fix(auth): properly validate X.509 extensions

get_ext() does not check the return value of the various mbedtls_*
functions, as cert_parse() is assumed to have guaranteed that they will
always succee

fix(auth): properly validate X.509 extensions

get_ext() does not check the return value of the various mbedtls_*
functions, as cert_parse() is assumed to have guaranteed that they will
always succeed. However, it passes the end of an extension as the end
pointer to these functions, whereas cert_parse() passes the end of the
TBSCertificate. Furthermore, cert_parse() does *not* check that the
contents of the extension have the same length as the extension itself.
Before fd37982a19a4a291 ("fix(auth): forbid junk after extensions"),
cert_parse() also does not check that the extension block extends to the
end of the TBSCertificate.

This is a problem, as mbedtls_asn1_get_tag() leaves *p and *len
undefined on failure. In practice, this results in get_ext() continuing
to parse at different offsets than were used (and validated) by
cert_parse(), which means that the in-bounds guarantee provided by
cert_parse() no longer holds.

This patch fixes the remaining flaw by enforcing that the contents of an
extension are the same length as the extension itself.

Change-Id: Id4570f911402e34d5d6c799ae01a01f184c68d7c
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>

show more ...

fix(auth): avoid out-of-bounds read in auth_nvctr()

auth_nvctr() does not check that the buffer provided is long enough to
hold an ASN.1 INTEGER, or even that the buffer is non-empty. Since
auth_nv

fix(auth): avoid out-of-bounds read in auth_nvctr()

auth_nvctr() does not check that the buffer provided is long enough to
hold an ASN.1 INTEGER, or even that the buffer is non-empty. Since
auth_nvctr() will only ever read 6 bytes, it is possible to read up to
6 bytes past the end of the buffer.

This out-of-bounds read turns out to be harmless. The only caller of
auth_nvctr() always passes a pointer into an X.509 TBSCertificate, and
all in-tree chains of trust require that the certificate’s signature has
already been validated. This means that the signature algorithm
identifier is at least 4 bytes and the signature itself more than that.
Therefore, the data read will be from the certificate itself. Even if
the certificate signature has not been validated, an out-of-bounds read
is still not possible. Since there are at least two bytes (tag and
length) in both the signature algorithm ID and the signature itself, an
out-of-bounds read would require that the tag byte of the signature
algorithm ID would need to be either the tag or length byte of the
DER-encoded nonvolatile counter. However, this byte must be
(MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE) (0x30), which is
greater than 4 and not equal to MBEDTLS_ASN1_INTEGER (2). Therefore,
auth_nvctr() will error out before reading the integer itself,
preventing an out-of-bounds read.

Change-Id: Ibdf1af702fbeb98a94c0c96456ebddd3d392ad44
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>

show more ...

Merge changes from topic "bk/warnings" into integration

* changes:
docs: describe the new warning levels
build: add -Wunused-const-variable=2 to W=2
build: include -Wextra in generic builds

Merge changes from topic "bk/warnings" into integration

* changes:
docs: describe the new warning levels
build: add -Wunused-const-variable=2 to W=2
build: include -Wextra in generic builds
docs(porting-guide): update a reference
fix(st-usb): replace redundant checks with asserts
fix(brcm): add braces around bodies of conditionals
fix(renesas): align incompatible function pointers
fix(zynqmp): remove redundant api_version check
fix: remove old-style declarations
fix: unify fallthrough annotations

show more ...

fix(versal-net): enable wake interrupt during client suspend

Wakeup interrupt should be set during power down sequence to wake
processor. So enable wakeup interrupt during power down sequence.

Sign

fix(versal-net): enable wake interrupt during client suspend

Wakeup interrupt should be set during power down sequence to wake
processor. So enable wakeup interrupt during power down sequence.

Signed-off-by: Jay Buddhabhatti <jay.buddhabhatti@amd.com>
Change-Id: I1154495c25e0468496f6e112996fd182aa516d88

show more ...

fix(versal-net): disable wakeup interrupt during client wakeup

Clear and disable wakeup interrupt during client wakeup to avoid
multiple wakeup events.

Signed-off-by: Jay Buddhabhatti <jay.buddhabh

fix(versal-net): disable wakeup interrupt during client wakeup

Clear and disable wakeup interrupt during client wakeup to avoid
multiple wakeup events.

Signed-off-by: Jay Buddhabhatti <jay.buddhabhatti@amd.com>
Change-Id: Iebc644ae582da03001830b96e3190fce10dbac42

show more ...

fix(versal-net): clear power down bit during wakeup

Power down bit and power down interrupt needs to be cleared once core
is wakeup to avoid unnecessary power down events. So disable power down
inte

fix(versal-net): clear power down bit during wakeup

Power down bit and power down interrupt needs to be cleared once core
is wakeup to avoid unnecessary power down events. So disable power down
interrupt and clear power down bit during client wakeup.

Signed-off-by: Jay Buddhabhatti <jay.buddhabhatti@amd.com>
Change-Id: I3445991692c441831e4ea8dae112e23b19f185a9

show more ...

fix(versal-net): fix setting power down state

Versal NET is supporting max power state to AFF_LVL_2 so set power state
for all affinity level instead of setting for only AFF_LVL_0.

Signed-off-by: J

fix(versal-net): fix setting power down state

Versal NET is supporting max power state to AFF_LVL_2 so set power state
for all affinity level instead of setting for only AFF_LVL_0.

Signed-off-by: Jay Buddhabhatti <jay.buddhabhatti@amd.com>
Change-Id: I55a91e798b7566d2f34d7cb1fe28ca25993a7d8e

show more ...

fix(versal-net): clear power down interrupt status before enable

Currently power down interrupt status is set by default before its
getting enabled. Because of that Linux is getting crashed since it

fix(versal-net): clear power down interrupt status before enable

Currently power down interrupt status is set by default before its
getting enabled. Because of that Linux is getting crashed since its
triggering interrupt before core goes to WFI state. So clear interrupt
status before enabling power down interrupt.

Signed-off-by: Jay Buddhabhatti <jay.buddhabhatti@amd.com>
Change-Id: Ia8d047b6078a49ab3dbe3e0bf24422357f0138c2

show more ...

fix(versal-net): resolve misra rule 20.7 warnings

Fix below MISRA violation from versal_net_def.h:
- MISRA Violation: MISRA-C:2012 R.10.6:
- Macro parameter expands into an expression without be

fix(versal-net): resolve misra rule 20.7 warnings

Fix below MISRA violation from versal_net_def.h:
- MISRA Violation: MISRA-C:2012 R.10.6:
- Macro parameter expands into an expression without being wrapped
by parentheses.

Signed-off-by: Jay Buddhabhatti <jay.buddhabhatti@amd.com>
Change-Id: Ie365d24c02bb38163005a3c073642d5c96412e2d

show more ...

fix(versal-net): resolve misra 10.6 warnings

Fix below MISRA violation from versal_net_def.h:
- MISRA Violation: MISRA-C:2012 R.10.6
- The value of a composite expression shall not be assigned to

fix(versal-net): resolve misra 10.6 warnings

Fix below MISRA violation from versal_net_def.h:
- MISRA Violation: MISRA-C:2012 R.10.6
- The value of a composite expression shall not be assigned to an
object with wider essential type

Signed-off-by: Jay Buddhabhatti <jay.buddhabhatti@amd.com>
Change-Id: I74f8e5d63523f33d245a21f8e4f04d30e40b05e7

show more ...

fix(cpus): workaround for Cortex-A710 erratum 2282622

Cortex-A710 erratum 2282622 is a Cat B erratum that applies to
all revisions <=r2p1 and is still open. The workaround was earlier
applied to all

fix(cpus): workaround for Cortex-A710 erratum 2282622

Cortex-A710 erratum 2282622 is a Cat B erratum that applies to
all revisions <=r2p1 and is still open. The workaround was earlier
applied to all revisions <= r2p0, this patch extends it to r2p1.
This was thought to have been fixed in r2p1 which is not the case.

SDEN documentation:
https://developer.arm.com/documentation/SDEN1775101/latest

Signed-off-by: Bipin Ravi <bipin.ravi@arm.com>
Change-Id: Iad38a7fe57bec3f2d8977995acd601dcd9ae69c0

show more ...

fix(gicv3): fixed bug in the initialization of GICv3 SGIs/(E)PPIs interrupt priorities

Default priority was not being set for all interrupts (gicr_write_ipriorityr takes INTID, not register number).

fix(gicv3): fixed bug in the initialization of GICv3 SGIs/(E)PPIs interrupt priorities

Default priority was not being set for all interrupts (gicr_write_ipriorityr takes INTID, not register number). The fix makes the loop to pass INTID in range 0, 4, 8, 12, ...

Signed-off-by: Sylwester Garncarek <sylwester.garncarek@sciopta.com>
Change-Id: Iaa975f6af49f5826c2811161f55242844c28ea81

show more ...

fix(mpam): remove unwanted param for "endfunc" macro

"endfunc" macro is used to mark the end of a function. It takes the
function label as an argument. For el2_sysregs_context_save_mpam
function, "e

fix(mpam): remove unwanted param for "endfunc" macro

"endfunc" macro is used to mark the end of a function. It takes the
function label as an argument. For el2_sysregs_context_save_mpam
function, "endfunc" has been called with an assumed typo, "func", along
with the function label. Remove this unwanted param to fix the endfunc
call.

Signed-off-by: Rohit Mathew <rohit.mathew@arm.com>
Change-Id: I05f958a285f936df579f01500b6fd7cb2b7753a8

show more ...

Merge "docs(changelog): add console scope" into integration

Merge "fix(libc): properly define SCHAR_MIN" into integration

Merge "docs(maintainers): update maintainers for total compute" into integration

docs(maintainers): update maintainers for total compute

Signed-off-by: Rupinderjit Singh <rupinderjit.singh@arm.com>
Change-Id: I64e7b036f404da110339d9013aa5c17ed8bf100f

Merge "fix(plat/tc): increase TC_TZC_DRAM1_SIZE" into integration

docs(changelog): add console scope

Signed-off-by: Yann Gautier <yann.gautier@st.com>
Change-Id: Ie9426509ee4f0a4c4f0fe0296d7a7378cc8828f5

Merge "fix(fconf): make struct fconf_populator static" into integration

fix(libc): properly define SCHAR_MIN

SCHAR_MIN definition should use SCHAR_MAX, and not itself.

Signed-off-by: Yann Gautier <yann.gautier@st.com>
Change-Id: If8c1751a381dac50fe3ec5fdf19d6a4918470b58

fix(fconf): make struct fconf_populator static

In FCONF_REGISTER_POPULATOR macro, add static for the fconf_populator
struct. This avoids this kind of sparse warning:
plat/st/common/stm32mp_fconf_io.

fix(fconf): make struct fconf_populator static

In FCONF_REGISTER_POPULATOR macro, add static for the fconf_populator
struct. This avoids this kind of sparse warning:
plat/st/common/stm32mp_fconf_io.c:181:1: warning:
symbol 'stm32mp_io__populator' was not declared. Should it be static?

Signed-off-by: Yann Gautier <yann.gautier@st.com>
Change-Id: Icaa7da3079e82497e112585150f6348ef2ebf5e6

show more ...

Merge "feat(mt8188): update INFRA IOMMU enable flow" into integration

feat(mt8188): update INFRA IOMMU enable flow

IOMMU kernel driver has changed the function parameters, so update
IOMMU TF-A driver to be consistent with it.

Change-Id: I2adda69bdbdc31833781fac5e6c1f

feat(mt8188): update INFRA IOMMU enable flow

IOMMU kernel driver has changed the function parameters, so update
IOMMU TF-A driver to be consistent with it.

Change-Id: I2adda69bdbdc31833781fac5e6c1f4b10da161be
Signed-off-by: Chengci.Xu <chengci.xu@mediatek.com>

show more ...

Merge changes from topic "fvp_trap_rng" into integration

* changes:
feat(fvp): emulate trapped RNDR
feat(el3-runtime): introduce system register trap handler