Update CoT binding documentation to add the signing-key property
as optional in root-certificates and add rot_keys node
Change-Id: I1d1fbc0394275520cfa43213d5b7006e51990fdd
Signed-off-by: Lauren Wehrmeister <lauren.wehrmeister@arm.com>
Until now we have only supported describing chain of trusts through the
CoT DTB with a single ROTPK so the signing key for root certificates was
implicit. Therefore signing key was not a supported property in the
root certificates node.
Now we want to extend that to describe CoTs with mulitiple roots of
trust so we need a way to specify for each root certificate with which
ROTPK it should be verified. For that, we reuse the 'signing-key'
property already in use for the non-root certificates, but we make it
optional for root certificates in single-RoT CoTs and for root
certificates signed with the default ROTPK in multi-RoT CoTs.
Change-Id: I41eb6579e8f1d01eaf10480fe5e224d2eed9c736
Signed-off-by: Lauren Wehrmeister <lauren.wehrmeister@arm.com>
When building BL1 with SEPARATE_CODE_AND_RODATA=0, symbol names
__RO_{START|END}__ are ignored by memory map dump script.
Fix it by including the symbol in regular expression.
While at it, update the copyright year to current.
Change-Id: Iafeab75c5711429ea0b744510caf27dd8784a29a
Signed-off-by: Sekhar Nori <nsekhar@ti.com>
Enable handoff to BL31 and BL32 using transfer list.
Encode TL_TAG_OPTEE_PAGABLE_PART as transfer entry.
Fallback to default handoff args when transfer list is disabled or
fails to archieve args from transfer entries.
Refactor handoff from BL2 to BL33.
Minor fixes of comment style.
Change-Id: I55d92ca7f5c4727bacc9725a7216c0ac70d16aec
Signed-off-by: Raymond Mao <raymond.mao@linaro.org>
Enable handoff to OP-TEE using transfer list.
Create transfer list when loading OP-TEE image via non-secure SMC call.
Fallback to default handoff args when transfer list is disabled or
transfer list signature does not exist.
Change-Id: I94bb5b7fdfbb8829016a9d5d9ef5aff993d7cc99
Signed-off-by: Raymond Mao <raymond.mao@linaro.org>
* changes:
feat(stm32mp2): put back core 1 in wfi after debugger's halt
feat(stm32mp2): add plat_my_core_pos
fix(stm32mp2): correct early/crash console init
Add support for FFA_CONSOLE_LOG in EL3 SPMC,
Disallow forwarding FFA_CONSOLE_LOG across worlds.
Add support for FFA_CONSOLE_LOG in FFA_FEATURES.
Input parameters:
w0/x0 - FFA_CONSOLE_LOG_32/64
w1/x1 - Character count
w2/x2-w7/x7 - 24 or 48 characters depending upon whether a SMC32 or
SMC64 FID was used.
Output parameters in case of success:
w0/x0 - FFA_SUCCESS
Output parameters in case of error:
w0/x0 - FFA_ERROR
w2/x2 - NOT_SUPPORTED: ABI is not implemented
INVALID_PARAMETERS: Parameters are incorrectly encoded
Signed-off-by: Shruti Gupta <shruti.gupta@arm.com>
Change-Id: I004c043729e77d1b9aa396c42d25c73d9268169a
Coverity Scan reminded that we need to take care of MPIDR properly.
We need to make sure that we get MPIDR values from QEMU.
No MPIDR == panic() in case which should not happen.
Signed-off-by: Marcin Juszkiewicz <marcin.juszkiewicz@linaro.org>
Change-Id: Idb5fe7d958f0bcecd3d66a643743f478538f4a8b
Added an assumption in generic threat model that platform's hardware
conforms the Platform Security Requirements specification.
Change-Id: I753287feec1cd459edfd3d1c103e0e701827cc05
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
As stated in the commit introducing the NS_TIMER_SWITCH build flag,
saving/restoring this registers causes the non-secure timer to stop
while in the secure world and non-secure timer interrupts are prevented
from asserting until we return to the non-secure world. This breaks
any realtime OS on the non-secure side that uses this timer for
realtime scheduling.
This flag is by default off, but OP-TEE SPD enables it. The K3 OP-TEE
platform makes no use of these registers and we would like to have
support for realtime OSs while also supporting the OP-TEE SPD. Disable
this flag in our platform definition.
Signed-off-by: Andrew Davis <afd@ti.com>
Change-Id: I65055512d897b93b7690fd63c734f4731a6e09e6
The core 1 is put in wfi for pen holding. If a debugger halts the
core, it causes the core to exit from wfi.
Let the core to jump back in wfi when the debugger resumes the
core's execution.
Signed-off-by: Antonio Borneo <antonio.borneo@foss.st.com>
Change-Id: I9b5607b05cdcde905dc4047af8d6f1292d53d701
This function is required, at least for bakery locks.
Change-Id: I28906c50e0a0ebff5d387a424247513ec1a599fc
Signed-off-by: Yann Gautier <yann.gautier@st.com>
The former code, using x2 register, was removing the LPEN bit from UART
config register. So the UART clock is stopped as soon as the CA35 is in
CSleep. It was then displaying crap in Linux console.
The ands check instruction is replaced with a clearer tst instruction
directly with the bit to be tested.
Change-Id: I8a2b3ab195981dee2962e0c2f5d501d5933c17f4
Signed-off-by: Yann Gautier <yann.gautier@st.com>
Calculate the free space as the range between the
limit and the end of the memory region *_REGION_END.
Change-Id: I9cacadea2543c9f5ddaebca82344a83678cd7d55
Signed-off-by: Harrison Mutai <harrison.mutai@arm.com>
The FF-A specification has made it such that SPs
may optionally specify their load address in the manifest.
This info was being retrieved to generate some information
for the SPMC manifest. However, it is not a mandatory utility.
This change relaxes the case in which the SP manifest doesn't
have a load address.
Signed-off-by: J-Alves <joao.alves@arm.com>
Change-Id: Ic4c1b1ec6666522900c113903be45ba0eb5d0bf6
QEMU provides us with minimal information about hardware platform using
minimalistic DeviceTree. This is not a Linux DeviceTree. It is not even
a firmware DeviceTree.
Change-Id: I7b6cc5f53a4f78a9ed69bc7fc2fa1a69ea65428d
Signed-off-by: Marcin Juszkiewicz <marcin.juszkiewicz@linaro.org>
We want to remove use of DeviceTree from EDK2. So we move
functions to TF-A:
- counting cpu cores
- checking NUMA node id
- checking MPIDR
And then it gets passed to EDK2 via SMC calls.
Change-Id: I1c7fc234ba90ba32433b6e4aa2cf127f26da00fd
Signed-off-by: Marcin Juszkiewicz <marcin.juszkiewicz@linaro.org>
EL2 registers are 8 byte wide and are allocated continuous memory.
After moving MPAM_EL2 registers out of the EL2 struct, the section
of memory, assigned to MPAM registers in EL2 registers structure has
to be removed.
Henceforth, this patch addresses this issue and cleans up the unsued memory.
Change-Id: I3425b43add0755ff1f5cb803cd5fa667082e7814
Signed-off-by: Jayanth Dodderi Chidanand <jayanthdodderi.chidanand@arm.com>
* changes:
fix(rotpk): move rotpk definitions out of arm_def.h
feat(cpu): add support for Poseidon V CPU
fix(cpu): correct variant name for default Poseidon CPU
fix(rmmd): avoid TRP when external RMM is defined
The TF-A does have a official PRELOADED_BL33_BASE define which is used
to tell the TF-A where to jump and that no bl33 loading is requied. Use
this to make the platform specific PLAT_NS_IMAGE_OFFSET configurable.
This becomes necessary if one would like to place the bl33 code to other
places.
Signed-off-by: Marco Felsch <m.felsch@pengutronix.de>
Change-Id: I9d462c0e9df8e6d2ad78ee770bfa59e680739a51
* changes:
feat(qemu): support TRP for RME
feat(qemu): load and run RMM image
feat(qemu): setup Granule Protection Table
feat(qemu): setup memory map for RME
feat(qemu): update mapping types for RME
feat(qemu): use mock attestation functions for RME
fix(qemu): increase max FIP size
When an external RMM is not provided during make invocation, include the
Test Realm Payload (TRP) to the FIP.
Change-Id: I15d396cf268a08d79da63075aadb4172238eb225
Signed-off-by: Jean-Philippe Brucker <jean-philippe@linaro.org>
When RME is enabled, jump to the RMM image before BL33. When using
semihosting rather than FIP, the image called "rmm.bin" is loaded from
the runtime directory.
Change-Id: I15863410b1e505aa502276b339b22a2ddcb0b745
Signed-off-by: Jean-Philippe Brucker <jean-philippe@linaro.org>
When RME is enabled, call the GPT library to setup the granule
protection tables and partition the physical address space.
Change-Id: Ib466c4579ff55fcff9307550e6d26d432674779a
Signed-off-by: Jean-Philippe Brucker <jean-philippe@linaro.org>
Reserve some space in DRAM for RMM, and some space in SRAM for the GPT
tables. Create the page table mappings.
Change-Id: I3822e7e505e86eb0fa15b1b5b6298e4122b17181
Signed-off-by: Jean-Philippe Brucker <jean-philippe@linaro.org>
With RME, mappings for EL3 use MT_ROOT rather than MT_SECURE. Update the
mapping types to select the right memory type: EL3_PAS is MT_ROOT when
RME is enabled, MT_SECURE otherwise.
Change-Id: I93e287009515b64e833a6f69545766be4c87e473
Signed-off-by: Jean-Philippe Brucker <jean-philippe@linaro.org>
Since QEMU doesn't yet emulate hardware attestation, provide hardcoded
key and token to demonstrate attestation for RME. They are copied from
the mock values for the FVP platform.
Change-Id: I9ce686955345854e9409af5c3aad2a648adea226
Signed-off-by: Jean-Philippe Brucker <jean-philippe@linaro.org>
The max FIP size for the QEMU virt platform is currently 4MB, which
isn't enough when including a RMM in the FIP. Since the secure flash
size is actually 64MB, we can significantly increase the max FIP size.
Change-Id: Id2b5df355f8d4c90a41fec66f180e46eb7bab9f8
Fixes: a886bbeceb ("qemu: Update flash address map to keep FIP in secure FLASH0")
Signed-off-by: Jean-Philippe Brucker <jean-philippe@linaro.org>
The file arm_def.h currently contains common definitions used by ARM
platforms. However, some platforms may have their own definitions,
allowing them to avoid a direct dependency on arm_def.h. For a clean
platform port of arm_def.h, none of the source files should directly
include arm_def.h; instead, they should include the platform header
which would indirectly include the required definitions.
Presently, the rotpk module has a source file that directly includes
arm_def.h. This could lead to compilation issues if the platform
incorporating the rotpk module has a separate implementation of some or
all of the definitions in arm_def.h file. To address this, move the
relevant definitions out of arm_def.h and into rotpk_def.h.
Signed-off-by: Rohit Mathew <Rohit.Mathew@arm.com>
Change-Id: I9e8b0d319391f9a167af5c69a7b2d42ac488e7b4
Enable support for Poseidon V CPUs. Poseidon V CPUs are distinguished by
a 3MB L2 cache, differing from Poseidon VN(AE) CPUs with a 2MB L2 cache.
This enhancement ensures compatibility with RD-Fremont and similar
platforms utilizing Poseidon V CPUs.
CC: Vijayenthiran Subramaniam <vijayenthiran.subramaniam@arm.com>
Signed-off-by: Rohit Mathew <Rohit.Mathew@arm.com>
Change-Id: Icdcc5f57c62855b2ec54c58a401d3bf09f292189
Update the Poseidon CPU variant name to "POSEIDON VNAE" in alignment
with the MIDR 0x410FD830. This adjustment reflects the accurate
designation for the default Poseidon CPU and allows for seamless support
of other variants in the future.
CC: Vijayenthiran Subramaniam <vijayenthiran.subramaniam@arm.com>
Signed-off-by: Rohit Mathew <Rohit.Mathew@arm.com>
Change-Id: I48183290ffc2889d6ae000d3aa423c0ee5e4d211
The Test Realm Package (TRP) is a small payload that runs at R-EL2 if an
external RMM image path is not provided. Currently, the TRP makefile is
included if RME is enabled, regardless of whether an external RMM
image path is defined or not. This fix ensures that TRP is included
only when an external RMM path is not defined.
Signed-off-by: Rohit Mathew <Rohit.Mathew@arm.com>
Change-Id: I3cc3d2a636e65071e45c5c82cc125290887ffc09
The code in the AMD-Xilinx platform for Versal and Versal NET is being
refactored to move the plat_get_syscnt_freq2() function to a common
file. This common function is utilized for obtaining the CPU clock
frequency from the platform.
Change-Id: I7a4c3fa43a2941d51cacd259c57b24e545aea848
Signed-off-by: Prasad Kummari <prasad.kummari@amd.com>
