Merge "fix(arm): resolve build issue with ARM_ROTPK_LOCATION=regs option" into integration

fix(arm): resolve build issue with ARM_ROTPK_LOCATION=regs option

Fix the broken build when using the ARM_ROTPK_LOCATION=regs option.

Change-Id: Ieaa7baebd86448d198a1b9d2149a3490700b45d3
Signed-off

fix(arm): resolve build issue with ARM_ROTPK_LOCATION=regs option

Fix the broken build when using the ARM_ROTPK_LOCATION=regs option.

Change-Id: Ieaa7baebd86448d198a1b9d2149a3490700b45d3
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>

show more ...

Merge changes I32bd0c71,I167e7398 into integration

* changes:
fix(arm): don't race on the build directory
fix(armada): don't race on the UART_IMAGE

fix(arm): don't race on the build directory

Wait for it to have been created. This is the same issue as
commit db69d118294f08aae86378c98aa082ac73e15b73.

Change-Id: I32bd0c713e2837563d32131fb0beddb5

fix(arm): don't race on the build directory

Wait for it to have been created. This is the same issue as
commit db69d118294f08aae86378c98aa082ac73e15b73.

Change-Id: I32bd0c713e2837563d32131fb0beddb5533c0792
Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>

show more ...

Merge "fix(arm): create build directory before key generation" into integration

fix(arm): create build directory before key generation

Arm ROTPK generation may start before the build directory is
created, causing errors like:

00:45:53.235 Can't open "/home/buildslave/workspac

fix(arm): create build directory before key generation

Arm ROTPK generation may start before the build directory is
created, causing errors like:

00:45:53.235 Can't open "/home/buildslave/workspace/tf-a-coverity/
trusted-firmware-a/build/rd1ae/debug/arm_rotpk.bin" for writing,
No such file or directory

This patch ensures the build directory is created beforehand to
prevent such issues.

Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
Change-Id: I73f7d5af00efc738e95ea79c5cacecdb6a2d20c6

show more ...

Merge changes from topic "refactor-arm-key-files" into integration

* changes:
feat(mbedtls): optimize SHA256 for reduced memory footprint
refactor(arm): rename ARM_ROTPK_HEADER_LEN
docs(arm):

Merge changes from topic "refactor-arm-key-files" into integration

* changes:
feat(mbedtls): optimize SHA256 for reduced memory footprint
refactor(arm): rename ARM_ROTPK_HEADER_LEN
docs(arm): update docs to reflect rotpk key changes
feat(arm): use provided algs for (swd/p)rotpk
feat(arm): use the provided hash alg to hash rotpk

show more ...

feat(arm): use provided algs for (swd/p)rotpk

No longer hard code SHA-256 hashed rsa dev keys,
now the keys can use pair of key alg: rsa, p256, p384
and hash alg: sha256, sha384, sha512.

All publi

feat(arm): use provided algs for (swd/p)rotpk

No longer hard code SHA-256 hashed rsa dev keys,
now the keys can use pair of key alg: rsa, p256, p384
and hash alg: sha256, sha384, sha512.

All public keys are now generated at build-time from the dev
keys.

Change-Id: I669438b7d1cd319962c4a135bb0e204e44d7447e
Signed-off-by: Ryan Everett <ryan.everett@arm.com>

show more ...

feat(arm): use the provided hash alg to hash rotpk

No longer hard code SHA-256 hashed dev rotpks, instead
use the algorithm given by HASH_ALG. This means that
we no longer need the plat_arm_configs

feat(arm): use the provided hash alg to hash rotpk

No longer hard code SHA-256 hashed dev rotpks, instead
use the algorithm given by HASH_ALG. This means that
we no longer need the plat_arm_configs (once the protpk and
swd_rotpk are also updated to use HASH_ALG).

The rot public key is now generated at build time, as is
the header for the key.

Also support some default 3k and 4k RSA keys.

Change-Id: I33538124aeb4fa7d67918d878d17f2a84d3a6756
Signed-off-by: Ryan Everett <ryan.everett@arm.com>

show more ...

Merge changes from topic "sb/remove-cryptocell" into integration

* changes:
chore(npcm845x): remove CryptoCell-712/713 support
chore(auth)!: remove CryptoCell-712/713 support

chore(auth)!: remove CryptoCell-712/713 support

CryptoCell-712 and CryptoCell-713 drivers have been deprecated since
TF-A v2.9 and their removal was announced for TF-A v2.10 release.
See [1].

As th

chore(auth)!: remove CryptoCell-712/713 support

CryptoCell-712 and CryptoCell-713 drivers have been deprecated since
TF-A v2.9 and their removal was announced for TF-A v2.10 release.
See [1].

As the release is approaching, this patch deletes these drivers' code as
well as all references to them in the documentation and Arm platforms
code (Nuvoton platform is taken care in a subsequent patch). Associated
build options (ARM_CRYPTOCELL_INTEG and PLAT_CRYPTOCELL_BASE) have also
been removed and thus will have no effect if defined.

This is a breaking change for downstream platforms which use these
drivers.

[1] https://trustedfirmware-a.readthedocs.io/en/v2.9/about/release-information.html#removal-of-deprecated-drivers
Note that TF-A v3.0 release later got renumbered into v2.10.

Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
Change-Id: Idabbc9115f6732ac1a0e52b273d3380677a39813

show more ...

Merge changes from topic "ecdsa_p384" into integration

* changes:
refactor(arm): remove ARM_ROTPK_KEY_LEN comparison
fix(st): setting default KEY_SIZE
docs(cert-create): add key size options f

Merge changes from topic "ecdsa_p384" into integration

* changes:
refactor(arm): remove ARM_ROTPK_KEY_LEN comparison
fix(st): setting default KEY_SIZE
docs(cert-create): add key size options for ecdsa
feat(arm): ecdsa p384/p256 full key support
feat(tbbr): update PK_DER_LEN for ECDSA P-384 keys
feat(auth): ecdsa p384 key support
feat(cert-create): ecdsa p384 key support

show more ...

feat(arm): ecdsa p384/p256 full key support

Add full key support for ECDSA P384 and P256.

New .S files and p384 pem file created along with new
plat_get_rotpk_info() flag ARM_ROTPK_DEVEL_FULL_DEV_E

feat(arm): ecdsa p384/p256 full key support

Add full key support for ECDSA P384 and P256.

New .S files and p384 pem file created along with new
plat_get_rotpk_info() flag ARM_ROTPK_DEVEL_FULL_DEV_ECDSA_KEY_ID.

Change-Id: I578b257eca41070bb4f4791ef429f2b8a66b1eb3
Signed-off-by: Lauren Wehrmeister <lauren.wehrmeister@arm.com>

show more ...

Merge "refactor(arm): avoid setting HASH_PREREQUISITES for a build without ROT_KEY" into integration

refactor(arm): avoid setting HASH_PREREQUISITES for a build without ROT_KEY

In the absence of ROT_KEY option, there is no need to populate
HASH_PREREQUISITES as the build system uses the hash file s

refactor(arm): avoid setting HASH_PREREQUISITES for a build without ROT_KEY

In the absence of ROT_KEY option, there is no need to populate
HASH_PREREQUISITES as the build system uses the hash file specified by
ARM_ROTPK_HASH directly.

Change-Id: Ib08f53b182b8446bbc430f2608471c7dfdc0e58c
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>

show more ...

Merge changes from topic "cot_cca_nvctr" into integration

* changes:
feat(fvp): mock support for CCA NV ctr
feat(auth): add CCA NV ctr to CCA CoT
feat(build): pass CCA NV ctr option to cert_cr

Merge changes from topic "cot_cca_nvctr" into integration

* changes:
feat(fvp): mock support for CCA NV ctr
feat(auth): add CCA NV ctr to CCA CoT
feat(build): pass CCA NV ctr option to cert_create
feat(cert-create): add new option for CCA NV ctr

show more ...

feat(fvp): mock support for CCA NV ctr

AEM FVP does not have a third CCA NV counter so the
implementation will fake it by returning the Trusted
NV counter value when the caller requests the CCA NV
c

feat(fvp): mock support for CCA NV ctr

AEM FVP does not have a third CCA NV counter so the
implementation will fake it by returning the Trusted
NV counter value when the caller requests the CCA NV
counter. This allows us to use the CCA CoT on AEM FVP
nonetheless.

The FVP platform port now gets its own version of
plat_get_nv_ctr() as it now need to diverge from the
common implementation provided at the Arm development
platforms level.

Change-Id: I3258f837249a539d943d6d783406ba222bd4554e
Signed-off-by: Lauren Wehrmeister <lauren.wehrmeister@arm.com>

show more ...

Merge "fix(arm): arm_rotpk_header undefined reference" into integration

fix(arm): arm_rotpk_header undefined reference

Moving ARM_ROTPK_S to default to arm_dev_rotpk.S as it was not being
set for Juno cryptocell and this should be the value in most cases.

Change-Id: I5

fix(arm): arm_rotpk_header undefined reference

Moving ARM_ROTPK_S to default to arm_dev_rotpk.S as it was not being
set for Juno cryptocell and this should be the value in most cases.

Change-Id: I56a5a4e61f1ca728b87322b0b09a0d73ed1d5ee0
Signed-off-by: Lauren Wehrmeister <lauren.wehrmeister@arm.com>

show more ...

Merge changes from topic "full_dev_rsa_key" into integration

* changes:
docs(arm): add ARM_ROTPK_LOCATION variant full key
feat(arm): add ARM_ROTPK_LOCATION variant full key

feat(arm): add ARM_ROTPK_LOCATION variant full key

Add support for ARM_ROTPK_LOCATION=devel_full_dev_rsa_key, which
implements the scenario where the platform provides the full ROTPK, as
opposed to

feat(arm): add ARM_ROTPK_LOCATION variant full key

Add support for ARM_ROTPK_LOCATION=devel_full_dev_rsa_key, which
implements the scenario where the platform provides the full ROTPK, as
opposed to the hash of it. This returns a 2kB development RSA key
embedded into the firmware.

The motivation for this patch is to extend our test coverage in the CI.
Right now, the authentication framework allows platforms to return
either the full ROTPK or a hash of it (*). However, the FVP platform
only supports returning a hash currently so we cannot easily exercise
the full key scenario. This patch adds that capability.

(*) Or even no key at all if it's not deployed on the platform yet, as
is typically the case on pre-production/developement platforms.

Signed-off-by: Lauren Wehrmeister <lauren.wehrmeister@arm.com>
Change-Id: Ie869cca1082410e63894e2b7dea2d31155684105

show more ...

Merge "fix: make TF-A use provided OpenSSL binary" into integration

fix: make TF-A use provided OpenSSL binary

Currently Tf-A uses whatever openssl binary is on the system to sign
images. However if OPENSSL_DIR is specified in the build flags this can
lead to linkin

fix: make TF-A use provided OpenSSL binary

Currently Tf-A uses whatever openssl binary is on the system to sign
images. However if OPENSSL_DIR is specified in the build flags this can
lead to linking issues as the system binary can end up being linked
against shared libraries provided in OPENSSL_DIR/lib if both binaries
(the system's and the on in OPENSSL_DIR/bin) are the same version.
This patch ensures that the binary used is always the one given by
OPENSSL_DIR to avoid those link issues.

Signed-off-by: Salome Thirot <salome.thirot@arm.com>
Change-Id: Ib534e06ebc8482e4391e376d3791a87968de4a99

show more ...

Merge changes from topic "lw/cca_cot" into integration

* changes:
feat(arm): retrieve the right ROTPK for cca
feat(arm): add support for cca CoT
feat(arm): provide some swd rotpk files
build

Merge changes from topic "lw/cca_cot" into integration

* changes:
feat(arm): retrieve the right ROTPK for cca
feat(arm): add support for cca CoT
feat(arm): provide some swd rotpk files
build(tbbr): drive cert_create changes for cca CoT
refactor(arm): add cca CoT certificates to fconf
feat(fiptool): add cca, core_swd, plat cert in FIP
feat(cert_create): define the cca chain of trust
feat(cca): introduce new "cca" chain of trust
build(changelog): add new scope for CCA
refactor(fvp): increase bl2 size when bl31 in DRAM

show more ...

feat(arm): add support for cca CoT

- Use the development PROTPK and SWD_ROTPK if using cca CoT.

- Define a cca CoT build flag for the platform code to provide
different implementations where needed

feat(arm): add support for cca CoT

- Use the development PROTPK and SWD_ROTPK if using cca CoT.

- Define a cca CoT build flag for the platform code to provide
different implementations where needed.

- When ENABLE_RME=1, CCA CoT is selected by default on Arm
platforms if no specific CoT is specified by the user.

Signed-off-by: Lauren Wehrmeister <lauren.wehrmeister@arm.com>
Change-Id: I70ae6382334a58d3c726b89c7961663eb8571a64

show more ...