| 654b65b3 | 06-Jan-2023 |
Yann Gautier <yann.gautier@st.com> |
fix(auth): use NULL instead of 0 for pointer check
This was triggered by sparse tool: drivers/auth/mbedtls/mbedtls_x509_parser.c:481:42: warning: Using plain integer as NULL pointer
Signed-off-by: Yann Gautier <yann.gautier@st.com>
Change-Id: I392316c2a81ef8da7597e35f136e038f152d19d1
|
| 06d223cb | 09-Dec-2022 |
Yann Gautier <yann.gautier@st.com> |
fix(io): compare function pointers with NULL
The ops->read and ops->write existence was checked with 0, change it to NULL. This corrects sparse issues:
drivers/io/io_block.c:272:9: warning: Using plain integer as NULL pointer
drivers/io/io_block.c:384:9: warning: Using plain integer as NULL pointer
drivers/io/io_block.c:384:9: warning: Using plain integer as NULL pointer
Signed-off-by: Yann Gautier <yann.gautier@st.com>
Change-Id: I039050a645107523d8263ddf820e539c260d956c
|
| f5c51855 | 09-Dec-2022 |
Demi Marie Obenour <demiobenour@gmail.com> |
fix(auth): properly validate X.509 extensions
get_ext() does not check the return value of the various mbedtls_* functions, as cert_parse() is assumed to have guaranteed that they will always succeed. However, it passes the end of an extension as the end pointer to these functions, whereas cert_parse() passes the end of the TBSCertificate. Furthermore, cert_parse() does *not* check that the contents of the extension have the same length as the extension itself. Before fd37982a19a4a291 ("fix(auth): forbid junk after extensions"), cert_parse() also does not check that the extension block extends to the end of the TBSCertificate.
This is a problem, as mbedtls_asn1_get_tag() leaves *p and *len undefined on failure. In practice, this results in get_ext() continuing to parse at different offsets than were used (and validated) by cert_parse(), which means that the in-bounds guarantee provided by cert_parse() no longer holds.
This patch fixes the remaining flaw by enforcing that the contents of an extension are the same length as the extension itself.
Change-Id: Id4570f911402e34d5d6c799ae01a01f184c68d7c
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
|
| abb8f936 | 09-Dec-2022 |
Demi Marie Obenour <demiobenour@gmail.com> |
fix(auth): avoid out-of-bounds read in auth_nvctr()
auth_nvctr() does not check that the buffer provided is long enough to hold an ASN.1 INTEGER, or even that the buffer is non-empty. Since auth_nvctr() will only ever read 6 bytes, it is possible to read up to 6 bytes past the end of the buffer.
This out-of-bounds read turns out to be harmless. The only caller of auth_nvctr() always passes a pointer into an X.509 TBSCertificate, and all in-tree chains of trust require that the certificate’s signature has already been validated. This means that the signature algorithm identifier is at least 4 bytes and the signature itself more than that. Therefore, the data read will be from the certificate itself. Even if the certificate signature has not been validated, an out-of-bounds read is still not possible. Since there are at least two bytes (tag and length) in both the signature algorithm ID and the signature itself, an out-of-bounds read would require that the tag byte of the signature algorithm ID would need to be either the tag or length byte of the DER-encoded nonvolatile counter. However, this byte must be (MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE) (0x30), which is greater than 4 and not equal to MBEDTLS_ASN1_INTEGER (2). Therefore, auth_nvctr() will error out before reading the integer itself, preventing an out-of-bounds read.
Change-Id: Ibdf1af702fbeb98a94c0c96456ebddd3d392ad44
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
|
| 601e2d43 | 10-Jan-2023 |
Manish Pandey <manish.pandey2@arm.com> |
Merge changes from topic "bk/warnings" into integration
* changes:
  docs: describe the new warning levels
  build: add -Wunused-const-variable=2 to W=2
  build: include -Wextra in generic builds
  docs(porting-guide): update a reference
  fix(st-usb): replace redundant checks with asserts
  fix(brcm): add braces around bodies of conditionals
  fix(renesas): align incompatible function pointers
  fix(zynqmp): remove redundant api_version check
  fix: remove old-style declarations
  fix: unify fallthrough annotations
|
| 5d68e891 | 07-Jan-2023 |
Sylwester Garncarek <sylwester.garncarek@sciopta.com> |
fix(gicv3): fixed bug in the initialization of GICv3 SGIs/(E)PPIs interrupt priorities
Default priority was not being set for all interrupts (gicr_write_ipriorityr takes INTID, not register number). The fix makes the loop pass INTID in range 0, 4, 8, 12, ...
Signed-off-by: Sylwester Garncarek <sylwester.garncarek@sciopta.com>
Change-Id: Iaa975f6af49f5826c2811161f55242844c28ea81
|
| ef27dd23 | 04-Jan-2023 |
Sandrine Bailleux <sandrine.bailleux@arm.com> |
Merge "refactor(auth): avoid parsing signature algorithm twice" into integration |
| ce882b53 | 08-Dec-2022 |
Demi Marie Obenour <demiobenour@gmail.com> |
refactor(auth): do not include SEQUENCE tag in saved extensions
This makes the code a little bit smaller. No functional change intended.
Change-Id: I794d2927fcd034a79e29c9bba1f8e4410203f547
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
|
| ca34dbc0 | 08-Dec-2022 |
Demi Marie Obenour <demiobenour@gmail.com> |
fix(auth): reject junk after certificates
Certificates must not allow trailing junk after them.
Change-Id: Ie33205fb051fc63af5b72c326822da7f62eec1d1
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
|
| 8816dbb3 | 08-Dec-2022 |
Demi Marie Obenour <demiobenour@gmail.com> |
fix(auth): require bit strings to have no unused bits
This is already checked by the crypto module or by mbedTLS, but checking it in the X.509 parser is harmless.
Change-Id: Ifdbe3b4c6d04481bb8e93106ee04b49a70f50d5d
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
|
| 2439a808 | 03-Jan-2023 |
Sandrine Bailleux <sandrine.bailleux@arm.com> |
Merge changes Ia748b6ae,Id8a48e14,Id25ab231,Ie26eed8a,Idf48f716, ... into integration
* changes:
  refactor(auth): partially validate SubjectPublicKeyInfo early
  fix(auth): reject padding after BIT STRING in signatures
  fix(auth): reject invalid padding in digests
  fix(auth): require at least one extension to be present
  fix(auth): forbid junk after extensions
  fix(auth): only accept v3 X.509 certificates
|
| a95a451b | 03-Jan-2023 |
Manish Pandey <manish.pandey2@arm.com> |
Merge changes from topic "st_fix_sparse_warnings" into integration
* changes:
  fix(st-crypto): remove platdata functions
  fix(st-crypto): set get_plain_pk_from_asn1() static
  fix(stm32mp1): add missing platform.h include
  fix(st): make metadata_block_spec static
|
| 63cc49d0 | 08-Dec-2022 |
Demi Marie Obenour <demiobenour@gmail.com> |
refactor(auth): avoid parsing signature algorithm twice
Since the two instances of the signature algorithm in a certificate must be bitwise identical, it is not necessary to parse both of them. Instead, it suffices to parse one of them, and then check that the other fits in the remaining buffer space and is equal to the first.
Change-Id: Id0a0663165f147879ac83b6a540378fd4873b0dd
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
|
| 94c0cfbb | 08-Dec-2022 |
Demi Marie Obenour <demiobenour@gmail.com> |
refactor(auth): partially validate SubjectPublicKeyInfo early
This reduces the likelihood of future problems later.
Change-Id: Ia748b6ae31a7a48f17ec7f0fc08310a50cd1b135
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
|
| a8c8c5ef | 08-Dec-2022 |
Demi Marie Obenour <demiobenour@gmail.com> |
fix(auth): reject padding after BIT STRING in signatures
It is forbidden by ASN.1 DER.
Change-Id: Id8a48e14bb8a1a17a6481ea3fde0803723c05e31
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
|
| f47547b3 | 08-Dec-2022 |
Demi Marie Obenour <demiobenour@gmail.com> |
fix(auth): reject invalid padding in digests
Digests must not have padding after the SEQUENCE or OCTET STRING.
Change-Id: Id25ab23111781f8c8a97c2c3c8edf1cc4a4384c0
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
|
| 72460f50 | 08-Dec-2022 |
Demi Marie Obenour <demiobenour@gmail.com> |
fix(auth): require at least one extension to be present
X.509 and RFC5280 allow omitting the extensions entirely, but require that if the extensions field is present at all, it must contain at least one certificate. TF-A already requires the extensions to be present, but allows them to be empty. However, a certificate with an empty extensions field will always fail later on, as the extensions contain the information needed to validate the next stage in the boot chain. Therefore, it is simpler to require the extension field to be present and contain at least one extension. Also add a comment explaining why the extensions field is required, even though it is OPTIONAL in the ASN.1 syntax.
Change-Id: Ie26eed8a7924bf50937a6b27ccdf7cc9a390588d
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
|
| fd37982a | 08-Dec-2022 |
Demi Marie Obenour <demiobenour@gmail.com> |
fix(auth): forbid junk after extensions
The extensions must use all remaining bytes in the TBSCertificate.
Change-Id: Idf48f7168e146d050ba62dbc732638946fcd6c92
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
|
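The three checks described in f5c51855 (an extension's contents must fill the extension exactly, with every field bounded by the extension's own end rather than the TBSCertificate's), 72460f50 (at least one extension must be present) and fd37982a (no junk after the extensions) gathered into one added example. This is illustrative code, not TF-A's mbedtls_x509_parser.c: it assumes a tiny hand-written DER header reader (der_header, short-form lengths only) in place of mbedtls_asn1_get_tag(), and the sample inputs are hand-built.

```c
#include <stddef.h>
#include <stdint.h>
#define TAG_BOOLEAN      0x01
#define TAG_OCTET_STRING 0x04
#define TAG_OID          0x06
#define TAG_SEQUENCE     0x30

/* Read one DER tag + length header (short-form lengths only, an assumption made
 * to keep the example small). Advances *p to the content, which is checked to fit before 'end'. */
static int der_header(const uint8_t **p, const uint8_t *end, uint8_t tag, size_t *len)
{
	const uint8_t *q = *p;
	if (end - q < 2 || q[0] != tag || q[1] >= 0x80) return -1;
	if ((size_t)(end - (q + 2)) < q[1]) return -1;
	*len = q[1];
	*p = q + 2;
	return 0;
}

/* Validate an X.509 Extensions block that must occupy [buf, buf+n) exactly: no junk after
 * it, at least one extension, and each extension's fields bounded by, and filling, that extension. */
int check_extensions(const uint8_t *buf, size_t n)
{
	const uint8_t *p = buf, *end = buf + n;
	size_t len;
	if (der_header(&p, end, TAG_SEQUENCE, &len)) return -1;
	if (p + len != end) return -1;  /* fd37982a: no junk after the extensions */
	if (len == 0) return -1;        /* 72460f50: at least one extension present */
	while (p < end) {
		const uint8_t *ext_end;
		if (der_header(&p, end, TAG_SEQUENCE, &len)) return -1;
		ext_end = p + len;          /* f5c51855: bound fields by the extension, not the TBS */
		if (der_header(&p, ext_end, TAG_OID, &len)) return -1;     /* extnID */
		p += len;
		if (p < ext_end && *p == TAG_BOOLEAN) {                    /* optional critical */
			if (der_header(&p, ext_end, TAG_BOOLEAN, &len) || len != 1) return -1;
			p += len;
		}
		if (der_header(&p, ext_end, TAG_OCTET_STRING, &len)) return -1; /* extnValue */
		p += len;
		if (p != ext_end) return -1;  /* f5c51855: contents must fill the extension */
	}
	return 0;
}

/* Constructed samples: one basicConstraints (2.5.29.19) extension, critical, value SEQUENCE {}. */
const uint8_t ext_ok[]    = {0x30,0x0E, 0x30,0x0C, 0x06,0x03,0x55,0x1D,0x13, 0x01,0x01,0xFF, 0x04,0x02,0x30,0x00};
const uint8_t ext_junk[]  = {0x30,0x0E, 0x30,0x0C, 0x06,0x03,0x55,0x1D,0x13, 0x01,0x01,0xFF, 0x04,0x02,0x30,0x00, 0x00};
const uint8_t ext_empty[] = {0x30,0x00};
const uint8_t ext_slack[] = {0x30,0x0F, 0x30,0x0D, 0x06,0x03,0x55,0x1D,0x13, 0x01,0x01,0xFF, 0x04,0x02,0x30,0x00, 0x00};
```

ext_junk carries a byte after the Extensions SEQUENCE, ext_empty is an Extensions SEQUENCE with no members, and ext_slack declares an extension one byte longer than its fields; each is rejected by a different one of the three checks.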
| e9e4a2a6 | 08-Dec-2022 |
Demi Marie Obenour <demiobenour@gmail.com> |
fix(auth): only accept v3 X.509 certificates
v1 and v2 are forbidden as at least one extension is required. Instead of actually parsing the version number, just compare it with a hard-coded string.
Change-Id: Ib8fd34304a0049787db77ec8c2359d0930cd4ba1
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
|
| 01617e0b | 19-Dec-2022 |
Manish Pandey <manish.pandey2@arm.com> |
Merge "fix(gic): wrap cache enabled assert under plat_can_cmo" into integration |
| 69544959 | 22-Nov-2022 |
Yann Gautier <yann.gautier@st.com> |
refactor(st): remove unused io_mmc driver
This driver was used when STM32MP_USE_STM32IMAGE was enabled. This flag is now removed, so the ST io_mmc driver can now be removed.
Signed-off-by: Yann Gautier <yann.gautier@st.com>
Change-Id: I3c1280dec8926b921534c81e143e86cfe6d4ee0d
|
| 79664cfc | 15-Dec-2022 |
Madhukar Pappireddy <madhukar.pappireddy@arm.com> |
Merge changes I2b23e7c8,I779587af,Ic46de7a4,If753e987,I00171b05, ... into integration
* changes:
  fix(layerscape): unlock write access SMMU_CBn_ACTLR
  fix(nxp-ddr): add checking return value
  feat(lx2): enable OCRAM ECC
  fix(nxp-tools): fix coverity issue
  fix(nxp-ddr): fix coverity issue
  fix(nxp-ddr): fix underrun coverity issue
  fix(nxp-drivers): fix sd secure boot failure
  feat(lx2): support more variants
  fix(lx2): init global data before using it
  fix(ls1046a): 4 keys secureboot failure resolved
  fix(nxp-crypto): fix secure boot assert inclusion
  fix(nxp-crypto): fix coverity issue
  fix(nxp-drivers): fix fspi coverity issue
  fix(nxp-drivers): fix tzc380 memory regions config
  fix(layerscape): fix nv_storage assert checking
  fix(nxp-ddr): apply Max CDD values for warm boot
  fix(nxp-ddr): use CDDWW for write to read delay
  fix(layerscape): fix errata a008850
|
| 6b3ca0a8 | 13-Dec-2022 |
Yann Gautier <yann.gautier@st.com> |
fix(st-crypto): remove platdata functions
The functions stm32_pka_get_platdata() and stm32_saes_get_platdata() are not used. They can be removed as we always use DT to retrieve the device configuration. This issue was triggered by sparse tool or when enabling warning -Wmissing-prototypes.
Signed-off-by: Yann Gautier <yann.gautier@st.com>
Change-Id: I5cce9a0765144d694e8ddece37361ccbb85d1734
|
| 78fbb0ec | 30-Nov-2022 |
Channagoud kadabi <kadabi@google.com> |
fix(gic): wrap cache enabled assert under plat_can_cmo
With reference to feature 04c730 (feat(cpus): make cache ops conditional), booting with caches in debug recovery means SCTLR_C_BIT will be 0. Wrap the assert for the d-cache enabled check in CONDITIONAL_CMO and plat_can_cmo calls to allow booting with d-cache disabled.
Signed-off-by: Channagoud kadabi <kadabi@google.com>
Change-Id: I80153df493d1ec9e5e354c7c2e6a14322d22c446
|
| 5d942ff1 | 25-Nov-2022 |
Yann Gautier <yann.gautier@st.com> |
fix(st-gpio): define shift as uint32_t
This corrects MISRA C2012-10.6: The value of a composite expression shall not be assigned to an object with wider essential type. While at it change all the shift values to unsigned.
Signed-off-by: Yann Gautier <yann.gautier@st.com>
Change-Id: Idf9915313af965db2106095df7cb48a84f50c519
|