feat(docs): update context management's threat model

Improperly configuring cpu features (ENABLE_FEAT_XYZ) can lead to broken
firmware or, in rare cases, panic at EL3. This makes Denial of service a

feat(docs): update context management's threat model

Improperly configuring cpu features (ENABLE_FEAT_XYZ) can lead to broken
firmware or, in rare cases, panic at EL3. This makes Denial of service a
valid threat on the Availability asset.

Since the original model, we've gained FEATURE_DETECTION which is meant
to help get platforms configured correctly.

Change-Id: I10f9870173fc4b24ea14a24197537d46ead9f789
Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>

show more ...

feat(docs): platform hook for whether NV ctr is shared

Add documentation on platform hook for inquiry if the
NV ctr is shared across all secure images (BL1, BL2, BL31 etc.).

Change-Id: If0859fe1fb7

feat(docs): platform hook for whether NV ctr is shared

Add documentation on platform hook for inquiry if the
NV ctr is shared across all secure images (BL1, BL2, BL31 etc.).

Change-Id: If0859fe1fb7a072b6e8fc25f77218785a4fc0da8
Signed-off-by: Xialin Liu <xialin.liu@arm.com>

show more ...

fix(cpufeat): don't overwrite PAuth keys with an erroneous cache clean

Accessing cpu_data when TF-A is built with HW_ASSISTED_COHERENCY=1 is
simple. Caching (SCTLR_EL3.C) is enabled along with the M

fix(cpufeat): don't overwrite PAuth keys with an erroneous cache clean

Accessing cpu_data when TF-A is built with HW_ASSISTED_COHERENCY=1 is
simple. Caching (SCTLR_EL3.C) is enabled along with the MMU and we can
rely on all accesses being coherent. However, this is not the case when
HW_ASSISTED_COHERENCY=0. Most of EL3's initialisation (especially on
warm boot) happens with the MMU on but with caching being off. Caches
are only enabled deep into CPU_ON processing when we can be certain the
core has entered coherency. This latter case is the subject of this
patch.

Prior to this patch, the way to work around that was to clean the
apiakey cpu_data storage right after writing it. The write would have
gone straight to memory as caches were off and the clean asserted that
nothing would be in the caches which were assumed to be invalid since
we've just came out of reset.

The problem with this is that we cannot assume that ALL caches are
invalid when coming out of reset. We can reasonably assume those private
to the core to be (so the L1 and/or the L2; those are guaranteed to be
invalidated out of reset for every Arm core) but that is not the case
for shared caches (eg an L2/L3 DSU cache) which can be on when a core
powers down. So the old keys could still be live in the shared cache, we
write new ones to memory and clean the old to memory too, undoing the
work.

So the correct thing to do is to clean and invalidate the cache prior to
writing the keys to memory and invalidate it after. This ensures that if
there is any other data after the apiakey, which shares the cache line,
it will be safely forwarded to memory and the caches will be invalid
when caching is turned on.

It is important to note at this point that this was never observed in
practice - every known configuration that uses PAuth has the apiakey as
the very last member of the cpu_data struct which is padded up to a
cache line and the usage of the apiakey is such that it was never
allocated into the shared caches. So the clean would effectively perform
an invalidate of only the apiakey and all worked well. This was only
spotted with a proposed patch that added data after the apiakey
(https://review.trustedfirmware.org/c/TF-A/trusted-firmware-a/+/39698/7).

Change-Id: I8493221dff53114c5c56dd73fbfd2a3301e2542c
Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>

show more ...

feat(mbedtls): update mbedtls to version 3.6.5

Change-Id: Ia5366faa71007024e098a05ee391a2ff8e8676c0
Signed-off-by: Slava Andrianov <slava.andrianov@arm.com>

Merge "docs: update TF-A May'26 release dates" into integration

docs: update TF-A May'26 release dates

Tentatively updating the plan for TF-A v2.15 release in May'26.

Change-Id: I43de74567c57139023844a55ca90d354b6cc680d
Signed-off-by: Govindraj Raja <govindraj.

docs: update TF-A May'26 release dates

Tentatively updating the plan for TF-A v2.15 release in May'26.

Change-Id: I43de74567c57139023844a55ca90d354b6cc680d
Signed-off-by: Govindraj Raja <govindraj.raja@arm.com>

show more ...

feat(cpufeat): enable FEAT_PFAR support

Implement support for FEAT_PFAR, which introduces the PFAR_ELx system
register, recording the faulting physical address for some aborts.
Those system register

feat(cpufeat): enable FEAT_PFAR support

Implement support for FEAT_PFAR, which introduces the PFAR_ELx system
register, recording the faulting physical address for some aborts.
Those system registers are trapped by the SCR_EL3.PFARen bit, so set the
bit for the non-secure world context to allow OSes to use the feature.

This is controlled by the ENABLE_FEAT_PFAR build flag, which follows the
usual semantics of 2 meaning the feature being runtime detected.
Let the default for this flag be 0, but set it to 2 for the FVP.

Change-Id: I5c9ae750417e75792f693732df3869e02b6e4319
Signed-off-by: Andre Przywara <andre.przywara@arm.com>

show more ...

Merge "feat(cpufeat): enable FEAT_AIE support" into integration

Merge "fix(docs): fix some broken links" into integration

Merge changes Id711e387,I531a2ee1,Ic5b48514,I81f5f663,I6c529c13, ... into integration

* changes:
refactor(romlib): absorb WRAPPER_FLAGS into LDFLAGS
fix(build): simplify the -target options
fe

Merge changes Id711e387,I531a2ee1,Ic5b48514,I81f5f663,I6c529c13, ... into integration

* changes:
refactor(romlib): absorb WRAPPER_FLAGS into LDFLAGS
fix(build): simplify the -target options
feat(build): allow full LTO builds with clang
refactor(build): make sorting of sections generic
feat(build): use clang as a linker
fix(build): correctly detect that an option is missing with ld_option
feat(build): pass cflags to the linker when LTO is enabled

show more ...

refactor(build): make it standard to request a custom linker script

Hoist the add_define to a global location so that platforms only have to
declare its usage. Fix up #ifdef to #if since we will now

refactor(build): make it standard to request a custom linker script

Hoist the add_define to a global location so that platforms only have to
declare its usage. Fix up #ifdef to #if since we will now always pass a
definition.

Change-Id: Ia52ad5ed4dcbd157d139c8ca2fb3d35b32343b93
Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>

show more ...

Merge "fix(cm): deprecate use of NS_TIMER_SWITCH" into integration

Merge changes from topic "lfa-plat-activate" into integration

* changes:
feat(fvp): add stub implementation for plat_lfa_notify_activate()
feat(lfa): add platform hook for activation notification

docs: add dependabot patches for LTS

The GitHub dependabot creates patches for Node.js or python tools used
by TF-A. Those patches are created for main branch but also for LTS
branches. They should

docs: add dependabot patches for LTS

The GitHub dependabot creates patches for Node.js or python tools used
by TF-A. Those patches are created for main branch but also for LTS
branches. They should be cherry-picked in LTS branches. Add some
directives about that in the LTS documentation.

Change-Id: Ibb730d98818d1b2913d479d25c25ac36b4476864
Signed-off-by: Yann Gautier <yann.gautier@st.com>

show more ...

feat(build): allow full LTO builds with clang

GCC doesn't like LTOing __builtins. This has been broken for time
immemorial (see https://gcc.gnu.org/bugzilla/show_bug.cgi?id=63215) and
there is no fi

feat(build): allow full LTO builds with clang

GCC doesn't like LTOing __builtins. This has been broken for time
immemorial (see https://gcc.gnu.org/bugzilla/show_bug.cgi?id=63215) and
there is no fix coming. Prior to GCC 14 a build of the libc with LTO
will simply not work. From GCC14 a workaround is possible passing
-ffat-lto-objects. The underlying issue is that the linker "forgets"
about builtin symbols it added during LTO. The non-LTO copies make these
forgotten functions available during final resolution. However, this
still does not LTO the libc, it just allows for it to build with -flto.

Since GCC is our main compiler, and we do not differentiate the libc
from any other lib we build, we have simply not built libs with LTO so
far. However, there is no need to kneecap clang for GCC's failings, so
LTO all libs on clang when enabled.

When GCC14 becomes the oldest reasonable compiler we support, this can
be done for GCC too, although with the workaround above. This still
won't LTO the libc, but it will at least LTO other libs.

Change-Id: Ic5b4851480131f4e8aefd678cc05d4dd02ee01ef
Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>

show more ...

feat(build): use clang as a linker

To support LTO, the gcc binary is used as a compiler, assembler, and
linker. Do the same for clang and enable LTO builds with it as a side
effect.

This simplifies

feat(build): use clang as a linker

To support LTO, the gcc binary is used as a compiler, assembler, and
linker. Do the same for clang and enable LTO builds with it as a side
effect.

This simplifies code quite a bit as the gcc/clang different is much
smaller. Support for ld/lld (if overriden with LD) is maintained.

This is a good time to convert tabs to spaces to conform to make's
expectations on syntax.

Change-Id: I6c529c1393f7e9e8046ed537f871fc3ad91d599a
Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>

show more ...

feat(cpufeat): enable FEAT_AIE support

Implement support for FEAT_AIE, which introduces the AMAIR2_ELx and
MAIR2_ELx system registers, extending the memory attributes described
by {A}MAIR_ELx.
Those

feat(cpufeat): enable FEAT_AIE support

Implement support for FEAT_AIE, which introduces the AMAIR2_ELx and
MAIR2_ELx system registers, extending the memory attributes described
by {A}MAIR_ELx.
Those system registers are trapped by the SCR_EL3.AIEn bit, so set the
bit for the non-secure world context to allow OSes to use the feature.

This is controlled by the ENABLE_FEAT_AIE build flag, which follows the
usual semantics of 2 meaning the feature being runtime detected.
Let the default for this flag be 0, but set it to 2 for the FVP.

Change-Id: Iba2011719013a89f9cb3a4317bde18254f45cd25
Signed-off-by: Andre Przywara <andre.przywara@arm.com>

show more ...

fix(docs): fix some broken links

Fix few broken links from docs.

Link check was done with following steps -

[..]
tf-a/docs$ make clean -j8; poetry run make html -j8
tf-a/docs$ poetry run sphinx-bu

fix(docs): fix some broken links

Fix few broken links from docs.

Link check was done with following steps -

[..]
tf-a/docs$ make clean -j8; poetry run make html -j8
tf-a/docs$ poetry run sphinx-build -j8 -q -b linkcheck . build/
[..]

Add link check conf values to config.py
- avoid reporting false broken links when `#`(anchors) are present
in the link.
- avoid checking for broken links in "change-log.md", this is summary
of commit msg's we are not going to fix broken links in cmt-msg's

Change-Id: I384094c8dcf3e93875c9052afa79ad826b9901d9
Signed-off-by: Govindraj Raja <govindraj.raja@arm.com>

show more ...

fix(cpus): workaround for Cortex-A720 erratum 2729604

Cortex-A720 erratum 2729604 is a Cat B erratum that applies to
revisions r0p0 and r0p1, and is fixed in r0p2.

This workaround might impact perf

fix(cpus): workaround for Cortex-A720 erratum 2729604

Cortex-A720 erratum 2729604 is a Cat B erratum that applies to
revisions r0p0 and r0p1, and is fixed in r0p2.

This workaround might impact performance of workloads heavily
relying on floating point division or square root operations.

SDEN documentation:
https://developer.arm.com/documentation/SDEN-2439421

Change-Id: I4567d75ba9f17146d0d7bc5cdb622bb63efadc3c
Signed-off-by: John Powell <john.powell@arm.com>

show more ...

fix(cpus): workaround for Cortex-A720 erratum 3711910

Cortex-A720 erratum 3711910 is a Cat B erratum that applies to
revisions r0p0, r0p1 and r0p2, and is still open.

SDEN documentation:
https://de

fix(cpus): workaround for Cortex-A720 erratum 3711910

Cortex-A720 erratum 3711910 is a Cat B erratum that applies to
revisions r0p0, r0p1 and r0p2, and is still open.

SDEN documentation:
https://developer.arm.com/documentation/SDEN-2439421

Change-Id: Id65d5ba41b96648b07c09df77fb25cc4bdb50800
Signed-off-by: John Powell <john.powell@arm.com>

show more ...

Merge changes from topic "ar/v2_errata" into integration

* changes:
fix(cpus): workaround for Neoverse-V2 erratum 3701771
fix(cpus): workaround for Neoverse-V2 erratum 3841324

fix(cpus): workaround for Neoverse-V2 erratum 3701771

Neoverse-V2 erratum 3701771 that applies to r0p0, r0p1, r0p2 is
still Open.

The workaround is for EL3 software that performs context save/resto

fix(cpus): workaround for Neoverse-V2 erratum 3701771

Neoverse-V2 erratum 3701771 that applies to r0p0, r0p1, r0p2 is
still Open.

The workaround is for EL3 software that performs context save/restore
on a change of Security state to use a value of SCR_EL3.NS when
accessing ICH_VMCR_EL2 that reflects the Security state that owns the
data being saved or restored.

The mitigation is implemented in commit 7455cd172 and this patch should be applied on top of it.

SDEN documentation:
https://developer.arm.com/documentation/SDEN-2332927/latest

Signed-off-by: Arvind Ram Prakash <arvind.ramprakash@arm.com>
Change-Id: Ic0ad68f7bd393bdc03343d5ba815adb23bf6a24d

show more ...

fix(cpus): workaround for Neoverse-V2 erratum 3841324

Neoverse-V2 erratum 3841324 is a Cat B erratum that applies to
r0p0 and r0p1. It is fixed in r0p2.

This erratum can be avoided by setting CPUAC

fix(cpus): workaround for Neoverse-V2 erratum 3841324

Neoverse-V2 erratum 3841324 is a Cat B erratum that applies to
r0p0 and r0p1. It is fixed in r0p2.

This erratum can be avoided by setting CPUACTLR_EL1[1]
prior to enabling MMU. This bit will disable a branch predictor
power savings feature. Disabling this power feature
results in negligible power movement and no performance impact.

SDEN Documentation:
https://developer.arm.com/documentation/SDEN-2332927/latest

Signed-off-by: Arvind Ram Prakash <arvind.ramprakash@arm.com>
Change-Id: I9b3a5266103e5000d207c7a270c65455d0646102

show more ...

feat(dsu): enable PMU registers access at EL1

- Disable trapping of write accesses to DSU cluster PMU registers
at EL3 and EL2.
- Clear the SPME bit in CLUSTERPMMDCR_EL3 to prohibit PMU event
co

feat(dsu): enable PMU registers access at EL1

- Disable trapping of write accesses to DSU cluster PMU registers
at EL3 and EL2.
- Clear the SPME bit in CLUSTERPMMDCR_EL3 to prohibit PMU event
counting in the secure state.

Change-Id: If3eb6e997330ae86f45760e0e862c003861f3d66
Signed-off-by: Amr Mohamed <amr.mohamed@arm.com>

show more ...

docs(rdaspen): introduce rdaspen docs

RD-Aspen platform is formally introduced into the
documentation.

Refactors RD platforms separately, and a generic
Automotive RD index doc file is created.

Mai

docs(rdaspen): introduce rdaspen docs

RD-Aspen platform is formally introduced into the
documentation.

Refactors RD platforms separately, and a generic
Automotive RD index doc file is created.

Maintainers list updated for platform maintainer
of rdaspen.

Change-Id: I289a8caaa6f0e34e953f4101ee2814f1500bc9c8
Signed-off-by: Ahmed Azeem <ahmed.azeem@arm.com>

show more ...