Ref: https://linaro.atlassian.net/browse/TFC-669
The initial LTS document was created as pdf and was maintained in a
shared folder location, to avoid pdf getting lost and trying to find
where it is we decided to have LTS details part of docs in TF-A.
This patch directly reflects the data from pdf attached to TFC-669.
Any improvements or amends to this will be done at later phases based
on LTS maintainers comments and agreements.
Change-Id: I1434c29f0236161d2a127596e2cc528bf4cc3e85
Signed-off-by: Govindraj Raja <govindraj.raja@arm.com>
* This patch adds some details on the EL3/Root-Context
and its related interfaces.
* Additionally it updates the existing details on the
interfaces, related to various CPU context entries which
have been improvised recently.
Signed-off-by: Jayanth Dodderi Chidanand <jayanthdodderi.chidanand@arm.com>
Change-Id: I81a992fe09feca4dc3d579a48e54a4763425e052
Two diagrams in the documentation contained the string "ARM TF", which
is probably a remainder of the older "ARM Trusted Firmware" name.
Replace that with "TF-A", which is now the more widely known name for
Trusted Firmware.
This was done with an image editing program, by just moving the letters
around, as I didn't find any source for that image.
Change-Id: I1fa18341b3aa8fc8c4ecc8988bf4de66e473caa7
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
This patch adds some documentation for the context management library.
It mainly covers the design at a higher level, with more focus on
the cold boot and warm boot entries as well as the operations
involved during context switch. Further it also includes a section
on feature enablement for individual world contexts.
Change-Id: I77005730f4df7f183f56a2c6dd04f6362e813c07
Signed-off-by: Jayanth Dodderi Chidanand <jayanthdodderi.chidanand@arm.com>
Changes all occurrences of "RSS" and "rss" in the documentation
to "RSE" and "rse".
Signed-off-by: Tamas Ban <tamas.ban@arm.com>
Change-Id: Ia42078f5faa1db331b1e5a35f01faeaf1afacb5f
Explain that platforms are free to define their own Chain of Trust (CoT)
based on their needs but default ones are provided in TF-A source code:
TBBR, dualroot and CCA.
Give a brief overview of the use case for each of these CoTs.
Simplified diagrams are also provided for the TBBR and dualroot CoTs -
CCA CoT is missing such a diagram right now, it should be provided as a
future improvement.
Also do some cosmetic changes along the way.
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
Change-Id: I7c4014d4d12d852b0ae5632ba9c71a9ad266080a
Software supply chain attacks aim to inject malicious code into a
software product. There are several ways a malicious code can be
injected into a software product (open-source project).
These include:
- Malicious code commits
- Malicious dependencies
- Malicious toolchains
This document provides analysis of software supply chain attack
threats for the TF-A project
Change-Id: I03545d65a38dc372f3868a16c725b7378640a771
Signed-off-by: Lauren Wehrmeister <lauren.wehrmeister@arm.com>
Arm Confidential Compute Architecture (Arm CCA) support, underpinned by
Arm Realm Management Extension (RME) support, brings in a few important
software and hardware architectural changes in TF-A, which warrants a
new security analysis of the code base. Results of this analysis are
captured in a new threat model document, provided in this patch.
The main changes introduced in TF-A to support Arm CCA / RME are:
- Presence of a new threat agent: realm world clients.
- Availability of Arm CCA Hardware Enforced Security (HES) to support
measured boot and trusted boot.
- Configuration of the Granule Protection Tables (GPT) for
inter-world memory protection.
This is only an initial version of the threat model and we expect to
enrich it in the future.
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
Co-authored-by: Manish Pandey <manish.pandey2@arm.com>
Change-Id: Iab84dc724df694511508f90dc76b6d469c4cccd5
TF-A supports reading input data from UART interfaces. This opens up
an attack vector for arbitrary data to be injected into TF-A, which is
not covered in the threat model right now.
Fill this gap by:
- Updating the data flow diagrams. Data may flow from the UART into
TF-A (and not only the other way around).
- Documenting the threats inherent to reading untrusted data from a
UART.
Change-Id: I508da5d2f7ad5d20717b958d76ab9337c5eca50f
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
Add details about RAS error handling philosophies and its implementation
It also updates the tests introduced to verify them.
Signed-off-by: Manish Pandey <manish.pandey2@arm.com>
Change-Id: Iedc8c1e713dad05baadd58e5752df36fa00121a7
set_fw_config_info() interface got renamed into set_config_info() as
part of commit f441718936 ("lib/fconf:
Update 'set_fw_config_info' function"). Rename a few left-overs of the
old name.
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
Change-Id: I119719cd7f3ba544e0c4c438e5341d35c7b5bdc2
This patch adds a new optional member `pwr_domain_validate_suspend` to
the `plat_psci_ops_t` structure that allows a platform to optionally
perform platform specific validations in OS-initiated mode. This is
conditionally compiled into the build depending on the value of the
`PSCI_OS_INIT_MODE` build option.
In https://review.trustedfirmware.org/c/TF-A/trusted-firmware-a/+/17682,
the return type of the `pwr_domain_suspend` handler was updated from
`void` to `int` to allow a platform to optionally perform platform
specific validations in OS-initiated mode. However, when an error code
other than `PSCI_E_SUCCESS` is returned, the current exit path does not
undo the operations in `psci_suspend_to_pwrdown_start`, and as a result,
the system ends up in an unexpected state.
The fix in this patch prevents the need to undo the operations in
`psci_suspend_to_pwrdown_start`, by allowing the platform to first
perform any necessary platform specific validations before the PSCI
generic code proceeds to the point of no return where the CPU_SUSPEND
request is expected to complete successfully.
Change-Id: I05d92c7ea3f5364da09af630d44d78252185db20
Signed-off-by: Wing Li <wingers@google.com>
This patch updates description of RMM-EL3 Boot Manifest
structure and its corresponding diagram and tables with DRAM
layout data.
Signed-off-by: AlexeiFedorov <Alexei.Fedorov@arm.com>
Change-Id: I1b092bc1ad5f1c7909d25c1a0dc89c2b210ada27
Threat model for EL3 SPMC.
The mitigations are based on the guidance
provided in FF-A v1.1 EAC0 spec.
Signed-off-by: Shruti Gupta <shruti.gupta@arm.com>
Change-Id: I7f4c9370b6eefe6d1a7d1afac27e8b3a7b476072
Add documentation how to build EL3 SPMC,
briefly describes all FF-A interfaces,
SP boot flow, SP Manifest, Power Management,
Boot Info Protocol, Runtime model and state
transition and Interrupt Handling.
Signed-off-by: Shruti Gupta <shruti.gupta@arm.com>
Change-Id: I630df1d50a4621b344a09e462563eacc90109de4
This patch documents the RMM-EL3 Boot and runtime interfaces.
Note that for the runtime interfaces, some services are not
documented in this patch and will be added on a later doc patch.
These services are:
* RMMD_GTSI_DELEGATE
* RMMD_GTSI_UNDELEGATE
* RMMD_RMI_REQ_COMPLETE
Signed-off-by: Javier Almansa Sobrino <javier.almansasobrino@arm.com>
Change-Id: I8fcc89d91fe5a334c2f68c6bfd1fd672a8738b5c
Updated following sections to document implementation of the FF-A boot
information protocol:
- Describing secure partitions.
- Secure Partition Packages.
- Passing boot data to the SP.
Also updated description of the manifest field 'gp-register-num'.
Signed-off-by: J-Alves <joao.alves@arm.com>
Change-Id: I5c856437b60cdf05566dd636a01207c9b9f42e61
This patch submits an RFC to refactor the context management
mechanism in TF-A.
Signed-off-by: Soby Mathew <soby.mathew@arm.com>
Change-Id: Ia1ad5a85cb86c129e2feaf36bed123f0067c3965
This patch expands the RME documentation with description of TF-A
changes for RME. It also modifies some other parts of TF-A documentation
to account for RME changes.
Signed-off-by: Zelalem Aweke <zelalem.aweke@arm.com>
Change-Id: I9e6feeee235f0ba4b767d239f15840f1e0c540bb
This is the first release of the public Trusted
Firmware A class threat model. This release
provides the baseline for future updates to be
applied as required by developments to the
TF-A code base.
Signed-off-by: Zelalem Aweke <zelalem.aweke@arm.com>
Change-Id: I3c9aadc46196837679f0b1377bec9ed4fc42ff11
Documented the build options used in Arm GPT parser enablement.
Change-Id: I9d7ef2f44b8f9d2731dd17c2639e5ed0eb6d0b3a
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
Updated the documentation for the FIP generation process using
SP images.
Change-Id: I4df7f379f08f33adba6f5c82904291576972e106
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
Former EL3 Secure Partition Manager using MM protocol is renamed
Secure Partition Manager (MM).
A new Secure Partition Manager document covers TF-A support for the
PSA FF-A compliant implementation.
Signed-off-by: Olivier Deprez <olivier.deprez@arm.com>
Change-Id: I9763359c2e96181e1726c8ad72738de293b80eb4
Updated the document for BL1 and BL2 boot flow to capture
below changes made in FCONF
1. Loading of fw_config and tb_fw_config images by BL1.
2. Population of fw_config and tb_fw_config by BL2.
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
Change-Id: Ifea5c61d520ff1de834c279ce1759b53448303ba
Update the plantuml diagrams to match the latest modification in fconf.
Signed-off-by: Louis Mayencourt <louis.mayencourt@arm.com>
Change-Id: I90f55bba0fd039a3f7e1bd39661cf849fccd64f5
Some of the plantuml diagrams in the I/O storage abstraction layer
documentation are absent from the rendered version of the porting
guide. The build log (see [1] for example) reports a syntax error in
these files. This is due to the usage of the 'order' keyword on the
participants list, which does not seem to be supported by the version
of plantuml installed on the ReadTheDocs server.
Fix these syntax errors by removing the 'order' keyword altogether. We
simply rely on the participants being declared in the desired order,
which will be the order of display, according to the plantuml
documentation.
[1] https://readthedocs.org/api/v2/build/9870345.txt
Change-Id: Ife35c74cb2f1dac28bda07df395244639a8d6a2b
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
Add uml sequence and class diagram to illustrate the behavior of the
storage abstraction layer.
Change-Id: I338262729f8034cc3d3eea1d0ce19cca973a91bb
Signed-off-by: Louis Mayencourt <louis.mayencourt@arm.com>
Currently we have some pre-rendered versions of certain diagrams
in SVG format. These diagrams have corresponding PlantUML source
that can be rendered automatically as part of the documentation
build, removing the need for any intermediate files.
This patch adds the Sphinx "plantuml" extension, replaces
references to the pre-rendered SVG files within the documents,
and finally removes the SVG files and helper script.
New requirements for building the docs are the
"sphinxcontrib-plantuml" Python module (added to the pip
requirements.txt file) and the Graphviz package (provides the
"dot" binary) which is in the Ubuntu package repositories.
Change-Id: I24b52ee40ff79676212ed7cff350294945f1b50d
Signed-off-by: Paul Beesley <paul.beesley@arm.com>
The project has been renamed from "Arm Trusted Firmware (ATF)" to
"Trusted Firmware-A (TF-A)" long ago. A few references to the old
project name that still remained in various places have now been
removed.
This change doesn't affect any platform files. Any "ATF" references
inside platform files, still remain.
Change-Id: Id97895faa5b1845e851d4d50f5750de7a55bf99e
Signed-off-by: John Tsichritzis <john.tsichritzis@arm.com>
Add the essentials for supporting a Sphinx documentation build:
- A makefile under docs/ to invoke Sphinx with the desired output
format
- A Sphinx master configuration file (conf.py)
- A single, top-level index page (index.rst)
- The TF.org logo that is integrated in the the sidebar of the
rendered output
Change-Id: I85e67e939658638337ca7972936a354878083a25
Signed-off-by: Paul Beesley <paul.beesley@arm.com>
