feat(arm): support boot info handoff and event log

Add support for processing boot arguments via Firmware
Handoff on Arm platforms. Update platform hooks to pass
boot info to BL31 and BL32 stages.

feat(arm): support boot info handoff and event log

Add support for processing boot arguments via Firmware
Handoff on Arm platforms. Update platform hooks to pass
boot info to BL31 and BL32 stages.

Enable parsing and dumping of an event log from the
transfer list when MEASURED_BOOT is enabled. This allows
measured boot testing in the secure world.

Also update BL32 sources to include event log support when
TSPD and measured boot are both enabled.

Change-Id: Ia310696d0e6cfe93d756bfb075e9fda08342c0a1
Signed-off-by: Harrison Mutai <harrison.mutai@arm.com>

show more ...

Merge changes Id942c20c,Idd286bea,I8917a26e,Iec8c3477,If3c25dcd, ... into integration

* changes:
feat(cpufeat): enable FEAT_PAuth to FEAT_STATE_CHECKED
perf(cpufeat): centralise PAuth key saving

Merge changes Id942c20c,Idd286bea,I8917a26e,Iec8c3477,If3c25dcd, ... into integration

* changes:
feat(cpufeat): enable FEAT_PAuth to FEAT_STATE_CHECKED
perf(cpufeat): centralise PAuth key saving
refactor(cpufeat): convert FEAT_PAuth setup to C
refactor(cpufeat): prepare FEAT_PAuth for FEATURE_DETECTION
chore(cpufeat): remove PAuth presence checks
feat(cpufeat): enable FEAT_BTI to FEAT_STATE_CHECKED

show more ...

feat(cpufeat): enable FEAT_PAuth to FEAT_STATE_CHECKED

FEAT_PAuth is the second to last feature to be a boolean choice - it's
either unconditionally compiled in and must be present in hardware or
it

feat(cpufeat): enable FEAT_PAuth to FEAT_STATE_CHECKED

FEAT_PAuth is the second to last feature to be a boolean choice - it's
either unconditionally compiled in and must be present in hardware or
it's not compiled in. FEAT_PAuth is architected to be backwards
compatible - a subset of the branch guarding instructions (pacia/autia)
execute as NOPs when PAuth is not present. That subset is used with
`-mbranch-protection=standard` and -march pre-8.3. This patch adds the
necessary logic to also check accesses of the non-backward compatible
registers and allow a fully checked implementation.

Note that a checked support requires -march to be pre 8.3, as otherwise
the compiler will include branch protection instructions that are not
NOPs without PAuth (eg retaa) which cannot be checked.

Change-Id: Id942c20cae9d15d25b3d72b8161333642574ddaa
Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>

show more ...

Merge changes from topic "bk/fvp_r" into integration

* changes:
fix(tbbr): remove tbbr_cot_bl1_r64.c
fix(xlat): remove xlat_mpu

fix(xlat): remove xlat_mpu

The only platform to use this is fvp_r. As this platform is now gone, so
is the need for this library. Support for it never went out of
"experimental" so it does not appea

fix(xlat): remove xlat_mpu

The only platform to use this is fvp_r. As this platform is now gone, so
is the need for this library. Support for it never went out of
"experimental" so it does not appear to be finished.

Change-Id: I76499b92ca4368651330f17dc80803991158cc36
Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>

show more ...

Merge changes from topic "jc/tc_fw_handoff" into integration

* changes:
refactor(arm): simplify early platform setup function in BL31
refactor(arm): simplify early platform setup function in BL2

Merge changes from topic "jc/tc_fw_handoff" into integration

* changes:
refactor(arm): simplify early platform setup function in BL31
refactor(arm): simplify early platform setup function in BL2
feat(arm): add support for Transfer List creation

show more ...

feat(arm): add support for Transfer List creation

This patch introduces Firmware Handoff support for Arm based
platforms listed under Firmware_Handoff specification.
[https://firmwarehandoff.github.

feat(arm): add support for Transfer List creation

This patch introduces Firmware Handoff support for Arm based
platforms listed under Firmware_Handoff specification.
[https://firmwarehandoff.github.io/firmware_handoff/main/transfer_list.html]

Signed-off-by: Jayanth Dodderi Chidanand <jayanthdodderi.chidanand@arm.com>
Change-Id: Ie3f30ffe38f809db907b663a8dbf1e48944ec690

show more ...

Merge "build(poetry): install dependencies with `--no-root`" into integration

build(poetry): install dependencies with `--no-root`

More recent versions of Poetry introduced the `package-mode` key to
configure whether the project should be used for dependency management
only,

build(poetry): install dependencies with `--no-root`

More recent versions of Poetry introduced the `package-mode` key to
configure whether the project should be used for dependency management
only, but this is incompatible with the earlier versions of Poetry that
we still support.

Instead, we rely on installing with the `--no-root` flag, which behaves
similarly. Installing without passing the `--no-root` flag is
deprecated, and in recent versions of Poetry has become a hard error.

This change ensures that the build system always installs dependencies
with the required flag.

Change-Id: Ic1543511314dcd20c00b73fd9e8cfae3dd034a41
Signed-off-by: Chris Kay <chris.kay@arm.com>

show more ...

Merge changes I0396b597,I326f920f,I0437eec8,Ieadf01fc,I4e1d8c24, ... into integration

* changes:
feat(fvp): set defaults for build commandline
docs(arm): enable Linux boot from fip as BL33
fea

Merge changes I0396b597,I326f920f,I0437eec8,Ieadf01fc,I4e1d8c24, ... into integration

* changes:
feat(fvp): set defaults for build commandline
docs(arm): enable Linux boot from fip as BL33
feat(arm): enable Linux boot from fip as BL33
docs(fvp): update fvp build time options
docs(arm): add initrd props to dtb at build time
feat(arm): add initrd props to dtb at build time

show more ...

feat(arm): enable Linux boot from fip as BL33

Disable the reliance of ARM_LINUX_KERNEL_AS_BL33 on PRELOADED_BL33_BASE
so that a Linux Kernel can be loaded and booted from the fip as BL33.

Change-Id

feat(arm): enable Linux boot from fip as BL33

Disable the reliance of ARM_LINUX_KERNEL_AS_BL33 on PRELOADED_BL33_BASE
so that a Linux Kernel can be loaded and booted from the fip as BL33.

Change-Id: I0437eec852cf17e0ed37a7ff77fcc4e66b1cea7a
Signed-off-by: Salman Nabi <salman.nabi@arm.com>

show more ...

Merge changes I1f662f82,I59a3b297 into integration

* changes:
fix(build): include platform mk earlier
fix(arm): use EL3_PAS in MAP_BL2_TOTAL definition

fix(build): include platform mk earlier

Move platform.mk inclusion in top level Makefile to permit a platform
specifying BRANCH_PROTECTION option.

Signed-off-by: Olivier Deprez <olivier.deprez@arm.

fix(build): include platform mk earlier

Move platform.mk inclusion in top level Makefile to permit a platform
specifying BRANCH_PROTECTION option.

Signed-off-by: Olivier Deprez <olivier.deprez@arm.com>
Change-Id: I1f662f82cd949eedfdbb61b9f66de15c46fb3106

show more ...

Merge changes from topic "refactor-arm-key-files" into integration

* changes:
feat(mbedtls): optimize SHA256 for reduced memory footprint
refactor(arm): rename ARM_ROTPK_HEADER_LEN
docs(arm):

Merge changes from topic "refactor-arm-key-files" into integration

* changes:
feat(mbedtls): optimize SHA256 for reduced memory footprint
refactor(arm): rename ARM_ROTPK_HEADER_LEN
docs(arm): update docs to reflect rotpk key changes
feat(arm): use provided algs for (swd/p)rotpk
feat(arm): use the provided hash alg to hash rotpk

show more ...

feat(arm): use the provided hash alg to hash rotpk

No longer hard code SHA-256 hashed dev rotpks, instead
use the algorithm given by HASH_ALG. This means that
we no longer need the plat_arm_configs

feat(arm): use the provided hash alg to hash rotpk

No longer hard code SHA-256 hashed dev rotpks, instead
use the algorithm given by HASH_ALG. This means that
we no longer need the plat_arm_configs (once the protpk and
swd_rotpk are also updated to use HASH_ALG).

The rot public key is now generated at build time, as is
the header for the key.

Also support some default 3k and 4k RSA keys.

Change-Id: I33538124aeb4fa7d67918d878d17f2a84d3a6756
Signed-off-by: Ryan Everett <ryan.everett@arm.com>

show more ...

Merge changes from topic "rd1ae-upstream" into integration

* changes:
docs(rd1ae): add RD-1 AE documentation
feat(rd1ae): enabling Trusted Board Boot(TBB) for RD-1 AE
feat(rd1ae): introduce BL

Merge changes from topic "rd1ae-upstream" into integration

* changes:
docs(rd1ae): add RD-1 AE documentation
feat(rd1ae): enabling Trusted Board Boot(TBB) for RD-1 AE
feat(rd1ae): introduce BL31 for RD-1 AE platform
feat(rd1ae): add device tree files
feat(rd1ae): introduce Arm RD-1 AE platform
build(bl2): enable check for bl2 base overflow assert
feat(arm): add support for loading CONFIG from BL2

show more ...

Merge "build: make Poetry optional" into integration

feat(rd1ae): introduce BL31 for RD-1 AE platform

This commit introduces BL31 to the RD-1 AE platform. The RD-1 AE
platform incorporates an SCP for CPU power control.

Additinaly introducing the memo

feat(rd1ae): introduce BL31 for RD-1 AE platform

This commit introduces BL31 to the RD-1 AE platform. The RD-1 AE
platform incorporates an SCP for CPU power control.

Additinaly introducing the memory descriptor provides BL image
information that gets used by BL2 to load the images

Signed-off-by: Peter Hoyes <Peter.Hoyes@arm.com>
Signed-off-by: Divin Raj <divin.raj@arm.com>
Change-Id: I035cbfd09f254aa47483ad35676f1cb3ffb661bd

show more ...

feat(arm): add support for loading CONFIG from BL2

This commit introduces a new ARM platform-specific build option called
`ARM_FW_CONFIG_LOAD_ENABLE`. This option enables the loading of the
`fw_conf

feat(arm): add support for loading CONFIG from BL2

This commit introduces a new ARM platform-specific build option called
`ARM_FW_CONFIG_LOAD_ENABLE`. This option enables the loading of the
`fw_config` device tree when resetting to the BL2 scenario.

Additionally, the FW_CONFIG image reference has been added to the
fdts/tbbr_cot_descriptors.dtsi file in order to use in the scenario of
RESET_TO_BL2.

Signed-off-by: Divin Raj <divin.raj@arm.com>
Change-Id: I11de497b7dbb1386ed84d939d6fd2a11856e9e1b

show more ...

build: make Poetry optional

The Yocto team has requested that we do not use Poetry from within the
Makefile, as Yocto does not have network access during the build
process.

We want to maintain the

build: make Poetry optional

The Yocto team has requested that we do not use Poetry from within the
Makefile, as Yocto does not have network access during the build
process.

We want to maintain the current behaviour, so this change makes our use
of Poetry contigent on it being available in the environment.

Additionally, explicitly passing an empty toolchain parameter now allows
a tool to be *disabled* (e.g. passing `POETRY=` will prevent the build
system from trying to use Poetry).

Change-Id: Ibf552a3fee1eaadee767a1b948b559700083b401
Signed-off-by: Chris Kay <chris.kay@arm.com>

show more ...

Merge changes from topic "hm/tlc" into integration

* changes:
feat(handoff): make tl generation flexible
feat(tlc): add command gen-header
feat(tlc): add support for tox
refactor(tlc): fix s

Merge changes from topic "hm/tlc" into integration

* changes:
feat(handoff): make tl generation flexible
feat(tlc): add command gen-header
feat(tlc): add support for tox
refactor(tlc): fix static check errors and code style

show more ...

feat(handoff): make tl generation flexible

Make the process of compiling a TL from DT source flexible. Provide a
top level recipe to make it easier for developers to build a transfer
list. Clean up

feat(handoff): make tl generation flexible

Make the process of compiling a TL from DT source flexible. Provide a
top level recipe to make it easier for developers to build a transfer
list. Clean up integration of TLC into the build system.

Change-Id: I4466e27a457dfd5bf709dc3a360a2b63bf6030ce
Signed-off-by: Harrison Mutai <harrison.mutai@arm.com>

show more ...

Merge "fix(arm): add extra hash config to validate ROTPK" into integration

fix(arm): add extra hash config to validate ROTPK

The default mbedTLS configuration enables hash algorithms based on
the HASH_ALG or MBOOT_EL_HASH_ALG selected. However, the Arm ROTPK
is always embe

fix(arm): add extra hash config to validate ROTPK

The default mbedTLS configuration enables hash algorithms based on
the HASH_ALG or MBOOT_EL_HASH_ALG selected. However, the Arm ROTPK
is always embedded as a SHA256 hash in BL1 and BL2. In the future,
we may need to adjust this to use the HASH_ALG algorithm for
embedding the ROTPK hash.

As a temporary workaround, a separate mbedTLS configuration has
been created for Arm platforms to explicitly set SHA256 defines,
rather than relying on the default configuration. This adjustment
is reflected in the mbedTLS configuration file for the TC platform
as well as in the PSA Crypto configuration file.

Change-Id: Ib3128ce7b0fb5c0858624ecbc998d456968beddf
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>

show more ...

Merge changes from topic "mbedtls-config-cleanup" into integration

* changes:
chore(qemu): remove duplicate define
chore(imx): remove duplicate define
chore(arm): remove duplicate defines
ch

Merge changes from topic "mbedtls-config-cleanup" into integration

* changes:
chore(qemu): remove duplicate define
chore(imx): remove duplicate define
chore(arm): remove duplicate defines
chore(mbedtls): remove hash configs

show more ...