Neoverse-V1 erratum 2372203 is a cat B erratum that applies to revisions
r0p0 - r1p1 and is still open. The workaround is to set bit[40] of
CPUACTLR2_EL1 to disable folding of demand requests into older
prefetches with L2 miss requests outstanding.
SDEN can be found here:
https://developer.arm.com/documentation/SDEN1401781/latest
Signed-off-by: Bipin Ravi <bipin.ravi@arm.com>
Change-Id: Ice8c2e5a0152972a35219c8245a2e07e646d0557
If the interrupt being targeted is released from the CPU before the
CLEAR command is sent to the CPU then a subsequent SET command may not
be delivered in a finite time. To workaround this, issue an unblocking
event by toggling GICR_CTLR.DPG* bits after clearing the cpu group
enable (EnableGrp* bits of GIC CPU interface register)
This fix is implemented as per the errata 2384374-part 2 workaround
mentioned here:
https://developer.arm.com/documentation/sden892601/latest/
Change-Id: I13926ceeb7740fa4c05cc5b43170e7ce49598f70
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
Neoverse-V1 erratum 2294912 is a cat B erratum that applies to revisions
r0p0 - r1p1 and is still open. The workaround is to set bit[0] of
CPUACTLR2_EL1 to force PLDW/PFRM ST to behave like PLD/PRFM LD and not
cause invalidations to other PE caches.
SDEN can be found here:
https://developer.arm.com/documentation/SDEN1401781/latest
Signed-off-by: Bipin Ravi <bipin.ravi@arm.com>
Change-Id: Ia7afb4c42fe66b36fdf38a7d4281a0d168f68354
The link to commitlintrc.js file in the v2.7 changelog
is updated.
Change-Id: I24ee736180d8df72b2d831e110a9a3a80a6d9862
Signed-off-by: Jayanth Dodderi Chidanand <jayanthdodderi.chidanand@arm.com>
This change adds "FEAT_TRBE" to be part of feature detection mechanism.
Previously feature enablement flags were of boolean type, containing
either 0 or 1. With the introduction of feature detection procedure
we now support three states for feature enablement build flags(0 to 2).
Accordingly, "ENABLE_TRBE_FOR_NS" flag is now modified from boolean
to numeric type to align with the feature detection.
Change-Id: I53d3bc8dc2f6eac63feef22dfd627f3a48480afc
Signed-off-by: Jayanth Dodderi Chidanand <jayanthdodderi.chidanand@arm.com>
This change adds "FEAT_BRBE" to be part of feature detection mechanism.
Previously feature enablement flags were of boolean type, possessing
either 0 or 1. With the introduction of feature detection procedure
we now support three states for feature enablement build flags(0 to 2).
Accordingly, "ENABLE_BRBE_FOR_NS" flag is now modified from boolean
to numeric type to align with the feature detection.
Signed-off-by: Jayanth Dodderi Chidanand <jayanthdodderi.chidanand@arm.com>
Change-Id: I1eb52863b4afb10b808e2f0b6584a8a210d0f38c
- Add security state attribute to memory and device regions.
- Rename device region reg attribution to base-address aligned with
memory regions.
- Add pages-count field to device regions.
- Refresh interrupt attributes description in device regions.
Signed-off-by: Olivier Deprez <olivier.deprez@arm.com>
Change-Id: I901f48d410edb8b10f65bb35398b80f18105e427
- Cite crash reports as an example of sensitive
information. Previously, it might have sounded like this was the
focus of the threat.
- Warn about logging high-precision timing information, as well as
conditionally logging (potentially nonsensitive) information
depending on sensitive information.
Change-Id: I33232dcb1e4b5c81efd4cd621b24ab5ac7b58685
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
For each threat, we now separate:
- how to mitigate against it;
- whether TF-A currently implements these mitigations.
A new "Mitigations implemented?" box is added to each threat to
provide the implementation status. For threats that are partially
mitigated from platform code, the original text is improved to make
these expectations clearer. The hope is that platform integrators will
have an easier time identifying what they need to carefully implement
in order to follow the security recommendations from the threat model.
Change-Id: I8473d75946daf6c91a0e15e61758c183603e195b
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
Updated following sections to document implementation of the FF-A boot
information protocol:
- Describing secure partitions.
- Secure Partition Packages.
- Passing boot data to the SP.
Also updated description of the manifest field 'gp-register-num'.
Signed-off-by: J-Alves <joao.alves@arm.com>
Change-Id: I5c856437b60cdf05566dd636a01207c9b9f42e61
GCC 11 and Clang 14 now use the DWARF 5 standard by default however
Arm-DS currently only supports up to version 4. Therefore, for debug
builds, ensure the DWARF 4 standard is used.
Also update references for Arm DS-5 to it's successor Arm-DS (Arm
Development Studio).
Change-Id: Ica59588de3d121c1b795b3699f42c31f032cee49
Signed-off-by: Daniel Boulby <daniel.boulby@arm.com>
* changes:
build(changelog): add new scope for Arm SMMU driver
feat(smmu): add SMMU abort transaction function
docs(build): add build option for DRTM support
build(drtm): add DRTM support build option
* changes:
docs(threat-model): remove some redundant text in threat #08
docs(threat-model): make experimental features out of scope
docs(threat-model): cosmetic changes
Add an explicit note that measured boot is out of scope of the threat
model. For example, we have no threat related to the secure
management of measurements, nor do we list its security benefits
(e.g. in terms of repudiation).
This might be a future improvement to the threat model but for now
just acknowledge it is not considered.
Change-Id: I2fb799a2ef0951aa681a755a948bd2b67415d156
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
Update supported models list according to changes for v2.7 release in
ci/tf-a-ci-scripts repository:
* general FVP model update: 5c54251
* CSS model update: 3bd12fb
Signed-off-by: Maksims Svecovs <maksims.svecovs@arm.com>
Change-Id: I38c2ef2991b23873821c7e34ad2900b9ad023c4b
John Powell is no longer part of the TF-A core team at Arm.
Change-Id: Iaa91474cb2c5c334b9ae6f2376724fad2677e285
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
Jimmy Brisson is no longer part of the TF-A core team at Arm.
Change-Id: I2966c513a0c2cda438a05dedd42149d16190cbf6
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
The threat description was repeating the threat title.
Change-Id: I67de2c0aab6e86bf33eb91e7562e075fcb76259b
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
Reword the description of threat #9 to make it more future-proof for
Arm CCA. By avoiding specific references to secure or non-secure
contexts, in favour of "worlds" and "security contexts", we make the
description equally applicable to 2-world and 4-world architectures.
Note that there are other threats that would benefit from such a
similar revamp but this is out of scope of this patch.
Also list malicious secure world code as a potential threat
agent. This seems to be an oversight in the first version of the
threat model (i.e. this change is not related to Arm CCA).
Change-Id: Id8c8424b0a801104c4f3dc70e344ee702d2b259a
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
By nature, experimental features are incomplete pieces of work,
sometimes going under rapid change. Typically, the threat model
implications have not been fully considered yet.
Change-Id: Ice8d4273a789558e912f82cde592da4747b37fdf
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
- Add empty lines after titles.
- Reduce number of highlighting characters to fit title length.
- Remove most ``monospaced text``.
I think most of it looked weird in the rendered HTML version and
it had no obvious meaning.
Change-Id: I5f746a3de035d8ac59eec0af491c187bfe86dad7
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
Host tools cert_tool and encrypt_fw refactored to be fully
compatible with OpenSSL v3.0.
Changes were made following the OpenSSL 3.0 migration guide:
https://www.openssl.org/docs/man3.0/man7/migration_guide.html
In some cases, those changes are straightforward and only
a small modification on the types or API calls was needed
(e.g.: replacing BN_pseudo_rand() with BN_rand(). Both identical
since v1.1.0).
The use of low level APIs is now deprecated. In some cases,
the new API provides a simplified solution for our goals and
therefore the code was simplified accordingly (e.g.: generating
RSA keys through EVP_RSA_gen() without the need of handling the
exponent). However, in some cases, a more
sophisticated approach was necessary, as the use of a context
object was required (e.g.: when retrieving the digest value from
an SHA file).
Signed-off-by: Juan Pablo Conde <juanpablo.conde@arm.com>
Change-Id: I978e8578fe7ab3e71307450ebe7e7812fbcaedb6
* changes:
feat(spmd): allow forwarding of FFA_FRAG_RX/TX calls
feat(spmc): add support for FFA_SPM_ID_GET
feat(spmc): add support for forwarding a secure interrupt to the SP
feat(spmc): add support for FF-A power mgmt. messages in the EL3 SPMC
This patch adds support for forwarding the following PSCI messages
received by the SPMC at EL3 to the S-EL1 SP if the SP has indicated
that it wishes to receive the appropriate message via its manifest.
1. A PSCI CPU_OFF message in response to a cpu hot unplug request
from the OS.
2. A message to indicate warm boot of a cpu in response to a cpu
hot plug request from the OS.
3. A PSCI CPU_SUSPEND message in response to a cpu idle event
initiated from the OS.
4. A message to indicate warm boot of a cpu from a shallow power
state in response to a cpu resume power event.
This patch also implements the FFA_SECONDARY_EP_REGISTER function to
enable the SP specify its secondary entrypoint.
Signed-off-by: Achin Gupta <achin.gupta@arm.com>
Signed-off-by: Marc Bonnici <marc.bonnici@arm.com>
Change-Id: I375d0655b2c6fc27445facc39213d1d0678557f4
Adding Sandrine Bailleux for the PSA APIs and myself for the
MHU and RSS comms drivers as code owner.
Change-Id: Ib948479cc6e46163aae59c938877a2d0bcf91754
Signed-off-by: David Vincze <david.vincze@arm.com>
DSU-110 erratum 2313941 is a Cat B erratum and applies to revisions
r0p0, r1p0, r2p0, r2p1, r3p0, r3p1 and is still open.
The workaround sets IMP_CLUSTERACTLR_EL1[16:15] bits to 0b11 to disable
clock gating of the SCLK domain. This will increase the idle power
consumption.
This patch applies the fix for Cortex-X2/A510/A710 and Neoverse N2.
SDEN can be found here:
https://developer.arm.com/documentation/SDEN1781796/latest
Signed-off-by: Bipin Ravi <bipin.ravi@arm.com>
Change-Id: I54d948b23e8e01aaf1898ed9fe4e2255dd209318
Signed-off-by: Bipin Ravi <bipin.ravi@arm.com>
Introduce PLAT_RSS_NOT_SUPPORTED build config to
provide a mocked version of PSA APIs. The goal is
to test the RSS backend based measured boot and
attestation token request integration on such
a platform (AEM FVP) where RSS is otherwise
unsupported. The mocked PSA API version does
not send a request to the RSS, it only returns
with success and hard-coded values.
Signed-off-by: Tamas Ban <tamas.ban@arm.com>
Change-Id: Ice8d174adf828c1df08fc589f0e17abd1e382a4d
This patch adds workarounds for following cortex-x1 errata:
- 1821534 (CatB)
- 1688305 (CatB)
- 1827429 (CatB)
SDEN can be found here:
https://developer.arm.com/documentation/SDEN1401782/latest
Signed-off-by: Okash Khawaja <okash@google.com>
Change-Id: I10ebe8d5c56a6d273820bb2c682f21bf98daa7a5
Renamed the existing SPM entry to the SPMD and add myself
as the SPMC maintainer.
Signed-off-by: Marc Bonnici <marc.bonnici@arm.com>
Change-Id: Ic74659b119986df5fc229a4470049d289eeef21a
Cortex-A78 erratum 2395406 is a cat B erratum that applies to revisions
r0p0 - r1p2 and is still open. The workaround is to set bit[40] of
CPUACTLR2 which will disable folding of demand requests into older
prefetches with L2 miss requests outstanding.
SDEN can be found here:
https://developer.arm.com/documentation/SDEN1401784
Signed-off-by: John Powell <john.powell@arm.com>
Change-Id: If06f988f05f925c2a4bed3e6a9414b6acdfec894
Cortex-A710 erratum 2008768 is a Cat B erratum that applies to revisions
r0p0, r1p0, and r2p0, and is fixed in r2p1. The workaround is to clear
the ED bit in each ERXCTLR_EL1 register before setting the PWRDN bit in
CPUPWRCTLR_EL1.
SDEN can be found here:
https://developer.arm.com/documentation/SDEN1775101
Signed-off-by: John Powell <john.powell@arm.com>
Change-Id: Ib2171c06da762dd4155b02c03d86766f1616381d
Cortex-A78 erratum 2376745 is a cat B erratum that applies to revisions
r0p0 - r1p2 and is still open. The workaround is to set bit[0] of
CPUACTLR2 which will force PLDW/PFRM ST to behave like PLD/PRFM LD and
not cause invalidation to other PE caches.
SDEN can be found here:
https://developer.arm.com/documentation/SDEN1401784
Signed-off-by: John Powell <john.powell@arm.com>
Change-Id: I6f1a3a7d613c5ed182a7028f912e0f6ae3aa7f98
