Merge changes from topic "mec" into integration

* changes:
feat(qemu): add plat_rmmd_mecid_key_update()
feat(rmmd): add RMM_MECID_KEY_UPDATE call

feat(rmmd): add RMM_MECID_KEY_UPDATE call

With this addition, TF-A now has an SMC call to handle the
update of MEC keys associated to MECIDs.

The behavior of this newly added call is empty for now

feat(rmmd): add RMM_MECID_KEY_UPDATE call

With this addition, TF-A now has an SMC call to handle the
update of MEC keys associated to MECIDs.

The behavior of this newly added call is empty for now until an
implementation for the MPE (Memory Protection Engine) driver is
available. Only parameter sanitization has been implemented.

Signed-off-by: Tushar Khandelwal <tushar.khandelwal@arm.com>
Signed-off-by: Jean-Philippe Brucker <jean-philippe@linaro.org>
Signed-off-by: Juan Pablo Conde <juanpablo.conde@arm.com>
Change-Id: I2a969310b47e8c6da1817a79be0cd56158c6efc3

show more ...

Merge "chore: organize rmmd smccc by fid sequence" into integration

chore: organize rmmd smccc by fid sequence

This patch only arranged the case numbers that were incorrectly
ordered.

Change-Id: I0da48c68c5c2f4b5ba19ab770377ea91066bcb6a
Signed-off-by: Sona Mathew <

chore: organize rmmd smccc by fid sequence

This patch only arranged the case numbers that were incorrectly
ordered.

Change-Id: I0da48c68c5c2f4b5ba19ab770377ea91066bcb6a
Signed-off-by: Sona Mathew <sonarebecca.mathew@arm.com>

show more ...

Merge "feat(pmuv3): setup per world MDCR_EL3" into integration

feat(pmuv3): setup per world MDCR_EL3

MDCR_EL3 register will context switch across all worlds. Thus the pmuv3
init has to be part of context management initialization.

Change-Id: I10ef7a3071c0fc5c1

feat(pmuv3): setup per world MDCR_EL3

MDCR_EL3 register will context switch across all worlds. Thus the pmuv3
init has to be part of context management initialization.

Change-Id: I10ef7a3071c0fc5c11a93d3c9c2a95ec8c6493bf
Signed-off-by: Mateusz Sulimowicz <matsul@google.com>

show more ...

Merge changes from topic "bk/smccc_feature" into integration

* changes:
feat(smccc): implement SMCCC_ARCH_FEATURE_AVAILABILITY
refactor(cm): clean up per-world context
refactor(cm): change own

Merge changes from topic "bk/smccc_feature" into integration

* changes:
feat(smccc): implement SMCCC_ARCH_FEATURE_AVAILABILITY
refactor(cm): clean up per-world context
refactor(cm): change owning security state when a feature is disabled

show more ...

refactor(cm): clean up per-world context

In preparation for SMCCC_ARCH_FEATURE_AVAILABILITY, it is useful for
context to be directly related to the underlying system. Currently,
certain bits like SC

refactor(cm): clean up per-world context

In preparation for SMCCC_ARCH_FEATURE_AVAILABILITY, it is useful for
context to be directly related to the underlying system. Currently,
certain bits like SCR_EL3.APK are always set with the understanding that
they will only take effect if the feature is present.

However, that is problematic for SMCCC_ARCH_FEATURE_AVAILABILITY (an
SMCCC call to report which features firmware enables), as simply reading
the enable bit may contradict the ID register, like the APK bit above
for a system with no Pauth present.

This patch is to clean up these cases. Add a check for PAuth's presence
so that the APK bit remains unset if not present. Also move SPE and TRBE
enablement to only the NS context. They already only enable the features
for NS only and disable them for Secure and Realm worlds. This change
only makes these worlds' context read 0 for easy bitmasking.

There's only a single snag on SPE and TRBE. Currently, their fields have
the same values and any world asymmetry is handled by hardware. Since we
don't want to do that, the buffers' ownership will change if we just set
the fields to 0 for non-NS worlds. Doing that, however, exposes Secure
state to a potential denial of service attack - a malicious NS can
enable profiling and call an SMC. Then, the owning security state will
change and since no SPE/TRBE registers are contexted, Secure state will
start generating records. Always have NS world own the buffers to
prevent this.

Finally, get rid of manage_extensions_common() as it's just a level of
indirection to enable a single feature.

Change-Id: I487bd4c70ac3e2105583917a0e5499e0ee248ed9
Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>

show more ...

Merge "feat(rmmd): el3 token sign during attestation" into integration

feat(rmmd): el3 token sign during attestation

Add required SMCs by RMM to push attestation signing requests to EL3
and get responses. EL3 may then choose to push these requests to a HES
as suitable

feat(rmmd): el3 token sign during attestation

Add required SMCs by RMM to push attestation signing requests to EL3
and get responses. EL3 may then choose to push these requests to a HES
as suitable for a platform. This patch also supports the new
RMM_EL3_FEATURES interface, that RMM can use to query for support for
HES based signing. The new interface exposes a feature register with
different bits defining different discoverable features. This new
interface is available starting the 0.4 version of the RMM-EL3
interface, causing the version to bump up. This patch also adds a
platform port for FVP that implements the platform hooks required to
enable the new SMCs, but it does not push to a HES and instead copies a
zeroed buffer in EL3.

Change-Id: I69c110252835122a9533e71bdcce10b5f2a686b2
Signed-off-by: Raghu Krishnamurthy <raghupathyk@nvidia.com>

show more ...

Merge "refactor(rmmd): plat token requests in pieces" into integration

refactor(rmmd): plat token requests in pieces

Until now, the attestation token size was limited by the size of the
shared buffer between RMM and TF-A. With this change, RMM can now
request the token

refactor(rmmd): plat token requests in pieces

Until now, the attestation token size was limited by the size of the
shared buffer between RMM and TF-A. With this change, RMM can now
request the token in pieces, so they fit in the shared buffer. A new
output parameter was added to the SMC call, which will return (along
with the size of bytes copied into the buffer) the number of bytes
of the token that remain to be retrieved.

TF-A will keep an offset variable that will indicate the position in
the token where the next call will retrieve bytes from. This offset
will be increased on every call by adding the number number of bytes
copied. If the received hash size is not 0, TF-A will reset the
offset to 0 and copy from that position on.

The SMC call will now return at most the size of the shared buffer
in bytes on every call. Therefore, from now on, multiple SMC calls
may be needed to be issued if the token size exceeds the shared
buffer size.

Change-Id: I591f7013d06f64e98afaf9535dbea6f815799723
Signed-off-by: Juan Pablo Conde <juanpablo.conde@arm.com>

show more ...

Merge changes from topic "rmmd-graceful-exit" into integration

* changes:
fix(rmmd): remove the assert check for RMM_BASE
fix(std_svc): continue boot if rmmd_setup fails
fix(rmmd): ignore SMC

Merge changes from topic "rmmd-graceful-exit" into integration

* changes:
fix(rmmd): remove the assert check for RMM_BASE
fix(std_svc): continue boot if rmmd_setup fails
fix(rmmd): ignore SMC FID when RMM image is not present
fix(rmmd): fail gracefully if RME is not enabled
fix(rmmd): handle RMMD manifest loading failure

show more ...

fix(rmmd): remove the assert check for RMM_BASE

This patch removes the assert from rmmd_setup() that checks if the
RMM image PC is equal to RMM_BASE. The RMM image can be relocated to
any address in

fix(rmmd): remove the assert check for RMM_BASE

This patch removes the assert from rmmd_setup() that checks if the
RMM image PC is equal to RMM_BASE. The RMM image can be relocated to
any address in the DRAM by the previous bootloader. So, providing the
RMM base address at compile time is not feasible for such platforms.

The assert check is now replaced with a runtime check for the RMM image.

Change-Id: I568cdb6f76f41d0dcdc7a95feb75e252a7c5c930
Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>

show more ...

fix(rmmd): ignore SMC FID when RMM image is not present

This patch marks the RMM boot as failed, to ignore the SMC
FID for the RMM at runtime, if RMM image is not present on
the platform.

Change-Id

fix(rmmd): ignore SMC FID when RMM image is not present

This patch marks the RMM boot as failed, to ignore the SMC
FID for the RMM at runtime, if RMM image is not present on
the platform.

Change-Id: I3c19d886d32c56837a1a0d260d5204da8b2d12f1
Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>

show more ...

fix(rmmd): fail gracefully if RME is not enabled

This patch converts the assert check for RME presence into
a runtime check and returns an error to fail gracefully. This
allows platforms to use the

fix(rmmd): fail gracefully if RME is not enabled

This patch converts the assert check for RME presence into
a runtime check and returns an error to fail gracefully. This
allows platforms to use the same image on boards that do not
support RME too.

Change-Id: I0cacdd7afd85ed3581e90ea81f0a51d076adb875
Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>

show more ...

fix(rmmd): handle RMMD manifest loading failure

This patch sets the rmm_boot_failed flag to true if the RMMD
manifest loading fails. This instructs the RMMD to ignore all
SMC FID for the RMM at runt

fix(rmmd): handle RMMD manifest loading failure

This patch sets the rmm_boot_failed flag to true if the RMMD
manifest loading fails. This instructs the RMMD to ignore all
SMC FID for the RMM at runtime.

Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>
Change-Id: If61be6200e28fcea7a5ad697393e83679f488abc

show more ...

Merge changes from topic "sm/feat_detect" into integration

* changes:
refactor(cpufeat): restore functions in detect_arch_features
refactor(cpufeat): add macro to simplify is_feat_xx_present
c

Merge changes from topic "sm/feat_detect" into integration

* changes:
refactor(cpufeat): restore functions in detect_arch_features
refactor(cpufeat): add macro to simplify is_feat_xx_present
chore: simplify the macro names in ENABLE_FEAT mechanism

show more ...

refactor(cpufeat): add macro to simplify is_feat_xx_present

In this patch, we are trying to introduce the wrapper macro
CREATE_FEATURE_PRESENT to get the following capability and
align it for all th

refactor(cpufeat): add macro to simplify is_feat_xx_present

In this patch, we are trying to introduce the wrapper macro
CREATE_FEATURE_PRESENT to get the following capability and
align it for all the features:

-> is_feat_xx_present(): Does Hardware implement the feature.
-> uniformity in naming the function across multiple features.
-> improved readability

The is_feat_xx_present() is implemented to check if the hardware
implements the feature and does not take into account the
ENABLE_FEAT_XXX flag enabled/disabled in software.

- CREATE_FEATURE_PRESENT(name, idreg, shift, mask, idval)
The wrapper macro reduces the function to a single line and
creates the is_feat_xx_present function that checks the
id register based on the shift and mask values and compares
this against a determined idvalue.

Change-Id: I7b91d2c9c6fbe55f94c693aa1b2c50be54fb9ecc
Signed-off-by: Sona Mathew <sonarebecca.mathew@arm.com>

show more ...

Merge "fix(rmmd): fix bug, raised by coverity, when zeroing manifest struct" into integration

fix(rmmd): fix bug, raised by coverity, when zeroing manifest struct

An "Incorrect expression (SIZEOF_MISMATCH)" bug was raised by coverity
on the memset for clearing the manifest structure. This pa

fix(rmmd): fix bug, raised by coverity, when zeroing manifest struct

An "Incorrect expression (SIZEOF_MISMATCH)" bug was raised by coverity
on the memset for clearing the manifest structure. This patch resolves
that issue.

Signed-off-by: Harry Moulton <harry.moulton@arm.com>
Change-Id: I40431b972fc434d2b33f597813f22126d5d4cb70

show more ...

Merge changes I3a4f9a4f,Iedc4e640 into integration

* changes:
docs(rmm): document console struct in rmm boot manifest
feat(rme): pass console info via RMM-EL3 ifc

feat(rme): pass console info via RMM-EL3 ifc

This patch modifies the boot manifest to add console information to
be passed from EL3 to RMM.

Boot manifest version is bumped to v0.3

Signed-off-by: H

feat(rme): pass console info via RMM-EL3 ifc

This patch modifies the boot manifest to add console information to
be passed from EL3 to RMM.

Boot manifest version is bumped to v0.3

Signed-off-by: Harry Moulton <harry.moulton@arm.com>
Signed-off-by: Soby Mathew <soby.mathew@arm.com>
Change-Id: Iedc4e640fb7a4450ce5ce966ae76936d1b7b742d

show more ...

Merge "refactor(cm): couple el2 registers with dependent feature flags" into integration

refactor(cm): couple el2 registers with dependent feature flags

Currently the EL2 part of the context structure (el2_sysregs_t), is
mostly feature dependent.

For instance, CTX_HCRX_EL2 is only need

refactor(cm): couple el2 registers with dependent feature flags

Currently the EL2 part of the context structure (el2_sysregs_t), is
mostly feature dependent.

For instance, CTX_HCRX_EL2 is only needed when FEAT_HCX
(ENABLE_FEAT_HCX=1) is set, but the entry is unconditionally added
in the EL2 context structure and thereby consuming memory even in
build configurations where FEAT_HCX is disabled.

Henceforth, all such context entries should be coupled/tied with
their respective feature enables and be optimized away when unused.
This would reduce the context memory allocation for platforms, that
dont enable/support all the architectural features at once.

Further, converting the assembly context-offset entries into
a c structure relies on garbage collection of the linker
removing unreferenced structures from memory, as well as aiding
in readability and future maintenance.

Change-Id: I0cf49498ee3033cb6f3ee3810331121b26627783
Signed-off-by: Jayanth Dodderi Chidanand <jayanthdodderi.chidanand@arm.com>

show more ...