Marc Bonnici [Thu, 19 Aug 2021 13:42:19 +0000 (14:42 +0100)]
test(plat/fvp/lsp): add example logical partition
Add an example logical partition to the FVP platform that
simply prints and echos the contents of a direct request
with the appropriate direct response.
Change-Id: Ib2052c9a63a74830e5e83bd8c128c5f9b0d94658 Signed-off-by: Marc Bonnici <marc.bonnici@arm.com>
Marc Bonnici [Mon, 14 Feb 2022 17:06:09 +0000 (17:06 +0000)]
feat(spmc/lsp): add logical partition framework
Introduce a framework to support running logical
partitions alongside the SPMC in EL3 as per the
v1.1 FF-A spec.
The DECLARE_LOGICAL_PARTITION macro has been added to
simplify the process to define a Logical Partition.
The partitions themselves are statically allocated
with the descriptors placed in RO memory.
It is assumed that the MAX_EL3_LP_DESCS_COUNT will
be defined by the platform.
Change-Id: I1c2523e0ad2d9c5d36aeeef6b8bcb1e80db7c443 Signed-off-by: Marc Bonnici <marc.bonnici@arm.com>
Merge changes from topic "allwinner-idle" into integration
* changes:
feat(allwinner): provide CPU idle states to the rich OS
feat(allwinner): simplify CPU_SUSPEND power state encoding
feat(allwinner): choose PSCI states to avoid translation
feat(fdt): add the ability to supply idle state information
fix(allwinner): improve DTB patching error handling
refactor(allwinner): patch the DTB after setting up PSCI
refactor(allwinner): move DTB change code into allwinner/common
In all TF-A commit messages, the first line must comply to the
following format:
type(scope): description
Although the conventional commits specification says that the scope
above is optional, we have made it mandatory in TF-A and the following
error message is printed if no scope is provided:
scope may not be empty [scope-empty]
However, this can be too restrictive for some types of commits. For
example, it is typically hard to choose a scope for documentation
patches which modify several documents of different natures.
Lift this restriction in the tools and leave it up to the developer to
decide whether a scope is needed or not.
John Powell [Fri, 15 Apr 2022 00:10:17 +0000 (19:10 -0500)]
fix(security): update Cortex-A15 CPU lib files for CVE-2022-23960
Cortex-A15 does not support FEAT_CSV2 so the existing workaround for
Spectre V2 is sufficient to mitigate against Spectre BHB attacks,
however the code needed to be updated to work with the new build flag.
Also, some code was refactored several years ago and not updated in
the Cortex-A15 library file so this patch fixes that as well.
Signed-off-by: John Powell <john.powell@arm.com>
Change-Id: I768c88a38c561c91019b038ac6c22b291955f18e
Merge changes I80661161,I82c1fa93,I018ccbb9,Ibc23734d,I97406abe, ... into integration
* changes:
feat(intel): add SMC support for HWMON voltage and temp sensor
feat(intel): add SMC support for Get USERCODE
fix(intel): extend SDM command to return the SDM firmware version
feat(intel): add SMC for enquiring firmware version
fix(intel): configuration status based on start request
fix(intel): bit-wise configuration flag handling
fix(intel): get config status OK status
fix(intel): use macro as return value
fix(intel): fix fpga config write return mechanism
feat(intel): add SiP service for DCMF status
feat(intel): add RSU 'Max Retry' SiP SMC services
feat(intel): enable SMC SoC FPGA bridges enable/disable
feat(intel): add SMC/PSCI services for DCMF version support
feat(intel): allow to access all register addresses if DEBUG=1
fix(intel): modify how configuration type is handled
feat(intel): support SiP SVC version
feat(intel): enable firewall for OCRAM in BL31
feat(intel): create source file for firewall configuration
fix(intel): refactor NOC header
Olivier Deprez [Fri, 4 Feb 2022 11:30:11 +0000 (12:30 +0100)]
feat(smmu): configure SMMU Root interface
This change performs a basic configuration of the SMMU root registers
interface on an RME enabled system. This permits enabling GPC checks
for transactions originated from a non-secure or secure device upstream
to an SMMU. It re-uses the boot time GPT base address and configuration
programmed on the PE.
The root register file offset is platform dependent and has to be
supplied on a model command line.
Sieu Mun Tang [Wed, 27 Apr 2022 10:57:29 +0000 (18:57 +0800)]
feat(intel): add SMC support for Get USERCODE
This patch adds SMC support for enquiring FPGA's User Code.
Signed-off-by: Abdul Halim, Muhammad Hadi Asyrafi <muhammad.hadi.asyrafi.abdul.halim@intel.com> Signed-off-by: Jit Loon Lim <jit.loon.lim@intel.com> Signed-off-by: Sieu Mun Tang <sieu.mun.tang@intel.com>
Change-Id: I82c1fa9390b6f7509b2284d51e199fb8b6a9b1ad
feat(intel): add SMC for enquiring firmware version
This command allows non-secure world software to enquire the
version of currently running Secure Device Manager (SDM) firmware.
This will be useful in maintaining backward-compatibility as well
as ensuring software cross-compabitility.
Signed-off-by: Abdul Halim, Muhammad Hadi Asyrafi <muhammad.hadi.asyrafi.abdul.halim@intel.com> Signed-off-by: Jit Loon Lim <jit.loon.lim@intel.com> Signed-off-by: Sieu Mun Tang <sieu.mun.tang@intel.com>
Change-Id: Ibc23734d1135db74423da5e29655f9d32472a3b0
fix(intel): configuration status based on start request
Configuration status command now returns the result based on the last
config start command made to the runtime software. The status type can
be either:
- NO_REQUEST (default)
- RECONFIGURATION
- BITSTREAM_AUTH
Signed-off-by: Abdul Halim, Muhammad Hadi Asyrafi <muhammad.hadi.asyrafi.abdul.halim@intel.com>
Change-Id: I97406abe09b49b9d9a5b43e62fe09eb23c729bff Signed-off-by: Jit Loon Lim <jit.loon.lim@intel.com>
Sieu Mun Tang [Thu, 28 Apr 2022 14:40:58 +0000 (22:40 +0800)]
fix(intel): bit-wise configuration flag handling
Change configuration type handling to bit-wise flag. This is to align
with Linux's FPGA Manager definitions and promotes better compatibility.
Signed-off-by: Abdul Halim, Muhammad Hadi Asyrafi <muhammad.hadi.asyrafi.abdul.halim@intel.com> Signed-off-by: Jit Loon Lim <jit.loon.lim@intel.com> Signed-off-by: Sieu Mun Tang <sieu.mun.tang@intel.com>
Change-Id: I5aaf91d3fec538fe3f4fe8395d9adb47ec969434
Config status have different OK requirement between MBOX_CONFIG_STATUS
and MBOX_RECONFIG_STATUS request. This patch adds the checking to
differentiate between both command.
Signed-off-by: Abdul Halim, Muhammad Hadi Asyrafi <muhammad.hadi.asyrafi.abdul.halim@intel.com>
Change-Id: I45a4c3de460b031757dbcbd0b3a8055cb0a55aff Signed-off-by: Jit Loon Lim <jit.loon.lim@intel.com>
SMC function should strictly return INTEL_SIP_SMC_STATUS macro. Directly
returning value of variable status might cause confusion in calling
software.
Signed-off-by: Abdul Halim, Muhammad Hadi Asyrafi <muhammad.hadi.asyrafi.abdul.halim@intel.com>
Change-Id: Iea17f4feaa5c917e8b995471f3019dba6ea8dcd3 Signed-off-by: Jit Loon Lim <jit.loon.lim@intel.com>
This revert commit 279c8015fefcb544eb311b9052f417fc02ab84aa.
The previous change breaks this feature compatibility with Linux driver.
Hence, the fix for the earlier issue is going to be fixed in uboot instead.
Signed-off-by: Abdul Halim, Muhammad Hadi Asyrafi <muhammad.hadi.asyrafi.abdul.halim@intel.com> Signed-off-by: Jit Loon Lim <jit.loon.lim@intel.com> Signed-off-by: Sieu Mun Tang <sieu.mun.tang@intel.com>
Change-Id: I93220243bad65ed53322050d990544c7df4ce66b
Sieu Mun Tang [Thu, 28 Apr 2022 14:21:01 +0000 (22:21 +0800)]
feat(intel): add SiP service for DCMF status
This patch adds 2 additional RSU SiP services for Intel SoCFPGA
platforms:
- INTEL_SIP_SMC_RSU_COPY_DCMF_STATUS stores current DCMF status in
BL31
- INTEL_SIP_SMC_RSU_DCMF_STATUS is calling function for non-secure
software to retrieve stored DCMF status
Signed-off-by: Abdul Halim, Muhammad Hadi Asyrafi <muhammad.hadi.asyrafi.abdul.halim@intel.com> Signed-off-by: Jit Loon Lim <jit.loon.lim@intel.com> Signed-off-by: Sieu Mun Tang <sieu.mun.tang@intel.com>
Change-Id: Ic7a3e6988c71ad4bf66c58a1d669956524dfdf11
Merge changes from topic "ti-k3-system-suspend-base-support" into integration
* changes:
feat(ti): allow build config of low power mode support
feat(ti): increase SEC_SRAM_SIZE to 128k
feat(ti): add PSCI handlers for system suspend
feat(ti): add gic save and restore calls
feat(ti): add enter sleep method
feat(fdt-wrappers): add function to find or add a sudnode
This change adds a new utility function - `fdtw_find_or_add_subnode`
to find a subnode. If the subnode is not present, the function adds
it in the flattened device tree.
Enable SoC FPGA bridges enable/disable from non-secure world
through secure monitor calls
Signed-off-by: Abdul Halim, Muhammad Hadi Asyrafi <muhammad.hadi.asyrafi.abdul.halim@intel.com>
Change-Id: I4474abab9731923a61ff0e7eb2c2fa32048001cb Signed-off-by: Jit Loon Lim <jit.loon.lim@intel.com>
Chee Hong Ang [Wed, 13 May 2020 03:44:04 +0000 (11:44 +0800)]
feat(intel): add SMC/PSCI services for DCMF version support
Support get/store RSU DCMF version:
INTEL_SIP_SMC_RSU_DCMF_VERSION - Get current DCMF version
INTEL_SIP_SMC_RSU_COPY_DCMF_VERSION - Store current DCMF version
Signed-off-by: Chee Hong Ang <chee.hong.ang@intel.com> Signed-off-by: Jit Loon Lim <jit.loon.lim@intel.com>
Change-Id: I85ffbc0efc859736899d4812f040fd7be17c8d8d
fix(intel): modify how configuration type is handled
This patch creates macros to handle different configuration
types. These changes will help in adding new configuration
types in the future.
Signed-off-by: Abdul Halim, Muhammad Hadi Asyrafi <muhammad.hadi.asyrafi.abdul.halim@intel.com> Signed-off-by: Jit Loon Lim <jit.loon.lim@intel.com>
Change-Id: I5826a8e5942228a9ed376212f0df43b1605c0199
Set OCRAM as secure region and required privileged access in BL31 to
prevent software running in normal world (non-secure) accessing memory
region in OCRAM which may contain sensitive information (e.g. FSBL,
handoff data)
Signed-off-by: Abdul Halim, Muhammad Hadi Asyrafi <muhammad.hadi.asyrafi.abdul.halim@intel.com>
Change-Id: Ib6b24efd69f49cd3f9aa4ef2ea9f1af5ce582bd6 Signed-off-by: Jit Loon Lim <jit.loon.lim@intel.com>
feat(intel): create source file for firewall configuration
Move codes that previously were part of system_manager driver into
firewall driver which are more appropriate based on their functionalities.
Signed-off-by: Abdul Halim, Muhammad Hadi Asyrafi <muhammad.hadi.asyrafi.abdul.halim@intel.com>
Change-Id: I35e9d792f35ee7491c2f306781417a0c8faae3fd Signed-off-by: Jit Loon Lim <jit.loon.lim@intel.com>
Refactor NOC header to be shareable across both Stratix 10 and Agilex
platforms. This patch also removes redundant NOC declarations in system
manager header file.
Signed-off-by: Abdul Halim, Muhammad Hadi Asyrafi <muhammad.hadi.asyrafi.abdul.halim@intel.com>
Change-Id: I6348b67a8b54c2ad19327d6b8c25ae37d25e4b4a Signed-off-by: Jit Loon Lim <jit.loon.lim@intel.com>
Leon Chen [Wed, 23 Mar 2022 10:51:48 +0000 (18:51 +0800)]
build(makefile): add extra makefile variable for extension
Introduce EXTRA_LINKERFILE for GCC linker options. GCC linker
can realize multiple linker scripts, and vendors can extend ro or
text sections by inserting sections among the original sections
specified by blx.ld.S.
Vendors can assign compiled object files by assigning MODULE_OBJS
with their own built path.
Signed-off-by: Leon Chen <leon.chen@mediatek.com>
Change-Id: I1bd2e0383a52204723816131da4b7948def4c4e9
As per change [1], now HW_CONFIG gets loaded in secure and
non-secure memory. Hence updated the documentation to show
secure and non-secure load region of HW_CONFIG in FVP Arm
platform.
Additionally, added a note on how FW_CONFIG address gets
passed from BL2 to BL31/SP_MIN.
Currently, HW-config is loaded into non-secure memory, which mean
a malicious NS-agent could tamper with it. Ideally, this shouldn't
be an issue since no software runs in non-secure world at this time
(non-secure world has not been started yet).
It does not provide a guarantee though since malicious external
NS-agents can take control of this memory region for update/corruption
after BL2 loads it and before BL31/BL32/SP_MIN consumes it. The threat
is mapped to Threat ID#3 (Bypass authentication scenario) in threat
model [1].
Hence modified the code as below -
1. BL2 loads the HW_CONFIG into secure memory
2. BL2 makes a copy of the HW_CONFIG in the non-secure memory at an
address provided by the newly added property(ns-load-address) in
the 'hw-config' node of the FW_CONFIG
3. SP_MIN receives the FW_CONFIG address from BL2 via arg1 so that
it can retrieve details (address and size) of HW_CONFIG from
FW_CONFIG
4. A secure and non-secure HW_CONFIG address will eventually be used
by BL31/SP_MIN/BL32 and BL33 components respectively
5. BL31/SP_MIN dynamically maps the Secure HW_CONFIG region and reads
information from it to local variables (structures) and then
unmaps it
6. Reduce HW_CONFIG maximum size from 16MB to 1MB; it appears
sufficient, and it will also create a free space for any future
components to be added to memory
Dave Gerlach [Fri, 11 Feb 2022 19:57:19 +0000 (13:57 -0600)]
feat(ti): allow build config of low power mode support
Not all K3 platforms support low power mode, so to allow these
features to be included for platforms that do in build and
therefore reported in the PSCI caps, define K3_PM_SYSTEM_SUSPEND
flag that can be set during build that will cause appropriate
space and functionality to be included in build for system
suspend support.
Change-Id: I821fbbd5232d91de6c40f63254b855e285d9b3e8 Signed-off-by: Dave Gerlach <d-gerlach@ti.com>
Dave Gerlach [Tue, 30 Nov 2021 21:45:34 +0000 (15:45 -0600)]
feat(ti): add PSCI handlers for system suspend
Add necessary K3 PSCI handlers to enable system suspend to be reported
in the PSCI capabilities when asked during OS boot.
Additionally, have the handlers provide information that all domains
should be off and also have the power domain suspend handler invoke the
TISCI_MSG_ENTER_SLEEP message to enter system suspend.
Change-Id: I351a16167770e9909e8ca525ee0d74fa93331194 Signed-off-by: Dave Gerlach <d-gerlach@ti.com>
Dave Gerlach [Fri, 7 Jan 2022 14:12:39 +0000 (08:12 -0600)]
feat(ti): add gic save and restore calls
Add functions to save and restore GICv3 redist and dist contexts during
low power mode and then call these during the suspend entry and finish
psci handlers.
Change-Id: I26c2c0f3b7fc925de3b349499fa42d2405441577 Signed-off-by: Dave Gerlach <d-gerlach@ti.com>
Dave Gerlach [Tue, 30 Nov 2021 21:35:08 +0000 (15:35 -0600)]
feat(ti): add enter sleep method
This TISCI API must be used to trigger entry into system suspend, and
this is done through the use of TI_SCI_MSG_ENTER_SLEEP. Introduce a
method to send this message.
Change-Id: Id7af5fb2a34623ad69e76764f389ff4d8d259fba Signed-off-by: Dave Gerlach <d-gerlach@ti.com>
Merge changes Ibe6fd206,Icdca3de6,I72016620,I57a2787c into integration
* changes:
fix(versal): fix coverity scan warnings
feat(versal): get version for ATF related EEMI APIs
feat(versal): enhance PM_IOCTL EEMI API to support additional arg
feat(versal): add common interfaces to handle EEMI commands
Ronak Jain [Fri, 4 Feb 2022 08:42:55 +0000 (00:42 -0800)]
feat(versal): get version for ATF related EEMI APIs
The patch does below things.
1. As per current implementation, when Linux send a request to ATF to
get the version of APIs which are implemented in ATF then ATF wasn't
returning any version because there is a check for LIBPM module id.
The ATF is used to return version for the APIs which are implemented
in the firmware only.
Hence moved this switch-case before checking module id to get ATF
version.
Also, no need to pass Linux request to the firmware for the APIs
which are implemented in ATF instead return success after updating
version.
2. As per current implementation, higher 16-bit is used for ATF
version and lower 16-bit is used for firmware version. Now, removed
16-bit shift operation and send complete word i.e. 32-bit to Linux
user as there is no user who checks ATF version.
3. Add bit mask support in the feature check PM EEMI API for QUERY and
IOCTL ids.
Change-Id: Icdca3de6659f3b673b81a423ed79a3c20b678768 Signed-off-by: Ronak Jain <ronak.jain@xilinx.com> Signed-off-by: Tanmay Shah <tanmay.shah@xilinx.com>
feat(versal): enhance PM_IOCTL EEMI API to support additional arg
Currently, SMC handler is limited to parsing 5 arguments (1 API ID + 4
32-bit command args). Extend this handling to support one more 32-bit
command argument which is necessary to support new IOCTL IDs for
secure read/write interface.
Note that, this change is completely transparent and does not affect
existing functionality of any of the EEMI APIs.
Tanmay Shah [Mon, 9 Aug 2021 18:00:41 +0000 (11:00 -0700)]
feat(versal): add common interfaces to handle EEMI commands
This change adds common interfaces to handle commands from firmware driver
to power management controller. It removes big chunk of source line of code
that was handling each command separately and doing same repetitive work.
EEMI - Embedded Energy Management Interface is Xilinx proprietary
protocol to allow communication between power management controller
and different processing clusters.
As of now, Each EEMI command has its own implementation in TF-A.
This is redundant. Essentially most EEMI command implementation
in TF-A does same work. It prepares payload received from kernel, sends
payload to firmware, receives response from firmware and send response
back to kernel.
The same functionality can be achieved if common interface is used among
multiple EEMI commands. This change divides platform management related
SMCCC requests into 4 categories.
1) EEMI commands required for backward compatibility.
Some EEMI commands are still required for backward compatibility
until removed completely or its use is changed to accommodate
common interface
2) EEMI commands that require for PSCI interface and accessed from debugfs
For example EEMI calls related to CPU suspend/resume
3) TF-A specific requests
Functionality such as getting TF-A version and getting callback
data for platform management is handled by this interface
4) Common interface for rest of EEMI commands
This handlers performs payload and firmware response transaction job for
rest of EEMI commands. Also it parses module ID from SMC payload and inserts
in IPI request. If not module ID is found, then default is LIBPM_MODULE_ID.
This helps in making common path in TF-A for all the modules in PLM firmware
Change-Id: I57a2787c7fff9f2e1d1f9003b3daab092632d57e Signed-off-by: Tanmay Shah <tanmay.shah@xilinx.com>
Samuel Holland [Sun, 23 Jan 2022 05:37:12 +0000 (23:37 -0600)]
feat(allwinner): provide CPU idle states to the rich OS
When using SCPI as the PSCI backend, firmware can wake up the CPUs and
cluster from sleep, so CPU idle states are available for the rich OS to
use. In that case, advertise them to the rich OS via the DTB.
Change-Id: I718ef6ef41212fe5213b11b4799613adbbe6e0eb Signed-off-by: Samuel Holland <samuel@sholland.org>
Samuel Holland [Fri, 19 Mar 2021 04:15:28 +0000 (23:15 -0500)]
feat(allwinner): simplify CPU_SUSPEND power state encoding
Use the encoding recommended by the PSCI specification: four bits for
the power state at each power level.
SCPI provides no way to handshake an exit from a standby state, so the
only possible standby state is the architectural WFI state. Since WFI
can be used outside of PSCI, we do not allow passing in standby states.
Change-Id: I4b3b84e5c255ee58a25255a0cab5d7623425086e Signed-off-by: Samuel Holland <samuel@sholland.org>
Samuel Holland [Fri, 19 Mar 2021 03:55:15 +0000 (22:55 -0500)]
feat(allwinner): choose PSCI states to avoid translation
Aligning the PSCI and SCPI power states avoids some code to translate
between the two. This also makes room for an intermediate power state,
for future firmware capability growth.
Change-Id: I26691085f277a96bd405e3305ab0fe390a92b418 Signed-off-by: Samuel Holland <samuel@sholland.org>
Samuel Holland [Sun, 23 Jan 2022 23:12:26 +0000 (17:12 -0600)]
feat(fdt): add the ability to supply idle state information
Some platforms require extra firmware to implement CPU_SUSPEND, or only
have working CPU_SUSPEND in certain configurations. On these platforms,
CPU idle states should only be listed in the devicetree when they are
actually available. Add a function BL31 can use to dynamically supply
this idle state information.
Change-Id: I64fcc288303faba8abec4f59efd13a04220d54dc Signed-off-by: Samuel Holland <samuel@sholland.org>
Currently, if any step of the DTB patching process fails, the whole
process is aborted. However, this causes some problems:
- If any step modifies the DTB (including fdt_open_into), the dcache
must still be cleaned, even if some later step fails.
- The DTB may need changes in multiple places; if one patch fails (for
example due to missing nodes), we should still apply other patches.
- Similarly, if some patch fails, we should still run fdt_pack to
clean up after ourselves.
Change-Id: If1af2e58e5a7edaf542354bb8a261dd1c3da1ad0 Signed-off-by: Samuel Holland <samuel@sholland.org>
Samuel Holland [Sun, 23 Jan 2022 04:06:57 +0000 (22:06 -0600)]
refactor(allwinner): patch the DTB after setting up PSCI
Idle states are advertised to the rich OS by declaring them in the DTB.
Since the availability of idle states depends on which PSCI
implementation was chosen, the DTB must be updated after PSCI setup.
Move this operation to bl31_plat_runtime_setup, the platform hook
which happens at the right time. Defining this hook overrides the weak
definition from plat/common, so copy over the code from there, too.
Change-Id: I42a83edb9cb28e1803d17dc2d73dbc879d885222 Signed-off-by: Samuel Holland <samuel@sholland.org>
Andre Przywara [Sun, 19 Dec 2021 13:39:40 +0000 (13:39 +0000)]
refactor(allwinner): move DTB change code into allwinner/common
So far the H616 was the only Allwinner SoC needed to amend the DTB, to
reserve the DRAM portion that BL31 occupies.
To allow other SoCs to modify the DTB as well, without duplicating code,
move the DTB change routines into Allwinner common code, and generalise
the current code to allow other modifications.
No functional change intended.
Change-Id: I080ea07b6470367f3c2573a4368f8ef5196d411c Signed-off-by: Andre Przywara <andre.przywara@arm.com> Signed-off-by: Samuel Holland <samuel@sholland.org>
docs(fvp): specify correct reference of the hw_config address
TB_FW_CONFIG DT no longer contains the address of HW_CONFIG; it has
been moved to the FW_CONFIG DT since the introduction of FCONF.
Hence updated the documentation accordingly.
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
Change-Id: I37b68502a89dbd521acd99f2cb3aeb0bd36a04e0
Upgrade to the latest and greatest 2.x release of Mbed TLS library
(i.e. v2.28.0) to take advantage of their bug fixes.
Note that the Mbed TLS project published version 3.x some time
ago. However, as this is a major release with API breakages, upgrading
to 3.x might require some more involved changes in TF-A, which we are
not ready to do. We shall upgrade to mbed TLS 3.x after the v2.7
release of TF-A.
Upgrade to the latest and greatest 2.x release of Mbed TLS library
(i.e. v2.28.0) to take advantage of their bug fixes.
Note that the Mbed TLS project published version 3.x some time
ago. However, as this is a major release with API breakages, upgrading
to 3.x might require some more involved changes in TF-A, which we are
not ready to do. We shall upgrade to mbed TLS 3.x after the v2.7
release of TF-A.
Actually, the upgrade this time simply boils down to including the new
source code module 'constant_time.c' into the firmware.
To quote mbed TLS v2.28.0 release notes [1]:
The mbedcrypto library includes a new source code module
constant_time.c, containing various functions meant to resist timing
side channel attacks. This module does not have a separate
configuration option, and functions from this module will be
included in the build as required.
As a matter of fact, if one is attempting to link TF-A against mbed
TLS v2.28.0 without the present patch, one gets some linker errors
due to missing symbols from this new module.
Apart from this, none of the items listed in mbed TLS release
notes [1] directly affect TF-A. Special note on the following one:
Fix a bug in mbedtls_gcm_starts() when the bit length of the iv
exceeds 2^32.
In TF-A, we do use mbedtls_gcm_starts() when the firmware decryption
feature is enabled with AES-GCM as the authenticated decryption
algorithm (DECRYPTION_SUPPORT=aes_gcm). However, the iv_len variable
which gets passed to mbedtls_gcm_starts() is an unsigned int, i.e. a
32-bit value which by definition is always less than 2**32. Therefore,
we are immune to this bug.
With this upgrade, the size of BL1 and BL2 binaries does not appear to
change on a standard sample test build (with trusted boot and measured
boot enabled).
However, this page is now deprecated, as indicated by the banner at
the top of the page. When navigating to the new recommended page, one
can see the following note, which provides the rationale for the
deprecation:
GNU Toolchain releases from Arm were published previously as two
separate releases - one for A-profile and the other for R & M
profiles (GNU Toolchain for A-profile processors and GNU Arm
Embedded Toolchain).
Arm GNU Toolchain releases unifies these two into a single release
and the previous way of releases therefore have been
discontinued. However, the previous releases will continue to be
available for reference.
This patch updates the link to the new recommended place for compiler
downloads.
Merge changes from topic "ffa_el3_spmc" into integration
* changes:
feat(spmc): add support for direct req/resp
feat(spmc): add support for handling FFA_ERROR ABI
feat(spmc): add support for FFA_MSG_WAIT
feat(spmc): add function to determine the return path from the SPMC
feat(spmd): enable handling of FF-A SMCs with the SPMC at EL3
feat(spmd): update SPMC init flow to use EL3 implementation
feat(spmc): add FF-A secure partition manager core
feat(spmc): prevent read only xlat tables with the EL3 SPMC
feat(spmc): enable building of the SPMC at EL3
refactor(spm_mm): reorganize secure partition manager code
With the transition to mailman3, the URLs of TF-A and TF-A Tests
mailing lists have changed. However, we still refer to the old
location, which are now dead links.
Update all relevant links throughout the documentation.
There is one link referring to a specific thread on the TF-A mailing
list in the SPM documentation, for which I had to make a guess as to
what's the equivalent mailman3 URL. The old URL scheme indicates that
the thread dates from February 2020 but beyond that, I could not make
sense of the thread id within the old URL so I picked the most likely
match amongst the 3 emails posted on the subject in this time period.
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com> Reported-by: Kuohong Wang <kuohong.wang@mediatek.com>
Change-Id: I83f4843afd1dd46f885df225931d8458152dbb58
Marc Bonnici [Fri, 10 Dec 2021 09:21:56 +0000 (09:21 +0000)]
feat(spmc): add support for handling FFA_ERROR ABI
This ABI is only valid during SP initialisation to indicate
failure. If this occurs during SP initialisation signal a failure,
otherwise respond with a not supported error code.
Signed-off-by: Marc Bonnici <marc.bonnici@arm.com>
Change-Id: I0182a1641c0f6850e82173af333be79b594f2318
Marc Bonnici [Mon, 29 Nov 2021 17:05:33 +0000 (17:05 +0000)]
feat(spmc): add support for FFA_MSG_WAIT
Handle an incoming call of FFA_MSG_WAIT from the secure world
and update the runtime state of the calling partition accordingly.
This ABI can be called in the following scenarios:
- Used by an SP to signal it has finished initializing.
- To resume the normal world after handling a secure interrupt
that interrupted the normal world.
- To relinquish control back to the normal world.
Signed-off-by: Marc Bonnici <marc.bonnici@arm.com>
Change-Id: I929713a2280e8ec291b5b4e8f6d4b49df337228c
Marc Bonnici [Mon, 29 Nov 2021 17:17:29 +0000 (17:17 +0000)]
feat(spmc): add function to determine the return path from the SPMC
Use knowledge of the target partition ID and source security state
to determine which route should be used to exit the SPMC.
There are 3 exit paths:
1) Return to the normal world via the SPMD, this will take care of
switching contexts if required.
2) Return to the secure world when the call originated in the normal
world and therefore switch contexts.
3) Return to the secure world when the call originated in the secure
world, therefore we can return directly.
Signed-off-by: Marc Bonnici <marc.bonnici@arm.com>
Change-Id: I4037f3a8a8519e2c9f1876be92806d2c41d0d154
Marc Bonnici [Mon, 29 Nov 2021 18:02:45 +0000 (18:02 +0000)]
feat(spmd): enable handling of FF-A SMCs with the SPMC at EL3
Any FF-A SMC that arrives from the normal world is handled by the
SPMD before being forwarded to the SPMC. Similarly any SMC
arriving from the secure world will hit the SPMC first and be
forwarded to the SPMD if required, otherwise the SPMC will
respond directly.
This allows for the existing flow of handling FF-A ABI's when
the SPMC resides at a lower EL to be preserved.
In order to facilitate this flow the spmd_smc_forward function
has been split and control is either passed to the SPMC or it is
forwarded as before. To allow this the flags and cookie parameters
must now also be passed into this method as the SPMC must be able to
provide these when calling back into the SPMD handler as appropriate.
Signed-off-by: Marc Bonnici <marc.bonnici@arm.com>
Change-Id: I84fee8390023295b9689067e14cd25cba23ca39b
projects / arm-tf.git / log