Merge "docs(fvp): update model version documentation" into integration

docs: add a section for experimental build options

A number of features are marked experimental in the build system through
makefiles but there wasn't an explicit document to list them.
Added a dedi

docs: add a section for experimental build options

A number of features are marked experimental in the build system through
makefiles but there wasn't an explicit document to list them.
Added a dedicated experimental build options section and moved
existing experimental build option descriptions in this section.

Restoring the change from [1] removing the experimental flag on the EL3
SPMC (this has been lost in rebasing a later change).

[1] https://review.trustedfirmware.org/c/TF-A/trusted-firmware-a/+/24713

Signed-off-by: Olivier Deprez <olivier.deprez@arm.com>
Change-Id: I2c458c6857c347114b265404e8b9ede9ac588463

show more ...

Merge "fix(docs): update maintainers list" into integration

feat(mediatek): remove bl32 flag for mtk_bl

Currently MediaTek platform code does not support the bl32 image.
Remove bl32 support from Makefile to prevent the build failure when
NEED_BL32 build flag

feat(mediatek): remove bl32 flag for mtk_bl

Currently MediaTek platform code does not support the bl32 image.
Remove bl32 support from Makefile to prevent the build failure when
NEED_BL32 build flag is enabled.

Change-Id: Id8d5663ea5c537390f8ff3ccb427a3a63266545e
Signed-off-by: Hsin-Hsiung Wang <hsin-hsiung.wang@mediatek.com>

show more ...

fix(docs): update maintainers list

As part of the release process, revisit the list of maintainers to
keep it updated.

Change-Id: Ifdbbe0d0dd1c8db3e5fbc84affcceb6d3c7716d4
Signed-off-by: Bipin Ravi

fix(docs): update maintainers list

As part of the release process, revisit the list of maintainers to
keep it updated.

Change-Id: Ifdbbe0d0dd1c8db3e5fbc84affcceb6d3c7716d4
Signed-off-by: Bipin Ravi <bipin.ravi@arm.com>

show more ...

docs(fvp): update model version documentation

This change updates the model versions that we claim to be testing with
to reflect what the reality in the CI.

Change-Id: Ieb44f3f21cd0ba7149d47f768869

docs(fvp): update model version documentation

This change updates the model versions that we claim to be testing with
to reflect what the reality in the CI.

Change-Id: Ieb44f3f21cd0ba7149d47f7688698831c9eab487
Signed-off-by: Chris Kay <chris.kay@arm.com>

show more ...

Merge "refactor(qemu): change way how we enable cpu features" into integration

refactor(qemu): change way how we enable cpu features

We have to handle wide selection of cpu cores in one TF-A binary:
- v8.0: a53, a57, a72
- v8.2: a55, a76, n1
- v8.4: v1
- v9.0: a710, n2

And th

refactor(qemu): change way how we enable cpu features

We have to handle wide selection of cpu cores in one TF-A binary:
- v8.0: a53, a57, a72
- v8.2: a55, a76, n1
- v8.4: v1
- v9.0: a710, n2

And then we have QEMU's hybrid: 'max' which has everything QEMU can
emulate.

TF-A for QEMU platforms was built for v8.5 architecture. But turned out
that 'max' has v8.7 flag now (HCX) which we need to have. And this
enabled set of mandatory features which made TF-A not-bootable on
v8.0/8.2 cpus.

So I decided to follow Arm FVP way and do build for v8.0 with set of
feature flags enabled. This way we have bare minimum to make v8.0 cpus
boot. And then all features from newer cores are enabled with runtime
check which makes them boot.

Tested with BSA/SBSA ACS and Debian Linux 6.5 kernel.

Signed-off-by: Marcin Juszkiewicz <marcin.juszkiewicz@linaro.org>
Change-Id: Ib87bdab992536c65ce0747ce1520682eafc18d39
Signed-off-by: Marcin Juszkiewicz <marcin.juszkiewicz@linaro.org>

show more ...

docs(juno): update PSCI instrumentation data

Change-Id: Iadbaf3d52c5e86f53b05c09e2decce3c089ab83c
Signed-off-by: Harrison Mutai <harrison.mutai@arm.com>

docs(n1sdp): update N1SDP PSCI instrumentation data

Change-Id: I11c747acfdd376668b44a116258ee75e8cba214d
Signed-off-by: Harrison Mutai <harrison.mutai@arm.com>

Merge changes from topic "od/hf-doc-migration" into integration

* changes:
docs(spm-mm): remove reference to SEL2 SPMC
docs: remove SEL2 SPMC threat model
docs: remove unused SPM related diagr

Merge changes from topic "od/hf-doc-migration" into integration

* changes:
docs(spm-mm): remove reference to SEL2 SPMC
docs: remove SEL2 SPMC threat model
docs: remove unused SPM related diagrams

show more ...

docs(threat-model): add a threat model for TF-A with Arm CCA

Arm Confidential Compute Architecture (Arm CCA) support, underpinned by
Arm Realm Management Extension (RME) support, brings in a few imp

docs(threat-model): add a threat model for TF-A with Arm CCA

Arm Confidential Compute Architecture (Arm CCA) support, underpinned by
Arm Realm Management Extension (RME) support, brings in a few important
software and hardware architectural changes in TF-A, which warrants a
new security analysis of the code base. Results of this analysis are
captured in a new threat model document, provided in this patch.

The main changes introduced in TF-A to support Arm CCA / RME are:

- Presence of a new threat agent: realm world clients.

- Availability of Arm CCA Hardware Enforced Security (HES) to support
measured boot and trusted boot.

- Configuration of the Granule Protection Tables (GPT) for
inter-world memory protection.

This is only an initial version of the threat model and we expect to
enrich it in the future.

Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
Co-authored-by: Manish Pandey <manish.pandey2@arm.com>
Change-Id: Iab84dc724df694511508f90dc76b6d469c4cccd5

show more ...

refactor(fvp): remove RSS usage

Removed RSS usage from the Base AEM FVP platform, as it wasn't
functional on this platform. The Base AEM FVP platform lacks
support for RSS.
Instead, the TC2 platform

refactor(fvp): remove RSS usage

Removed RSS usage from the Base AEM FVP platform, as it wasn't
functional on this platform. The Base AEM FVP platform lacks
support for RSS.
Instead, the TC2 platform with RSS is available for actual RSS
interface implementation and testing.

Change-Id: I8f68157319399ab526f9e851b26dba903db5c2e7
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>

show more ...

Merge "docs(threat-model): cover threats inherent to receiving data over UART" into integration

Merge "build(mbedtls): add deprecation notice" into integration

Merge "refactor(auth): remove return_if_error() macro" into integration

refactor(rss)!: remove PLAT_RSS_NOT_SUPPORTED build option

Removed the PLAT_RSS_NOT_SUPPORTED build option, which was initially
introduced for building the Base AEM FVP platform platform with RSS.
H

refactor(rss)!: remove PLAT_RSS_NOT_SUPPORTED build option

Removed the PLAT_RSS_NOT_SUPPORTED build option, which was initially
introduced for building the Base AEM FVP platform platform with RSS.
However, we now have a well-defined TC2 platform with RSS, making it
unnecessary to keep this flag.

Note -
Theoretically this is a breaking change. Other platforms could be
using the PLAT_RSS_NOT_SUPPORTED build option. Among upstream platforms,
only the Base AEM FVP uses it right now but we don't know about
downstream platforms.

Change-Id: I931905a4c6ac1ebe3895ab6e0287d0fa07721707
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>

show more ...

refactor(auth): remove return_if_error() macro

The usage of this macro hinders the accuracy of code coverage
data. Lines of code calling this macro always appear as covered because
the test conditio

refactor(auth): remove return_if_error() macro

The usage of this macro hinders the accuracy of code coverage
data. Lines of code calling this macro always appear as covered because
the test condition within it always gets executed; however, the branch
is not necessarily taken. Consequently, we lose branch coverage
information on these error code paths.

Besides, it is debatable whether such a simple macro really improves
code readability or on the contrary obfuscates the code...

For these reasons, this patch inlines the macro code everywhere it was
called.

It also adds some error messages in all these places to help narrowing
down authentication failures. These messages only get displayed and
compiled into the binaries when building TF-A with 'LOG_VERBOSE' level
of verbosity. We use the same message string everywhere in order to
limit the memory footprint increase for 'LOG_VERBOSE' builds.

Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
Change-Id: I461078bb8c6fd6811d2cbefbe3614e17e83796f2

show more ...

build(mbedtls): add deprecation notice

Add a deprecation notice for building TF-A with mbedtls-2.x
This was notified earlier in TF-A mailing list:

https://lists.trustedfirmware.org/archives/list/tf

build(mbedtls): add deprecation notice

Add a deprecation notice for building TF-A with mbedtls-2.x
This was notified earlier in TF-A mailing list:

https://lists.trustedfirmware.org/archives/list/tf-a@lists.trustedfirmware.org/message/YDPOPASMGEQBCOI5TKUSD3V3J75NAT7A/

We will be removing support to build TF-A with mbedtls-2.x after
TF-A 2.10 release.

Change-Id: I669b423ee9af9f5c5255fce370413fffaf38e8eb
Signed-off-by: Govindraj Raja <govindraj.raja@arm.com>

show more ...

docs(threat-model): cover threats inherent to receiving data over UART

TF-A supports reading input data from UART interfaces. This opens up
an attack vector for arbitrary data to be injected into TF

docs(threat-model): cover threats inherent to receiving data over UART

TF-A supports reading input data from UART interfaces. This opens up
an attack vector for arbitrary data to be injected into TF-A, which is
not covered in the threat model right now.

Fill this gap by:

- Updating the data flow diagrams. Data may flow from the UART into
TF-A (and not only the other way around).

- Documenting the threats inherent to reading untrusted data from a
UART.

Change-Id: I508da5d2f7ad5d20717b958d76ab9337c5eca50f
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>

show more ...

fix(xilinx): update correct return types

Refactor the return types to ensure code correctness and compliance
for DT console.

Change-Id: I11dc3afbe168a78ddc03427df3f5f8d10fe40d40
Signed-off-by: Pras

fix(xilinx): update correct return types

Refactor the return types to ensure code correctness and compliance
for DT console.

Change-Id: I11dc3afbe168a78ddc03427df3f5f8d10fe40d40
Signed-off-by: Prasad Kummari <prasad.kummari@amd.com>

show more ...

fix(xilinx): add FIT image check in DT console

With this change, the 'is_valid_dtb()' function has been added,
which checks for the presence of the FDT header, FDT open, and the
'/configurations' pr

fix(xilinx): add FIT image check in DT console

With this change, the 'is_valid_dtb()' function has been added,
which checks for the presence of the FDT header, FDT open, and the
'/configurations' property in the DTB. This property is only available
in FIT images. If the property is present, a warning message is
printed, and the code skips reading console information from the
FIT image. Memory mapping is not necessary because it is called in
the early setup function to collect UART information from the DTB.

Change-Id: I91335a180e7ece2cc0ec9fac4026556c48dd8cc8
Signed-off-by: Prasad Kummari <prasad.kummari@amd.com>

show more ...

fix(xilinx): add FIT image check in prepare_dtb

Introduce two new functions: 'is_valid_image()' and 'is_fit_image()'
to enhance the functionality of the system. 'is_valid_image()' will
verify the pr

fix(xilinx): add FIT image check in prepare_dtb

Introduce two new functions: 'is_valid_image()' and 'is_fit_image()'
to enhance the functionality of the system. 'is_valid_image()' will
verify the presence of the FDT header and ensure that the FDT is
open. Meanwhile, 'is_fit_image()' will be responsible for detecting
FIT images. When TF-A is built with a DTB address during compilation
and later executed from DDR memory, TF-A will dynamically reserve a
memory location in the DTB during runtime.

This approach is effective when a raw DTB is present at the specified
address location. With this change, the "is_fit_image()" function
has been introduced to verify the existence of the "/configurations"
property within the DTB.

The presence of this property is exclusive to FIT images. In case
the property is found, a warning message is displayed, and memory
space reservation for its address space in DDR is not performed by
TF-A. However, if the property is not present, TF-A continues its
usual procedure of updating the raw DTB.

Additionally, dynamic mapping has been refactored and separated into
distinct functions: "add_mmap_dynamic_region ()" and
"remove_dynamic_mmap()". This separation enhances compatibility
and maintains better code organization.

Change-Id: I9cd3f09863b44483445e58c802dee34d58dfe2e9
Signed-off-by: Prasad Kummari <prasad.kummari@amd.com>

show more ...

fix(intel): read QSPI bank buffer data in bytes

Read QSPI bank buffer data in bytes to avoid
inter-bank read failures.

Signed-off-by: Girisha Dengi <girisha.dengi@intel.com>
Change-Id: If768d7cdd36

fix(intel): read QSPI bank buffer data in bytes

Read QSPI bank buffer data in bytes to avoid
inter-bank read failures.

Signed-off-by: Girisha Dengi <girisha.dengi@intel.com>
Change-Id: If768d7cdd362694df3f3c86c959afad01a523f21

show more ...

Merge "fix(arm): correct the SPMC_AT_EL3 condition" into integration