docs(build): clarify docs building instructions

Using virtual environments with pip is a generally recommended good
practice but the docs do not acknowledge it. As a result fresh installs
might fail

docs(build): clarify docs building instructions

Using virtual environments with pip is a generally recommended good
practice but the docs do not acknowledge it. As a result fresh installs
might fail builds due to missing $PATH entries. The Prerequisites
section is also a bit verbose which is difficult to read.

This patch adds the virtual environment mention and clarifies wording.

Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>
Change-Id: Iea447fb59dc471a502454650c8548192d93ba879

show more ...

fix(docs): prevent a sphinx warning

Some newer versions of sphinx (tried on v5.3) will warn about language
being None which will fail the build. Change it to the default (en) to
prevent this.

Signe

fix(docs): prevent a sphinx warning

Some newer versions of sphinx (tried on v5.3) will warn about language
being None which will fail the build. Change it to the default (en) to
prevent this.

Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>
Change-Id: Ie0570481f42aeb293e885ca936e0765f6cb299a8

show more ...

fix(docs): prevent a virtual environment from failing a build

sphinx-build is passed a blanket "." to build all docs. However, if a
virtual environment is placed within the docs directory, sphinx wi

fix(docs): prevent a virtual environment from failing a build

sphinx-build is passed a blanket "." to build all docs. However, if a
virtual environment is placed within the docs directory, sphinx will try
to build it which will fail due to some weird files it has.

This excludes the most common virtual environment directories from the
build to prevent this.

Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>
Change-Id: Ieeb14cfc5730d21c986611feb0ed379c58dfcae2

show more ...

fix(qemu-sbsa): enable SVE and SME

Commit 337ff4f1dd6604738d79fd3fa275ae74d74256b2 enabled SVE/SME for
qemu platform. Let do the same for qemu-sbsa one too.

With this change I can boot Debian 'book

fix(qemu-sbsa): enable SVE and SME

Commit 337ff4f1dd6604738d79fd3fa275ae74d74256b2 enabled SVE/SME for
qemu platform. Let do the same for qemu-sbsa one too.

With this change I can boot Debian 'bookworm' installed using Max cpu.

Info from referenced commit:

Starting with QEMU v3.1.0 (Dec 2018), QEMU's TCG emulation engine supports
the SVE architecture extension. In QEMU v7.1.0 (Aug 2022) it also gained
SME support.

As it stands today, running TF-A under QEMU with "-cpu max" makes Linux
hang, because SME and SVE accesses trap to EL3, but are never handled
there. This is because the Linux kernel sees the SVE or SME feature bits,
and assumes firmware has enabled the feature for lower exception levels.
This requirement is described in the Linux kernel booting protocol.

Enable those features in the TF-A build, so that BL31 does the proper
EL3 setup to make the feature usable in non-secure world.
We check the actual feature bits before accessing SVE or SME registers,
so this is safe even for older QEMU version or when not running with
-cpu max. As SVE and SME are AArch64 features only, do not enable them
when building for AArch32.

Signed-off-by: Marcin Juszkiewicz <marcin.juszkiewicz@linaro.org>
Change-Id: I9ea1f91e6b801218d944e8a7d798d5ae568ed59a

show more ...

Merge "fix(zynqmp): resolve coverity warnings" into integration

fix(zynqmp): resolve coverity warnings

Fix for coverity issues in pm_service component.
Fixed compilation error for versal platform.

Change-Id: I948f01807e67ad1e41021557e040dcbfb7b3a39e
Signed-off-

fix(zynqmp): resolve coverity warnings

Fix for coverity issues in pm_service component.
Fixed compilation error for versal platform.

Change-Id: I948f01807e67ad1e41021557e040dcbfb7b3a39e
Signed-off-by: HariBabu Gattem <haribabu.gattem@amd.com>
Signed-off-by: Naman Patel <naman.patel@amd.com>

show more ...

Merge "fix(docs): unify referenced Ubuntu versions" into integration

fix(docs): unify referenced Ubuntu versions

Documentation is inconsistent when referring to Ubuntu versioning.
Change this to a single reference that is consistent with the stated
version for TF-A t

fix(docs): unify referenced Ubuntu versions

Documentation is inconsistent when referring to Ubuntu versioning.
Change this to a single reference that is consistent with the stated
version for TF-A tests.

The change was tested with a full build on a clean install of Ubuntu 20.04.

Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>
Change-Id: Ibb135ed938e9d92332668fa5caf274cf61b822d3

show more ...

Merge "fix(rockchip): align fdt buffer on 8 bytes" into integration

docs(spm): s-el0 partition support update

S-EL0 partitions already support indirect messaging and notifications
so add that to supported features.

Signed-off-by: J-Alves <joao.alves@arm.com>
Change

docs(spm): s-el0 partition support update

S-EL0 partitions already support indirect messaging and notifications
so add that to supported features.

Signed-off-by: J-Alves <joao.alves@arm.com>
Change-Id: I08e04593653ba38a2b82395f6f2d3ca7b212d494

show more ...

fix(rockchip): align fdt buffer on 8 bytes

Since commit 94b2f94bd632 ("feat(libfdt): upgrade libfdt source files"),
8-byte alignment of the FDT address is enforced to follow the DT
standard.

Rockch

fix(rockchip): align fdt buffer on 8 bytes

Since commit 94b2f94bd632 ("feat(libfdt): upgrade libfdt source files"),
8-byte alignment of the FDT address is enforced to follow the DT
standard.

Rockchip implementation of params_early_setup loads the FDT address as
passed by the bootloader into a buffer. This buffer is currently made of
uint8_t which means it is not 8-byte aligned and might result in
fdt_open_into failing.

Instead, let's make this buffer uint64_t to make it 8-byte aligned.

Cc: Quentin Schulz <foss+tf-a@0leil.net>
Signed-off-by: Quentin Schulz <quentin.schulz@theobroma-systems.com>
Change-Id: Ifcf0e0cf4000e3661d76d3c3a2fe3921f7fe44b9

show more ...

Merge changes I256959d7,I721376bf into integration

* changes:
fix(cpus): remove plat_can_cmo check for aarch32
fix(cpus): update doc and check for plat_can_cmo

Merge "refactor(stm32mp1): remove STM32MP_USE_STM32IMAGE" into integration

fix(cpus): remove plat_can_cmo check for aarch32

We don't need CONDITIONAL_CMO for aarch32 so let's remove it.

Signed-off-by: Okash Khawawja <okash@google.com>
Change-Id: I256959d7005df21a850ff7791

fix(cpus): remove plat_can_cmo check for aarch32

We don't need CONDITIONAL_CMO for aarch32 so let's remove it.

Signed-off-by: Okash Khawawja <okash@google.com>
Change-Id: I256959d7005df21a850ff7791c8188ea01f5c53b

show more ...

fix(cpus): update doc and check for plat_can_cmo

plat_can_cmo must not clobber x1 but the doc doesn't mention that. This
patch updates the doc to mention x1. It also adds check for plat_can_cmo
to `

fix(cpus): update doc and check for plat_can_cmo

plat_can_cmo must not clobber x1 but the doc doesn't mention that. This
patch updates the doc to mention x1. It also adds check for plat_can_cmo
to `dcsw_op_louis` which was missed out in original patch.

Signed-off-by: Okash Khawaja <okash@google.com>
Change-Id: I721376bf3726520d0d5b0df0f33f98ce92257287

show more ...

refactor(stm32mp1): remove STM32MP_USE_STM32IMAGE

The code managing legacy boot (without FIP) that was under
STM32MP_USE_STM32IMAGE flag is remove.

Change-Id: I04452453ed84567b0de39e900594a81526562

refactor(stm32mp1): remove STM32MP_USE_STM32IMAGE

The code managing legacy boot (without FIP) that was under
STM32MP_USE_STM32IMAGE flag is remove.

Change-Id: I04452453ed84567b0de39e900594a81526562259
Signed-off-by: Yann Gautier <yann.gautier@st.com>

show more ...

Merge changes from topic "stm32mp1-trusted-boot" into integration

* changes:
docs(st): update documentation for TRUSTED_BOARD_BOOT
fix(build): ensure that the correct rule is called for tools

Merge changes from topic "stm32mp1-trusted-boot" into integration

* changes:
docs(st): update documentation for TRUSTED_BOARD_BOOT
fix(build): ensure that the correct rule is called for tools
feat(stm32mp1): add the platform specific build for tools
fix(stm32mp13-fdts): remove secure status
feat(stm32mp1-fdts): add CoT and fuse references for authentication
feat(stm32mp1): add a check on TRUSTED_BOARD_BOOT with secure chip
feat(stm32mp1): add the decryption support
feat(stm32mp1): add the TRUSTED_BOARD_BOOT support
feat(stm32mp1): update ROM code API for header v2 management
feat(stm32mp1): remove unused function from boot API
refactor(stm32mp1): remove authentication using STM32 image mode
fix(fconf): fix type error displaying disable_auth
feat(tbbr): increase PK_DER_LEN size
fix(auth): correct sign-compare warning
feat(auth): allow to verify PublicKey with platform format PK
feat(cert-create): update for ECDSA brainpoolP256r/t1 support
feat(stm32mp1): add RNG initialization in BL2 for STM32MP13
feat(st-crypto): remove BL32 HASH driver usage
feat(stm32mp1): add a stm32mp crypto library
feat(st-crypto): add STM32 RNG driver
feat(st-crypto): add AES decrypt/auth by SAES IP
feat(st-crypto): add ECDSA signature check with PKA
feat(st-crypto): update HASH for new hardware version used in STM32MP13

show more ...

docs(st): update documentation for TRUSTED_BOARD_BOOT

Update the documentation to indicate commands needed for
TRUSTED_BOARD_BOOT management.

Change-Id: I7b8781eaa7f8b6b8d675a625c7ff2e1ee767222a
Si

docs(st): update documentation for TRUSTED_BOARD_BOOT

Update the documentation to indicate commands needed for
TRUSTED_BOARD_BOOT management.

Change-Id: I7b8781eaa7f8b6b8d675a625c7ff2e1ee767222a
Signed-off-by: Lionel Debieve <lionel.debieve@foss.st.com>

show more ...

fix(build): ensure that the correct rule is called for tools

In case of platform specific usage for both fiptool or certtool,
we need to ensure that the Makefile will use the correct rule
to generat

fix(build): ensure that the correct rule is called for tools

In case of platform specific usage for both fiptool or certtool,
we need to ensure that the Makefile will use the correct rule
to generate the binary. Add the explicit call to the "all" rule.

Change-Id: I9724b63e01b3497daaedb9365c7d6a494aac9561
Signed-off-by: Lionel Debieve <lionel.debieve@foss.st.com>

show more ...

feat(stm32mp1): add the platform specific build for tools

Add cert_create and fiptool specific files to add the platform
addons to the generic tools.

Change-Id: Ifa600241cdf32b495cc65edccddab47c379

feat(stm32mp1): add the platform specific build for tools

Add cert_create and fiptool specific files to add the platform
addons to the generic tools.

Change-Id: Ifa600241cdf32b495cc65edccddab47c3796b77d
Signed-off-by: Lionel Debieve <lionel.debieve@foss.st.com>

show more ...

fix(stm32mp13-fdts): remove secure status

Remove the secure status for PKA and SAES entries.
The peripherals are used in BL2 at EL3, context will
remain secure only.

Change-Id: I79d95bc55a9afd27f29

fix(stm32mp13-fdts): remove secure status

Remove the secure status for PKA and SAES entries.
The peripherals are used in BL2 at EL3, context will
remain secure only.

Change-Id: I79d95bc55a9afd27f295249936d7bc332c777f5e
Signed-off-by: Lionel Debieve <lionel.debieve@foss.st.com>

show more ...

feat(stm32mp1-fdts): add CoT and fuse references for authentication

Add the stm32mp1 CoT description file. Include the TRUSTED_BOARD_BOOT
entry in the platform device tree file.
Add the missing publ

feat(stm32mp1-fdts): add CoT and fuse references for authentication

Add the stm32mp1 CoT description file. Include the TRUSTED_BOARD_BOOT
entry in the platform device tree file.
Add the missing public root key reference for stm32mp15 and the
encryption key reference for stm32mp13.

Change-Id: I0ae2454979a3df6dd3e4361510317742e8fbc109
Signed-off-by: Lionel Debieve <lionel.debieve@foss.st.com>

show more ...

feat(stm32mp1): add a check on TRUSTED_BOARD_BOOT with secure chip

Add a security check to enforce the usage of TRUSTED_BOARD_BOOT
on closed device. It will guarantee the secure bootchain.

Change-I

feat(stm32mp1): add a check on TRUSTED_BOARD_BOOT with secure chip

Add a security check to enforce the usage of TRUSTED_BOARD_BOOT
on closed device. It will guarantee the secure bootchain.

Change-Id: Id6120d0e5041e8f2d3866e5710876ec96b6d0216
Signed-off-by: Lionel Debieve <lionel.debieve@foss.st.com>

show more ...

feat(stm32mp1): add the decryption support

Add the decryption support for STM32MP1 binaries.
Decryption is limited to the BL32 loaded images.

Limitation: STM32MP15 doesn't support the feature.

Cha

feat(stm32mp1): add the decryption support

Add the decryption support for STM32MP1 binaries.
Decryption is limited to the BL32 loaded images.

Limitation: STM32MP15 doesn't support the feature.

Change-Id: I96800bac7b22109f8471eb2953fc0dc269fc4fd1
Signed-off-by: Lionel Debieve <lionel.debieve@foss.st.com>

show more ...

feat(stm32mp1): add the TRUSTED_BOARD_BOOT support

Add the support of the TRUSTED_BOARD_BOOT to authenticate the loaded
FIP using platform CoT management.
It adds TBB platform definition, redefining

feat(stm32mp1): add the TRUSTED_BOARD_BOOT support

Add the support of the TRUSTED_BOARD_BOOT to authenticate the loaded
FIP using platform CoT management.
It adds TBB platform definition, redefining the standard image ID in
order to decrease requested size in BL2 binary.
Authentication will use mbedTLS library for parsing certificate
configured with a platform configuration.

Change-Id: I9da66b915c5e9e9293fccfce92bef2434da1e430
Signed-off-by: Nicolas Toromanoff <nicolas.toromanoff@st.com>
Signed-off-by: Lionel Debieve <lionel.debieve@foss.st.com>

show more ...