Merge "refactor(console): disable getc() by default" into integration

refactor(console): disable getc() by default

The ability to read a character from the console constitutes an attack
vector into TF-A, as it gives attackers a means to inject arbitrary
data into TF-A

refactor(console): disable getc() by default

The ability to read a character from the console constitutes an attack
vector into TF-A, as it gives attackers a means to inject arbitrary
data into TF-A. It is dangerous to keep that feature enabled if not
strictly necessary, especially in production firmware builds.

Thus, we need a way to disable this feature. Moreover, when it is
disabled, all related code should be eliminated from the firmware
binaries, such that no remnant/dead getc() code remains in memory,
which could otherwise be used as a gadget as part of a bigger security
attack.

This patch disables getc() feature by default. For legitimate getc()
use cases [1], it can be explicitly enabled by building TF-A with
ENABLE_CONSOLE_GETC=1.

The following changes are introduced when getc() is disabled:

- The multi-console framework no longer provides the console_getc()
function.

- If the console driver selected by the platform attempts to register
a getc() callback into the multi-console framework then TF-A will
now fail to build.

If registered through the assembly function finish_console_register():
- On AArch64, you'll get:
Error: undefined symbol CONSOLE_T_GETC used as an immediate value.
- On AArch32, you'll get:
Error: internal_relocation (type: OFFSET_IMM) not fixed up

If registered through the C function console_register(), this requires
populating a struct console with a getc field, which will trigger:
error: 'console_t' {aka 'struct console'} has no member named 'getc'

- All console drivers which previously registered a getc() callback
have been modified to do so only when ENABLE_CONSOLE_GETC=1.

[1] Example of such use cases would be:
- Firmware recovery: retrieving a golden BL2 image over the console in
order to repair a broken firmware on a bricked board.
- Factory CLI tool: Drive some soak tests through the console.

Discussed on TF-A mailing list here:
https://lists.trustedfirmware.org/archives/list/tf-a@lists.trustedfirmware.org/thread/YS7F6RCNTWBTEOBLAXIRTXWIOYINVRW7/

Change-Id: Icb412304cd23dbdd7662df7cf8992267b7975cc5
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
Acked-by: Baruch Siach <baruch@tkos.co.il>

show more ...

Merge "Don't return error information from console_flush" into integration

Don't return error information from console_flush

And from crash_console_flush.

We ignore the error information return by console_flush in _every_
place where we call it, and casting the return typ

Don't return error information from console_flush

And from crash_console_flush.

We ignore the error information return by console_flush in _every_
place where we call it, and casting the return type to void does not
work around the MISRA violation that this causes. Instead, we collect
the error information from the driver (to avoid changing that API), and
don't return it to the caller.

Change-Id: I1e35afe01764d5c8f0efd04f8949d333ffb688c1
Signed-off-by: Jimmy Brisson <jimmy.brisson@arm.com>

show more ...

Merge changes from topic "console_t_cleanup" into integration

* changes:
marvell: Consolidate console register calls
uniphier: Use generic console_t data structure
spe: Use generic console_t d

Merge changes from topic "console_t_cleanup" into integration

* changes:
marvell: Consolidate console register calls
uniphier: Use generic console_t data structure
spe: Use generic console_t data structure
LS 16550: Use generic console_t data structure
stm32: Use generic console_t data structure
rcar: Use generic console_t data structure
a3700: Use generic console_t data structure
16550: Use generic console_t data structure
imx: Use generic console_t data structure

show more ...

16550: Use generic console_t data structure

Since now the generic console_t structure holds the UART base address as
well, let's use that generic location and drop the UART driver specific
data stru

16550: Use generic console_t data structure

Since now the generic console_t structure holds the UART base address as
well, let's use that generic location and drop the UART driver specific
data structure at all.

Change-Id: I5c2fe3b6a667acf80c808cfec4a64059a2c9c25f
Signed-off-by: Andre Przywara <andre.przywara@arm.com>

show more ...

Merge "console: 16550: Prepare for skipping initialisation" into integration

console: 16550: Prepare for skipping initialisation

On some platforms the UART might have already been initialised, for
instance by firmware running before TF-A or by a separate management
processor

console: 16550: Prepare for skipping initialisation

On some platforms the UART might have already been initialised, for
instance by firmware running before TF-A or by a separate management
processor. In this case it would not be need to initialise it again
(doing so could create spurious characters). But more importantly this
saves us from knowing the right baudrate and the right base clock rate
for the UART. This can lead to more robust and versatile firmware builds.

Allow to skip the 16550 UART initialisation and baud rate divisor
programming, by interpreting an input clock rate of "0" to signify this
case. This will just skip the call to console_16550_core_init, but still
will register the console properly.

Users should just pass 0 as the second parameter, the baudrate (third
parameter) will then be ignored as well.

Fix copy & paste typos in comments for the console_16550_register()
function on the way.

Signed-off-by: Andre Przywara <andre.przywara@arm.com>
Change-Id: I9f8fca5b358f878fac0f31dc411358fd160786ee

show more ...

Merge changes from topic "rk3288" into integration

* changes:
rockchip: document platform
rockchip: add support for rk3288
rockchip: add common aarch32 support
rockchip: rk3328: drop double

Merge changes from topic "rk3288" into integration

* changes:
rockchip: document platform
rockchip: add support for rk3288
rockchip: add common aarch32 support
rockchip: rk3328: drop double declaration of entry_point storage
rockchip: Allow socs with undefined wfe check bits
rockchip: move pmusram assembler code to a aarch64 subdir
sp_min: allow inclusion of a platform-specific linker script
sp_min: make sp_min_warm_entrypoint public
drivers: ti: uart: add a aarch32 variant

show more ...

drivers: ti: uart: add a aarch32 variant

Rockchip re-uses the ti uart console driver and for aarch32 needs a
specific variant, so add it.
There are also aarch32 ti socs, so it may be useful for them

drivers: ti: uart: add a aarch32 variant

Rockchip re-uses the ti uart console driver and for aarch32 needs a
specific variant, so add it.
There are also aarch32 ti socs, so it may be useful for them as well
at some point.

Signed-off-by: Heiko Stuebner <heiko@sntech.de>
Change-Id: I31ede7cc7b10347b3691cff051db2b985fd59e17

show more ...