Merge "refactor(console): disable getc() by default" into integration

refactor(console): disable getc() by default

The ability to read a character from the console constitutes an attack
vector into TF-A, as it gives attackers a means to inject arbitrary
data into TF-A

refactor(console): disable getc() by default

The ability to read a character from the console constitutes an attack
vector into TF-A, as it gives attackers a means to inject arbitrary
data into TF-A. It is dangerous to keep that feature enabled if not
strictly necessary, especially in production firmware builds.

Thus, we need a way to disable this feature. Moreover, when it is
disabled, all related code should be eliminated from the firmware
binaries, such that no remnant/dead getc() code remains in memory,
which could otherwise be used as a gadget as part of a bigger security
attack.

This patch disables getc() feature by default. For legitimate getc()
use cases [1], it can be explicitly enabled by building TF-A with
ENABLE_CONSOLE_GETC=1.

The following changes are introduced when getc() is disabled:

- The multi-console framework no longer provides the console_getc()
function.

- If the console driver selected by the platform attempts to register
a getc() callback into the multi-console framework then TF-A will
now fail to build.

If registered through the assembly function finish_console_register():
- On AArch64, you'll get:
Error: undefined symbol CONSOLE_T_GETC used as an immediate value.
- On AArch32, you'll get:
Error: internal_relocation (type: OFFSET_IMM) not fixed up

If registered through the C function console_register(), this requires
populating a struct console with a getc field, which will trigger:
error: 'console_t' {aka 'struct console'} has no member named 'getc'

- All console drivers which previously registered a getc() callback
have been modified to do so only when ENABLE_CONSOLE_GETC=1.

[1] Example of such use cases would be:
- Firmware recovery: retrieving a golden BL2 image over the console in
order to repair a broken firmware on a bricked board.
- Factory CLI tool: Drive some soak tests through the console.

Discussed on TF-A mailing list here:
https://lists.trustedfirmware.org/archives/list/tf-a@lists.trustedfirmware.org/thread/YS7F6RCNTWBTEOBLAXIRTXWIOYINVRW7/

Change-Id: Icb412304cd23dbdd7662df7cf8992267b7975cc5
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
Acked-by: Baruch Siach <baruch@tkos.co.il>

show more ...

Merge "Don't return error information from console_flush" into integration

Don't return error information from console_flush

And from crash_console_flush.

We ignore the error information return by console_flush in _every_
place where we call it, and casting the return typ

Don't return error information from console_flush

And from crash_console_flush.

We ignore the error information return by console_flush in _every_
place where we call it, and casting the return type to void does not
work around the MISRA violation that this causes. Instead, we collect
the error information from the driver (to avoid changing that API), and
don't return it to the caller.

Change-Id: I1e35afe01764d5c8f0efd04f8949d333ffb688c1
Signed-off-by: Jimmy Brisson <jimmy.brisson@arm.com>

show more ...

Merge changes from topic "console_t_cleanup" into integration

* changes:
marvell: Consolidate console register calls
uniphier: Use generic console_t data structure
spe: Use generic console_t d

Merge changes from topic "console_t_cleanup" into integration

* changes:
marvell: Consolidate console register calls
uniphier: Use generic console_t data structure
spe: Use generic console_t data structure
LS 16550: Use generic console_t data structure
stm32: Use generic console_t data structure
rcar: Use generic console_t data structure
a3700: Use generic console_t data structure
16550: Use generic console_t data structure
imx: Use generic console_t data structure

show more ...

16550: Use generic console_t data structure

Since now the generic console_t structure holds the UART base address as
well, let's use that generic location and drop the UART driver specific
data stru

16550: Use generic console_t data structure

Since now the generic console_t structure holds the UART base address as
well, let's use that generic location and drop the UART driver specific
data structure at all.

Change-Id: I5c2fe3b6a667acf80c808cfec4a64059a2c9c25f
Signed-off-by: Andre Przywara <andre.przywara@arm.com>

show more ...

Merge "console: 16550: Prepare for skipping initialisation" into integration

console: 16550: Prepare for skipping initialisation

On some platforms the UART might have already been initialised, for
instance by firmware running before TF-A or by a separate management
processor

console: 16550: Prepare for skipping initialisation

On some platforms the UART might have already been initialised, for
instance by firmware running before TF-A or by a separate management
processor. In this case it would not be need to initialise it again
(doing so could create spurious characters). But more importantly this
saves us from knowing the right baudrate and the right base clock rate
for the UART. This can lead to more robust and versatile firmware builds.

Allow to skip the 16550 UART initialisation and baud rate divisor
programming, by interpreting an input clock rate of "0" to signify this
case. This will just skip the call to console_16550_core_init, but still
will register the console properly.

Users should just pass 0 as the second parameter, the baudrate (third
parameter) will then be ignored as well.

Fix copy & paste typos in comments for the console_16550_register()
function on the way.

Signed-off-by: Andre Przywara <andre.przywara@arm.com>
Change-Id: I9f8fca5b358f878fac0f31dc411358fd160786ee

show more ...

Merge changes from topic "av/console-port" into integration

* changes:
qemu: use new console interface in aarch32
warp7: remove old console from makefile
Remove MULTI_CONSOLE_API flag and refe

Merge changes from topic "av/console-port" into integration

* changes:
qemu: use new console interface in aarch32
warp7: remove old console from makefile
Remove MULTI_CONSOLE_API flag and references to it
Console: removed legacy console API

show more ...

Remove MULTI_CONSOLE_API flag and references to it

The new API becomes the default one.

Change-Id: Ic1d602da3dff4f4ebbcc158b885295c902a24fec
Signed-off-by: Ambroise Vincent <ambroise.vincent@arm.co

Remove MULTI_CONSOLE_API flag and references to it

The new API becomes the default one.

Change-Id: Ic1d602da3dff4f4ebbcc158b885295c902a24fec
Signed-off-by: Ambroise Vincent <ambroise.vincent@arm.com>

show more ...

Merge pull request #1920 from ambroise-arm/av/deprecated

Remove deprecated interfaces

Console: remove deprecated finish_console_register

The old version of the macro is deprecated.

Commit cc5859ca19ff ("Multi-console: Deprecate the
`finish_console_register` macro") provides more det

Console: remove deprecated finish_console_register

The old version of the macro is deprecated.

Commit cc5859ca19ff ("Multi-console: Deprecate the
`finish_console_register` macro") provides more details.

Change-Id: I3d1cdf6496db7d8e6cfbb5804f508ff46ae7e67e
Signed-off-by: Ambroise Vincent <ambroise.vincent@arm.com>

show more ...

Merge pull request #1726 from antonio-nino-diaz-arm/an/includes

Sanitise includes across codebase

Sanitise includes across codebase

Enforce full include path for includes. Deprecate old paths.

The following folders inside include/lib have been left unchanged:

- include/lib/cpus/${ARCH}
- inclu

Sanitise includes across codebase

Enforce full include path for includes. Deprecate old paths.

The following folders inside include/lib have been left unchanged:

- include/lib/cpus/${ARCH}
- include/lib/el3_runtime/${ARCH}

The reason for this change is that having a global namespace for
includes isn't a good idea. It defeats one of the advantages of having
folders and it introduces problems that are sometimes subtle (because
you may not know the header you are actually including if there are two
of them).

For example, this patch had to be created because two headers were
called the same way: e0ea0928d5b7 ("Fix gpio includes of mt8173 platform
to avoid collision."). More recently, this patch has had similar
problems: 46f9b2c3a282 ("drivers: add tzc380 support").

This problem was introduced in commit 4ecca33988b9 ("Move include and
source files to logical locations"). At that time, there weren't too
many headers so it wasn't a real issue. However, time has shown that
this creates problems.

Platforms that want to preserve the way they include headers may add the
removed paths to PLAT_INCLUDES, but this is discouraged.

Change-Id: I39dc53ed98f9e297a5966e723d1936d6ccf2fc8f
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>

show more ...

Merge pull request #1640 from soby-mathew/sm/fin_con_reg

Multi-console: Deprecate the `finish_console_register` macro

Multi-console: Deprecate the `finish_console_register` macro

The `finish_console_register` macro is used by the multi console
framework to register the `console_t` driver callbacks. It relied
on wea

Multi-console: Deprecate the `finish_console_register` macro

The `finish_console_register` macro is used by the multi console
framework to register the `console_t` driver callbacks. It relied
on weak references to the `ldr` instruction to populate 0 to the
callback in case the driver has not defined the appropriate
function. Use of `ldr` instruction to load absolute address to a
reference makes the binary position dependant. These instructions
should be replaced with adrp/adr instruction for position independant
executable(PIE). But adrp/adr instructions don't work well with weak
references as described in GNU ld bugzilla issue 22589.

This patch defines a new version of `finish_console_register` macro
which can spcify which driver callbacks are valid and deprecates the
old one. If any of the argument is not specified, then the macro
populates 0 for that callback. Hence the functionality of the previous
deprecated macro is preserved. The USE_FINISH_CONSOLE_REG_2 define
is used to select the new variant of the macro and will be removed
once the deprecated variant is removed.

All the upstream console drivers have been migrated to use the new
macro in this patch.

NOTE: Platforms be aware that the new variant of the
`finish_console_register` should be used and the old variant is
deprecated.

Change-Id: Ia6a67aaf2aa3ba93932992d683587bbd0ad25259
Signed-off-by: Soby Mathew <soby.mathew@arm.com>

show more ...

Merge pull request #1630 from antonio-nino-diaz-arm/an/fix-console

pl011: cnds: cbmem: 16550: Fix comments

pl011: cnds: cbmem: 16550: Fix comments

The comments with the prototypes of the register functions of the
console drivers are incorrect. The arguments are wrong. This patch fixes
them.

Change-Id: I

pl011: cnds: cbmem: 16550: Fix comments

The comments with the prototypes of the register functions of the
console drivers are incorrect. The arguments are wrong. This patch fixes
them.

Change-Id: I38c4b481ee69e840780111c42f03c0752eb6315c
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>

show more ...

Merge pull request #1402 from glneo/for-upstream-uart

drivers: ti: uart: Add TI specific 16550 initialization

drivers: ti: uart: Add TI specific 16550 initialization

On TI platforms the UART is disabled by default and must be explicitly
enabled using the MDR1 register.

NOTE: The original definition of
http

drivers: ti: uart: Add TI specific 16550 initialization

On TI platforms the UART is disabled by default and must be explicitly
enabled using the MDR1 register.

NOTE: The original definition of
http://www.ti.com/lit/ds/symlink/pc16550d.pdf has no MDR register, but
many TI SoCs implementing 16550 do have a quirky MDR register
implemented. So, this should be enabled with TI_16550_MDR_QUIRK

NOTE: In such implementation, the CSR register does not exist.

Signed-off-by: Benjamin Fair <b-fair@ti.com>
Signed-off-by: Nishanth Menon <nm@ti.com>
Signed-off-by: Andrew F. Davis <afd@ti.com>

show more ...

Merge pull request #1329 from antonio-nino-diaz-arm/an/rpi3-multi-console

rpi3: Migrate to the multi console API

drivers: ti: 16550: Implement console flush

Replace placeholder by actual implementation.

Change-Id: I0861b1ac5304b0d2d7c32d7d9a48bd985e258e92
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm

drivers: ti: 16550: Implement console flush

Replace placeholder by actual implementation.

Change-Id: I0861b1ac5304b0d2d7c32d7d9a48bd985e258e92
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>

show more ...

Merge pull request #1193 from jwerner-chromium/JW_coreboot

New console API and coreboot support [v4]

drivers: ti: uart: Update 16550 UART driver to support MULTI_CONSOLE_API

This patch updates the TI 16550 console driver to support the new
console API. The driver will continue to support the old AP

drivers: ti: uart: Update 16550 UART driver to support MULTI_CONSOLE_API

This patch updates the TI 16550 console driver to support the new
console API. The driver will continue to support the old API as well by
checking the MULTI_CONSOLE_API compile-time flag.

Change-Id: I60a44b7ba3c35c74561824c04b8dbe3e3039324c
Signed-off-by: Julius Werner <jwerner@chromium.org>

show more ...

Merge pull request #925 from dp-arm/dp/spdx

Use SPDX license identifiers