Varun Wadekar [Tue, 19 May 2015 11:18:04 +0000 (16:48 +0530)]
Support for NVIDIA's Tegra T210 SoCs
T210 is the latest chip in the Tegra family of SoCs from NVIDIA. It is an
ARM v8 dual-cluster (A57/A53) SoC, with any one of the clusters being active
at a given point in time.
This patch adds support to boot the Trusted Firmware on T210 SoCs. The patch
also adds support to boot secondary CPUs, enter/exit core power states for
all CPUs in the slow/fast clusters. The support to switch between clusters
is still not available in this patch and would be available later.
Juan Castillo [Thu, 16 Apr 2015 13:17:49 +0000 (14:17 +0100)]
FVP: update device tree idle state entries
Device tree idle state bindings changed in kernel v3.18. This patch
updates the FVP DT files to use PSCI suspend as idle state.
The patch also updates the 'compatible' property in the PSCI node
and the 'entry-method' property in the idle-states node in the FVP
Foundation GICv2-legacy device tree.
There has been a breaking change in the communication protocols used
between the AP cores and the SCP on CSS based platforms like Juno.
This means both the AP Trusted Firmware and SCP firmware must be
updated at the same time.
In case the user forgets to update the SCP ROM firmware, this patch
detects when it still uses the previous version of the communication
protocol. It will then output a comprehensive error message that helps
trouble-shoot the issue.
The communication protocol used between the AP cores and the SCP
in CSS-based platforms like Juno has undergone a number of changes.
This patch makes the required modifications to the SCP Boot Protocol,
SCPI Protocol and MHU driver code in shared CSS platform code so that
the AP cores are still able to communicate with the SCP.
This patch focuses on the mandatory changes to make it work. The
design of this code needs to be improved but this will come in
a subsequent patch.
The main changes are:
- MHU communication protocol
- The command ID and payload size are no longer written into the
MHU registers directly. Instead, they are stored in the payload
area. The MHU registers are now used only as a doorbell to kick
off messages. Same goes for any command result, the AP has to
pick it up from the payload area.
- SCP Boot Protocol
- The BL3-0 image is now expected to embed a checksum. This
checksum must be passed to the SCP, which uses it to check the
integrity of the image it received.
- The BL3-0 image used to be transferred a block (4KB)
at a time. The SCP now supports receiving up to 128KB at a
time, which is more than the size of the BL3-0 image.
Therefore, the image is now sent in one go.
- The command IDs have changed.
- SCPI Protocol
- The size of the SCPI payload has been reduced down from 512
bytes to 256 bytes. This changes the base address of the
AP-to-SCP payload area.
- For commands that have a response, the response is the same SCPI
header that was sent, except for the size and the status, which
both must be updated appropriately. Success/Failure of a command
is determined by looking at the updated status code.
- Some command IDs have changed.
NOTE: THIS PATCH BREAKS COMPATIBILITY WITH FORMER VERSIONS OF THE SCP
FIRMWARE AND THUS REQUIRES AN UPDATE OF THIS BINARY. THE LATEST SCP
BINARY CAN BE OBTAINED FROM THE ARM CONNECTED COMMUNITY WEBSITE.
Dan Handley [Mon, 27 Apr 2015 18:34:53 +0000 (19:34 +0100)]
Move Juno port to plat/arm/board/juno
Move the Juno port from plat/juno to plat/arm/board/juno. Also rename
some of the files so they are consistently prefixed with juno_.
Update the platform makefiles accordingly.
Dan Handley [Thu, 19 Mar 2015 19:22:44 +0000 (19:22 +0000)]
Migrate Juno port to use common code
Major update to the Juno platform port to use the common platform code
in (include/)plat/arm/* and (include/)plat/common/*. This mainly
consists of removing duplicated code but also introduces some small
behavioural changes where there was unnecessary variation between the
FVP and Juno ports. See earlier commit titled `Add common ARM and CSS
platform code` for details.
Also move the ARM SoC specific security setup (i.e. NIC-400 and PCIe
initialization) from BL1 to `plat_arm_security_setup()` in BL2,
where the other security setup is done.
Dan Handley [Mon, 27 Apr 2015 18:17:18 +0000 (19:17 +0100)]
Move FVP port to plat/arm/board/fvp
Move the FVP port from plat/fvp to plat/arm/board/fvp. Also rename
some of the files so they are consistently prefixed with fvp_.
Update the platform makefiles accordingly.
Dan Handley [Thu, 19 Mar 2015 19:17:53 +0000 (19:17 +0000)]
Migrate FVP port to use common code
Major update to the FVP platform port to use the common platform code
in (include/)plat/arm/* and (include/)plat/common/*. This mainly
consists of removing duplicated code but also introduces some small
behavioural changes where there was unnecessary variation between the
FVP and Juno ports. See earlier commit titled `Add common ARM and CSS
platform code` for details.
Also add support for Foundation FVP version 9.1 during FVP config
setup to prevent a warning being emitted in the console.
Dan Handley [Thu, 19 Mar 2015 18:58:55 +0000 (18:58 +0000)]
Add common ARM and CSS platform code
This major change pulls out the common functionality from the
FVP and Juno platform ports into the following categories:
* (include/)plat/common. Common platform porting functionality that
typically may be used by all platforms.
* (include/)plat/arm/common. Common platform porting functionality
that may be used by all ARM standard platforms. This includes all
ARM development platforms like FVP and Juno but may also include
non-ARM-owned platforms.
* (include/)plat/arm/board/common. Common platform porting
functionality for ARM development platforms at the board
(off SoC) level.
* (include/)plat/arm/css/common. Common platform porting
functionality at the ARM Compute SubSystem (CSS) level. Juno
is an example of a CSS-based platform.
* (include/)plat/arm/soc/common. Common platform porting
functionality at the ARM SoC level, which is not already defined
at the ARM CSS level.
No guarantees are made about the backward compatibility of
functionality provided in (include/)plat/arm.
Also remove any unnecessary variation between the ARM development
platform ports, including:
* Unify the way BL2 passes `bl31_params_t` to BL3-1. Use the
Juno implementation, which copies the information from BL2 memory
instead of expecting it to persist in shared memory.
* Unify the TZC configuration. There is no need to add a region
for SCP in Juno; it's enough to simply not allow any access to
this reserved region. Also set region 0 to provide no access by
default instead of assuming this is the case.
* Unify the number of memory map regions required for ARM
development platforms, although the actual ranges mapped for each
platform may be different. For the FVP port, this reduces the
mapped peripheral address space.
These latter changes will only be observed when the platform ports
are migrated to use the new common platform code in subsequent
patches.
Dan Handley [Mon, 27 Apr 2015 10:49:22 +0000 (11:49 +0100)]
Add linker symbol declarations to bl_common.h
Add extern declarations of linker symbols to bl_common.h. These are
used by platform ports to determine the memory layout of BL images.
Adding the declarations to this file facilitates removal of these
declarations from the platform porting source files in subsequent
patches.
Also remove the linker symbol declarations from common TSP source
code.
Dan Handley [Fri, 27 Mar 2015 17:44:35 +0000 (17:44 +0000)]
Allow deeper platform port directory structure
Update the top level makefile to allow platform ports to exist in
subdirectories at any level instead of one level under `plat/`. The
makefile recursively searches for all files called `platform.mk` in
all subdirectories of `plat/`. The directory containing
`platform.mk` is the platform name. Platform names must be unique
across the codebase.
Replace usage of HELP_PLATFORMS in the Makefile with PLATFORMS since
these are both used to report the same information back to the user.
Update the TSP and cert_create tool makefiles in a similar way
to support a deeper platform port directory structure.
Also add PLAT_<plat_name> as a define passed through the top level
makefile to the source files, to allow build time variation in common
platform code.
Dan Handley [Wed, 1 Apr 2015 15:51:20 +0000 (16:51 +0100)]
Separate out common console functionality
Separate out the common console functionality in
`drivers/arm/pl011/pl011_console.S` into a new source file
`drivers/console/console.S`. The former includes the latter to
provide backwards compatibility for platform make files.
Also add a skeleton console implementation for platforms that do not
want to use PL011.
Dan Handley [Wed, 1 Apr 2015 16:34:24 +0000 (17:34 +0100)]
Add header guards to asm macro files
Some assembly files containing macros are included like header files
into other assembly files. This will cause assembler errors if they
are included multiple times.
Add header guards to assembly macro files to avoid assembler errors.
Dan Handley [Mon, 30 Mar 2015 16:15:16 +0000 (17:15 +0100)]
Remove use of PLATFORM_CACHE_LINE_SIZE
The required platform constant PLATFORM_CACHE_LINE_SIZE is
unnecessary since CACHE_WRITEBACK_GRANULE effectively provides the
same information. CACHE_WRITEBACK_GRANULE is preferred since this
is an architecturally defined term and allows comparison with the
corresponding hardware register value.
Replace all usage of PLATFORM_CACHE_LINE_SIZE with
CACHE_WRITEBACK_GRANULE.
Also, add a runtime assert in BL1 to check that the provided
CACHE_WRITEBACK_GRANULE matches the value provided in CTR_EL0.
Dan Handley [Thu, 19 Mar 2015 19:26:52 +0000 (19:26 +0000)]
Add TZC function to configure region 0
Region 0 is special in TZC-400. It is possible to set the access
permissions for this but not the address range or filters to which
the permissions apply. Add a function for setting the region 0
access permissions.
Also add some VERBOSE logging and allow assembly files to include
the TZC header.
This patch fixes an issue in the cpu specific register reporting
of FVP AEM model whereby crash reporting itself triggers an exception
thus resulting in recursive crash prints. The input to the
'size_controlled_print' in the crash reporting framework should
be a NULL terminated string. As there were no cpu specific register
to be reported on FVP AEM model, the issue was caused by passing 0
instead of NULL terminated string to the above mentioned function.
Pass arguments/results between EL3/S-EL1 via CPU registers (x0-x7)
This patch removes the need for a shared buffer between the EL3 and S-EL1
levels. We now use the CPU registers, x0-x7, while passing data between
the two levels. Since TLK is a 32-bit Trusted OS, tlkd has to unpack the
arguments in the x0-x7 registers. TLK in turn gets these values via r0-r7.
Remove the ARCH build configuration from the Makefile
The ARCH variable, which defaults to 'aarch64', gives the wrong
impression that the Trusted Firmware can be built for other
architectures. This patch removes it. This doesn't have any
consequence on the rest of the build system because the variable
was unused.
The return value of bl2_plat_handle_bl30() used to be ignored.
This patch modifies the function load_bl30() so that it now
checks this return value and returns it to bl2_main().
This patch also unifies the error handling code across the
load_blx() functions so that they return a status code in all
cases and bl2_main() has the sole responsibility of panicking
if appropriate.
Kévin Petit [Tue, 24 Mar 2015 14:03:57 +0000 (14:03 +0000)]
Add support to indicate size and end of assembly functions
In order for the symbol table in the ELF file to contain the size of
functions written in assembly, it is necessary to report it to the
assembler using the .size directive.
To fulfil the above requirements, this patch introduces an 'endfunc'
macro which contains the .endfunc and .size directives. It also adds
a .func directive to the 'func' assembler macro.
The .func/.endfunc have been used so the assembler can fail if
endfunc is omitted.
Fixes ARM-Software/tf-issues#295
Change-Id: If8cb331b03d7f38fe7e3694d4de26f1075b278fc Signed-off-by: Kévin Petit <kevin.petit@arm.com>
Varun Wadekar [Fri, 13 Mar 2015 09:48:20 +0000 (15:18 +0530)]
Open/Close TA sessions, send commands/events to TAs
This patch adds support to open/close secure sessions with Trusted
Apps and later send commands/events. Modify TLK_NUM_FID to indicate
the total number of FIDs available to the NS world.
Varun Wadekar [Fri, 13 Mar 2015 09:40:54 +0000 (15:10 +0530)]
Preempt/Resume standard function ID calls
This patch allows servicing of the non-secure world IRQs when the
CPU is in the secure world. Once the interrupt is handled, the
non-secure world issues the Resume FID to allow the secure payload
complete the preempted standard FID.
Varun Wadekar [Fri, 13 Mar 2015 09:29:03 +0000 (14:59 +0530)]
Translate secure/non-secure virtual addresses
This patch adds functionality to translate virtual addresses from
secure or non-secure worlds. This functionality helps Trusted Apps
to share virtual addresses directly and allows the NS world to
pass virtual addresses to TLK directly.
Varun Wadekar [Fri, 13 Mar 2015 08:49:11 +0000 (14:19 +0530)]
Register NS shared memory for SP's activity logs and TA sessions
This patch registers NS memory buffer with the secure payload using
two different functions IDs - REGISTER_LOGBUF, REGISTER_REQBUF.
a. The SP uses the log-buffer to store its activity logs, in a
pre-decided format. This helps in debugging secure payload's issues.
b. The SP uses the req-buffer to get the parameters required by
sessions with Trusted Applications.
Soby Mathew [Fri, 20 Feb 2015 16:04:17 +0000 (16:04 +0000)]
Remove the `owner` field in bakery_lock_t data structure
This patch removes the `owner` field in bakery_lock_t structure which
is the data structure used in the bakery lock implementation that uses
coherent memory. The assertions to protect against recursive lock
acquisition were based on the 'owner' field. They are now done based
on the bakery lock ticket number. These assertions are also added
to the bakery lock implementation that uses normal memory as well.
Soby Mathew [Thu, 19 Feb 2015 16:23:51 +0000 (16:23 +0000)]
Optimize the bakery lock structure for coherent memory
This patch optimizes the data structure used with the bakery lock
implementation for coherent memory to save memory and minimize memory
accesses. These optimizations were already part of the bakery lock
implementation for normal memory and this patch now implements
it for the coherent memory implementation as well. Also
included in the patch is a cleanup to use the do-while loop while
waiting for other contenders to finish choosing their tickets.
The shell command used to list all files but the libc's ones
introduced in commit 95d5353c33 was incorrect. It was listing
subdirectories without referencing their parent directories.
This patch fixes it.
Also, the command used to invoke the checkpatch.pl script is now
printed when V=1.
Add support for Juno r1 in the platform reset handler
For Juno r0, the platform reset handler needs to:
- Implement the workaround for defect #831273
- Increase the L2 Data and Tag RAM latencies for Cortex-A57.
Defect #831273 does not affect Juno r1. Also, the default value
for the L2 Tag RAM latency for Cortex-A57 is suitable on Juno r1.
The L2 Data RAM latency for Cortex-A57 still needs to be
increased, though.
This patch modifies the Juno platform reset handler to detect
the board revision and skip the unnecessary steps on Juno r1.
The behaviour on Juno r0 is unchanged.
Achin Gupta [Mon, 9 Mar 2015 21:54:40 +0000 (21:54 +0000)]
Set group status of PPIs and SGIs correctly on GICv3 systems
On a GICv2 system, the group status of PPIs and SGIs is set in the GICD_IGROUPR0
register. On a GICv3 system, if affinity routing is enabled for the non-secure
state, then the group status of PPIs and SGIs should be set in the GICR_IGROUPR0
register. ARM Trusted firmware sets the group status using the GICv2
sequence. On a GICv3 system, if the group status of an interrupt is set to Group
1 through a write to the GICD_IGROUPR0, then the GICR_IGROUPR0 is updated as
well.
The current sequence is incorrect since it first marks all PPIs and SGIs as
Group 1. It then clears the bits in GICD_IGROUPR0 corresponding to secure
interrupts to set their group status to Group 0. This operation is a no-op. It
leaves the secure generic timer interrupt (#29) used by the TSP marked as Group
1. This causes the interrupt to interfere with the execution of non-secure
software. Once an interrupt has been marked as Group 1, the GICR_IGROUPR0 should
be programmed to change its group status.
This patch rectifies this issue by setting the group status of only the
non-secure PPI and SGIs to Group 1 in the first place. GICD_IGROUPR0 resets to
0. So secure interrupts are marked as Group 0 by default.
Vikram Kanigiri [Tue, 23 Dec 2014 01:00:22 +0000 (01:00 +0000)]
Common driver for ARM Cache Coherent Interconnects
Even though both CCI-400 and CCI-500 IPs have different configurations
with respect to the number and types of supported interfaces, their
register offsets and programming sequences are similar. This patch
creates a common driver for enabling and disabling snoop transactions
and DVMs with both the IPs.
New platform ports which implement one of these IPs should use this
common driver. Existing platform ports which implement CCI-400 should
migrate to the common driver as the standalone CCI-400 will be
deprecated in the future.
Vikram Kanigiri [Thu, 29 Jan 2015 18:27:38 +0000 (18:27 +0000)]
Initialise cpu ops after enabling data cache
The cpu-ops pointer was initialized before enabling the data cache in the cold
and warm boot paths. This required a DCIVAC cache maintenance operation to
invalidate any stale cache lines resident in other cpus.
This patch moves this initialization to the bl31_arch_setup() function
which is always called after the data cache and MMU has been enabled.
This change removes the need:
1. for the DCIVAC cache maintenance operation.
2. to initialise the CPU ops upon resumption from a PSCI CPU_SUSPEND
call since memory contents are always preserved in this case.
Juan Castillo [Wed, 11 Mar 2015 14:21:53 +0000 (14:21 +0000)]
checkpatch: ignore GIT_COMMIT_ID
By default, the checkpatch script requires that commit references
included in commit messages follow a predefined format. Github
merge commits do not follow this convention, causing the code
style test to fail when a new pull request is created.
This patch adds the ignore GIT_COMMIT_ID option to the checkpatch
parameters. This flag indicates the tool to ignore the commit
message format.
Juan Castillo [Tue, 10 Mar 2015 12:17:21 +0000 (12:17 +0000)]
TBB: remove PolarSSL SHA1 functions from the binary
Commit ea4ec3aad5e1 ("TBB: use SHA256 to generate the certificate
signatures") updated the cert_create tool to generate the
signatures using SHA256 instead of SHA1. Therefore, SHA1 is no
longer required.
This patch removes the SHA1 option from the PolarSSL configuration
file. The source file sha1.c is no longer needed and has been
excluded from the build. The SHA1 functions are no longer included
in the binary, reducing the memory footprint of BL1 and BL2 by
approximately 6 KB.
User guide: Add dependency on libssl-dev for cert_create tool
The 'libssl-dev' package must be installed on the host to build the
certificate generation tool. This patch adds it to the list of
required tools in the User Guide.
The message printed by 'make help' is incomplete. It doesn't
mention all relevant supported targets. This patch updates it.
The format of the first line of the help message has been changed
so that it no longer lists all supported targets. This eases the
maintenance as we don't need to update the list in 2 places
anymore whenever a new target is added.
Also add a reference to the user guide to get the list of
supported options.
Enable type-checking of arguments passed to printf() et al.
This patch modifies the declarations of the functions printf() et al.
and adds the right GCC attribute to request the compiler to check
the type of the arguments passed to these functions against the given
format string. This will ensure that the compiler outputs warning
messages like the following whenever it detects an inconsistency:
file.c:42: warning: format ‘%d’ expects type ‘int’, but argument 3 has type ‘long int’
It also fixes the type mismatch inconsistencies that it revealed
across the code base.
NOTE: THIS PATCH MAY FORCE PLATFORM PORTS OR SP/SPDS THAT USE THE
PRINTF FAMILY OF FUNCTIONS TO FIX ANY TYPE MISMATCH INCONSISTENCIES.
Juan Castillo [Mon, 16 Feb 2015 10:34:28 +0000 (10:34 +0000)]
TBB: use SHA256 to generate the certificate signatures
This patch replaces SHA1 by SHA256 in the 'cert_create' tool, so
certificate signatures are generated according to the NSA Suite B
cryptographic algorithm requirements.
Juan Castillo [Mon, 2 Mar 2015 16:16:13 +0000 (16:16 +0000)]
TBB: fix build target 'all' dependency on certificates
Build target 'all' fails when GENERATE_COT=1 and no BL3-3 or
BL3-0 (if required) images are specified. The reason is that,
when GENERATE_COT=1, a dependency on the certificates is added
to the target 'all', and the certificates depend on the BL3-3
and BL3-0 images, causing the build process to fail if the
images are not specified.
This patch moves the dependency on the certificates from 'all' to
'fip'. Target 'all' may be used to build the individual images.
The certificates will be created by calling the target 'fip', where
BL3-3 and BL3-0 (if required) must be specified.
All coding style violations have been fixed in a previous patch and
since then, each individual patch has been checked in this regard.
However, the latest version of the checkpatch.pl script from the Linux
kernel is more advanced and it is able to flag new errors in the
Trusted Firmware codebase. This patch fixes them.
The C library source files embedded into the Trusted Firmware
tree are not required to comply to the Linux Coding Style.
Unfortunately, 'make checkpatch' does take them into account.
This patch modifies the Makefile so that the C library source
and header files are now ignored by 'make checkpatch'.
It also instructs the checkpatch.pl script to not treat the
presence of a 'Change-Id' line in the commit message as an error.
Robin Murphy [Fri, 9 Jan 2015 14:30:58 +0000 (14:30 +0000)]
Juno: clear DMA-330 SMMU security state
By default the SMMU for the DMA-330 is configured to mark some stream IDs
as always belonging to the Secure world. As a result, if EL1 software turns
the SMMU on, certain Non-Secure accesses get rewritten as Secure, making
them bypass translation and access Secure physical addresses directly.
Since the current Juno board firmware configures the DMA-330 hardware as
Non-Secure, rewrite the SMMU's default SSD table as well to prevent any
unexpected behaviour in EL1.
Soby Mathew [Thu, 12 Feb 2015 14:45:02 +0000 (14:45 +0000)]
Export maximum affinity using PLATFORM_MAX_AFFLVL macro
This patch removes the plat_get_max_afflvl() platform API
and instead replaces it with a platform macro PLATFORM_MAX_AFFLVL.
This is done because the maximum affinity level for a platform
is a static value and it is more efficient for it to be defined
as a platform macro.
NOTE: PLATFORM PORTS NEED TO BE UPDATED ON MERGE OF THIS COMMIT
Achin Gupta [Wed, 4 Feb 2015 14:29:32 +0000 (14:29 +0000)]
Fix model command line for legacy VE memory map
The command line options specified in the User Guide to run the AEMv8 Base FVP
with the legacy VE memory map apply only when the model is configured to use GIC
v2.0. This patch adds the 'gicv3.gicv2-only=1' to the command line to ensure
that the right version of GIC is used.
Achin Gupta [Sun, 25 Jan 2015 22:44:23 +0000 (22:44 +0000)]
TBB: Add documentation for Trusted Board Boot
This patch updates the user-guide.md with the various build options related to
Trusted Board Boot and steps to build a FIP image which includes this
support. It also adds a trusted-board-boot.md which describes the scope and
design of this feature.
* DS-5 (to v5.20)
* EDK2 (to v2.1-rc0)
* Linux Kernel (to 1.3-Juno)
* Linaro file-system (to 14.12)
* Juno SCP binary (to 1.5.0-rc0 within board recovery image 0.10.1).
Also remove duplicate information that is available from the
ARM Connected Community website.
* Base FVP (to 6.2)
* Foundation FVP (to 9.1). Also update the name of the Foundation
FVP binary since it has changed since version 2.1.
Co-Authored-By: Dan Handley <dan.handley@arm.com>
Change-Id: I1cf2f2b1a3f1b997ac905a4ab440876d265698c0
Soby Mathew [Thu, 29 Jan 2015 12:00:58 +0000 (12:00 +0000)]
Fix the Cortex-A57 reset handler register usage
The CPU specific reset handlers no longer have the freedom
of using any general purpose register because it is being invoked
by the BL3-1 entry point in addition to BL1. The Cortex-A57 CPU
specific reset handler was overwriting x20 register which was being
used by the BL3-1 entry point to save the entry point information.
This patch fixes this bug by reworking the register allocation in the
Cortex-A57 reset handler to avoid using x20. The patch also
explicitly mentions the register clobber list for each of the
callee functions invoked by the reset handler
Juan Castillo [Tue, 13 Jan 2015 10:37:27 +0000 (10:37 +0000)]
TBB: add authentication module interface
This patch provides an API to access the authentication module that
will be used to verify the authenticity of the images loaded into
memory as part of the Trusted Board Boot process.
To include the authentication module as part of the build, set the
boolean build option TRUSTED_BOARD_BOOT. One single authentication
module must be registered at build time by setting the build option
AUTH_MOD=<mod_name>. All authentication modules will be located in
'common/auth/<mod_name>' and must present the <mod_name>.mk file that
will be included by the build system to compile the module sources.
To create an authentication module, an instance of auth_mod_t called
'auth_mod' must be declared in the module sources. The initialization
and verification functions provided by the module will be exported
through the function pointers specified when declaring this instance.
If an authentication module includes third party sources that do not
adhere to the C99 standard, the -pedantic option may be removed from
the build options by setting the flag DISABLE_PEDANTIC in the module
file <mod_name>.mk.
Juan Castillo [Tue, 13 Jan 2015 12:21:04 +0000 (12:21 +0000)]
TBB: add PolarSSL based authentication module
This patch implements an authentication module based on the
PolarSSL library (v1.3.9) to verify the Chain of Trust when
Trusted Boot is enabled.
PolarSSL sources must be fetched separately. The POLARSSL_DIR
build option may be used to indicate the path to the PolarSSL
main directory (this directory must contain the 'include' and
'library' subdirectories).
To be able to build PolarSSL sources as a part of the Trusted
Firmware build process, the DISABLE_PEDANTIC flag in polarssl.mk
will tell the build system to remove the -pedantic option from
the CFLAGS.
Inclusion of PolarSSL increases the memory requirements of the BL1
and BL2 images. The following are the changes made to the FVP and
Juno platforms to cater for this when TRUSTED_BOARD_BOOT is
defined:
Changes on FVP:
- BL1 and BL2 stacks have been increased to 4 KB
- BL1(rw) section has been increased to 32 KB.
- BL2 memory region has been increased to 112 KB
Changes on Juno:
- BL1 and BL2 stacks have been increased to 4 KB
- BL1(rw) section has been increased to 32 KB.
- Trusted ROM region in Flash has been increased to 128 KB.
- BL2 memory region has been increased to 116 KB
Juan Castillo [Mon, 17 Nov 2014 17:27:41 +0000 (17:27 +0000)]
stdlib: add missing features to build PolarSSL
This patch adds the missing features to the C library included
in the Trusted Firmware to build PolarSSL:
- strcasecmp() function
- exit() function
- sscanf()* function
- time.h header file (and its dependencies)
* NOTE: the sscanf() function is not a real implementation. It just
returns the number of expected arguments by counting the number of
'%' characters present in the formar string. This return value is
good enough for PolarSSL because during the certificate parsing
only the return value is checked. The certificate validity period
is ignored.
Juan Castillo [Wed, 7 Jan 2015 10:39:25 +0000 (10:39 +0000)]
TBB: add a platform specific function to validate the ROTPK
This patch adds the function plat_match_rotpk() to the platform
porting layer to provide a Root Of Trust Public key (ROTPK)
verification mechanism. This function is called during the
Trusted Board Boot process and receives a supposed valid copy
of the ROTPK as a parameter, usually obtained from an external
source (for instance, a certificate). It returns 0 (success) if
that key matches the actual ROTPK stored in the system or any
other value otherwise.
The mechanism to access the actual ROTPK stored in the system
is platform specific and should be implemented as part of this
function. The format of the ROTPK is also platform specific
(to save memory, some platforms might store a hash of the key
instead of the whole key).
TRUSTED_BOARD_BOOT build option has been added to allow the user
to enable the Trusted Board Boot features. The implementation of
the plat_match_rotpk() funtion is mandatory when Trusted Board
Boot is enabled.
For development purposes, FVP and Juno ports provide a dummy
function that returns always success (valid key). A safe trusted
boot implementation should provide a proper matching function.
projects / arm-tf.git / log