feat(imx8mp): set and lock almost all peripherals as non-secure

This sets and locks all peripheral type-1 masters, except CAAM, access
as non-secure, so that they can't access secure world resources

feat(imx8mp): set and lock almost all peripherals as non-secure

This sets and locks all peripheral type-1 masters, except CAAM, access
as non-secure, so that they can't access secure world resources from the
normal world.

The CAAM itself is TrustZone aware and handles memory access between the
normal world and the secure world on its own. Pinning it as non-secure
access results in bus aborts if the secure memory region is protected by
the TZASC380.

Change-Id: Iedf3d67481dc35d56aa7b291749b999a56d6e85e
Signed-off-by: Stefan Kerkmann <s.kerkmann@pengutronix.de>

show more ...

feat(imx8mm): restrict peripheral access to secure world

This restricts and locks all security relevant peripherals to only be
changeable by the secure world. Otherwise the normal world can simply
c

feat(imx8mm): restrict peripheral access to secure world

This restricts and locks all security relevant peripherals to only be
changeable by the secure world. Otherwise the normal world can simply
change the access settings and defeat all security measures put in
place.

Change-Id: I484a2c8164e58b68256d829470e00d5ec473e266
Signed-off-by: Stefan Kerkmann <s.kerkmann@pengutronix.de>

show more ...

feat(imx8mm): set and lock almost all peripherals as non-secure

This sets and locks all peripheral type-1 masters, except CAAM, access
as non-secure, so that they can't access secure world resources

feat(imx8mm): set and lock almost all peripherals as non-secure

This sets and locks all peripheral type-1 masters, except CAAM, access
as non-secure, so that they can't access secure world resources from the
normal world.

The CAAM itself is TrustZone aware and handles memory access between the
normal world and the secure world on its own. Pinning it as non-secure
access results in bus aborts if the secure memory region is protected by
the TZASC380.

Change-Id: Idba4d8a491ccce0491489c61e73545baab1889c4
Signed-off-by: Stefan Kerkmann <s.kerkmann@pengutronix.de>

show more ...

fix(cpus): workaround for Cortex-A715 erratum 2413290

Cortex-A715 erratum 2413290 is a Cat B erratum that is present
only in revision r1p0 and is fixed in r1p1. The errata is only
present when SPE(S

fix(cpus): workaround for Cortex-A715 erratum 2413290

Cortex-A715 erratum 2413290 is a Cat B erratum that is present
only in revision r1p0 and is fixed in r1p1. The errata is only
present when SPE(Statistical Profiling Extension) is enabled.

The workaround is to set bits[58:57] of the CPUACTLR_EL1 to 'b11
when SPE is enabled, ENABLE_SPE_FOR_NS=1.

SDEN documentation:
https://developer.arm.com/documentation/SDEN2148827/latest

Change-Id: Iaeb258c8b0a92e93d70b7dad6ba59d1056aeb135
Signed-off-by: Sona Mathew <sonarebecca.mathew@arm.com>

show more ...

feat(rpi): add Raspberry Pi 5 support

The Raspberry Pi 5 is a single-board computer based on BCM2712 that
contains four Arm Cortex-A76 cores.

This change introduces minimal BL31 support with PSCI t

feat(rpi): add Raspberry Pi 5 support

The Raspberry Pi 5 is a single-board computer based on BCM2712 that
contains four Arm Cortex-A76 cores.

This change introduces minimal BL31 support with PSCI that has been
validated to boot Linux and a private EDK2 build.

It's a drop-in replacement for the custom TF-A armstub now included in
the EEPROM images.

Change-Id: Id72a0370f54e71ac97c3daa1bacedacb7dec148f
Signed-off-by: Mario Bălănică <mariobalanica02@gmail.com>

show more ...

fix(rpi): consider MT when calculating core index from MPIDR

RPi 5 has newer Armv8.2 cores where the MT bit is set to indicate that
the lowest affinity level represents a thread, but there is only o

fix(rpi): consider MT when calculating core index from MPIDR

RPi 5 has newer Armv8.2 cores where the MT bit is set to indicate that
the lowest affinity level represents a thread, but there is only one
thread per core.

To deal with this, simply right shift MPIDR by one affinity level to get
the cluster and core IDs back into Aff1 and Aff0 as expected.

Change-Id: I2bafba38f82fd9a6ef6f2fdf2c089b754279a6de
Signed-off-by: Mario Bălănică <mariobalanica02@gmail.com>

show more ...

refactor(rpi): move register definitions out of rpi_hw.h

Change-Id: I2bd48441359468efb9e94fd2fffb079683f7a7fd
Signed-off-by: Mario Bălănică <mariobalanica02@gmail.com>

refactor(rpi): add platform macro for the crash UART base address

Change-Id: I164c579cbf7c26547a47794cd80152e13fd1937b
Signed-off-by: Mario Bălănică <mariobalanica02@gmail.com>

refactor(rpi): split out console registration logic

Detection of the UART in use and GPIO code only apply to RPi 3 and 4.

RPi 5 has a dedicated PL011 debug port.

Change-Id: Iddf8aea01278e2b79b4e7c

refactor(rpi): split out console registration logic

Detection of the UART in use and GPIO code only apply to RPi 3 and 4.

RPi 5 has a dedicated PL011 debug port.

Change-Id: Iddf8aea01278e2b79b4e7c476740f1add8c419f0
Signed-off-by: Mario Bălănică <mariobalanica02@gmail.com>

show more ...

refactor(rpi): move more platform-specific code into common

In preparation for RPi 5 support, which will reuse most of the RPi 4
logic except for DTB patching.

Change-Id: I6f6ef96933711a1798757a338

refactor(rpi): move more platform-specific code into common

In preparation for RPi 5 support, which will reuse most of the RPi 4
logic except for DTB patching.

Change-Id: I6f6ef96933711a1798757a3389adae1b8ee3de6c
Signed-off-by: Mario Bălănică <mariobalanica02@gmail.com>

show more ...

Merge "refactor(cm): couple el2 registers with dependent feature flags" into integration

Merge "fix(tc): do not use r0 for HW_CONFIG" into integration

Merge "fix(misra): fix MISRA defects" into integration

Merge changes from topic "DPE" into integration

* changes:
feat(tc): group components into certificates
feat(dice): add cert_id argument to dpe_derive_context()
refactor(sds): modify log level

Merge changes from topic "DPE" into integration

* changes:
feat(tc): group components into certificates
feat(dice): add cert_id argument to dpe_derive_context()
refactor(sds): modify log level for region validity
feat(tc): add dummy TRNG support to be able to boot pVMs
feat(tc): get the parent component provided DPE context_handle
feat(tc): share DPE context handle with child component
feat(tc): add DPE context handle node to device tree
feat(tc): add DPE backend to the measured boot framework
feat(auth): add explicit entries for key OIDs
feat(dice): add DPE driver to measured boot
feat(dice): add client API for DICE Protection Environment
feat(dice): add QCBOR library as a dependency of DPE
feat(dice): add typedefs from the Open DICE repo
docs(changelog): add 'dice' scope
refactor(tc): align image identifier string macros
refactor(fvp): align image identifier string macros
refactor(imx8m): align image identifier string macros
refactor(qemu): align image identifier string macros
fix(measured-boot): add missing image identifier string
refactor(measured-boot): move metadata size macros to a common header
refactor(measured-boot): move image identifier strings to a common header

show more ...

fix(misra): fix MISRA defects

This patch resolves the MISRA issues reported in mailing list.
It addresses the following MISRA Rules violations - Rule 15.7 and
Rule 2.4.

* As per Rule 15.7, All if..

fix(misra): fix MISRA defects

This patch resolves the MISRA issues reported in mailing list.
It addresses the following MISRA Rules violations - Rule 15.7 and
Rule 2.4.

* As per Rule 15.7, All if.. else if constructs should be terminated
with an else statement and hence the conditional block
has been changed to switch..case. Updated get_el_str() to include
all EL cases.

* As per Rule 2.4, A project should not contain unused tag declarations,
hence intr_type_desc tag is removed.

* bl31_lib_init is only used in translation unit and hence it's
declaration is removed from bl31.h and the definition is made static to
maintain visibility.

Signed-off-by: Arvind Ram Prakash <arvind.ramprakash@arm.com>
Change-Id: Ica1d3041566baf51befcad5fd3714189117ba193

show more ...

refactor(cm): couple el2 registers with dependent feature flags

Currently the EL2 part of the context structure (el2_sysregs_t), is
mostly feature dependent.

For instance, CTX_HCRX_EL2 is only need

refactor(cm): couple el2 registers with dependent feature flags

Currently the EL2 part of the context structure (el2_sysregs_t), is
mostly feature dependent.

For instance, CTX_HCRX_EL2 is only needed when FEAT_HCX
(ENABLE_FEAT_HCX=1) is set, but the entry is unconditionally added
in the EL2 context structure and thereby consuming memory even in
build configurations where FEAT_HCX is disabled.

Henceforth, all such context entries should be coupled/tied with
their respective feature enables and be optimized away when unused.
This would reduce the context memory allocation for platforms, that
dont enable/support all the architectural features at once.

Further, converting the assembly context-offset entries into
a c structure relies on garbage collection of the linker
removing unreferenced structures from memory, as well as aiding
in readability and future maintenance.

Change-Id: I0cf49498ee3033cb6f3ee3810331121b26627783
Signed-off-by: Jayanth Dodderi Chidanand <jayanthdodderi.chidanand@arm.com>

show more ...

fix(tc): do not use r0 for HW_CONFIG

populate_next_bl_params_config already configures the register values
to be passed to BL33 and puts the HW_CONFIG address in r1. Therefore,
we do not need to ove

fix(tc): do not use r0 for HW_CONFIG

populate_next_bl_params_config already configures the register values
to be passed to BL33 and puts the HW_CONFIG address in r1. Therefore,
we do not need to override r0 here and should instead use r1 in BL33.

Change-Id: I00b425301957b5b0510416e1fa1f3599c0359bfc
Signed-off-by: Jackson Cooper-Driver <jackson.cooper-driver@arm.com>

show more ...

fix(cpus): workaround for Cortex-X4 erratum 2701112

Cortex-X4 erratum 2701112 is cat B erratum that applies to
revision r0p0 and is fixed in r0p1. This erratum affects
system configurations that do

fix(cpus): workaround for Cortex-X4 erratum 2701112

Cortex-X4 erratum 2701112 is cat B erratum that applies to
revision r0p0 and is fixed in r0p1. This erratum affects
system configurations that do not use an Arm interconnect IP.

The workaround for this erratum is not implemented in EL3.
The erratum can be enabled/disabled on a platform level.
The flag is used when the errata ABI feature is enabled and can
assist the Kernel in the process of mitigation of the erratum.

SDEN Documentation:
https://developer.arm.com/documentation/SDEN2432808/latest

Change-Id: I8ede1ee75b0ea1658369a0646d8af91d44a8759b
Signed-off-by: Sona Mathew <sonarebecca.mathew@arm.com>

show more ...

Merge "fix(gic600): workaround for Part 1 of GIC600 erratum 2384374" into integration

fix(gic600): workaround for Part 1 of GIC600 erratum 2384374

GIC600 erratum 2384374 is a Category B erratum. Part 1 is fixed
in this patch, and the Part 1 failure mode is described as
'If the packet

fix(gic600): workaround for Part 1 of GIC600 erratum 2384374

GIC600 erratum 2384374 is a Category B erratum. Part 1 is fixed
in this patch, and the Part 1 failure mode is described as
'If the packet to be sent is a SET packet, then a higher priority SET
may not be sent when it should be until an unblocking event occurs.'

This is handled by calling gicv3_apply_errata_wa_2384374() in the
ehf_deactivate_priority() path, so that when EHF restores the priority
to the original priority, the interrupt packet buffered
in the GIC can be sent.

gicv3_apply_errata_wa_2384374() is the workaround for
the Part 2 of erratum 2384374 which flush packets from the GIC buffer
and is being used in this patch.

SDEN can be found here:
https://developer.arm.com/documentation/sden892601/latest/

Signed-off-by: Arvind Ram Prakash <arvind.ramprakash@arm.com>
Change-Id: I4bb6dcf86c94125cbc574e0dc5119abe43e84731

show more ...

fix(arm): move console flush/switch in common function

There are some CI configs which apply patch on the fly to test some
unusual test scenarios. After commit c864af989 there is one patch which
doe

fix(arm): move console flush/switch in common function

There are some CI configs which apply patch on the fly to test some
unusual test scenarios. After commit c864af989 there is one patch which
does not apply cleanly into arm_bl31_plat_runtime_setup().

To fix this issue move console flush/switch into the caller of this
function.

Signed-off-by: Manish Pandey <manish.pandey2@arm.com>
Change-Id: I4116044d53bef349a707c977cf26d1df65200045

show more ...

feat(tc): group components into certificates

Set the cert_id argument to group the components
into certificates. The grouping reflects the likely units
of updateability.

Signed-off-by: Tamas Ban <t

feat(tc): group components into certificates

Set the cert_id argument to group the components
into certificates. The grouping reflects the likely units
of updateability.

Signed-off-by: Tamas Ban <tamas.ban@arm.com>
Change-Id: Ie7a1f10c84af727d0cd39e3a78b0cb59cbc2e457

show more ...

feat(tc): add dummy TRNG support to be able to boot pVMs

pVMs on Android 14 has a platform requirement to support
SMCCC TRNG discovery. This implementation add a
dummy TRNG support to TC2.

Signed-o

feat(tc): add dummy TRNG support to be able to boot pVMs

pVMs on Android 14 has a platform requirement to support
SMCCC TRNG discovery. This implementation add a
dummy TRNG support to TC2.

Signed-off-by: Tamas Ban <tamas.ban@arm.com>
Change-Id: Iae0ca546cadf48a6a404ae578c7ccf5a84d057c4

show more ...

feat(tc): get the parent component provided DPE context_handle

Each client who wants to communicate with the DPE service
must own a valid context handle issued by the DPE service.
A context handle c

feat(tc): get the parent component provided DPE context_handle

Each client who wants to communicate with the DPE service
must own a valid context handle issued by the DPE service.
A context handle can be used for a single time then it will
be invalidated by the DPE service. In case of calls from
the same component, the next valid context handle is
returned in the response to a DPE command. When a component
finishes their job then the next component in the boot flow
inherits its first context handle from its parent.
How the inheritance is done can be client or
platform-dependent. It can be shared through shared
memory or be part of a DTB object passed to the next
bootloader stage.

Signed-off-by: Tamas Ban <tamas.ban@arm.com>
Signed-off-by: David Vincze <david.vincze@arm.com>
Change-Id: Ic82f074f1c5b15953e78f9fa5404ed7f48674cbb

show more ...

feat(tc): share DPE context handle with child component

To be allowed to communicate with DPE service all
components must own a valid context handle. The first
valid context handle is inherited from

feat(tc): share DPE context handle with child component

To be allowed to communicate with DPE service all
components must own a valid context handle. The first
valid context handle is inherited from the parent
component via a DTB object.

Signed-off-by: Tamas Ban <tamas.ban@arm.com>
Change-Id: Id357fab3586398b1933444e1d10d1ab6d8243ab9

show more ...