Merge changes from topic "refactor-arm-key-files" into integration

* changes:
feat(mbedtls): optimize SHA256 for reduced memory footprint
refactor(arm): rename ARM_ROTPK_HEADER_LEN
docs(arm):

Merge changes from topic "refactor-arm-key-files" into integration

* changes:
feat(mbedtls): optimize SHA256 for reduced memory footprint
refactor(arm): rename ARM_ROTPK_HEADER_LEN
docs(arm): update docs to reflect rotpk key changes
feat(arm): use provided algs for (swd/p)rotpk
feat(arm): use the provided hash alg to hash rotpk

show more ...

refactor(arm): rename ARM_ROTPK_HEADER_LEN

This variable had a misleading name, as it is the length
of the header only when the ROTPK is a hash.
Also rename arm_rotpk_header to match the new pattern

refactor(arm): rename ARM_ROTPK_HEADER_LEN

This variable had a misleading name, as it is the length
of the header only when the ROTPK is a hash.
Also rename arm_rotpk_header to match the new pattern.

Change-Id: I36c29998eebf50c356a6ca959ec9223c8837b540
Signed-off-by: Ryan Everett <ryan.everett@arm.com>

show more ...

Merge changes from topic "nrd3_support" into integration

* changes:
feat(rdfremont): add support for measured boot at BL1 and BL2
feat(arm): mock support for CCA NV ctr
feat(rdfremont): fetch

Merge changes from topic "nrd3_support" into integration

* changes:
feat(rdfremont): add support for measured boot at BL1 and BL2
feat(arm): mock support for CCA NV ctr
feat(rdfremont): fetch attestation key and token from RSE
feat(psa): introduce generic library for CCA attestation
feat(rdfremont): initialize the rse comms driver
feat(rdfremont): helper to initialize rse-comms with AP-RSE MHUv3
fix(rse): include lib-psa to resolve build
feat(neoverse-rd): add MHUv3 channels on third gen multichip platforms
feat(neoverse-rd): add MHUv3 doorbell channels on third gen platforms
feat(rdfremont): initialize GPT on GPC SMMU block
feat(rdfremont): update Root registers page offset for SMMUv3
feat(rdfremont): enable MTE2 if present on the platform
feat(rdfremont): enable SVE for SWD and NS
feat(rdfremont): enable AMU if present on the platform
feat(rdfremont): enable MPAM if present on the platform
feat(rdfremont): add DRAM pas entries in pas table for multichip
feat(rdfremont): add implementation for GPT setup
feat(rdfremont): integrate DTS files for RD-Fremont variants
feat(rdfremont): add support for RD-Fremont-Cfg2
feat(rdfremont): add support for RD-Fremont-Cfg1
feat(rdfremont): add support for RD-Fremont
feat(neoverse-rd): add scope for RD-Fremont variants
feat(neoverse-rd): add multichip pas entries
feat(neoverse-rd): add pas definitions for third gen platforms
feat(neoverse-rd): add DRAM layout for third gen platforms
feat(neoverse-rd): add SRAM layout for third gen platforms
feat(neoverse-rd): add firmware definitions for third gen platforms
feat(neoverse-rd): add RoS definitions for third gen platforms
feat(neoverse-rd): add CSS definitions for third gen platforms

show more ...

feat(arm): mock support for CCA NV ctr

Arm reference design FVP platforms such as RD-Fremont do not implement
the CCA_FW_NVCOUNTER. Update firmware such that the implementation will
return TRUSTED_F

feat(arm): mock support for CCA NV ctr

Arm reference design FVP platforms such as RD-Fremont do not implement
the CCA_FW_NVCOUNTER. Update firmware such that the implementation will
return TRUSTED_FW_NVCOUNTER when the caller requests the CCA NV counter.
This allows the platforms to use the CCA CoT on FVP platforms.

Signed-off-by: Pranav Madhu <pranav.madhu@arm.com>
Signed-off-by: Vivek Gautam <vivek.gautam@arm.com>
Change-Id: Ifab724fae63857056b3eeb44eeefc15c4c610eed

show more ...

Merge changes from topic "sb/remove-cryptocell" into integration

* changes:
chore(npcm845x): remove CryptoCell-712/713 support
chore(auth)!: remove CryptoCell-712/713 support

chore(auth)!: remove CryptoCell-712/713 support

CryptoCell-712 and CryptoCell-713 drivers have been deprecated since
TF-A v2.9 and their removal was announced for TF-A v2.10 release.
See [1].

As th

chore(auth)!: remove CryptoCell-712/713 support

CryptoCell-712 and CryptoCell-713 drivers have been deprecated since
TF-A v2.9 and their removal was announced for TF-A v2.10 release.
See [1].

As the release is approaching, this patch deletes these drivers' code as
well as all references to them in the documentation and Arm platforms
code (Nuvoton platform is taken care in a subsequent patch). Associated
build options (ARM_CRYPTOCELL_INTEG and PLAT_CRYPTOCELL_BASE) have also
been removed and thus will have no effect if defined.

This is a breaking change for downstream platforms which use these
drivers.

[1] https://trustedfirmware-a.readthedocs.io/en/v2.9/about/release-information.html#removal-of-deprecated-drivers
Note that TF-A v3.0 release later got renumbered into v2.10.

Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
Change-Id: Idabbc9115f6732ac1a0e52b273d3380677a39813

show more ...

Merge changes from topic "ecdsa_p384" into integration

* changes:
refactor(arm): remove ARM_ROTPK_KEY_LEN comparison
fix(st): setting default KEY_SIZE
docs(cert-create): add key size options f

Merge changes from topic "ecdsa_p384" into integration

* changes:
refactor(arm): remove ARM_ROTPK_KEY_LEN comparison
fix(st): setting default KEY_SIZE
docs(cert-create): add key size options for ecdsa
feat(arm): ecdsa p384/p256 full key support
feat(tbbr): update PK_DER_LEN for ECDSA P-384 keys
feat(auth): ecdsa p384 key support
feat(cert-create): ecdsa p384 key support

show more ...

feat(arm): ecdsa p384/p256 full key support

Add full key support for ECDSA P384 and P256.

New .S files and p384 pem file created along with new
plat_get_rotpk_info() flag ARM_ROTPK_DEVEL_FULL_DEV_E

feat(arm): ecdsa p384/p256 full key support

Add full key support for ECDSA P384 and P256.

New .S files and p384 pem file created along with new
plat_get_rotpk_info() flag ARM_ROTPK_DEVEL_FULL_DEV_ECDSA_KEY_ID.

Change-Id: I578b257eca41070bb4f4791ef429f2b8a66b1eb3
Signed-off-by: Lauren Wehrmeister <lauren.wehrmeister@arm.com>

show more ...

Merge changes from topic "full_dev_rsa_key" into integration

* changes:
docs(arm): add ARM_ROTPK_LOCATION variant full key
feat(arm): add ARM_ROTPK_LOCATION variant full key

feat(arm): add ARM_ROTPK_LOCATION variant full key

Add support for ARM_ROTPK_LOCATION=devel_full_dev_rsa_key, which
implements the scenario where the platform provides the full ROTPK, as
opposed to

feat(arm): add ARM_ROTPK_LOCATION variant full key

Add support for ARM_ROTPK_LOCATION=devel_full_dev_rsa_key, which
implements the scenario where the platform provides the full ROTPK, as
opposed to the hash of it. This returns a 2kB development RSA key
embedded into the firmware.

The motivation for this patch is to extend our test coverage in the CI.
Right now, the authentication framework allows platforms to return
either the full ROTPK or a hash of it (*). However, the FVP platform
only supports returning a hash currently so we cannot easily exercise
the full key scenario. This patch adds that capability.

(*) Or even no key at all if it's not deployed on the platform yet, as
is typically the case on pre-production/developement platforms.

Signed-off-by: Lauren Wehrmeister <lauren.wehrmeister@arm.com>
Change-Id: Ie869cca1082410e63894e2b7dea2d31155684105

show more ...

Merge changes from topic "lw/cca_cot" into integration

* changes:
feat(arm): retrieve the right ROTPK for cca
feat(arm): add support for cca CoT
feat(arm): provide some swd rotpk files
build

Merge changes from topic "lw/cca_cot" into integration

* changes:
feat(arm): retrieve the right ROTPK for cca
feat(arm): add support for cca CoT
feat(arm): provide some swd rotpk files
build(tbbr): drive cert_create changes for cca CoT
refactor(arm): add cca CoT certificates to fconf
feat(fiptool): add cca, core_swd, plat cert in FIP
feat(cert_create): define the cca chain of trust
feat(cca): introduce new "cca" chain of trust
build(changelog): add new scope for CCA
refactor(fvp): increase bl2 size when bl31 in DRAM

show more ...

feat(arm): retrieve the right ROTPK for cca

The cca chain of trust involves 3 root-of-trust public keys:
- The CCA components ROTPK.
- The platform owner ROTPK (PROTPK).
- The secure world ROTPK (SW

feat(arm): retrieve the right ROTPK for cca

The cca chain of trust involves 3 root-of-trust public keys:
- The CCA components ROTPK.
- The platform owner ROTPK (PROTPK).
- The secure world ROTPK (SWD_ROTPK).

Use the cookie argument as a key ID for plat_get_rotpk_info() to return
the appropriate one.

Signed-off-by: Lauren Wehrmeister <lauren.wehrmeister@arm.com>
Change-Id: Ieaae5b0bc4384dd12d0b616596596b031179044a

show more ...

Merge "plat/arm: common: add guard for arm_get_rotpk_info_regs" into integration

plat/arm: common: add guard for arm_get_rotpk_info_regs

Only define arm_get_rotpk_info_regs if ROTPK is in registers,
i.e. (ARM_ROTPK_LOCATION_ID == ARM_ROTPK_REGS_ID). This will
allow platform buil

plat/arm: common: add guard for arm_get_rotpk_info_regs

Only define arm_get_rotpk_info_regs if ROTPK is in registers,
i.e. (ARM_ROTPK_LOCATION_ID == ARM_ROTPK_REGS_ID). This will
allow platform build without definition of TZ_PUB_KEY_HASH_BASE
if dedicated registers for ROTPK are not available on the platform.

Change-Id: I74ee2d5007f5d876a031a1efca20ebee2dede0c7
Signed-off-by: Usama Arif <usama.arif@arm.com>

show more ...

Merge "plat/arm: Get the base address of nv-counters from device tree" into integration

plat/arm: Get the base address of nv-counters from device tree

Using the Fconf, register base address of the various nv-counters
(currently, trusted, non-trusted nv-counters) are moved to the
device

plat/arm: Get the base address of nv-counters from device tree

Using the Fconf, register base address of the various nv-counters
(currently, trusted, non-trusted nv-counters) are moved to the
device tree and retrieved during run-time. This feature is
enabled using the build option COT_DESC_IN_DTB.

Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
Change-Id: I236f532e63cea63b179f60892cb406fc05cd5830

show more ...

Merge "plat/arm: Retrieve the right ROTPK when using the dualroot CoT" into integration

Merge changes from topic "sb/dualroot" into integration

* changes:
plat/arm: Pass cookie argument down to arm_get_rotpk_info()
plat/arm: Add support for dualroot CoT
plat/arm: Provide some PRO

Merge changes from topic "sb/dualroot" into integration

* changes:
plat/arm: Pass cookie argument down to arm_get_rotpk_info()
plat/arm: Add support for dualroot CoT
plat/arm: Provide some PROTK files for development

show more ...

plat/arm: Retrieve the right ROTPK when using the dualroot CoT

The dualroot chain of trust involves 2 root-of-trust public keys:
- The classic ROTPK.
- The platform ROTPK (a.k.a. PROTPK).

Use the c

plat/arm: Retrieve the right ROTPK when using the dualroot CoT

The dualroot chain of trust involves 2 root-of-trust public keys:
- The classic ROTPK.
- The platform ROTPK (a.k.a. PROTPK).

Use the cookie argument as a key ID for plat_get_rotpk_info() to return the
appropriate one. This only applies if we are using the dualroot CoT ; if using
the TBBR one, the behaviour is unchanged.

Change-Id: I400707a87ec01afd5922b68db31d652d787f79bd
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>

show more ...

plat/arm: Pass cookie argument down to arm_get_rotpk_info()

The cookie will be leveraged in the next commit.

Change-Id: Ie8bad275d856d84c27466461cf815529dd860446
Signed-off-by: Sandrine Bailleux <s

plat/arm: Pass cookie argument down to arm_get_rotpk_info()

The cookie will be leveraged in the next commit.

Change-Id: Ie8bad275d856d84c27466461cf815529dd860446
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>

show more ...

Merge "Adds option to read ROTPK from registers for FVP" into integration

Adds option to read ROTPK from registers for FVP

Enables usage of ARM_ROTPK_LOCATION=regs for FVP board.
Removes hard-coded developer keys. Instead, setting
ARM_ROTPK_LOCATION=devel_* takes keys fro

Adds option to read ROTPK from registers for FVP

Enables usage of ARM_ROTPK_LOCATION=regs for FVP board.
Removes hard-coded developer keys. Instead, setting
ARM_ROTPK_LOCATION=devel_* takes keys from default directory.
In case of ROT_KEY specified - generates a new hash and replaces the
original.

Note: Juno board was tested by original feature author and was not tested
for this patch since we don't have access to the private key. Juno
implementation was moved to board-specific file without changing
functionality. It is not known whether byte-swapping is still needed
for this platform.

Change-Id: I0fdbaca0415cdcd78f3a388551c2e478c01ed986
Signed-off-by: Max Shvetsov <maksims.svecovs@arm.com>

show more ...

Merge changes from topic "gby/cryptocell-multi-vers" into integration

* changes:
cryptocell: add product version awareness support
cryptocell: move Cryptocell specific API into driver

cryptocell: move Cryptocell specific API into driver

Code using Cryptocell specific APIs was used as part of the
arm common board ROT support, instead of being abstracted
in Cryptocell specific driv

cryptocell: move Cryptocell specific API into driver

Code using Cryptocell specific APIs was used as part of the
arm common board ROT support, instead of being abstracted
in Cryptocell specific driver code, creating two problems:
- Any none arm board that uses Cryptocell wuld need to
copy and paste the same code.
- Inability to cleanly support multiple versions of Cryptocell
API and products.

Move over Cryptocell specific API calls into the Cryptocell
driver, creating abstraction API where needed.

Signed-off-by: Gilad Ben-Yossef <gilad.benyossef@arm.com>
Change-Id: I9e03ddce90fcc47cfdc747098bece86dbd11c58e

show more ...

Merge pull request #1756 from antonio-nino-diaz-arm/an/header-deps

plat/arm: Fix header dependencies