refactor(console): disable getc() by default

The ability to read a character from the console constitutes an attack
vector into TF-A, as it gives attackers a means to inject arbitrary
data into TF-A

refactor(console): disable getc() by default

The ability to read a character from the console constitutes an attack
vector into TF-A, as it gives attackers a means to inject arbitrary
data into TF-A. It is dangerous to keep that feature enabled if not
strictly necessary, especially in production firmware builds.

Thus, we need a way to disable this feature. Moreover, when it is
disabled, all related code should be eliminated from the firmware
binaries, such that no remnant/dead getc() code remains in memory,
which could otherwise be used as a gadget as part of a bigger security
attack.

This patch disables getc() feature by default. For legitimate getc()
use cases [1], it can be explicitly enabled by building TF-A with
ENABLE_CONSOLE_GETC=1.

The following changes are introduced when getc() is disabled:

- The multi-console framework no longer provides the console_getc()
function.

- If the console driver selected by the platform attempts to register
a getc() callback into the multi-console framework then TF-A will
now fail to build.

If registered through the assembly function finish_console_register():
- On AArch64, you'll get:
Error: undefined symbol CONSOLE_T_GETC used as an immediate value.
- On AArch32, you'll get:
Error: internal_relocation (type: OFFSET_IMM) not fixed up

If registered through the C function console_register(), this requires
populating a struct console with a getc field, which will trigger:
error: 'console_t' {aka 'struct console'} has no member named 'getc'

- All console drivers which previously registered a getc() callback
have been modified to do so only when ENABLE_CONSOLE_GETC=1.

[1] Example of such use cases would be:
- Firmware recovery: retrieving a golden BL2 image over the console in
order to repair a broken firmware on a bricked board.
- Factory CLI tool: Drive some soak tests through the console.

Discussed on TF-A mailing list here:
https://lists.trustedfirmware.org/archives/list/tf-a@lists.trustedfirmware.org/thread/YS7F6RCNTWBTEOBLAXIRTXWIOYINVRW7/

Change-Id: Icb412304cd23dbdd7662df7cf8992267b7975cc5
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
Acked-by: Baruch Siach <baruch@tkos.co.il>

show more ...

Merge changes from topic "bk/context_refactor" into integration

* changes:
refactor(cm): enable S-EL2 globally for all contexts
refactor(cm): remove world differentiation for EL2 context restore

Merge changes from topic "bk/context_refactor" into integration

* changes:
refactor(cm): enable S-EL2 globally for all contexts
refactor(cm): remove world differentiation for EL2 context restore
fix(cm): make ICC_SRE_EL2 fixup generic to all worlds
refactor(cm): clean up SCR_EL3 and CPTR_EL3 initialization

show more ...

Merge changes from topic "mb/psa-crypto-support" into integration

* changes:
feat(mbedtls-psa): use PSA crypto API during signature verification
feat(mbedtls-psa): use PSA crypto API during hash

Merge changes from topic "mb/psa-crypto-support" into integration

* changes:
feat(mbedtls-psa): use PSA crypto API during signature verification
feat(mbedtls-psa): use PSA crypto API during hash calculation
feat(mbedtls-psa): use PSA crypto API for hash verification
feat(mbedtls-psa): initialise mbedtls psa crypto
feat(mbedtls-psa): register an ad-hoc PSA crypto driver
feat(mbedtls-psa): introduce PSA_CRYPTO build option
docs(changelog): add scope for MbedTLS PSA Crypto

show more ...

refactor(cm): remove world differentiation for EL2 context restore

The EL2 context save/restore functions have an optimisation to not
bother with the EL2 context when SEL2 is not in use. However, th

refactor(cm): remove world differentiation for EL2 context restore

The EL2 context save/restore functions have an optimisation to not
bother with the EL2 context when SEL2 is not in use. However, this
decision is made on the current value of SCR_EL3.EEL2, which is not
the value for the selected security state, but rather, for the
security state that came before it. This relies on the EEL2 bit's
value to propagate identically to all worlds.

This has an unintended side effect that for the first entry into
secure world, the restoring of the context is fully skipped, because
SCR_EL3 is only initialized after the call to the restoring routine
which means the EEL2 bit is not initialized (except when FEAT_RME
is present). This is inconsistent with normal and realm worlds which
always get their EL2 registers zeroed.

Remove this optimization to remove all the complexity with managing
the EEL2 bit's value. Instead unconditionally save/restore all
registers. It is worth noting that there is no performance penalty
in the case where SEL2 is empty with this change. This is because
SEL2 will never be entered, and as such no secure save/restore will
happen anyway, while normal world remains unchanged.

Removing the value management of the EEL2 bit causes the
CTX_ICC_SRE_EL2 register to be inaccessible in Secure world for some
configurations.
Make the SCR_EL3.NS workaround in cm_prepare_el3_exit_ns() generic
on every access to the register.

Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>
Change-Id: I1f56d85814c5897b468e82d4bd4a08e3a90a7f8f

show more ...

refactor(cm): clean up SCR_EL3 and CPTR_EL3 initialization

As with MDCR_EL3, setting some bits of these registers is redundant at
reset since they do not matter for EL3 execution and the registers g

refactor(cm): clean up SCR_EL3 and CPTR_EL3 initialization

As with MDCR_EL3, setting some bits of these registers is redundant at
reset since they do not matter for EL3 execution and the registers get
context switched so they get overwritten anyway.

The SCR_EL3.{TWE, TWI, SMD, API, APK} bits only affect lower ELs so
their place is in context management. The API and APK bits are a bit
special as they would get implicitly unset for secure world when
CTX_INCLUDE_PAUTH_REGS is unset. This is now explicit with their normal
world values being always set as PAuth defaults to enabled. The same
sequence is also added to realm world too. The reasoning is the same as
for Secure world - PAuth will be enabled for NS, and unless explicitly
handled by firmware, it should not leak to realm.

The CPTR_EL3.{ESM, EZ, TAM} bits are set by the relevant
feat_enable()s in lib/extensions so they can be skipped too.

CPTR_EL3.TFP is special as it's needed for access to generic floating
point registers even when SVE is not present. So keep it but move to
context management.

This leaves CPTR_EL3.TCPAC which affects several extensions. This bit
was set centrally at reset, however the earliest need for it is in BL2.
So set it in cm_setup_context_common(). However, this CPTR_EL3 is only
restored for BL31 which is clearly not the case. So always restore it.

Finally, setting CPTR_EL3 to a fresh RESET_VAL for each security state
prevents any bits from leaking between them.

Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>
Signed-off-by: Jayanth Dodderi Chidanand <jayanthdodderi.chidanand@arm.com>
Change-Id: Ie7095e967bd4a6d6ca6acf314c7086d89fec8900

show more ...

feat(mbedtls-psa): initialise mbedtls psa crypto

Initialised Mbedtls PSA cryto during Crypto init using
function call 'psa_crypto_init'.

MbedTLS currently requires a Random Number Generator (RNG) o

feat(mbedtls-psa): initialise mbedtls psa crypto

Initialised Mbedtls PSA cryto during Crypto init using
function call 'psa_crypto_init'.

MbedTLS currently requires a Random Number Generator (RNG) once
PSA Crypto support is enabled. However, TF-A itself doesn't engage
in cryptographic operations that demand randomness. Consequently,
we simulate the presence of an external TRNG (through the configuration
option 'MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG) while, in reality, we offer
a dummy implementation of mbedtls_psa_external_get_random() that always
returns an error.

Change-Id: Ife6d03909c0e6081438d2b2519ef500e5dcdb88f
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>

show more ...

fix(cpus): workaround for Cortex-X3 erratum 2070301

Cortex-X3 erratum 2070301 is a Cat B erratum that applies to all
revisions <= r1p2 and is still open.
The workaround is to write the value 4'b1001

fix(cpus): workaround for Cortex-X3 erratum 2070301

Cortex-X3 erratum 2070301 is a Cat B erratum that applies to all
revisions <= r1p2 and is still open.
The workaround is to write the value 4'b1001 to the PF_MODE bits
in the IMP_CPUECTLR2_EL1 register. This places the data prefetcher
in the most conservative mode instead of disabling it.

SDEN documentation:
https://developer.arm.com/documentation/2055130/latest

Change-Id: I337c4c7bb9221715aaf973a55d0154e1c7555768
Signed-off-by: Sona Mathew <sonarebecca.mathew@arm.com>

show more ...

feat(mbedtls-psa): introduce PSA_CRYPTO build option

This is a preparatory patch to provide MbedTLS PSA Crypto
API support, with below changes -

1. Added a build macro PSA_CRYPTO to enable the Mbed

feat(mbedtls-psa): introduce PSA_CRYPTO build option

This is a preparatory patch to provide MbedTLS PSA Crypto
API support, with below changes -

1. Added a build macro PSA_CRYPTO to enable the MbedTLS PSA
Crypto API support in the subsequent patches.
2. Compile necessary PSA crypto files from MbedTLS source code
when PSA_CRYPTO=1.

Also, marked PSA_CRYPTO as an experimental feature.

Change-Id: I45188f56c5c98b169b2e21e365150b1825c6c450
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>

show more ...

Merge changes from topic "rm/handoff" into integration

* changes:
feat(qemu): implement firmware handoff on qemu
feat(handoff): introduce firmware handoff library

Merge changes from topic "xlnx_dcc_console" into integration

* changes:
chore(dcc): remove unnecessary code in dcc
fix(dcc): add dcc console unregister function

Merge changes from topic "mp/fix_interrupt_type" into integration

* changes:
refactor(el3-runtime): plat_ic_has_interrupt_type returns bool
fix(el3-runtime): leverage generic interrupt controlle

Merge changes from topic "mp/fix_interrupt_type" into integration

* changes:
refactor(el3-runtime): plat_ic_has_interrupt_type returns bool
fix(el3-runtime): leverage generic interrupt controller helpers
fix(gicv3): map generic interrupt type to GICv3 group
chore(gicv2): use interrupt group instead of type

show more ...

fix(dcc): add dcc console unregister function

Add unregistration function for the JTAG DCC (Debug Communication
Channel) console.
The unregistration function flushes DCC buffer before unregistering

fix(dcc): add dcc console unregister function

Add unregistration function for the JTAG DCC (Debug Communication
Channel) console.
The unregistration function flushes DCC buffer before unregistering
the dcc console to make sure that no output char is pending.

Since console_flush() flushes chars for all registered consoles on
the platform, which is not required in this case, dcc_console_flush()
is being called instead.

Signed-off-by: Prasad Kummari <prasad.kummari@amd.com>
Change-Id: I6f15a07c6ee947dc0e7aa8fb069227618080e611

show more ...

refactor(el3-runtime): plat_ic_has_interrupt_type returns bool

Rather than returning 0 or 1, the above function returns bool false
or true. No functional change.

Change-Id: Iea904ffc368568208fa8203

refactor(el3-runtime): plat_ic_has_interrupt_type returns bool

Rather than returning 0 or 1, the above function returns bool false
or true. No functional change.

Change-Id: Iea904ffc368568208fa8203e0d2e0cdaa500b1e0
Signed-off-by: Madhukar Pappireddy <madhukar.pappireddy@arm.com>

show more ...

fix(gicv3): map generic interrupt type to GICv3 group

The generic interrupt controller identifies an interrupt based on its
type whereas the GIC uses the notion of groups to identify an
interrupt.

fix(gicv3): map generic interrupt type to GICv3 group

The generic interrupt controller identifies an interrupt based on its
type whereas the GIC uses the notion of groups to identify an
interrupt.

Currently, they are used interchangeably in GICv3 driver. It did not
cause any functional issues since the matching type and group had the
same value for corresponding macros. This patch makes the necessary
fixes.

The generic interrupt controller APIs, such as
plat_ic_set_interrupt_type map interrupt type to interrupt group
supported by the GICv3 IP. Similarly, other generic interrupt
controller APIs map interrupt group to interrupt type as needed.

This patch also changes the name of the helper functions to use group
rather than type for handling interrupts.

Change-Id: Ie2d88a3260c71e4ab9c8baacde24cc21e551de3d
Signed-off-by: Madhukar Pappireddy <madhukar.pappireddy@arm.com>

show more ...

chore(gicv2): use interrupt group instead of type

The generic interrupt controller identifies an interrupt based on its
type whereas the GIC uses the notion of groups to identify an
interrupt.

This

chore(gicv2): use interrupt group instead of type

The generic interrupt controller identifies an interrupt based on its
type whereas the GIC uses the notion of groups to identify an
interrupt.

This patch changes the name of the helper functions to use group
rather than type for handling interrupts. No functional change in this
patch.

Change-Id: If13ec65cc6c87c2da73a3d54b033f02635ff924a
Signed-off-by: Madhukar Pappireddy <madhukar.pappireddy@arm.com>

show more ...

fix(spmd): coverity scan issues

Coverity defects fixed by this patch are:
*** CID 400208: Performance inefficiencies (PASS_BY_VALUE)
/include/services/el3_spmd_logical_sp.h: 108 in
ffa_partition_i

fix(spmd): coverity scan issues

Coverity defects fixed by this patch are:
*** CID 400208: Performance inefficiencies (PASS_BY_VALUE)
/include/services/el3_spmd_logical_sp.h: 108 in
ffa_partition_info_regs_get_last_idx()

*** CID 400207: Performance inefficiencies (PASS_BY_VALUE)
/services/std_svc/spmd/spmd_logical_sp.c: 359 in
ffa_partition_info_regs_get_part_info()

Signed-off-by: Raghu Krishnamurthy <raghu.ncstate@gmail.com>
Change-Id: I9597377a8ec3d5519995e1619d99ee7102f33939

show more ...

Merge changes from topic "errata" into integration

* changes:
fix(cpus): workaround for Neoverse V2 erratum 2743011
fix(cpus): workaround for Neoverse V2 erratum 2779510
fix(cpus): workaround

Merge changes from topic "errata" into integration

* changes:
fix(cpus): workaround for Neoverse V2 erratum 2743011
fix(cpus): workaround for Neoverse V2 erratum 2779510
fix(cpus): workaround for Neoverse V2 erratum 2719105
fix(cpus): workaround for Neoverse V2 erratum 2331132

show more ...

feat(handoff): introduce firmware handoff library

Add transfer list APIs and firmware handoff build option.

Change-Id: I68a0ace22c7e50fcdacd101eb76b271d7b76d8ff
Signed-off-by: Raymond Mao <raymond.

feat(handoff): introduce firmware handoff library

Add transfer list APIs and firmware handoff build option.

Change-Id: I68a0ace22c7e50fcdacd101eb76b271d7b76d8ff
Signed-off-by: Raymond Mao <raymond.mao@linaro.org>

show more ...

Merge "fix(st-ddr): express memory size with size_t type" into integration

Merge "feat(ethos-n): update npu error handling" into integration

fix(cpus): workaround for Neoverse V2 erratum 2743011

Neoverse V2 erratum 2743011 is a Cat B erratum that applies to
all revisions <= r0p1 and is fixed in r0p2. The workaround is to
set CPUACTLR5_EL

fix(cpus): workaround for Neoverse V2 erratum 2743011

Neoverse V2 erratum 2743011 is a Cat B erratum that applies to
all revisions <= r0p1 and is fixed in r0p2. The workaround is to
set CPUACTLR5_EL1[56:55] to 2'b01.

SDEN documentation:
https://developer.arm.com/documentation/SDEN2332927/latest

Signed-off-by: Bipin Ravi <bipin.ravi@arm.com>
Change-Id: I0e06ca723a1cce51fb027b7160f3dd06a4c93e64

show more ...

fix(cpus): workaround for Neoverse V2 erratum 2779510

Neoverse V2 erratum 2779510 is a Cat B erratum that applies to
all revisions <= r0p1 and is fixed in r0p2. The workaround is to
set bit[47] of C

fix(cpus): workaround for Neoverse V2 erratum 2779510

Neoverse V2 erratum 2779510 is a Cat B erratum that applies to
all revisions <= r0p1 and is fixed in r0p2. The workaround is to
set bit[47] of CPUACTLR3_EL1 which might have a small impact on
power and negligible impact on performance.

SDEN documentation:
https://developer.arm.com/documentation/SDEN2332927/latest

Signed-off-by: Bipin Ravi <bipin.ravi@arm.com>
Change-Id: I6d937747bdcbf2913a64c4037f99918cbc466e80

show more ...

fix(cpus): workaround for Neoverse V2 erratum 2719105

Neoverse V2 erratum 2719105 is a Cat B erratum that applies to all
revisions <= r0p1 and is fixed in r0p2.

The erratum is avoided by setting CP

fix(cpus): workaround for Neoverse V2 erratum 2719105

Neoverse V2 erratum 2719105 is a Cat B erratum that applies to all
revisions <= r0p1 and is fixed in r0p2.

The erratum is avoided by setting CPUACTLR2_EL1[0] to 1 to force
PLDW/PFRM ST to behave like PLD/PRFM LD and not cause invalidations
to other PE caches. There might be a small performance degradation
to this workaround for certain workloads that share data.

SDEN documentation:
https://developer.arm.com/documentation/SDEN2332927/latest

Signed-off-by: Bipin Ravi <bipin.ravi@arm.com>
Change-Id: Id026edcb7ee1ca93371ce0001d18f5a8282c49ba

show more ...

fix(cpus): workaround for Neoverse V2 erratum 2331132

Neoverse V2 erratum 2331132 is a Cat B erratum that applies to all
revisions <= r0p2 and is still open. The workaround is to write the
value 4'b

fix(cpus): workaround for Neoverse V2 erratum 2331132

Neoverse V2 erratum 2331132 is a Cat B erratum that applies to all
revisions <= r0p2 and is still open. The workaround is to write the
value 4'b1001 to the PF_MODE bits in the IMP_CPUECTLR2_EL1 register
which will place the data prefetcher in the most conservative mode
instead of disabling it.

SDEN documentation:
https://developer.arm.com/documentation/SDEN2332927/latest

Signed-off-by: Bipin Ravi <bipin.ravi@arm.com>
Change-Id: Ic6c76375df465a4ad2e20dd7add7037477d973c1

show more ...

fix(st-ddr): express memory size with size_t type

Express memory size with size_t type in structures.
Retrieve value as uint32_t from device tree and then cast it to size_t.
Combined with uintptr_t

fix(st-ddr): express memory size with size_t type

Express memory size with size_t type in structures.
Retrieve value as uint32_t from device tree and then cast it to size_t.
Combined with uintptr_t use, it ensures a generic algorithm whatever
the platform architecture, notably within systematic tests. Adapt also
their prototypes.

Move memory size print outside stm32mp_ddr_check_size() to adapt it to
related platform.

Signed-off-by: Nicolas Le Bayon <nicolas.le.bayon@st.com>
Change-Id: Ic6e1a62d7a5e23cef49909a658098c800e7dae3f

show more ...