Merge changes I509b7bc5,Ibd36ea5c into integration

* changes:
fix(fconf): boot fails using ARM_ARCH_MINOR=8
fix(libc): add memcpy_s source file to libc_asm mk

fix(fconf): boot fails using ARM_ARCH_MINOR=8

When building TF-A (with SPMD support) with ARM_ARCH_MAJOR=8/
ARCH_ARCH_MINOR=8 options, this forces the -march=armv8.8-a compiler
option. In this condi

fix(fconf): boot fails using ARM_ARCH_MINOR=8

When building TF-A (with SPMD support) with ARM_ARCH_MAJOR=8/
ARCH_ARCH_MINOR=8 options, this forces the -march=armv8.8-a compiler
option. In this condition, the compiler optimises statement [1] into
a store pair to an unaligned address resulting to a supposedly alignment
fault. With -march=armv8.7-a and earlier the compiler resolves with a
memcpy. Replacing this line by an explicit memcpy masks out the issue.
Prefer using the plain struct uuid in place of the uuid_helper union
for further clarity.

[1] https://git.trustedfirmware.org/TF-A/trusted-firmware-a.git/tree/
plat/arm/common/fconf/arm_fconf_sp.c?h=v2.10#n77

Signed-off-by: Olivier Deprez <olivier.deprez@arm.com>
Change-Id: I509b7bc50c7c4a894885d24dc8279d0fe634e8f2

show more ...

Merge "fix(plat/arm): fix SP count limit without dual root CoT" into integration

fix(plat/arm): fix SP count limit without dual root CoT

Remove reserved range for platform provider owned SPs if the dual root
CoT is disabled and allow SPs to populate the range up to MAX_SP_IDS.

fix(plat/arm): fix SP count limit without dual root CoT

Remove reserved range for platform provider owned SPs if the dual root
CoT is disabled and allow SPs to populate the range up to MAX_SP_IDS.

Signed-off-by: Imre Kis <imre.kis@arm.com>
Change-Id: Ib4ec18f6530d2515ada21d2c0c388d55aa479d26

show more ...

Merge "fix(plat/arm): fix a VERBOSE trace" into integration

fix(plat/arm): fix a VERBOSE trace

When the console verbosity is at maximum, fconf_populate_arm_sp()
prints the UUID and load address of each secure partition. However,
the load address has not been

fix(plat/arm): fix a VERBOSE trace

When the console verbosity is at maximum, fconf_populate_arm_sp()
prints the UUID and load address of each secure partition. However,
the load address has not been retrieved yet at this point, which means
all partitions show a zero load address.

Move the trace after we have retrieved the SP's load address from the
device tree to make it more meaningful.

Change-Id: I58ef7df6c9107a433f61113cafd8f0855c468d40
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>

show more ...

Merge "refactor(plat/arm): store UUID as a string, rather than ints" into integration

refactor(plat/arm): store UUID as a string, rather than ints

NOTE: Breaking change to the way UUIDs are stored in the DT

Currently, UUIDs are stored in the device tree as
sequences of 4 integers. T

refactor(plat/arm): store UUID as a string, rather than ints

NOTE: Breaking change to the way UUIDs are stored in the DT

Currently, UUIDs are stored in the device tree as
sequences of 4 integers. There is a mismatch in endianness
between the way UUIDs are represented in memory and the way
they are parsed from the device tree. As a result, we must either
store the UUIDs in little-endian format in the DT (which means
that they do not match up with their string representations)
or perform endianness conversion after parsing them.

Currently, TF-A chooses the second option, with unwieldy
endianness-conversion taking place after reading a UUID.

To fix this problem, and to make it convenient to copy and
paste UUIDs from other tools, change to store UUIDs in string
format, using a new wrapper function to parse them from the
device tree.

Change-Id: I38bd63c907be14e412f03ef0aab9dcabfba0eaa0
Signed-off-by: David Horstmann <david.horstmann@arm.com>

show more ...

Merge "SPM: Get rid of uint32_t array representation of UUID" into integration

SPM: Get rid of uint32_t array representation of UUID

UUID's in the device tree files were stored in little endian. So
to keep all entries in these files RFC 4122 compliant, store them in
big endian

SPM: Get rid of uint32_t array representation of UUID

UUID's in the device tree files were stored in little endian. So
to keep all entries in these files RFC 4122 compliant, store them in
big endian then convert it to little endian when they are read so they
can be used in the UUID data structure.

Signed-off-by: Ruari Phipps <ruari.phipps@arm.com>
Change-Id: I5674159b82b245104381df10a4e3291160d9b3b5

show more ...

Merge changes from topic "sp_dual_signing" into integration

* changes:
SPM: Add owner field to cactus secure partitions
SPM: Alter sp_gen.mk entry depending on owner of partition
plat/arm: ena

Merge changes from topic "sp_dual_signing" into integration

* changes:
SPM: Add owner field to cactus secure partitions
SPM: Alter sp_gen.mk entry depending on owner of partition
plat/arm: enable support for Plat owned SPs

show more ...

plat/arm: enable support for Plat owned SPs

For Arm platforms SPs are loaded by parsing tb_fw_config.dts and
adding them to SP structure sequentially, which in-turn is appended to
loadable image lis

plat/arm: enable support for Plat owned SPs

For Arm platforms SPs are loaded by parsing tb_fw_config.dts and
adding them to SP structure sequentially, which in-turn is appended to
loadable image list.

With recently introduced dualroot CoT for SPs where they are owned
either by SiP or by Platform. SiP owned SPs index starts at SP_PKG1_ID
and Plat owned SPs index starts at SP_PKG5_ID. As the start index of SP
depends on the owner, there should be a mechanism to parse owner of a SP
and put it at the correct index in SP structure.

This patch adds support for parsing a new optional field "owner" and
based on it put SP details(UUID & Load-address) at the correct index in
SP structure.

Change-Id: Ibd255b60d5c45023cc7fdb10971bef6626cb560b
Signed-off-by: Manish Pandey <manish.pandey2@arm.com>

show more ...

Merge "tbbr/dualroot: rename SP package certificate file" into integration

tbbr/dualroot: rename SP package certificate file

Currently only single signing domain is supported for SP packages but
there is plan to support dual signing domains if CoT is dualroot.

SP_CONTENT_

tbbr/dualroot: rename SP package certificate file

Currently only single signing domain is supported for SP packages but
there is plan to support dual signing domains if CoT is dualroot.

SP_CONTENT_CERT_ID is the certificate file which is currently generated
and signed with trusted world key which in-turn is derived from Silicon
provider RoT key.
To allow dual signing domain for SP packages, other certificate file
will be derived from Platform owned RoT key.

This patch renames "SP_CONTENT_CERT_ID" to "SIP_SP_CONTENT_CERT_ID" and
does other related changes.

Signed-off-by: Manish Pandey <manish.pandey2@arm.com>
Change-Id: I0bc445a3ab257e2dac03faa64f46e36a9fed5e93

show more ...

Merge "fconf: spm: minor bug fix" into integration

fconf: spm: minor bug fix

This patch fixes a bug where wrong panic was caused when the number
of SP was same as max limit.

Signed-off-by: Manish Pandey <manish.pandey2@arm.com>
Change-Id: I9ace62d8

fconf: spm: minor bug fix

This patch fixes a bug where wrong panic was caused when the number
of SP was same as max limit.

Signed-off-by: Manish Pandey <manish.pandey2@arm.com>
Change-Id: I9ace62d8d5bcdc410eeacdd9d33d55a7be5fcc8e

show more ...

Merge changes from topic "sp_secure_boot" into integration

* changes:
dualroot: add chain of trust for secure partitions
sptool: append cert_tool arguments.
cert_create: add SiP owned secure p

Merge changes from topic "sp_secure_boot" into integration

* changes:
dualroot: add chain of trust for secure partitions
sptool: append cert_tool arguments.
cert_create: add SiP owned secure partitions support

show more ...

dualroot: add chain of trust for secure partitions

A new certificate "sip-sp-cert" has been added for Silicon Provider(SiP)
owned Secure Partitions(SP). A similar support for Platform owned SP can
b

dualroot: add chain of trust for secure partitions

A new certificate "sip-sp-cert" has been added for Silicon Provider(SiP)
owned Secure Partitions(SP). A similar support for Platform owned SP can
be added in future. The certificate is also protected against anti-
rollback using the trusted Non-Volatile counter.

To avoid deviating from TBBR spec, support for SP CoT is only provided
in dualroot.
Secure Partition content certificate is assigned image ID 31 and SP
images follows after it.

The CoT for secure partition look like below.
+------------------+ +-------------------+
| ROTPK/ROTPK Hash |------>| Trusted Key |
+------------------+ | Certificate |
| (Auth Image) |
/+-------------------+
/ |
/ |
/ |
/ |
L v
+------------------+ +-------------------+
| Trusted World |------>| SiP owned SPs |
| Public Key | | Content Cert |
+------------------+ | (Auth Image) |
/ +-------------------+
/ |
/ v|
+------------------+ L +-------------------+
| SP_PKG1 Hash |------>| SP_PKG1 |
| | | (Data Image) |
+------------------+ +-------------------+
. .
. .
. .
+------------------+ +-------------------+
| SP_PKG8 Hash |------>| SP_PKG8 |
| | | (Data Image) |
+------------------+ +-------------------+

Signed-off-by: Manish Pandey <manish.pandey2@arm.com>
Change-Id: Ia31546bac1327a3e0b5d37e8b99c808442d5e53f

show more ...

Merge changes from topic "fdt_wrappers_rework" into integration

* changes:
arm: fconf: Fix GICv3 dynamic configuration
plat/stm32: Implement fdt_read_uint32_default() as a wrapper
fdt/wrappers

Merge changes from topic "fdt_wrappers_rework" into integration

* changes:
arm: fconf: Fix GICv3 dynamic configuration
plat/stm32: Implement fdt_read_uint32_default() as a wrapper
fdt/wrappers: Replace fdtw_read_cells() implementation
plat/stm32: Use generic fdt_read_uint32_array() implementation
fdt/wrappers: Generalise fdtw_read_array()

show more ...

fdt/wrappers: Replace fdtw_read_cells() implementation

Our fdtw_read_cells() implementation goes to great lengths to
sanity-check every parameter and result, but leaves a big hole open:
The size of

fdt/wrappers: Replace fdtw_read_cells() implementation

Our fdtw_read_cells() implementation goes to great lengths to
sanity-check every parameter and result, but leaves a big hole open:
The size of the storage the value pointer points at needs to match the
number of cells given. This can't be easily checked at compile time,
since we lose the size information by using a void pointer.
Regardless the current usage of this function is somewhat wrong anyways,
since we use it on single-element, fixed-length properties only, for
which the DT binding specifies the size.
Typically we use those functions dealing with a number of cells in DT
context to deal with *dynamically* sized properties, which depend on
other properties (#size-cells, #clock-cells, ...), to specify the number
of cells needed.

Another problem with the current implementation is the use of
ambiguously sized types (uintptr_t, size_t) together with a certain
expectation about their size. In general there is no relation between
the length of a DT property and the bitness of the code that parses the
DTB: AArch64 code could encounter 32-bit addresses (where the physical
address space is limited to 4GB [1]), while AArch32 code could read
64-bit sized properties (/memory nodes on LPAE systems, [2]).

To make this more clear, fix the potential issues and also align more
with other DT users (Linux and U-Boot), introduce functions to explicitly
read uint32 and uint64 properties. As the other DT consumers, we do this
based on the generic "read array" function.
Convert all users to use either of those two new functions, and make
sure we never use a pointer to anything other than uint32_t or uint64_t
variables directly.

This reveals (and fixes) a bug in plat_spmd_manifest.c, where we write
4 bytes into a uint16_t variable (passed via a void pointer).

Also we change the implementation of the function to better align with
other libfdt users, by using the right types (fdt32_t) and common
variable names (*prop, prop_names).

[1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/arch/arm64/boot/dts/allwinner/sun50i-a64.dtsi#n874
[2] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/arch/arm/boot/dts/ecx-2000.dts

Change-Id: I718de960515117ac7a3331a1b177d2ec224a3890
Signed-off-by: Andre Przywara <andre.przywara@arm.com>

show more ...

fdt/wrappers: Generalise fdtw_read_array()

Currently our fdtw_read_array() implementation requires the length of
the property to exactly match the requested size, which makes it less
flexible for pa

fdt/wrappers: Generalise fdtw_read_array()

Currently our fdtw_read_array() implementation requires the length of
the property to exactly match the requested size, which makes it less
flexible for parsing generic device trees.
Also the name is slightly misleading, since we treat the cells of the
array as 32 bit unsigned integers, performing the endianess conversion.

To fix those issues and align the code more with other DT users (Linux
kernel or U-Boot), rename the function to "fdt_read_uint32_array", and
relax the length check to only check if the property covers at least the
number of cells we request.
This also changes the variable names to be more in-line with other DT
users, and switches to the proper data types.

This makes this function more useful in later patches.

Change-Id: Id86f4f588ffcb5106d4476763ecdfe35a735fa6c
Signed-off-by: Andre Przywara <andre.przywara@arm.com>

show more ...

Merge changes from topic "mp/enhanced_pal_hw" into integration

* changes:
plat/arm/fvp: populate pwr domain descriptor dynamically
fconf: Extract topology node properties from HW_CONFIG dtb
fc

Merge changes from topic "mp/enhanced_pal_hw" into integration

* changes:
plat/arm/fvp: populate pwr domain descriptor dynamically
fconf: Extract topology node properties from HW_CONFIG dtb
fconf: necessary modifications to support fconf in BL31 & SP_MIN
fconf: enhancements to firmware configuration framework

show more ...

fconf: enhancements to firmware configuration framework

A populate() function essentially captures the value of a property,
defined by a platform, into a fconf related c structure. Such a
callback i

fconf: enhancements to firmware configuration framework

A populate() function essentially captures the value of a property,
defined by a platform, into a fconf related c structure. Such a
callback is usually platform specific and is associated to a specific
configuration source.
For example, a populate() function which captures the hardware topology
of the platform can only parse HW_CONFIG DTB. Hence each populator
function must be registered with a specific 'config_type' identifier.
It broadly represents a logical grouping of configuration properties
which is usually a device tree source file.

Example:
> TB_FW: properties related to trusted firmware such as IO policies,
base address of other DTBs, mbedtls heap info etc.
> HW_CONFIG: properties related to hardware configuration of the SoC
such as topology, GIC controller, PSCI hooks, CPU ID etc.

This patch modifies FCONF_REGISTER_POPULATOR macro and fconf_populate()
to register and invoke the appropriate callbacks selectively based on
configuration type.

Change-Id: I6f63b1fd7a8729c6c9137d5b63270af1857bb44a
Signed-off-by: Madhukar Pappireddy <madhukar.pappireddy@arm.com>

show more ...

Merge changes from topic "sp_loading" into integration

* changes:
SPMD: loading Secure Partition payloads
fvp: add Cactus/Ivy Secure Partition information
fconf: Add Secure Partitions informat

Merge changes from topic "sp_loading" into integration

* changes:
SPMD: loading Secure Partition payloads
fvp: add Cactus/Ivy Secure Partition information
fconf: Add Secure Partitions information as property

show more ...

SPMD: loading Secure Partition payloads

This patch implements loading of Secure Partition packages using
existing framework of loading other bl images.

The current framework uses a statically defin

SPMD: loading Secure Partition payloads

This patch implements loading of Secure Partition packages using
existing framework of loading other bl images.

The current framework uses a statically defined array to store all the
possible image types and at run time generates a link list and traverse
through it to load different images.

To load SPs, a new array of fixed size is introduced which will be
dynamically populated based on number of SPs available in the system
and it will be appended to the loadable images list.

Change-Id: I8309f63595f2a71b28a73b922d20ccba9c4f6ae4
Signed-off-by: Manish Pandey <manish.pandey2@arm.com>

show more ...