The ability to read a character from the console constitutes an attack
vector into TF-A, as it gives attackers a means to inject arbitrary
data into TF-A. It is dangerous to keep that feature enabled if not
strictly necessary, especially in production firmware builds.
Thus, we need a way to disable this feature. Moreover, when it is
disabled, all related code should be eliminated from the firmware
binaries, such that no remnant/dead getc() code remains in memory,
which could otherwise be used as a gadget as part of a bigger security
attack.
This patch disables getc() feature by default. For legitimate getc()
use cases [1], it can be explicitly enabled by building TF-A with
ENABLE_CONSOLE_GETC=1.
The following changes are introduced when getc() is disabled:
- The multi-console framework no longer provides the console_getc()
function.
- If the console driver selected by the platform attempts to register
a getc() callback into the multi-console framework then TF-A will
now fail to build.
If registered through the assembly function finish_console_register():
- On AArch64, you'll get:
Error: undefined symbol CONSOLE_T_GETC used as an immediate value.
- On AArch32, you'll get:
Error: internal_relocation (type: OFFSET_IMM) not fixed up
If registered through the C function console_register(), this requires
populating a struct console with a getc field, which will trigger:
error: 'console_t' {aka 'struct console'} has no member named 'getc'
- All console drivers which previously registered a getc() callback
have been modified to do so only when ENABLE_CONSOLE_GETC=1.
[1] Example of such use cases would be:
- Firmware recovery: retrieving a golden BL2 image over the console in
order to repair a broken firmware on a bricked board.
- Factory CLI tool: Drive some soak tests through the console.
Discussed on TF-A mailing list here:
https://lists.trustedfirmware.org/archives/list/tf-a@lists.trustedfirmware.org/thread/YS7F6RCNTWBTEOBLAXIRTXWIOYINVRW7/
Change-Id: Icb412304cd23dbdd7662df7cf8992267b7975cc5
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
Acked-by: Baruch Siach <baruch@tkos.co.il>
Updating toolchain to the latest production release version
12.3.Rel1 publicly available on:
https://developer.arm.com/downloads/-/arm-gnu-toolchain-downloads
We build TF-A in CI using x86_64 Linux hosted cross toolchains:
---------------------------------------------------------------
* AArch32 bare-metal target (arm-none-eabi)
* AArch64 bare-metal target (aarch64-none-elf)
Change-Id: Ifcabb7fb9d8e13b87e164c3c1be8c8d32c31b49a
Signed-off-by: Jayanth Dodderi Chidanand <jayanthdodderi.chidanand@arm.com>
This is a preparatory patch to provide MbedTLS PSA Crypto
API support, with below changes -
1. Added a build macro PSA_CRYPTO to enable the MbedTLS PSA
Crypto API support in the subsequent patches.
2. Compile necessary PSA crypto files from MbedTLS source code
when PSA_CRYPTO=1.
Also, marked PSA_CRYPTO as an experimental feature.
Change-Id: I45188f56c5c98b169b2e21e365150b1825c6c450
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
This patch enables Scalable Matrix Extension (SME) for RMM. RMM will
save/restore required registers that are shared with SVE/FPU register
state so that Realm can use FPU or SVE.
The Relevant RMM support can be found here :
https://github.com/TF-RMM/tf-rmm/commit/0ccd7ae58b00
Signed-off-by: Arunachalam Ganapathy <arunachalam.ganapathy@arm.com>
Change-Id: I3bbdb840e7736dec00b71c85fcec3d5719413ffd
Add transfer list APIs and firmware handoff build option.
Change-Id: I68a0ace22c7e50fcdacd101eb76b271d7b76d8ff
Signed-off-by: Raymond Mao <raymond.mao@linaro.org>
Add pkcs11 engine support which allows using keys that are securely
stored on a HSM or TPM. To use this feature the user has to supply
an RFC 7512 compliant PKCS11 URI to a key instead of a file as an
argument to one of the key options. This change is fully backwards
compatible.
This change makes use of the openssl engine API which is deprecated
since openssl 3.0 and will most likely be removed in version 4. So
pkcs11 support will have to be updated to the openssl provider API
in the near future.
Signed-off-by: Robin van der Gracht <robin@protonic.nl>
Change-Id: If96725988ca62c5613ec59123943bf15922f5d1f
Update TF-A documentation to recommend using the latest and greatest
release of mbedTLS library to this date, i.e. version 3.4.1. The
upgrade was successfully tested by the OpenCI running all existing
test configs, in particular trusted boot and measured boot related
ones.
The reason for this upgrade is simply to obey TF-A's guideline to
always use up-to-date security libraries. mbedTLS 3.4.1 release
notes [1] do not list any changes that should affect TF-A.
[1] https://github.com/Mbed-TLS/mbedtls/releases/tag/v3.4.1
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
Change-Id: Ifc31c2fc825a2fc9ca318ea8baadd51b670e7a4e
Add documentation for the new build option ENABLE_SPMD_LP.
Signed-off-by: Raghu Krishnamurthy <raghu.ncstate@gmail.com>
Change-Id: I808e6c00e3699fc900dc97e889af63cc01cae794
This patch details the required packages and terminal commands for
building the documentation in PDF format locally.
Change-Id: Ic5f416b73e46d5f362fe9eb909200b95eda19e6a
Signed-off-by: Elizabeth Ho <elizabeth.ho@arm.com>
Move documentation related to Arm(R) Ethos(TM)-N NPU driver from
docs/plat/arm/arm-build-options.rst to
docs/getting_started/build-options.rst.
Signed-off-by: Rajasekaran Kalidoss <rajasekaran.kalidoss@arm.com>
Change-Id: I388e8dcd3950b11bc3305f5e6396ee2e49c04493
commit@7794d6c8f8c44acc14fbdc5ada5965310056be1e added a march utility
but the details were not updated in docs.
Update docs to provide a glimpse of march utility added.
Change-Id: I696cb9a701a30d7bf36a1ecd38a80d07df1fd551
Signed-off-by: Govindraj Raja <govindraj.raja@arm.com>
The FEAT_MTPMU feature disable runs very early after reset. This means,
it needs to be written in assembly, since the C runtime has not been
initialised yet.
However, there is no need for it to be initialised so soon. The PMU
state is only relevant after TF-A has relinquished control. The code
to do this is also very verbose and difficult to read. Delaying the
initialisation allows for it to happen with the rest of the PMU. Align
with FEAT_STATE in the process.
BREAKING CHANGE: This patch explicitly breaks the EL2 entry path. It is
currently unsupported.
Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>
Change-Id: I2aa659d026fbdb75152469f6d19812ece3488c6f
Moved common build options from Arm-specific file to common build
file.
Change-Id: If74b6223972ae3a6c11d9f9d2fbd8d2ee008b6e5
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
Moved the Juno-specific build option from the common build option
file to the Arm build option file.
Change-Id: I0f53203f0cfca4a3baadab2cee4339c9694cfe8b
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
For a pretty implementation and straightforward code, the CVE/erratum
dispatching of the errata status reporting was done with a macro,
closely following the old code. Unfortunately, this produces a function
that was over a kilobyte in size, which unsurprisingly doesn't fit on
some platforms.
Convert the macro to a proper C function and call it once. Also hide the
errata ordering checking behind the FEATURE_DETECTION flag to further
save space. This functionality is not necessary for most builds.
Development and platform bringup builds, which should find this
functionality useful, are expected to have FEATURE_DETECTION enabled.
This reduces the function to under 600 bytes.
Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>
Change-Id: Ibf5376a26cbae28d9dc010128452cb3c694a3f78
PSCI specification reference in the documentation is updated
to point to latest specification and duplicate PSCI references are
removed.
Change-Id: I35ee365f08c557f3017af4d51f6d063a7501b27e
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
Update to use the following software:
- mbed TLS == 3.4.0
- (DTC) >= 1.4.7
- Ubuntu 22.04 for builds.
Signed-off-by: Govindraj Raja <govindraj.raja@arm.com>
Change-Id: I384aab4dfee9cae9453eebf4091abe82ef9ccfaa
The current usage of RAS_EXTENSION in TF-A codebase is to cater for two
things in TF-A :
1. Pull in necessary framework and platform hooks for Firmware first
handling(FFH) of RAS errors.
2. Manage the FEAT_RAS extension when switching the worlds.
FFH means that all the EAs from NS are trapped in EL3 first and signaled
to NS world later after the first handling is done in firmware. There is
an alternate way of handling RAS errors viz Kernel First handling(KFH).
Tying FEAT_RAS to RAS_EXTENSION build flag was not correct as the
feature is needed for proper handling KFH in as well.
This patch breaks down the RAS_EXTENSION flag into a flag to denote the
CPU architecture `ENABLE_FEAT_RAS` which is used in context management
during world switch and another flag `RAS_FFH_SUPPORT` to pull in
required framework and platform hooks for FFH.
Proper support for KFH will be added in future patches.
BREAKING CHANGE: The previous RAS_EXTENSION is now deprecated. The
equivalent functionality can be achieved by the following
2 options:
- ENABLE_FEAT_RAS
- RAS_FFH_SUPPORT
Signed-off-by: Manish Pandey <manish.pandey2@arm.com>
Change-Id: I1abb9ab6622b8f1b15712b12f17612804d48a6ec
Updating toolchain to the latest production release version
12.2.Rel1 publicly available on https://developer.arm.com/
We build TF-A in CI using:
AArch32 bare-metal target (arm-none-eabi)
AArch64 ELF bare-metal target (aarch64-none-elf)
Change-Id: Ib603cf7417e6878683a1100d5f55311188e36e8e
Signed-off-by: Jayanth Dodderi Chidanand <jayanthdodderi.chidanand@arm.com>
Updated errata ABI feature enable flag and the errata non-arm
interconnect based flag, the default values for when the
feature is not enabled.
Change-Id: Ieb2144a1bc38f4ed684fda8280842a18964ba148
Signed-off-by: Sona Mathew <SonaRebecca.Mathew@arm.com>
Currently, enabling SME forces SVE off. However, the SME enablement
requires SVE to be enabled, which is reflected in code. This is the
opposite of what the build flags require.
Further, the few platforms that enable SME also explicitly enable SVE.
Their platform.mk runs after the defaults.mk file so this override never
materializes. As a result, the override is only present on the
commandline.
Change it to something sensible where if SME is on then code can rely on
SVE being on too. Do this with a check in the Makefile as it is the more
widely used pattern. This maintains all valid use cases but subtly
changes corner cases no one uses at the moment to require a slightly
different combination of flags.
Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>
Change-Id: If7ca3972ebc3c321e554533d7bc81af49c2472be
This patch introduces support to handle traps from lower ELs for
IMPDEF system register accesses. The actual support is left to the
platforms to implement.
Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>
Change-Id: I623d5c432b4ce4328b68f238c15b1c83df97c1e5
FEAT_SME2 is an extension of FEAT_SME and an optional feature
from v9.2. Its an extension of SME, wherein it not only
processes matrix operations efficiently, but also provides
outer-product instructions to accelerate matrix operations.
It affords instructions for multi-vector operations.
Further, it adds an 512 bit architectural register ZT0.
This patch implements all the changes introduced with FEAT_SME2
to ensure that the instructions are allowed to access ZT0
register from Non-secure lower exception levels.
Additionally, it adds support to ensure FEAT_SME2 is aligned
with the existing FEATURE DETECTION mechanism, and documented.
Change-Id: Iee0f61943304a9cfc3db8f986047b1321d0a6463
Signed-off-by: Jayanth Dodderi Chidanand <jayanthdodderi.chidanand@arm.com>
Some parts of the documentation referring to Poetry provides incorrect
build instructions and has some minor formatting errors. Reformat the
bits that require formatting, and fix the build instructions. These
were originally part of the patch stack that added Poetry support but
were accidentally reverted prior to merge.
Signed-off-by: Harrison Mutai <harrison.mutai@arm.com>
Change-Id: I336d3a7bbe99f75262430ae436f8ebc2cb050d2c
New python dependencies are introduced by the memory mapping script.
Rather than add another `requirements.txt` utilise poetry. This is a
proper dependency management framework for Python. The two main upsides
of using poetry instead of the traditional requirements.txt are
maintainability and reproducibility.
Poetry provides a proper lock file for pinning dependencies, similar to
npm for JavaScript. This allows for separate environments (i.e. docs,
tools) to be created efficiently, and in a reproducible manner, wherever
the project is deployed. Having dependencies pinned in this manner is a
boon as a security focused project. An additional upside is that we will
receive security updates for dependencies via GitHub's Dependabot.
Change-Id: I5a3c2003769b878a464c8feac0f789e5ecf8d56c
Signed-off-by: Harrison Mutai <harrison.mutai@arm.com>
Arm v9.4 introduces support for Guarded Control Stack, providing
mitigations against some forms of RPO attacks and an efficient mechanism
for obtaining the current call stack without requiring a full stack
unwind. Enable access to this feature for EL2 and below, context
switching the newly added EL2 registers as appropriate.
Change the FVP platform to default to handling this as a dynamic option
so the right decision can be made by the code at runtime.
Signed-off-by: Mark Brown <broonie@kernel.org>
Change-Id: I691aa7c22e3547bb3abe98d96993baf18c5f0e7b
Arm v8.9 introduces a series of features providing a new way to set memory
permissions. Instead of directly encoding the permissions in the page
tables the PTEs contain indexes into an array of permissions stored in
system registers, allowing greater flexibility and density of encoding.
Enable access to these features for EL2 and below, context switching the
newly added EL2 registers as appropriate. Since all of FEAT_S[12]P[IO]E
are separately discoverable we have separate build time options for
enabling them, but note that there is overlap in the registers that they
implement and the enable bit required for lower EL access.
Change the FVP platform to default to handling them as dynamic options so
the right decision can be made by the code at runtime.
Signed-off-by: Mark Brown <broonie@kernel.org>
Change-Id: Icf89e444e39e1af768739668b505661df18fb234
The porting guide is currently hosted under the 'Getting started'
section. Yet, porting the full firmware to a new platform is probably
not the first thing that one would do. Before delving into the
details, one would probably start by building the code for an emulated
platform, such as Arm FVP.
Furthermore, the porting guide is such a big and important document
that it probably deserves being visible in the main table of contents.
Thus, move it just above the list of supported platforms.
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
Change-Id: I51b3d2a93832505ab90d73c823f06f9540e84c77
Version 1 of the translation table library is deprecated. Refer to
version 2 instead.
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
Change-Id: I10a4ab7b346ea963345f82baff2deda267c5308d
The pull request terminology dates back from when TF-A repository was
hosted on Github. Use a terminology that is more suited to Gerrit
workflow.
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
Change-Id: Ieecf47617ca1cdb76b9c4a83f63ba3c402b9e975
Add some missing configuration that must be done for supporting NPU on
other platforms.
Signed-off-by: Rob Hughes <robert.hughes@arm.com>
Signed-off-by: Mikael Olsson <mikael.olsson@arm.com>
Change-Id: Ic505ea60f73b970d0d7ded101830eb2ce8c7ab64
To be able to further restrict the memory access for the Arm(R)
Ethos(TM)-N NPU, separate read-only and read/write NSAIDs for the
non-protected and protected memory have been added to the Juno
platform's TZMP1 TZC configuration for the NPU.
The platform definition has been updated accordingly and the NPU driver
will now only give read/write access to the streams that require it.
Signed-off-by: Mikael Olsson <mikael.olsson@arm.com>
Change-Id: I5a173500fc1943a5cd406a3b379e1f1f554eeda6
BL2 on Juno now loads the Arm(R) Ethos(TM)-N NPU firmware into a fixed
address, using the existing image loading framework.
Includes support for TRUSTED_BOARD_BOOT, if enabled, using the firmware
content and key certificates from the FIP.
Supports the ARM_IO_IN_DTB option so can specify the firmware location
from the dtb rather than it being hardcoded to the FIP
Update makefile to automatically embed the appropriate images into the
FIP.
BREAKING CHANGE: Building the FIP when TZMP1 support is enabled in the
NPU driver now requires a parameter to specify the NPU firmware file.
Signed-off-by: Rob Hughes <robert.hughes@arm.com>
Signed-off-by: Mikael Olsson <mikael.olsson@arm.com>
Change-Id: I8cd64fb20d58f8bd539facb085606213d6cead06
For the TZC to allow the Arm(R) Ethos(TM)-N NPU to access the buffers
allocated in a protected memory region, it must include the correct
NSAID for that region in its transactions to the memory. This change
updates the SiP service to configure the NSAIDs specified by a platform
define. When doing a protected access the SiP service now configures the
NSAIDs specified by the platform define. For unprotected access the
NSAID is set to zero.
Signed-off-by: Rajasekaran Kalidoss <rajasekaran.kalidoss@arm.com>
Signed-off-by: Rob Hughes <robert.hughes@arm.com>
Signed-off-by: Mikael Olsson <mikael.olsson@arm.com>
Change-Id: I3360ef33705162aba5c67670386922420869e331
FEAT_SVE build macro, "ENABLE_SVE_FOR_NS" default value has been updated
to 2, to support its existing behavior of dynamic detection as well as
keep it aligned with the changes concerning STATE=FEAT_STATE_CHECKED(2),
part of Feature Detection procedure.
Change-Id: Iee43e899f19dc9d5eb57c235998758f462a8c397
Signed-off-by: Jayanth Dodderi Chidanand <jayanthdodderi.chidanand@arm.com>
