This patch implements the platform APIs plat_get_rotpk_info,
plat_get_nv_ctr, plat_set_nv_ctr to invoke CryptoCell SBROM
APIs when ARM_CRYPTOCELL_INT is set.
Change-Id: I693556b3c7f42eceddd527abbe6111e499f55c45
Signed-off-by: Soby Mathew <soby.mathew@arm.com>
This patch implements the basic lifecycle state check when CryptoCell
SBROM is initialized. Currently the check ensures that if the lifecycle
state is Security Disabled (SD), the boot process does not proceed
further.
Change-Id: I5101335453cd3ea413e97bcfb9138a96c05e1aea
Signed-off-by: Soby Mathew <soby.mathew@arm.com>
This patch makes the necessary changes to enable ARM platform to
successfully integrate CryptoCell during Trusted Board Boot. The
changes are as follows:
* A new build option `ARM_CRYPTOCELL_INTEG` is introduced to select
the CryptoCell crypto driver for Trusted Board boot.
* The TrustZone filter settings for Non Secure DRAM is modified
to allow CryptoCell to read this memory. This is required to
authenticate BL33 which is loaded into the Non Secure DDR.
* The CSS platforms are modified to use coherent stacks in BL1 and BL2
when CryptoCell crypto is selected. This is because CryptoCell makes
use of DMA to transfer data and the CryptoCell SBROM library allocates
buffers on the stack during signature/hash verification.
Change-Id: I1e6f6dcd1899784f1edeabfa2a9f279bbfb90e31
Signed-off-by: Soby Mathew <soby.mathew@arm.com>
This patch adds a crypto driver which utilizes the ARM® TrustZone®
CryptoCell-712 to verify signature and hash during Trusted Board Boot. Along
with this driver, the CryptoCell SBROM library is required to successfully
build the BL image. The path to this library is specified via
the `CCSBROM_LIB_PATH` variable. Please note that, mbedTLS is still required
to do the X509 certificate ASN.1 parsing and CryptoCell is only utilized for
signature and hash verification.
Change-Id: If82dfbae0d7772ba1c64839f0b27850c103fe253
Signed-off-by: Soby Mathew <soby.mathew@arm.com>
This patch adds header files with required declarations and
macro definitions to enable integration with CryptoCell SBROM
version `CC712 – Release 1.0.0.1061`. These headers enable ARM
Trusted Firmware to build and link with CryptoCell SBROM
library.
Change-Id: I501eda7fe1429acb61db8e1cab78cc9aee9c1871
Signed-off-by: Soby Mathew <soby.mathew@arm.com>
This patch defines the variable `LDLIBS` which allows external
libraries to be specified to 'ld' to enable it to link the
libraries.
Change-Id: I02a490eca1074063d00153ccb0ee974ef8859a0e
Signed-off-by: Soby Mathew <soby.mathew@arm.com>
CFLAGS content can be set on the command line to allow passing extra
options to the compiler. Its content is appended after the options set
by the Makefile (TF_CFLAGS).
The Makefiles must use TF_CFLAGS instead of CFLAGS, as the latter can be
completely overriden by setting it on the command line.
Also tell about LDFLAGS in the "Debugging options" section.
Change-Id: Iaf27b424002898ef3040133f78cb133983a37aee
Signed-off-by: Douglas Raillard <douglas.raillard@arm.com>
Use TF_LDFLAGS from the Makefiles, and still append LDFLAGS as well to
the compiler's invocation. This allows passing extra options from the
make command line using LDFLAGS.
Document new LDFLAGS Makefile option.
Change-Id: I88c5ac26ca12ac2b2d60a6f150ae027639991f27
Signed-off-by: Douglas Raillard <douglas.raillard@arm.com>
Updated section 6, building a FIP for Juno and FVP, adding
instructions for AArch32 and AArch64.
Updated section 4.1, summary of build options, to include a
description of the `JUNO_AARCH32_EL3_RUNTIME` build flag.
Change-Id: I4ed006522cab981371c382859063f088fbfcb8f7
Signed-off-by: Isla Mitchell <isla.mitchell@arm.com>
Without the additional newlines all the text becomes a single paragraph
and next newlines are ignored.
Change-Id: I783198477f654e3923fcabb21248f2bc62c33e9d
Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
For rk3399, the L2ACTLR[14] is 0 by default, as ACE CCI-500 doesn't
support WriteEvict. and you will hit the condition L2ACTLR[3] with 0,
as the Evict transactions should propagate to CCI-500 since it has
snoop filters.
Maybe this erratum applies to all Cortex-A53 cores so far, especially
if RK3399's A53 is a r0p4. we should enable it to avoid data corruption,
Change-Id: Ib86933f1fc84f8919c8e43dac41af60fd0c3ce2f
Signed-off-by: Caesar Wang <wxt@rock-chips.com>
A recent commit 030567e6f5 added U()/ULL()
macro to TF constants. This has caused some signed-unsigned comparison
warnings / errors in the TF static analysis.
This patch addresses these issues by migrating impacted variables from
signed ints to unsigned ints and vice verse where applicable.
Change-Id: I4b4c739a3fa64aaf13b69ad1702c66ec79247e53
Signed-off-by: David Cunado <david.cunado@arm.com>
On Juno AArch32, the L2 cache may contain garbage after the warm reset
from AArch64 to AArch32. This is all fine until the MMU is configured
and the data caches enabled. To avoid fetching stale data from the L2
unified cache, invalidate it before the warm reset to AArch32 state.
Change-Id: I7d27e810692c02c3e83c9f31de67f6bae59a960a
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>
Before BL2 loads the SCP ram firmware, `SCP_BOOT_CFG_ADDR` specifies
the primary core. After the SCP ram firmware has started executing,
`SCP_BOOT_CFG_ADDR` is modified. This is not normally an issue but
the Juno AArch32 boot flow is a special case. BL1 does a warm reset
into AArch32 and the core jumps to the `sp_min` entrypoint. This is
effectively a `RESET_TO_SP_MIN` configuration. `sp_min` has to be
able to determine the primary core and hence we need to restore
`SCP_BOOT_CFG_ADDR` to the cold boot value before `sp_min` runs.
This magically worked when booting on A53 because the core index was
zero and it just so happened to match with the new value in
`SCP_BOOT_CFG_ADDR`.
Change-Id: I105425c680cf6238948625c1d1017b01d3517c01
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>
Use TF_CFLAGS instead of CFLAGS, to allow CFLAGS to be overriden from
the make command line.
Change-Id: I3e5726c04bcd0176f232581b8be2c94413374ac7
Signed-off-by: Douglas Raillard <douglas.raillard@arm.com>
This change avoids warning about type conversion.
Signed-off-by: Yann Gautier <yann.gautier@st.com>
Signed-off-by: Etienne Carriere <etienne.carriere@st.com>
Use NULL instead of 0 where required.
Include headers to have the prototype of the functions.
Signed-off-by: Yann Gautier <yann.gautier@st.com>
Signed-off-by: Etienne Carriere <etienne.carriere@st.com>
This change avoids warnings when setting -Wmissing-prototypes or when
using sparse tool.
Signed-off-by: Yann Gautier <yann.gautier@st.com>
Signed-off-by: Etienne Carriere <etienne.carriere@st.com>
Call svc_suspend_finish if registered.
psci_get_stat() is static to psci_stat.c
Fix types used in comparison.
Fix coding style (empty line between variable definition and instructions
block).
Signed-off-by: Etienne Carriere <etienne.carriere@st.com>
These errata are only applicable to AArch64 state. See the errata notice
for more details:
http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.epm048406/index.html
Introduce the build options ERRATA_A53_835769 and ERRATA_A53_843419.
Enable both of them for Juno.
Apply the 835769 workaround as following:
* Compile with -mfix-cortex-a53-835769
* Link with --fix-cortex-a53-835769
Apply the 843419 workaround as following:
* Link with --fix-cortex-a53-843419
The erratum 843419 workaround can lead the linker to create new sections
suffixed with "*.stub*" and 4KB aligned. The erratum 835769 can lead the
linker to create new "*.stub" sections with no particular alignment.
Also add support for LDFLAGS_aarch32 and LDFLAGS_aarch64 in Makefile for
architecture-specific linker options.
Change-Id: Iab3337e338b7a0a16b0d102404d9db98c154f8f8
Signed-off-by: Douglas Raillard <douglas.raillard@arm.com>
TLBI instructions for monitor mode won't have the desired effect under
specific circumstances in Cortex-A57 r0p0. The workaround is to
execute DSB and TLBI twice each time.
Even though this errata is only needed in r0p0, the current errata
framework is not prepared to apply run-time workarounds. The current one
is always applied if compiled in, regardless of the CPU or its revision.
The `DSB` instruction used when initializing the translation tables has
been changed to `DSB ISH` as an optimization and to be consistent with
the barriers used for the workaround.
NOTE: This workaround is present in AArch64 TF and already enabled by
default on Juno.
Change-Id: I10b0baa304ed64b13b7b26ea766e61461e759dfa
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>
SPE is only supported in non-secure state. Accesses to SPE specific
registers from SEL1 will trap to EL3. During a world switch, before
`TTBR` is modified the SPE profiling buffers are drained. This is to
avoid a potential invalid memory access in SEL1.
SPE is architecturally specified only for AArch64.
Change-Id: I04a96427d9f9d586c331913d815fdc726855f6b0
Signed-off-by: dp-arm <dimitris.papastamos@arm.com>
This patch updates the el3_arch_init_common macro so that it fully
initialises essential control registers rather then relying on hardware
to set the reset values.
The context management functions are also updated to fully initialise
the appropriate control registers when initialising the non-secure and
secure context structures and when preparing to leave EL3 for a lower
EL.
This gives better alignement with the ARM ARM which states that software
must initialise RES0 and RES1 fields with 0 / 1.
This patch also corrects the following typos:
"NASCR definitions" -> "NSACR definitions"
Change-Id: Ia8940b8351dc27bc09e2138b011e249655041cfc
Signed-off-by: David Cunado <david.cunado@arm.com>
This patch enables cache helper functions `flush_dcache_range`,
`clean_dcache_range` and `invalidate_dcache_range` to exit early
if the size argument specified is zero
Change-Id: I0b63e8f4bd3d47ec08bf2a0b0b9a7ff8a269a9b0
Signed-off-by: Soby Mathew <soby.mathew@arm.com>
This patch fixes the following issues in Firmware Update (FWU) code:
1. The FWU layer maintains a list of loaded image ids and
while checking for image overlaps, INVALID_IMAGE_IDs were not
skipped. The patch now adds code to skip INVALID_IMAGE_IDs.
2. While resetting the state corresponding to an image, the code
now resets the memory used by the image only if the image were
copied previously via IMAGE_COPY smc. This prevents the invalid
zeroing of image memory which are not copied but are directly
authenticated via IMAGE_AUTH smc.
Change-Id: Idf18e69bcba7259411c88807bd0347d59d9afb8f
Signed-off-by: Soby Mathew <soby.mathew@arm.com>
Currently, ROTPK_NOT_DEPLOYED flag is set in plat_get_rotpk_info().
It is up to users how to retrieve ROTPK if the ROT verification is
desired. This is not nice.
This commit improves plat_get_rotpk_info() implementation and automates
the ROTPK deployment. UniPhier platform has no ROTPK storage, so it
should be embedded in BL1/BL2, like ARM_ROTPK_LOCATION=devel_rsa case.
This makes sense because UniPhier platform implements its internal ROM
i.e. BL1 is used as updatable pseudo ROM.
Things work like this:
- ROT_KEY (default: $(BUILD_PLAT)/rot_key.pem) is created if missing.
Users can override ROT_KEY from the command line if they want to
use a specific ROT key.
- ROTPK_HASH is generated based on ROT_KEY.
- ROTPK_HASH is included by uniphier_rotpk.S and compiled into BL1/BL2.
- ROT_KEY is input to cert_create tool.
Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
danh-arm
Soby Mathew
Douglas Raillard
Isla Mitchell
Roberto Vargas
Caesar Wang
davidcunado-arm
Dimitris Papastamos
Etienne Carriere
Masahiro Yamada