AArch32: Add generic changes in BL2

This patch adds generic changes in BL2 to support AArch32 state.
New AArch32 specific assembly/C files are introduced and
some files are moved to AArch32/64 speci

AArch32: Add generic changes in BL2

This patch adds generic changes in BL2 to support AArch32 state.
New AArch32 specific assembly/C files are introduced and
some files are moved to AArch32/64 specific folders.
BL2 for AArch64 is refactored but functionally identical.

BL2 executes in Secure SVC mode in AArch32 state.

Change-Id: Ifaacbc2a91f8640876385b953adb24744d9dbde3

show more ...

Changes for new version of image loading in BL1/BL2

This patch adds changes in BL1 & BL2 to use new version
of image loading to load the BL images.

Following are the changes in BL1:
-Use new vers

Changes for new version of image loading in BL1/BL2

This patch adds changes in BL1 & BL2 to use new version
of image loading to load the BL images.

Following are the changes in BL1:
-Use new version of load_auth_image() to load BL2
-Modified `bl1_init_bl2_mem_layout()` to remove using
`reserve_mem()` and to calculate `bl2_mem_layout`.
`bl2_mem_layout` calculation now assumes that BL1 RW
data is at the top of the bl1_mem_layout, which is more
restrictive than the previous BL1 behaviour.

Following are the changes in BL2:
-The `bl2_main.c` is refactored and all the functions
for loading BLxx images are now moved to `bl2_image_load.c`
`bl2_main.c` now calls a top level `bl2_load_images()` to
load all the images that are applicable in BL2.
-Added new file `bl2_image_load_v2.c` that uses new version
of image loading to load the BL images in BL2.

All the above changes are conditionally compiled using the
`LOAD_IMAGE_V2` flag.

Change-Id: Ic6dcde5a484495bdc05526d9121c59fa50c1bf23

show more ...

Merge pull request #587 from antonio-nino-diaz-arm/an/rename-bl33-base

Rename BL33_BASE and make it work with RESET_TO_BL31

Rename BL33_BASE option to PRELOADED_BL33_BASE

To avoid confusion the build option BL33_BASE has been renamed to
PRELOADED_BL33_BASE, which is more descriptive of what it does and
doesn't get mistak

Rename BL33_BASE option to PRELOADED_BL33_BASE

To avoid confusion the build option BL33_BASE has been renamed to
PRELOADED_BL33_BASE, which is more descriptive of what it does and
doesn't get mistaken by similar names like BL32_BASE that work in a
completely different way.

NOTE: PLATFORMS USING BUILD OPTION `BL33_BASE` MUST CHANGE TO THE NEW
BUILD OPTION `PRELOADED_BL33_BASE`.

Change-Id: I658925ebe95406edf0325f15aa1752e1782aa45b

show more ...

Merge pull request #561 from antonio-nino-diaz-arm/an/bootwrapper

Enable preloaded BL33 alternative boot flow

Enable preloaded BL33 alternative boot flow

Enable alternative boot flow where BL2 does not load BL33 from
non-volatile storage, and BL31 hands execution over to a preloaded
BL33.

The flag used to

Enable preloaded BL33 alternative boot flow

Enable alternative boot flow where BL2 does not load BL33 from
non-volatile storage, and BL31 hands execution over to a preloaded
BL33.

The flag used to enable this bootflow is BL33_BASE, which must hold
the entrypoint address of the BL33 image. The User Guide has been
updated with an example of how to use this option with a bootwrapped
kernel.

Change-Id: I48087421a7b0636ac40dca7d457d745129da474f

show more ...

Merge pull request #467 from jcastillo-arm/jc/tbb_oid

Apply new image terminology

Remove dashes from image names: 'BL3-x' --> 'BL3x'

This patch removes the dash character from the image name, to
follow the image terminology in the Trusted Firmware Wiki page:

https://github.c

Remove dashes from image names: 'BL3-x' --> 'BL3x'

This patch removes the dash character from the image name, to
follow the image terminology in the Trusted Firmware Wiki page:

https://github.com/ARM-software/arm-trusted-firmware/wiki

Changes apply to output messages, comments and documentation.

non-ARM platform files have been left unmodified.

Change-Id: Ic2a99be4ed929d52afbeb27ac765ceffce46ed76

show more ...

Replace all SCP FW (BL0, BL3-0) references

This patch replaces all references to the SCP Firmware (BL0, BL30,
BL3-0, bl30) with the image terminology detailed in the TF wiki
(https://github.com/ARM-

Replace all SCP FW (BL0, BL3-0) references

This patch replaces all references to the SCP Firmware (BL0, BL30,
BL3-0, bl30) with the image terminology detailed in the TF wiki
(https://github.com/ARM-software/arm-trusted-firmware/wiki):

BL0 --> SCP_BL1
BL30, BL3-0 --> SCP_BL2
bl30 --> scp_bl2

This change affects code, documentation, build system, tools and
platform ports that load SCP firmware. ARM plaforms have been
updated to the new porting API.

IMPORTANT: build option to specify the SCP FW image has changed:

BL30 --> SCP_BL2

IMPORTANT: This patch breaks compatibility for platforms that use BL2
to load SCP firmware. Affected platforms must be updated as follows:

BL30_IMAGE_ID --> SCP_BL2_IMAGE_ID
BL30_BASE --> SCP_BL2_BASE
bl2_plat_get_bl30_meminfo() --> bl2_plat_get_scp_bl2_meminfo()
bl2_plat_handle_bl30() --> bl2_plat_handle_scp_bl2()

Change-Id: I24c4c1a4f0e4b9f17c9e4929da815c4069549e58

show more ...

Merge pull request #453 from yatharth-arm/yk/fwu-6

Firmware Update patch stack

FWU: Add Generic Firmware Update framework support in BL1

Firmware update(a.k.a FWU) feature is part of the TBB architecture.
BL1 is responsible for carrying out the FWU process if platform
specific

FWU: Add Generic Firmware Update framework support in BL1

Firmware update(a.k.a FWU) feature is part of the TBB architecture.
BL1 is responsible for carrying out the FWU process if platform
specific code detects that it is needed.

This patch adds support for FWU feature support in BL1 which is
included by enabling `TRUSTED_BOARD_BOOT` compile time flag.

This patch adds bl1_fwu.c which contains all the core operations
of FWU, which are; SMC handler, image copy, authentication, execution
and resumption. It also adds bl1.h introducing #defines for all
BL1 SMCs.

Following platform porting functions are introduced:

int bl1_plat_mem_check(uintptr_t mem_base, unsigned int mem_size,
unsigned int flags);
This function can be used to add platform specific memory checks
for the provided base/size for the given security state.
The weak definition will invoke `assert()` and return -ENOMEM.

__dead2 void bl1_plat_fwu_done(void *cookie, void *reserved);
This function can be used to initiate platform specific procedure
to mark completion of the FWU process.
The weak definition waits forever calling `wfi()`.

plat_bl1_common.c contains weak definitions for above functions.

FWU process starts when platform detects it and return the image_id
other than BL2_IMAGE_ID by using `bl1_plat_get_next_image_id()` in
`bl1_main()`.

NOTE: User MUST provide platform specific real definition for
bl1_plat_mem_check() in order to use it for Firmware update.

Change-Id: Ice189a0885d9722d9e1dd03f76cac1aceb0e25ed

show more ...

Merge pull request #443 from achingupta/sb/el3_payloads-cb_single_cpu

Add support to boot EL3 payloads and only a single CPU at cold reset

CSS: Enable booting of EL3 payloads

This patch adds support for booting EL3 payloads on CSS platforms,
for example Juno. In this scenario, the Trusted Firmware follows
its normal boot flow up to the

CSS: Enable booting of EL3 payloads

This patch adds support for booting EL3 payloads on CSS platforms,
for example Juno. In this scenario, the Trusted Firmware follows
its normal boot flow up to the point where it would normally pass
control to the BL31 image. At this point, it jumps to the EL3
payload entry point address instead.

Before handing over to the EL3 payload, the data SCP writes for AP
at the beginning of the Trusted SRAM is restored, i.e. we zero the
first 128 bytes and restore the SCP Boot configuration. The latter
is saved before transferring the BL30 image to SCP and is restored
just after the transfer (in BL2). The goal is to make it appear that
the EL3 payload is the first piece of software to run on the target.

The BL31 entrypoint info structure is updated to make the primary
CPU jump to the EL3 payload instead of the BL31 image.

The mailbox is populated with the EL3 payload entrypoint address,
which releases the secondary CPUs out of their holding pen (if the
SCP has powered them on). The arm_program_trusted_mailbox() function
has been exported for this purpose.

The TZC-400 configuration in BL2 is simplified: it grants secure
access only to the whole DRAM. Other security initialization is
unchanged.

This alternative boot flow is disabled by default. A new build option
EL3_PAYLOAD_BASE has been introduced to enable it and provide the EL3
payload's entry point address. The build system has been modified
such that BL31 and BL33 are not compiled and/or not put in the FIP in
this case, as those images are not used in this boot flow.

Change-Id: Id2e26fa57988bbc32323a0effd022ab42f5b5077

show more ...

Merge pull request #415 from jcastillo-arm/jc/plat_err_handler

Add optional platform error handler API

Add optional platform error handler API

This patch adds an optional API to the platform port:

void plat_error_handler(int err) __dead2;

The platform error handler is called when there is a spe

Add optional platform error handler API

This patch adds an optional API to the platform port:

void plat_error_handler(int err) __dead2;

The platform error handler is called when there is a specific error
condition after which Trusted Firmware cannot continue. While panic()
simply prints the crash report (if enabled) and spins, the platform
error handler can be used to hand control over to the platform port
so it can perform specific bookeeping or post-error actions (for
example, reset the system). This function must not return.

The parameter indicates the type of error using standard codes from
errno.h. Possible errors reported by the generic code are:

-EAUTH : a certificate or image could not be authenticated
(when Trusted Board Boot is enabled)
-ENOENT : the requested image or certificate could not be found
or an IO error was detected
-ENOMEM : resources exhausted. Trusted Firmware does not use
dynamic memory, so this error is usually an indication
of an incorrect array size

A default weak implementation of this function has been provided.
It simply implements an infinite loop.

Change-Id: Iffaf9eee82d037da6caa43b3aed51df555e597a3

show more ...

Merge pull request #414 from jcastillo-arm/jc/io_ret_values

Use standard error code definitions

Use standard errno definitions in load_auth_image()

This patch replaces custom definitions used as return values for
the load_auth_image() function with standard error codes defined
in errno.h. The

Use standard errno definitions in load_auth_image()

This patch replaces custom definitions used as return values for
the load_auth_image() function with standard error codes defined
in errno.h. The custom definitions have been removed.

It also replaces the usage of IO framework error custom definitions,
which have been deprecated. Standard errno definitions are used
instead.

Change-Id: I1228477346d3876151c05b470d9669c37fd231be

show more ...

Merge pull request #368 from jcastillo-arm/jc/genfw/1126

TBB: abort boot if BL3-2 cannot be authenticated

TBB: abort boot if BL3-2 cannot be authenticated

BL3-2 image (Secure Payload) is optional. If the image cannot be
loaded a warning message is printed and the boot process continues.
According to the

TBB: abort boot if BL3-2 cannot be authenticated

BL3-2 image (Secure Payload) is optional. If the image cannot be
loaded a warning message is printed and the boot process continues.
According to the TBBR document, this behaviour should not apply in
case of an authentication error, where the boot process should be
aborted.

This patch modifies the load_auth_image() function to distinguish
between a load error and an authentication error. The caller uses
the return value to abort the boot process or continue.

In case of authentication error, the memory region used to store
the image is wiped clean.

Change-Id: I534391d526d514b2a85981c3dda00de67e0e7992

show more ...

Merge pull request #315 from jcastillo-arm/jc/tbb_tmp9

Authentication Framework

TBB: switch to the new authentication framework

This patch modifies the Trusted Board Boot implementation to use
the new authentication framework, making use of the authentication
module, the cryto

TBB: switch to the new authentication framework

This patch modifies the Trusted Board Boot implementation to use
the new authentication framework, making use of the authentication
module, the cryto module and the image parser module to
authenticate the images in the Chain of Trust.

A new function 'load_auth_image()' has been implemented. When TBB
is enabled, this function will call the authentication module to
authenticate parent images following the CoT up to the root of
trust to finally load and authenticate the requested image.

The platform is responsible for picking up the right makefiles to
build the corresponding cryptographic and image parser libraries.
ARM platforms use the mbedTLS based libraries.

The platform may also specify what key algorithm should be used
to sign the certificates. This is done by declaring the 'KEY_ALG'
variable in the platform makefile. FVP and Juno use ECDSA keys.

On ARM platforms, BL2 and BL1-RW regions have been increased 4KB
each to accommodate the ECDSA code.

REMOVED BUILD OPTIONS:

* 'AUTH_MOD'

Change-Id: I47d436589fc213a39edf5f5297bbd955f15ae867

show more ...

Use numbers to identify images instead of names

The Trusted firmware code identifies BL images by name. The platform
port defines a name for each image e.g. the IO framework uses this
mechanism in t

Use numbers to identify images instead of names

The Trusted firmware code identifies BL images by name. The platform
port defines a name for each image e.g. the IO framework uses this
mechanism in the platform function plat_get_image_source(). For
a given image name, it returns the handle to the image file which
involves comparing images names. In addition, if the image is
packaged in a FIP, a name comparison is required to find the UUID
for the image. This method is not optimal.

This patch changes the interface between the generic and platform
code with regard to identifying images. The platform port must now
allocate a unique number (ID) for every image. The generic code will
use the image ID instead of the name to access its attributes.

As a result, the plat_get_image_source() function now takes an image
ID as an input parameter. The organisation of data structures within
the IO framework has been rationalised to use an image ID as an index
into an array which contains attributes of the image such as UUID and
name. This prevents the name comparisons.

A new type 'io_uuid_spec_t' has been introduced in the IO framework
to specify images identified by UUID (i.e. when the image is contained
in a FIP file). There is no longer need to maintain a look-up table
[iname_name --> uuid] in the io_fip driver code.

Because image names are no longer mandatory in the platform port, the
debug messages in the generic code will show the image identifier
instead of the file name. The platforms that support semihosting to
load images (i.e. FVP) must provide the file names as definitions
private to the platform.

The ARM platform ports and documentation have been updated accordingly.
All ARM platforms reuse the image IDs defined in the platform common
code. These IDs will be used to access other attributes of an image in
subsequent patches.

IMPORTANT: applying this patch breaks compatibility for platforms that
use TF BL1 or BL2 images or the image loading code. The platform port
must be updated to match the new interface.

Change-Id: I9c1b04cb1a0684c6ee65dee66146dd6731751ea5

show more ...

Merge pull request #287 from danh-arm/sb/bl2-loading-errors

Panic if platform specific BL3-0 handling fails v2

Panic if platform specific BL3-0 handling fails

The return value of bl2_plat_handle_bl30() used to be ignored.
This patch modifies the function load_bl30() so that it now
checks this return value an

Panic if platform specific BL3-0 handling fails

The return value of bl2_plat_handle_bl30() used to be ignored.
This patch modifies the function load_bl30() so that it now
checks this return value and returns it to bl2_main().

This patch also unifies the error handling code across the
load_blx() functions so that they return a status code in all
cases and bl2_main() has the sole responsibility of panicking
if appropriate.

Change-Id: I2b26cdf65afa443b48c7da1fa7da8db956071bfb

show more ...

Merge pull request #249 from danh-arm/jc/tbb_prototype

Trusted Board Boot Prototype