Merge changes from topic "refactor-arm-key-files" into integration

* changes:
feat(mbedtls): optimize SHA256 for reduced memory footprint
refactor(arm): rename ARM_ROTPK_HEADER_LEN
docs(arm):

Merge changes from topic "refactor-arm-key-files" into integration

* changes:
feat(mbedtls): optimize SHA256 for reduced memory footprint
refactor(arm): rename ARM_ROTPK_HEADER_LEN
docs(arm): update docs to reflect rotpk key changes
feat(arm): use provided algs for (swd/p)rotpk
feat(arm): use the provided hash alg to hash rotpk

show more ...

docs(arm): update docs to reflect rotpk key changes

The hashing algorithm for the rotpk is now HASH_ALG,
not always sha-256. The public development keys are
no longer in the repository and are now g

docs(arm): update docs to reflect rotpk key changes

The hashing algorithm for the rotpk is now HASH_ALG,
not always sha-256. The public development keys are
no longer in the repository and are now generated at
run-time, updates the documentation to reflect this.

Change-Id: Ic336f7aca858e9b6a1af6d6e6dc5f4aa428da179
Signed-off-by: Ryan Everett <ryan.everett@arm.com>

show more ...

Merge "docs(auth): align TBBR CoT names to match the code" into integration

docs(auth): align TBBR CoT names to match the code

Update the section describing the TBBR chain of trust to use the same
terminology as in the code and the specification.

Also refresh the descripti

docs(auth): align TBBR CoT names to match the code

Update the section describing the TBBR chain of trust to use the same
terminology as in the code and the specification.

Also refresh the description of some of the certificates to include the
pieces of data they contain today. When this document was originally
written, TF-A did not support configuration files, which is why none of
the certificates included any configuration file hash at that time.

Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
Change-Id: Ia85f88c933abd8d8d6727252a7d41fb9f0ce4287

show more ...

Merge "docs(auth): add more information about CoTs" into integration

docs(auth): add more information about CoTs

Explain that platforms are free to define their own Chain of Trust (CoT)
based on their needs but default ones are provided in TF-A source code:
TBBR, dua

docs(auth): add more information about CoTs

Explain that platforms are free to define their own Chain of Trust (CoT)
based on their needs but default ones are provided in TF-A source code:
TBBR, dualroot and CCA.

Give a brief overview of the use case for each of these CoTs.

Simplified diagrams are also provided for the TBBR and dualroot CoTs -
CCA CoT is missing such a diagram right now, it should be provided as a
future improvement.

Also do some cosmetic changes along the way.

Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
Change-Id: I7c4014d4d12d852b0ae5632ba9c71a9ad266080a

show more ...

Merge "docs: fix link to TBBR specification" into integration

docs: fix link to TBBR specification

The former link pointed to a page which displayed the following warning
message:

We could not find that page in the latest version, so we have taken
you to

docs: fix link to TBBR specification

The former link pointed to a page which displayed the following warning
message:

We could not find that page in the latest version, so we have taken
you to the first page instead

Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
Change-Id: Icf9277770e38bc5e602b75052c2386301984238d

show more ...

Merge changes If9672598,I219c49d3 into integration

* changes:
feat(cert-create): add pkcs11 engine support
fix(cert-create): key: Avoid having a temporary value for pkey in key_load

feat(cert-create): add pkcs11 engine support

Add pkcs11 engine support which allows using keys that are securely
stored on a HSM or TPM. To use this feature the user has to supply
an RFC 7512 compli

feat(cert-create): add pkcs11 engine support

Add pkcs11 engine support which allows using keys that are securely
stored on a HSM or TPM. To use this feature the user has to supply
an RFC 7512 compliant PKCS11 URI to a key instead of a file as an
argument to one of the key options. This change is fully backwards
compatible.

This change makes use of the openssl engine API which is deprecated
since openssl 3.0 and will most likely be removed in version 4. So
pkcs11 support will have to be updated to the openssl provider API
in the near future.

Signed-off-by: Robin van der Gracht <robin@protonic.nl>
Change-Id: If96725988ca62c5613ec59123943bf15922f5d1f

show more ...

Merge "fix: remove "experimental" tag for stable features" into integration

fix: remove "experimental" tag for stable features

there are features which are marked as experimental even though they
are stable and used for quite some time.
Following features are no longer mark

fix: remove "experimental" tag for stable features

there are features which are marked as experimental even though they
are stable and used for quite some time.
Following features are no longer marked as experimental
- SPMD
- MEASURED_BOOT
- FCONF and associated build flags
- DECRYPTION_SUPPORT and associated build flags
- ENABLE_PAUTH
- ENABLE_BTI
- USE_SPINLOCK_CAS
- GICv3 Multichip support

Signed-off-by: Manish Pandey <manish.pandey2@arm.com>
Change-Id: I4bb653d9c413c66095ec31f0b8aefeb13ea04ee9

show more ...

Merge "Update cryptographic algorithms in TBBR doc" into integration

Update cryptographic algorithms in TBBR doc

The TBBR documentation has been written along with an early
implementation of the code. At that time, the range of supported
encryption and hash algorithm

Update cryptographic algorithms in TBBR doc

The TBBR documentation has been written along with an early
implementation of the code. At that time, the range of supported
encryption and hash algorithms was failry limited. Since then, support
for other algorithms has been added in TF-A but the documentation has
not been updated.

Instead of listing them all, which would clutter this document while
still leaving it at risk of going stale in the future, remove specific
references to the original algorithms and point the reader at the
relevant comprehensive document for further details.

Change-Id: I29dc50bc1d53b728091a1fbaa1c3970fb999f7d5
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>

show more ...

Merge changes from topic "tbbr/fw_enc" into integration

* changes:
docs: qemu: Add instructions to boot using FIP image
docs: Update docs with firmware encryption feature
qemu: Support optiona

Merge changes from topic "tbbr/fw_enc" into integration

* changes:
docs: qemu: Add instructions to boot using FIP image
docs: Update docs with firmware encryption feature
qemu: Support optional encryption of BL31 and BL32 images
qemu: Update flash address map to keep FIP in secure FLASH0
Makefile: Add support to optionally encrypt BL31 and BL32
tools: Add firmware authenticated encryption tool
TBB: Add an IO abstraction layer to load encrypted firmwares
drivers: crypto: Add authenticated decryption framework

show more ...

docs: Update docs with firmware encryption feature

Update documentation with optional firmware encryption feature.

Signed-off-by: Sumit Garg <sumit.garg@linaro.org>
Change-Id: I26691b18e1ee52a73090

docs: Update docs with firmware encryption feature

Update documentation with optional firmware encryption feature.

Signed-off-by: Sumit Garg <sumit.garg@linaro.org>
Change-Id: I26691b18e1ee52a73090954260f26f2865c4e05a

show more ...

Merge "doc: Split the User Guide into multiple files" into integration

doc: Split the User Guide into multiple files

The User Guide document has grown organically over time and
now covers a wide range of topics, making it difficult to
skim read and extract information

doc: Split the User Guide into multiple files

The User Guide document has grown organically over time and
now covers a wide range of topics, making it difficult to
skim read and extract information from. Currently, it covers
these topics and maybe a couple more:

- Requirements (hardware, tools, libs)
- Checking out the repo
- Basic build instructions
- A comprehensive list of build flags
- FIP packaging
- Building specifically for Juno
- Firmware update images
- EL3 payloads
- Preloaded BL33 boot flow
- Running on FVPs
- Running on Juno

I have separated these out into a few groups that become new
documents. Broadly speaking, build instructions for the tools,
for TF-A generally, and for specific scenarios are separated.
Content relating to specific platforms (Juno and the FVPs are
Arm-specific platforms, essentially) has been moved into the
documentation that is specific to those platforms, under
docs/plat/arm.

Change-Id: Ica87c52d8cd4f577332be0b0738998ea3ba3bbec
Signed-off-by: Paul Beesley <paul.beesley@arm.com>

show more ...

Merge changes from topic "pb/readthedocs" into integration

* changes:
doc: Add guide for building the docs locally
doc: De-duplicate readme and license files
doc: Convert internal links to RST

Merge changes from topic "pb/readthedocs" into integration

* changes:
doc: Add guide for building the docs locally
doc: De-duplicate readme and license files
doc: Convert internal links to RST format

show more ...

doc: Convert internal links to RST format

Currently links between documents are using the format:

<path/to/><filename>.rst

This was required for services like GitHub because they render each
docum

doc: Convert internal links to RST format

Currently links between documents are using the format:

<path/to/><filename>.rst

This was required for services like GitHub because they render each
document in isolation - linking to another document is like linking
to any other file, just provide the full path.

However, with the new approach, the .rst files are only the raw
source for the documents. Once the documents have been rendered
the output is now in another format (HTML in our case) and so,
when linking to another document, the link must point to the
rendered version and not the .rst file.

The RST spec provides a few methods for linking between content.
The parent of this patch enabled the automatic creation of anchors
for document titles - we will use these anchors as the targets for
our links. Additional anchors can be added by hand if needed, on
section and sub-section titles, for example.

An example of this new format, for a document with the title
"Firmware Design" is :ref:`Firmware Design`.

One big advantage of this is that anchors are not dependent on
paths. We can then move documents around, even between directories,
without breaking any links between documents. Links will need to be
updated only if the title of a document changes.

Change-Id: I9e2340a61dd424cbd8fd1ecc2dc166f460d81703
Signed-off-by: Paul Beesley <paul.beesley@arm.com>

show more ...

Merge changes from topic "jts/docs" into integration

* changes:
Removing IRC related info from the documentation
Further fixes to documentation links

Further fixes to documentation links

Change-Id: Ib021c721652d96f6c06ea18741f19a72bba1d00f
Signed-off-by: John Tsichritzis <john.tsichritzis@arm.com>

Merge changes from topic "pb/sphinx-doc" into integration

* changes:
doc: Use proper note and warning annotations
doc: Refactor contributor acknowledgements
doc: Reorganise images and update l

Merge changes from topic "pb/sphinx-doc" into integration

* changes:
doc: Use proper note and warning annotations
doc: Refactor contributor acknowledgements
doc: Reorganise images and update links
doc: Set correct syntax highlighting style
doc: Add minimal glossary
doc: Remove per-page contents lists
doc: Make checkpatch ignore rst files
doc: Format security advisory titles and headings
doc: Reformat platform port documents
doc: Normalise section numbering and headings
doc: Reword document titles

show more ...

doc: Use proper note and warning annotations

The documentation contains plenty of notes and warnings. Enable
special rendering of these blocks by converting the note prefix
into a .. note:: annotati

doc: Use proper note and warning annotations

The documentation contains plenty of notes and warnings. Enable
special rendering of these blocks by converting the note prefix
into a .. note:: annotation.

Change-Id: I34e26ca6bf313d335672ab6c2645741900338822
Signed-off-by: Paul Beesley <paul.beesley@arm.com>

show more ...

doc: Remove per-page contents lists

These are no longer needed as there will always be a table of contents
rendered to the left of every page.

Some of these lists can be quite long and, when openin

doc: Remove per-page contents lists

These are no longer needed as there will always be a table of contents
rendered to the left of every page.

Some of these lists can be quite long and, when opening a page, the
reader sees nothing but a huge list of contents! After this patch,
the document contents are front-and-centre and the contents are
nicely rendered in the sidebar without duplication.

Change-Id: I444754d548ec91d00f2b04e861de8dde8856aa62
Signed-off-by: Paul Beesley <paul.beesley@arm.com>

show more ...