253 commits

Author SHA1 Message Date
Karl Meakin
20629b3153 feat(sptool): generate ARM_BL2_SP_LIST_DTS file from sp_layout.json
TF-A makefile accepts a device-tree snippet to override hardcoded SP
nodes, via the `ARM_BL2_SP_LIST_DTS` variable. However the SPs declared
in `ARM_BL2_SP_LIST_DTS` must be in the same order as they are in the
FIP image, otherwise hash authentication will fail when loaded by BL2.

This patch generates the `ARM_BL2_SP_LIST_DTS` file from the
`sp_layout.json` file. The SPs in the FIP image are also generated from
`sp_layout.json`, so this ensures that there is only one source of truth
for the SP list, removing the possibility to have the lists disagree
with each other.

Signed-off-by: Karl Meakin <karl.meakin@arm.com>
Change-Id: I7d76715135c596605c6a02aad5196d967dfeb1ce
2023-08-11 11:49:47 +01:00
Rajasekaran Kalidoss
352366ede4 refactor(ethos-n): move build flags to ethosn_npu.mk
The build flags to enable the Arm(R) Ethos(TM)-N NPU driver are in arm
platform specific make files i.e. plat/arm/common/arm_common.mk. These
flags are renamed and moved to ethosn_npu.mk. Other source and make
files are changed to reflect the changes in these flags.

Signed-off-by: Rajasekaran Kalidoss <rajasekaran.kalidoss@arm.com>
Change-Id: I6fd20225343c574cb5ac1f0f32ff2fc28ef37ea6
2023-08-07 19:13:45 +02:00
Vincent Stehlé
aa57ce632c build(tools): avoid unnecessary link
In their respective makefiles, cert_create, encrypt_fw and fiptool
depend on the --openssl phony target as a prerequisite. This forces
those tools to be re-linked each time.

Move the dependencies on the --openssl target from the tools to their
makefiles all targets, to avoid unnecessary linking while preserving the
OpenSSL version printing done in the --openssl targets when in debug.

Fixes: cf2dd17ddd ("refactor(security): add OpenSSL 1.x compatibility")
Signed-off-by: Vincent Stehlé <vincent.stehle@arm.com>
Change-Id: I98a3ab30f36dffc253cecaaf3a57d2712522135d
2023-07-05 13:00:18 +02:00
Joanna Farley
92a44d5587 Merge "build(changelog): pretend scope-less build changes have the build scope" into integration 2023-06-20 15:16:26 +02:00
Michal Simek
f7d445fcbb chore(bl): add UNALIGNED symbols for TEXT/RODATA
Add symbols to mark end of TEXT/RODATA before page alignment.
Similar change was done by commit 8d69a03f6a ("Various
improvements/cleanups on the linker scripts") for
RO_END/COHERENT_RAM. These symbols help to know how much free
space is in the final binary because of page alignment.

Also show all *UNALIGNED__ symbols via poetry.
For example:
poetry run memory -p zynqmp -b debug

Change-Id: I322beba37dad76be9f4e88ca7e5b3eff2df7d96e
Signed-off-by: Michal Simek <michal.simek@amd.com>
2023-06-12 12:50:08 +02:00
Harrison Mutai
d0e3053c4f fix(memmap): reintroduce support for GNU map files
The initial patch stack only supported ELF files, which proved
particularly problematic when dealing with incomplete builds (i.e. build
didn't complete due to linker errors). This adds support for GNU map
files. Most analysis performed by the tool should be possible with map
files alone.

Change-Id: I89f775a98efc5aef6671a17d0e6e973df555a6fa
Signed-off-by: Harrison Mutai <harrison.mutai@arm.com>
2023-06-08 14:06:00 +01:00
Manish Pandey
f6bf4d6bc8 Merge changes from topic "hm/memmap-feat" into integration
* changes:
  feat(memmap): add topological memory view
  feat(memmap): add tabular memory use data
2023-06-07 17:48:14 +02:00
Manish Pandey
d4affdce80 Merge "fix(stm32mp1): add void entry in plat_def_toc_entries" into integration 2023-06-07 17:30:11 +02:00
Manish Pandey
ba56ea6fed Merge "fix(fiptool): move juno plat_fiptool.mk" into integration 2023-06-05 12:42:03 +02:00
Sandrine Bailleux
7f126ccff6 Merge changes from topic "cot_cca_nvctr" into integration
* changes:
  feat(fvp): mock support for CCA NV ctr
  feat(auth): add CCA NV ctr to CCA CoT
  feat(build): pass CCA NV ctr option to cert_create
  feat(cert-create): add new option for CCA NV ctr
2023-06-05 08:13:33 +02:00
Sandrine Bailleux
9b5c0fcdba Merge changes from topic "hm/memmap-feat" into integration
* changes:
  build(bl32): add symbols for memory layout
  build(bl31): add symbols for memory layout
  build(bl2): add symbols for memory layout
  build(bl1): add symbols for memory layout
  refactor: improve readability of symbol table
2023-06-01 14:36:46 +02:00
laurenw-arm
60753a6329 feat(cert-create): add new option for CCA NV ctr
Extends cert_create tool with a new option for CCA NV
counter: ccafw_nvctr.

And changes the non-volatile counter used to protect
the CCA Content Certificate from the Trusted FW NV counter
to the CCA FW NV counter in the CCA CoT description.

Change-Id: I27f3ab2e25809f0dcc56fa05e5c3a25a2e861ef6
Signed-off-by: Lauren Wehrmeister <lauren.wehrmeister@arm.com>
2023-05-25 16:40:43 -05:00
Juan Pablo Conde
b78ad00e58 docs(changelog): changelog for v2.9 release
Change-Id: Ic8cd82c5424af422feedefdc001d291001817a8b
Signed-off-by: Juan Pablo Conde <juanpablo.conde@arm.com>
2023-05-19 13:49:08 -05:00
Chris Kay
c84d632d0d build(changelog): pretend scope-less build changes have the build scope
In response to feedback provided during review of the v2.9 changelog,
commits with the `build` type and without a scope are now treated as
though they have the `build` scope as well.

Change-Id: I9628e0faf1fcf31fe88758ad3e75ca8febf1bb36
Signed-off-by: Chris Kay <chris.kay@arm.com>
2023-05-18 15:58:29 +01:00
Rob Hughes
570a23099c fix(fiptool): move juno plat_fiptool.mk
plat_fiptool.mk files now need to be in tools/fiptool/plat_fiptool/, so
this file has been moved to the new location so that it is picked up
correctly by the build system.

Change-Id: Id3596b08bc856362e300f3dfefcaab5d75b4c400
Signed-off-by: Rob Hughes <robert.hughes@arm.com>
2023-05-17 09:19:35 +02:00
Harrison Mutai
cc60aba227 feat(memmap): add topological memory view
Present memory usage in hierarchical view. This view maps modules to
their respective segments and sections.

Change-Id: I5c374b46738edbc83133441ff3f4268f08cb011d
Signed-off-by: Harrison Mutai <harrison.mutai@arm.com>
2023-05-12 14:38:22 +01:00
Harrison Mutai
d9d5eb138d feat(memmap): add tabular memory use data
Add support for tabulating static memory consumption data from ELF
binaries. This relies on static symbols, defined in the linker files,
that provide information about the memory ranges.

Change-Id: Ie19cd2b80a7b591607640feeb84c63266963ea4d
Signed-off-by: Harrison Mutai <harrison.mutai@arm.com>
2023-05-12 14:38:22 +01:00
Harrison Mutai
af5b49e992 refactor: improve readability of symbol table
Make the symbol table produced by the memory mapping script more
readable. Add a generic interface for interacting with ELF binaries.
This interface enables us to get symbols that provide some insights into
TF-A's memory usage.

Change-Id: I6646f817a1d38d6184b837b78039b7465a533c5c
Signed-off-by: Harrison Mutai <harrison.mutai@arm.com>
2023-05-12 14:38:22 +01:00
Yann Gautier
8214ecdab2 fix(stm32mp1): add void entry in plat_def_toc_entries
The fill_image_descs() function in fiptool adds images until
.cmdline_name is NULL.
Add a void entry to STM32MP1 plat_def_toc_entries[] to properly
escape the loop.
Also reported by Valentyn Korniienko (@ValentiWorkLearning) on github
with pull requests [1] and [2].

[1] https://github.com/ARM-software/arm-trusted-firmware/pull/1997
[2] https://github.com/STMicroelectronics/arm-trusted-firmware/pull/8

Signed-off-by: Yann Gautier <yann.gautier@foss.st.com>
Change-Id: I94fd36ca677d46ce6df95c7674c6b6bd365b28c7
2023-05-12 08:56:14 +02:00
Elyes Haouas
1b491eead5 fix(tree): correct some typos
found using codespell (https://github.com/codespell-project/codespell).

Signed-off-by: Elyes Haouas <ehaouas@noos.fr>
Change-Id: I1bfa797e3460adddeefa916bb68e22beddaf6373
2023-05-09 15:57:12 +01:00
Sandrine Bailleux
c89fdb4a51 Merge "refactor(fiptool): move plat_fiptool.mk to tools" into integration 2023-05-02 10:47:15 +02:00
Mikael Olsson
0165ddd7c0 build(fiptool): add object dependency generation
The object target in the fiptool Makefile only depends on the
corresponding source file so it won't rebuild the object, if a header
file used by the source file is changed.

To make it rebuild the object file for both source and header file
changes, a dependency file will now be generated for each object and
included in the Makefile.

Signed-off-by: Mikael Olsson <mikael.olsson@arm.com>
Change-Id: I0468c6e9c54126242150667268d471f28e011b0d
2023-04-04 11:36:07 +02:00
Govindraj Raja
a8eadc51a3 refactor(mbedtls): avoid including MBEDTLS_CONFIG_FILE
Currently we include MBEDTLS_CONFIG_FILE directly and if a custom
config file is used it will be included.

However from mbedtls-3.x onwards it discourages usage of
MBEDTLS_CONFIG_FILE include directly, so to resolve this and keep 2.28
compatibility include version.h which would include the custom config
file if present and also would expose us with mbedtls-major-version
number which could be used for selecting features and functions for
mbedtls 2.28 or 3.3

Change-Id: I029992311be2a38b588ebbb350875b03ea29acdb
Signed-off-by: Govindraj Raja <govindraj.raja@arm.com>
2023-02-21 11:09:47 +00:00
laurenw-arm
76a85cfa0a fix(cert-create): change WARN to VERBOSE
SAVE_KEYS is set to '0' by default, causing cert_create to
show the 'Key filename not specified' message on each run
even though this is perfectly normal. Show the message only
in the VERBOSE log level.

Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Change-Id: I472cdec2670055ab0edd99d172f79d01ad575972
2023-02-09 11:55:33 -06:00
Raef Coles
034a2e3ef8 refactor(fiptool): move plat_fiptool.mk to tools
Move all plat_fiptool.mks into tools, change the logic to recursively
check for tools/fiptool/plat_fiptool/<plat_path>/plat_fiptool.mk

I.e. for a platform that has the path "plat/arm/board/tc/platform.mk",
the makefile will now load the first existing file from:
 - tools/fiptool/plat_fiptool/arm/board/tc/plat_fiptool.mk
 - tools/fiptool/plat_fiptool/arm/board/plat_fiptool.mk
 - tools/fiptool/plat_fiptool/arm/plat_fiptool.mk

This enables fiptool to support multiple platforms, or a specific one.

Remove file-copying previously being used to handle old default path.
Remove custom file cleaning in plat_fiptool.mk.

Change-Id: I95245bcf7143b329481d4394ab64f29bfe9de5ab
Signed-off-by: Raef Coles <raef.coles@arm.com>
2023-02-06 09:36:39 +00:00
Manish V Badarkhe
5a53c6c667 Merge "feat(fiptool): handle FIP in a disk partition" into integration 2023-01-23 13:57:39 +01:00
Antonio Borneo
06e69f7c94 feat(fiptool): handle FIP in a disk partition
When FIP is programmed in a disk partition, fiptool cannot be used
directly; this forces the user to temporarily copy the partition
to a file, apply fiptool and copy back the file. This is caused by
fstat() that returns zero file size on a block special file, thus
making fiptool commands info, update, unpack and remove to exit.

For either Linux host or Linux target, recover the partition size
with ioctl() and use it as FIP file size. E.g.:
	fiptool info /dev/disk/by-partlabel/fip-a
	fiptool info /dev/mtdblock4

While there, rework two identical error log messages to provide
more details about the failure and update the date in copyright.

Signed-off-by: Antonio Borneo <antonio.borneo@foss.st.com>
Change-Id: I7cab60e577422d94c24ba7e39458f58bcebc2336
2023-01-23 11:45:53 +01:00
Madhukar Pappireddy
79664cfcf9 Merge changes I2b23e7c8,I779587af,Ic46de7a4,If753e987,I00171b05, ... into integration
* changes:
  fix(layerscape): unlock write access SMMU_CBn_ACTLR
  fix(nxp-ddr): add checking return value
  feat(lx2): enable OCRAM ECC
  fix(nxp-tools): fix coverity issue
  fix(nxp-ddr): fix coverity issue
  fix(nxp-ddr): fix underrun coverity issue
  fix(nxp-drivers): fix sd secure boot failure
  feat(lx2): support more variants
  fix(lx2): init global data before using it
  fix(ls1046a): 4 keys secureboot failure resolved
  fix(nxp-crypto): fix secure boot assert inclusion
  fix(nxp-crypto): fix coverity issue
  fix(nxp-drivers): fix fspi coverity issue
  fix(nxp-drivers): fix tzc380 memory regions config
  fix(layerscape): fix nv_storage assert checking
  fix(nxp-ddr): apply Max CDD values for warm boot
  fix(nxp-ddr): use CDDWW for write to read delay
  fix(layerscape): fix errata a008850
2022-12-15 16:38:07 +01:00
Jiafei Pan
4fa0f09739 fix(nxp-tools): fix coverity issue
Check the value is not NULL.

Signed-off-by: Jiafei Pan <Jiafei.Pan@nxp.com>
Change-Id: If753e9875153a8e31498addf89202c953abf64ef
2022-12-06 22:45:36 +08:00
Jens Wiklander
4daeaf341a fix(sptool): add dependency to SP image
In the generated sp_gen.mk, add a dependency to the image described in
the sp_layout.json file to make sure that the pkg file is re-generated
if the SP image is updated.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Change-Id: Id936f907d6baa6b0627c4bb9608323e5157c7a9b
2022-11-23 10:58:33 +01:00
laurenw-arm
0fa7fe59f3 docs(changelog): changelog for v2.8 release
Change-Id: I1d99ea46ad527993ee786c34a67f94d74470f960
Signed-off-by: Lauren Wehrmeister <lauren.wehrmeister@arm.com>
2022-11-16 14:10:49 -06:00
Lionel Debieve
e78ba69e35 feat(cert-create): update for ECDSA brainpoolP256r/t1 support
Updated cert_tool to be able to select brainpool P256r/t1
or NIST prime256v1 curve for certificates signature.

Change-Id: I6e800144697069ea83660053b8ba6e21c229243a
Signed-off-by: Nicolas Toromanoff <nicolas.toromanoff@st.com>
Signed-off-by: Lionel Debieve <lionel.debieve@foss.st.com>
2022-11-14 11:25:01 +01:00
Juan Pablo Conde
cf2dd17ddd refactor(security): add OpenSSL 1.x compatibility
When updated to work with OpenSSL 3.0, the host tools lost their
compatibility with previous versions (1.x) of OpenSSL. This is
mainly due to the fact that 1.x APIs became deprecated in 3.0 and
therefore their use causes compiling errors. In addition, updating
for a newer version of OpenSSL meant improving the stability
against security threats. However, although version 1.1.1 is
now deprecated, it still receives security updates, so it would
not imply major security issues to keep compatibility with it too.

This patch adds backwards compatibility with OpenSSL 1.x versions
by adding back 1.x API code. It defines a macro USING_OPENSSL3,
which will select the appropriate OpenSSL API version depending on
the OpenSSL library path chosen (which is determined by the
already-existing OPENSSL_DIR variable).

In addition, cleanup items were packed in functions and moved to
the proper modules in order to make the code more maintainable and
legible.

Signed-off-by: Juan Pablo Conde <juanpablo.conde@arm.com>
Change-Id: I8deceb5e419edc73277792861882404790ccd33c
2022-11-11 13:33:42 -05:00
J-Alves
1a28f290b8 fix(sptool): operators "is/is not" in sp_mk_gen.py
Replace the "is/is not" operator by "==/!=" for literals, to fix the
syntax warnings below:

tools/sptool/sp_mk_generator.py:93: SyntaxWarning: "is not" with a literal. Did you mean "!="?
  return len(sppkg_rule) is not 0

tools/sptool/sp_mk_generator.py:203: SyntaxWarning: "is" with a literal. Did you mean "=="?
  assert(len(uuid_lines) is 1)

Signed-off-by: J-Alves <joao.alves@arm.com>
Change-Id: I10800f6b607942542aa2cbaaecac86b854f6b56a
2022-10-07 10:06:08 +01:00
J-Alves
0be2475f69 fix: 'sp_mk_generator.py' reference to undef var
The script 'sp_mk_generator.py' was reworked in [1]. There was a
reference to the variable 'data' left. This variable 'data' used to refer
to the json data of the sp layout file.
This patch fixed the reference with the proper variable according to the
rework [1].

[1] https://git.trustedfirmware.org/TF-A/trusted-firmware-a.git/commit/?id=a96a07bfb66b7d38fe3da824e8ba183967659008

Signed-off-by: J-Alves <joao.alves@arm.com>
Change-Id: I9ddbfa8d55a114bcef6997920522571e070fc7d2
2022-09-14 15:56:03 +01:00
Madhukar Pappireddy
cb666b39d8 Merge "fix(sptool): fix concurrency issue for SP packages" into integration 2022-06-29 15:27:32 +02:00
Daniel Boulby
0aaa382fe2 fix(sptool): fix concurrency issue for SP packages
Add dependency between rules to generate SP packages and their dtb files
to ensure the dtb files are built before the sptool attempts to generate
the SP package.

Change-Id: I071806f4aa09f39132e3e1990c91d71dc9acd728
Signed-off-by: Daniel Boulby <daniel.boulby@arm.com>
2022-06-28 12:27:20 +01:00
laurenw-arm
147f52f3e8 feat(fiptool): add cca, core_swd, plat cert in FIP
Added support for cca CoT in the fiptool by adding the cca,
core_swd, and plat key certificates.

Signed-off-by: Lauren Wehrmeister <lauren.wehrmeister@arm.com>
Change-Id: I1ba559e188ad8c33cb0e643d7a2fc6fb96736ab9
2022-06-14 09:47:37 -05:00
laurenw-arm
0a6bf811d7 feat(cert_create): define the cca chain of trust
Selection of the cca chain of trust is done through the COT build
option:

> make COT=cca

Signed-off-by: Lauren Wehrmeister <lauren.wehrmeister@arm.com>
Change-Id: I123c0a841f67434633a3123cc1fa3e2318585482
2022-06-14 09:47:37 -05:00
Jayanth Dodderi Chidanand
24c5d206f1 docs(changelog): changelog for v2.7 release
Change-Id: I573e5eb3c7fad097892292c8a967dc02d72d12e6
Signed-off-by: Jayanth Dodderi Chidanand <jayanthdodderi.chidanand@arm.com>
2022-06-01 15:19:37 +01:00
Juan Pablo Conde
9bc52d330f refactor(security): upgrade tools to OpenSSL 3.0
Host tools cert_tool and encrypt_fw refactored to be fully
compatible with OpenSSL v3.0.

Changes were made following the OpenSSL 3.0 migration guide:
https://www.openssl.org/docs/man3.0/man7/migration_guide.html
In some cases, those changes are straightforward and only
a small modification on the types or API calls was needed
(e.g.: replacing BN_pseudo_rand() with BN_rand(). Both identical
since v1.1.0).
The use of low level APIs is now deprecated. In some cases,
the new API provides a simplified solution for our goals and
therefore the code was simplified accordingly (e.g.: generating
RSA keys through EVP_RSA_gen() without the need of handling the
exponent). However, in some cases, a more
sophisticated approach was necessary, as the use of a context
object was required (e.g.: when retrieving the digest value from
an SHA file).

Signed-off-by: Juan Pablo Conde <juanpablo.conde@arm.com>
Change-Id: I978e8578fe7ab3e71307450ebe7e7812fbcaedb6
2022-05-16 19:01:59 +02:00
J-Alves
f4ec47613f feat(sptool): delete c version of the sptool
Change-Id: I224762ef66624c78dd87729dac80b2c956ee50ba
Signed-off-by: J-Alves <joao.alves@arm.com>
2022-05-04 15:37:47 +01:00
J-Alves
822c72791f feat(sptool): use python version of sptool
Change-Id: I567ef0b977c69c38323740a592dd9451e261a407
Signed-off-by: J-Alves <joao.alves@arm.com>
2022-05-04 15:37:47 +01:00
J-Alves
2e82874cc9 feat(sptool): python version of the sptool
To cope with the changes/design decisions in the implementation of
boot protocol, from FF-A v1.1 specification in the S-EL2 SPM, we have
changed the format of the sp pkg header.
These changes need to be reflected in the sptool, used for packaging
the SP binary, and the SP's FF-A manifest. Now the SP pkg can
contain the boot information blob as defined by the FF-A specification.
To cater for these changes, bring to the TF-A project an equivalent to
the tool used in the Hafnium project.

Signed-off-by: J-Alves <joao.alves@arm.com>
Change-Id: I046f5d6e3c2ef0ba6c87f65302e127dedef34c28
2022-05-04 15:36:56 +01:00
J-Alves
a96a07bfb6 refactor(sptool): use SpSetupActions in sp_mk_generator.py
The "sp_mk_generator.py" is responsible for processing the SP layout
file, which contains information about the SPs to be deployed on top of
the SPM, to generate the "sp_gen.mk" file which appends information
specific to each SP that shall help with packing all SPs into a fip
binary.
Before this patch the "sp_mk_generator.py" was a monolithic script,
which has now been broken down into functions for each identified
configuration action.

Signed-off-by: J-Alves <joao.alves@arm.com>
Change-Id: I8ee7487f2e07d53e508d17d0fe4510e22957f5ca
2022-05-04 10:11:24 +01:00
J-Alves
b1e6a41572 feat(sptool): add python SpSetupActions framework
Developed python framework to help with SPs configuration. The framework
allows for functions (dubbed "actions" in the framework) to be defined
that should process the "sp_layout.json" file.

Signed-off-by: J-Alves <joao.alves@arm.com>
Change-Id: I278cd5a7aa0574168473e28f3b0fe231d7b548ee
2022-05-04 10:11:24 +01:00
Yann Gautier
d16bfe0fef feat(debug): update print_memory_map.py
Add some entries in blx_symbols, that are used when the flag
SEPARATE_CODE_AND_RODATA is not enabled (__RO_* and __TEXT_RESIDENT_*).
Add all new symbols that were not yet present in the script.
Correct __BSS_END to __BSS_END__, and add __BSS_START__.
Add new *_XLAT_TABLE_* symbols.
As those strings are longer than 22, update display format string to
be dependent on the longest string.
The script also skips lines for which the _START__ and _END__
symbols have the same address (empty sections).

Signed-off-by: Yann Gautier <yann.gautier@foss.st.com>
Change-Id: I6c510ced6116b35d14ee2cb7a6711405604380d6
2022-04-07 13:46:31 +02:00
Biwen Li
31af441a04 fix(nxp-tools): fix create_pbl print log
Replace bl2_offset with bl2_loc, and fix byte-swapping for
Chassis2 SoC(s) only.

Signed-off-by: Biwen Li <biwen.li@nxp.com>
Signed-off-by: Jiafei Pan <Jiafei.Pan@nxp.com>
Change-Id: Ieb5fd6468178325bfb6fb89b6c31c75cd9030363
2022-03-27 23:24:24 +08:00
Joanna Farley
e638c228b8 Merge "build(sptool): handle uuid field in SP layout file" into integration 2022-03-23 14:31:31 +01:00
Nicolas Le Bayon
2d8886acee feat(st): update stm32image tool for header v2
The stm32image tool is updated to manage new header v2.0 for BL2
images.
Add new structure for the header v2.0 management.
Adapt to keep compatibility with v1.0.
Add the header version major and minor in the command line
when executing the tool, as well as binary type (0x10 for BL2).

Change-Id: I70c187e8e7e95b57ab7cfad63df314307a78f1d6
Signed-off-by: Yann Gautier <yann.gautier@st.com>
Signed-off-by: Lionel Debieve <lionel.debieve@st.com>
2022-03-21 10:53:55 +01:00