Add tox to automate testing across multiple environments, ensuring code
robustness and compatibility with different Python versions. This helps
ensure consistency in test environments so both development and CI
systems run tests uniformly, and simplifies the execution of tasks like
linting and other commands with a single command.
Change-Id: I522adb486e89abecb9a130941ce4cef31332193a
Signed-off-by: Harrison Mutai <harrison.mutai@arm.com>
This change fixes several breakages that were introduced in some build
configurations by the introduction of the cot-dt2c tool.
Some Python environments cannot be managed directly via `pip`, and
invocations of `make`, including `make distclean`, would cause errors
along the lines of:
error: externally-managed-environment
× This environment is externally managed
╰─> To install Python packages system-wide, try apt install
python3-xyz, where xyz is the package you are trying to
install.
This change has been resolved by ensuring that calls to the cot-dt2c
tool from the build system happen exclusively through Poetry, which
automatically sets up a virtual environment that *can* be modified.
Some environments saw the following error when building platforms where
the cot-dt2c tool was used:
make: *** No rule to make target '<..>/debug/bl2_cot.c', needed
by '<..>/debug/bl2/bl2_cot.o'. Stop.
Additionally, environments with a more recent version of Python saw the
following error:
File "<...>/lib/python3.12/site-packages/cot_dt2c/cot_parser.py",
line 637, in img_to_c
if ifdef:
^^^^^
NameError: name 'ifdef' is not defined
Both of these errors have now been resolved by modifications to the
build system and the cot-dt2c tool to enable preprocessing of the device
tree source file before it is processed by the tool.
As a consequence of this change, the `pydevicetree` library is no longer
vendored into the repository tree, and we instead pull it in via a
dependency in Poetry.
This change also resolves several MyPy warnings and errors related to
missing type hints.
Change-Id: I72b2d01caca3fcb789d3fe2549f318a9c92d77d1
Signed-off-by: Chris Kay <chris.kay@arm.com>
Update the test files to eliminate the use of preprocessor macros,
as the tool now requires processed output. The documentation has
also been revised accordingly.
Additionally, remove the Device Tree Source test files that were
added to test the #ifdef conditions.
Change-Id: I13a682db20e5e44170fc25a2e2dbedd45b9c7321
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
Add the standalone CoT dt2c tool for CoT DTB conversion to
c file
Change-Id: If28e580a4c2825f5dc9008e93cd2aae3fc173e73
Signed-off-by: Xialin Liu <Xialin.Liu@ARM.com>
This commit adds a command create-from-yaml to tlc, which
creates a transfer list from a yaml file. It also changes
the files structure of the fixtures in the unit tests so
they are in a directory called trusted-firmware-a. This
is necessary because blob file paths in the yaml file are
relative to the root of TF-A.
The blob files are not verified by TLC, so it can be used
to load arbitrary binary information into the transfer
list. The authenticity of the transfer list must be
ensured by the loader.
Change-Id: Idf704ce5d9b7e28b31f471ac337e4aef33d0ad8a
Signed-off-by: Charlie Bareham <charlie.bareham@arm.com>
This makes the build reproducible.
When `make dev-install` was run, it would ignore the existing
poetry lock file, install different versions of all the
libraries, then overwrite the lock file. Once `--no-update`
is added, it stops doing that, and installs exactly what is
in the poetry lock file.
Change-Id: If62637a40504d23deb47a05347a272e1c13bf41e
Signed-off-by: Charlie Bareham <charlie.bareham@arm.com>
Transfer List Compiler is a command line tool that enables the static
generation of TL's compliant with version 0.9 of the firmware handoff
specification. The intent of this tool is to support information passing
via the firmware handoff framework to bootloaders that run without
preceding images (i.e. `RESET_TO_BL31`).
It currently allows for TL's to be statically generated from blobs of
data, and modified by removing/adding TE's. Future work will provide
support for TL generation from configuration file.
Change-Id: Iff670842e34c9ad18eac935248ee2aece43dc533
Signed-off-by: Harrison Mutai <harrison.mutai@arm.com>
Co-authored-by: Charlie Bareham <charlie.bareham@arm.com>
This commit streamlines directory creation by introducing a single
pattern rule to automatically make directories for which there is a
dependency.
We currently use several macros to generate rules to create directories
upon dependence, which is a significant amount of code and a lot of
redundancy. The rule introduced by this change represents a catch-all:
any rule dependency on a path ending in a forward slash is automatically
created.
Now, rules can rely on an unordered dependency (`|`) on `$$(@D)/` which,
when secondary expansion is enabled, expands to the directory of the
target being built, e.g.:
build/main.o: main.c | $$(@D)/ # automatically creates `build/`
Change-Id: I7e554efa2ac850e779bb302fd9c7fbb239886c9f
Signed-off-by: Chris Kay <chris.kay@arm.com>
This is a small change to split up the generation of the RZ/G layout
images into unique targets. This is predominantly for cleanliness
reasons - Make current doesn't know about the `.bin` and `.srec`
binaries generated by the `.elf` target.
Change-Id: I81251ac647b85c5eec8f910ddc841a5a32b49e67
Signed-off-by: Chris Kay <chris.kay@arm.com>
This is a small change to split up the generation of the R-Car layout
images into unique targets. This is predominantly for cleanliness
reasons - Make current doesn't know about the `.bin` and `.srec`
binaries generated by the `.elf` target.
Change-Id: I624bc0c62e99cead66a6d6e25ff016aecf6b985a
Signed-off-by: Chris Kay <chris.kay@arm.com>
This change avoids generating a build message source file on the shell,
instead using the `__DATE__` and `__TIME__` macros directly.
Change-Id: Ida537d4c3e550f2fbbd977472ed6573491d17c23
Signed-off-by: Chris Kay <chris.kay@arm.com>
This change avoids generating a build message source file on the shell,
instead using the `__DATE__` and `__TIME__` macros directly.
Change-Id: Ieda75bbac174847c716701bce8dd10b8e9975902
Signed-off-by: Chris Kay <chris.kay@arm.com>
This change introduces a few helper variables for dealing with verbose
and silent build modes: `silent`, `verbose`, `q` and `s`.
The `silent` and `verbose` variables are boolean values determining
whether the build system has been configured to run silently or
verbosely respectively (i.e. with `--silent` or `V=1`).
These two modes cannot be used together - if `silent` is truthy then
`verbose` is always falsy. As such:
make --silent V=1
... results in a silent build.
In addition to these boolean variables, we also introduce two new
variables - `s` and `q` - for use in rule recipes to conditionally
suppress the output of commands.
When building silently, `s` expands to a value which disables the
command that follows, and `q` expands to a value which supppresses
echoing of the command:
$(s)echo 'This command is neither echoed nor executed'
$(q)echo 'This command is executed but not echoed'
When building verbosely, `s` expands to a value which disables the
command that follows, and `q` expands to nothing:
$(s)echo 'This command is neither echoed nor executed'
$(q)echo 'This command is executed and echoed'
In all other cases, both `s` and `q` expand to a value which suppresses
echoing of the command that follows:
$(s)echo 'This command is executed but not echoed'
$(q)echo 'This command is executed but not echoed'
The `s` variable is predominantly useful for `echo` commands, where you
always want to suppress echoing of the command itself, whilst `q` is
more useful for all other commands.
Change-Id: I8d8ff6ed714d3cb401946c52955887ed7dca602b
Signed-off-by: Chris Kay <chris.kay@arm.com>
Generated this change-log using below command:
npm run release -- --skip.commit --skip.tag --release-as 2.11.0
Change-Id: I34c7b342549781057da1b18116500f110bc3f5ad
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
Signed-off-by: Juan Pablo Conde <JuanPablo.Conde@arm.com>
* changes:
refactor(changelog): change all occurrences of RSS to RSE
refactor(qemu): change all occurrences of RSS to RSE
refactor(fvp): change all occurrences of RSS to RSE
refactor(fiptool): change all occurrences of RSS to RSE
refactor(psa): change all occurrences of RSS to RSE
refactor(fvp): remove leftovers from rss measured boot support
refactor(tc): change all occurrences of RSS to RSE
docs: change all occurrences of RSS to RSE
refactor(measured-boot): change all occurrences of RSS to RSE
refactor(rse): change all occurrences of RSS to RSE
refactor(psa): rename all 'rss' files to 'rse'
refactor(tc): rename all 'rss' files to 'rse'
docs: rename all 'rss' files to 'rse'
refactor(measured-boot): rename all 'rss' files to 'rse'
refactor(rss): rename all 'rss' files to 'rse'
Changes all occurrences of "RSS" and "rss" in the code and build files
to "RSE" and "rse".
Signed-off-by: Tamas Ban <tamas.ban@arm.com>
Change-Id: I8982c203375250d6c709a26f33fb88673d69da50
OpenSSL has brainpool support only since version 1.1.0, make sure we
put a proper guardrail around it.
Change-Id: Ia2ee686904ed80699f77b1da953546ab7538ec37
Signed-off-by: Donald Chan <donachan@tesla.com>
Currently when RSA-PSS signing is invoked, a salt length of 32 bytes
is assumed. This works well when SHA-256 is the digest algorithm, but
the standard industry practice is that the salt length should follow
the digest length (e.g. 48/64 bytes for SHA-384/SHA-512).
Various cloud services' key management services (KMS) offering have
such restrictions in place, so if someone wants to integrate cert_create
against these services for signing key/content certs, they will have
problem with integration.
Furthermore, JWS (RFC7518) defined these specific combinations as valid
specs and other combinations are not supported:
- PS256: RSASSA-PSS using SHA-256 and MGF1 with SHA-256
- PS384: RSASSA-PSS using SHA-384 and MGF1 with SHA-384
- PS512: RSASSA-PSS using SHA-512 and MGF1 with SHA-512
Change-Id: Iafc7c60ccb36f4681053dbeb4147bac01b9d724d
Signed-off-by: Donald Chan <donachan@tesla.com>
When generating fiptool for STM32MP2, a new parameter is added to
put DDR firmware inside the FIP.
To avoid duplicating fiptool platform files, move
tools/fiptool/plat_fiptool/st/stm32mp1 files in their parent directory
and move plat_def_fip_uuid.h in in plat/st/common/include.
Signed-off-by: Nicolas Le Bayon <nicolas.le.bayon@st.com>
Signed-off-by: Yann Gautier <yann.gautier@st.com>
Change-Id: I1dd796847869e2bfb6ee8c2bcef25c595fa5197a
When configuring GNU GCC as the C compiler, we usually use the GNU BFD
linker directly to link by default. However, this complicates things
because we also need to support LTO, which can only be done when linking
is done via the C compiler, and we cannot change the linker later on if
some other part of the build system wants to enable LTO.
This change migrates the default choice of linker to GCC if the C
compiler is GCC, in order to enable this use-case. This should have no
impact on anything outside of the build system, as by default GCC merely
acts as a wrapper around BFD.
Change-Id: I40771be2b0571def67bbfde9e877e7629ec8cdaa
Signed-off-by: Chris Kay <chris.kay@arm.com>
This change migrates the values of `CC`, `CPP`, `AS` and other toolchain
variables to the new `$(toolchain)-$(tool)` variables, which were
introduced by the toolchain refactor patch. These variables should be
equivalent to the values that they're replacing.
Change-Id: I644fe4ce82ef1894bed129ddb4b6ab94fb04985d
Signed-off-by: Chris Kay <chris.kay@arm.com>
This change refactors how we identify the toolchain, with the ultimate
aim of eventually cleaning up the various mechanisms that we employ to
configure default tools, identify the tools in use, and configure
toolchain flags.
To do this, we introduce three new concepts in this change:
- Toolchain identifiers,
- Tool class identifiers, and
- Tool identifiers.
Toolchain identifiers identify a configurable chain of tools targeting
one platform/machine/architecture. Today, these are:
- The host machine, which receives the `host` identifier,
- The AArch32 architecture, which receives the `aarch32` identifier, and
- The AArch64 architecture, which receivs the `aarch64` identifier.
The tools in a toolchain may come from different vendors, and are not
necessarily expected to come from one single toolchain distribution. In
most cases it is perfectly valid to mix tools from different toolchain
distributions, with some exceptions (notably, link-time optimization
generally requires the compiler and the linker to be aligned).
Tool class identifiers identify a class (or "role") of a tool. C
compilers, assemblers and linkers are all examples of tool classes.
Tool identifiers identify a specific tool recognized and supported by
the build system. Every tool that can make up a part of a toolchain must
receive a tool identifier.
These new identifiers can be used to retrieve information about the
toolchain in a more standardized fashion.
For example, logic in a Makefile that should only execute when the C
compiler is GNU GCC can now check the tool identifier for the C compiler
in the relevant toolchain:
ifeq ($($(ARCH)-cc-id),gnu-gcc)
...
endif
Change-Id: Icc23e43aaa32f4fd01d8187c5202f5012a634e7c
Signed-off-by: Chris Kay <chris.kay@arm.com>
* changes:
build: remove the `NM` variable
build: prefer `gcc-ar` over `ar`
build: add `--no-warn-rwx-segments` when linking with GCC
build: always use the C compiler to assemble
build: always use the C compiler to preprocess
fix(rcar): fix implicit rule invocations in tools
The `rzg_layout_create` and `rcar_layout_create` tools have a rule to
build object files from C files, but it depends on object files in the
parent directory when it should depend on object files in the current
directory. Consequently, the rule is not triggering and the implicit C
compilation rule is executed instead. This rule works, so I have
replaced the broken rule with exactly the same command as what the
implicit rule is executing and fixed the dependency.
Change-Id: Ib8d640361adff8c4d660738dda230e5536bec629
Signed-off-by: Chris Kay <chris.kay@arm.com>
When PIE is enabled, it can be handy to display the .rela.dyn section.
Add RELA in the list of symbols parsed, to display this section in
memory map.
Signed-off-by: Yann Gautier <yann.gautier@st.com>
Change-Id: Ic40da54ce6fb6e281fb1a6627e9b8830993cfb2c
When building BL1 with SEPARATE_CODE_AND_RODATA=0, symbol names
__RO_{START|END}__ are ignored by memory map dump script.
Fix it by including the symbol in regular expression.
While at it, update the copyright year to current.
Change-Id: Iafeab75c5711429ea0b744510caf27dd8784a29a
Signed-off-by: Sekhar Nori <nsekhar@ti.com>
Silence warning from sp_mk_generator that 'is not' operator
is not meant for integers. This replaces the referred instance
with '!='.
Signed-off-by: J-Alves <joao.alves@arm.com>
Change-Id: I0d31ad65466dbeafebbfc929e506c3e290913aca
Calculate the free space as the range between the
limit and the end of the memory region *_REGION_END.
Change-Id: I9cacadea2543c9f5ddaebca82344a83678cd7d55
Signed-off-by: Harrison Mutai <harrison.mutai@arm.com>
The FF-A specification has made it such that SPs
may optionally specify their load address in the manifest.
This info was being retrieved to generate some information
for the SPMC manifest. However, it is not a mandatory utility.
This change relaxes the case in which the SP manifest doesn't
have a load address.
Signed-off-by: J-Alves <joao.alves@arm.com>
Change-Id: Ic4c1b1ec6666522900c113903be45ba0eb5d0bf6
The same was done for other platforms: stm32mp1, tc before in
commit 034a2e3ef8 ('refactor(fiptool):
move plat_fiptool.mk to tools')
Additionally this will make ignore generated files:
Untracked files:
plat/arm/board/juno/fip/plat_def_uuid_config.d
plat/arm/board/juno/fip/plat_def_uuid_config.o
Signed-off-by: Andrey Skvortsov <andrej.skvortzov@gmail.com>
Change-Id: Ia5f1082fcd6d9dfc0be012759493e61ddb869956
Fixed the check of the address range which the program is loaded to.
Use the addresses and sizes in the BL31 and BL32 certificates to check
that they are within the range of the target address and size
defined inside the TF-A.
It also uses the addresses and sizes in the BL33x certificates to check
that they are outside the protected area defined inside the TF-A.
Signed-off-by: Hideyuki Nitta <hideyuki.nitta.jf@hitachi.com>
Signed-off-by: Toshiyuki Ogasahara <toshiyuki.ogasahara.bo@hitachi.com>
Signed-off-by: Yoshifumi Hosoya <yoshifumi.hosoya.wj@renesas.com>
Signed-off-by: Marek Vasut <marek.vasut+renesas@mailbox.org> # Code clean up
Change-Id: Iade15431fc86587489fb0ca9106f6baaf7e926e2
mbedtls/version.h needs to be included before the use of any
mbedtls config variables.
Fixes a build failure regression from commit a8eadc51a.
Change-Id: Idd955d7955b0a55ffd127f31053335542cb15e22
Signed-off-by: Henrik Nordstrom <henrik.nordstrom@addiva.se>
Added changelog for v2.10 release.
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
Signed-off-by: Juan Pablo Conde <juanpablo.conde@arm.com>
Change-Id: Id06263047fcc1ec60e82f85cd09e2e4bc95830f5
This reverts commit 0abbfab320.
Reason for revert: Changelog was based on rc0 tag but we got few more patches after that which were not captured.
Change-Id: I9829f2b6dc09f0bd5c538845cbae051f6e4c8a75
When key_load() attempts to load the key from a file and it fails to
open this file, the 'err_code' output argument is set to
'KEY_ERR_OPEN' error code. However, it is incorrectly overwritten
later on with 'KEY_ERR_NONE' or 'KEY_ERR_LOAD'.
The latter case messes up with the key creation scenario. The
'KEY_ERR_LOAD' error leads the tool to exit, when it should attempt to
create the said key file if invoked with the --new-keys/-n option.
Note that, to complicate matters further, which of 'KEY_ERR_OPEN' or
'KEY_ERR_NONE' values is returned by key_load() depends on the version
of OpenSSL in use:
- If using v3+, KEY_ERROR_LOAD is returned.
- If using <v3, KEY_ERROR_NONE is returned as a result of the key
pair container being initialized by key_new().
This patch fixes this bug and also takes the opportunity to refactor
key_load() implementation to (hopefully) make it more straight-forward
and easier to reason about.
Fixes: 616b3ce27d "feat(cert-create): add pkcs11 engine support"
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
Reported-by: Wenchen Tan <xtaens@qq.com>
Change-Id: Ia78ff442e04c5ff98e6ced8d26becbd817a8ccb7
Provide a STATIC command line build option for platforms willing to
build fiptool statically and remove dependency to toolchain and OpenSSL
libraries.
Signed-off-by: Olivier Deprez <olivier.deprez@arm.com>
Change-Id: I1d1b6676df50081828170e2b0ab7b71c4ec19d6e
