* changes:
feat(tc): group components into certificates
feat(dice): add cert_id argument to dpe_derive_context()
refactor(sds): modify log level for region validity
feat(tc): add dummy TRNG support to be able to boot pVMs
feat(tc): get the parent component provided DPE context_handle
feat(tc): share DPE context handle with child component
feat(tc): add DPE context handle node to device tree
feat(tc): add DPE backend to the measured boot framework
feat(auth): add explicit entries for key OIDs
feat(dice): add DPE driver to measured boot
feat(dice): add client API for DICE Protection Environment
feat(dice): add QCBOR library as a dependency of DPE
feat(dice): add typedefs from the Open DICE repo
docs(changelog): add 'dice' scope
refactor(tc): align image identifier string macros
refactor(fvp): align image identifier string macros
refactor(imx8m): align image identifier string macros
refactor(qemu): align image identifier string macros
fix(measured-boot): add missing image identifier string
refactor(measured-boot): move metadata size macros to a common header
refactor(measured-boot): move image identifier strings to a common header
GIC600 erratum 2384374 is a Category B erratum. Part 1 is fixed
in this patch, and the Part 1 failure mode is described as
'If the packet to be sent is a SET packet, then a higher priority SET
may not be sent when it should be until an unblocking event occurs.'
This is handled by calling gicv3_apply_errata_wa_2384374() in the
ehf_deactivate_priority() path, so that when EHF restores the priority
to the original priority, the interrupt packet buffered
in the GIC can be sent.
gicv3_apply_errata_wa_2384374() is the workaround for
the Part 2 of erratum 2384374 which flush packets from the GIC buffer
and is being used in this patch.
SDEN can be found here:
https://developer.arm.com/documentation/sden892601/latest/
Signed-off-by: Arvind Ram Prakash <arvind.ramprakash@arm.com>
Change-Id: I4bb6dcf86c94125cbc574e0dc5119abe43e84731
This custom argument is meant to simplify to group
components into certificates. Components with
the same cert_id contribute to the same certificate
regardless of the load order or the structure of the
derivation tree. This argument aims to flatten the tree
structure and make it easy to include branches or
subtrees in the main derivation line.
Signed-off-by: Tamas Ban <tamas.ban@arm.com>
Change-Id: I83c4abc399616063a5eb04792d603899f7513627
Each client who wants to communicate with the DPE service
must own a valid context handle issued by the DPE service.
A context handle can be used for a single time then it will
be invalidated by the DPE service. In case of calls from
the same component, the next valid context handle is
returned in the response to a DPE command. When a component
finishes their job then the next component in the boot flow
inherits its first context handle from its parent.
How the inheritance is done can be client or
platform-dependent. It can be shared through shared
memory or be part of a DTB object passed to the next
bootloader stage.
Signed-off-by: Tamas Ban <tamas.ban@arm.com>
Signed-off-by: David Vincze <david.vincze@arm.com>
Change-Id: Ic82f074f1c5b15953e78f9fa5404ed7f48674cbb
To be allowed to communicate with DPE service all
components must own a valid context handle. The first
valid context handle is inherited from the parent
component via a DTB object.
Signed-off-by: Tamas Ban <tamas.ban@arm.com>
Change-Id: Id357fab3586398b1933444e1d10d1ab6d8243ab9
Implement a DPE specific backend within the
generic measured boot framework.
Signed-off-by: Tamas Ban <tamas.ban@arm.com>
Change-Id: Ia3a0eac0ee6f7b4b337a93d08286613e7c8186b4
The max size macros of metadata elements are shared across
multiple measured boot backends: rss-measured-boot, dpe.
Increase the SW_TYPE_MAX_SIZE to be able to accomodate
all macro.
Signed-off-by: Tamas Ban <tamas.ban@arm.com>
Change-Id: Ic9004a36ef1df96c70a4f7adf7bb86dc27dd307c
The image identifier strings are used across different measured boot
backends. Move them to a common location to avoid the redefiniton
of these per backend and to avoid code duplication.
Signed-off-by: Tamas Ban <tamas.ban@arm.com>
Change-Id: I58897b9a19396be932ca5d230ee00858c09ef03f
Change the names of some FWU metadata structure members to have them
align with the wording used in the corresponding specification. Use
the GUID type instead of UUID as the fields described in the
specification are GUIDs. Make corresponding changes to the code that
accesses these fields. No functional changes are introduced by the
patch.
Change-Id: Id3544ed1633811b0eeee2bf99477f9b7e6667044
Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org>
The GPT partition uses GUID values for identification of partition
types and partitions. Change the relevant functions to use GUID values
instead of UUID's.
Change-Id: I30df66a8a02fb502e04b0285f34131b65977988e
Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org>
Add a function fwu_get_alternate_boot_bank() to return a valid bank to
boot from. This function can be called by a platform to get an
alternate bank to try to boot the platform in the unlikely scenario of
the active bank being in an invalid state, or if the number of times
the platform boots in trial state exceeds a pre-set count.
Change-Id: I4bcd88e68e334c452882255bf028e01b090369d1
Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org>
The version 2 of the FWU metadata structure has a field bank_state in
the top level of the structure which can be used to check if a given
bank is in the either of Trial State, Accepted State, or in an Invalid
State. This is different from the binary states of Valid/Accepted
States that the bank could be in, as defined in the earlier version of
the specification.
Replace the fwu_is_trial_run_state() API with
fwu_get_active_bank_state() to get the state the current active bank
is in. The value returned by this API is then used by the caller to
take appropriate action.
Change-Id: I764f486840a3713bfe5f8e03d0634bfe09b23590
Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org>
The latest version of the FWU specification [1] has changes to the
metadata structure. This is version 2 of the structure.
Primary changes include
- bank_state field in the top level structure
- Total metadata size in the top level structure
- Image description structures now optional
- Number of banks and images per bank values part of the structure
Make changes to the structure to align with version 2 of the structure
defined in the specification. These changes also remove support for
version 1 of the metadata structure.
[1] - https://developer.arm.com/documentation/den0118/latest/
Change-Id: I84b4e742e463cae92375dde8b4603b4a581d62d8
Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org>
Update the links for accessing the FWU Multi Bank update specification
to point to the latest revision of the specification.
Change-Id: I25f35556a94ca81ca0a7463aebfcbc2d84595e8f
Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org>
Extend the SDS driver to be able to handle multiple
SDS regions:
- AP-SCP
- AP-RSS
Change-Id: Id303840b248c383b3f960227cbf6333d1cc75e65
Signed-off-by: Tamas Ban <tamas.ban@arm.com>
Signed-off-by: David Vincze <david.vincze@arm.com>
When trying to compile USB stack for STM32MP2, the following warning
happens:
In file included from plat/st/stm32mp2/stm32mp2_usb_dfu.c:7:
include/drivers/usb_device.h:193:9: error: unknown type name 'bool'
193 | bool is_in;
Correct it by adding: #include <stdbool.h>
Signed-off-by: Yann Gautier <yann.gautier@st.com>
Change-Id: If17e4e269fcdc885e42f5fcad9cfb763829786e4
Reading the SCMI mailbox status in polling mode causes a burst of bus
accesses. On certain platforms, this would not be ideal as the shared
bus on the CPU subsystem might cause contentions across all the CPUs.
So allow platforms to specify a delay to be introduced while polling.
Change-Id: Ib90ad7b5954854071cfd543f4a27a178dde3d5c6
Signed-off-by: Pranav Madhu <pranav.madhu@arm.com>
This driver is used for the new version of the BSEC peripheral used
on STM32MP25.
Change-Id: I38ca0db22d06704769c994c6806ccd80b17dde6e
Signed-off-by: Nicolas Le Bayon <nicolas.le.bayon@st.com>
Signed-off-by: Lionel Debieve <lionel.debieve@foss.st.com>
Signed-off-by: Yann Gautier <yann.gautier@foss.st.com>
Update nand driver to match GHRD design, fix row
address calculation method and other misc updates.
Signed-off-by: Girisha Dengi <girisha.dengi@intel.com>
Signed-off-by: Sieu Mun Tang <sieu.mun.tang@intel.com>
Change-Id: I1cb3dda43e767ba243fbe89bfa18818db321c5c2
The function stm32_i2c_get_setup_from_fdt() was using fdt_getprop() to
to get some i2c node properties, and set a default value if the node
was not found. The function fdt_read_uint32_default() already does
this in a simpler way.
Remove useless STM32_I2C_SPEED_DEFAULT.
Change-Id: I74c6295bb5765ee7c7e0a9ae020b741f1fe022a6
Signed-off-by: Yann Gautier <yann.gautier@st.com>
In order to ease the introduction of a new BSEC3 driver for STM32MP25,
the BSEC2 driver is reworked. Unused functions are removed. The
bsec_base global variable is removed in favor of the macro BSEC_BASE.
A rework is also done around function checking the state of BSEC.
Change-Id: I1ad76cb67333ab9a8fa1d65db34d74a712bf1190
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Signed-off-by: Yann Gautier <yann.gautier@st.com>
CryptoCell-712 and CryptoCell-713 drivers have been deprecated since
TF-A v2.9 and their removal was announced for TF-A v2.10 release.
See [1].
As the release is approaching, this patch deletes these drivers' code as
well as all references to them in the documentation and Arm platforms
code (Nuvoton platform is taken care in a subsequent patch). Associated
build options (ARM_CRYPTOCELL_INTEG and PLAT_CRYPTOCELL_BASE) have also
been removed and thus will have no effect if defined.
This is a breaking change for downstream platforms which use these
drivers.
[1] https://trustedfirmware-a.readthedocs.io/en/v2.9/about/release-information.html#removal-of-deprecated-drivers
Note that TF-A v3.0 release later got renumbered into v2.10.
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
Change-Id: Idabbc9115f6732ac1a0e52b273d3380677a39813
Current interface 'partition_init' accepts parameter image_id
and returns no value. But the entire partition driver is build
only to parse and handle GPT partitions, so add new interface
gpt_partition_init which would return failure to platform code
if it fails to parse the image.
Change-Id: Iaf574d2ad01a15d0723c1475290c31dc4a078835
Signed-off-by: Govindraj Raja <govindraj.raja@arm.com>
Currently we just use primary GPT header which is located in second
entry after MBR header, but if this block is corrupted or CRC
mismatch occurs we could try to use the backup GPT header located at
LBAn and GPT entries following this from LBA-33.
Add suitable warning messages before returning any errors to identify
the cause of issue.
Change-Id: I0018ae9eafbacb683a18784d2c8bd917c70f50e1
Signed-off-by: Govindraj Raja <govindraj.raja@arm.com>
GPT header is located in first LBA after MBR entry and mbr header has
details of beginning of first entry, so use mbr header entry first_lba
data to locate GPT header rather than GPT_HEADER_OFFSET.
GPT header size is available in gpt_header, so use that
rather than using DEFAULT_GPT_HEADER_SIZE.
The location of GPT entries is available once we parse gpt_header
and is available as partitiona_lba use that to load gpt_entries rather
than GPT_ENTRY_OFFSET.
Change-Id: I3c11f8cc9d4b0b1778a37fe342fb845ea4a4eff1
Signed-off-by: Govindraj Raja <govindraj.raja@arm.com>
Use KEY_SIZE 384 to enable ECDSA P384 key support by
setting MBEDTLS_ECP_DP_SECP384R1_ENABLED.
Selected by setting KEY_ALG=ecdsa and KEY_SIZE=384.
Change-Id: I382f34fc4da98f166a2aada5d16fdf44632b47f5
Signed-off-by: Lauren Wehrmeister <lauren.wehrmeister@arm.com>
The ability to read a character from the console constitutes an attack
vector into TF-A, as it gives attackers a means to inject arbitrary
data into TF-A. It is dangerous to keep that feature enabled if not
strictly necessary, especially in production firmware builds.
Thus, we need a way to disable this feature. Moreover, when it is
disabled, all related code should be eliminated from the firmware
binaries, such that no remnant/dead getc() code remains in memory,
which could otherwise be used as a gadget as part of a bigger security
attack.
This patch disables getc() feature by default. For legitimate getc()
use cases [1], it can be explicitly enabled by building TF-A with
ENABLE_CONSOLE_GETC=1.
The following changes are introduced when getc() is disabled:
- The multi-console framework no longer provides the console_getc()
function.
- If the console driver selected by the platform attempts to register
a getc() callback into the multi-console framework then TF-A will
now fail to build.
If registered through the assembly function finish_console_register():
- On AArch64, you'll get:
Error: undefined symbol CONSOLE_T_GETC used as an immediate value.
- On AArch32, you'll get:
Error: internal_relocation (type: OFFSET_IMM) not fixed up
If registered through the C function console_register(), this requires
populating a struct console with a getc field, which will trigger:
error: 'console_t' {aka 'struct console'} has no member named 'getc'
- All console drivers which previously registered a getc() callback
have been modified to do so only when ENABLE_CONSOLE_GETC=1.
[1] Example of such use cases would be:
- Firmware recovery: retrieving a golden BL2 image over the console in
order to repair a broken firmware on a bricked board.
- Factory CLI tool: Drive some soak tests through the console.
Discussed on TF-A mailing list here:
https://lists.trustedfirmware.org/archives/list/tf-a@lists.trustedfirmware.org/thread/YS7F6RCNTWBTEOBLAXIRTXWIOYINVRW7/
Change-Id: Icb412304cd23dbdd7662df7cf8992267b7975cc5
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
Acked-by: Baruch Siach <baruch@tkos.co.il>
Initialised Mbedtls PSA cryto during Crypto init using
function call 'psa_crypto_init'.
MbedTLS currently requires a Random Number Generator (RNG) once
PSA Crypto support is enabled. However, TF-A itself doesn't engage
in cryptographic operations that demand randomness. Consequently,
we simulate the presence of an external TRNG (through the configuration
option 'MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG) while, in reality, we offer
a dummy implementation of mbedtls_psa_external_get_random() that always
returns an error.
Change-Id: Ife6d03909c0e6081438d2b2519ef500e5dcdb88f
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
This is a preparatory patch to provide MbedTLS PSA Crypto
API support, with below changes -
1. Added a build macro PSA_CRYPTO to enable the MbedTLS PSA
Crypto API support in the subsequent patches.
2. Compile necessary PSA crypto files from MbedTLS source code
when PSA_CRYPTO=1.
Also, marked PSA_CRYPTO as an experimental feature.
Change-Id: I45188f56c5c98b169b2e21e365150b1825c6c450
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
Add unregistration function for the JTAG DCC (Debug Communication
Channel) console.
The unregistration function flushes DCC buffer before unregistering
the dcc console to make sure that no output char is pending.
Since console_flush() flushes chars for all registered consoles on
the platform, which is not required in this case, dcc_console_flush()
is being called instead.
Signed-off-by: Prasad Kummari <prasad.kummari@amd.com>
Change-Id: I6f15a07c6ee947dc0e7aa8fb069227618080e611
The generic interrupt controller identifies an interrupt based on its
type whereas the GIC uses the notion of groups to identify an
interrupt.
Currently, they are used interchangeably in GICv3 driver. It did not
cause any functional issues since the matching type and group had the
same value for corresponding macros. This patch makes the necessary
fixes.
The generic interrupt controller APIs, such as
plat_ic_set_interrupt_type map interrupt type to interrupt group
supported by the GICv3 IP. Similarly, other generic interrupt
controller APIs map interrupt group to interrupt type as needed.
This patch also changes the name of the helper functions to use group
rather than type for handling interrupts.
Change-Id: Ie2d88a3260c71e4ab9c8baacde24cc21e551de3d
Signed-off-by: Madhukar Pappireddy <madhukar.pappireddy@arm.com>
The generic interrupt controller identifies an interrupt based on its
type whereas the GIC uses the notion of groups to identify an
interrupt.
This patch changes the name of the helper functions to use group
rather than type for handling interrupts. No functional change in this
patch.
Change-Id: If13ec65cc6c87c2da73a3d54b033f02635ff924a
Signed-off-by: Madhukar Pappireddy <madhukar.pappireddy@arm.com>
Express memory size with size_t type in structures.
Retrieve value as uint32_t from device tree and then cast it to size_t.
Combined with uintptr_t use, it ensures a generic algorithm whatever
the platform architecture, notably within systematic tests. Adapt also
their prototypes.
Move memory size print outside stm32mp_ddr_check_size() to adapt it to
related platform.
Signed-off-by: Nicolas Le Bayon <nicolas.le.bayon@st.com>
Change-Id: Ic6e1a62d7a5e23cef49909a658098c800e7dae3f
Add a header file listing the registers of Reset and Clock Control
peripheral.
Signed-off-by: Yann Gautier <yann.gautier@st.com>
Change-Id: Icc90132d5782eba7e343868b932a399c1d47c18a
The implementation of code changes manages the transmit FIFO (TxFIFO)
in the UART driver. The added code snippet includes a sequence of
instructions that ensures efficient handling of data transmission
and synchronization with the host software.
The code first checks the TxFIFO empty flag to determine whether
there is data available for transmission. If the TxFIFO is not empty,
the code waits until it becomes empty, ensuring that the transmit
operation is synchronized with the availability of data.
Subsequently, the code monitors the transmit operation's activity
status. It waits until the transmit operation becomes inactive,
indicating the completion of the previous transmission.
This synchronization step ensures that new data can be added to the
TxFIFO without causing any loss of transmission time.
Update console_flush() function, the function waits for the
Transmitter FIFO to empty and checks the transmitter's active state.
If the transmitter is in an active state, it means it is currently
shifting out a character.
Signed-off-by: Prasad Kummari <prasad.kummari@amd.com>
Change-Id: I9d6c05bdfb9270924b40bf1f6ecb5fe541a2242e
Pass "start_idx" to plat_scmi_clock_rates_array.
This parameter is required to obtain the rate table
a second time.
Signed-off-by: XiaoDong Huang <derrick.huang@rock-chips.com>
Change-Id: I97c6751e7d34c839ced8f22bddc39fb534978cc4
Changes have been made in NPU firmware version 13 around error handling
which require some different register values to be set in AUXCTLR and
SYSCTRL1.
SiP service version number has been bumped up to 15 to reflect these
changes.
Change-Id: I6cda0048dc75df2150f7a0fe25f12ba6bf119ced
Signed-off-by: Rob Hughes <robert.hughes@arm.com>
* changes:
feat(qemu): add dummy plat_mboot_measure_key() function
docs(rss): update RSS doc for signer-ID
feat(imx): add dummy 'plat_mboot_measure_key' function
feat(tc): implement platform function to measure and publish Public Key
feat(auth): measure and publicise the Public Key
feat(fvp): implement platform function to measure and publish Public Key
feat(fvp): add public key-OID information in RSS metadata structure
feat(auth): add explicit entries for key OIDs
feat(rss): set the signer-ID in the RSS metadata
feat(auth): create a zero-OID for Subject Public Key
docs: add details about plat_mboot_measure_key function
feat(measured-boot): introduce platform function to measure and publish Public Key
Calculate a hash of the public key and put that into the signer-ID
field of the relevant RSS metadata. The signer-ID metadata is mandatory
in the Arm CCA attestation scheme.
Change-Id: Ic846d8bf882cfea8581d3523a3461c919462df30
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
* changes:
feat(intel): platform enablement for Agilex5 SoC FPGA
feat(intel): ccu driver for Agilex5 SoC FPGA
feat(intel): vab support for Agilex5 SoC FPGA
feat(intel): sdmmc/nand/combo-phy/qspi driver for Agilex5 SoC FPGA
feat(intel): ddr driver for Agilex5 SoC FPGA
feat(intel): power manager for Agilex5 SoC FPGA
feat(intel): cold/warm reset and smp support for Agilex5 SoC FPGA
feat(intel): reset manager support for Agilex5 SoC FPGA
feat(intel): mailbox and SMC support for Agilex5 SoC FPGA
feat(intel): system manager support for Agilex5 SoC FPGA
feat(intel): memory controller support for Agilex5 SoC FPGA
feat(intel): clock manager support for Agilex5 SoC FPGA
feat(intel): mmc support for Agilex5 SoC FPGA
feat(intel): uart support for Agilex5 SoC FPGA
feat(intel): pinmux, peripheral and Handoff support for Agilex5 SoC FPGA
