Implement safer version of 'strnlen' function
to handle NULL terminated strings with additional
bound checking and secure version of string copy function
to support better security and avoid destination
buffer overflow.
Change-Id: I93916f003b192c1c6da6a4f78a627c8885db11d9
Signed-off-by: Jit Loon Lim <jit.loon.lim@altera.com>
Signed-off-by: Girisha Dengi <girisha.dengi@intel.com>
Clang's nullability completeness checks were triggered after adding
the _Nonnull specifier to one function. Removing it prevents Clang
from flagging atexit() for missing a nullability specifier.
include/lib/libc/stdlib.h:25:25: error: pointer is missing a
nullability type specifier (_Nonnull, _Nullable, or _Null_unspecified)
[-Werror,-Wnullability-completeness]
25 | extern int atexit(void (*func)(void));
This change ensures compliance with the C standard while preventing
unexpected build errors.
Change-Id: I2f881c55b36b692d22c3db22149c6402c32e8c3e
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
Align entire TF-A to use Arm in copyright header.
Change-Id: Ief9992169efdab61d0da6bd8c5180de7a4bc2244
Signed-off-by: Govindraj Raja <govindraj.raja@arm.com>
To support memcpy_s for better security purpose
to avoid overflowing the dest while copy from src.
Signed-off-by: Jit Loon Lim <jit.loon.lim@intel.com>
Change-Id: I63c3ea6a3e99c10d69be6bce04843c14b0a28a4d
Modern C compilers warn about unannotated switch/case fallthrough code,
and require either a comment with some magic words, or an explicit
compiler attribute.
Since some TF-A static analysis CI check suggests having a "fallthrough;"
statement instead of a comment, introduce a macro that implements that
statement, and emits the proper compiler attribute.
Change-Id: Ib34e615fb48d0f4a340aabfad4472e08d5c70248
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
SCHAR_MIN definition should use SCHAR_MAX, and not itself.
Signed-off-by: Yann Gautier <yann.gautier@st.com>
Change-Id: If8c1751a381dac50fe3ec5fdf19d6a4918470b58
This fix solves problems with using PRI*PTR on aarch64 like so:
error: format '%x' expects argument of type 'unsigned int', but
argument 3 has type 'uintptr_t' {aka 'long unsigned int'}
Change-Id: I135d3e5cea5459f138b20331b5e9472e2e9e566c
Signed-off-by: K <kayo@illumium.org>
- Removing platform dependencies from libc modules.
- Replacing panicking with actual error handling.
- Debug macros are included indirectly from assert.h. Removing
"platform_def.h" from assert.h and adding "common/debug.h"
where the macros are used.
- Removing hack for fixing PLAT_LOG_LEVEL_ASSERT to 40.
Instead removing assert with expression, as this
does not provide additional information.
Signed-off-by: Claus Pedersen <claustbp@google.com>
Change-Id: Icc201ea7b63c1277e423c1cfd13fd6816c2bc568
Use long instead of long long on aarch64 for 64_t stdint types.
Introduce inttypes.h to properly support printf format specifiers for
fixed width types for such change.
Change-Id: I0bca594687a996fde0a9702d7a383055b99f10a1
Signed-off-by: Scott Branden <scott.branden@broadcom.com>
Added support for HW computed CRC using Arm ACLE intrinsics.
These are built-in intrinsics available for ARMv8.1-A, and
onwards.
These intrinsics are enabled via '-march=armv8-a+crc' compile
switch for ARMv8-A (supports CRC instructions optionally).
HW CRC support is enabled unconditionally in BL2 for all Arm
platforms.
HW CRC calculation is verified offline to ensure a similar
result as its respective ZLib utility function.
HW CRC calculation support will be used in the upcoming
firmware update patches.
Change-Id: Ia2ae801f62d2003e89a9c3e6d77469b5312614b3
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
The Juno Trusted Entropy Source has a bias, which makes the generated
raw numbers fail a FIPS 140-2 statistic test.
To improve the quality of the numbers, we can use the CPU's CRC
instructions, which do a decent job on conditioning the bits.
This adds a *very* simple version of arm_acle.h, which is typically
provided by the compiler, and contains the CRC instrinsics definitions
we need. We need the original version by using -nostdinc.
Change-Id: I83d3e6902d6a1164aacd5060ac13a38f0057bd1a
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
From commit: 21571b1d140ae7bb44e94c0afba2ec61456b275b
The coding guidelines[1] in TF-A forbid the use of ato*() functions
in favour of strto*(). However, the TF-A libc does not provide an
implementation of strto*(), making this rule impossible to satisfy.
Also made small changes to fit into TF-A project. Added the source
files to the libc makefile
[1] https://trustedfirmware-a.readthedocs.io/en/latest/process/coding-guidelines.html#libc-functions-that-are-banned-or-to-be-used-with-caution
Change-Id: I2e94a0b227ec39f6f4530dc50bb477999d27730f
Signed-off-by: Madhukar Pappireddy <madhukar.pappireddy@arm.com>
From commit: 21571b1d140ae7bb44e94c0afba2ec61456b275b
The coding guidelines[1] in TF-A forbid the use of ato*() functions
in favour of strto*(). However, the TF-A libc does not provide an
implementation of strto*(), making this rule impossible to satisfy.
Also made small changes to fit into TF-A project. Added the source
files to the libc makefile
[1] https://trustedfirmware-a.readthedocs.io/en/latest/process/coding-guidelines.html#libc-functions-that-are-banned-or-to-be-used-with-caution
Change-Id: I9cb581574d46de73c3d6917ebf78935fc5ac075a
Signed-off-by: Madhukar Pappireddy <madhukar.pappireddy@arm.com>
From commit: 21571b1d140ae7bb44e94c0afba2ec61456b275b
The coding guidelines[1] in TF-A forbid the use of ato*() functions
in favour of strto*(). However, the TF-A libc does not provide an
implementation of strto*(), making this rule impossible to satisfy.
Also made small changes to fit into TF-A project. Added the source
files to the libc makefile
[1] https://trustedfirmware-a.readthedocs.io/en/latest/process/coding-guidelines.html#libc-functions-that-are-banned-or-to-be-used-with-caution
Change-Id: I8c3b92751d1ce226c966f7c81fedd83f0846865e
Signed-off-by: Madhukar Pappireddy <madhukar.pappireddy@arm.com>
From commit: 21571b1d140ae7bb44e94c0afba2ec61456b275b
The coding guidelines[1] in TF-A forbid the use of ato*() functions
in favour of strto*(). However, the TF-A libc does not provide an
implementation of strto*(), making this rule impossible to satisfy.
Also made small changes to fit into TF-A project. Added the source
files to the libc makefile
[1] https://trustedfirmware-a.readthedocs.io/en/latest/process/coding-guidelines.html#libc-functions-that-are-banned-or-to-be-used-with-caution
Change-Id: Ica95bf5da722913834fe90bf3fe743aa34e01e80
Signed-off-by: Madhukar Pappireddy <madhukar.pappireddy@arm.com>
From commit: 21571b1d140ae7bb44e94c0afba2ec61456b275b
Made small changes to fit into TF-A project
Change-Id: I991f653a7ace04f9c84bcda78ad8d7114ea18e93
Signed-off-by: Madhukar Pappireddy <madhukar.pappireddy@arm.com>
It uses the existing implementation of snprintf() function
Change-Id: Ie59418564c2e415222e819cf322c34e9a4d1f336
Signed-off-by: Madhukar Pappireddy <madhukar.pappireddy@arm.com>
From commit: 21571b1d140ae7bb44e94c0afba2ec61456b275b
Made small changes to fit into TF-A project
Change-Id: I07fd7fe1037857f6b299c35367c104fb51fa5cfa
Signed-off-by: Madhukar Pappireddy <madhukar.pappireddy@arm.com>
This patch redefines 'true' and 'false' definitions in
'include/lib/libc/stdbool.h' to fix defect reported by
MISRA C-2012 Rule 10.1
"The expression \"0\" of non-boolean essential type is
being interpreted as a boolean value for the operator \"? :\"."
Change-Id: Ie1b16e5826e5427cc272bd753e15d4d283e1ee4c
Signed-off-by: Alexei Fedorov <Alexei.Fedorov@arm.com>
SIZE_MAX was mistakenly redefined from UINT32_MAX to UINT64_MAX
on AArch32 when the arch-specific headers were merged.
This value is not currently used by upstream TF-A source code,
so no functionality should be affected.
Change-Id: I2acf7f8736423697c7377e8ed4b08843ced26e66
Signed-off-by: Bence Szépkúti <bence.szepkuti@arm.com>
This function scans a string backwards from the end for the first
instance of a character.
Change-Id: I46b21573ed25a0ff222eac340e1e1fb93b040763
Signed-off-by: Ambroise Vincent <ambroise.vincent@arm.com>
Consolidate the definition of size_t to one header per AArch, and
the definition of NULL to one header
Signed-off-by: Bence Szépkúti <bence.szepkuti@arm.com>
Change-Id: Iecfbad2cf360cfb705ce7aaa981700fd16219b82
As supporting architectures aside from AArch32 and AArch64 is not a
concern, keeping identical definitions in two places for a large part
of the libc seems counterproductive
The int128 types were left un-unified as __int128 is not supported by
gcc on AArch32
Signed-off-by: Bence Szépkúti <bence.szepkuti@arm.com>
Change-Id: Idf08e6fab7e4680d9da62d3c57266ea2d80472cf
Conceptually, these are supposed to be the largest integers
representable in C, but GCC and Clang define them as long long for
compatibility.
Signed-off-by: Bence Szépkúti <bence.szepkuti@arm.com>
Change-Id: I7c0117f3be167342814d260a371889120dcf6576
Sparse warns this:
lib/libc/assert.c:29:6: error: symbol '__assert' redeclared with different type (originally declared at include/lib/libc/assert.h:36) - different modifiers
Add __dead2 to match the header declaration and C definition.
I also changed '__dead2 void' to 'void __dead2' for the consistency
with other parts.
Change-Id: Iefa4f0e787c24fa7e7e499d2e7baf54d4deb49ef
Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
NOTE: __ASSEMBLY__ macro is now deprecated in favor of __ASSEMBLER__.
All common C compilers predefine a macro called __ASSEMBLER__ when
preprocessing a .S file. There is no reason for TF-A to define it's own
__ASSEMBLY__ macro for this purpose instead. To unify code with the
export headers (which use __ASSEMBLER__ to avoid one extra dependency),
let's deprecate __ASSEMBLY__ and switch the code base over to the
predefined standard.
Change-Id: Id7d0ec8cf330195da80499c68562b65cb5ab7417
Signed-off-by: Julius Werner <jwerner@chromium.org>
This patch adds 128-bit integer types int128_t and uint128_t
for "__int128" and "unsigned __int128" supported by GCC and
Clang for AArch64.
Change-Id: I0e646d026a5c12a09fd2c71dc502082052256a94
Signed-off-by: Alexei Fedorov <Alexei.Fedorov@arm.com>
Now that setjmp() and longjmp() are compliant with the standard they can
be moved with the other libc files.
Change-Id: Iea3b91c34eb353ace5e171e72f331602d57774d5
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Enforce full include path for includes. Deprecate old paths.
The following folders inside include/lib have been left unchanged:
- include/lib/cpus/${ARCH}
- include/lib/el3_runtime/${ARCH}
The reason for this change is that having a global namespace for
includes isn't a good idea. It defeats one of the advantages of having
folders and it introduces problems that are sometimes subtle (because
you may not know the header you are actually including if there are two
of them).
For example, this patch had to be created because two headers were
called the same way: e0ea0928d5 ("Fix gpio includes of mt8173 platform
to avoid collision."). More recently, this patch has had similar
problems: 46f9b2c3a2 ("drivers: add tzc380 support").
This problem was introduced in commit 4ecca33988 ("Move include and
source files to logical locations"). At that time, there weren't too
many headers so it wasn't a real issue. However, time has shown that
this creates problems.
Platforms that want to preserve the way they include headers may add the
removed paths to PLAT_INCLUDES, but this is discouraged.
Change-Id: I39dc53ed98f9e297a5966e723d1936d6ccf2fc8f
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
All identifiers, regardless of use, that start with two underscores are
reserved. This means they can't be used in header guards.
The style that this project is now to use the full name of the file in
capital letters followed by 'H'. For example, for a file called
"uart_example.h", the header guard is UART_EXAMPLE_H.
The exceptions are files that are imported from other projects:
- CryptoCell driver
- dt-bindings folders
- zlib headers
Change-Id: I50561bf6c88b491ec440d0c8385c74650f3c106e
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
This patch introduces a build flag "RECLAIM_INIT_CODE" to mark boot time
code which allows platforms to place this memory in an appropriate
section to be reclaimed later. This features is primarily targeted for
BL31. Appropriate documentation updates are also done.
Change-Id: If0ca062851614805d769c332c771083d46599194
Signed-off-by: Daniel Boulby <daniel.boulby@arm.com>
Change their names to printf and snprintf. They are much smaller than
the previous versions we had, which makes them better suited for the
Trusted Firmware.
Change-Id: Ia872af91b7b967c47fce012eccecede7873a3daf
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Only leave the parts relevant to the Trusted Firmware.
Change-Id: I0444c16e402f6c1629211d03bf6cb32ca3dbcf59
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Taken from http://git.simple-cc.org/scc/ from the following commit:
67508ad14af314cea2229783d3c084f28c41daf0
Permission has been granted from the author to use them under the
license BSD-3-Clause instead of ISC.
Change-Id: I65c0ce3ab60c49d34a57533af12a74bd7bde88e5
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Remove code specific to FreeBSD so that they can be used in this
repository.
Change-Id: I5c11eb5b3c05a7fb91aed08371a1f7a0e6122a94
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Remove all files that don't have only Arm copyright. This is the first
step to cleanup the C library in this repository. They will be re-added
in the following patches.
Change-Id: I72c40a1620d1df3228fc397ec695d569a20245fd
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
TF Makefile was linking all the objects files generated for the
c library instead of creating a static library that could be
used in the linking stage.
Change-Id: I721daea097e9b13cbb42c9f8eaa2af8fea0799cf
Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
