Merge changes Ia748b6ae,Id8a48e14,Id25ab231,Ie26eed8a,Idf48f716, ... into integration
* changes:
refactor(auth): partially validate SubjectPublicKeyInfo early
fix(auth): reject padding after BIT STRING in signatures
fix(auth): reject invalid padding in digests
fix(auth): require at least one extension to be present
fix(auth): forbid junk after extensions
fix(auth): only accept v3 X.509 certificates
fix(auth): require at least one extension to be present
X.509 and RFC5280 allow omitting the extensions entirely, but require
that if the extensions field is present at all, it must contain at least
one certificate. TF-A already requires the extensions to be present,
but allows them to be empty. However, a certificate with an empty
extensions field will always fail later on, as the extensions contain
the information needed to validate the next stage in the boot chain.
Therefore, it is simpler to require the extension field to be present
and contain at least one extension. Also add a comment explaining why
the extensions field is required, even though it is OPTIONAL in the
ASN.1 syntax.
Change-Id: Ie26eed8a7924bf50937a6b27ccdf7cc9a390588d Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
v1 and v2 are forbidden as at least one extension is required. Instead
of actually parsing the version number, just compare it with a
hard-coded string.
Change-Id: Ib8fd34304a0049787db77ec8c2359d0930cd4ba1 Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
Bipin Ravi [Wed, 7 Dec 2022 23:01:26 +0000 (17:01 -0600)]
fix(cpus): workaround for Neoverse N2 erratum 2743089
Neoverse N2 erratum 2743089 is a Cat B erratum that applies to
all revisions <=r0p2 and is fixed in r0p3. The workaround is to
insert a dsb before the isb in the power down sequence.
Bipin Ravi [Thu, 15 Dec 2022 20:48:21 +0000 (14:48 -0600)]
fix(cpus): workaround for Cortex-A78 erratum 2772019
Cortex-A78 erratum 2772019 is a Cat B erratum that applies to
all revisions <=r1p2 and is still open. The workaround is to
insert a dsb before the isb in the power down sequence.
Bipin Ravi [Thu, 15 Dec 2022 17:57:53 +0000 (11:57 -0600)]
fix(cpus): workaround for Neoverse V1 erratum 2743093
Neoverse V1 erratum 2743093 is a Cat B erratum that applies to
all revisions <=r1p2 and is still open. The workaround is to
insert a dsb before the isb in the power down sequence.
Mate Toth-Pal [Fri, 21 Oct 2022 12:24:49 +0000 (14:24 +0200)]
feat(tc): add delegated attest and measurement tests
This patch adds Delegated Attestation and Measured Boot tests to the
plat/arm/board/tc platform.
The test suite can be activated by adding the build time option
`PLATFORM_TEST=1` to the make command. In this case the boot sequence is
not finished, plat_error_handler is called after the tests are run
(regardless of the test result.)
The actual test code is coming from the Trusted-Firmware-M project. Some
of the files of the tf-m-tests and tf-m-extras repo are linked to the
BL31 image.
Akshay Belsare [Thu, 15 Dec 2022 10:26:23 +0000 (15:56 +0530)]
fix(xilinx): resolve integer handling issue
OEN Number 48 to 63 is for Trusted App and OS.
GET_SMC_OEN limits the return value of OEN number to 63 by bitwise AND
operation with 0x3F. Thus the upper limit check for OEN value returned
by GET_SMC_OEN is not required.
Removing the upper limit check for the OEN value returned by GET_SMC_OEN
resolves integer handling issue CONSTANT_EXPRESSION_RESULT
Olivier Deprez [Thu, 15 Dec 2022 13:25:16 +0000 (14:25 +0100)]
Merge changes from topic "qemu_sel2" into integration
* changes:
docs(build): describes the SPMC_OPTEE build option
feat(qemu): support el3 spmc
feat(el3-spmc): make platform logical partition optional
feat(qemu): support s-el2 spmc
feat(qemu): update abi between spmd and spmc
fix(sptool): add dependency to SP image
fix(intel): missing NCORE CCU snoop filter fix in BL2
Clear Ncore CCU snoop filter. There is hardware bug in NCORE CCU IP
and it is causing an issue in the coherent directory tracking of
outstanding cache lines.
Manish Pandey [Thu, 17 Nov 2022 15:47:05 +0000 (15:47 +0000)]
fix(el3_runtime): allow SErrors when executing in EL3
SCR_EL3.EA is set to 1 in BL31 initialization and is cleared before
entering to lower ELs(except for RAS FFH case "HANDLE_EA_EL3_FIRST_NS").
The cleared value persist even during run time when execution comes
back to EL3.
When SCR_EL3.EA is 0 and execution state is EL3, Async EAs(delivered
as SErrors) are implicitly masked and hence any Async EA by EL3 will
remain pending and will trap at the exception level EA is targeted
to and unmasked when entering lower EL.
This causes unexpected EA at lower EL. This is a very rare
to get SError in EL3 until unless there is any programming error.
This patch sets SCR_EL3.EA to 1 when entering EL3 from lower EL.
Manish Pandey [Wed, 7 Dec 2022 13:04:20 +0000 (13:04 +0000)]
fix(el3_runtime): do not save scr_el3 during EL3 entry
scr_el3 registers cannot be modified in lower ELs which means it retains
the same value which is stored in the EL3 cpu context structure for the
given world. So, we should not save the register when entering to EL3
from lower EL as we have the copy of it present in cpu context.
During EL3 execution SCR_EL3 value can be modifed for following cases
1. Changes which is required for EL3 execution, this change is temp
and do not need to be saved.
2. Changes which affects lower EL execution, these changes need to be
written to cpu context as well and will be retrieved when scr_el3
is restored as part of exiting EL3
Merge changes Ie6a13e4a,I517074b8,Ifd29b748,I1279d9cb,I3b78e0c5, ... into integration
* changes:
feat(imx8mq): add BL31 PIE support
refactor(imx8mq): introduce BL31_SIZE
refactor(imx8mq): make use of setup_page_tables()
feat(imx8mq): always set up console
feat(imx8mq): remove empty bl31_plat_runtime_setup
feat(imx8mq): make IMX_BOOT_UART_BASE configurable via build parameter
Lucas Stach [Thu, 8 Dec 2022 15:44:00 +0000 (16:44 +0100)]
feat(imx8mq): add BL31 PIE support
Enable PIE support so the BL31 firmware can be loaded from anywhere
within the OCRAM (SRAM). For the PIE support we only need to replace
the BL31_BASE define by the BL31_START symbol which is a relocatable
and we need to enable it by setting ENABLE_PIE := 1.
Signed-off-by: Lucas Stach <l.stach@pengutronix.de>
Change-Id: Ie6a13e4ae0fdc6627a94798d7a86df7d5b310896
Lucas Stach [Thu, 8 Dec 2022 15:37:44 +0000 (16:37 +0100)]
refactor(imx8mq): introduce BL31_SIZE
No functional change.
Introduce BL31_SIZE define and calculate the limits based on the
BL31_BASE and the BL31_SIZE define. Also make use of SZ_64K to make
it easier to read. This is required for later BL31 PIE support since
it drops the calculation based on the BL31_LIMIT and BL31_BASE.
Signed-off-by: Lucas Stach <l.stach@pengutronix.de>
Change-Id: I517074b866b5bf11841b51777f87c926b304488d
Yann Gautier [Tue, 13 Dec 2022 09:51:56 +0000 (10:51 +0100)]
fix(st-crypto): remove platdata functions
The functions stm32_pka_get_platdata() and stm32_saes_get_platdata()
are not used. They can be removed as we always use DT to retrieve
the device configuration.
This issue was triggered by sparse tool or when enabling warning
-Wmissing-prototypes.
Yann Gautier [Mon, 12 Dec 2022 13:56:39 +0000 (14:56 +0100)]
fix(st-crypto): set get_plain_pk_from_asn1() static
The issue is triggered when enabling -Wmissing-prototypes warning:
plat/st/common/stm32mp_crypto_lib.c:81:5: warning:
no previous prototype for 'get_plain_pk_from_asn1'
[-Wmissing-prototypes]
81 | int get_plain_pk_from_asn1(void *pk_ptr, unsigned int pk_len,
| ^~~~~~~~~~~~~~~~~~~~~~
Yann Gautier [Fri, 18 Nov 2022 13:08:10 +0000 (14:08 +0100)]
fix(stm32mp1): add missing platform.h include
This includes the functions definitions, and avoids sparse warnings:
plat/st/stm32mp1/plat_image_load.c:13:6: warning:
symbol 'plat_flush_next_bl_params' was not declared.
Should it be static?
plat/st/stm32mp1/plat_image_load.c:21:16: warning:
symbol 'plat_get_bl_image_load_info' was not declared.
Should it be static?
plat/st/stm32mp1/plat_image_load.c:29:13: warning:
symbol 'plat_get_next_bl_params' was not declared.
Should it be static?
The issue was also found when enabling -Wmissing-prototypes warning:
plat/st/stm32mp1/plat_image_load.c:13:6: error:
no previous prototype for 'plat_flush_next_bl_params'
[-Werror=missing-prototypes]
13 | void plat_flush_next_bl_params(void)
| ^~~~~~~~~~~~~~~~~~~~~~~~~
plat/st/stm32mp1/plat_image_load.c:21:17: error:
no previous prototype for 'plat_get_bl_image_load_info'
[-Werror=missing-prototypes]
21 | bl_load_info_t *plat_get_bl_image_load_info(void)
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~
plat/st/stm32mp1/plat_image_load.c:29:14: error:
no previous prototype for 'plat_get_next_bl_params'
[-Werror=missing-prototypes]
29 | bl_params_t *plat_get_next_bl_params(void)
| ^~~~~~~~~~~~~~~~~~~~~~~
Yann Gautier [Fri, 18 Nov 2022 13:05:10 +0000 (14:05 +0100)]
fix(st): make metadata_block_spec static
This issue was triggered by sparse tool:
plat/st/common/stm32mp_fconf_io.c:31:17: warning:
symbol 'metadata_block_spec' was not declared. Should it be static?
fix(gic): wrap cache enabled assert under plat_can_cmo
with reference to feature 04c730 (feat(cpus): make cache ops conditional),
booting with caches in debug recovery means SCTLR_C_BIT will be 0.
Wrap the assert for the d-cache enabled check in CONDITIONAL_CMO and
plat_can_cmo calls to allow booting with d-cache disabled.
Yann Gautier [Mon, 12 Dec 2022 13:53:45 +0000 (14:53 +0100)]
fix(st): include utils.h to solve compilation error
If compiling with STM32MP13 with DECRYPTION_SUPPORT != none, there is
a compilation error:
plat/st/common/stm32mp_crypto_lib.c:
In function 'plat_get_enc_key_info':
plat/st/common/stm32mp_crypto_lib.c:532:25:
error: implicit declaration of function 'zeromem'
[-Werror=implicit-function-declaration]
532 | zeromem(key, *key_len);
| ^~~~~~~
laurenw-arm [Fri, 28 Oct 2022 16:26:32 +0000 (11:26 -0500)]
feat(arm): add ARM_ROTPK_LOCATION variant full key
Add support for ARM_ROTPK_LOCATION=devel_full_dev_rsa_key, which
implements the scenario where the platform provides the full ROTPK, as
opposed to the hash of it. This returns a 2kB development RSA key
embedded into the firmware.
The motivation for this patch is to extend our test coverage in the CI.
Right now, the authentication framework allows platforms to return
either the full ROTPK or a hash of it (*). However, the FVP platform
only supports returning a hash currently so we cannot easily exercise
the full key scenario. This patch adds that capability.
(*) Or even no key at all if it's not deployed on the platform yet, as
is typically the case on pre-production/developement platforms.
Manish Pandey [Fri, 9 Dec 2022 12:04:05 +0000 (13:04 +0100)]
Merge changes from topic "fix_misra_st_drivers" into integration
* changes:
fix(st-clock): avoid arithmetics on pointers
fix(st-clock): give the size for parent_mp13 and dividers_mp13 tables
fix(st-clock): remove useless switch
fix(st-clock): use Boolean type for tests
fix(st-regulator): use Boolean type for tests
fix(st-regulator): enclose macro parameters in parentheses
fix(st-regulator): rework for_each_*rdev macros
fix(st-regulator): explicitly check operators precedence
fix(st-pmic): define pmic_regs table size
fix(st-pmic): enclose macro parameter in parentheses
Manish Pandey [Fri, 9 Dec 2022 11:54:13 +0000 (12:54 +0100)]
Merge changes from topic "fix_misra_st_platform" into integration
* changes:
fix(stm32mp1): rework DWL buffer cache invalidation
fix(stm32mp1): add const for strings in stm32mp_get_soc_name()
fix(st): use Boolean type for tests
fix(st): rework secure-status check in fdt_get_status()
fix(st): use indices when counting GPIOs in DT
fix(st): add U suffix for unsigned numbers
fix(st): explicitly check operators precedence
AlexeiFedorov [Fri, 9 Dec 2022 11:27:14 +0000 (11:27 +0000)]
fix(gpt_rme): fix compilation error for gpt_rme.c
This patch fixes compilation error for gpt_init_l0_tables()
function in lib/gpt_rme/gpt_rme.c reported by GCC 13.0.0:
"gpt_rme/gpt_rme.c:765:5: error: conflicting types for
'gpt_init_l0_tables' due to enum/integer mismatch;
have 'int(unsigned int, uintptr_t, size_t)'
{aka 'int(unsigned int, long unsigned int, long unsigned int)'}"
Jens Wiklander [Thu, 19 May 2022 13:17:43 +0000 (15:17 +0200)]
feat(el3-spmc): make platform logical partition optional
Prior to this commit a logical platform specific partition is added when
compiling with SPMC at EL3. Not all platform need to add a logical
platform so make this optional.
Jens Wiklander [Tue, 22 Nov 2022 13:39:26 +0000 (14:39 +0100)]
feat(qemu): support s-el2 spmc
Supports S-EL2 SPMC + S-EL1 SP on qemu. S-EL1 SPs packaged in .pkg files
are added to the FIP as blob with an UUID. BL2 parses TB_FW_CONFIG to
know which SP blobs to load into memory.
Jens Wiklander [Fri, 18 Nov 2022 14:40:04 +0000 (15:40 +0100)]
feat(qemu): update abi between spmd and spmc
Updates the ABI between SPMD and the SPMC at S-EL1 so that the hard
coded SPMC manifest can be replaced by a proper manifest via TOS FW
Config. TOS FW Config is provided via QEMU_TOS_FW_CONFIG_DTS as a DTS
file when building. The DTS is turned into a DTB which is added to the
FIP.
Note that this is an incompatible change and requires corresponding
change in OP-TEE ("core: sel1 spmc: boot abi update").
Tony K Nadackal [Wed, 7 Dec 2022 20:44:05 +0000 (20:44 +0000)]
fix(scmi): change function prototype to fix gcc error
Change function prototype of plat_css_get_scmi_info() to fix the GCC
sign conversion error "comparison between signed and unsigned integer
expressions". Changing channel_id type to unsigned int since it can
never be a negative value.
Signed-off-by: Tony K Nadackal <tony.nadackal@arm.com>
Change-Id: I579b21497329db40897c10d86c8fc68e4877f3db
Tony K Nadackal [Wed, 7 Dec 2022 20:30:33 +0000 (20:30 +0000)]
fix(rdn1edge): change variable type to fix gcc sign conversion error
Change variable type in function bl31_platform_setup() to fix the GCC
sign conversion error "comparison between signed and unsigned integer
expressions".
Signed-off-by: Tony K Nadackal <tony.nadackal@arm.com>
Change-Id: Iff914bd7ad521883723c8fb34dd893412cce7fc5
Bipin Ravi [Wed, 7 Dec 2022 19:54:02 +0000 (13:54 -0600)]
fix(cpus): workaround for Cortex-X2 erratum 2768515
Cortex-X2 erratum 2768515 is a Cat B erratum that applies to
all revisions <=r2p1 and is still open. The workaround is to
insert a dsb before the isb in the power down sequence.
Bipin Ravi [Wed, 7 Dec 2022 19:32:35 +0000 (13:32 -0600)]
fix(cpus): workaround for Cortex-A710 erratum 2768515
Cortex-A710 erratum 2768515 is a Cat B erratum that applies to
all revisions <=r2p1 and is still open. The workaround is to
insert a dsb before the isb in the power down sequence.
fix(rmmd): add missing padding to RMM Boot Manifest and initialize it
This patch also:
* Enforces the check of RES0 fields on EL3-RMM boot interface
and manifest
* Fixes a couple of nits on the EL3-RMM Boot Interface
documentation.
Signed-off-by: Javier Almansa Sobrino <javier.almansasobrino@arm.com>
Change-Id: Idb9e38f9fcda2ba0655646a1e2c4fdbabd5cdc40
Yann Gautier [Fri, 25 Nov 2022 09:56:25 +0000 (10:56 +0100)]
fix(st-gpio): define shift as uint32_t
This corrects MISRA C2012-10.6:
The value of a composite expression shall not be assigned to an object
with wider essential type.
While at it change all the shift values to unsigned.
Yann Gautier [Mon, 21 Nov 2022 12:36:53 +0000 (13:36 +0100)]
fix(st-sdmmc): check transfer size before filling register
Fix MISRA C2012-10.3:
The value of an expression shall not be assigned to an object with
a narrower essential type or of a different essential type category.
Check buffer size is less than 4GB before casting the command argument.
As the default part do nothing, all the code managing DWL buffer cache
invalidation can be under programmer flags.
This avoids running unneeded code if the flags are not enabled, and
corrects MISRA C2012-16.6:
Every switch statement shall have at least two switch-clauses.
Yann Gautier [Mon, 21 Nov 2022 12:26:37 +0000 (13:26 +0100)]
fix(st): use Boolean type for tests
This corrects MISRA C2012-14.4
The controlling expression of an if statement and the controlling
expression of an iteration-statement shall have essentially Boolean type.
Yann Gautier [Mon, 21 Nov 2022 10:45:04 +0000 (11:45 +0100)]
fix(st): use indices when counting GPIOs in DT
Fix MISRA C2012-18.4:
The +, -, += and -= operators should not be applied to an expression
of pointer type.
While at it, avoid computing twice the same value, by removing the
initial value computation outside the loop.
Yann Gautier [Fri, 18 Nov 2022 14:03:22 +0000 (15:03 +0100)]
fix(st): explicitly check operators precedence
This corrects the MISRA violation C2012-12.1:
The precedence of operators within expressions should be made explicit.
This is done either by adding parentheses, or by creating dedicated
variables to ease readability.
Yann Gautier [Fri, 25 Nov 2022 10:37:00 +0000 (11:37 +0100)]
fix(st-clock): give the size for parent_mp13 and dividers_mp13 tables
This corrects MISRA C2012-9.5:
Where designated initializers are used to initialize an array object
the size of the array shall be specified explicitly.
Yann Gautier [Mon, 28 Nov 2022 13:56:58 +0000 (14:56 +0100)]
fix(st-clock): use Boolean type for tests
This corrects MISRA C2012-14.4
The controlling expression of an if statement and the controlling
expression of an iteration-statement shall have essentially Boolean type.
Yann Gautier [Mon, 28 Nov 2022 13:57:06 +0000 (14:57 +0100)]
fix(st-regulator): use Boolean type for tests
This corrects MISRA C2012-14.4
The controlling expression of an if statement and the controlling
expression of an iteration-statement shall have essentially Boolean type.
This corrects the MISRA violation C2012-12.1:
The precedence of operators within expressions should be made explicit.
This is done either by adding parentheses, or by creating dedicated
variables.
Yann Gautier [Thu, 24 Nov 2022 17:17:02 +0000 (18:17 +0100)]
fix(st-pmic): define pmic_regs table size
This corrects MISRA C2012-9.5:
Where designated initializers are used to initialize an array object
the size of the array shall be specified explicitly.
AlexeiFedorov [Thu, 24 Nov 2022 13:42:44 +0000 (13:42 +0000)]
fix(trp): preserve RMI SMC X4 when not used as return
This patch adds X2-X6 and 'smc_ret' parameters to trp_rmi_handler().
The last 'smc_ret' parameter passed in X7 contains address of
'trp_smc_result' structure on stack to return result of RMI SMC call.
This allows to preserve X4 if not used as a return argument as per
SMCCCv1.2. The patch also removes use of trp_args_t in RMI handling.
projects / arm-tf.git / log