| d6affea1 | 02-Oct-2025 |
Govindraj Raja <govindraj.raja@arm.com> |
fix(security): add clrbhb support
TF-A mitigates spectre-bhb(CVE-2022-23960) issue with loop workaround based on - https://developer.arm.com/documentation/110280/latest/
On platforms that support `clrbhb` instruction it is recommended to use `clrbhb` instruction instead of the loop workaround.
Ref- https://developer.arm.com/documentation/102898/0108/
Change-Id: Ie6e56e96378503456a1617d5e5d51bc64c2e0f0b
Signed-off-by: Govindraj Raja <govindraj.raja@arm.com>
|
| a2e22acf | 27-Oct-2025 |
Govindraj Raja <govindraj.raja@arm.com> |
fix(security): remove CVE_2022_23960 Neoverse V3
Neoverse V3 has ECBHB implemented and is protected against X-Context attacks.
Ref: https://developer.arm.com/documentation/110280/latest/
TRM: https://developer.arm.com/documentation/107734/0002/The-Neoverse--V3--core/Supported-standards-and-specifications?lang=en
Remove WORKAROUND_CVE_2022_23960 to avoid accidental enabling of this workaround and using loop workaround.
This was accidentally added with commit@c2a15217c3053117f4d39233002cb1830fa96670
Change-Id: I13b27c04c3da5ec80fa79422b4ef4fee64738caa
Signed-off-by: Govindraj Raja <govindraj.raja@arm.com>
|
| e22ccf01 | 27-Oct-2025 |
Govindraj Raja <govindraj.raja@arm.com> |
fix(security): remove CVE_2022_23960 Cortex-A720
Cortex-A720 has ECBHB implemented and is protected against X-Context attacks.
Ref: https://developer.arm.com/documentation/110280/latest/
TRM: https://developer.arm.com/documentation/102530/0002/The-Cortex-A720--core/Supported-standards-and-specifications?lang=en
Remove WORKAROUND_CVE_2022_23960 for Cortex-A720 to avoid accidental enabling of this workaround and using loop workaround.
This was accidentally added with commit@c2a15217c3053117f4d39233002cb1830fa96670
Change-Id: I3c68b5f5d85ede37a6a039369de8ed2aa9205395
Signed-off-by: Govindraj Raja <govindraj.raja@arm.com>
|
| b5f120b5 | 13-Oct-2025 |
Boyan Karatotev <boyan.karatotev@arm.com> |
refactor(docs): deduplicate PSCI documentation
It is already described in the porting guide and context management sections so it's largely redundant. It also hasn't been updated for a while despite lots going on around PSCI so it's clearly not read often. The only part that isn't is that for describing a new secure dispatcher, which belongs in the porting guide.
Change-Id: Icdc53e19565f0785bc8a112e5eb49df1b365c66c
Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>
|
| cccd47fd | 28-Oct-2025 |
Manish Pandey <manish.pandey2@arm.com> |
Merge "docs(build): update GCC toolchain requirement to 14.3.Rel1" into integration |
| dbe5353e | 27-Oct-2025 |
Ahmed Azeem <ahmed.azeem@arm.com> |
docs(rdaspen): bl32 and GPT support
Added optional BL32 support for the RDaspen platform to enable Trusted OS integration when required.
Updated documentation to clarify that if BL32 is not set, BL33 will load directly after BL31.
Revised the ARM_GPT_SUPPORT description to note that it must be enabled when the FIP image resides in a GPT partition on Secure Flash.
Change-Id: I79905efd026994290d0bc6c07cdf1f5a903c9194
Signed-off-by: Ahmed Azeem <ahmed.azeem@arm.com>
|
| 6af10753 | 27-Oct-2025 |
Lauren Wehrmeister <lauren.wehrmeister@arm.com> |
Merge changes from topic "xl/fwu-trial-run" into integration
* changes:
  fix(fwu): fwu NV ctr upgraded on trial run
  feat(docs): platform hook for whether NV ctr is shared
  feat(fwu): add platform hook for shared NV ctr
|
| c1582b72 | 29-Sep-2025 |
Sumit Garg <sumit.garg@oss.qualcomm.com> |
docs(maintainers): update QTI platform maintainers
Add myself to the list of QTI platform maintainers.
Change-Id: I779f457cf075bf42acb62b75223912d7b4f1e95b
Signed-off-by: Sumit Garg <sumit.garg@oss.qualcomm.com>
|
| 75685d3c | 25-Sep-2025 |
Sumit Garg <sumit.garg@oss.qualcomm.com> |
docs(qti): add RB3Gen2 platform documentation
Add documentation for RB3Gen2 platform listing down steps to build, flash and boot up the platform with TF-A BL2 and BL31 support.
Change-Id: I361fec8fb7a98b92fed3b1000f6f0c6f510c4887
Signed-off-by: Sumit Garg <sumit.garg@oss.qualcomm.com>
|
| 368a1dd3 | 25-Sep-2025 |
Sumit Garg <sumit.garg@oss.qualcomm.com> |
docs(qti): move documentation under docs/plat/qti/
Move documentation under docs/plat/qti/ to become a consolidated place for QTI platforms documentation.
Change-Id: Ief6f1f811de504761f00ce1acbd608663eee344f
Signed-off-by: Sumit Garg <sumit.garg@oss.qualcomm.com>
|
| 6091f03d | 25-Sep-2025 |
Sumit Garg <sumit.garg@oss.qualcomm.com> |
refactor(qti): introduce SoC codename as Kodiak
Qualcomm has recently started using SoC codenames for upstream support with Linux kernel being the first adopter. Using SoC codenames for upstream projects removes the need to follow different product names like for kodiak which is also known as sc7280, qcm6490 etc.
Let's follow this practice of using SoC codenames for TF-A project too beginning with Kodiak. While doing that let's refactor SoC and board specific files where the existing support for sc7280 has been renamed to sc7280_chrome to reflect its usage.
Change-Id: I236fadf8ae9550f94deb05ebfed17e2ddbd69509
Signed-off-by: Sumit Garg <sumit.garg@oss.qualcomm.com>
|
| 0bff7887 | 24-Oct-2025 |
Olivier Deprez <olivier.deprez@arm.com> |
Merge "fix(cpufeat): don't overwrite PAuth keys with an erroneous cache clean" into integration |
| 4d9903bd | 02-Oct-2025 |
Jayanth Dodderi Chidanand <jayanthdodderi.chidanand@arm.com> |
docs(build): update GCC toolchain requirement to 14.3.Rel1
Update documentation to reflect the use of GCC version 14.3.Rel1, the latest production release available at: https://developer.arm.com/downloads/-/arm-gnu-toolchain-downloads
Signed-off-by: Jayanth Dodderi Chidanand <jayanthdodderi.chidanand@arm.com>
Change-Id: I4387ccf519593b804d3e8541e8aaf9723a2aedeb
|
| e77cd73f | 23-Oct-2025 |
Boyan Karatotev <boyan.karatotev@arm.com> |
feat(docs): update context management's threat model
Improperly configuring cpu features (ENABLE_FEAT_XYZ) can lead to broken firmware or, in rare cases, panic at EL3. This makes Denial of service a valid threat on the Availability asset.
Since the original model, we've gained FEATURE_DETECTION which is meant to help get platforms configured correctly.
Change-Id: I10f9870173fc4b24ea14a24197537d46ead9f789
Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>
|
| 95ed23a1 | 24-Sep-2025 |
Xialin Liu <xialin.liu@arm.com> |
feat(docs): platform hook for whether NV ctr is shared
Add documentation on platform hook for inquiry if the NV ctr is shared across all secure images (BL1, BL2, BL31 etc.).
Change-Id: If0859fe1fb7a072b6e8fc25f77218785a4fc0da8
Signed-off-by: Xialin Liu <xialin.liu@arm.com>
|
| 072e8aeb | 11-Sep-2025 |
Boyan Karatotev <boyan.karatotev@arm.com> |
fix(cpufeat): don't overwrite PAuth keys with an erroneous cache clean
Accessing cpu_data when TF-A is built with HW_ASSISTED_COHERENCY=1 is simple. Caching (SCTLR_EL3.C) is enabled along with the MMU and we can rely on all accesses being coherent. However, this is not the case when HW_ASSISTED_COHERENCY=0. Most of EL3's initialisation (especially on warm boot) happens with the MMU on but with caching being off. Caches are only enabled deep into CPU_ON processing when we can be certain the core has entered coherency. This latter case is the subject of this patch.
Prior to this patch, the way to work around that was to clean the apiakey cpu_data storage right after writing it. The write would have gone straight to memory as caches were off and the clean asserted that nothing would be in the caches which were assumed to be invalid since we've just come out of reset.
The problem with this is that we cannot assume that ALL caches are invalid when coming out of reset. We can reasonably assume those private to the core to be (so the L1 and/or the L2; those are guaranteed to be invalidated out of reset for every Arm core) but that is not the case for shared caches (eg an L2/L3 DSU cache) which can be on when a core powers down. So the old keys could still be live in the shared cache, we write new ones to memory and clean the old to memory too, undoing the work.
So the correct thing to do is to clean and invalidate the cache prior to writing the keys to memory and invalidate it after. This ensures that if there is any other data after the apiakey, which shares the cache line, it will be safely forwarded to memory and the caches will be invalid when caching is turned on.
It is important to note at this point that this was never observed in practice - every known configuration that uses PAuth has the apiakey as the very last member of the cpu_data struct which is padded up to a cache line and the usage of the apiakey is such that it was never allocated into the shared caches. So the clean would effectively perform an invalidate of only the apiakey and all worked well. This was only spotted with a proposed patch that added data after the apiakey (https://review.trustedfirmware.org/c/TF-A/trusted-firmware-a/+/39698/7).
Change-Id: I8493221dff53114c5c56dd73fbfd2a3301e2542c
Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>
|
| 5affb6a7 | 16-Oct-2025 |
Slava Andrianov <slava.andrianov@arm.com> |
feat(mbedtls): update mbedtls to version 3.6.5
Change-Id: Ia5366faa71007024e098a05ee391a2ff8e8676c0
Signed-off-by: Slava Andrianov <slava.andrianov@arm.com> |
| ed2cb229 | 16-Oct-2025 |
Bipin Ravi <bipin.ravi@arm.com> |
Merge "docs: update TF-A May'26 release dates" into integration |
| 50cb1b6d | 16-Oct-2025 |
Govindraj Raja <govindraj.raja@arm.com> |
docs: update TF-A May'26 release dates
Tentatively updating the plan for TF-A v2.15 release in May'26.
Change-Id: I43de74567c57139023844a55ca90d354b6cc680d
Signed-off-by: Govindraj Raja <govindraj.raja@arm.com>
|
| b3bcfd12 | 14-Aug-2025 |
Andre Przywara <andre.przywara@arm.com> |
feat(cpufeat): enable FEAT_PFAR support
Implement support for FEAT_PFAR, which introduces the PFAR_ELx system register, recording the faulting physical address for some aborts. Those system registers are trapped by the SCR_EL3.PFARen bit, so set the bit for the non-secure world context to allow OSes to use the feature.
This is controlled by the ENABLE_FEAT_PFAR build flag, which follows the usual semantics of 2 meaning the feature being runtime detected. Let the default for this flag be 0, but set it to 2 for the FVP.
Change-Id: I5c9ae750417e75792f693732df3869e02b6e4319
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
|
| aa05796e | 15-Oct-2025 |
Manish Pandey <manish.pandey2@arm.com> |
Merge "feat(cpufeat): enable FEAT_AIE support" into integration |
| 90329375 | 14-Oct-2025 |
Bipin Ravi <bipin.ravi@arm.com> |
Merge "fix(docs): fix some broken links" into integration |
| 7e8b7096 | 14-Oct-2025 |
Govindraj Raja <govindraj.raja@arm.com> |
Merge changes Id711e387,I531a2ee1,Ic5b48514,I81f5f663,I6c529c13, ... into integration
* changes:
  refactor(romlib): absorb WRAPPER_FLAGS into LDFLAGS
  fix(build): simplify the -target options
  feat(build): allow full LTO builds with clang
  refactor(build): make sorting of sections generic
  feat(build): use clang as a linker
  fix(build): correctly detect that an option is missing with ld_option
  feat(build): pass cflags to the linker when LTO is enabled
|
| 5be66449 | 08-Oct-2025 |
Boyan Karatotev <boyan.karatotev@arm.com> |
refactor(build): make it standard to request a custom linker script
Hoist the add_define to a global location so that platforms only have to declare its usage. Fix up #ifdef to #if since we will now always pass a definition.
Change-Id: Ia52ad5ed4dcbd157d139c8ca2fb3d35b32343b93
Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>
|
| 80684b7e | 13-Oct-2025 |
Olivier Deprez <olivier.deprez@arm.com> |
Merge "fix(cm): deprecate use of NS_TIMER_SWITCH" into integration |