Manish Pandey [Mon, 16 Jan 2023 15:44:17 +0000 (16:44 +0100)]
Merge changes from topic "refactor_st_common" into integration
* changes:
refactor(st): move board info in common code
refactor(st): move GIC code to common directory
refactor(st): move boot backup register management
Tony K Nadackal [Wed, 24 Nov 2021 16:09:26 +0000 (16:09 +0000)]
feat(rdn2): add platform id value for rdn2 variant 3
The RD-N2-Cfg3 platform is a variant of the RD-N2 platform with the
significant difference being the number of ITS blocks and the use of a
different part number.
Signed-off-by: Tony K Nadackal <tony.nadackal@arm.com>
Change-Id: Id4c5faeae44f21da79cb59540558192d0b02b124
Tony K Nadackal [Sat, 12 Nov 2022 23:21:20 +0000 (23:21 +0000)]
refactor(rdn2): reduce use of CSS_SGI_PLATFORM_VARIANT build flag
The core count is one of the significant difference between the various
RD-N2 platform variants. The PLAT_ARM_CLUSTER_COUNT macro defines the
number of core/cluster for a variant. In preparation to add another
variant of RD-N2 platform, replace the use of CSS_SGI_PLATFORM_VARIANT
build flag, where applicable, with the PLAT_ARM_CLUSTER_COUNT macro.
This helps to reduce the changes required to add support for a new
variant.
Signed-off-by: Tony K Nadackal <tony.nadackal@arm.com>
Change-Id: I89b168308d1b5f7edd402205dd25d6c3a355e100
Joanna Farley [Thu, 12 Jan 2023 10:11:28 +0000 (11:11 +0100)]
Merge changes from topic "fix-power-up-dwn-issue" into integration
* changes:
fix(versal-net): enable wake interrupt during client suspend
fix(versal-net): disable wakeup interrupt during client wakeup
fix(versal-net): clear power down bit during wakeup
fix(versal-net): fix setting power down state
fix(versal-net): clear power down interrupt status before enable
fix(versal-net): resolve misra rule 20.7 warnings
fix(versal-net): resolve misra 10.6 warnings
Bipin Ravi [Thu, 22 Dec 2022 20:19:59 +0000 (14:19 -0600)]
fix(cpus): workaround for Cortex-X2 erratum 2282622
Cortex-X2 erratum 2282622 is a Cat B erratum that applies to
all revisions <=r2p1 and is still open. The workaround is to set
CPUACTLR2_EL1[0] to 1 to force PLDW/PFRM ST to behave like
PLD/PRFM LD and not cause invalidations to other PE caches.
Following macros removed
- handle_async_ea : It duplicates "check_and_unmask_ea" functionality
- check_if_serror_from_EL3: This macro is small and called only once,
replace this macro with instructions at the caller.
get_ext() does not check the return value of the various mbedtls_*
functions, as cert_parse() is assumed to have guaranteed that they will
always succeed. However, it passes the end of an extension as the end
pointer to these functions, whereas cert_parse() passes the end of the
TBSCertificate. Furthermore, cert_parse() does *not* check that the
contents of the extension have the same length as the extension itself.
Before fd37982a19a4a291 ("fix(auth): forbid junk after extensions"),
cert_parse() also does not check that the extension block extends to the
end of the TBSCertificate.
This is a problem, as mbedtls_asn1_get_tag() leaves *p and *len
undefined on failure. In practice, this results in get_ext() continuing
to parse at different offsets than were used (and validated) by
cert_parse(), which means that the in-bounds guarantee provided by
cert_parse() no longer holds.
This patch fixes the remaining flaw by enforcing that the contents of an
extension are the same length as the extension itself.
fix(auth): avoid out-of-bounds read in auth_nvctr()
auth_nvctr() does not check that the buffer provided is long enough to
hold an ASN.1 INTEGER, or even that the buffer is non-empty. Since
auth_nvctr() will only ever read 6 bytes, it is possible to read up to
6 bytes past the end of the buffer.
This out-of-bounds read turns out to be harmless. The only caller of
auth_nvctr() always passes a pointer into an X.509 TBSCertificate, and
all in-tree chains of trust require that the certificate’s signature has
already been validated. This means that the signature algorithm
identifier is at least 4 bytes and the signature itself more than that.
Therefore, the data read will be from the certificate itself. Even if
the certificate signature has not been validated, an out-of-bounds read
is still not possible. Since there are at least two bytes (tag and
length) in both the signature algorithm ID and the signature itself, an
out-of-bounds read would require that the tag byte of the signature
algorithm ID would need to be either the tag or length byte of the
DER-encoded nonvolatile counter. However, this byte must be
(MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE) (0x30), which is
greater than 4 and not equal to MBEDTLS_ASN1_INTEGER (2). Therefore,
auth_nvctr() will error out before reading the integer itself,
preventing an out-of-bounds read.
Change-Id: Ibdf1af702fbeb98a94c0c96456ebddd3d392ad44 Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
Jay Buddhabhatti [Fri, 30 Dec 2022 06:15:19 +0000 (22:15 -0800)]
fix(versal-net): clear power down bit during wakeup
Power down bit and power down interrupt needs to be cleared once core
is wakeup to avoid unnecessary power down events. So disable power down
interrupt and clear power down bit during client wakeup.
Signed-off-by: Jay Buddhabhatti <jay.buddhabhatti@amd.com>
Change-Id: I3445991692c441831e4ea8dae112e23b19f185a9
Jay Buddhabhatti [Fri, 30 Dec 2022 05:47:54 +0000 (21:47 -0800)]
fix(versal-net): clear power down interrupt status before enable
Currently power down interrupt status is set by default before its
getting enabled. Because of that Linux is getting crashed since its
triggering interrupt before core goes to WFI state. So clear interrupt
status before enabling power down interrupt.
Signed-off-by: Jay Buddhabhatti <jay.buddhabhatti@amd.com>
Change-Id: Ia8d047b6078a49ab3dbe3e0bf24422357f0138c2
Fix below MISRA violation from versal_net_def.h:
- MISRA Violation: MISRA-C:2012 R.10.6:
- Macro parameter expands into an expression without being wrapped
by parentheses.
Signed-off-by: Jay Buddhabhatti <jay.buddhabhatti@amd.com>
Change-Id: Ie365d24c02bb38163005a3c073642d5c96412e2d
Fix below MISRA violation from versal_net_def.h:
- MISRA Violation: MISRA-C:2012 R.10.6
- The value of a composite expression shall not be assigned to an
object with wider essential type
Signed-off-by: Jay Buddhabhatti <jay.buddhabhatti@amd.com>
Change-Id: I74f8e5d63523f33d245a21f8e4f04d30e40b05e7
Bipin Ravi [Thu, 22 Dec 2022 19:31:46 +0000 (13:31 -0600)]
fix(cpus): workaround for Cortex-A710 erratum 2282622
Cortex-A710 erratum 2282622 is a Cat B erratum that applies to
all revisions <=r2p1 and is still open. The workaround was earlier
applied to all revisions <= r2p0, this patch extends it to r2p1.
This was thought to have been fixed in r2p1 which is not the case.
Rohit Mathew [Tue, 18 Oct 2022 21:57:06 +0000 (22:57 +0100)]
fix(mpam): remove unwanted param for "endfunc" macro
"endfunc" macro is used to mark the end of a function. It takes the
function label as an argument. For el2_sysregs_context_save_mpam
function, "endfunc" has been called with an assumed typo, "func", along
with the function label. Remove this unwanted param to fix the endfunc
call.
Yann Gautier [Fri, 18 Nov 2022 13:04:03 +0000 (14:04 +0100)]
fix(fconf): make struct fconf_populator static
In FCONF_REGISTER_POPULATOR macro, add static for the fconf_populator
struct. This avoids this kind of sparse warning:
plat/st/common/stm32mp_fconf_io.c:181:1: warning:
symbol 'stm32mp_io__populator' was not declared. Should it be static?
Yann Gautier [Wed, 4 Jan 2023 15:46:07 +0000 (16:46 +0100)]
refactor(st): move board info in common code
Create a function stm32_display_board_info() that will display ST
board information, from a parameter taken from OTP fuse. The code
is just moved from STM32MP1 part to common directory.
Yann Gautier [Tue, 6 Aug 2019 15:28:23 +0000 (17:28 +0200)]
refactor(st): move GIC code to common directory
The GIC v2 initialization code could be shared to other ST platforms.
The stm32mp1_gic.c file is then moved to common directory, and renamed
stm32mp_gic.c.
The functions are also prefixed with stm32mp_gic.
This backup register used to pass boot information to BL33, has the
same mapping for ST platforms. Its management can then be moved to
common directory.
Merge changes I794d2927,Ie33205fb,Ifdbe3b4c into integration
* changes:
refactor(auth): do not include SEQUENCE tag in saved extensions
fix(auth): reject junk after certificates
fix(auth): require bit strings to have no unused bits
Merge changes Ia748b6ae,Id8a48e14,Id25ab231,Ie26eed8a,Idf48f716, ... into integration
* changes:
refactor(auth): partially validate SubjectPublicKeyInfo early
fix(auth): reject padding after BIT STRING in signatures
fix(auth): reject invalid padding in digests
fix(auth): require at least one extension to be present
fix(auth): forbid junk after extensions
fix(auth): only accept v3 X.509 certificates
Since the two instances of the signature algorithm in a certificate must
be bitwise identical, it is not necessary to parse both of them.
Instead, it suffices to parse one of them, and then check that the other
fits in the remaining buffer space and is equal to the first.
Change-Id: Id0a0663165f147879ac83b6a540378fd4873b0dd Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
fix(auth): require at least one extension to be present
X.509 and RFC5280 allow omitting the extensions entirely, but require
that if the extensions field is present at all, it must contain at least
one certificate. TF-A already requires the extensions to be present,
but allows them to be empty. However, a certificate with an empty
extensions field will always fail later on, as the extensions contain
the information needed to validate the next stage in the boot chain.
Therefore, it is simpler to require the extension field to be present
and contain at least one extension. Also add a comment explaining why
the extensions field is required, even though it is OPTIONAL in the
ASN.1 syntax.
Change-Id: Ie26eed8a7924bf50937a6b27ccdf7cc9a390588d Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
v1 and v2 are forbidden as at least one extension is required. Instead
of actually parsing the version number, just compare it with a
hard-coded string.
Change-Id: Ib8fd34304a0049787db77ec8c2359d0930cd4ba1 Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
Bipin Ravi [Wed, 7 Dec 2022 23:01:26 +0000 (17:01 -0600)]
fix(cpus): workaround for Neoverse N2 erratum 2743089
Neoverse N2 erratum 2743089 is a Cat B erratum that applies to
all revisions <=r0p2 and is fixed in r0p3. The workaround is to
insert a dsb before the isb in the power down sequence.
Andre Przywara [Mon, 21 Nov 2022 17:07:25 +0000 (17:07 +0000)]
feat(fvp): emulate trapped RNDR
When a platform decides to use FEAT_RNG_TRAP, every RNDR or RNDRSS read
will trap into EL3. The platform can then emulate those instructions, by
either executing the real CPU instructions, potentially conditioning the
results, or use rate-limiting or filtering to protect the hardware
entropy pool. Another possiblitiy would be to use some platform specific
TRNG device to get entropy and returning this.
To demonstrate platform specific usage, add a demo implementation for the
FVP: It will execute the actual CPU instruction and just return the
result. This should serve as reference code to implement platform specific
policies.
We change the definition of read_rndr() and read_rndrrs() to use the
alternative sysreg encoding, so that all assemblers can handle that.
Add documentation about the new platform specific RNG handler function.
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
Change-Id: Ibce817b3b06ad20129d15531b81402e3cc3e9a9e
Andre Przywara [Mon, 21 Nov 2022 17:04:10 +0000 (17:04 +0000)]
feat(el3-runtime): introduce system register trap handler
At the moment we only handle SMC traps from lower ELs, but ignore any
other synchronous traps and just panic.
To cope with system register traps, which we might need to emulate,
introduce a C function to handle those traps, and wire that up in the
exception handler to be called.
We provide a dispatcher function (in C), that will call platform
specific implementation for certain (classes of) system registers.
For now this is empty.
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
Change-Id: If147bcb49472eb02791498700300926afbcf75ff
Bipin Ravi [Thu, 15 Dec 2022 20:48:21 +0000 (14:48 -0600)]
fix(cpus): workaround for Cortex-A78 erratum 2772019
Cortex-A78 erratum 2772019 is a Cat B erratum that applies to
all revisions <=r1p2 and is still open. The workaround is to
insert a dsb before the isb in the power down sequence.
Bipin Ravi [Thu, 15 Dec 2022 17:57:53 +0000 (11:57 -0600)]
fix(cpus): workaround for Neoverse V1 erratum 2743093
Neoverse V1 erratum 2743093 is a Cat B erratum that applies to
all revisions <=r1p2 and is still open. The workaround is to
insert a dsb before the isb in the power down sequence.
Mate Toth-Pal [Fri, 21 Oct 2022 12:24:49 +0000 (14:24 +0200)]
feat(tc): add delegated attest and measurement tests
This patch adds Delegated Attestation and Measured Boot tests to the
plat/arm/board/tc platform.
The test suite can be activated by adding the build time option
`PLATFORM_TEST=1` to the make command. In this case the boot sequence is
not finished, plat_error_handler is called after the tests are run
(regardless of the test result.)
The actual test code is coming from the Trusted-Firmware-M project. Some
of the files of the tf-m-tests and tf-m-extras repo are linked to the
BL31 image.
Akshay Belsare [Thu, 15 Dec 2022 10:26:23 +0000 (15:56 +0530)]
fix(xilinx): resolve integer handling issue
OEN Number 48 to 63 is for Trusted App and OS.
GET_SMC_OEN limits the return value of OEN number to 63 by bitwise AND
operation with 0x3F. Thus the upper limit check for OEN value returned
by GET_SMC_OEN is not required.
Removing the upper limit check for the OEN value returned by GET_SMC_OEN
resolves integer handling issue CONSTANT_EXPRESSION_RESULT
Olivier Deprez [Thu, 15 Dec 2022 13:25:16 +0000 (14:25 +0100)]
Merge changes from topic "qemu_sel2" into integration
* changes:
docs(build): describes the SPMC_OPTEE build option
feat(qemu): support el3 spmc
feat(el3-spmc): make platform logical partition optional
feat(qemu): support s-el2 spmc
feat(qemu): update abi between spmd and spmc
fix(sptool): add dependency to SP image
fix(intel): missing NCORE CCU snoop filter fix in BL2
Clear Ncore CCU snoop filter. There is hardware bug in NCORE CCU IP
and it is causing an issue in the coherent directory tracking of
outstanding cache lines.
Manish Pandey [Thu, 17 Nov 2022 15:47:05 +0000 (15:47 +0000)]
fix(el3_runtime): allow SErrors when executing in EL3
SCR_EL3.EA is set to 1 in BL31 initialization and is cleared before
entering to lower ELs(except for RAS FFH case "HANDLE_EA_EL3_FIRST_NS").
The cleared value persist even during run time when execution comes
back to EL3.
When SCR_EL3.EA is 0 and execution state is EL3, Async EAs(delivered
as SErrors) are implicitly masked and hence any Async EA by EL3 will
remain pending and will trap at the exception level EA is targeted
to and unmasked when entering lower EL.
This causes unexpected EA at lower EL. This is a very rare
to get SError in EL3 until unless there is any programming error.
This patch sets SCR_EL3.EA to 1 when entering EL3 from lower EL.
Manish Pandey [Wed, 7 Dec 2022 13:04:20 +0000 (13:04 +0000)]
fix(el3_runtime): do not save scr_el3 during EL3 entry
scr_el3 registers cannot be modified in lower ELs which means it retains
the same value which is stored in the EL3 cpu context structure for the
given world. So, we should not save the register when entering to EL3
from lower EL as we have the copy of it present in cpu context.
During EL3 execution SCR_EL3 value can be modifed for following cases
1. Changes which is required for EL3 execution, this change is temp
and do not need to be saved.
2. Changes which affects lower EL execution, these changes need to be
written to cpu context as well and will be retrieved when scr_el3
is restored as part of exiting EL3
Merge changes Ie6a13e4a,I517074b8,Ifd29b748,I1279d9cb,I3b78e0c5, ... into integration
* changes:
feat(imx8mq): add BL31 PIE support
refactor(imx8mq): introduce BL31_SIZE
refactor(imx8mq): make use of setup_page_tables()
feat(imx8mq): always set up console
feat(imx8mq): remove empty bl31_plat_runtime_setup
feat(imx8mq): make IMX_BOOT_UART_BASE configurable via build parameter
Lucas Stach [Thu, 8 Dec 2022 15:44:00 +0000 (16:44 +0100)]
feat(imx8mq): add BL31 PIE support
Enable PIE support so the BL31 firmware can be loaded from anywhere
within the OCRAM (SRAM). For the PIE support we only need to replace
the BL31_BASE define by the BL31_START symbol which is a relocatable
and we need to enable it by setting ENABLE_PIE := 1.
Signed-off-by: Lucas Stach <l.stach@pengutronix.de>
Change-Id: Ie6a13e4ae0fdc6627a94798d7a86df7d5b310896
Lucas Stach [Thu, 8 Dec 2022 15:37:44 +0000 (16:37 +0100)]
refactor(imx8mq): introduce BL31_SIZE
No functional change.
Introduce BL31_SIZE define and calculate the limits based on the
BL31_BASE and the BL31_SIZE define. Also make use of SZ_64K to make
it easier to read. This is required for later BL31 PIE support since
it drops the calculation based on the BL31_LIMIT and BL31_BASE.
Signed-off-by: Lucas Stach <l.stach@pengutronix.de>
Change-Id: I517074b866b5bf11841b51777f87c926b304488d
projects / arm-tf.git / log