Added support for cca CoT in the fiptool by adding the cca,
core_swd, and plat key certificates.
Signed-off-by: Lauren Wehrmeister <lauren.wehrmeister@arm.com>
Change-Id: I1ba559e188ad8c33cb0e643d7a2fc6fb96736ab9
Selection of the cca chain of trust is done through the COT build
option:
> make COT=cca
Signed-off-by: Lauren Wehrmeister <lauren.wehrmeister@arm.com>
Change-Id: I123c0a841f67434633a3123cc1fa3e2318585482
This chain of trust is targeted at Arm CCA solutions and defines 3
independent signing domains:
1) CCA signing domain. The Arm CCA Security Model (Arm DEN-0096.A.a) [1]
refers to the CCA signing domain as the provider of CCA components
running on the CCA platform. The CCA signing domain might be independent
from other signing domains providing other firmware blobs.
The CCA platform is a collective term used to identify all hardware and
firmware components involved in delivering the CCA security guarantee.
Hence, all hardware and firmware components on a CCA enabled system that
a Realm is required to trust.
In the context of TF-A, this corresponds to BL1, BL2, BL31, RMM and
associated configuration files.
The CCA signing domain is rooted in the Silicon ROTPK, just as in the
TBBR CoT.
2) Non-CCA Secure World signing domain. This includes SPMC (and
associated configuration file) as the expected BL32 image as well as
SiP-owned secure partitions. It is rooted in a new SiP-owned key called
Secure World ROTPK, or SWD_ROTPK for short.
3) Platform owner signing domain. This includes BL33 (and associated
configuration file) and the platform owner's secure partitions. It is
rooted in the Platform ROTPK, or PROTPK.
[1] https://developer.arm.com/documentation/DEN0096/A_a
Signed-off-by: Lauren Wehrmeister <lauren.wehrmeister@arm.com>
Change-Id: I6ffef3f53d710e6a2072fb4374401249122a2805
Increase the space for BL2 by 0xC000 to accommodate the increase in size
of BL2 when ARM_BL31_IN_DRAM is set.
Signed-off-by: Lauren Wehrmeister <lauren.wehrmeister@arm.com>
Change-Id: Ifc99da51f2de3c152bbed1c8269dcc8b9100797a
Replay-protected memory block access is enabled by writing 0x3
to PARTITION_ACCESS (bit[2:0]). Instead the driver is using the
first boot partition, which does not provide any playback protection.
Additionally, it unconditionally activates the first boot partition,
potentially breaking boot for SoCs that consult boot partitions,
require boot ack or downgrading to an old bootloader if the first
partition happens to be the inactive one.
Also, neither enabling or disabling the RPMB observes the
PARTITION_SWITCH_TIME. As there are no in-tree users for these
functions, drop them for now until a properly functional implementation
is added. That one will likely share most code with the existing boot
partition switch, which doesn't suffer from the described issues.
Change-Id: Ia4a3f738f60a0dbcc33782f868cfbb1e1c5b664a
Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
* changes:
feat(stm32mp1): extend STM32MP_EMMC_BOOT support to FIP format
refactor(mmc): replace magic value with new PART_CFG_BOOT_PARTITION_NO_ACCESS
refactor(mmc): export user/boot partition switch functions
Due to commit updating kernel yaml file [1], we need to align TF-A DT
files to what is done in kernel.
[1] c09acbc499e8 ("dt-bindings: pinctrl: use pinctrl.yaml")
Signed-off-by: Yann Gautier <yann.gautier@st.com>
Change-Id: Id717162e42d3959339d6c01883e87a9d4399f5d9
Instead of searching pinctrl node with its name, search with its
compatible. This will be necessary before pin-controller name changes
to pinctrl due to kernel yaml changes.
Signed-off-by: Yann Gautier <yann.gautier@st.com>
Change-Id: I00590414fa65e193c6a72941a372bcecac673f60
The link to commitlintrc.js file in the v2.7 changelog
is updated.
Change-Id: I24ee736180d8df72b2d831e110a9a3a80a6d9862
Signed-off-by: Jayanth Dodderi Chidanand <jayanthdodderi.chidanand@arm.com>
STM32MP_EMMC_BOOT allowed placing SSBL into the eMMC boot
partition along with FSBL. This allows atomic update of both
FSBL and SSBL at the same time. Previously, this was only
possible for the FSBL, as the eMMC layout expected by TF-A
had a single SSBL GPT partition in the eMMC user area.
TEE binaries remained in dedicated GPT partitions whether
STM32MP_EMMC_BOOT was on or off.
The new FIP format collects SSBL and TEE partitions into
a single binary placed into a GPT partition.
Extend STM32MP_EMMC_BOOT, so eMMC-booted TF-A first uses
a FIP image placed at offset 256K into the active eMMC boot
partition. If no FIP magic is detected at that offset or if
STM32MP_EMMC_BOOT is disabled, the GPT on the eMMC user area
will be consulted as before.
This allows power fail-safe update of all firmware using the
built-in eMMC boot selector mechanism, provided it fits into
the boot partition - SZ_256K. SZ_256K was chosen because it's
the same offset used with the legacy format and because it's
the size of the on-chip SRAM, where the STM32MP15x BootROM
loads TF-A into. As such, TF-A may not exceed this size limit
for existing SoCs.
Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
Change-Id: Id7bec45652b3a289ca632d38d4b51316c5efdf8d
Disabling access to the boot partition reverts the MMC to read from the
user area. Add a macro to make this clearer.
Suggested-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
Change-Id: I34a5a987980bb4690d08d255f465b11a4697ed5a
At the moment, mmc_boot_part_read_blocks() takes care to switch
to the boot partition before transfer and back afterwards.
This can introduce large overhead when reading small chunks.
Give consumers of the API more control by exporting
mmc_part_switch_current_boot() and mmc_part_switch_user().
Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
Change-Id: Ib641f188071bb8e0196f4af495ec9ad4a292284f
With recent changes, TF-A now panics on MC-1, Avenger96 and Odyssey:
NOTICE: CPU: STM32MP157C?? Rev.B
NOTICE: Model: Linux Automation MC-1 board
ERROR: regul ldo3: max value 750 is invalid
PANIC at PC : 0x2ffeebb7
as the driver takes great offense at the content of the device
tree. The parts in question were copy-pasted from ST DTs, but
those ST DTs were fixed by commit 67d95409ba
("refactor(stm32mp1-fdts): update regulator description").
Fix the breakage by transplanting the same changes into all
remaining STM32MP1 DTs.
Change was boot-tested on MC-1, but only build tested for the
other two.
Fixes: bba9fdee58 ("feat(stm32mp1): add regulator framework compilation")
Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
Change-Id: I143d0091625f62c313b3b71449c9ad99583d01c8
- Add security state attribute to memory and device regions.
- Rename device region reg attribution to base-address aligned with
memory regions.
- Add pages-count field to device regions.
- Refresh interrupt attributes description in device regions.
Signed-off-by: Olivier Deprez <olivier.deprez@arm.com>
Change-Id: I901f48d410edb8b10f65bb35398b80f18105e427
- Cite crash reports as an example of sensitive
information. Previously, it might have sounded like this was the
focus of the threat.
- Warn about logging high-precision timing information, as well as
conditionally logging (potentially nonsensitive) information
depending on sensitive information.
Change-Id: I33232dcb1e4b5c81efd4cd621b24ab5ac7b58685
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
For each threat, we now separate:
- how to mitigate against it;
- whether TF-A currently implements these mitigations.
A new "Mitigations implemented?" box is added to each threat to
provide the implementation status. For threats that are partially
mitigated from platform code, the original text is improved to make
these expectations clearer. The hope is that platform integrators will
have an easier time identifying what they need to carefully implement
in order to follow the security recommendations from the threat model.
Change-Id: I8473d75946daf6c91a0e15e61758c183603e195b
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
Updated following sections to document implementation of the FF-A boot
information protocol:
- Describing secure partitions.
- Secure Partition Packages.
- Passing boot data to the SP.
Also updated description of the manifest field 'gp-register-num'.
Signed-off-by: J-Alves <joao.alves@arm.com>
Change-Id: I5c856437b60cdf05566dd636a01207c9b9f42e61
This patch fixes the following encodings in the System register
encoding space for the MPAM registers. The encodings now match
with the Arm® Architecture Reference Manual Supplement for MPAM.
* MPAMVPM0_EL2
* MPAMVPM1_EL2
* MPAMVPM2_EL2
* MPAMVPM3_EL2
* MPAMVPM4_EL2
* MPAMVPM5_EL2
* MPAMVPM6_EL2
* MPAMVPM7_EL2
* MPAMVPMV_EL2
Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>
Change-Id: Ib339412de6a9c945a3307f3f347fe7b2efabdc18
After the SRC bit clear, we must wait for a while to make sure
the operation is finished. And don't enable all the PU domains
by default.
for USB OTG, the limitations are:
1. before system clock configuration. ipg clock runs at 12.5MHz.
delay time should longer than 82us.
2. after system clock configuration. ipg clock runs at 66.5MHz.
delay time should longer than 15.3us.
so add udelay 100 to safely clear the SRC bit 0.
Signed-off-by: Jacky Bai <ping.bai@nxp.com>
Change-Id: I52e8e7739fdaaf86442bcd148e768b6af38bcdb7
Denver CPUs use the same workaround for CVE-2017-5715 and CVE-2022-23960
vulnerabilities. The workaround for CVE-2017-5715 is always enabled, so
all Denver variants use CPU_NO_EXTRA3_FUNC as a placeholder for the
mitigation for CVE-2022-23960. This patch implements the approach.
Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>
Change-Id: I0863541ce19b6b3b6d1b2f901d3fb6a77f315189
Different from other i.MX SoCs, which typically use a 24MHz reference clock,
the i.MX8MQ uses a 25MHz reference clock. As the architected timer clock
frequency is directly sourced from the reference clock via a /3 divider this
SoC runs the timers at 8.33MHz.
Signed-off-by: Lucas Stach <l.stach@pengutronix.de>
Change-Id: Ief36af9ffebce7cb75a200124134828d3963e744
Optimizing the pinctrl_functions structure. Remove the pointer to
array of u16 type which consumes a lot of memory (64bits pointer to
array + 16B for END_OF_GROUPS + almost useless 8bits on every entry
which is the same for every group) and add two new members of type
u16 and u8 with the name called group_base and group_size
respectively.
The group_base member contains the base value of pinctrl group whereas
the group_size member contains the total number of groups requested
from the pinctrl function.
Overall, it saves around ~2KB of RAM and ~0.7KB of code memory.
Signed-off-by: Michal Simek <michal.simek@amd.com>
Signed-off-by: Ronak Jain <ronak.jain@xilinx.com>
Change-Id: I79b761b45df350d390fa344d411b340d9b2f13ac
Fixing possible Null pointer dereference error, found
by Coverity scan.
Change-Id: If60b7f7e13ecbc3c01e3a9c5005c480260bbabdd
Signed-off-by: David Vincze <david.vincze@arm.com>
Fix the wrong FF-A version being used for retrieving existing memory
descriptors for v1.0 clients. Internally these should always be stored
using the latest version rather than client version.
Signed-off-by: Marc Bonnici <marc.bonnici@arm.com>
Change-Id: Ibee1b2452c8d6ebd23bbd9d703c96ca185444093
Fix an incorrect bound check for overlapping memory regions which can
give false positives if the two regions are consecutive to each other.
Signed-off-by: Marc Bonnici <marc.bonnici@arm.com>
Change-Id: I997dc4d1ef2014660cc964aff0a73e348c44eff0
GCC 11 and Clang 14 now use the DWARF 5 standard by default however
Arm-DS currently only supports up to version 4. Therefore, for debug
builds, ensure the DWARF 4 standard is used.
Also update references for Arm DS-5 to it's successor Arm-DS (Arm
Development Studio).
Change-Id: Ica59588de3d121c1b795b3699f42c31f032cee49
Signed-off-by: Daniel Boulby <daniel.boulby@arm.com>
