Merge changes from topic "bk/multibuild" into integration

* changes:
fix(lx2160a): put cert_create_tbbr.mk in the standard location
feat(build): put crttool in the build directory
feat(build):

Merge changes from topic "bk/multibuild" into integration

* changes:
fix(lx2160a): put cert_create_tbbr.mk in the standard location
feat(build): put crttool in the build directory
feat(build): put enctool in the build directory
feat(build): put fiptool in the build directory
build(marvell): avoid using recursive expansion for BLE_INCLUDES

show more ...

feat(build): put fiptool in the build directory

For some reason, tools are not built in the build directory, but rather
in the source directory, regardless of what BUILD_BASE might say. This
is espe

feat(build): put fiptool in the build directory

For some reason, tools are not built in the build directory, but rather
in the source directory, regardless of what BUILD_BASE might say. This
is especially annoying when trying to have a few builds going at the
same time (like in a CI). For example, run A may check if a file X
exists. Seeing that it does not, it will start building the file. At the
same time, run B may also check if file X exists but before A has
written it, starting a build again. Then it is possible for A to use the
file it believes to have built right at the moment B begins writing to
it (and truncating it beforehand). This results in gcc failing to read a
fail and a failed build. The more parallel runs there are, the more
likely this is to happen, and this is virtually guaranteed to happen
with just a handful onwards.

So move fiptool and all of its build artefacts to the build directory.
Since there are platform differences between the various fiptool
incarnations, this goes in the plat build rather than a more top-level
location.

This patch adds the build macro MAKE_TOOL to do this generically for any
kind of tool since the other tools suffer from the same shortfall. This
macro takes care to use unique names for every type of argument that
building a tool might need. The fiptool makefile and platform add-ons
are updated accordingly.

This should have never been allowed in the first place, but downstream
scripts almost certainly depend on this behaviour now. So add a symlink
in the place of the old fiptool so these continue working. With any
luck, this will be removed in the future.

Change-Id: I3d4d87dab0f53deab5b43fbc6652146f0e4e7e81
Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>

show more ...

Merge "build: remove Windows compatibility layer" into integration

build: remove Windows compatibility layer

For a couple of releases now we have officially withdrawn support for
building TF-A on Windows using the native environment, relying instead
on POSIX emulat

build: remove Windows compatibility layer

For a couple of releases now we have officially withdrawn support for
building TF-A on Windows using the native environment, relying instead
on POSIX emulation layers like MSYS2, Mingw64, Cygwin or WSL.

This change removes the remainder of the OS compatibility layer
entirely, and migrates the build system over to explicitly relying on a
POSIX environment.

Change-Id: I8fb60d998162422e958009afd17eab826e3bc39b
Signed-off-by: Chris Kay <chris.kay@arm.com>

show more ...

Merge changes from topic "dynamic-toolchain" into integration

* changes:
build: allow multiple toolchain defaults
build: determine toolchain tools dynamically

build: determine toolchain tools dynamically

Since the introduction of the toolchain detection framework into the
build system, we have done determination and identification of the
toolchain(s) used

build: determine toolchain tools dynamically

Since the introduction of the toolchain detection framework into the
build system, we have done determination and identification of the
toolchain(s) used for the build at the initialization of the build
system.

This incurs a large cost to the build every time - for every toolchain
that has been requested by the current makefile, we try to identify each
tool in the list of known tool classes, even if that tool doesn't
actually see any use.

For the clean and check-like targets we worked around this by disabling
most of the toolchains if we detect these targets, but this is
inflexible and not very reliable, and it still means that when building
normal targets we are incurring that cost for all tools whether they are
used or not.

This change instead modifies the toolchain detection framework to only
initialize a tool for a given toolchain when it is first used. This does
mean that we can no longer warn about an incorrectly-configured
toolchain at the beginning of build system invocation, but it has the
advantage of substantially reducing build time and the complexity of
*using* the framework (at the cost of an increase in complexity in the
framework itself).

Change-Id: I7f3d06b2eb58c1b26a846791a13b0037f32c8013
Signed-off-by: Chris Kay <chris.kay@arm.com>

show more ...

Merge changes from topic "ck/tf-a/verbosity-cleanup" into integration

* changes:
build: unify verbosity handling
build: add facilities for interpreting boolean values
build: add string casing

Merge changes from topic "ck/tf-a/verbosity-cleanup" into integration

* changes:
build: unify verbosity handling
build: add facilities for interpreting boolean values
build: add string casing facilities to utilities

show more ...

build: unify verbosity handling

This change introduces a few helper variables for dealing with verbose
and silent build modes: `silent`, `verbose`, `q` and `s`.

The `silent` and `verbose` variables

build: unify verbosity handling

This change introduces a few helper variables for dealing with verbose
and silent build modes: `silent`, `verbose`, `q` and `s`.

The `silent` and `verbose` variables are boolean values determining
whether the build system has been configured to run silently or
verbosely respectively (i.e. with `--silent` or `V=1`).

These two modes cannot be used together - if `silent` is truthy then
`verbose` is always falsy. As such:

make --silent V=1

... results in a silent build.

In addition to these boolean variables, we also introduce two new
variables - `s` and `q` - for use in rule recipes to conditionally
suppress the output of commands.

When building silently, `s` expands to a value which disables the
command that follows, and `q` expands to a value which supppresses
echoing of the command:

$(s)echo 'This command is neither echoed nor executed'
$(q)echo 'This command is executed but not echoed'

When building verbosely, `s` expands to a value which disables the
command that follows, and `q` expands to nothing:

$(s)echo 'This command is neither echoed nor executed'
$(q)echo 'This command is executed and echoed'

In all other cases, both `s` and `q` expand to a value which suppresses
echoing of the command that follows:

$(s)echo 'This command is executed but not echoed'
$(q)echo 'This command is executed but not echoed'

The `s` variable is predominantly useful for `echo` commands, where you
always want to suppress echoing of the command itself, whilst `q` is
more useful for all other commands.

Change-Id: I8d8ff6ed714d3cb401946c52955887ed7dca602b
Signed-off-by: Chris Kay <chris.kay@arm.com>

show more ...

Merge "build: use new toolchain variables for tools" into integration

Merge "build: refactor toolchain detection" into integration

build: use new toolchain variables for tools

This change migrates the values of `CC`, `CPP`, `AS` and other toolchain
variables to the new `$(toolchain)-$(tool)` variables, which were
introduced by

build: use new toolchain variables for tools

This change migrates the values of `CC`, `CPP`, `AS` and other toolchain
variables to the new `$(toolchain)-$(tool)` variables, which were
introduced by the toolchain refactor patch. These variables should be
equivalent to the values that they're replacing.

Change-Id: I644fe4ce82ef1894bed129ddb4b6ab94fb04985d
Signed-off-by: Chris Kay <chris.kay@arm.com>

show more ...

build: refactor toolchain detection

This change refactors how we identify the toolchain, with the ultimate
aim of eventually cleaning up the various mechanisms that we employ to
configure default to

build: refactor toolchain detection

This change refactors how we identify the toolchain, with the ultimate
aim of eventually cleaning up the various mechanisms that we employ to
configure default tools, identify the tools in use, and configure
toolchain flags.

To do this, we introduce three new concepts in this change:

- Toolchain identifiers,
- Tool class identifiers, and
- Tool identifiers.

Toolchain identifiers identify a configurable chain of tools targeting
one platform/machine/architecture. Today, these are:

- The host machine, which receives the `host` identifier,
- The AArch32 architecture, which receives the `aarch32` identifier, and
- The AArch64 architecture, which receivs the `aarch64` identifier.

The tools in a toolchain may come from different vendors, and are not
necessarily expected to come from one single toolchain distribution. In
most cases it is perfectly valid to mix tools from different toolchain
distributions, with some exceptions (notably, link-time optimization
generally requires the compiler and the linker to be aligned).

Tool class identifiers identify a class (or "role") of a tool. C
compilers, assemblers and linkers are all examples of tool classes.

Tool identifiers identify a specific tool recognized and supported by
the build system. Every tool that can make up a part of a toolchain must
receive a tool identifier.

These new identifiers can be used to retrieve information about the
toolchain in a more standardized fashion.

For example, logic in a Makefile that should only execute when the C
compiler is GNU GCC can now check the tool identifier for the C compiler
in the relevant toolchain:

ifeq ($($(ARCH)-cc-id),gnu-gcc)
...
endif

Change-Id: Icc23e43aaa32f4fd01d8187c5202f5012a634e7c
Signed-off-by: Chris Kay <chris.kay@arm.com>

show more ...

Merge "feat(fiptool): add ability to build statically" into integration

feat(fiptool): add ability to build statically

Provide a STATIC command line build option for platforms willing to
build fiptool statically and remove dependency to toolchain and OpenSSL
libraries.

feat(fiptool): add ability to build statically

Provide a STATIC command line build option for platforms willing to
build fiptool statically and remove dependency to toolchain and OpenSSL
libraries.

Signed-off-by: Olivier Deprez <olivier.deprez@arm.com>
Change-Id: I1d1b6676df50081828170e2b0ab7b71c4ec19d6e

show more ...

Merge "build(tools): avoid unnecessary link" into integration

build(tools): avoid unnecessary link

In their respective makefiles, cert_create, encrypt_fw and fiptool
depend on the --openssl phony target as a prerequisite. This forces
those tools to be re-linke

build(tools): avoid unnecessary link

In their respective makefiles, cert_create, encrypt_fw and fiptool
depend on the --openssl phony target as a prerequisite. This forces
those tools to be re-linked each time.

Move the dependencies on the --openssl target from the tools to their
makefiles all targets, to avoid unnecessary linking while preserving the
OpenSSL version printing done in the --openssl targets when in debug.

Fixes: cf2dd17ddda2 ("refactor(security): add OpenSSL 1.x compatibility")
Signed-off-by: Vincent Stehlé <vincent.stehle@arm.com>
Change-Id: I98a3ab30f36dffc253cecaaf3a57d2712522135d

show more ...

Merge "refactor(fiptool): move plat_fiptool.mk to tools" into integration

Merge changes from topic "ethos-n" into integration

* changes:
docs(maintainers): update NPU driver files
docs(ethos-n): update porting-guide.rst for NPU
feat(ethos-n): add separate RO and RW

Merge changes from topic "ethos-n" into integration

* changes:
docs(maintainers): update NPU driver files
docs(ethos-n): update porting-guide.rst for NPU
feat(ethos-n): add separate RO and RW NSAIDs
feat(ethos-n)!: add protected NPU firmware setup
feat(ethos-n): add stream extends and attr support
feat(ethos-n): add reserved memory address support
feat(ethos-n): add event and aux control support
feat(ethos-n): add SMC call to get FW properties
refactor(ethos-n): split up SMC call handling
feat(ethos-n): add NPU firmware validation
feat(ethos-n): add check for NPU in SiP setup
feat(ethos-n)!: load NPU firmware at BL2
feat(juno): support ARM_IO_IN_DTB option for Juno
fix(fconf): fix FCONF_ARM_IO_UUID_NUMBER value
fix(fvp): incorrect UUID name in FVP tb_fw_config
fix(ethos-n): add workaround for erratum 2838783
feat(ethos-n): add support for NPU to cert_create
feat(ethos-n): add NPU support in fiptool
feat(ethos-n): add support to set up NSAID
build(fiptool): add object dependency generation
feat(ethos-n): add NPU sleeping SMC call
feat(ethos-n): add multiple asset allocators
feat(ethos-n): add reset type to reset SMC calls
feat(ethos-n): add protected NPU TZMP1 regions
build(ethos-n): add TZMP1 build flag

show more ...

build(fiptool): add object dependency generation

The object target in the fiptool Makefile only depends on the
corresponding source file so it won't rebuild the object, if a header
file used by the

build(fiptool): add object dependency generation

The object target in the fiptool Makefile only depends on the
corresponding source file so it won't rebuild the object, if a header
file used by the source file is changed.

To make it rebuild the object file for both source and header file
changes, a dependency file will now be generated for each object and
included in the Makefile.

Signed-off-by: Mikael Olsson <mikael.olsson@arm.com>
Change-Id: I0468c6e9c54126242150667268d471f28e011b0d

show more ...

refactor(fiptool): move plat_fiptool.mk to tools

Move all plat_fiptool.mks into tools, change the logic to recursively
check for tools/fiptool/plat_fiptool/<plat_path>/plat_fiptool.mk

I.e. for a pl

refactor(fiptool): move plat_fiptool.mk to tools

Move all plat_fiptool.mks into tools, change the logic to recursively
check for tools/fiptool/plat_fiptool/<plat_path>/plat_fiptool.mk

I.e. for a platform that has the path "plat/arm/board/tc/platform.mk",
the makefile will now load the first existing file from:
- tools/fiptool/plat_fiptool/arm/board/tc/plat_fiptool.mk
- tools/fiptool/plat_fiptool/arm/board/plat_fiptool.mk
- tools/fiptool/plat_fiptool/arm/plat_fiptool.mk

This enables fiptool to support multiple platforms, or a specific one.

Remove file-copying previously being used to handle old default path.
Remove custom file cleaning in plat_fiptool.mk.

Change-Id: I95245bcf7143b329481d4394ab64f29bfe9de5ab
Signed-off-by: Raef Coles <raef.coles@arm.com>

show more ...

Merge "refactor(security): add OpenSSL 1.x compatibility" into integration

refactor(security): add OpenSSL 1.x compatibility

When updated to work with OpenSSL 3.0, the host tools lost their
compatibility with previous versions (1.x) of OpenSSL. This is
mainly due to the fa

refactor(security): add OpenSSL 1.x compatibility

When updated to work with OpenSSL 3.0, the host tools lost their
compatibility with previous versions (1.x) of OpenSSL. This is
mainly due to the fact that 1.x APIs became deprecated in 3.0 and
therefore their use cause compiling errors. In addition, updating
for a newer version of OpenSSL meant improving the stability
against security threats. However, although version 1.1.1 is
now deprecated, it still receives security updates, so it would
not imply major security issues to keep compatibility with it too.

This patch adds backwards compatibility with OpenSSL 1.x versions
by adding back 1.x API code. It defines a macro USING_OPENSSL3,
which will select the appropriate OpenSSL API version depending on
the OpenSSL library path chosen (which is determined by the
already-existing OPENSSL_DIR variable).

In addition, cleanup items were packed in functions and moved to
the proper modules in order to make the code more maintainable and
legible.

Signed-off-by: Juan Pablo Conde <juanpablo.conde@arm.com>
Change-Id: I8deceb5e419edc73277792861882404790ccd33c

show more ...

Merge "refactor(security): upgrade tools to OpenSSL 3.0" into integration

refactor(security): upgrade tools to OpenSSL 3.0

Host tools cert_tool and encrypt_fw refactored to be fully
compatible with OpenSSL v3.0.

Changes were made following the OpenSSL 3.0 migration guide

refactor(security): upgrade tools to OpenSSL 3.0

Host tools cert_tool and encrypt_fw refactored to be fully
compatible with OpenSSL v3.0.

Changes were made following the OpenSSL 3.0 migration guide:
https://www.openssl.org/docs/man3.0/man7/migration_guide.html
In some cases, those changes are straightforward and only
a small modification on the types or API calls was needed
(e.g.: replacing BN_pseudo_rand() with BN_rand(). Both identical
since v1.1.0).
The use of low level APIs is now deprecated. In some cases,
the new API provides a simplified solution for our goals and
therefore the code was simplified accordingly (e.g.: generating
RSA keys through EVP_RSA_gen() without the need of handling the
exponent). However, in some cases, a more
sophisticated approach was necessary, as the use of a context
object was required (e.g.: when retrieving the digest value from
an SHA file).

Signed-off-by: Juan Pablo Conde <juanpablo.conde@arm.com>
Change-Id: I978e8578fe7ab3e71307450ebe7e7812fbcaedb6

show more ...

Merge "fix(fiptool): respect OPENSSL_DIR" into integration