Broadcom-s Trusted Firmware A https://git-03.infra.openwrt.org/project/bcm63xx/atf/atom?h=master 2019-09-13T13:11:59Z 2019-09-13T13:11:59Z Alexei Fedorov 2019-09-13T13:11:59Z urn:sha1:ed108b56051de5da8024568a06781ce287e86c78 This patch provides the following features and makes modifications listed below: - Individual APIAKey key generation for each CPU. - New key generation on every BL31 warm boot and TSP CPU On event. - Per-CPU storage of APIAKey added in percpu_data[] of cpu_data structure. - `plat_init_apiakey()` function replaced with `plat_init_apkey()` which returns 128-bit value and uses Generic timer physical counter value to increase the randomness of the generated key. The new function can be used for generation of all ARMv8.3-PAuth keys - ARMv8.3-PAuth specific code placed in `lib\extensions\pauth`. - New `pauth_init_enable_el1()` and `pauth_init_enable_el3()` functions generate, program and enable APIAKey_EL1 for EL1 and EL3 respectively; pauth_disable_el1()` and `pauth_disable_el3()` functions disable PAuth for EL1 and EL3 respectively; `pauth_load_bl31_apiakey()` loads saved per-CPU APIAKey_EL1 from cpu-data structure. - Combined `save_gp_pauth_registers()` function replaces calls to `save_gp_registers()` and `pauth_context_save()`; `restore_gp_pauth_registers()` replaces `pauth_context_restore()` and `restore_gp_registers()` calls. - `restore_gp_registers_eret()` function removed with corresponding code placed in `el3_exit()`. - Fixed the issue when `pauth_t pauth_ctx` structure allocated space for 12 uint64_t PAuth registers instead of 10 by removal of macro CTX_PACGAKEY_END from `include/lib/el3_runtime/aarch64/context.h` and assigning its value to CTX_PAUTH_REGS_END. - Use of MODE_SP_ELX and MODE_SP_EL0 macro definitions in `msr spsel` instruction instead of hard-coded values. - Changes in documentation related to ARMv8.3-PAuth and ARMv8.5-BTI. Change-Id: Id18b81cc46f52a783a7e6a09b9f149b6ce803211 Signed-off-by: Alexei Fedorov <Alexei.Fedorov@arm.com> 2019-03-14T12:57:27Z Sandrine Bailleux 2019-03-13T17:02:09Z urn:sha1:47102b35d644a8c5a1343f9ec05c29b5d1e0e1b0 The dummy implementation of the plat_init_apiakey() platform API uses an internal 128-bit buffer to store the initial key value used for Pointer Authentication support. The intent - as stated in the file comments - was for this buffer to be write-protected by the MMU. Initialization of the buffer would be performed before enabling the MMU, thus bypassing write protection checks. However, the key buffer ended up into its own read-write section by mistake due to a typo on the section name ('rodata.apiakey' instead of '.rodata.apiakey', note the leading dot). As a result, the linker script was not pulling it into the .rodata output section. One way to address this issue could have been to fix the section name. However, this approach does not work well for BL1. Being the first image in the boot flow, it typically is sitting in real ROM so we don't have the capacity to update the key buffer at any time. The dummy implementation of plat_init_apiakey() provided at the moment is just there to demonstrate the Pointer Authentication feature in action. Proper key management and key generation would have to be a lot more careful on a production system. Therefore, the approach chosen here to leave the key buffer in writable memory but move it to the BSS section. This does mean that the key buffer could be maliciously updated for intalling unintended keys on the warm boot path but at the feature is only at an experimental stage right now, this is deemed acceptable. Change-Id: I121ccf35fe7bc86c73275a4586b32d4bc14698d6 Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com> 2019-02-27T11:58:09Z Antonio Nino Diaz 2019-01-31T11:01:10Z urn:sha1:ff6844c3de9b34a09f358a3204264059834e2b1d This feature is only supported on FVP. Change-Id: I4e265610211d92a84bd2773c34acfbe02a1a1826 Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com> 2019-02-01T09:48:34Z Sandrine Bailleux 2019-01-31T14:06:21Z urn:sha1:d57d2b315856fde5c9a2984ef46040c1ed7a28f6 The BL33 image must not go past the end of DRAM. Change-Id: I56668ab760d82332d69a8904d125d9a055aa91d5 Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com> 2019-02-01T09:48:34Z Sandrine Bailleux 2019-01-31T14:01:32Z urn:sha1:ece6fd2dac7da28a3e5d0911ec0957af6b21a70f PLAT_ARM_NS_IMAGE_OFFSET is in fact not an offset relative to some base address, it is an absolute address. Rename it to avoid any confusion. Change-Id: I1f7f5e8553cb267786afe7e5f3cd4d665b610d3f Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com> 2019-01-04T10:43:17Z Antonio Nino Diaz 2018-12-14T00:18:21Z urn:sha1:09d40e0e08283a249e7dce0e106c07c5141f9b7e Enforce full include path for includes. Deprecate old paths. The following folders inside include/lib have been left unchanged: - include/lib/cpus/${ARCH} - include/lib/el3_runtime/${ARCH} The reason for this change is that having a global namespace for includes isn't a good idea. It defeats one of the advantages of having folders and it introduces problems that are sometimes subtle (because you may not know the header you are actually including if there are two of them). For example, this patch had to be created because two headers were called the same way: e0ea0928d5b7 ("Fix gpio includes of mt8173 platform to avoid collision."). More recently, this patch has had similar problems: 46f9b2c3a282 ("drivers: add tzc380 support"). This problem was introduced in commit 4ecca33988b9 ("Move include and source files to logical locations"). At that time, there weren't too many headers so it wasn't a real issue. However, time has shown that this creates problems. Platforms that want to preserve the way they include headers may add the removed paths to PLAT_INCLUDES, but this is discouraged. Change-Id: I39dc53ed98f9e297a5966e723d1936d6ccf2fc8f Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com> 2018-11-14T05:48:22Z Sughosh Ganu 2018-11-14T05:12:46Z urn:sha1:5681b292c01ba8612256e4dfefb43e736de2a1c3 Register a priority level, PLAT_SP_PRI, for secure partition with EL3 exception handling framework(ehf) module. The secure partition manager(SPM) would raise the core's priority to PLAT_SP_PRI before entering the secure partition, to protect the core from getting interrupted while in secure partition. Change-Id: I686897f052a4371e0efa9b929c07d3ad77249e95 Signed-off-by: Sughosh Ganu <sughosh.ganu@arm.com> 2018-10-25T08:56:09Z Antonio Nino Diaz 2018-10-16T13:10:15Z urn:sha1:c02c69f8ef9020f82f4f09f5108a40b058fbaa06 In Arm platforms the crash console doesn't print anything if the crash happens early enough. This happens in all images, not only BL1. The reason is that they the files ``plat/common/aarch64/platform_helpers.S`` and ``plat/arm/common/aarch64/arm_helpers.S``, and the crash console functions are defined as weak in both files. In practice, the linker can pick the one in ``plat/common``, which simply switches the multi console to crash mode when it wants to initialize the crash console. In the case of Arm platforms, there are no console drivers registered at that point, so nothing is printed. This patch makes the functions in plat/arm strong so that they override the weak functions in plat/common. Change-Id: Id358db7d2567d7df0951790a695636cf6c9ac57f Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com> 2018-06-21T15:15:23Z Jeenu Viswambharan 2018-06-08T07:44:36Z urn:sha1:a7055c5828fecaba80054348cc469b7e5d025937 The file arm_ras.c intended to provide common platform-specific RAS configuration for Arm platforms. Because this file has symbol definitions, it's proving difficult to provide a common definition. This patch therefore renames and makes the file specific to FVP. Other platforms shall provide their own configuration in similar fashion. Change-Id: I766fd238946e3e49cdb659680e1b45f41b237901 Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com> 2018-06-19T08:29:36Z Antonio Nino Diaz 2018-06-19T08:29:36Z urn:sha1:88a0523e914cb28fded2ce398a184e0c0e8843c8 The old API is deprecated and will eventually be removed. Arm platforms now use the multi console driver for boot and runtime consoles. However, the crash console uses the direct console API because it doesn't need any memory access to work. This makes it more robust during crashes. The AArch32 port of the Trusted Firmware doesn't support this new API yet, so it is only enabled in AArch64 builds. Because of this, the common code must maintain compatibility with both systems. SP_MIN doesn't have to be updated because it's only used in AArch32 builds. The TSP is only used in AArch64, so it only needs to support the new API without keeping support for the old one. Special care must be taken because of PSCI_SYSTEM_SUSPEND. In Juno, this causes the UARTs to reset (except for the one used by the TSP). This means that they must be unregistered when suspending and re-registered when resuming. This wasn't a problem with the old driver because it just restarted the UART, and there were no problems associated with registering and unregistering consoles. The size reserved for BL2 has been increased. Change-Id: Icefd117dd1eb9c498921181a21318c2d2435c441 Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>