@arm.com>
Change-Id: I4037f3a8a8519e2c9f1876be92806d2c41d0d154
Any FF-A SMC that arrives from the normal world is handled by the
SPMD before being forwarded to the SPMC. Similarly any SMC
arriving from the secure world will hit the SPMC first and be
forwarded to the SPMD if required, otherwise the SPMC will
respond directly.
This allows for the existing flow of handling FF-A ABI's when
the SPMC resides at a lower EL to be preserved.
In order to facilitate this flow the spmd_smc_forward function
has been split and control is either passed to the SPMC or it is
forwarded as before. To allow this the flags and cookie parameters
must now also be passed into this method as the SPMC must be able to
provide these when calling back into the SPMD handler as appropriate.
Signed-off-by: Marc Bonnici <marc.bonnici@arm.com>
Change-Id: I84fee8390023295b9689067e14cd25cba23ca39b
Allow the SPMD to initialise an SPMC implementation at EL3 directly
rather than at a lower EL.
This includes removing the requirement to parse an SPMC manifest to
obtain information about the SPMC implementation, in this case since the
SPMD and SPMC reside in the same EL we can hardcode the required
information directly.
Signed-off-by: Marc Bonnici <marc.bonnici@arm.com>
Change-Id: I66d1e1b3ec2d0abbfc28b011a32445ee890a331d
This patch introduces the core support for enabling an SPMC in EL3
as per the FF-A spec.
The current implemented functionality is targeted to enable
initialization of the SPMC itself and initial support for
bringing up a single S-EL1 SP.
This includes initialization of the SPMC's internal state,
parsing of an SP's manifest, preparing the cpu contexts and
appropriate system registers for the Secure Partition.
The spmc_smc_handler is the main handler for all incoming SMCs
to the SPMC, FF-A ABI handlers and functionality will
be implemented in subsequent patches.
Signed-off-by: Marc Bonnici <marc.bonnici@arm.com>
Change-Id: Ib33c240b91e54cbd018a69fec880d02adfbe12b9
* changes:
refactor(stm32mp1-fdts): remove nvmem_layout node
refactor(stm32mp1): drop the "st,stm32-nvmem-layout" node
refactor(st): remove useless includes
The result variable is not being used so it's better to delete it.
Signed-off-by: Jorge Troncoso <jatron@google.com>
Change-Id: Icae614076ce1ba7cdc86267473d59a8bec682f6c
If using the EL3 SPMC ensure that we don't mark the translation
tables as read only. The SPMC requires the ability to map and
unmap a partitions RX/TX buffers at runtime.
Signed-off-by: Sayanta Pattanayak <sayanta.pattanayak@arm.com>
Signed-off-by: Marc Bonnici <marc.bonnici@arm.com>
Change-Id: Ibb78a6a2e3847ce4ec74ce81a9bb61ce34fec24c
Introduce build flag for enabling the secure partition
manager core, SPMC_AT_EL3. When enabled, the SPMC module
will be included into the BL31 image. By default the
flag is disabled.
Signed-off-by: Marc Bonnici <marc.bonnici@arm.com>
Change-Id: I5ea1b953e5880a07ffc91c4dea876a375850cf2a
As part of the RFC:
https://review.trustedfirmware.org/c/TF-A/trusted-firmware-a/+/13651,
this patch adds the 'cm_prepare_el3_exit_ns' function. The function is
a wrapper to 'cm_prepare_el3_exit' function for Non-secure state.
When EL2 sysregs context exists (CTX_INCLUDE_EL2_REGS is
enabled) EL1 and EL2 sysreg values are restored from the context
instead of directly updating the registers.
Signed-off-by: Zelalem Aweke <zelalem.aweke@arm.com>
Change-Id: I9b071030576bb05500d54090e2a03b3f125d1653
The patch removes initialization of MPAM EL2 registers when an EL2
software exists. The patch assumes the EL2 software will perform
the necessary initializations of the registers.
Signed-off-by: Zelalem Aweke <zelalem.aweke@arm.com>
Change-Id: I5bed81bc22f417bc3e3cbbcd860a8553cd4307cd
This patch splits the function 'cm_setup_context' into four
functions to make it more readable and easier to maintain.
The function is split into the following functions based on
the security state of the context.
- setup_context_common - performs common initializations
- setup_secure_context - performs Secure state specific
initializations
- setup_realm_context - performs Realm state specific
initializations
- setup_ns_context - performs Non-secure state specific
initializations
Signed-off-by: Zelalem Aweke <zelalem.aweke@arm.com>
Change-Id: Ie14a1c2fc6586087e7aa36537cf9064c80802f8f
The following registers are only accessible from secure state,
therefore don't need to be saved/restored during world switch.
- SDER32_EL2
- VSTCR_EL2
- VSTTBR_EL2
This patch removes these registers from EL2 context.
Signed-off-by: Zelalem Aweke <zelalem.aweke@arm.com>
Change-Id: I24d08aacb1b6def261c7b37d3e1265bb76adafdc
Cortex-X2 erratum 2147715 is a Cat B erratum that applies to revision
r2p0 and is fixed in r2p1. The workaround is to set CPUACTLR_EL1[22]=1,
which will cause the CFP instruction to invalidate all branch predictor
resources regardless of context.
SDEN can be found here:
https://developer.arm.com/documentation/SDEN1775100/latest
Signed-off-by: Bipin Ravi <bipin.ravi@arm.com>
Change-Id: I2d81867486d9130f2c36cd4554ca9a8f37254b57
Used MBEDTLS_CONFIG_FILE macro for including mbedTLS
configuration.
Signed-off-by: Manish V Badarkhe <manish.badarkhe@arm.com>
Change-Id: I374b59a31df3ab1e69481b2c37a6f7455a106b6e
The reported function raises a error when compilers assert the flag
`-Warray-parameter=`, signaling that an array-type argument was promoted
to a pointer-type argument. We observed this behaviour with the gcc 11.2
version.
plat/xilinx/common/pm_service/pm_ipi.c:263:34: error: argument 1 of type 'uint32_t *'
{aka 'unsigned int *'} declared as a pointer [-Werror=array-parameter=]
263 | uint32_t calculate_crc(uint32_t *payload, uint32_t bufsize)
| ~~~~~~~~~~^~~~~~~
In file included from plat/xilinx/common/pm_service/pm_ipi.c:16:
plat/xilinx/common/include/pm_ipi.h:30:33: note: previously declared as an array 'uint32_t[8]'
{aka 'unsigned int[8]'}
30 | uint32_t calculate_crc(uint32_t payload[PAYLOAD_ARG_CNT], uint32_t buffersize);
| ~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~
cc1.real: all warnings being treated as errors
Signed-off-by: Venkatesh Yadav Abbarapu <venkatesh.abbarapu@xilinx.com>
Change-Id: I7329f2e76ee0ca5faba71eb50babd20a796fee64
is_lock_acquired() function is only used in assert() statements, so when
compiling without asserts, e.g. with DEBUG=0, the function is unused.
this is okay when compiling with gcc because the function is marked as
inline but that doesn't work for clang. let's mark this as __unused to
avoid -Wunused-function warning-as-error.
Change-Id: I93f808fd15f715a65d1bd4f7592affb7997c4bad
Signed-off-by: Okash Khawaja <okash@google.com>
In preparation for adding the EL3 SPMC configuration as defined in
the FF-A specification, restructure the existing SPM_MM code.
With this restructuring of the code, the 'spm_mm' directory is
renamed as 'spm' and the code inside has been split into two
sub-directories named 'common' and 'spm_mm'. The code in 'spm_mm'
directory contains the code that implements the MM interface.
In subsequent patches, the 'spmc' directory will be introduced
under the 'spm' directory providing the code that implements
the 'FF-A' interface.
Currently the common functionality for S-EL1 partitions is
limited to assembler functions to enter and exit an SP
synchronously.
Signed-off-by: Marc Bonnici <marc.bonnici@arm.com>
Change-Id: I37739b9b53bc68e151ab5c1c0c6a15b3ee362241
* changes:
feat(gic600ae_fmu): enable all GICD, PPI, ITS SMs
feat(gic600ae_fmu): disable SMID for unavailable blocks
feat(gic600ae_fmu): introduce support for RAS error handling
Rupinderjit Singh
Joanna Farley
Sandrine Bailleux
Madhukar Pappireddy
Lauren Wehrmeister
Sieu Mun Tang
Olivier Deprez
Manish Pandey
Yann Gautier
Marc Bonnici
Jorge Troncoso
Sayanta Pattanayak
Zelalem Aweke
Bipin Ravi
Manish V Badarkhe
Venkatesh Yadav Abbarapu
Okash Khawaja