Merge "fix(mpam): refine MPAM initialization and enablement process" into integration

fix(mpam): refine MPAM initialization and enablement process

Restricts MPAM to only NS world and enables trap to EL3 for access of
MPAM registers from lower ELs of Secure and Realm world.

This patc

fix(mpam): refine MPAM initialization and enablement process

Restricts MPAM to only NS world and enables trap to EL3 for access of
MPAM registers from lower ELs of Secure and Realm world.

This patch removes MPAM enablement from global context and adds it to
EL3 State context which enables/disables MPAM during world switches.
Renamed ENABLE_MPAM_FOR_LOWER_ELS to ENABLE_FEAT_MPAM and
removed mpam_init_el3() as RESET behaviour is trapping.

Signed-off-by: Arvind Ram Prakash <arvind.ramprakash@arm.com>
Change-Id: I131f9dba5df236a71959b2d425ee11af7f3c38c4

show more ...

Merge changes from topic "ecdsa_p384" into integration

* changes:
refactor(arm): remove ARM_ROTPK_KEY_LEN comparison
fix(st): setting default KEY_SIZE
docs(cert-create): add key size options f

Merge changes from topic "ecdsa_p384" into integration

* changes:
refactor(arm): remove ARM_ROTPK_KEY_LEN comparison
fix(st): setting default KEY_SIZE
docs(cert-create): add key size options for ecdsa
feat(arm): ecdsa p384/p256 full key support
feat(tbbr): update PK_DER_LEN for ECDSA P-384 keys
feat(auth): ecdsa p384 key support
feat(cert-create): ecdsa p384 key support

show more ...

docs(cert-create): add key size options for ecdsa

Adding the possible key sizes for the ecdsa key algorithm.

Change-Id: I58947bc749fed911766a1462a0c2ba520b8f7c69
Signed-off-by: Lauren Wehrmeister <

docs(cert-create): add key size options for ecdsa

Adding the possible key sizes for the ecdsa key algorithm.

Change-Id: I58947bc749fed911766a1462a0c2ba520b8f7c69
Signed-off-by: Lauren Wehrmeister <lauren.wehrmeister@arm.com>

show more ...

Merge changes from topic "ns/spmc_at_el3" into integration

* changes:
feat(rdn2): introduce platform handler for Group0 interrupt
feat(rdn2): add plat hook for memory transaction
feat(rdn2): i

Merge changes from topic "ns/spmc_at_el3" into integration

* changes:
feat(rdn2): introduce platform handler for Group0 interrupt
feat(rdn2): add plat hook for memory transaction
feat(rdn2): introduce accessor function to obtain datastore
feat(spm): separate StMM SP specifics to add support for a S-EL0 SP
feat(rdn2): add defines needed for spmc-el3
feat(ras): reuse SPM_MM specific defines for SPMC_AT_EL3
feat(bl31): reuse SPM_MM specific defines for SPMC_AT_EL3
feat(arm): reuse SPM_MM specific defines for SPMC_AT_EL3
feat(el3-spmc): add a flag to enable support to load SEL0 SP
refactor(spm-mm): reorganize secure partition manager shim code

show more ...

feat(el3-spmc): add a flag to enable support to load SEL0 SP

Introduce a build flag for enabling the support for loading SEL0 SP in
EL3 SPMC.

Signed-off-by: Nishant Sharma <nishant.sharma@arm.com>

feat(el3-spmc): add a flag to enable support to load SEL0 SP

Introduce a build flag for enabling the support for loading SEL0 SP in
EL3 SPMC.

Signed-off-by: Nishant Sharma <nishant.sharma@arm.com>
Change-Id: I1d63ae4d0d8374a732113565be90d58861506e39

show more ...

Merge "refactor(console): disable getc() by default" into integration

refactor(console): disable getc() by default

The ability to read a character from the console constitutes an attack
vector into TF-A, as it gives attackers a means to inject arbitrary
data into TF-A

refactor(console): disable getc() by default

The ability to read a character from the console constitutes an attack
vector into TF-A, as it gives attackers a means to inject arbitrary
data into TF-A. It is dangerous to keep that feature enabled if not
strictly necessary, especially in production firmware builds.

Thus, we need a way to disable this feature. Moreover, when it is
disabled, all related code should be eliminated from the firmware
binaries, such that no remnant/dead getc() code remains in memory,
which could otherwise be used as a gadget as part of a bigger security
attack.

This patch disables getc() feature by default. For legitimate getc()
use cases [1], it can be explicitly enabled by building TF-A with
ENABLE_CONSOLE_GETC=1.

The following changes are introduced when getc() is disabled:

- The multi-console framework no longer provides the console_getc()
function.

- If the console driver selected by the platform attempts to register
a getc() callback into the multi-console framework then TF-A will
now fail to build.

If registered through the assembly function finish_console_register():
- On AArch64, you'll get:
Error: undefined symbol CONSOLE_T_GETC used as an immediate value.
- On AArch32, you'll get:
Error: internal_relocation (type: OFFSET_IMM) not fixed up

If registered through the C function console_register(), this requires
populating a struct console with a getc field, which will trigger:
error: 'console_t' {aka 'struct console'} has no member named 'getc'

- All console drivers which previously registered a getc() callback
have been modified to do so only when ENABLE_CONSOLE_GETC=1.

[1] Example of such use cases would be:
- Firmware recovery: retrieving a golden BL2 image over the console in
order to repair a broken firmware on a bricked board.
- Factory CLI tool: Drive some soak tests through the console.

Discussed on TF-A mailing list here:
https://lists.trustedfirmware.org/archives/list/tf-a@lists.trustedfirmware.org/thread/YS7F6RCNTWBTEOBLAXIRTXWIOYINVRW7/

Change-Id: Icb412304cd23dbdd7662df7cf8992267b7975cc5
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
Acked-by: Baruch Siach <baruch@tkos.co.il>

show more ...

Merge changes from topic "mb/psa-crypto-support" into integration

* changes:
feat(mbedtls-psa): use PSA crypto API during signature verification
feat(mbedtls-psa): use PSA crypto API during hash

Merge changes from topic "mb/psa-crypto-support" into integration

* changes:
feat(mbedtls-psa): use PSA crypto API during signature verification
feat(mbedtls-psa): use PSA crypto API during hash calculation
feat(mbedtls-psa): use PSA crypto API for hash verification
feat(mbedtls-psa): initialise mbedtls psa crypto
feat(mbedtls-psa): register an ad-hoc PSA crypto driver
feat(mbedtls-psa): introduce PSA_CRYPTO build option
docs(changelog): add scope for MbedTLS PSA Crypto

show more ...

feat(mbedtls-psa): introduce PSA_CRYPTO build option

This is a preparatory patch to provide MbedTLS PSA Crypto
API support, with below changes -

1. Added a build macro PSA_CRYPTO to enable the Mbed

feat(mbedtls-psa): introduce PSA_CRYPTO build option

This is a preparatory patch to provide MbedTLS PSA Crypto
API support, with below changes -

1. Added a build macro PSA_CRYPTO to enable the MbedTLS PSA
Crypto API support in the subsequent patches.
2. Compile necessary PSA crypto files from MbedTLS source code
when PSA_CRYPTO=1.

Also, marked PSA_CRYPTO as an experimental feature.

Change-Id: I45188f56c5c98b169b2e21e365150b1825c6c450
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>

show more ...

Merge "feat(rmmd): enable SME for RMM" into integration

feat(rmmd): enable SME for RMM

This patch enables Scalable Matrix Extension (SME) for RMM. RMM will
save/restore required registers that are shared with SVE/FPU register
state so that Realm can use

feat(rmmd): enable SME for RMM

This patch enables Scalable Matrix Extension (SME) for RMM. RMM will
save/restore required registers that are shared with SVE/FPU register
state so that Realm can use FPU or SVE.

The Relevant RMM support can be found here :
https://github.com/TF-RMM/tf-rmm/commit/0ccd7ae58b00

Signed-off-by: Arunachalam Ganapathy <arunachalam.ganapathy@arm.com>
Change-Id: I3bbdb840e7736dec00b71c85fcec3d5719413ffd

show more ...

Merge changes from topic "rm/handoff" into integration

* changes:
feat(qemu): implement firmware handoff on qemu
feat(handoff): introduce firmware handoff library

Merge changes If9672598,I219c49d3 into integration

* changes:
feat(cert-create): add pkcs11 engine support
fix(cert-create): key: Avoid having a temporary value for pkey in key_load

feat(handoff): introduce firmware handoff library

Add transfer list APIs and firmware handoff build option.

Change-Id: I68a0ace22c7e50fcdacd101eb76b271d7b76d8ff
Signed-off-by: Raymond Mao <raymond.

feat(handoff): introduce firmware handoff library

Add transfer list APIs and firmware handoff build option.

Change-Id: I68a0ace22c7e50fcdacd101eb76b271d7b76d8ff
Signed-off-by: Raymond Mao <raymond.mao@linaro.org>

show more ...

feat(cert-create): add pkcs11 engine support

Add pkcs11 engine support which allows using keys that are securely
stored on a HSM or TPM. To use this feature the user has to supply
an RFC 7512 compli

feat(cert-create): add pkcs11 engine support

Add pkcs11 engine support which allows using keys that are securely
stored on a HSM or TPM. To use this feature the user has to supply
an RFC 7512 compliant PKCS11 URI to a key instead of a file as an
argument to one of the key options. This change is fully backwards
compatible.

This change makes use of the openssl engine API which is deprecated
since openssl 3.0 and will most likely be removed in version 4. So
pkcs11 support will have to be updated to the openssl provider API
in the near future.

Signed-off-by: Robin van der Gracht <robin@protonic.nl>
Change-Id: If96725988ca62c5613ec59123943bf15922f5d1f

show more ...

Merge changes from topic "el3_direct_msg" into integration

* changes:
docs(spm): document new build option
feat(fvp): spmd logical partition smc handler
feat(fvp): add spmd logical partition

Merge changes from topic "el3_direct_msg" into integration

* changes:
docs(spm): document new build option
feat(fvp): spmd logical partition smc handler
feat(fvp): add spmd logical partition
feat(spmd): get logical partitions info
feat(spmd): add partition info get regs
refactor(ff-a): move structure definitions
feat(spmd): el3 direct message API
feat(spmd): add spmd logical partitions

show more ...

docs(spm): document new build option

Add documentation for the new build option ENABLE_SPMD_LP.

Signed-off-by: Raghu Krishnamurthy <raghu.ncstate@gmail.com>
Change-Id: I808e6c00e3699fc900dc97e889af

docs(spm): document new build option

Add documentation for the new build option ENABLE_SPMD_LP.

Signed-off-by: Raghu Krishnamurthy <raghu.ncstate@gmail.com>
Change-Id: I808e6c00e3699fc900dc97e889af63cc01cae794

show more ...

Merge changes I2c4e826f,I388e8dcd,I6fd20225 into integration

* changes:
chore(ethos-n): use non blocking soft reset on npu
docs(ethos-n): update build-options.rst
refactor(ethos-n): move build

Merge changes I2c4e826f,I388e8dcd,I6fd20225 into integration

* changes:
chore(ethos-n): use non blocking soft reset on npu
docs(ethos-n): update build-options.rst
refactor(ethos-n): move build flags to ethosn_npu.mk

show more ...

docs(ethos-n): update build-options.rst

Move documentation related to Arm(R) Ethos(TM)-N NPU driver from
docs/plat/arm/arm-build-options.rst to
docs/getting_started/build-options.rst.

Signed-off-by

docs(ethos-n): update build-options.rst

Move documentation related to Arm(R) Ethos(TM)-N NPU driver from
docs/plat/arm/arm-build-options.rst to
docs/getting_started/build-options.rst.

Signed-off-by: Rajasekaran Kalidoss <rajasekaran.kalidoss@arm.com>
Change-Id: I388e8dcd3950b11bc3305f5e6396ee2e49c04493

show more ...

Merge "chore(docs): update march utility details" into integration

Merge "feat(mte): adds feature detection for MTE_PERM" into integration

feat(mte): adds feature detection for MTE_PERM

Adds feature detection for v8.9 feature FEAT_MTE_PERM. Adds respective
ID_AA64PFR2_EL1 definitions and ENABLE_FEAT_MTE_PERM define.

Change-Id: If24b42

feat(mte): adds feature detection for MTE_PERM

Adds feature detection for v8.9 feature FEAT_MTE_PERM. Adds respective
ID_AA64PFR2_EL1 definitions and ENABLE_FEAT_MTE_PERM define.

Change-Id: If24b42f1207154e639016b0b840b2d91c6ee13d4
Signed-off-by: Maksims Svecovs <maksims.svecovs@arm.com>
Signed-off-by: Harrison Mutai <harrison.mutai@arm.com>

show more ...

chore(docs): update march utility details

commit@7794d6c8f8c44acc14fbdc5ada5965310056be1e added a march utility
but the details were not updated in docs.

Update docs to provide a glimpse of march u

chore(docs): update march utility details

commit@7794d6c8f8c44acc14fbdc5ada5965310056be1e added a march utility
but the details were not updated in docs.

Update docs to provide a glimpse of march utility added.

Change-Id: I696cb9a701a30d7bf36a1ecd38a80d07df1fd551
Signed-off-by: Govindraj Raja <govindraj.raja@arm.com>

show more ...

Merge "docs: move common build option from Arm-specific to common file" into integration