While loading partition entries, calculate CRC using tf_crc32() for each
entry to find the full CRC value of the partition entry array.
The start of the GPT partition entry array is located at the LBA
indicated by the partition entry array LBA field in the GPT header. The
size of the partition entry array is indicated by the size of partition
entry multiplied by the number of partition entries.
Compare the calculated CRC with the partition entry array CRC in the GPT
header, error out if the values do not match.
Change-Id: I4bfed8cf903125c1ef3fac2f0f4c0fb87d63aa78
Signed-off-by: Lauren Wehrmeister <lauren.wehrmeister@arm.com>
Alter the function parameter to pass the full GPT header to be filled
instead of the starting LBA of the array of partion entries to
load_partition_gpt()
Change-Id: Ib3dde62d5b9996e74157714634bea748bd3b55aa
Signed-off-by: Lauren Wehrmeister <lauren.wehrmeister@arm.com>
* changes:
docs: update FVP TC2 model version and build (11.23/17)
fix(tc): increase BL2 maximum size limit
refactor(tc): update platform tests
feat(rss): add defines for 'type' range and use them in psa_call()
feat(rss): adjust parameter packing to match TF-M changes
refactor(tc): remap console logs
Extend the SDS driver to be able to handle multiple
SDS regions:
- AP-SCP
- AP-RSS
Change-Id: Id303840b248c383b3f960227cbf6333d1cc75e65
Signed-off-by: Tamas Ban <tamas.ban@arm.com>
Signed-off-by: David Vincze <david.vincze@arm.com>
In gicv3_main.c the function is_sgi_ppi() returns true when its
sgi/ppi or false when the interrupt number matches an spi interrupt.
Introducing a new API is_valid_interrupt() which validates if
an interrupt number matches SGI/PPI or SPI as a valid interrupt,
any other interrupt number is considered invalid and panics.
Change-Id: Idce8f5432a94c8d300b9408cf5b2502c60e13318
Signed-off-by: Sona Mathew <sonarebecca.mathew@arm.com>
Fix the wrong placement of the closing parenthesis in the second
condition check that resulted in the incorrect calculation of the MHU
message size. Also, format the code for readability.
Signed-off-by: Vijayenthiran Subramaniam <vijayenthiran.subramaniam@arm.com>
Change-Id: I0e012f3ff00bae2dfc12cdb1c2c636fc6c0a0b55
The function mhu_get_max_message_size() for MHUv2 should return only the
available memory for use after considering all the overheads for its own
use.
Signed-off-by: Sathyam Panda <sathyam.panda@arm.com>
Signed-off-by: Vijayenthiran Subramaniam <vijayenthiran.subramaniam@arm.com>
Change-Id: I14ad16e8f4b781e396bca6173077513db74157d5
Reading the SCMI mailbox status in polling mode causes a burst of bus
accesses. On certain platforms, this would not be ideal as the shared
bus on the CPU subsystem might cause contentions across all the CPUs.
So allow platforms to specify a delay to be introduced while polling.
Change-Id: Ib90ad7b5954854071cfd543f4a27a178dde3d5c6
Signed-off-by: Pranav Madhu <pranav.madhu@arm.com>
This driver is used for the new version of the BSEC peripheral used
on STM32MP25.
Change-Id: I38ca0db22d06704769c994c6806ccd80b17dde6e
Signed-off-by: Nicolas Le Bayon <nicolas.le.bayon@st.com>
Signed-off-by: Lionel Debieve <lionel.debieve@foss.st.com>
Signed-off-by: Yann Gautier <yann.gautier@foss.st.com>
Update nand driver to match GHRD design, fix row
address calculation method and other misc updates.
Signed-off-by: Girisha Dengi <girisha.dengi@intel.com>
Signed-off-by: Sieu Mun Tang <sieu.mun.tang@intel.com>
Change-Id: I1cb3dda43e767ba243fbe89bfa18818db321c5c2
The function stm32_i2c_get_setup_from_fdt() was using fdt_getprop() to
to get some i2c node properties, and set a default value if the node
was not found. The function fdt_read_uint32_default() already does
this in a simpler way.
Remove useless STM32_I2C_SPEED_DEFAULT.
Change-Id: I74c6295bb5765ee7c7e0a9ae020b741f1fe022a6
Signed-off-by: Yann Gautier <yann.gautier@st.com>
The function stm32mp_is_closed_device() is replaced with
stm32mp_check_closed_device(), which return an uint32_t, either
STM32MP_CHIP_SEC_OPEN or STM32MP_CHIP_SEC_CLOSED.
Signed-off-by: Yann Gautier <yann.gautier@foss.st.com>
Change-Id: Ie0790cdc36c4b6522083bc1f0e7c38e8061e6adf
In order to ease the introduction of a new BSEC3 driver for STM32MP25,
the BSEC2 driver is reworked. Unused functions are removed. The
bsec_base global variable is removed in favor of the macro BSEC_BASE.
A rework is also done around function checking the state of BSEC.
Change-Id: I1ad76cb67333ab9a8fa1d65db34d74a712bf1190
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Signed-off-by: Yann Gautier <yann.gautier@st.com>
Fixed the check of the address range which the program is loaded to.
Use the addresses and sizes in the BL31 and BL32 certificates to check
that they are within the range of the target address and size
defined inside the TF-A.
It also uses the addresses and sizes in the BL33x certificates to check
that they are outside the protected area defined inside the TF-A.
Signed-off-by: Hideyuki Nitta <hideyuki.nitta.jf@hitachi.com>
Signed-off-by: Toshiyuki Ogasahara <toshiyuki.ogasahara.bo@hitachi.com>
Signed-off-by: Yoshifumi Hosoya <yoshifumi.hosoya.wj@renesas.com>
Signed-off-by: Marek Vasut <marek.vasut+renesas@mailbox.org> # Code clean up
Change-Id: Iade15431fc86587489fb0ca9106f6baaf7e926e2
Check if next NS image invades a previous loaded image.
Correct non secure image area to avoid loading a NS image to secure
Move GZ compressed payload at 32 * compressed payload size offset,
so it is loaded in non-secure area and can be decompressed into
non-secure area too. It is unlikely that the up to 2 MiB compressed
BL33 blob would decompress to payload larger than 64 MiB .
Signed-off-by: Tobias Rist <tobias.rist@joynext.com>
Signed-off-by: Yoshifumi Hosoya <yoshifumi.hosoya.wj@renesas.com>
Signed-off-by: Marek Vasut <marek.vasut+renesas@mailbox.org> # Fix for compressed BL33
Change-Id: I52fd556aab50687e4791e5dbc45d425f802c8757
Make sure the length of the payload is not longer than the
DRAM size in check_load_area(), and make sure the payload
end does not cross protected area start.
Signed-off-by: Tobias Rist <tobias.rist@joynext.com>
Signed-off-by: Yoshifumi Hosoya <yoshifumi.hosoya.wj@renesas.com>
Change-Id: I4d687be577a138352be9f92e5b0b6f596ffffba9
The usage of this macro hinders the accuracy of code coverage
data. Lines of code calling this macro always appear as covered because
the test condition within it always gets executed; however, the branch
is not necessarily taken. Consequently, we lose branch coverage
information on these error code paths.
Besides, it is debatable whether such a simple macro really improves
code readability or on the contrary obfuscates the code...
For these reasons, this patch inlines the macro code everywhere it was
called.
It also adds some error messages in all these places to help narrowing
down authentication failures. These messages only get displayed and
compiled into the binaries when building TF-A with 'LOG_VERBOSE' level
of verbosity. We use the same message string everywhere in order to
limit the memory footprint increase for 'LOG_VERBOSE' builds.
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
Change-Id: I461078bb8c6fd6811d2cbefbe3614e17e83796f2
CryptoCell-712 and CryptoCell-713 drivers have been deprecated since
TF-A v2.9 and their removal was announced for TF-A v2.10 release.
See [1].
As the release is approaching, this patch deletes these drivers' code as
well as all references to them in the documentation and Arm platforms
code (Nuvoton platform is taken care in a subsequent patch). Associated
build options (ARM_CRYPTOCELL_INTEG and PLAT_CRYPTOCELL_BASE) have also
been removed and thus will have no effect if defined.
This is a breaking change for downstream platforms which use these
drivers.
[1] https://trustedfirmware-a.readthedocs.io/en/v2.9/about/release-information.html#removal-of-deprecated-drivers
Note that TF-A v3.0 release later got renumbered into v2.10.
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
Change-Id: Idabbc9115f6732ac1a0e52b273d3380677a39813
* changes:
docs: mark PSA_CRYPTO as an experimental feature
feat(fvp): increase BL1 RW area for PSA_CRYPTO implementation
feat(mbedtls-psa): mbedTLS PSA Crypto with ECDSA
Current interface 'partition_init' accepts parameter image_id
and returns no value. But the entire partition driver is build
only to parse and handle GPT partitions, so add new interface
gpt_partition_init which would return failure to platform code
if it fails to parse the image.
Change-Id: Iaf574d2ad01a15d0723c1475290c31dc4a078835
Signed-off-by: Govindraj Raja <govindraj.raja@arm.com>
Convert all warn messages to verbose messages. As most warning are
needed during debug only and and won't increase the binary size by
default.
Change-Id: Icc5d5157f13507ccbc34675c20357117cad98255
Signed-off-by: Govindraj Raja <govindraj.raja@arm.com>
Currently we just use primary GPT header which is located in second
entry after MBR header, but if this block is corrupted or CRC
mismatch occurs we could try to use the backup GPT header located at
LBAn and GPT entries following this from LBA-33.
Add suitable warning messages before returning any errors to identify
the cause of issue.
Change-Id: I0018ae9eafbacb683a18784d2c8bd917c70f50e1
Signed-off-by: Govindraj Raja <govindraj.raja@arm.com>
GPT header is located in first LBA after MBR entry and mbr header has
details of beginning of first entry, so use mbr header entry first_lba
data to locate GPT header rather than GPT_HEADER_OFFSET.
GPT header size is available in gpt_header, so use that
rather than using DEFAULT_GPT_HEADER_SIZE.
The location of GPT entries is available once we parse gpt_header
and is available as partitiona_lba use that to load gpt_entries rather
than GPT_ENTRY_OFFSET.
Change-Id: I3c11f8cc9d4b0b1778a37fe342fb845ea4a4eff1
Signed-off-by: Govindraj Raja <govindraj.raja@arm.com>
The ECDSA algorithm signature verification in the PSA differs
from the RSA algorithm in its handling of data formats. In the
case of RSA, an encoded ASN1.0 buffer is passed to the PSA API,
which then decodes the buffer. However, for ECDSA, the PSA API
expects a raw format.
To accomodate this requirement, introduce several static APIs
that allows to retrieve -
1. ECDSA public key data pointer along with its size, and also,
the ECC family in PSA format from the public key.
2. R and S pair of the ECDSA signature along with its size
Change-Id: Icc7d5659aeb3d5c1ab63c3a12c001e68b11a3a86
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
The Draak board ID is 7, Eagle is 3, update them to match
HW documentation. Drop the U suffix from Ebisu board ID.
Signed-off-by: Marek Vasut <marek.vasut+renesas@gmail.com>
Change-Id: Idd191614a6f1f8dbbc13b8e0bc1f089090f9d20b
Use KEY_SIZE 384 to enable ECDSA P384 key support by
setting MBEDTLS_ECP_DP_SECP384R1_ENABLED.
Selected by setting KEY_ALG=ecdsa and KEY_SIZE=384.
Change-Id: I382f34fc4da98f166a2aada5d16fdf44632b47f5
Signed-off-by: Lauren Wehrmeister <lauren.wehrmeister@arm.com>
The ability to read a character from the console constitutes an attack
vector into TF-A, as it gives attackers a means to inject arbitrary
data into TF-A. It is dangerous to keep that feature enabled if not
strictly necessary, especially in production firmware builds.
Thus, we need a way to disable this feature. Moreover, when it is
disabled, all related code should be eliminated from the firmware
binaries, such that no remnant/dead getc() code remains in memory,
which could otherwise be used as a gadget as part of a bigger security
attack.
This patch disables getc() feature by default. For legitimate getc()
use cases [1], it can be explicitly enabled by building TF-A with
ENABLE_CONSOLE_GETC=1.
The following changes are introduced when getc() is disabled:
- The multi-console framework no longer provides the console_getc()
function.
- If the console driver selected by the platform attempts to register
a getc() callback into the multi-console framework then TF-A will
now fail to build.
If registered through the assembly function finish_console_register():
- On AArch64, you'll get:
Error: undefined symbol CONSOLE_T_GETC used as an immediate value.
- On AArch32, you'll get:
Error: internal_relocation (type: OFFSET_IMM) not fixed up
If registered through the C function console_register(), this requires
populating a struct console with a getc field, which will trigger:
error: 'console_t' {aka 'struct console'} has no member named 'getc'
- All console drivers which previously registered a getc() callback
have been modified to do so only when ENABLE_CONSOLE_GETC=1.
[1] Example of such use cases would be:
- Firmware recovery: retrieving a golden BL2 image over the console in
order to repair a broken firmware on a bricked board.
- Factory CLI tool: Drive some soak tests through the console.
Discussed on TF-A mailing list here:
https://lists.trustedfirmware.org/archives/list/tf-a@lists.trustedfirmware.org/thread/YS7F6RCNTWBTEOBLAXIRTXWIOYINVRW7/
Change-Id: Icb412304cd23dbdd7662df7cf8992267b7975cc5
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
Acked-by: Baruch Siach <baruch@tkos.co.il>
A PSA crypto API is used for signature verification, namely
psa_verify_message, which calculates the signature and verify it
for the given signed message.
Note, this functionality is as of now tested for RSA based Key
algorithm, subsequent patches will provide the signature verification
support for all the key algorithms available in TF-A (provided by KEY_ALG
build option).
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
Change-Id: I16214e3cac6a7af445530a6dbd66cfc6ceedcfc6
A PSA crypto API is used for hash verification, namely
'psa_hash_compute', which internally calculates hash of the given
data payload.
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
Change-Id: Ic90e43e68b836ee2add4b868663cfca2340c8108
A PSA crypto API is used for hash verification, namely
psa_hash_verify, which internally calculates and verifies the hash
of the given data payload.
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
Change-Id: Ib48aa6b74b59aea6036333ff00f6ca566b910e60
Initialised Mbedtls PSA cryto during Crypto init using
function call 'psa_crypto_init'.
MbedTLS currently requires a Random Number Generator (RNG) once
PSA Crypto support is enabled. However, TF-A itself doesn't engage
in cryptographic operations that demand randomness. Consequently,
we simulate the presence of an external TRNG (through the configuration
option 'MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG) while, in reality, we offer
a dummy implementation of mbedtls_psa_external_get_random() that always
returns an error.
Change-Id: Ife6d03909c0e6081438d2b2519ef500e5dcdb88f
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
An ad-hoc MbedTLS PSA crypto driver is registered by compiling
a new driver file, namely mbedtls_psa_crypto.c when PSA_CRYPTO=1.
As of now, this file is the same as mbedtls_crypto.c, but subsequent
patches will update crypto functions in this file to trigger
PSA crypto APIs.
Change-Id: I404c347990661d87dcf5d0501d238e36914ec3ee
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
This is a preparatory patch to provide MbedTLS PSA Crypto
API support, with below changes -
1. Added a build macro PSA_CRYPTO to enable the MbedTLS PSA
Crypto API support in the subsequent patches.
2. Compile necessary PSA crypto files from MbedTLS source code
when PSA_CRYPTO=1.
Also, marked PSA_CRYPTO as an experimental feature.
Change-Id: I45188f56c5c98b169b2e21e365150b1825c6c450
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
* changes:
fix(st): enable RTC clock before accessing nv counter
fix(st-crypto): use GENMASK_32 to define PKA registers masks
fix(st): update comment on encryption key
fix(st): allow crypto lib compilation in aarch64
fix(st-uart): allow 64 bit compilation
fix(st): reduce MMC block_buffer
fix(stm32mp13-fdts): cosmetic fixes in PLL nodes
fix(st): update dt_get_ddr_size() type
fix(nand): reset the SLC NAND
fix(st-crypto): do not read RNG data if it's not ready
