| 072e8aeb | 11-Sep-2025 | Boyan Karatotev <boyan.karatotev@arm.com> |
fix(cpufeat): don't overwrite PAuth keys with an erroneous cache clean
Accessing cpu_data when TF-A is built with HW_ASSISTED_COHERENCY=1 is simple. Caching (SCTLR_EL3.C) is enabled along with the MMU and we can rely on all accesses being coherent. However, this is not the case when HW_ASSISTED_COHERENCY=0. Most of EL3's initialisation (especially on warm boot) happens with the MMU on but with caching being off. Caches are only enabled deep into CPU_ON processing when we can be certain the core has entered coherency. This latter case is the subject of this patch.
Prior to this patch, the way to work around that was to clean the apiakey cpu_data storage right after writing it. The write would have gone straight to memory as caches were off and the clean asserted that nothing would be in the caches which were assumed to be invalid since we've just come out of reset.
The problem with this is that we cannot assume that ALL caches are invalid when coming out of reset. We can reasonably assume those private to the core to be (so the L1 and/or the L2; those are guaranteed to be invalidated out of reset for every Arm core) but that is not the case for shared caches (eg an L2/L3 DSU cache) which can be on when a core powers down. So the old keys could still be live in the shared cache, we write new ones to memory and clean the old to memory too, undoing the work.
So the correct thing to do is to clean and invalidate the cache prior to writing the keys to memory and invalidate it after. This ensures that if there is any other data after the apiakey, which shares the cache line, it will be safely forwarded to memory and the caches will be invalid when caching is turned on.
It is important to note at this point that this was never observed in practice - every known configuration that uses PAuth has the apiakey as the very last member of the cpu_data struct which is padded up to a cache line and the usage of the apiakey is such that it was never allocated into the shared caches. So the clean would effectively perform an invalidate of only the apiakey and all worked well. This was only spotted with a proposed patch that added data after the apiakey (https://review.trustedfirmware.org/c/TF-A/trusted-firmware-a/+/39698/7).
Change-Id: I8493221dff53114c5c56dd73fbfd2a3301e2542c
Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>
| 0204bc8c | 22-Oct-2025 | Boyan Karatotev <boyan.karatotev@arm.com> |
fix(css): don't require the GICC frame to be defined on GICv3
It's used for GICv2 operation, which won't happen with v3. CSS will always use USE_GIC_DRIVER with the correct version so we can rely on that to skip passing the GICC frame.
Change-Id: I358b99646f98bd7c6ea398bc8d8900cc80ca15bb
Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>
| aab82090 | 23-Oct-2025 | Manish V Badarkhe <manish.badarkhe@arm.com> |
Merge "fix(common): error out if image load size is zero" into integration
| 70516ab6 | 16-Oct-2025 | Govindraj Raja <govindraj.raja@arm.com> |
fix(dsu): fix illegal address Coverity finding
Based on -
https://scan4.scan.coverity.com/#/project-view/68818/11439?selectedIssue=425813
https://scan4.scan.coverity.com/#/project-view/68818/11439?selectedIssue=425812
CID 425812: (#1 of 1): Illegal address computation (OVERRUN)
This patch avoids the OVERRUN/illegal address Coverity finding.
Change-Id: I8b2521c9f1f1e8c815c5a2940f98464bbb59e111
Signed-off-by: Govindraj Raja <govindraj.raja@arm.com>
| 6d113285 | 16-Oct-2025 | Govindraj Raja <govindraj.raja@arm.com> |
fix(sdei): fix coverity finding array index read
Fix - CID 463142: (#1 of 1): Overflowed array index read (INTEGER_OVERFLOW)
Based on issue - https://scan4.scan.coverity.com/#/project-view/68818/11439?selectedIssue=463142
Add boundary checks overflow checks.
Change-Id: I56022b605008f8d35231d70d058c4d449d618d34
Signed-off-by: Govindraj Raja <govindraj.raja@arm.com>
| 854b4dd9 | 26-Jul-2021 | Toshiyuki Ogasahara <toshiyuki.ogasahara.bo@hitachi.com> |
fix(common): error out if image load size is zero
Change the return value of function to error value when image size check correctly passes (io_result == 0), but the image size is zero (image_size == 0). If such an edge case occurs, the function would not load any data, but would return successful return code 0.
This edge case is already detected by the current conditional and a warning is reported, but in this special case, return value 0 was returned to the caller, which might have confused the caller into thinking that a valid loading of data occurred, even if it did not.
Handle the edge case, and return error, to assure the caller can not be confused.
Signed-off-by: Hideyuki Nitta <hideyuki.nitta.jf@hitachi.com>
Signed-off-by: Toshiyuki Ogasahara <toshiyuki.ogasahara.bo@hitachi.com>
Signed-off-by: Yoshifumi Hosoya <yoshifumi.hosoya.wj@renesas.com>
Signed-off-by: Dien Pham <dien.pham.ry@renesas.com>
Signed-off-by: Hieu Nguyen <hieu.nguyen.dn@renesas.com>
Signed-off-by: Marek Vasut <marek.vasut+renesas@mailbox.org>
Change-Id: Id7e4b675540971b28f451e4590064b3fb1840fd6
| 2281f0d5 | 22-Oct-2025 | André Przywara <andre.przywara@arm.com> |
Merge "fix(context-mgmt): correct guards for PIE and POE registers" into integration
| c3e5f6b9 | 22-Oct-2025 | Manish Pandey <manish.pandey2@arm.com> |
Merge changes from topic "bk/simpler_panic" into integration
* changes:
  fix(aarch64): do not print EL1 registers on EL3 panic
  refactor(el3-runtime): streamline cpu_data assembly offsets using the cpu_ops template
| cb6551e2 | 22-Oct-2025 | Manish V Badarkhe <manish.badarkhe@arm.com> |
Merge "perf(spmd): don't initialise context on boot, do it on CPU_ON" into integration
| dbda614c | 22-Oct-2025 | Manish V Badarkhe <Manish.Badarkhe@arm.com> |
fix(arm): derive RMM bank size from payload
Compute the RMM bank size as half of the RMM payload size instead of using a hardcoded value. This removes duplication and keeps the bank size automatically in sync with payload size changes.
Change-Id: I064390ec50115929bf6248344bf08a19fbc15344
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
| 5ba2ad35 | 21-Oct-2025 | Manish V Badarkhe <Manish.Badarkhe@arm.com> |
fix(rmmd): correct activation condition check
Update the activation condition in rmmd_primary_activate to ensure the function behaves correctly when the return code is zero. This change prevents potential issues during the activation process.
Change-Id: I94d76c1e491f114b7fb32dd85dbfcfe2f5f1d3da
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
| 57824063 | 21-Oct-2025 | Manish V Badarkhe <Manish.Badarkhe@arm.com> |
fix(rmmd): avoid race conditions in CPU finish
Create a local copy of entry point info to prevent race conditions when accessing shared data. This change ensures that the CPU finish handler operates on a consistent state without interference from other threads, improving stability and reliability of the service.
Change-Id: I84fbc21672dde0f19176f63ee94afafc0084004e
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
| 716deb86 | 22-Oct-2025 | Manish V Badarkhe <Manish.Badarkhe@arm.com> |
fix(arm): move lfa component header to common and fix the helper
Move the FVP LFA component definitions to include/plat/arm/common/ so they can be shared by all Arm platforms, and update include paths accordingly.
On FVP, rename the input parameter to lfa_component_id to match the function declaration, and fix callers to pass the component ID (not image_id) to the prime-complete helper.
Change-Id: Ia1485096819d6523c4bee14c602cbde3c6e144ef
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
| b17fc0a6 | 22-Oct-2025 | Manish V Badarkhe <Manish.Badarkhe@arm.com> |
chore(lfa): rename component_id to lfa_component_id
Refactor the function lfa_is_prime_complete to use a more specific parameter name, lfa_component_id, enhancing code clarity. This change improves readability and reduces potential confusion with other component identifiers in the codebase.
Change-Id: I00285fce4b7149bd97d6386ef471e9d1598a3fed
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
| 7d34c9bb | 17-Oct-2024 | Andrei Homescu <ahomescu@google.com> |
feat(el3-spmc): enable FFA_MEM_RETRIEVE_MEM_REQ from the hypervisor
pKVM calls this FF-A function to retrieve the descriptors for regions donated/lent/shared by a VM with an SP.
Change-Id: I55f1d675db741bc8ddaaacae0d4d60245000fb34
Signed-off-by: Andrei Homescu <ahomescu@xwf.google.com>
| c55b519e | 17-Oct-2025 | Andrei Homescu <ahomescu@xwf.google.com> |
fix(el3-spmc): validate fragment offset
Per Table 4.3 of DEN 0140 1.3ALP0, the fragment offset passed to FFA_MEM_FRAG_RX has the following requirement:
Offset must be equal to one of the following:
– The number of bytes of the transaction descriptor transmitted prior to the invocation of this interface.
– The offset used in the previous invocation of this interface. This allows the Sender to re-transmit the previous fragment if the Receiver could not receive it due to an IMPLEMENTATION DEFINED reason.
Keep track of the last and next fragment offsets between calls to FFA_MEM_RETRIEVE_REQ and FFA_MEM_FRAG_RX and validate the fragment offset, returning INVALID_PARAMETERS if it doesn't match one of the two expected values.
BREAKING CHANGE: no longer accepts invalid fragment offsets
Change-Id: If549bb62a1960e9367d14bae842cb4e289429669
Signed-off-by: Andrei Homescu <ahomescu@xwf.google.com>
| 5affb6a7 | 16-Oct-2025 | Slava Andrianov <slava.andrianov@arm.com> |
feat(mbedtls): update mbedtls to version 3.6.5
Change-Id: Ia5366faa71007024e098a05ee391a2ff8e8676c0
Signed-off-by: Slava Andrianov <slava.andrianov@arm.com>
| 57b23eaa | 14-Oct-2025 | Arvind Ram Prakash <arvind.ramprakash@arm.com> |
fix(smccc): fixed define when ENABLE_FEAT_FPMR is disabled
Define SCR_FEAT_FPMR as 0 when ENABLE_FEAT_FPMR is disabled to avoid conditional build inconsistencies.
Signed-off-by: Arvind Ram Prakash <arvind.ramprakash@arm.com>
Change-Id: Ibe71fa20fa4ffa98d8fff41517ccbf29755a58c3
| cd92fb24 | 28-Jul-2025 | Lauren Wehrmeister <lauren.wehrmeister@arm.com> |
feat(build): setting CRYPTO_LIB via CRYPTO_SUPPORT
Setting CRYPTO_LIB based on CRYPTO_SUPPORT via the CRYPTO_SUPPORT macro to be called by component-specific makefiles.
Signed-off-by: Lauren Wehrmeister <lauren.wehrmeister@arm.com>
Change-Id: Ib400e4668c60c24bb4399de6a320b5c16205affb
| 6e2fe623 | 06-Jun-2025 | Lauren Wehrmeister <lauren.wehrmeister@arm.com> |
feat(build): set CRYPTO_SUPPORT macro per BL
Moving the setting of CRYPTO_SUPPORT from the main Makefile to individual component makefiles using the new build macro make_defines for each BL-specific CPPFLAGS.
Rework romlib build command to use CRYPTO_LIB to determine mbedtls need instead of CRYPTO_SUPPORT. If CRYPTO_SUPPORT is set for any component, then CRYPTO_LIB will be filled, romlib can use this instead.
Add a convenience makefile macro for setting CRYPTO_SUPPORT from component specific makefiles, have components call the macro based on whether authentication verification (NEED_AUTH) and/or hash calculation (NEED_HASH) is required for the specific boot stage.
Signed-off-by: Lauren Wehrmeister <lauren.wehrmeister@arm.com>
Change-Id: I7e81fede74fb9c04694b022e8eebed460616565c
| 116d2c09 | 06-Jun-2025 | Lauren Wehrmeister <lauren.wehrmeister@arm.com> |
feat(build): create define macro to be used by BL
Adding make_defines that creates defines using make_define to be used per the specified boot loader. This can be used for many build flags with the intention to separate by BL. First, specifically for use of CRYPTO_SUPPORT to be set separately by BL through the CPPFLAGS build option.
This can be called per component makefile to specify build configurations per BL, i.e. for BL1, BL1_CPPFLAGS += $(call make_defines,CRYPTO_SUPPORT)
Signed-off-by: Lauren Wehrmeister <lauren.wehrmeister@arm.com>
Change-Id: Iee40c1e673f04c83534bdbfafe8b1c1dd4898e23
| f77d7132 | 15-Oct-2025 | Agathiyan Bragadeesh <agathiyan.bragadeesh2@arm.com> |
fix(context-mgmt): correct guards for PIE and POE registers
At the moment access to the POR_EL2 system register is guarded by either FEAT_S1POE or FEAT_S2POE being implemented. However this register exists only with FEAT_S1POE, and the two features are independent from each other.
Similarly access to PIRE0_EL2 and PIR_EL2 is guarded by either FEAT_S1PIE or FEAT_S2PIE yet these only exist with FEAT_S1PIE, with the two features also independent of each other.
Change the guards to only look at FEAT_S1PIE/FEAT_S1POE, to fix crashes when FEAT_S2PIE/FEAT_S2POE is implemented, but FEAT_S1PIE/FEAT_S1POE is not.
Signed-off-by: Agathiyan Bragadeesh <agathiyan.bragadeesh2@arm.com>
Change-Id: I5d145c0f1b388e7bdade94920b6bf5f2d7eebfcd
| f677182c | 21-Oct-2025 | Chris Kay <chris.kay@arm.com> |
Merge "fix(st): add build directory for stm32image" into integration
| 9f3f4d87 | 20-Oct-2025 | Boyan Karatotev <boyan.karatotev@arm.com> |
perf(spmd): don't initialise context on boot, do it on CPU_ON
Normal and Realm worlds set up their contexts whenever a core comes online. This speeds up boot and as a side effect allows any cores that are never turned on to not be initialised.
So do this for spmd's Secure world too. This makes all three worlds consistent.
Change-Id: I8676d2a03a472074176e4db06910fc2b6cbf269a
Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>
| 169505a4 | 20-Oct-2025 | Govindraj Raja <govindraj.raja@arm.com> |
Merge "fix(el3-spmc): do not check NS bit for fragments" into integration