| #
b50c7af1 |
| 11-Dec-2025 |
Manish V Badarkhe <manish.badarkhe@arm.com> |
Merge changes from topic "hm/evlog" into integration
* changes:
  refactor(drtm): use crypto-agile measured boot
  refactor(imx): use crypto-agile measured boot
  refactor(qemu): use crypto-agile measured boot
  refactor(juno): use crypto-agile measured boot
  refactor(rpi3): use crypto-agile measured boot
  refactor(fvp): use crypto-agile measured boot
  feat(measured-boot): enable dynamic hash provisioning
  feat: add TPM/TCG hashing helper to crypto module
  chore: bump event log library
|
| #
265f1483 |
| 13-Oct-2025 |
Harrison Mutai <harrison.mutai@arm.com> |
feat(measured-boot): enable dynamic hash provisioning
Introduce dynamic hash provisioning for Measured Boot by removing the previous static hash-selection path and allowing platforms to supply algorithm metadata at runtime. Add mboot_find_event_log_metadata() as a common helper for resolving image metadata. Update the Event Log build logic to use MAX_DIGEST_SIZE and MAX_HASH_COUNT, deprecate legacy MBOOT_EL_HASH_ALG, and warn when it is used. Adjust MbedTLS configuration to enable hash algorithms automatically when Measured Boot is enabled.
Change-Id: I704e1a5005f6caad3d51d868bacc53699b6dd64f
Signed-off-by: Harrison Mutai <harrison.mutai@arm.com>
|
| #
beedfb93 |
| 04-Nov-2025 |
Manish V Badarkhe <manish.badarkhe@arm.com> |
Merge changes from topic "little-build-fixes" into integration
* changes:
  fix(build): don't rely on Event Log build tree
  fix(build): link Event Log library directly
  fix(build): scan symbols until all are resolved
  fix(build): add include directory dependencies
|
| #
76d5d32f |
| 30-Oct-2025 |
Harrison Mutai <harrison.mutai@arm.com> |
fix(build): don't rely on Event Log build tree
Follow proper CMake usage by installing libeventlog and referring to the installed artifacts rather than the build directory. The previous approach relied on build-tree paths, which is considered an anti-pattern and may break across CMake versions since the build layout is not stable or part of the public interface.
This change installs libeventlog into a staging directory and updates the TF-A build to use the installed include and library paths. This improves portability, stability, and compliance with CMake idioms.
Change-Id: I740a558fd6f3163a6af3b122e9e1df558a045872
Signed-off-by: Harrison Mutai <harrison.mutai@arm.com>
|
| #
03032a95 |
| 29-Oct-2025 |
Chris Kay <chris.kay@arm.com> |
fix(build): link Event Log library directly
The `libraries` target is a `.PHONY` target to which various real library targets, including the Event Log library, have been added over the years. This target is added as a dependency to any target created with the `MAKE_BL` function. While this might look convenient on the surface, it also dictates that a library must be linked even to images it is totally irrelevant for.
The Event Log library is a good example of this; the library is not typically used by all images, but by attaching itself to the `libraries` target it becomes mandatory for all of them.
This change returns some of the control over when and where the Event Log goes to platform maintainers via the introduction of two new variables:
- `LIBEVLOG_LIBS`: the path to the Event Log static library.
- `LIBEVLOG_INCLUDE_DIRS`: include directories for the public API.
These can be appended to `BLx_LIBS` and `BLx_INCLUDE_DIRS` to include the Event Log library in the relevant bootloaders.
Change-Id: I3e1a48cd45493334590b34b2ade0c6e29cbfd47a
Signed-off-by: Chris Kay <chris.kay@arm.com>
|
| #
7e277564 |
| 27-Oct-2025 |
Manish V Badarkhe <manish.badarkhe@arm.com> |
Merge changes from topic "ck/tf-a/cmake-cc-fix" into integration
* changes:
  fix(build): forward compiler launcher to CMake
  fix(build): force CMake to cross-compile
  fix(build): correctly forward C compiler to CMake
  feat(build): add helpers for managing compiler launchers
  refactor(build): track toolchain tool origin
  refactor(build): unify toolchain derivation
|
| #
f162e3ab |
| 29-Sep-2025 |
Chris Kay <chris.kay@arm.com> |
fix(build): forward compiler launcher to CMake
To ensure that compiler launchers like `ccache` are forwarded to CMake, we need to provide them separately via `CMAKE_C_COMPILER_LAUNCHER`.
Change-Id: I943d2fb5aaefe3915dbe424cb29277bac6dae799
Signed-off-by: Chris Kay <chris.kay@arm.com>
|
| #
3dc41a61 |
| 25-Sep-2025 |
Chris Kay <chris.kay@arm.com> |
fix(build): force CMake to cross-compile
CMake provides the `CMAKE_SYSTEM_NAME` variable, which identifies the target operating system that the project is being built for. By default this variable inherits its value from `CMAKE_HOST_SYSTEM_NAME`, which identifies the operating system of the host machine.
If these two variables differ in value, CMake determines that the project is being cross-compiled, and changes some of its behaviours.
For example: on macOS, unless cross-compiling is enabled, CMake passes Apple Clang's `-arch` flag to the C compiler whether it is Apple Clang or not.
To resolve this, this change now sets the following CMake variables:
- `CMAKE_SYSTEM_NAME` to `Generic`, indicating no specific system.
- `CMAKE_SYSTEM_VERSION` to ``, to un-inherit the host system version.
See the CMake documentation for the following variables:
- https://cmake.org/cmake/help/latest/variable/CMAKE_LANG_COMPILER.html
- https://cmake.org/cmake/help/latest/variable/CMAKE_LANG_HOST_COMPILER.html
- https://cmake.org/cmake/help/latest/variable/CMAKE_CROSSCOMPILING.html
Change-Id: Id5406c61baec459f56b6a105b3b507d238ff2847
Signed-off-by: Chris Kay <chris.kay@arm.com>
|
| #
fcada3d5 |
| 25-Sep-2025 |
Chris Kay <chris.kay@arm.com> |
fix(build): correctly forward C compiler to CMake
When `$($(ARCH)-cc)` does not represent a valid program name or path, CMake fails to configure the Event Log library.
This occurs because CMake treats `CMAKE_C_COMPILER` as a semicolon-delimited list of arguments to pass to `exec()`, whereas we provide it the value of `$($(ARCH)-cc)`, which is a shell fragment that does not necessarily represent a correct program path.
This change ensures that we pass a semicolon-delimited list as is expected by CMake.
Change-Id: I1dd3e53624054c4b5c881be1ab99e77ea22ceba2
Signed-off-by: Chris Kay <chris.kay@arm.com>
|
| #
b73aa414 |
| 17-Sep-2025 |
Manish V Badarkhe <manish.badarkhe@arm.com> |
Merge changes from topic "hm/evlog" into integration
* changes:
  build(measured-boot)!: move to ext event log lib
  feat(build): add utilities for modifying includes
|
| #
b67e9846 |
| 13-May-2025 |
Harrison Mutai <harrison.mutai@arm.com> |
build(measured-boot)!: move to ext event log lib
Removes in-tree Event Log library implementation and updates all references to use the external submodule. Updates include paths, Makefile macros, and platform integration logic to link with lib as a static library.
If you cloned TF-A without the `--recurse-submodules` flag, you can ensure that this submodule is present by running:
    git submodule update --init --recursive
BREAKING-CHANGE: LibEventLog is now included in TF-A as a submodule. Please run `git submodule update --init --recursive` if you encounter issues after migrating to the latest version of TF-A.
Change-Id: I723f493033c178759a45ea04118e7cc295dc2438
Signed-off-by: Harrison Mutai <harrison.mutai@arm.com>
|
| #
66fb7ee4 |
| 28-Apr-2025 |
Govindraj Raja <govindraj.raja@arm.com> |
Merge changes from topic "hm/handoff-mb" into integration
* changes:
  feat(arm): support boot info handoff and event log
  fix(arm): update tsp_early_platform_setup prototype
  fix(xilinx): update tsp_early_platform_setup prototype
  fix(socionext): update tsp_early_platform_setup prototype
  fix(msm8916): update tsp_early_platform_setup prototype
  feat(tsp): cascade boot arguments to platforms
  feat(fvp): port event log to firmware handoff
  feat(arm): port event log to firmware handoff
  feat(fvp): increase bl2 mmap len for handoff
  feat(measured-boot): add fw handoff event log utils
|
| #
ca391636 |
| 13-Dec-2024 |
Harrison Mutai <harrison.mutai@arm.com> |
feat(measured-boot): add fw handoff event log utils
Add utilities for handling an event log from a transfer list. These handle initialisation, and extension of an existing event log.
Change-Id: I42d8b65a7fa82fa866d8ac258d9eeb58af730a96
Signed-off-by: Harrison Mutai <harrison.mutai@arm.com>
|
| #
06b99f7a |
| 17-Apr-2025 |
Manish V Badarkhe <manish.badarkhe@arm.com> |
Merge changes from topic "hm/evlog" into integration
* changes:
  refactor(measured-boot): refine event log lib docs
  refactor(fvp): explicitly handle event log errors
  feat(measured-boot): make event log lib standalone
|
| #
cb03020e |
| 27-Feb-2025 |
Harrison Mutai <harrison.mutai@arm.com> |
feat(measured-boot): make event log lib standalone
Remove dependencies on TF-A so the library can be conveniently exported by other projects. The main changes are to remove explicit error handling, and ensure that functions instead return errno codes that consumers can rely on instead. Some work has also been done to make the function naming a little more consistent.
Change-Id: Ic182dfe7dd6f56a4b73e0da4c9051813938cfe44
Signed-off-by: Harrison Mutai <harrison.mutai@arm.com>
|
| #
7e848540 |
| 20-Mar-2025 |
Manish V Badarkhe <manish.badarkhe@arm.com> |
Merge changes from topic "dtpm_poc" into integration
* changes:
  feat(docs): update mboot threat model with dTPM
  docs(tpm): add design documentation for dTPM
  fix(rpi3): expose BL1_RW to BL2 map for mboot
  feat(rpi3): add dTPM backed measured boot
  feat(tpm): add Infineon SLB9670 GPIO SPI config
  feat(tpm): add tpm drivers and framework
  feat(io): add generic gpio spi bit-bang driver
  feat(rpi3): implement eventlog handoff to BL33
  feat(rpi3): implement mboot for rpi3
|
| #
36e3d877 |
| 28-Aug-2024 |
Abhi.Singh <abhi.singh@arm.com> |
feat(tpm): add tpm drivers and framework
Add tpm2 drivers to tf-a with adequate framework
- implement a fifo spi interface that works with discrete tpm chip.
- implement tpm command layer interfaces that are used to initialize, start and make measurements and close the interface.
- tpm drivers are built using their own make file to allow for ease in porting across platforms, and across different interfaces.
Signed-off-by: Tushar Khandelwal <tushar.khandelwal@arm.com>
Signed-off-by: Abhi Singh <abhi.singh@arm.com>
Change-Id: Ie1a189f45c80f26f4dea16c3bd71b1503709e0ea
|
| #
02450800 |
| 27-Jun-2022 |
Lauren Wehrmeister <lauren.wehrmeister@arm.com> |
Merge changes from topic "mb_hash" into integration
* changes:
  refactor(imx): update config of mbedtls support
  refactor(qemu): update configuring mbedtls support
  refactor(measured-boot): mb algorithm selection
|
| #
78da42a5 |
| 31-May-2022 |
laurenw-arm <lauren.wehrmeister@arm.com> |
refactor(measured-boot): mb algorithm selection
With RSS now introduced, we have 2 Measured Boot backends. Both backends can be used in the same firmware build with potentially different hash algorithms, so now there can be more than one hash algorithm in a build. Therefore the logic for selecting the measured boot hash algorithm needs to be updated and the coordination of algorithm selection added. This is done by:
- Adding MBOOT_EL_HASH_ALG for Event Log to define the hash algorithm to replace TPM_HASH_ALG, removing reference to TPM.
- Adding MBOOT_RSS_HASH_ALG for RSS to define the hash algorithm to replace TPM_HASH_ALG.
- Coordinating MBOOT_EL_HASH_ALG and MBOOT_RSS_HASH_ALG to define the Measured Boot configuration macros through defining TF_MBEDTLS_MBOOT_USE_SHA512 to pull in SHA-512 support if either backend requires a stronger algorithm than SHA-256.
Signed-off-by: Lauren Wehrmeister <lauren.wehrmeister@arm.com>
Change-Id: I4ddf06ebdc3835beb4d1b6c7bab5a257ffc5c71a
|
| #
2ba3085b |
| 11-Feb-2022 |
Manish Pandey <manish.pandey2@arm.com> |
Merge "refactor(measured-boot): cleanup Event Log makefile" into integration
|
| #
992d97c4 |
| 18-Jan-2022 |
Manish V Badarkhe <Manish.Badarkhe@arm.com> |
refactor(measured-boot): cleanup Event Log makefile
The Event Log sources are added to the source-list of BL1 and BL2 images in the Event Log Makefile. It doesn't seem correct since some platforms only compile Event Log sources for BL2. Hence, moved compilation decision of Event Log sources to the platform makefile.
Change-Id: I1cb96e24d6bea5e091d08167f3d1470d22b461cc
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
|
| #
97af8baf |
| 10-Dec-2021 |
Madhukar Pappireddy <madhukar.pappireddy@arm.com> |
Merge "refactor(measured-boot): add generic macros for using Crypto library" into integration
|
| #
14db963f |
| 06-Oct-2021 |
Manish V Badarkhe <Manish.Badarkhe@arm.com> |
refactor(measured-boot): add generic macros for using Crypto library
It doesn't look correct to use mbed TLS defines directly in the Event Log driver as this driver may use another Crypto library in future. Hence mbed TLS Crypto dependency on Event Log driver is removed by introducing generic Crypto defines and uses those in the Event Log driver to call Crypto functions. Also, updated mbed TLS glue layer to map these generic Crypto defines to mbed TLS library defines.
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
Change-Id: Ibc9c751f60cbce4d3f3cf049b7c53b3d05cc6735
|
| #
fa1e0167 |
| 13-Oct-2021 |
Sandrine Bailleux <sandrine.bailleux@arm.com> |
Merge changes from topic "refactor-mb" into integration
* changes:
  docs(measured boot): add measured boot platform functions
  refactor(measured boot): make measurement strings compliant with SBSG
  feat(plat/fvp): pass Event Log addr and size from BL1 to BL2
  feat(measured_boot): update tb_fw_config with event log properties
  feat(measured_boot): image hash measurement and recording in BL1
  refactor(measured boot): remove platform calls from Event Log driver
  refactor(measured_boot): remove passing of BL2 hash via device tree
  refactor(measured boot): move BL2 measurement to platform layer
  refactor(measured boot): rename add_event2()
  refactor(measured boot): move image measurement to generic layer
  build(measured boot): rename measured boot makefile
  feat(measured boot): move init and teardown functions to platform layer
  refactor(measured boot): rename tpm_record_measurement()
|
| #
48ba0345 |
| 14-Sep-2021 |
Manish V Badarkhe <Manish.Badarkhe@arm.com> |
feat(measured_boot): image hash measurement and recording in BL1
It looks a safer and cleaner approach to record the measurement taken by BL1 straightaway in TCG Event Log instead of deferring these recordings to BL2. Hence pull in the full-fledged measured boot driver into BL1 that replaces the former ad-hoc platform interfaces i.e. bl1_plat_set_bl2_hash, bl2_plat_get_hash.
As a result of this change the BL1 of Arm FVP platform now does the measurements and recordings of below images:
1. FW_CONFIG
2. TB_FW_CONFIG
3. BL2
Change-Id: I798c20336308b5e91b547da4f8ed57c24d490731
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
|