Sandrine Bailleux authored Feb 08, 2023 and joannafarley-arm committed Mar 06, 2023

As a coding guideline, we now discourage introducing new weak
functions in platform-agnostic code going forward and provide the
rationale for this.

This was already enforced most of the time in code reviews but this
patch makes it explicit in the project's documentation.

Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
Change-Id: I88f4a55788899fb4146c4d26afb3a7418376b30c

Akshay Belsare authored Feb 27, 2023 and joannafarley-arm committed Mar 06, 2023

When the TF-A is placed in DDR memory range, the DDR memory range is
getting explicitly reserved in the default device tree by TF-A.
This creates an error condition in the use case where Device tree is
not present or it is present at a different location.

To fix this, a new build time parameter, XILINX_OF_BOARD_DTB_ADDR, is
introduced. The TF-A will reserve the DDR memory only when a valid
DTB address is provided to XILINX_OF_BOARD_DTB_ADDR during build.

Now the user has options, either manually reserve the desired
DDR address range for TF-A in device tree or let TF-A access and modify
the device tree, to reserve the DDR address range, in runtime using
the build parameter.

Change-Id: I846fa373ba9f7c984eda3a55ccaaa622082cad81
Signed-off-by: Akshay Belsare <akshay.belsare@amd.com>

Previously, extensions were parsed twice: once with error checking for
validation, and a second time without error checking to extract the
extension data.  This is error prone and caused TFV-10 (CVE-2022-47630).

A simpler approach is to have get_ext() be responsible for all extension
parsing, and to treat a NULL OID as an indicator that get_ext() is only
being called for validation.  cert_parse() checks that get_ext() returns
IMG_PARSER_OK and fails otherwise.

Change-Id: I65a2ff053a188351ba54799827a2b7bd833bb037
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>

Jayanth Dodderi Chidanand authored Mar 01, 2023 and Jayanth Dodderi Chidanand committed Mar 01, 2023

Currently most of the architectural feature build flags are set
to 2(FEATURE_STATE_CHECK) for fvp platform only.

However other platforms still configure them by default to 0, which
would lead to build failures in cases when compiler configured
to build TF-A  with zero optimization (CFLAGS='-O0').

This patch addresses such build issues and thereby resolves the failures
seen under CI-l3 test_configurations.

Change-Id: I45b82b821951bba6b9df08177f7d286e624a4239
Signed-off-by: Jayanth Dodderi Chidanand <jayanthdodderi.chidanand@arm.com>

commit (a8eadc51 refactor(mbedtls): avoid including
MBEDTLS_CONFIG_FILE) avoids using config file directly and relies on
config file usage from mbedtls version.h

But we could build trusted boot without mbedtls dir so guard version.h
include in cot_def.h with availability of config file.

Also we refactored in same commit to break dependencies between
auth_mod.h and cot_def.h, So add cot_def.h include in nxp tbbr
cot file.

Change-Id: I4779e90c18f04c73d2121c88df6420b4b1109c8b
Signed-off-by: Govindraj Raja <govindraj.raja@arm.com>

* changes:
  refactor(trf): enable FEAT_TRF for FEAT_STATE_CHECKED
  refactor(brbe): enable FEAT_BRBE for FEAT_STATE_CHECKED
  refactor(trbe): enable FEAT_TRBE for FEAT_STATE_CHECKED
  fix(cpufeat): context-switch: move FGT availability check to callers
  feat(cpufeat): extend check_feature() to deal with min/max
  refactor(cpufeat): wrap CPU ID register field isolation

* changes:
  refactor(auth): clean up certificate length checks
  refactor(auth): remove code duplication

The previous code was correct but unnecessarily verbose.

Change-Id: Ia19c667811a7c3b6957a0274d36076b0b16e36b7
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>

The unique IDs are handled identically, so just use a for loop to get
both of them.

Change-Id: I44baaa4747ca7f314d364a79dfcbce97315f5a92
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>

At the moment we only support FEAT_TRF to be either unconditionally
compiled in, or to be not supported at all.

Add support for runtime detection (ENABLE_TRF_FOR_NS=2), by splitting
is_feat_trf_present() into an ID register reading function and a second
function to report the support status. That function considers both
build time settings and runtime information (if needed), and is used
before we access TRF related registers.
Also move the context saving code from assembly to C, and use the new
is_feat_trf_supported() function to guard its execution.

The FVP platform decided to compile in support unconditionally (=1),
even though FEAT_TRF is an ARMv8.4 feature, so is not available with the
FVP model's default command line.
Change that to the now supported dynamic option (=2), so the right
decision can be made by the code at runtime.

Change-Id: Ia97b01adbe24970a4d837afd463dc5506b7295a3
Signed-off-by: Andre Przywara <andre.przywara@arm.com>

At the moment we only support FEAT_BRBE to be either unconditionally
compiled in, or to be not supported at all.

Add support for runtime detection (ENABLE_BRBE_FOR_NS=2), by splitting
is_feat_brbe_present() into an ID register reading function and a second
function to report the support status. That function considers both
build time settings and runtime information (if needed), and is used
before we access BRBE related registers.

The FVP platform decided to compile in support unconditionally (=1),
even though FEAT_BRBE is an ARMv9 feature, so is not available with the
FVP model's default command line.
Change that to the now supported dynamic option (=2), so the right
decision can be made by the code at runtime.

Change-Id: I5f2e2c9648300f65f0fa9a5f8e2f34e73529d053
Signed-off-by: Andre Przywara <andre.przywara@arm.com>

At the moment we only support FEAT_TRBE to be either unconditionally
compiled in, or to be not supported at all.

Add support for runtime detection (ENABLE_TRBE_FOR_NS=2), by splitting
is_feat_trbe_present() into an ID register reading function and a second
function to report the support status. That function considers both
build time settings and runtime information (if needed), and is used
before we access TRBE related registers.

The FVP platform decided to compile in support unconditionally (=1),
even though FEAT_TRBE is an ARMv9 feature, so is not available with the
FVP model's default command line.
Change that to the now supported dynamic option (=2), so the right
decision can be made by the code at runtime.

Change-Id: Iee7f88ea930119049543a8a4a105389997e7692c
Signed-off-by: Andre Przywara <andre.przywara@arm.com>

To be inline with other features, and to allow the availability to be
checked for different contexts, move the FGT availability check out of
the save/restore functions. This is instead now checked at the caller.

Change-Id: I96e0638714f9d1b6fdadc1cb989cbd33bd48b1f6
Signed-off-by: Andre Przywara <andre.przywara@arm.com>

So far the check_feature() function compares the subfield of a CPU ID
register against 0, to learn if a feature is enabled or not.
This is problematic for checks that require a certain revision of a
feature, so we should check against a minimum version number instead.
On top of that we might need to add code to support newer versions of a
feature, so we should be alerted if new hardware introduces a higher
number.

Extend the check_feature() function to take two extra arguments: the
minimum version, and the greatest currently known number.
Then make sure that the CPU ID field is in this range.

Change-Id: I425b68535a2ba9eafd31854e74d142183b521cd5
Signed-off-by: Andre Przywara <andre.przywara@arm.com>

Some MISRA test complains about our code to isolate CPU ID register
fields: the ID registers (and associated masks) are 64 bits wide, but
the eventual field is always 4 bits wide only, so we use an unsigned
int to represent that. MISRA dislikes the differing width here.

Since the code to extract a feature field from a CPU ID register is very
schematic already, provide a wrapper macro to make this more readable,
and do the proper casting in one central place on the way.

While at it, use the same macro for the AArch32 feature detection side.

Change-Id: Ie102a9e7007a386f5879ec65e159ff041504a4ee
Signed-off-by: Andre Przywara <andre.przywara@arm.com>

* changes:
  fix(ufs): set the PRDT length field properly
  fix(ufs): flush the entire PRDT
  fix(ufs): only allow using one slot

* changes:
  feat(stm32mp1): add mbedtls-3.3 support config
  refactor(fvp): minor cleanup with TRUSTED_BOARD_BOOT
  style(crypto): add braces for if statement
  feat(fvp): increase BL1_RW and BL2 size
  feat(mbedtls): add support for mbedtls-3.3
  refactor(crypto): avoid using struct mbedtls_pk_rsassa_pss_options
  refactor(mbedtls): avoid including MBEDTLS_CONFIG_FILE

This wasn't listed on the web interface configuration. Perhaps it came
preloaded. Anyway, it's needed for diagrams. Add it back.

Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>
Change-Id: I20c1eb0e8d5abaa3533169dd9704cbd3b0eb06a5

Add stm32mp1_mbedtls_config-3.h config file for stm32mp1 builds with
mbedtls-3.3

Change-Id: I4581cb0ea7b2c7022e71aefd7ff05ee3a72f5883
Signed-off-by: Govindraj Raja <govindraj.raja@arm.com>

EM support was out of SMC SIP range that's why has been moved to SIP
range 0x3000 by commit acbae399 ("fix(zynqmp): move EM SMC range
to SIP range").
But after another investigation was found that this interface has no
user in any our SW and likely never adopted by anybody else. That's
why simply remove it. If there is any user it can be added back but
as TF-A size is challenging removing unused code is very welcome.
Origin code was added by commit 504925f9 ("xilinx: zynqmp: Add
support for Error Management").

Change-Id: I2d9222d7dde507400893e06f7f12e1713ce6bc9a
Signed-off-by: Michal Simek <michal.simek@amd.com>

The PRDT length field contains the count of the entries in the PRDT. See
JEDEC Standard No. 223E, section 6.1.1, "UTP Transfer Request
Descriptor," page 66. Previously we were setting the PRDT length field
to the number of bytes in the PRDT divided by four (the size in units of
32 bits). This was incorrect according to the spec.

Signed-off-by: Jorge Troncoso <jatron@google.com>
Change-Id: I960771e6ce57002872392993042fae9ec505447e

Previously, if the image being read exceeded 12,800 KB (or 50 PRDT
entries of size 256 KB), the UFS driver would not flush the entire
Physical Region Descriptor Table (PRDT). This would cause the UFS host
controller to read empty PRDT entries, which eventually would make the
system crash. This change updates the UFS driver to flush the entire
PRDT, irrespective of the size of the image being read.

This change also throws an error if the memory allocated for UFS
descriptors is not sufficient to hold the entire Physical Region
Descriptor Table (PRDT).

Signed-off-by: Jorge Troncoso <jatron@google.com>
Change-Id: I291dc62748992481be3cc156ce1474a6e3990ea9

Currently the UFS driver places the Command UPIU, Response UPIU, and
PRDT immediately after the UTP Transfer Request Descriptor. This space
would normally be reserved for other slots in the UTP Transfer Request
List, but because we always use slot zero, the other slots in the UTP
Transfer Request List are never used and this is okay.

Because the Command UPIU, Response UPIU, and PRDT are placed inside the
UTP Transfer Request List, the UFS driver would break if two or more
slots were used at the same time. Therefore, in a sense the
get_empty_slot() function is misleading. It gives developers the
illusion that they can use two or more slots simultaneously but in
reality they cannot.

This change deletes the get_empty_slot() function and replaces it with
is_slot_available() so that only one slot can be used.

Signed-off-by: Jorge Troncoso <jatron@google.com>
Change-Id: I57f316640a1cdd56493505ede61f3012ceb2f305

Update FVP platform attestation token to comply with RMM Beta0
specification. The changes are:
- change platform implementation id claim value from 64 to 32 bits
- change Realm Challenge
- update Hash Algorithm Identifier claim value
- add protected header
- change signing algotithm to ECDSA ES384

Change-Id: I1c5907d1a4961ce08a1408d25128de125b3f2e7f
Signed-off-by: Mate Toth-Pal <mate.toth-pal@arm.com>

Add early setup hooks (via custom_early_setup()) and provide a way
to cover custom memory mapping which includes extending memory map
via custom_mmap_add().

This likely also require to align MAX_XLAT_TABLE, MAX_XLAT_TABLES
macros. It can be done for example by defining these macros in
custom_pkg.mk
MAX_MMAP_REGIONS	:= XY
$(eval $(call add_define,MAX_MMAP_REGIONS))
MAX_XLAT_TABLES		:= XZ
$(eval $(call add_define,MAX_XLAT_TABLES))

custom_early_setup() can be used for early low level operations
related to setting up the system to correct state.

Signed-off-by: Amit Nagal <amit.nagal@amd.com>
Change-Id: I61df6f9ba5af0bc97c430974fb10a2edde44f23d

* changes:
  refactor(bl31): use elx_panic for sysreg_handler64
  refactor(aarch64): rename do_panic and el3_panic
  refactor(aarch64): remove weak links to el3_panic
  refactor(aarch64): refactor usage of elx_panic
  refactor(aarch64): cleanup HANDLE_EA_EL3_FIRST_NS usage

When we reach sysreg_handler64 from any trap handling we are entering
this path from lower EL and thus we should be calling lower_el_panic
reporting mechanism to print panic report.

Make report_elx_panic available through assembly func elx_panic which
could be used for reporting any lower_el_panic.

Change-Id: Ieb260cf20ea327a59db84198b2c6a6bfc9ca9537
Signed-off-by: Govindraj Raja <govindraj.raja@arm.com>