Andre Przywara [Thu, 26 Jan 2023 16:47:52 +0000 (16:47 +0000)]
refactor(cpufeat): enable FEAT_DIT for FEAT_STATE_CHECKED
At the moment we only support FEAT_DIT to be either unconditionally
compiled in, or to be not supported at all.
Add support for runtime detection (ENABLE_DIT=2), by splitting
is_armv8_4_dit_present() into an ID register reading function and a
second function to report the support status. That function considers
both build time settings and runtime information (if needed).
We use ENABLE_DIT in two occassions in assembly code, where we just set
the DIT bit in the DIT system register.
Protect those two cases by reading the CPU ID register when ENABLE_DIT
is set to 2.
Change the FVP platform default to the now supported dynamic
option (=2), so the right decision can be made by the code at runtime.
Change-Id: I506d352f18e23c60db8cdf08edb449f60adbe098 Signed-off-by: Andre Przywara <andre.przywara@arm.com>
Manish Pandey [Tue, 14 Mar 2023 13:44:53 +0000 (13:44 +0000)]
fix(fvp): correct ehf priority for SPM_MM
PLAT_SP_PRI is used by SPM_MM and it is assigned same value as RAS
priority. Which is not allowed by exception handling framework and
causes build failure if both SPM_MM and RAS is enabled.
To fix this problem assign SP a different priority than RAS.
Merge changes from topic "mb/trusted-boot-update" into integration
* changes:
refactor(auth)!: unify REGISTER_CRYPTO_LIB
refactor(auth): replace plat_convert_pk
docs(auth): add auth_decrypt in CM chapter
feat(auth): compare platform and certificate ROTPK for authentication
docs(auth): add 'calc_hash' function's details in CM
Yann Gautier [Wed, 15 Mar 2023 10:31:25 +0000 (11:31 +0100)]
refactor(auth)!: unify REGISTER_CRYPTO_LIB
Have only one definition for REGISTER_CRYPTO_LIB macro, with all the
possible fields. Worst case adds 4 u64 to crypto_lib_desc.
While at it, correct some MISRA violations:
MC3R1.R12.1: (advisory) The precedence of operators within expressions
should be made explicit.
Yann Gautier [Tue, 24 Jan 2023 08:39:47 +0000 (09:39 +0100)]
refactor(auth): replace plat_convert_pk
Following discussions in the reviews of the patch that introduced
plat_convert_pk() function [1], it was decided to deprecate it to
avoid weak function declaration.
A new optional function pointer convert_pk is added to crypto_lib_desc_t.
A new function crypto_mod_convert_pk() will either call
crypto_lib_desc.convert_pk() if it is defined, or do the same
as what was done by the weak function otherwise.
Harrison Mutai [Thu, 16 Feb 2023 10:20:48 +0000 (10:20 +0000)]
feat: add support for poetry
New python dependencies are introduced by the memory mapping script.
Rather than add another `requirements.txt` utilise poetry. This is a
proper dependency management framework for Python. The two main upsides
of using poetry instead of the traditional requirements.txt are
maintainability and reproducibility.
Poetry provides a proper lock file for pinning dependencies, similar to
npm for JavaScript. This allows for separate environments (i.e. docs,
tools) to be created efficiently, and in a reproducible manner, wherever
the project is deployed. Having dependencies pinned in this manner is a
boon as a security focused project. An additional upside is that we will
receive security updates for dependencies via GitHub's Dependabot.
Change-Id: I5a3c2003769b878a464c8feac0f789e5ecf8d56c Signed-off-by: Harrison Mutai <harrison.mutai@arm.com>
docs(threat-model): add a notes related to the Measured Boot
TF-A currently does not have any TPM2 driver for extending
measurements into a discrete TPM chip. In TPM-based attestation
scheme, measurements are just stored into a TCG-compatible event
log buffer in secure memory.
In light of the fact that Event Log measurements are taken by BL1 and
BL2, we need to trust these components to store genuine measurements,
and the Generic Threat Model always mitigates against attacks on these
components, therefore, there is no explicit document for the Measured
Boot threat model at this time is needed.
Change-Id: I41b037b2f5956d327b53cd834345e5aefdcfb5ef Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
Chris Kay [Tue, 18 Apr 2023 16:32:41 +0000 (17:32 +0100)]
build(hooks): allow hooks to skip Commitizen
Adds a conditional check in the `prepare-commit-msg` commit hook that
reads the `tf-a.disableCommitizen` Git configuration option, and
does not execute Commitizen if it is found.
To skip Commitizen, run:
git config tf-a.disableCommitizen true
Change-Id: Ic8967f6f42bf3555df09b57096044fb99438d4d4 Signed-off-by: Chris Kay <chris.kay@arm.com>
feat(fvp): add Event Log maximum size property in DT
Updated the code to get and set the 'tpm_event_log_max_size' property
in the event_log.dtsi.
In this change, the maximum Event Log buffer size allocated by BL1 is
passed to BL2, rather than both relying on the maximum Event Log buffer
size macro.
Change-Id: I7aa6256390872171e362b6f166f3f7335aa6e425 Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
Mark Brown [Tue, 14 Mar 2023 21:33:04 +0000 (21:33 +0000)]
feat(gcs): support guarded control stack
Arm v9.4 introduces support for Guarded Control Stack, providing
mitigations against some forms of RPO attacks and an efficient mechanism
for obtaining the current call stack without requiring a full stack
unwind. Enable access to this feature for EL2 and below, context
switching the newly added EL2 registers as appropriate.
Change the FVP platform to default to handling this as a dynamic option
so the right decision can be made by the code at runtime.
Signed-off-by: Mark Brown <broonie@kernel.org>
Change-Id: I691aa7c22e3547bb3abe98d96993baf18c5f0e7b
Markus Niebel [Tue, 2 Mar 2021 17:44:25 +0000 (18:44 +0100)]
feat(imx8): add support for debug uart on lpuart1
Needed for TQMa8Xx on MBa8Xx. With this changes it is
possible to build:
$ make PLAT=imx8qx IMX_DEBUG_UART=1 DEBUG_CONSOLE=1 bl31
Signed-off-by: Markus Niebel <Markus.Niebel@tq-group.com> Signed-off-by: Alexander Stein <alexander.stein@ew.tq-group.com>
Change-Id: If380845b254f30fe919ebb33c86130597c4b8ad3
Michal Simek [Mon, 17 Apr 2023 11:51:59 +0000 (13:51 +0200)]
fix(zynqmp): remove unused PLAT_NUM_POWER_DOMAINS
Remove unused PLAT_NUM_POWER_DOMAINS macro. Macro is referenced by
docs/design/psci-pd-tree.rst but it is not used in any calculation
that's why it is better to remove it.
Change-Id: I33f26cda6a4404061af5598ea4c751f64127e50a Signed-off-by: Michal Simek <michal.simek@amd.com>
Michal Simek [Mon, 17 Apr 2023 11:15:23 +0000 (13:15 +0200)]
fix(xilinx): remove asserts around arg0/arg1
The commit a6f340fe58b9 ("Introduce the new BL handover interface")
extended handoff to 4 registers instead of 2. Arguments arg0-3 are
not used by platform code but in future they can be used for it.
But it doesn't make sense to checking their unused value.
Change-Id: I151e4b1574465409424453c054d937487086b79a Signed-off-by: Michal Simek <michal.simek@amd.com>
Michal Simek [Fri, 14 Apr 2023 06:43:51 +0000 (08:43 +0200)]
style(xilinx): replace ARM by Arm in copyrights
The commit 6bb49c876c75 ("style(hooks): adds Arm copyright style fix")
is enforcing proper case for ARM. That's why fix it in plat/xilinx to
make sure that pre-commit.copyright won't be touching platform specific
files.
Change-Id: I49c66e18d46ed871a6aa128c9b2a403d0cf83416 Signed-off-by: Michal Simek <michal.simek@amd.com>
fix(intel): fix Agilex and N5X clock manager to main PLL C0
Update Agilex and N5X clock manager to get MPU clock from mainPLL C0
and PeriPLLC0.
1. Updated macro name PLAT_SYS_COUNTER_CONVERT_TO_MHZ to
PLAT_HZ_CONVERT_TO_MHZ.
2. Updated get_cpu_clk to point to get_mpu_clk and added comment.
3. Added get_mpu_clk to get clock from main PLL C0 and Peri PLL C0.
Rob Newberry [Thu, 30 Mar 2023 17:43:21 +0000 (10:43 -0700)]
fix(rpi3): initialize SD card host controller
Add initial configuration parameters for Rasperry Pi 3's sdhost
controller, and then configure and use those parameters.
This change allows warm reboots of UEFI on Raspberry Pi 3B+ where
existing code often fails with "unknown error". See discussion at:
https://github.com/pftf/RPi3/issues/24
The basic idea is that some initial configuration parameters
(clock rate, bus width) aren't configured into the hardware before
commands start being sent. I suspect that the particular setting
that matters is the "slow card" bit, but the initial clock setting
also seemed wrong to me.
Change-Id: I526def340def143f23f3422f1fc14c12c937ca7f Signed-off-by: Rob Newberry <robthedude@mac.com>
Juan Pablo Conde [Wed, 22 Feb 2023 16:09:52 +0000 (10:09 -0600)]
feat(hcx): initialize HCRX_EL2 to its default value
The value of register HCRX_EL2 is UNKNOWN out of reset. This can
affect the behavior in lower exception levels, such as traps to
EL2 due to a wrong configuration of the register upon reset.
This patch initializes the register at EL3 and disables all traps
related to it.
On the other hand, new fields have been introduced for HCRX_EL2,
which are now defined in this patch, so they can be used in
further development.
Signed-off-by: Juan Pablo Conde <juanpablo.conde@arm.com>
Change-Id: I0bf1e949aa0d3be9f227358ad088a1ecb96ce222
Mark Brown [Tue, 14 Mar 2023 20:48:43 +0000 (20:48 +0000)]
feat(pie/por): support permission indirection and overlay
Arm v8.9 introduces a series of features providing a new way to set memory
permissions. Instead of directly encoding the permissions in the page
tables the PTEs contain indexes into an array of permissions stored in
system registers, allowing greater flexibility and density of encoding.
Enable access to these features for EL2 and below, context switching the
newly added EL2 registers as appropriate. Since all of FEAT_S[12]P[IO]E
are separately discoverable we have separate build time options for
enabling them, but note that there is overlap in the registers that they
implement and the enable bit required for lower EL access.
Change the FVP platform to default to handling them as dynamic options so
the right decision can be made by the code at runtime.
Signed-off-by: Mark Brown <broonie@kernel.org>
Change-Id: Icf89e444e39e1af768739668b505661df18fb234
Fix coverity finding in psci_cpu_on, in which target_idx is directly
assigned the return value from plat_core_pos_by_mpidr. If the latter
returns a negative or large positive value, it can trigger an out of
bounds overflow for the psci_cpu_pd_nodes array.
>>>> CID 382009: (OVERRUN)
>>>> Overrunning callee's array of size 8 by passing argument "target_idx" (which evaluates to 4294967295) in call to "psci_spin_lock_cpu".
> 80 psci_spin_lock_cpu(target_idx);
>>>> CID 382009: (OVERRUN)
>>>> Overrunning callee's array of size 8 by passing argument "target_idx" (which evaluates to 4294967295) in call to "psci_spin_unlock_cpu".
> 160 psci_spin_unlock_cpu(target_idx);
If PLATFORM_STACK_SIZE not already defined, use the default value of
PLATFORM_STACK_SIZE.
This makes the stack size value configurable for different interface
like custom packages.
Signed-off-by: Amit Nagal <amit.nagal@amd.com> Signed-off-by: Akshay Belsare <akshay.belsare@amd.com>
Change-Id: I87e9fcbfb4c4092378b1ac0ff8fb6d084495d320
docs(porting): refer the reader back to the threat model
When porting TF-A to a new platform, it is essential to read the
threat model documents in conjunction with the porting guide to
understand the security responsibilities of each platform interface
to implement.
Add a note to highlight this in the porting guide.
docs(porting): move porting guide upper in table of contents
The porting guide is currently hosted under the 'Getting started'
section. Yet, porting the full firmware to a new platform is probably
not the first thing that one would do. Before delving into the
details, one would probably start by building the code for an emulated
platform, such as Arm FVP.
Furthermore, the porting guide is such a big and important document
that it probably deserves being visible in the main table of contents.
Thus, move it just above the list of supported platforms.
fix(intel): update boot scratch to indicate to Uboot is PSCI ON
There is a use case where kernel requested ATF to power off/on only CPU0.
However, after ATF power off/on CPU0, CPU0 did not back into the state
to wait for ATF. Instead, CPU0 continue to reentry SPL boot sequence
because CPU0 is master/primary core. This causing the system reboot from
SPL again, while the slave core still in kernel.
To resolve this, ATF is set the boot scratch register 8 bit 17 whenever
it is a request from kernel to power off/on only CPU0. So, if this boot
scratch bit is set, CPU 0 will be able to put into a state to wait for
ATF.
Qemu-tcg with GICv3 emulation enabled will by default configure MPIDR
topology to report up to 16 cpus per cluster. This is NOT overriden by
qemu's -smp setting, e.g. -smp 8,clusters=2,cores=4,threads=1 will still
generate MPIDR reads as if all 8 CPUs were within one cluster.
Increase the hardcoded limit to reflect that so that we accept PSCI
calls that provide MPIDRs based on what was actually read from the
emulated CPU.
Andre Przywara [Tue, 4 Apr 2023 15:52:25 +0000 (16:52 +0100)]
fix(imx8mq): fix compilation with gcc >= 12.x
Starting with GCC >= 12.x the -Wall option includes -Werror=array-bounds
checks. Per default GCC treats all memory accesses below 4096 as NULL,
so access to ROMAPI causes the following warning:
------------
In file included from plat/imx/imx8m/imx8mq/imx8mq_bl31_setup.c:20:
In function 'mmio_read_8',
inlined from 'imx8mq_soc_info_init' at plat/imx/imx8m/imx8mq/imx8mq_bl31_setup.c:70:16,
inlined from 'bl31_platform_setup' at plat/imx/imx8m/imx8mq/imx8mq_bl31_setup.c:206:2:
include/lib/mmio.h:19:16: error: array subscript 0 is outside array bounds of 'volatile uint8_t[0]' {aka 'volatile unsigned char[]'} [-Werror=array-bounds]
19 | return *(volatile uint8_t*)addr;
| ^~~~~~~~~~~~~~~~~~~~~~~~
In function 'mmio_read_8',
inlined from 'imx8mq_soc_info_init' at plat/imx/imx8m/imx8mq/imx8mq_bl31_setup.c:74:16,
inlined from 'bl31_platform_setup' at plat/imx/imx8m/imx8mq/imx8mq_bl31_setup.c:206:2:
include/lib/mmio.h:19:16: error: array subscript 0 is outside array bounds of 'volatile uint8_t[0]' {aka 'volatile unsigned char[]'} [-Werror=array-bounds]
19 | return *(volatile uint8_t*)addr;
| ^~~~~~~~~~~~~~~~~~~~~~~~
cc1: all warnings being treated as errors
------------
This comes arguably from us somewhat abusing pointers to access MMIO
memory regions, which is not really covered by the C language.
Replace the pointer-dereferencing mmio_read_8() with an implementation
that uses inline assembly, to directly generate an 8-bit load
instruction. This avoids the compiler thinking that this access is using
a pointer it needs to jealously look after.
Change-Id: Iab39f6f615d51d3e8a1c54a1262d1e6ec208811d Reported-by: Marco Felsch <m.felsch@pengutronix.de> Signed-off-by: Andre Przywara <andre.przywara@arm.com>
Govindraj Raja [Mon, 13 Mar 2023 12:09:12 +0000 (12:09 +0000)]
feat(cpus): add support for blackhawk cpu
Add basic CPU library code to support the Blackhawk CPU,
BlackHawk core is based out of Hunter ELP core,
so overall library code was adapted based on that.
Change-Id: I4750e774732218ee669dceb734cd107f46b78492 Signed-off-by: Govindraj Raja <govindraj.raja@arm.com>
Govindraj Raja [Fri, 10 Mar 2023 10:38:54 +0000 (10:38 +0000)]
feat(cpus): add support for chaberton cpu
Add basic CPU library code to support the Chaberton CPU,
Chaberton cores are based out of Hunter core, so overall
library code was adapted based on that.
Change-Id: I58321c77f2c364225a764da6fa65656d1bec33f1 Signed-off-by: Govindraj Raja <govindraj.raja@arm.com>
fix(fvp): work around DRTM_SUPPORT BL31 progbits exceeded
Just like the tspd, DRTM support pulls in a lot of code which can't fit
into SRAM with everything else the fvp is including. Luckily, testing
this feature is only done on v8.0 models, meaning all feature related
code can be excluded for this run, saving space. The benefit of doing it
this way is that the test can continue running unaltered in the interim.
Merge changes from topic "ethos-n" into integration
* changes:
docs(maintainers): update NPU driver files
docs(ethos-n): update porting-guide.rst for NPU
feat(ethos-n): add separate RO and RW NSAIDs
feat(ethos-n)!: add protected NPU firmware setup
feat(ethos-n): add stream extends and attr support
feat(ethos-n): add reserved memory address support
feat(ethos-n): add event and aux control support
feat(ethos-n): add SMC call to get FW properties
refactor(ethos-n): split up SMC call handling
feat(ethos-n): add NPU firmware validation
feat(ethos-n): add check for NPU in SiP setup
feat(ethos-n)!: load NPU firmware at BL2
feat(juno): support ARM_IO_IN_DTB option for Juno
fix(fconf): fix FCONF_ARM_IO_UUID_NUMBER value
fix(fvp): incorrect UUID name in FVP tb_fw_config
fix(ethos-n): add workaround for erratum 2838783
feat(ethos-n): add support for NPU to cert_create
feat(ethos-n): add NPU support in fiptool
feat(ethos-n): add support to set up NSAID
build(fiptool): add object dependency generation
feat(ethos-n): add NPU sleeping SMC call
feat(ethos-n): add multiple asset allocators
feat(ethos-n): add reset type to reset SMC calls
feat(ethos-n): add protected NPU TZMP1 regions
build(ethos-n): add TZMP1 build flag
The top-level page for threat model documents is evidently out-dated,
as it contains text which no longer makes sense on its own. Most
likely it relates back to the days where we had a single threat model
document.
Reword it accordingly. While we are at it, explain the motivation and
structure of the documents.
Andre Przywara [Wed, 29 Mar 2023 11:05:19 +0000 (12:05 +0100)]
fix(psci): remove unreachable switch/case blocks
The PSCI function dispatcher switch/case is split up between 32-bit and
64-bit function IDs, based on bit 30 of the encoding. This bit just
encodes the maximum size of the arguments, not necessarily whether they
are used from AArch64 or AArch32. So while some functions exist in both
worlds (CPU_ON, for instance), some functions take no or only 32-bit
arguments (CPU_OFF, PSCI_FEATURES), so they only exist as a 32-bit
function call.
Commit b88a4416b5e5 ("feat(psci): add support for PSCI_SET_SUSPEND_MODE"
, gerrit ID Iebf65f5f7846aef6b8643ad6082db99b4dcc4bef) and commit 9a70e69e0598 ("feat(psci): update PSCI_FEATURES", gerrit ID
I5da8a989b53419ad2ab55b73ddeee6e882c25554) introduced two "case"
sections for 32-bit function IDs in the 64-bit branch, which will never
trigger. The one small extra case caused the sun50i_a64 DEBUG build to
go beyond its RAM limit.
Removed the redundant switch/case blocks, to make sun50i_a64 build
again.
Change-Id: Ic65b7403d128837296a0c3af42c6f23f9f57778e Signed-off-by: Andre Przywara <andre.przywara@arm.com>
Mikael Olsson [Tue, 28 Mar 2023 13:51:49 +0000 (15:51 +0200)]
docs(maintainers): update NPU driver files
New files have been added for the Arm(R) Ethos(TM)-N NPU driver with the
addition of TZMP1 support so the files in the maintainers list have been
updated accordingly.
Signed-off-by: Mikael Olsson <mikael.olsson@arm.com>
Change-Id: I3768b2ab78c117c1dd4fc03b38cf35f6811fa378
Rob Hughes [Mon, 20 Feb 2023 12:03:52 +0000 (12:03 +0000)]
docs(ethos-n): update porting-guide.rst for NPU
Add some missing configuration that must be done for supporting NPU on
other platforms.
Signed-off-by: Rob Hughes <robert.hughes@arm.com> Signed-off-by: Mikael Olsson <mikael.olsson@arm.com>
Change-Id: Ic505ea60f73b970d0d7ded101830eb2ce8c7ab64
Mikael Olsson [Tue, 14 Mar 2023 17:29:06 +0000 (18:29 +0100)]
feat(ethos-n): add separate RO and RW NSAIDs
To be able to further restrict the memory access for the Arm(R)
Ethos(TM)-N NPU, separate read-only and read/write NSAIDs for the
non-protected and protected memory have been added to the Juno
platform's TZMP1 TZC configuration for the NPU.
The platform definition has been updated accordingly and the NPU driver
will now only give read/write access to the streams that require it.
Signed-off-by: Mikael Olsson <mikael.olsson@arm.com>
Change-Id: I5a173500fc1943a5cd406a3b379e1f1f554eeda6
Mikael Olsson [Fri, 10 Feb 2023 15:59:23 +0000 (16:59 +0100)]
feat(ethos-n)!: add protected NPU firmware setup
When the Arm(R) Ethos(TM)-N NPU driver is built with TZMP1 support, the
NPU should use the firmware that has been loaded into the protected
memory by BL2. The Linux Kernel NPU driver in the non-secure world is
not allowed to configure the NPU to do this in a TZMP1 build so the SiP
service will now configure the NPU to boot with the firmware in the
protected memory.
BREAKING CHANGE: The Linux Kernel NPU driver can no longer directly
configure and boot the NPU in a TZMP1 build. The API version has
therefore been given a major version bump with this change.
Signed-off-by: Mikael Olsson <mikael.olsson@arm.com>
Change-Id: I65d00f54b3ade3665d7941e270da7a3dec02281a
Mikael Olsson [Fri, 10 Feb 2023 15:59:03 +0000 (16:59 +0100)]
feat(ethos-n): add stream extends and attr support
The SiP service for the Arm(R) Ethos(TM)-N NPU driver will now handle
setting up the address extension and attribute control for the NPU's
streams. The non-secure world will still be allowed to read the address
extension for stream0 but non-secure access to all other streams have
been removed.
The API version has been given a minor bump with this change to indicate
the added functionality.
Signed-off-by: Mikael Olsson <mikael.olsson@arm.com>
Change-Id: I2b041ca4a0a2b5cd6344a4ae144f75e137c72592
Mikael Olsson [Fri, 10 Feb 2023 10:39:40 +0000 (11:39 +0100)]
feat(ethos-n): add reserved memory address support
The FCONF parsing of the HW_CONFIG for the Arm(R) Ethos(TM)-N NPU now
supports reading the address of the reserved memory setup for the NPU so
the address can be used in the SiP service for the NPU.
Change-Id: I0968255a966e84896b00ea935d6aa3d5232c5f7b Signed-off-by: Mikael Olsson <mikael.olsson@arm.com>