Adding the possible key sizes for the ecdsa key algorithm.
Change-Id: I58947bc749fed911766a1462a0c2ba520b8f7c69
Signed-off-by: Lauren Wehrmeister <lauren.wehrmeister@arm.com>
Add full key support for ECDSA P384 and P256.
New .S files and p384 pem file created along with new
plat_get_rotpk_info() flag ARM_ROTPK_DEVEL_FULL_DEV_ECDSA_KEY_ID.
Change-Id: I578b257eca41070bb4f4791ef429f2b8a66b1eb3
Signed-off-by: Lauren Wehrmeister <lauren.wehrmeister@arm.com>
Adding the PK_DER_LEN option for 384 key size when adding ECDSA P384 key
support
Change-Id: I0f19aebad20d1c552976dc3c22ed396d79614769
Signed-off-by: Lauren Wehrmeister <lauren.wehrmeister@arm.com>
Use KEY_SIZE 384 to enable ECDSA P384 key support by
setting MBEDTLS_ECP_DP_SECP384R1_ENABLED.
Selected by setting KEY_ALG=ecdsa and KEY_SIZE=384.
Change-Id: I382f34fc4da98f166a2aada5d16fdf44632b47f5
Signed-off-by: Lauren Wehrmeister <lauren.wehrmeister@arm.com>
* changes:
feat(rdn2): introduce platform handler for Group0 interrupt
feat(rdn2): add plat hook for memory transaction
feat(rdn2): introduce accessor function to obtain datastore
feat(spm): separate StMM SP specifics to add support for a S-EL0 SP
feat(rdn2): add defines needed for spmc-el3
feat(ras): reuse SPM_MM specific defines for SPMC_AT_EL3
feat(bl31): reuse SPM_MM specific defines for SPMC_AT_EL3
feat(arm): reuse SPM_MM specific defines for SPMC_AT_EL3
feat(el3-spmc): add a flag to enable support to load SEL0 SP
refactor(spm-mm): reorganize secure partition manager shim code
This patch introduces a handler for RDN2 platform to triage Group0
secure interrupts. Currently, it is empty but serves as a
placeholder for future Group0 interrupt sources.
Signed-off-by: Nishant Sharma <nishant.sharma@arm.com>
Change-Id: If0b64e507e9105813d9a5d16f70101cf0d8ca5a4
RdN2 does not make MEM_SHARE/LEND requests. Instead, add a dummy
implementation of memory management related platform hooks.
Signed-off-by: Nishant Sharma <nishant.sharma@arm.com>
Change-Id: Ifce55b6661f03d379e2fd2dc5625200d550d8038
In order to provide the EL3 SPMC a sufficient datastore to
record memory descriptor, introduce an accessor function
so that the backing memory can be allocated in a platform
defined manner to accommodate memory constraints and
desired usecases.
Signed-off-by: Nishant Sharma <nishant.sharma@arm.com>
Change-Id: If5842e79c2ad22ccc17362b114f47d9900d82f7e
This patch separates the code from SPM_MM to get xlat table context and
move it to a common location. In addition, only APIs required from both
SPM_MM and FF-A EL3 SPMC are moved to the common location.
This allows understanding better what is required to support a S-EL0 SP
instead of trying to retrofit what already exists.
Signed-off-by: Achin Gupta <achin.gupta@arm.com>
Signed-off-by: Nishant Sharma <nishant.sharma@arm.com>
Change-Id: I142d7fbef5239869176d0de93842c66051d7ed78
Add the following platform specific flags to enable SPMC build.
SECURE_PARTITION_COUNT: Number of secure partitions supported
NS_PARTITION_COUNT: Number of non secure partitions supported
MAX_EL3_LP_DESCS_COUNT: Number of logical partitions supported
Signed-off-by: Sayanta Pattanayak <sayanta.pattanayak@arm.com>
Signed-off-by: Nishant Sharma <nishant.sharma@arm.com>
Change-Id: I33d46be9dffd0acfc088bc1701dc0b1ed92dbf46
For EL3 SPMC configuration enabled platforms, allow the reuse of
SPM_MM specific definitions.
Signed-off-by: Nishant Sharma <nishant.sharma@arm.com>
Change-Id: Ic88db49d4f854c718d064b2c301a639fc2df2857
For EL3 SPMC configuration enabled platforms, allow the reuse of
SPM_MM specific definitions.
Signed-off-by: Nishant Sharma <nishant.sharma@arm.com>
Change-Id: I5ef694f7e2f6d48ec7db26f92ccb350ed537e3f1
Introduce a build flag for enabling the support for loading SEL0 SP in
EL3 SPMC.
Signed-off-by: Nishant Sharma <nishant.sharma@arm.com>
Change-Id: I1d63ae4d0d8374a732113565be90d58861506e39
In preparation for adding the support for SEL0 SP in EL3 SPMC,
restructure the existing SPM_MM shim code in a way that allows reuse
of the code for both SPM_MM interface and FF-A EL3 SPMC interface. The
code for changing exception levels is identical for both.
With this restructuring of the code, the shim exception code is moved to
the common sub-directory.
Signed-off-by: Sayanta Pattanayak <sayanta.pattanayak@arm.com>
Signed-off-by: Nishant Sharma <nishant.sharma@arm.com>
Change-Id: Iadda9cf73f12b56e6a1d31fc21b5ba5dc355867f
The ability to read a character from the console constitutes an attack
vector into TF-A, as it gives attackers a means to inject arbitrary
data into TF-A. It is dangerous to keep that feature enabled if not
strictly necessary, especially in production firmware builds.
Thus, we need a way to disable this feature. Moreover, when it is
disabled, all related code should be eliminated from the firmware
binaries, such that no remnant/dead getc() code remains in memory,
which could otherwise be used as a gadget as part of a bigger security
attack.
This patch disables getc() feature by default. For legitimate getc()
use cases [1], it can be explicitly enabled by building TF-A with
ENABLE_CONSOLE_GETC=1.
The following changes are introduced when getc() is disabled:
- The multi-console framework no longer provides the console_getc()
function.
- If the console driver selected by the platform attempts to register
a getc() callback into the multi-console framework then TF-A will
now fail to build.
If registered through the assembly function finish_console_register():
- On AArch64, you'll get:
Error: undefined symbol CONSOLE_T_GETC used as an immediate value.
- On AArch32, you'll get:
Error: internal_relocation (type: OFFSET_IMM) not fixed up
If registered through the C function console_register(), this requires
populating a struct console with a getc field, which will trigger:
error: 'console_t' {aka 'struct console'} has no member named 'getc'
- All console drivers which previously registered a getc() callback
have been modified to do so only when ENABLE_CONSOLE_GETC=1.
[1] Example of such use cases would be:
- Firmware recovery: retrieving a golden BL2 image over the console in
order to repair a broken firmware on a bricked board.
- Factory CLI tool: Drive some soak tests through the console.
Discussed on TF-A mailing list here:
https://lists.trustedfirmware.org/archives/list/tf-a@lists.trustedfirmware.org/thread/YS7F6RCNTWBTEOBLAXIRTXWIOYINVRW7/
Change-Id: Icb412304cd23dbdd7662df7cf8992267b7975cc5
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
Acked-by: Baruch Siach <baruch@tkos.co.il>
* changes:
fix(imx8m): map BL32 memory only if SPD_opteed or SPD_trusty is enabled
feat(imx8mn): add workaround for errata ERR050362
feat(imx8m): enable snvs privileged registers access
Updating toolchain to the latest production release version
12.3.Rel1 publicly available on:
https://developer.arm.com/downloads/-/arm-gnu-toolchain-downloads
We build TF-A in CI using x86_64 Linux hosted cross toolchains:
---------------------------------------------------------------
* AArch32 bare-metal target (arm-none-eabi)
* AArch64 bare-metal target (aarch64-none-elf)
Change-Id: Ifcabb7fb9d8e13b87e164c3c1be8c8d32c31b49a
Signed-off-by: Jayanth Dodderi Chidanand <jayanthdodderi.chidanand@arm.com>
use common code definition and remove zynqmp local definition
for prepare_dtb in dtb flows.
Change-Id: I362b90b96852e9afccc8a2e23d3b7f709280fba7
Signed-off-by: Amit Nagal <amit.nagal@amd.com>
presence of multiple return path in prepare_dtb results in misra c
violation 15.5: this return statement is not the final statement
in the compound statement that forms the body of the function.
prepare_dtb is refactored to address the same.
Change-Id: I17ca4314202d6ca8d6fb0c4ea2ed9d31a152371b
Signed-off-by: Amit Nagal <amit.nagal@amd.com>
* changes:
refactor(cm): enable S-EL2 globally for all contexts
refactor(cm): remove world differentiation for EL2 context restore
fix(cm): make ICC_SRE_EL2 fixup generic to all worlds
refactor(cm): clean up SCR_EL3 and CPTR_EL3 initialization
* changes:
feat(mbedtls-psa): use PSA crypto API during signature verification
feat(mbedtls-psa): use PSA crypto API during hash calculation
feat(mbedtls-psa): use PSA crypto API for hash verification
feat(mbedtls-psa): initialise mbedtls psa crypto
feat(mbedtls-psa): register an ad-hoc PSA crypto driver
feat(mbedtls-psa): introduce PSA_CRYPTO build option
docs(changelog): add scope for MbedTLS PSA Crypto
Currently, S-EL2 is being enabled specifically while we are in
secure context and gets toggled up when we exit secure world.
This behavior is not ideal and needs correction.
Enabling the S-EL2 via SCR_EL3.EEL2 register setting should be
global and this patch addresses it.
Change-Id: If6c39ca258f2fefa835c4b51e0f6b68165fd2e35
Signed-off-by: Jayanth Dodderi Chidanand <jayanthdodderi.chidanand@arm.com>
The EL2 context save/restore functions have an optimisation to not
bother with the EL2 context when SEL2 is not in use. However, this
decision is made on the current value of SCR_EL3.EEL2, which is not
the value for the selected security state, but rather, for the
security state that came before it. This relies on the EEL2 bit's
value to propagate identically to all worlds.
This has an unintended side effect that for the first entry into
secure world, the restoring of the context is fully skipped, because
SCR_EL3 is only initialized after the call to the restoring routine
which means the EEL2 bit is not initialized (except when FEAT_RME
is present). This is inconsistent with normal and realm worlds which
always get their EL2 registers zeroed.
Remove this optimization to remove all the complexity with managing
the EEL2 bit's value. Instead unconditionally save/restore all
registers. It is worth noting that there is no performance penalty
in the case where SEL2 is empty with this change. This is because
SEL2 will never be entered, and as such no secure save/restore will
happen anyway, while normal world remains unchanged.
Removing the value management of the EEL2 bit causes the
CTX_ICC_SRE_EL2 register to be inaccessible in Secure world for some
configurations.
Make the SCR_EL3.NS workaround in cm_prepare_el3_exit_ns() generic
on every access to the register.
Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>
Change-Id: I1f56d85814c5897b468e82d4bd4a08e3a90a7f8f
For ICC_SRE_EL2.SRE the Arm ARM specifies that "If software changes this
bit from 1 to 0, the results are UNPREDICTABLE". However, the
indiscriminate zeroing of the EL2 context does just that for Secure and
Realm worlds. Make this fixup generic to avoid the problem.
Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>
Signed-off-by: Jayanth Dodderi Chidanand <jayanthdodderi.chidanand@arm.com>
Change-Id: Iee21ace17faf10eae52a046e6dfafc5141fa7f85
As with MDCR_EL3, setting some bits of these registers is redundant at
reset since they do not matter for EL3 execution and the registers get
context switched so they get overwritten anyway.
The SCR_EL3.{TWE, TWI, SMD, API, APK} bits only affect lower ELs so
their place is in context management. The API and APK bits are a bit
special as they would get implicitly unset for secure world when
CTX_INCLUDE_PAUTH_REGS is unset. This is now explicit with their normal
world values being always set as PAuth defaults to enabled. The same
sequence is also added to realm world too. The reasoning is the same as
for Secure world - PAuth will be enabled for NS, and unless explicitly
handled by firmware, it should not leak to realm.
The CPTR_EL3.{ESM, EZ, TAM} bits are set by the relevant
feat_enable()s in lib/extensions so they can be skipped too.
CPTR_EL3.TFP is special as it's needed for access to generic floating
point registers even when SVE is not present. So keep it but move to
context management.
This leaves CPTR_EL3.TCPAC which affects several extensions. This bit
was set centrally at reset, however the earliest need for it is in BL2.
So set it in cm_setup_context_common(). However, this CPTR_EL3 is only
restored for BL31 which is clearly not the case. So always restore it.
Finally, setting CPTR_EL3 to a fresh RESET_VAL for each security state
prevents any bits from leaking between them.
Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>
Signed-off-by: Jayanth Dodderi Chidanand <jayanthdodderi.chidanand@arm.com>
Change-Id: Ie7095e967bd4a6d6ca6acf314c7086d89fec8900
Always map the BL32 memory can interfere with the BL33 mapping if the
BL33 is not aware of the mapping, e.g. different memory tagging
secure/non-secure. Therefore map the memory only if BL32 (opteed,
trusty) is enabled and BL33 is aware of this memory mapping.
Signed-off-by: Marco Felsch <m.felsch@pengutronix.de>
Change-Id: I9c2bf78aa6e88c93e749a9248724186fee9df864
Port the workaround from the downstream imx-atf [1]:
| commit 1990081264f40822d1564f4562f05bbbc0c2941b
| Author: Ji Luo <ji.luo@nxp.com>
| Date: Thu May 20 16:26:55 2021 +0800
|
| MA-19071 imx8mn: workaround for errata ERR050362
|
| Configure the force_incr programmable bit in GPV_5 of PL301_display,
| which fixes partial write issue. This workaround was done in MCU FW
| before, move it to TF-A now as MCU should not touch secure world.
|
| Change-Id: I2e5bbc764640afeab6ac2f4b202939b59bd3b3f2
| Signed-off-by: Ji Luo <ji.luo@nxp.com>
[1] https://github.com/nxp-imx/imx-atf.git
Signed-off-by: Marco Felsch <m.felsch@pengutronix.de>
Change-Id: Iaff5f1faa143204d64c075b288f8dd13eb2902d8
Allow non-privileged access to all SNVS registers in case of no TEE is
available.
Signed-off-by: Marco Felsch <m.felsch@pengutronix.de>
Change-Id: I44686a3639a68c72c7eacc80691c294d5c32c9ae
- Fix the name of the user account under which the CI bot posts
review comments.
- The CI has now transitioned to trustedfirmware.org so CI results
are publically accessible.
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
Change-Id: I53dd93e200c9e119b5df6bbaf2644485cde57ce5
A PSA crypto API is used for signature verification, namely
psa_verify_message, which calculates the signature and verify it
for the given signed message.
Note, this functionality is as of now tested for RSA based Key
algorithm, subsequent patches will provide the signature verification
support for all the key algorithms available in TF-A (provided by KEY_ALG
build option).
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
Change-Id: I16214e3cac6a7af445530a6dbd66cfc6ceedcfc6
A PSA crypto API is used for hash verification, namely
'psa_hash_compute', which internally calculates hash of the given
data payload.
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
Change-Id: Ic90e43e68b836ee2add4b868663cfca2340c8108
A PSA crypto API is used for hash verification, namely
psa_hash_verify, which internally calculates and verifies the hash
of the given data payload.
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
Change-Id: Ib48aa6b74b59aea6036333ff00f6ca566b910e60
Initialised Mbedtls PSA cryto during Crypto init using
function call 'psa_crypto_init'.
MbedTLS currently requires a Random Number Generator (RNG) once
PSA Crypto support is enabled. However, TF-A itself doesn't engage
in cryptographic operations that demand randomness. Consequently,
we simulate the presence of an external TRNG (through the configuration
option 'MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG) while, in reality, we offer
a dummy implementation of mbedtls_psa_external_get_random() that always
returns an error.
Change-Id: Ife6d03909c0e6081438d2b2519ef500e5dcdb88f
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
An ad-hoc MbedTLS PSA crypto driver is registered by compiling
a new driver file, namely mbedtls_psa_crypto.c when PSA_CRYPTO=1.
As of now, this file is the same as mbedtls_crypto.c, but subsequent
patches will update crypto functions in this file to trigger
PSA crypto APIs.
Change-Id: I404c347990661d87dcf5d0501d238e36914ec3ee
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
Cortex-X3 erratum 2070301 is a Cat B erratum that applies to all
revisions <= r1p2 and is still open.
The workaround is to write the value 4'b1001 to the PF_MODE bits
in the IMP_CPUECTLR2_EL1 register. This places the data prefetcher
in the most conservative mode instead of disabling it.
SDEN documentation:
https://developer.arm.com/documentation/2055130/latest
Change-Id: I337c4c7bb9221715aaf973a55d0154e1c7555768
Signed-off-by: Sona Mathew <sonarebecca.mathew@arm.com>
Add VERSION_PATCH macro in Makefile. This will help LTS releases.
While at it, handle VERSION_PATCH macro in .versionrc.js script.
Change-Id: Id3ec359f7768a90ba5c67e35d29736a46eb402b5
Signed-off-by: Yann Gautier <yann.gautier@st.com>
Address an issue where incorrect macro name is being used for
setting the UART buad rate. Updated the code to use the
appropriate macro name, ensuring that baud rate name is proper.
Fixes: 04a483359f ("feat(xilinx): sync macro names")
Signed-off-by: Prasad Kummari <prasad.kummari@amd.com>
Change-Id: I27dd8b1559beb0cf7b872de037adc95a948ecc2f
This is a preparatory patch to provide MbedTLS PSA Crypto
API support, with below changes -
1. Added a build macro PSA_CRYPTO to enable the MbedTLS PSA
Crypto API support in the subsequent patches.
2. Compile necessary PSA crypto files from MbedTLS source code
when PSA_CRYPTO=1.
Also, marked PSA_CRYPTO as an experimental feature.
Change-Id: I45188f56c5c98b169b2e21e365150b1825c6c450
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
Added scope for MbedTLS PSA Crypto API implementation.
Change-Id: I0a7c6242841dfb94f6ca5e9174ffd520c5fe00fa
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
* changes:
fix(st): enable RTC clock before accessing nv counter
fix(st-crypto): use GENMASK_32 to define PKA registers masks
fix(st): update comment on encryption key
fix(st): allow crypto lib compilation in aarch64
fix(st-uart): allow 64 bit compilation
fix(st): reduce MMC block_buffer
fix(stm32mp13-fdts): cosmetic fixes in PLL nodes
fix(st): update dt_get_ddr_size() type
fix(nand): reset the SLC NAND
fix(st-crypto): do not read RNG data if it's not ready
