Diffstat (limited to 'meta-arm')
-rw-r--r--meta-arm/.gitlab-ci.yml176
-rw-r--r--meta-arm/ci/arm-systemready-firmware.yml2
-rw-r--r--meta-arm/ci/arm-systemready-ir-acs.yml5
-rw-r--r--meta-arm/ci/base.yml5
-rw-r--r--meta-arm/ci/clang.yml2
-rw-r--r--meta-arm/ci/corstone1000-common.yml2
-rw-r--r--meta-arm/ci/corstone1000-firmware-only.yml3
-rw-r--r--meta-arm/ci/corstone1000-fvp.yml2
-rw-r--r--meta-arm/ci/corstone1000-mps3.yml2
-rw-r--r--meta-arm/ci/cve.yml2
-rw-r--r--meta-arm/ci/debug.yml2
-rw-r--r--meta-arm/ci/edk2.yml2
-rw-r--r--meta-arm/ci/external-gccarm.yml8
-rw-r--r--meta-arm/ci/fvp-base-ts.yml34
-rw-r--r--meta-arm/ci/fvp-base.yml6
-rw-r--r--meta-arm/ci/fvp.yml2
-rw-r--r--meta-arm/ci/fvps.yml2
-rw-r--r--meta-arm/ci/gcc.yml2
-rw-r--r--meta-arm/ci/generic-arm64.yml6
-rw-r--r--meta-arm/ci/genericarm64.yml18
-rw-r--r--meta-arm/ci/glibc.yml2
-rw-r--r--meta-arm/ci/juno.yml2
-rw-r--r--meta-arm/ci/linux-yocto-dev.yml2
-rw-r--r--meta-arm/ci/linux-yocto-rt.yml2
-rw-r--r--meta-arm/ci/linux-yocto.yml2
-rw-r--r--meta-arm/ci/meta-openembedded.yml2
-rw-r--r--meta-arm/ci/meta-secure-core.yml2
-rw-r--r--meta-arm/ci/meta-virtualization.yml2
-rw-r--r--meta-arm/ci/musca-b1.yml2
-rw-r--r--meta-arm/ci/musca-s1.yml2
-rw-r--r--meta-arm/ci/musl.yml2
-rw-r--r--meta-arm/ci/n1sdp-optee.yml2
-rw-r--r--meta-arm/ci/n1sdp-ts.yml2
-rw-r--r--meta-arm/ci/n1sdp.yml2
-rw-r--r--meta-arm/ci/poky-tiny.yml2
-rw-r--r--meta-arm/ci/poky.yml2
-rw-r--r--meta-arm/ci/qemu-generic-arm64.yml14
-rw-r--r--meta-arm/ci/qemuarm-secureboot.yml10
-rw-r--r--meta-arm/ci/qemuarm.yml2
-rw-r--r--meta-arm/ci/qemuarm64-secureboot-ts.yml2
-rw-r--r--meta-arm/ci/qemuarm64-secureboot.yml10
-rw-r--r--meta-arm/ci/qemuarm64.yml2
-rw-r--r--meta-arm/ci/qemuarmv5.yml2
-rw-r--r--meta-arm/ci/sbsa-ref.yml12
-rw-r--r--meta-arm/ci/selftest.yml2
-rw-r--r--meta-arm/ci/sgi575.yml2
-rw-r--r--meta-arm/ci/sstate-mirror.yml11
-rw-r--r--meta-arm/ci/testimage.yml4
-rw-r--r--meta-arm/ci/tftf.yml2
-rw-r--r--meta-arm/ci/toolchains.yml2
-rw-r--r--meta-arm/ci/u-boot.yml2
-rw-r--r--meta-arm/ci/xen.yml2
-rw-r--r--meta-arm/documentation/trusted-services.md13
-rw-r--r--meta-arm/kas/arm-systemready-linux-distros-fedora.yml7
-rw-r--r--meta-arm/kas/corstone1000-base.yml8
-rw-r--r--meta-arm/kas/corstone1000-firmware-only.yml2
-rw-r--r--meta-arm/kas/corstone1000-fvp.yml1
-rw-r--r--meta-arm/kas/corstone1000-image-configuration.yml13
-rw-r--r--meta-arm/meta-arm-bsp/conf/layer.conf2
-rw-r--r--meta-arm/meta-arm-bsp/conf/machine/corstone1000-fvp.conf10
-rw-r--r--meta-arm/meta-arm-bsp/conf/machine/fvp-base.conf5
-rw-r--r--meta-arm/meta-arm-bsp/conf/machine/include/corstone1000.inc11
-rw-r--r--meta-arm/meta-arm-bsp/conf/machine/sbsa-ref.conf (renamed from meta-arm/meta-arm/conf/machine/qemu-generic-arm64.conf)27
-rw-r--r--meta-arm/meta-arm-bsp/conf/machine/sgi575.conf1
-rw-r--r--meta-arm/meta-arm-bsp/documentation/corstone1000/change-log.rst76
-rw-r--r--meta-arm/meta-arm-bsp/documentation/corstone1000/images/SecureBootChain.pngbin95626 -> 88376 bytes
-rw-r--r--meta-arm/meta-arm-bsp/documentation/corstone1000/images/SecureServices.pngbin57910 -> 70912 bytes
-rw-r--r--meta-arm/meta-arm-bsp/documentation/corstone1000/release-notes.rst23
-rw-r--r--meta-arm/meta-arm-bsp/documentation/corstone1000/software-architecture.rst103
-rw-r--r--meta-arm/meta-arm-bsp/documentation/corstone1000/user-guide.rst701
-rw-r--r--meta-arm/meta-arm-bsp/lib/oeqa/runtime/cases/parselogs-ignores-sbsa-ref.txt5
-rw-r--r--meta-arm/meta-arm-bsp/recipes-bsp/boot-wrapper-aarch64/boot-wrapper-aarch64_%.bbappend1
-rw-r--r--meta-arm/meta-arm-bsp/recipes-bsp/external-system/external-system_0.1.0.bb13
-rw-r--r--meta-arm/meta-arm-bsp/recipes-bsp/images/corstone1000-esp-image.bb25
-rw-r--r--meta-arm/meta-arm-bsp/recipes-bsp/images/corstone1000-firmware-deploy-image.inc2
-rw-r--r--meta-arm/meta-arm-bsp/recipes-bsp/images/corstone1000-flash-firmware-image.bb46
-rw-r--r--meta-arm/meta-arm-bsp/recipes-bsp/images/corstone1000-recovery-image.bb7
-rw-r--r--meta-arm/meta-arm-bsp/recipes-bsp/images/files/corstone1000-flash-firmware-image-capsule-update-image.json11
-rw-r--r--meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/files/corstone1000/0004-fix-corstone1000-remove-unused-NS_SHARED_RAM-region.patch92
-rw-r--r--meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/files/corstone1000/0005-fix-corstone1000-clean-the-cache-and-disable-interru.patch46
-rw-r--r--meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/files/fvp-base/optee_spmc_maifest.dts116
-rw-r--r--meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/fiptool-native_2.9.0.bb33
-rw-r--r--meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a-corstone1000.inc2
-rw-r--r--meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a-fvp-base.inc55
-rw-r--r--meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a-sbsa-ref.inc6
-rw-r--r--meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a_%.bbappend1
-rw-r--r--meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a_2.9.0.bb16
-rw-r--r--meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/0001-arm-trusted-firmware-m-disable-address-warnings-into.patch (renamed from meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/0002-arm-trusted-firmware-m-disable-address-warnings-into.patch)0
-rw-r--r--meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/0001-cmake-modify-path-to-libmetal-version-file.patch27
-rw-r--r--meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0003-Platform-corstone1000-Fix-issues-due-to-adjustment-M.patch76
-rw-r--r--meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0003-platform-corstone1000-align-capsule-update-structs.patch (renamed from meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0004-platform-corstone1000-align-capsule-update-structs.patch)0
-rw-r--r--meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0004-Platform-Corstone1000-skip-the-first-nv-counter.patch (renamed from meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0006-Platform-Corstone1000-skip-the-first-nv-counter.patch)0
-rw-r--r--meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0005-platform-corstone1000-add-unique-guid-for-mps3.patch (renamed from meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0007-platform-corstone1000-add-unique-guid-for-mps3.patch)0
-rw-r--r--meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0005-platform-corstone1000-fix-synchronization-issue-on-o.patch50
-rw-r--r--meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0006-Platform-Corstone1000-Enable-host-firewall-in-FVP.patch177
-rw-r--r--meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0007-platform-corstone1000-Increase-ITS-max-asset-size.patch27
-rw-r--r--meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0008-Platform-CS1000-Replace-OpenAMP-with-RSE_COMMS.patch3620
-rw-r--r--meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0009-platform-corstone1000-Increase-RSE_COMMS-buffer-size.patch28
-rw-r--r--meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0010-CC312-alignment-of-cc312-differences-between-fvp-and.patch31
-rw-r--r--meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0011-Platform-corstone1000-Increase-buffers-for-EFI-vars.patch45
-rw-r--r--meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0012-corstone1000-Remove-reset-after-capsule-update.patch28
-rw-r--r--meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/trusted-firmware-m-corstone1000.inc35
-rw-r--r--meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot-corstone1000.inc4
-rw-r--r--meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot-fvp-base.inc1
-rw-r--r--meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot/corstone1000/0045-efi-corstone1000-fwu-update-RPC-ABI.patch75
-rw-r--r--meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot/corstone1000/0046-Corstone1000-Change-MMCOMM-buffer-location.patch47
-rw-r--r--meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot/corstone1000/0047-corstone1000-dts-add-external-system-node.patch34
-rw-r--r--meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot/corstone1000/0048-corstone1000-Enable-UEFI-Secure-boot.patch28
-rw-r--r--meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot/tick.patch188
-rw-r--r--meta-arm/meta-arm-bsp/recipes-bsp/uefi/edk2-firmware-sbsa-ref.inc19
-rw-r--r--meta-arm/meta-arm-bsp/recipes-bsp/uefi/edk2-firmware_%.bbappend1
-rw-r--r--meta-arm/meta-arm-bsp/recipes-kernel/linux/files/corstone1000/0001-remoteproc-Add-Arm-remoteproc-driver.patch488
-rw-r--r--meta-arm/meta-arm-bsp/recipes-kernel/linux/files/corstone1000/0002-arm64-dts-Add-corstone1000-external-system-device-no.patch42
-rw-r--r--meta-arm/meta-arm-bsp/recipes-kernel/linux/files/corstone1000/0003-dt-bindings-remoteproc-Add-Arm-remoteproc.patch105
-rw-r--r--meta-arm/meta-arm-bsp/recipes-kernel/linux/files/corstone1000/extsys.cfg2
-rw-r--r--meta-arm/meta-arm-bsp/recipes-kernel/linux/linux-arm-platforms.inc25
-rw-r--r--meta-arm/meta-arm-bsp/recipes-kernel/linux/linux-yocto-dev.bbappend3
-rw-r--r--meta-arm/meta-arm-bsp/recipes-kernel/linux/linux-yocto-rt_%.bbappend6
-rw-r--r--meta-arm/meta-arm-bsp/recipes-security/optee/files/optee-os/corstone1000/0002-increase-tzdram-size.patch28
-rw-r--r--meta-arm/meta-arm-bsp/recipes-security/optee/optee-ftpm_%.bbappend1
-rw-r--r--meta-arm/meta-arm-bsp/recipes-security/optee/optee-os-corstone1000-common.inc1
-rw-r--r--meta-arm/meta-arm-bsp/recipes-security/optee/optee-os-fvp-base.inc13
-rw-r--r--meta-arm/meta-arm-bsp/recipes-security/optee/optee-os-sbsa-ref.inc1
-rw-r--r--meta-arm/meta-arm-bsp/recipes-security/optee/optee-os-tadevkit_4.%.bbappend1
-rw-r--r--meta-arm/meta-arm-bsp/recipes-security/optee/optee-os_4.%.bbappend2
-rw-r--r--meta-arm/meta-arm-bsp/recipes-security/optee/optee-test-fvp-base.inc3
-rw-r--r--meta-arm/meta-arm-bsp/recipes-security/optee/optee-test_4.%.bbappend1
-rw-r--r--meta-arm/meta-arm-bsp/recipes-security/packagegroups/packagegroup-ts-tests.bbappend1
-rw-r--r--meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0001-Add-stub-capsule-update-service-components.patch72
-rw-r--r--meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0002-Fixes-in-AEAD-for-psa-arch-test-54-and-58.patch38
-rw-r--r--meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0003-FMP-Support-in-Corstone1000.patch50
-rw-r--r--meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0004-GetNextVariableName-Fix.patch33
-rw-r--r--meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0004-smm_gateway-GetNextVariableName-Fix.patch45
-rw-r--r--meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0005-plat-corstone1000-add-compile-definitions-for-ECP_DP.patch21
-rw-r--r--meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0006-plat-corstone1000-Use-the-stateless-platform-service.patch42
-rw-r--r--meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0007-plat-corstone1000-Initialize-capsule-update-provider.patch100
-rw-r--r--meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0008-plat-corstone1000-add-client_id-for-FMP-service.patch (renamed from meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0009-plat-corstone1000-fmp-client-id.patch)20
-rw-r--r--meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0008-platform-corstone1000-fix-synchronization-issue.patch105
-rw-r--r--meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0009-Remove-Werror-flag.patch84
-rw-r--r--meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0010-Remove-PLATFORM_HAS_ATTEST_PK-define-from-IAT-test.patch27
-rw-r--r--meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0011-Fix-Avoid-redefinition-of-variables.patch28
-rw-r--r--meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0012-Fix-GetNextVariableName-NameSize-input.patch495
-rw-r--r--meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0013-Fix-error-handling-of-variable-index-loading.patch82
-rw-r--r--meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0014-Provide-crypto-api-to-create-uefi-priv-var-fingerpri.patch758
-rw-r--r--meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0015-Add-timestamp-validation-for-uefi-variables.patch146
-rw-r--r--meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0016-Isolate-common-uefi-variable-authentication-steps.patch282
-rw-r--r--meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0017-Implement-Private-Authenticated-Variable-verificatio.patch292
-rw-r--r--meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0018-Change-RSS_COMMS-cmake-variables-to-cahce-vars.patch37
-rw-r--r--meta-arm/meta-arm-bsp/recipes-security/trusted-services/libts_%.bbappend6
-rw-r--r--meta-arm/meta-arm-bsp/recipes-security/trusted-services/ts-arm-platforms.inc18
-rw-r--r--meta-arm/meta-arm-bsp/recipes-security/trusted-services/ts-newlib_%.bbappend1
-rw-r--r--meta-arm/meta-arm-bsp/recipes-security/trusted-services/ts-sp-fwu_%.bbappend1
-rw-r--r--meta-arm/meta-arm-bsp/recipes-security/trusted-services/ts-sp-se-proxy_%.bbappend7
-rw-r--r--meta-arm/meta-arm-bsp/recipes-security/trusted-services/ts-sp-smm-gateway_%.bbappend9
-rw-r--r--meta-arm/meta-arm-bsp/recipes-security/trusted-services/ts-sp-spm-test1_%.bbappend1
-rw-r--r--meta-arm/meta-arm-bsp/recipes-security/trusted-services/ts-sp-spm-test2_%.bbappend1
-rw-r--r--meta-arm/meta-arm-bsp/recipes-security/trusted-services/ts-sp-spm-test3_%.bbappend1
-rw-r--r--meta-arm/meta-arm-bsp/recipes-security/trusted-services/ts-sp-spm-test4_%.bbappend1
-rw-r--r--meta-arm/meta-arm-bsp/wic/efi-disk-esp-only.wks.in9
-rw-r--r--meta-arm/meta-arm-bsp/wic/efi-disk-no-swap.wks.in4
-rw-r--r--meta-arm/meta-arm-systemready/recipes-test/arm-systemready-acs/arm-systemready-ir-acs.bb2
-rw-r--r--meta-arm/meta-arm-systemready/recipes-test/arm-systemready-linux-distros/arm-systemready-linux-distros-debian.bb90
-rw-r--r--meta-arm/meta-arm-systemready/recipes-test/arm-systemready-linux-distros/arm-systemready-linux-distros-fedora.bb103
-rw-r--r--meta-arm/meta-arm-systemready/recipes-test/arm-systemready-linux-distros/arm-systemready-linux-distros-opensuse.bb19
-rw-r--r--meta-arm/meta-arm-systemready/recipes-test/arm-systemready-linux-distros/arm-systemready-linux-distros.inc1
-rw-r--r--meta-arm/meta-arm-toolchain/recipes-devtools/external-arm-toolchain/external-arm-toolchain.bb1
-rw-r--r--meta-arm/meta-arm/classes/uefi_capsule.bbclass49
-rw-r--r--meta-arm/meta-arm/classes/wic_nopt.bbclass9
-rw-r--r--meta-arm/meta-arm/conf/machine/generic-arm64.conf25
-rw-r--r--meta-arm/meta-arm/lib/oeqa/controllers/fvp.py15
-rw-r--r--meta-arm/meta-arm/lib/oeqa/runtime/cases/ftpm.py41
-rw-r--r--meta-arm/meta-arm/lib/oeqa/runtime/cases/optee.py24
-rw-r--r--meta-arm/meta-arm/lib/oeqa/runtime/cases/trusted_services.py34
-rw-r--r--meta-arm/meta-arm/recipes-bsp/boot-wrapper-aarch64/boot-wrapper-aarch64_git.bb2
-rw-r--r--meta-arm/meta-arm/recipes-bsp/images/firmware-deploy-image.bb3
-rw-r--r--meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/files/0001-qemu_measured_boot.c-ignore-TPM-error-and-continue-w.patch36
-rw-r--r--meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/fiptool-native_2.10.4.bb (renamed from meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/fiptool-native_2.10.3.bb)4
-rw-r--r--meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_%.bbappend3
-rw-r--r--meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_2.10.4.bb (renamed from meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_2.10.3.bb)9
-rw-r--r--meta-arm/meta-arm/recipes-bsp/uefi/edk2-basetools-native_202402.bb2
-rw-r--r--meta-arm/meta-arm/recipes-bsp/uefi/edk2-firmware_%.bbappend18
-rw-r--r--meta-arm/meta-arm/recipes-devtools/fvp/fvp-base-a-aem_11.25.15.bb (renamed from meta-arm/meta-arm/recipes-devtools/fvp/fvp-base-a-aem_11.24.11.bb)7
-rw-r--r--meta-arm/meta-arm/recipes-devtools/fvp/fvp-common.inc7
-rw-r--r--meta-arm/meta-arm/recipes-devtools/fvp/fvp-corstone1000.bb6
-rw-r--r--meta-arm/meta-arm/recipes-devtools/fvp/fvp-envelope.inc2
-rw-r--r--meta-arm/meta-arm/recipes-kernel/arm-tstee/arm-tstee_2.0.0.bb (renamed from meta-arm/meta-arm/recipes-kernel/arm-ffa-tee/arm-ffa-tee_1.1.2.bb)8
-rw-r--r--meta-arm/meta-arm/recipes-kernel/arm-tstee/files/Makefile (renamed from meta-arm/meta-arm/recipes-kernel/arm-ffa-tee/files/Makefile)2
-rw-r--r--meta-arm/meta-arm/recipes-kernel/linux/files/generic-arm64-kmeta/generic-arm64-preempt-rt-tweaks.cfg4
-rw-r--r--meta-arm/meta-arm/recipes-kernel/linux/files/generic-arm64-kmeta/generic-arm64-preempt-rt.scc7
-rw-r--r--meta-arm/meta-arm/recipes-kernel/linux/files/generic-arm64-kmeta/generic-arm64-standard.scc6
-rw-r--r--meta-arm/meta-arm/recipes-kernel/linux/linux-yocto%.bbappend6
-rw-r--r--meta-arm/meta-arm/recipes-security/optee-ftpm/optee-ftpm_git.bb1
-rw-r--r--meta-arm/meta-arm/recipes-security/optee-ftpm/optee-os_%.bbappend16
-rw-r--r--meta-arm/meta-arm/recipes-security/optee/optee-os-ts.inc40
-rw-r--r--meta-arm/meta-arm/recipes-security/optee/optee.inc1
-rw-r--r--meta-arm/meta-arm/recipes-security/trusted-services/files/0001-Allow-configuring-flash-image-files-compile-time.patch100
-rw-r--r--meta-arm/meta-arm/recipes-security/trusted-services/files/0001-LazyFetch-allow-setting-the-cmake-generator.patch46
-rw-r--r--meta-arm/meta-arm/recipes-security/trusted-services/files/0001-Limit-nanopb-build-to-single-process.patch41
-rw-r--r--meta-arm/meta-arm/recipes-security/trusted-services/files/nanopb-upgrade.patch123
-rw-r--r--meta-arm/meta-arm/recipes-security/trusted-services/libts_git.bb4
-rw-r--r--meta-arm/meta-arm/recipes-security/trusted-services/trusted-services-src.inc35
-rw-r--r--meta-arm/meta-arm/recipes-security/trusted-services/trusted-services.inc24
-rw-r--r--meta-arm/meta-arm/recipes-security/trusted-services/ts-demo_git.bb4
-rw-r--r--meta-arm/meta-arm/recipes-security/trusted-services/ts-newlib_4.1.0.bb2
-rw-r--r--meta-arm/meta-arm/recipes-security/trusted-services/ts-psa-api-test-common_git.inc2
-rw-r--r--meta-arm/meta-arm/recipes-security/trusted-services/ts-psa-iat-api-test_git.bb3
-rw-r--r--meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-common.inc13
-rw-r--r--meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-fwu_git.bb32
-rw-r--r--meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-spm-test-common.inc3
-rw-r--r--meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-spm-test4_git.bb6
-rw-r--r--meta-arm/meta-arm/recipes-security/trusted-services/ts-uuid.inc2
211 files changed, 9542 insertions, 1457 deletions
diff --git a/meta-arm/.gitlab-ci.yml b/meta-arm/.gitlab-ci.yml
index 4f16fcf318..3adea45ea7 100644
--- a/meta-arm/.gitlab-ci.yml
+++ b/meta-arm/.gitlab-ci.yml
@@ -72,6 +72,7 @@ stages:
- if: '$KERNEL != "linux-yocto-dev"'
script:
- KASFILES=$(./ci/jobs-to-kas "$CI_JOB_NAME" $EXTRA_KAS_FILES):lockfile.yml
+ - echo KASFILES=$KASFILES
- kas dump --update --force-checkout --resolve-refs --resolve-env $KASFILES
- kas build $KASFILES
- ./ci/check-warnings $KAS_WORK_DIR/build/warnings.log
@@ -119,6 +120,29 @@ update-repos:
# VIRT: [none, xen]
# TESTING: testimage
+arm-systemready-ir-acs:
+ extends: .build
+ timeout: 12h
+ parallel:
+ matrix:
+ # arm-systemready-ir-acs must be specified after fvp-base for ordering
+ # purposes for the jobs-to-kas output. It is not enough to just have it
+ # in the job name because fvp-base.yml overwrites the target.
+ - PLATFORM: fvp-base
+ ARM_SYSTEMREADY_IR_ACS: arm-systemready-ir-acs
+ tags:
+ - ${ACS_TAG}
+
+# Validate layers are Yocto Project Compatible
+check-layers:
+ extends: .setup
+ script:
+ - kas shell --update --force-checkout ci/base.yml:ci/meta-openembedded.yml:lockfile.yml --command \
+ "yocto-check-layer-wrapper $CI_PROJECT_DIR/$LAYER --dependency $CI_PROJECT_DIR/meta-* $KAS_WORK_DIR/meta-openembedded/meta-oe --no-auto-dependency"
+ parallel:
+ matrix:
+ - LAYER: [meta-arm, meta-arm-bsp, meta-arm-toolchain]
+
corstone1000-fvp:
extends: .build
parallel:
@@ -127,6 +151,7 @@ corstone1000-fvp:
TESTING: [testimage, tftf]
- FIRMWARE: none
TESTING: testimage
+ - SYSTEMREADY_FIRMWARE: arm-systemready-firmware
corstone1000-mps3:
extends: .build
@@ -136,11 +161,35 @@ corstone1000-mps3:
TESTING: [none, tftf]
- FIRMWARE: none
+documentation:
+ extends: .setup
+ script:
+ - |
+ # This can be removed when the kas container has python3-venv installed
+ sudo apt-get update && sudo apt-get install --yes python3-venv
+
+ python3 -m venv venv
+ . ./venv/bin/activate
+
+ pip3 install -r meta-arm-bsp/documentation/requirements.txt
+
+ for CONF in meta-*/documentation/*/conf.py ; do
+ echo Building $CONF...
+ SOURCE_DIR=$(dirname $CONF)
+ MACHINE=$(basename $SOURCE_DIR)
+ sphinx-build -vW $SOURCE_DIR build-docs/$MACHINE
+ done
+ test -d build-docs/
+ artifacts:
+ paths:
+ - build-docs/
+
fvp-base:
extends: .build
parallel:
matrix:
- - TESTING: testimage
+ - TS: [none, fvp-base-ts]
+ TESTING: testimage
- FIRMWARE: edk2
- SYSTEMREADY_FIRMWARE: arm-systemready-firmware
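Review bot: The documentation job, moved here rather than new, installs its Sphinx toolchain with a bare `pip3 install -r meta-arm-bsp/documentation/requirements.txt`, so the published docs artefact is built from whatever PyPI serves at job time unless that file pins versions and hashes, which is not visible in this diff. If it does carry hashes, `pip3 install --require-hashes -r meta-arm-bsp/documentation/requirements.txt` makes that mandatory instead of optional; if it does not, pinning it is worth a follow-up before the artefact is relied on. The `sudo apt-get update && sudo apt-get install --yes python3-venv` step is already flagged as temporary by its own comment, so no change needed there.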
@@ -152,7 +201,7 @@ arm-systemready-ir-acs:
# arm-systemready-ir-acs must be specified after fvp-base for ordering
# purposes for the jobs-to-kas output. It is not enough to just have it
# in the job name because fvp-base.yml overwrites the target.
- - PLATFORM: fvp-base
+ - PLATFORM: [fvp-base, corstone1000-fvp]
ARM_SYSTEMREADY_IR_ACS: arm-systemready-ir-acs
tags:
- ${ACS_TAG}
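Review bot: The comment above this matrix entry still says the job "must be specified after fvp-base", but the entry now also lists corstone1000-fvp, and whether corstone1000-fvp.yml overwrites `target` the same way fvp-base.yml does is not visible here. Suggest generalising it to `# arm-systemready-ir-acs must be listed after the PLATFORM entry for ordering purposes in the jobs-to-kas output, because the platform kas file overwrites the target.` so the next platform added does not inherit a note that only describes the first one.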
@@ -160,8 +209,14 @@ arm-systemready-ir-acs:
fvps:
extends: .build
-generic-arm64:
+genericarm64:
extends: .build
+ parallel:
+ matrix:
+ - TOOLCHAINS: [gcc, clang]
+ TESTING: testimage
+ - KERNEL: linux-yocto-dev
+ TESTING: testimage
juno:
extends: .build
@@ -170,6 +225,22 @@ juno:
- TOOLCHAINS: [gcc, clang]
FIRMWARE: [u-boot, edk2]
+# What percentage of machines in the layer do we build
+machine-coverage:
+ extends: .setup
+ script:
+ - ./ci/check-machine-coverage
+ coverage: '/Coverage: \d+/'
+
+metrics:
+ extends: .setup
+ artifacts:
+ reports:
+ metrics: metrics.txt
+ script:
+ - kas shell --update --force-checkout ci/base.yml --command \
+ "$CI_PROJECT_DIR/ci/patchreview $CI_PROJECT_DIR/meta-* --verbose --metrics $CI_PROJECT_DIR/metrics.txt"
+
musca-b1:
extends: .build
@@ -182,15 +253,19 @@ n1sdp:
matrix:
- TESTING: [none, n1sdp-ts, n1sdp-optee, tftf]
-qemu-generic-arm64:
- extends: .build
- parallel:
- matrix:
- - KERNEL: [linux-yocto, linux-yocto-rt]
- TOOLCHAINS: [gcc, clang]
- TESTING: testimage
- - KERNEL: linux-yocto-dev
- TESTING: testimage
+pending-updates:
+ extends: .setup
+ artifacts:
+ paths:
+ - update-report
+ script:
+ - rm -fr update-report
+ # This configuration has all of the layers we need enabled
+ - kas shell --update --force-checkout ci/qemuarm64.yml:ci/meta-openembedded.yml:ci/meta-secure-core.yml:lockfile.yml --command \
+ "$CI_PROJECT_DIR/scripts/machine-summary.py -t report -o $CI_PROJECT_DIR/update-report $($CI_PROJECT_DIR/ci/listmachines.py meta-arm meta-arm-bsp)"
+ # Do this on x86 whilst the compilers are x86-only
+ tags:
+ - x86_64
qemuarm64-secureboot:
extends: .build
@@ -257,11 +332,15 @@ qemuarmv5:
- DISTRO: poky-tiny
TESTING: testimage
-sgi575:
- extends: .build
-
-toolchains:
+sbsa-ref:
extends: .build
+ parallel:
+ matrix:
+ - KERNEL: [linux-yocto, linux-yocto-rt]
+ TOOLCHAINS: [gcc, clang]
+ TESTING: testimage
+ - KERNEL: linux-yocto-dev
+ TESTING: testimage
selftest:
extends: .setup
@@ -269,65 +348,8 @@ selftest:
- KASFILES=./ci/qemuarm64.yml:./ci/selftest.yml:lockfile.yml
- kas shell --update --force-checkout $KASFILES -c 'oe-selftest --num-processes 2 --select-tag meta-arm --run-all-tests'
-# Validate layers are Yocto Project Compatible
-check-layers:
- extends: .setup
- script:
- - kas shell --update --force-checkout ci/base.yml:ci/meta-openembedded.yml:lockfile.yml --command \
- "yocto-check-layer-wrapper $CI_PROJECT_DIR/$LAYER --dependency $CI_PROJECT_DIR/meta-* $KAS_WORK_DIR/meta-openembedded/meta-oe --no-auto-dependency"
- parallel:
- matrix:
- - LAYER: [meta-arm, meta-arm-bsp, meta-arm-toolchain]
-
-pending-updates:
- extends: .setup
- artifacts:
- paths:
- - update-report
- script:
- - rm -fr update-report
- # This configuration has all of the layers we need enabled
- - kas shell --update --force-checkout ci/qemuarm64.yml:ci/meta-openembedded.yml:ci/meta-secure-core.yml:lockfile.yml --command \
- "$CI_PROJECT_DIR/scripts/machine-summary.py -t report -o $CI_PROJECT_DIR/update-report $($CI_PROJECT_DIR/ci/listmachines.py meta-arm meta-arm-bsp)"
- # Do this on x86 whilst the compilers are x86-only
- tags:
- - x86_64
-
-# What percentage of machines in the layer do we build
-machine-coverage:
- extends: .setup
- script:
- - ./ci/check-machine-coverage
- coverage: '/Coverage: \d+/'
-
-metrics:
- extends: .setup
- artifacts:
- reports:
- metrics: metrics.txt
- script:
- - kas shell --update --force-checkout ci/base.yml --command \
- "$CI_PROJECT_DIR/ci/patchreview $CI_PROJECT_DIR/meta-* --verbose --metrics $CI_PROJECT_DIR/metrics.txt"
-
-documentation:
- extends: .setup
- script:
- - |
- # This can be removed when the kas container has python3-venv installed
- sudo apt-get update && sudo apt-get install --yes python3-venv
-
- python3 -m venv venv
- . ./venv/bin/activate
-
- pip3 install -r meta-arm-bsp/documentation/requirements.txt
+sgi575:
+ extends: .build
- for CONF in meta-*/documentation/*/conf.py ; do
- echo Building $CONF...
- SOURCE_DIR=$(dirname $CONF)
- MACHINE=$(basename $SOURCE_DIR)
- sphinx-build -vW $SOURCE_DIR build-docs/$MACHINE
- done
- test -d build-docs/
- artifacts:
- paths:
- - build-docs/
+toolchains:
+ extends: .build
diff --git a/meta-arm/ci/arm-systemready-firmware.yml b/meta-arm/ci/arm-systemready-firmware.yml
index 1854c2ab65..4b9753708f 100644
--- a/meta-arm/ci/arm-systemready-firmware.yml
+++ b/meta-arm/ci/arm-systemready-firmware.yml
@@ -1,3 +1,5 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/siemens/kas/master/kas/schema-kas.json
+
header:
version: 11
includes:
diff --git a/meta-arm/ci/arm-systemready-ir-acs.yml b/meta-arm/ci/arm-systemready-ir-acs.yml
index 6cfead6c2d..e31a264b37 100644
--- a/meta-arm/ci/arm-systemready-ir-acs.yml
+++ b/meta-arm/ci/arm-systemready-ir-acs.yml
@@ -1,3 +1,5 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/siemens/kas/master/kas/schema-kas.json
+
header:
version: 11
includes:
@@ -12,3 +14,6 @@ local_conf_header:
target:
- arm-systemready-ir-acs
+ - arm-systemready-linux-distros-debian
+ - arm-systemready-linux-distros-opensuse
+ - arm-systemready-linux-distros-fedora
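Review bot: The three distro-installer targets added to the ACS run build recipes that this commit also changes but that are not in view; as they presumably fetch installer media from external mirrors, check that each `SRC_URI` entry carries a pinned checksum rather than a floating "latest" URL, otherwise the ACS results are tied to whatever image the mirror serves on the day. Given the `timeout: 12h` this job already has in `.gitlab-ci.yml`, it is also worth confirming that three additional installs fit inside it on the ACS runners.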
diff --git a/meta-arm/ci/base.yml b/meta-arm/ci/base.yml
index 4296d27057..a3e2c68b86 100644
--- a/meta-arm/ci/base.yml
+++ b/meta-arm/ci/base.yml
@@ -1,3 +1,5 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/siemens/kas/master/kas/schema-kas.json
+
header:
version: 14
@@ -5,7 +7,7 @@ distro: poky
defaults:
repos:
- branch: master
+ branch: scarthgap
repos:
meta-arm:
@@ -32,7 +34,6 @@ local_conf_header:
PACKAGECONFIG:remove:pn-qemu-system-native = "gtk+ sdl"
PACKAGECONFIG:append:pn-perf = " coresight"
INHERIT += "rm_work"
- DISTRO_FEATURES:remove = "ptest"
extrapackages: |
CORE_IMAGE_EXTRA_INSTALL += "perf opencsd"
CORE_IMAGE_EXTRA_INSTALL:append:aarch64 = " gator-daemon"
diff --git a/meta-arm/ci/clang.yml b/meta-arm/ci/clang.yml
index b9425fa72a..9b2d194a3a 100644
--- a/meta-arm/ci/clang.yml
+++ b/meta-arm/ci/clang.yml
@@ -1,3 +1,5 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/siemens/kas/master/kas/schema-kas.json
+
header:
version: 14
diff --git a/meta-arm/ci/corstone1000-common.yml b/meta-arm/ci/corstone1000-common.yml
index 7fe9e8793a..3f47b3a5f1 100644
--- a/meta-arm/ci/corstone1000-common.yml
+++ b/meta-arm/ci/corstone1000-common.yml
@@ -1,3 +1,5 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/siemens/kas/master/kas/schema-kas.json
+
header:
version: 14
includes:
diff --git a/meta-arm/ci/corstone1000-firmware-only.yml b/meta-arm/ci/corstone1000-firmware-only.yml
index 8af0146a3d..a22989108c 100644
--- a/meta-arm/ci/corstone1000-firmware-only.yml
+++ b/meta-arm/ci/corstone1000-firmware-only.yml
@@ -1,4 +1,5 @@
----
+# yaml-language-server: $schema=https://raw.githubusercontent.com/siemens/kas/master/kas/schema-kas.json
+
header:
version: 14
includes:
diff --git a/meta-arm/ci/corstone1000-fvp.yml b/meta-arm/ci/corstone1000-fvp.yml
index c4e5737947..c2bf9459d0 100644
--- a/meta-arm/ci/corstone1000-fvp.yml
+++ b/meta-arm/ci/corstone1000-fvp.yml
@@ -1,3 +1,5 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/siemens/kas/master/kas/schema-kas.json
+
header:
version: 14
includes:
diff --git a/meta-arm/ci/corstone1000-mps3.yml b/meta-arm/ci/corstone1000-mps3.yml
index 7a1fc9efef..9b87b2593d 100644
--- a/meta-arm/ci/corstone1000-mps3.yml
+++ b/meta-arm/ci/corstone1000-mps3.yml
@@ -1,3 +1,5 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/siemens/kas/master/kas/schema-kas.json
+
header:
version: 14
includes:
diff --git a/meta-arm/ci/cve.yml b/meta-arm/ci/cve.yml
index e2aca0e13a..d060d299ea 100644
--- a/meta-arm/ci/cve.yml
+++ b/meta-arm/ci/cve.yml
@@ -1,3 +1,5 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/siemens/kas/master/kas/schema-kas.json
+
header:
version: 14
diff --git a/meta-arm/ci/debug.yml b/meta-arm/ci/debug.yml
index 6ca1a072bc..371035a17a 100644
--- a/meta-arm/ci/debug.yml
+++ b/meta-arm/ci/debug.yml
@@ -1,3 +1,5 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/siemens/kas/master/kas/schema-kas.json
+
header:
version: 14
diff --git a/meta-arm/ci/edk2.yml b/meta-arm/ci/edk2.yml
index 3a5c4ce93b..d32e3645cd 100644
--- a/meta-arm/ci/edk2.yml
+++ b/meta-arm/ci/edk2.yml
@@ -1,3 +1,5 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/siemens/kas/master/kas/schema-kas.json
+
header:
version: 14
diff --git a/meta-arm/ci/external-gccarm.yml b/meta-arm/ci/external-gccarm.yml
index a3313d8921..8985a1ba17 100644
--- a/meta-arm/ci/external-gccarm.yml
+++ b/meta-arm/ci/external-gccarm.yml
@@ -1,3 +1,5 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/siemens/kas/master/kas/schema-kas.json
+
header:
version: 14
@@ -6,6 +8,6 @@ local_conf_header:
SKIP_RECIPE[gcc-cross-arm] = "Using external toolchain"
TCMODE = "external-arm"
EXTERNAL_TOOLCHAIN = "${TOPDIR}/toolchains/${TARGET_ARCH}"
- # Temporary workaround for a number binaries in the toolchains that are using 32bit timer API
- # This must be done here instead of the recipe because of all the libraries in the toolchain have the issue
- INSANE_SKIP:append = " 32bit-time"
+ # Disable ptest as this pulls target compilers, which don't
+ # work with external toolchain currently
+ DISTRO_FEATURES:remove = "ptest"
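Review bot: The `INSANE_SKIP:append = " 32bit-time"` workaround is dropped here with no replacement and no explanation, so if the external Arm toolchain still ships binaries built against 32-bit time APIs the `32bit-time` QA check will now fail the build instead of being skipped. The diffstat shows `external-arm-toolchain.bb` changing by one line, which is presumably a toolchain bump that resolves this, but that is not in view. A one-line comment such as `# 32bit-time QA skip no longer needed with the current toolchain release` above the new `DISTRO_FEATURES:remove` line would save the next reader the archaeology.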
diff --git a/meta-arm/ci/fvp-base-ts.yml b/meta-arm/ci/fvp-base-ts.yml
new file mode 100644
index 0000000000..ae74334edf
--- /dev/null
+++ b/meta-arm/ci/fvp-base-ts.yml
@@ -0,0 +1,34 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/siemens/kas/master/kas/schema-kas.json
+
+header:
+ version: 14
+ includes:
+ - ci/fvp-base.yml
+ - ci/meta-openembedded.yml
+ - ci/testimage.yml
+
+local_conf_header:
+ trusted_services: |
+ # Enable the needed test suites
+ TEST_SUITES = " ping ssh trusted_services"
+ # Include all Secure Partitions into the image
+ MACHINE_FEATURES:append = " arm-ffa ts-crypto ts-storage ts-its"
+ MACHINE_FEATURES:append = " ts-attestation ts-smm-gateway optee-spmc-test"
+ MACHINE_FEATURES:append = " ts-block-storage ts-fwu"
+ # Include TS demo/test tools into image
+ IMAGE_INSTALL:append = " packagegroup-ts-tests"
+ # Include TS PSA Arch tests into image
+ IMAGE_INSTALL:append = " packagegroup-ts-tests-psa"
+ CORE_IMAGE_EXTRA_INSTALL += "optee-test"
+ # Set the TS environment
+ TS_ENV="sp"
+ # Enable and configure semihosting
+ FVP_CONFIG[cluster0.cpu0.semihosting-cwd] = "${DEPLOY_DIR_IMAGE}"
+ FVP_CONFIG[cluster0.cpu1.semihosting-cwd] = "${DEPLOY_DIR_IMAGE}"
+ FVP_CONFIG[cluster0.cpu2.semihosting-cwd] = "${DEPLOY_DIR_IMAGE}"
+ FVP_CONFIG[cluster0.cpu3.semihosting-cwd] = "${DEPLOY_DIR_IMAGE}"
+ FVP_CONFIG[cluster1.cpu0.semihosting-cwd] = "${DEPLOY_DIR_IMAGE}"
+ FVP_CONFIG[cluster1.cpu1.semihosting-cwd] = "${DEPLOY_DIR_IMAGE}"
+ FVP_CONFIG[cluster1.cpu2.semihosting-cwd] = "${DEPLOY_DIR_IMAGE}"
+ FVP_CONFIG[cluster1.cpu3.semihosting-cwd] = "${DEPLOY_DIR_IMAGE}"
+ FVP_CONFIG[semihosting-enable] = "True"
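Review bot: Enabling semihosting on every core with `semihosting-cwd` pointed at `${DEPLOY_DIR_IMAGE}` gives the simulated target read and write access to that host directory, which the Trusted Services tests presumably rely on for their flash and SP images, but nothing in the file says so or warns that this is a CI-only debug facility. Suggest replacing the bare `# Enable and configure semihosting` with `# Semihosting lets the FVP guest read/write files under the host DEPLOY_DIR_IMAGE (needed by the TS test setup); CI-only, never carry into a shipping FVP config.` Minor style point: `TS_ENV="sp"` is the only assignment in this block without spaces around `=`; `TS_ENV = "sp"` matches the rest of the file.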
diff --git a/meta-arm/ci/fvp-base.yml b/meta-arm/ci/fvp-base.yml
index 7441ea42c0..bbc6c44db3 100644
--- a/meta-arm/ci/fvp-base.yml
+++ b/meta-arm/ci/fvp-base.yml
@@ -1,3 +1,5 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/siemens/kas/master/kas/schema-kas.json
+
header:
version: 14
includes:
@@ -5,3 +7,7 @@ header:
- ci/fvp.yml
machine: fvp-base
+
+target:
+ - core-image-sato
+ - boot-wrapper-aarch64
diff --git a/meta-arm/ci/fvp.yml b/meta-arm/ci/fvp.yml
index e9f3fa944c..2bf1cef024 100644
--- a/meta-arm/ci/fvp.yml
+++ b/meta-arm/ci/fvp.yml
@@ -1,3 +1,5 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/siemens/kas/master/kas/schema-kas.json
+
header:
version: 14
diff --git a/meta-arm/ci/fvps.yml b/meta-arm/ci/fvps.yml
index c6516148e6..8f1de17784 100644
--- a/meta-arm/ci/fvps.yml
+++ b/meta-arm/ci/fvps.yml
@@ -1,3 +1,5 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/siemens/kas/master/kas/schema-kas.json
+
# Simple target to build the FVPs that are publically available
header:
diff --git a/meta-arm/ci/gcc.yml b/meta-arm/ci/gcc.yml
index 260199ae13..1f368c24dc 100644
--- a/meta-arm/ci/gcc.yml
+++ b/meta-arm/ci/gcc.yml
@@ -1,3 +1,5 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/siemens/kas/master/kas/schema-kas.json
+
header:
version: 14
diff --git a/meta-arm/ci/generic-arm64.yml b/meta-arm/ci/generic-arm64.yml
deleted file mode 100644
index 5d944ef1ce..0000000000
--- a/meta-arm/ci/generic-arm64.yml
+++ /dev/null
@@ -1,6 +0,0 @@
-header:
- version: 14
- includes:
- - ci/base.yml
-
-machine: generic-arm64
diff --git a/meta-arm/ci/genericarm64.yml b/meta-arm/ci/genericarm64.yml
new file mode 100644
index 0000000000..320cfae71c
--- /dev/null
+++ b/meta-arm/ci/genericarm64.yml
@@ -0,0 +1,18 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/siemens/kas/master/kas/schema-kas.json
+
+header:
+ version: 14
+ includes:
+ - ci/base.yml
+
+repos:
+ poky:
+ layers:
+ meta-yocto-bsp:
+
+local_conf_header:
+ bootloader: |
+ # If running genericarm64 in a qemu we need to manually build the bootloader
+ EXTRA_IMAGEDEPENDS += "virtual/bootloader"
+
+machine: genericarm64
diff --git a/meta-arm/ci/glibc.yml b/meta-arm/ci/glibc.yml
index 3c9f9eb754..0bfe026163 100644
--- a/meta-arm/ci/glibc.yml
+++ b/meta-arm/ci/glibc.yml
@@ -1,3 +1,5 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/siemens/kas/master/kas/schema-kas.json
+
header:
version: 14
diff --git a/meta-arm/ci/juno.yml b/meta-arm/ci/juno.yml
index 552e325fd1..e812ec801d 100644
--- a/meta-arm/ci/juno.yml
+++ b/meta-arm/ci/juno.yml
@@ -1,3 +1,5 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/siemens/kas/master/kas/schema-kas.json
+
header:
version: 14
includes:
diff --git a/meta-arm/ci/linux-yocto-dev.yml b/meta-arm/ci/linux-yocto-dev.yml
index 5ee7afbbef..1b8d976838 100644
--- a/meta-arm/ci/linux-yocto-dev.yml
+++ b/meta-arm/ci/linux-yocto-dev.yml
@@ -1,3 +1,5 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/siemens/kas/master/kas/schema-kas.json
+
header:
version: 14
diff --git a/meta-arm/ci/linux-yocto-rt.yml b/meta-arm/ci/linux-yocto-rt.yml
index 65a276c184..9430cce5ff 100644
--- a/meta-arm/ci/linux-yocto-rt.yml
+++ b/meta-arm/ci/linux-yocto-rt.yml
@@ -1,3 +1,5 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/siemens/kas/master/kas/schema-kas.json
+
header:
version: 14
diff --git a/meta-arm/ci/linux-yocto.yml b/meta-arm/ci/linux-yocto.yml
index e9ccdcb28d..22d57f257d 100644
--- a/meta-arm/ci/linux-yocto.yml
+++ b/meta-arm/ci/linux-yocto.yml
@@ -1,3 +1,5 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/siemens/kas/master/kas/schema-kas.json
+
header:
version: 14
diff --git a/meta-arm/ci/meta-openembedded.yml b/meta-arm/ci/meta-openembedded.yml
index 743fdde57f..499216bfaa 100644
--- a/meta-arm/ci/meta-openembedded.yml
+++ b/meta-arm/ci/meta-openembedded.yml
@@ -1,3 +1,5 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/siemens/kas/master/kas/schema-kas.json
+
header:
version: 14
diff --git a/meta-arm/ci/meta-secure-core.yml b/meta-arm/ci/meta-secure-core.yml
index 2d9fc2c5e2..b34562b267 100644
--- a/meta-arm/ci/meta-secure-core.yml
+++ b/meta-arm/ci/meta-secure-core.yml
@@ -1,3 +1,5 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/siemens/kas/master/kas/schema-kas.json
+
header:
version: 14
diff --git a/meta-arm/ci/meta-virtualization.yml b/meta-arm/ci/meta-virtualization.yml
index f0f6280e8e..c0ba70ba8e 100644
--- a/meta-arm/ci/meta-virtualization.yml
+++ b/meta-arm/ci/meta-virtualization.yml
@@ -1,3 +1,5 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/siemens/kas/master/kas/schema-kas.json
+
header:
version: 14
includes:
diff --git a/meta-arm/ci/musca-b1.yml b/meta-arm/ci/musca-b1.yml
index db2adc9bc6..1437b8ab37 100644
--- a/meta-arm/ci/musca-b1.yml
+++ b/meta-arm/ci/musca-b1.yml
@@ -1,3 +1,5 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/siemens/kas/master/kas/schema-kas.json
+
header:
version: 14
includes:
diff --git a/meta-arm/ci/musca-s1.yml b/meta-arm/ci/musca-s1.yml
index 974badf437..a7fa680c42 100644
--- a/meta-arm/ci/musca-s1.yml
+++ b/meta-arm/ci/musca-s1.yml
@@ -1,3 +1,5 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/siemens/kas/master/kas/schema-kas.json
+
header:
version: 14
includes:
diff --git a/meta-arm/ci/musl.yml b/meta-arm/ci/musl.yml
index 641c47092d..e20a4af42c 100644
--- a/meta-arm/ci/musl.yml
+++ b/meta-arm/ci/musl.yml
@@ -1,3 +1,5 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/siemens/kas/master/kas/schema-kas.json
+
header:
version: 14
diff --git a/meta-arm/ci/n1sdp-optee.yml b/meta-arm/ci/n1sdp-optee.yml
index f2b50abf49..6de4abae5c 100644
--- a/meta-arm/ci/n1sdp-optee.yml
+++ b/meta-arm/ci/n1sdp-optee.yml
@@ -1,3 +1,5 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/siemens/kas/master/kas/schema-kas.json
+
header:
version: 14
diff --git a/meta-arm/ci/n1sdp-ts.yml b/meta-arm/ci/n1sdp-ts.yml
index 641d3766cb..b100e24065 100644
--- a/meta-arm/ci/n1sdp-ts.yml
+++ b/meta-arm/ci/n1sdp-ts.yml
@@ -1,3 +1,5 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/siemens/kas/master/kas/schema-kas.json
+
header:
version: 14
includes:
diff --git a/meta-arm/ci/n1sdp.yml b/meta-arm/ci/n1sdp.yml
index c1b654d444..2a85d00b6f 100644
--- a/meta-arm/ci/n1sdp.yml
+++ b/meta-arm/ci/n1sdp.yml
@@ -1,3 +1,5 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/siemens/kas/master/kas/schema-kas.json
+
header:
version: 14
includes:
diff --git a/meta-arm/ci/poky-tiny.yml b/meta-arm/ci/poky-tiny.yml
index f17630106e..41f9a39eb5 100644
--- a/meta-arm/ci/poky-tiny.yml
+++ b/meta-arm/ci/poky-tiny.yml
@@ -1,3 +1,5 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/siemens/kas/master/kas/schema-kas.json
+
header:
version: 14
diff --git a/meta-arm/ci/poky.yml b/meta-arm/ci/poky.yml
index d6887a9cb5..db139dfd77 100644
--- a/meta-arm/ci/poky.yml
+++ b/meta-arm/ci/poky.yml
@@ -1,3 +1,5 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/siemens/kas/master/kas/schema-kas.json
+
header:
version: 14
diff --git a/meta-arm/ci/qemu-generic-arm64.yml b/meta-arm/ci/qemu-generic-arm64.yml
deleted file mode 100644
index 43ae25639f..0000000000
--- a/meta-arm/ci/qemu-generic-arm64.yml
+++ /dev/null
@@ -1,14 +0,0 @@
-header:
- version: 14
- includes:
- - ci/generic-arm64.yml
-
-local_conf_header:
- failing_tests: |
- DEFAULT_TEST_SUITES:remove = "parselogs"
-
-machine: qemu-generic-arm64
-
-target:
- - core-image-sato
- - sbsa-acs
diff --git a/meta-arm/ci/qemuarm-secureboot.yml b/meta-arm/ci/qemuarm-secureboot.yml
index 97e99039dd..6d9f4eea30 100644
--- a/meta-arm/ci/qemuarm-secureboot.yml
+++ b/meta-arm/ci/qemuarm-secureboot.yml
@@ -1,3 +1,5 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/siemens/kas/master/kas/schema-kas.json
+
header:
version: 14
includes:
@@ -7,6 +9,8 @@ machine: qemuarm-secureboot
target:
- core-image-base
- - optee-examples
- - optee-test
- - optee-os-tadevkit
+
+local_conf_header:
+ optee: |
+ IMAGE_INSTALL:append = " optee-test optee-client optee-os-ta"
+ TEST_SUITES:append = " optee ftpm"
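Review bot: `TEST_SUITES:append = " optee ftpm"` enables an fTPM test suite, but the `IMAGE_INSTALL:append` line above it installs only `optee-test optee-client optee-os-ta`; unless the fTPM TA and the TPM tooling that suite needs arrive via the qemuarm-secureboot machine configuration (I cannot see that from here), the suite will fail or be skipped. A comment stating what provides them, e.g. `# fTPM TA and tpm2 tooling come from the qemuarm-secureboot machine config`, or adding them to `IMAGE_INSTALL` if nothing does, would make the dependency explicit. Note also that dropping `optee-examples` and `optee-os-tadevkit` from `target` removes those recipes from CI build coverage entirely; if that is intended, a one-line comment saying so would help.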
diff --git a/meta-arm/ci/qemuarm.yml b/meta-arm/ci/qemuarm.yml
index 18fef52e96..31192aee02 100644
--- a/meta-arm/ci/qemuarm.yml
+++ b/meta-arm/ci/qemuarm.yml
@@ -1,3 +1,5 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/siemens/kas/master/kas/schema-kas.json
+
header:
version: 14
includes:
diff --git a/meta-arm/ci/qemuarm64-secureboot-ts.yml b/meta-arm/ci/qemuarm64-secureboot-ts.yml
index e18ce1a9dc..adf1f2f840 100644
--- a/meta-arm/ci/qemuarm64-secureboot-ts.yml
+++ b/meta-arm/ci/qemuarm64-secureboot-ts.yml
@@ -1,3 +1,5 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/siemens/kas/master/kas/schema-kas.json
+
header:
version: 14
includes:
diff --git a/meta-arm/ci/qemuarm64-secureboot.yml b/meta-arm/ci/qemuarm64-secureboot.yml
index c4943cb6e4..b26941e0c4 100644
--- a/meta-arm/ci/qemuarm64-secureboot.yml
+++ b/meta-arm/ci/qemuarm64-secureboot.yml
@@ -1,3 +1,5 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/siemens/kas/master/kas/schema-kas.json
+
header:
version: 14
includes:
@@ -7,6 +9,8 @@ machine: qemuarm64-secureboot
target:
- core-image-base
- - optee-examples
- - optee-test
- - optee-os-tadevkit
+
+local_conf_header:
+ optee: |
+ IMAGE_INSTALL:append = " optee-test optee-client optee-os-ta"
+ TEST_SUITES:append = " optee ftpm"
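Review bot: The `ftpm` entry in `TEST_SUITES:append` is not backed by anything in this file: `IMAGE_INSTALL:append` pulls in `optee-test optee-client optee-os-ta` only, so the fTPM TA and TPM tools the suite presumably exercises must come from the machine configuration, which is not visible in the hunk. Record that with `# fTPM TA and tpm2 tooling are provided by the qemuarm64-secureboot machine config`, or add the missing packages here. Removing `optee-examples` and `optee-os-tadevkit` from `target` also drops them from CI build coverage; if deliberate, a short comment would prevent the question being re-asked.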
diff --git a/meta-arm/ci/qemuarm64.yml b/meta-arm/ci/qemuarm64.yml
index cd03e94281..9c696365c0 100644
--- a/meta-arm/ci/qemuarm64.yml
+++ b/meta-arm/ci/qemuarm64.yml
@@ -1,3 +1,5 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/siemens/kas/master/kas/schema-kas.json
+
header:
version: 14
includes:
diff --git a/meta-arm/ci/qemuarmv5.yml b/meta-arm/ci/qemuarmv5.yml
index c2ff6c8405..b0a8bbd2bb 100644
--- a/meta-arm/ci/qemuarmv5.yml
+++ b/meta-arm/ci/qemuarmv5.yml
@@ -1,3 +1,5 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/siemens/kas/master/kas/schema-kas.json
+
header:
version: 14
includes:
diff --git a/meta-arm/ci/sbsa-ref.yml b/meta-arm/ci/sbsa-ref.yml
new file mode 100644
index 0000000000..99e4ed716d
--- /dev/null
+++ b/meta-arm/ci/sbsa-ref.yml
@@ -0,0 +1,12 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/siemens/kas/master/kas/schema-kas.json
+
+header:
+ version: 14
+ includes:
+ - ci/base.yml
+
+machine: sbsa-ref
+
+target:
+ - core-image-sato
+ - sbsa-acs
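Review bot: The deleted `ci/qemu-generic-arm64.yml` carried `DEFAULT_TEST_SUITES:remove = "parselogs"` under a `failing_tests` header, and this replacement drops it without comment. If parselogs still fails on sbsa-ref, the first testimage run that includes this file will go red; if it now passes, a note saying so would save the next reader from wondering. Either reinstate the line or add `# parselogs now passes on sbsa-ref, so the old failing_tests removal is gone` above `machine:`.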
diff --git a/meta-arm/ci/selftest.yml b/meta-arm/ci/selftest.yml
index e519851c0f..e36d62c568 100644
--- a/meta-arm/ci/selftest.yml
+++ b/meta-arm/ci/selftest.yml
@@ -1,3 +1,5 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/siemens/kas/master/kas/schema-kas.json
+
header:
version: 14
diff --git a/meta-arm/ci/sgi575.yml b/meta-arm/ci/sgi575.yml
index faab716db2..e431382071 100644
--- a/meta-arm/ci/sgi575.yml
+++ b/meta-arm/ci/sgi575.yml
@@ -1,3 +1,5 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/siemens/kas/master/kas/schema-kas.json
+
header:
version: 14
includes:
diff --git a/meta-arm/ci/sstate-mirror.yml b/meta-arm/ci/sstate-mirror.yml
new file mode 100644
index 0000000000..4bcbd760c5
--- /dev/null
+++ b/meta-arm/ci/sstate-mirror.yml
@@ -0,0 +1,11 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/siemens/kas/master/kas/schema-kas.json
+
+header:
+ version: 14
+
+local_conf_header:
+ sstate_mirror: |
+ BB_HASHSERVE_UPSTREAM = "wss://hashserv.yoctoproject.org/ws"
+ SSTATE_MIRRORS = "file://.* http://cdn.jsdelivr.net/yocto/sstate/all/PATH;downloadfilename=PATH"
+ BB_HASHSERVE = "auto"
+ BB_SIGNATURE_HANDLER = "OEEquivHash"
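Review bot: `SSTATE_MIRRORS` points at `http://cdn.jsdelivr.net/...` in plaintext, so prebuilt task outputs that are unpacked straight into the build are fetched over a connection anyone on the path can alter. As far as I know bitbake matches sstate archives by name and task hash and does not verify their contents against an independent digest unless sstate signing is configured, so the transport is the only integrity control here. The adjacent hash-server line already uses `wss://`; use `SSTATE_MIRRORS = "file://.* https://cdn.jsdelivr.net/yocto/sstate/all/PATH;downloadfilename=PATH"` for the same reason.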
diff --git a/meta-arm/ci/testimage.yml b/meta-arm/ci/testimage.yml
index a0e90250b2..a9b13d9a78 100644
--- a/meta-arm/ci/testimage.yml
+++ b/meta-arm/ci/testimage.yml
@@ -1,3 +1,5 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/siemens/kas/master/kas/schema-kas.json
+
header:
version: 14
includes:
@@ -12,7 +14,7 @@ local_conf_header:
slirp: |
TEST_RUNQEMUPARAMS = "slirp"
sshd: |
- IMAGE_FEATURES:append = " ssh-server-dropbear"
+ IMAGE_FEATURES += "ssh-server-dropbear"
sshkeys: |
CORE_IMAGE_EXTRA_INSTALL += "ssh-pregen-hostkeys"
universally_failing_tests: |
diff --git a/meta-arm/ci/tftf.yml b/meta-arm/ci/tftf.yml
index 33a8a4f5f6..af1c486471 100644
--- a/meta-arm/ci/tftf.yml
+++ b/meta-arm/ci/tftf.yml
@@ -1,3 +1,5 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/siemens/kas/master/kas/schema-kas.json
+
header:
version: 14
diff --git a/meta-arm/ci/toolchains.yml b/meta-arm/ci/toolchains.yml
index 056269b2bd..c323fbe71d 100644
--- a/meta-arm/ci/toolchains.yml
+++ b/meta-arm/ci/toolchains.yml
@@ -1,3 +1,5 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/siemens/kas/master/kas/schema-kas.json
+
header:
version: 14
includes:
diff --git a/meta-arm/ci/u-boot.yml b/meta-arm/ci/u-boot.yml
index c693b8b0ad..be59543be7 100644
--- a/meta-arm/ci/u-boot.yml
+++ b/meta-arm/ci/u-boot.yml
@@ -1,3 +1,5 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/siemens/kas/master/kas/schema-kas.json
+
header:
version: 14
diff --git a/meta-arm/ci/xen.yml b/meta-arm/ci/xen.yml
index f4a8f9a453..d855369a65 100644
--- a/meta-arm/ci/xen.yml
+++ b/meta-arm/ci/xen.yml
@@ -1,3 +1,5 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/siemens/kas/master/kas/schema-kas.json
+
header:
version: 14
includes:
diff --git a/meta-arm/documentation/trusted-services.md b/meta-arm/documentation/trusted-services.md
index 70826f681e..c37b10bf3c 100644
--- a/meta-arm/documentation/trusted-services.md
+++ b/meta-arm/documentation/trusted-services.md
@@ -18,17 +18,18 @@ features for each [Secure Partition][^2] you would like to include:
| ----------------- | --------------- |
| Attestation | ts-attesation |
| Crypto | ts-crypto |
+| Firmware Update | ts-fwu
| Internal Storage | ts-its |
| Protected Storage | ts-storage |
| se-proxy | ts-se-proxy |
| smm-gateway | ts-smm-gateway |
-| spm-test[1-3] | optee-spmc-test |
+| spm-test[1-4] | optee-spmc-test |
Other steps depend on your machine/platform definition:
1. For communications between Secure and Normal Words Linux kernel option `CONFIG_ARM_FFA_TRANSPORT=y`
is required. If your platform doesn't include it already you can add `arm-ffa` into MACHINE_FEATURES.
- (Please see ` meta-arm/recipes-kernel/arm-ffa-tee`.)
+ (Please see ` meta-arm/recipes-kernel/arm-tstee`.)
For running the `uefi-test` or the `xtest -t ffa_spmc` tests under Linux the `arm-ffa-user` drivel is required. This is
enabled if the `ts-smm-gateway` and/or the `optee-spmc-test` machine features are enabled.
@@ -44,9 +45,13 @@ Other steps depend on your machine/platform definition:
and in `meta-arm-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a-n1sdp.inc` and
`meta-arm-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a-corstone1000.inc` for N1SDP and Corstone1000 platforms.
+4. Trusted Services supports an SPMC agonistic binary format. To build SPs to this format the `TS_ENV` variable is to be
+ set to `sp`. The resulting SP binaries should be able to boot under any FF-A v1.1 compliant SPMC implementation.
+
+
## Normal World applications
-Optionally for testing purposes you can add `packagegroup-ts-tests` into your image. It includes
+Optionally for testing purposes you can add `packagegroup-ts-tests` into your image. It includes
[Trusted Services test and demo tools][^3] and [xtest][^4] configured to include the `ffa_spmc` tests.
## OEQA Trusted Services tests
@@ -62,4 +67,4 @@ See `ci/trusted-services.yml` for an example how to include them into an image.
[^3]: https://trusted-services.readthedocs.io/en/integration/deployments/test-executables.html
-[^4]: https://optee.readthedocs.io/en/latest/building/gits/optee_test.html \ No newline at end of file
+[^4]: https://optee.readthedocs.io/en/latest/building/gits/optee_test.html
diff --git a/meta-arm/kas/arm-systemready-linux-distros-fedora.yml b/meta-arm/kas/arm-systemready-linux-distros-fedora.yml
new file mode 100644
index 0000000000..b2b23d7853
--- /dev/null
+++ b/meta-arm/kas/arm-systemready-linux-distros-fedora.yml
@@ -0,0 +1,7 @@
+header:
+ version: 16
+ includes:
+ - kas/arm-systemready-firmware.yml
+
+target:
+ - arm-systemready-linux-distros-fedora
diff --git a/meta-arm/kas/corstone1000-base.yml b/meta-arm/kas/corstone1000-base.yml
index a8b986030b..33f64f11f2 100644
--- a/meta-arm/kas/corstone1000-base.yml
+++ b/meta-arm/kas/corstone1000-base.yml
@@ -5,7 +5,7 @@ distro: poky
defaults:
repos:
- branch: master
+ branch: scarthgap
repos:
meta-arm:
@@ -16,14 +16,14 @@ repos:
poky:
url: https://git.yoctoproject.org/git/poky
- # commit: 2e9c2a2381105f1306bcbcb54816cbc5d8110eff
+ commit: c5df9c829a549ca002c36afd6bdf23639831502e
layers:
meta:
meta-poky:
meta-openembedded:
url: https://git.openembedded.org/meta-openembedded
- # commit: 1750c66ae8e4268c472c0b2b94748a59d6ef866d
+ commit: 6de0ab744341ad61b0661aa28d78dc6767ce0786
layers:
meta-oe:
meta-python:
@@ -31,7 +31,7 @@ repos:
meta-secure-core:
url: https://github.com/wind-river/meta-secure-core.git
- # commit: e29165a1031dcf601edbed1733cedd64826672a5
+ commit: 13cb4867fb1245581c80da3b94b72c4b4f15d67e
layers:
meta-secure-core-common:
meta-signing-key:
diff --git a/meta-arm/kas/corstone1000-firmware-only.yml b/meta-arm/kas/corstone1000-firmware-only.yml
index f16403676c..6192a40872 100644
--- a/meta-arm/kas/corstone1000-firmware-only.yml
+++ b/meta-arm/kas/corstone1000-firmware-only.yml
@@ -4,6 +4,8 @@ header:
local_conf_header:
firmwarebuild: |
+ BBMULTICONFIG:remove = "firmware"
+
# Need to ensure the rescue linux options are selected
OVERRIDES .= ":firmware"
diff --git a/meta-arm/kas/corstone1000-fvp.yml b/meta-arm/kas/corstone1000-fvp.yml
index 0d6d5feeed..527fd1d804 100644
--- a/meta-arm/kas/corstone1000-fvp.yml
+++ b/meta-arm/kas/corstone1000-fvp.yml
@@ -13,7 +13,6 @@ env:
local_conf_header:
testimagefvp: |
- LICENSE_FLAGS_ACCEPTED += "Arm-FVP-EULA"
IMAGE_CLASSES += "fvpboot"
mass-storage: |
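Review bot: Removing `LICENSE_FLAGS_ACCEPTED += "Arm-FVP-EULA"` means the FVP EULA acceptance now has to come from somewhere else (a machine conf, class or included kas file), otherwise the FVP native recipe will refuse to fetch; nothing in this hunk says where it moved. A one-line comment under `testimagefvp`, e.g. `# Arm-FVP-EULA acceptance is handled in <file>`, would make that dependency visible to whoever next copies this config.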
diff --git a/meta-arm/kas/corstone1000-image-configuration.yml b/meta-arm/kas/corstone1000-image-configuration.yml
index 2b2852230b..4c3172a5a9 100644
--- a/meta-arm/kas/corstone1000-image-configuration.yml
+++ b/meta-arm/kas/corstone1000-image-configuration.yml
@@ -15,8 +15,8 @@ local_conf_header:
initramfsetup: |
# Telling the build system which image is responsible of the generation of the initramfs rootfs
INITRAMFS_IMAGE_BUNDLE:firmware = "1"
- INITRAMFS_IMAGE:firmware ?= "core-image-minimal"
- IMAGE_FSTYPES:firmware:pn-core-image-minimal = "${INITRAMFS_FSTYPES}"
+ INITRAMFS_IMAGE:firmware ?= "corstone1000-recovery-image"
+ IMAGE_FSTYPES:firmware:pn-corstone1000-recovery-image = "${INITRAMFS_FSTYPES}"
IMAGE_NAME_SUFFIX:firmware = ""
# enable mdev/busybox for init
@@ -38,3 +38,12 @@ local_conf_header:
# TS PSA API tests commands for crypto, its, ps and iat
CORE_IMAGE_EXTRA_INSTALL += "packagegroup-ts-tests-psa"
+ CORE_IMAGE_EXTRA_INSTALL:firmware += "packagegroup-ts-tests-psa"
+
+ # external system firmware
+ CORE_IMAGE_EXTRA_INSTALL:firmware += "external-system-elf"
+
+ capsule: |
+ CAPSULE_EXTENSION = "uefi.capsule"
+ CAPSULE_FW_VERSION = "6"
+ CAPSULE_NAME = "${MACHINE}-v${CAPSULE_FW_VERSION}"
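Review bot: `CAPSULE_FW_VERSION = "6"` is a bare number with no note on what it is compared against or when it must change. If this is the FWU image version that the firmware's anti-rollback check reads from the capsule (which is how it reads, but I cannot confirm from this hunk), a stale value gets the capsule rejected while reusing an old number could allow a downgrade. A comment such as `# FWU image version carried in the capsule; must increase on every firmware release so the anti-rollback check accepts it` would capture the contract.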
diff --git a/meta-arm/meta-arm-bsp/conf/layer.conf b/meta-arm/meta-arm-bsp/conf/layer.conf
index 9013d11f8a..1a45840083 100644
--- a/meta-arm/meta-arm-bsp/conf/layer.conf
+++ b/meta-arm/meta-arm-bsp/conf/layer.conf
@@ -26,3 +26,5 @@ BBFILES_DYNAMIC += " \
"
WARN_QA:append:layer-meta-arm-bsp = " patch-status"
+
+addpylib ${LAYERDIR}/lib oeqa
diff --git a/meta-arm/meta-arm-bsp/conf/machine/corstone1000-fvp.conf b/meta-arm/meta-arm-bsp/conf/machine/corstone1000-fvp.conf
index b15c0faaa7..2c724bfeb2 100644
--- a/meta-arm/meta-arm-bsp/conf/machine/corstone1000-fvp.conf
+++ b/meta-arm/meta-arm-bsp/conf/machine/corstone1000-fvp.conf
@@ -14,7 +14,10 @@ TEST_SUITES = "fvp_boot"
# FVP Config
FVP_PROVIDER ?= "fvp-corstone1000-native"
FVP_EXE ?= "FVP_Corstone-1000"
-FVP_CONSOLE ?= "host_terminal_0"
+FVP_CONSOLES[default] = "host_terminal_0"
+FVP_CONSOLES[tf-a] = "host_terminal_1"
+FVP_CONSOLES[se] = "secenc_terminal"
+FVP_CONSOLES[extsys] = "extsys_terminal"
#Disable Time Annotation
FASTSIM_DISABLE_TA = "0"
@@ -49,7 +52,7 @@ FVP_TERMINALS[extsys0.extsys_terminal] ?= "Cortex M3"
# MMC card configuration
FVP_CONFIG[board.msd_mmc.card_type] ?= "SDHC"
FVP_CONFIG[board.msd_mmc.p_fast_access] ?= "0"
-FVP_CONFIG[board.msd_mmc.diagnostics] ?= "2"
+FVP_CONFIG[board.msd_mmc.diagnostics] ?= "0"
FVP_CONFIG[board.msd_mmc.p_max_block_count] ?= "0xFFFF"
FVP_CONFIG[board.msd_config.pl180_fifo_depth] ?= "16"
FVP_CONFIG[board.msd_mmc.support_unpadded_images] ?= "true"
@@ -58,10 +61,11 @@ FVP_CONFIG[board.msd_mmc.p_mmc_file] ?= "${IMAGE_NAME}.wic"
# MMC2 card configuration
FVP_CONFIG[board.msd_mmc_2.card_type] ?= "SDHC"
FVP_CONFIG[board.msd_mmc_2.p_fast_access] ?= "0"
-FVP_CONFIG[board.msd_mmc_2.diagnostics] ?= "2"
+FVP_CONFIG[board.msd_mmc_2.diagnostics] ?= "0"
FVP_CONFIG[board.msd_mmc_2.p_max_block_count] ?= "0xFFFF"
FVP_CONFIG[board.msd_config_2.pl180_fifo_depth] ?= "16"
FVP_CONFIG[board.msd_mmc_2.support_unpadded_images] ?= "true"
+FVP_CONFIG[board.msd_mmc_2.p_mmc_file] ?= "corstone1000-esp-image-${MACHINE}.wic"
# Virtio-Net configuration
FVP_CONFIG[board.virtio_net.enabled] ?= "1"
diff --git a/meta-arm/meta-arm-bsp/conf/machine/fvp-base.conf b/meta-arm/meta-arm-bsp/conf/machine/fvp-base.conf
index 39ef38be56..17fb5023cc 100644
--- a/meta-arm/meta-arm-bsp/conf/machine/fvp-base.conf
+++ b/meta-arm/meta-arm-bsp/conf/machine/fvp-base.conf
@@ -47,6 +47,10 @@ FVP_CONFIG[bp.virtio_net.hostbridge.userNetworking] ?= "1"
FVP_CONFIG[bp.virtio_net.hostbridge.userNetPorts] = "2222=22"
FVP_CONFIG[bp.virtio_rng.enabled] ?= "1"
FVP_CONFIG[cache_state_modelled] ?= "0"
+FVP_CONFIG[cluster0.check_memory_attributes] ?= "0"
+FVP_CONFIG[cluster1.check_memory_attributes] ?= "0"
+FVP_CONFIG[cluster0.stage12_tlb_size] ?= "1024"
+FVP_CONFIG[cluster1.stage12_tlb_size] ?= "1024"
FVP_CONFIG[bp.secureflashloader.fname] ?= "bl1-fvp.bin"
FVP_CONFIG[bp.flashloader0.fname] ?= "fip-fvp.bin"
FVP_CONFIG[bp.virtioblockdevice.image_path] ?= "${IMAGE_NAME}.wic"
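Review bot: `cluster0.check_memory_attributes` and `cluster1.check_memory_attributes` are set to `0` with no comment; judging by the name this disables the model's checks for mismatched memory-attribute mappings, exactly the class of bug that matters when secure and non-secure worlds share memory. The neighbouring `stage12_tlb_size` lines look like a simulation-speed tweak, so presumably this is too, but the reason should be recorded: `# Disable memory-attribute mismatch checks and enlarge the TLB model for simulation speed; re-enable when debugging mapping issues` (confirm that speed is in fact the motivation).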
@@ -58,3 +62,4 @@ FVP_TERMINALS[bp.terminal_0] ?= "Console"
FVP_TERMINALS[bp.terminal_1] ?= ""
FVP_TERMINALS[bp.terminal_2] ?= ""
FVP_TERMINALS[bp.terminal_3] ?= ""
+FVP_CONFIG[bp.secure_memory] ?= "1" \ No newline at end of file
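Review bot: `FVP_CONFIG[bp.secure_memory] ?= "1"` is appended as the last line without a trailing newline and sits under the `FVP_TERMINALS` group rather than with the other `bp.*` `FVP_CONFIG` entries a few lines up. Move it next to those, end the file with a newline, and say what it does, e.g. `# Enforce the secure/non-secure memory split in the model` — I am inferring the meaning from the parameter name, so confirm against the FVP documentation before committing the wording.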
diff --git a/meta-arm/meta-arm-bsp/conf/machine/include/corstone1000.inc b/meta-arm/meta-arm-bsp/conf/machine/include/corstone1000.inc
index 7a8905d7ee..c78cc061bc 100644
--- a/meta-arm/meta-arm-bsp/conf/machine/include/corstone1000.inc
+++ b/meta-arm/meta-arm-bsp/conf/machine/include/corstone1000.inc
@@ -55,6 +55,11 @@ WKS_FILE:firmware ?= "corstone1000-flash-firmware.wks.in"
WKS_FILE_DEPENDS:append = " ${EXTRA_IMAGEDEPENDS}"
# If not building under the firmware multiconf we need to build the actual firmware
-FIRMWARE_DEPLOYEMENT ?= "firmware-deploy-image"
-FIRMWARE_DEPLOYEMENT:firmware ?= ""
-EXTRA_IMAGEDEPENDS += "${FIRMWARE_DEPLOYEMENT}"
+FIRMWARE_DEPLOYMENT ?= "firmware-deploy-image"
+FIRMWARE_DEPLOYMENT:firmware ?= ""
+EXTRA_IMAGEDEPENDS += "${FIRMWARE_DEPLOYMENT}"
+
+ARM_SYSTEMREADY_FIRMWARE = "${FIRMWARE_DEPLOYMENT}:do_deploy \
+ corstone1000-esp-image:do_image_complete \
+ "
+ARM_SYSTEMREADY_ACS_CONSOLE ?= "default"
diff --git a/meta-arm/meta-arm/conf/machine/qemu-generic-arm64.conf b/meta-arm/meta-arm-bsp/conf/machine/sbsa-ref.conf
index 6925854fce..ccfc45a8e2 100644
--- a/meta-arm/meta-arm/conf/machine/qemu-generic-arm64.conf
+++ b/meta-arm/meta-arm-bsp/conf/machine/sbsa-ref.conf
@@ -1,14 +1,17 @@
#@TYPE: Machine
-#@NAME: qemu-generic-arm64
-#@DESCRIPTION: Generic Arm64 machine for typical SystemReady platforms, which
-#have working firmware and boot via EFI.
+#@NAME: sbsa-ref
+#@DESCRIPTION: Reference SBSA machine in qemu-system-aarch64 on Neoverse N2
-MACHINEOVERRIDES =. "generic-arm64:"
-
-require conf/machine/generic-arm64.conf
+require conf/machine/include/arm/armv9a/tune-neoversen2.inc
require conf/machine/include/qemu.inc
-EXTRA_IMAGEDEPENDS += "edk2-firmware"
+PREFERRED_PROVIDER_virtual/kernel ?= "linux-yocto"
+KERNEL_IMAGETYPE = "Image"
+MACHINE_EXTRA_RRECOMMENDS += "kernel-modules"
+
+MACHINE_FEATURES = " alsa bluetooth efi qemu-usermode rtc screen usbhost vfat wifi"
+
+IMAGE_FSTYPES += "wic.qcow2"
# This unique WIC file is necessary because kernel boot args cannot be passed
# because there is no default kernel (see below). There is no default kernel
@@ -17,17 +20,23 @@ EXTRA_IMAGEDEPENDS += "edk2-firmware"
# boot arg (which we need for testimage), we have to have a WIC file unique to
# this platform.
WKS_FILE = "qemu-efi-disk.wks.in"
-IMAGE_FSTYPES += "wic.qcow2"
+
+EFI_PROVIDER ?= "${@bb.utils.contains("DISTRO_FEATURES", "systemd", "systemd-boot", "grub-efi", d)}"
+
+SERIAL_CONSOLES ?= "115200;ttyAMA0 115200;hvc0"
+
+EXTRA_IMAGEDEPENDS += "edk2-firmware"
QB_SYSTEM_NAME = "qemu-system-aarch64"
QB_MACHINE = "-machine sbsa-ref"
+QB_CPU = "-cpu neoverse-n2"
QB_MEM = "-m 1024"
QB_DEFAULT_FSTYPE = "wic.qcow2"
QB_NETWORK_DEVICE = "-device virtio-net-pci,netdev=net0,mac=@MAC@"
QB_DRIVE_TYPE = "/dev/hd"
QB_ROOTFS_OPT = "-drive file=@ROOTFS@,if=ide,format=qcow2"
QB_DEFAULT_KERNEL = "none"
-QB_OPT_APPEND = "-device qemu-xhci -device usb-tablet -device usb-kbd -pflash @DEPLOY_DIR_IMAGE@/SBSA_FLASH0.fd -pflash @DEPLOY_DIR_IMAGE@/SBSA_FLASH1.fd"
+QB_OPT_APPEND = "-device usb-tablet -device usb-kbd -pflash @DEPLOY_DIR_IMAGE@/SBSA_FLASH0.fd -pflash @DEPLOY_DIR_IMAGE@/SBSA_FLASH1.fd"
QB_SERIAL_OPT = "-device virtio-serial-pci -chardev null,id=virtcon -device virtconsole,chardev=virtcon"
QB_TCPSERIAL_OPT = "-device virtio-serial-pci -chardev socket,id=virtcon,port=@PORT@,host=127.0.0.1 -device virtconsole,chardev=virtcon"
# sbsa-ref is a true virtual machine so can't use KVM
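Review bot: `QB_OPT_APPEND` drops `-device qemu-xhci` but keeps `usb-tablet` and `usb-kbd`, which need a USB host controller to attach to; presumably the `sbsa-ref` machine model now provides one on-board, but nothing here says so. A comment such as `# sbsa-ref provides an on-board USB controller, so no separate xhci device is added` (ideally with the minimum QEMU version this relies on) would stop someone re-adding it. The rest of the machine definition continues outside the hunk.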
diff --git a/meta-arm/meta-arm-bsp/conf/machine/sgi575.conf b/meta-arm/meta-arm-bsp/conf/machine/sgi575.conf
index 7f2a285ac0..3c2c94b6dc 100644
--- a/meta-arm/meta-arm-bsp/conf/machine/sgi575.conf
+++ b/meta-arm/meta-arm-bsp/conf/machine/sgi575.conf
@@ -9,7 +9,6 @@ require conf/machine/include/arm/armv8-2a/tune-cortexa75.inc
EXTRA_IMAGEDEPENDS += "virtual/control-processor-firmware"
EXTRA_IMAGEDEPENDS += "trusted-firmware-a"
-PREFERRED_VERSION_trusted-firmware-a ?= "2.9.%"
KERNEL_IMAGETYPE ?= "Image"
PREFERRED_PROVIDER_virtual/kernel ?= "linux-yocto"
diff --git a/meta-arm/meta-arm-bsp/documentation/corstone1000/change-log.rst b/meta-arm/meta-arm-bsp/documentation/corstone1000/change-log.rst
index 173823b6c2..f22a99c2c0 100644
--- a/meta-arm/meta-arm-bsp/documentation/corstone1000/change-log.rst
+++ b/meta-arm/meta-arm-bsp/documentation/corstone1000/change-log.rst
@@ -1,5 +1,5 @@
..
- # Copyright (c) 2022-2023, Arm Limited.
+ # Copyright (c) 2022-2024, Arm Limited.
#
# SPDX-License-Identifier: MIT
@@ -10,6 +10,78 @@ Change Log
This document contains a summary of the new features, changes and
fixes in each release of Corstone-1000 software stack.
+
+***************
+Version 2024.06
+***************
+
+Changes
+=======
+
+- Re-enabling support for the External System using linux remoteproc (only supporting switching on and off the External System)
+- UEFI Secure Boot and Authenticated Variable support
+- RSE Comms replaces OpenAMP
+- The EFI System partition image is now created by the meta-arm build system.
+ This image is mounted on the second MMC card by default in the FVP.
+- The capsule generation script is now part of the meta-arm build system.
+ Corstone1000-flash-firmware-image recipe generates a capsule binary using the U-Boot capsule generation tool that includes
+ all the firmware binaries and recovery kernel image.
+- SW components upgrades
+- Bug fixes
+
+
+Corstone-1000 components versions
+=================================
+
++-------------------------------------------+-----------------------------------------------------+
+| arm-tstee | 2.0.0 |
++-------------------------------------------+-----------------------------------------------------+
+| linux-yocto | 6.6.23 |
++-------------------------------------------+-----------------------------------------------------+
+| u-boot | 2023.07.02 |
++-------------------------------------------+-----------------------------------------------------+
+| external-system | 0.1.0 |
++-------------------------------------------+-----------------------------------------------------+
+| optee-client | 4.1.0 |
++-------------------------------------------+-----------------------------------------------------+
+| optee-os | 4.1.0 |
++-------------------------------------------+-----------------------------------------------------+
+| trusted-firmware-a | 2.10.4 |
++-------------------------------------------+-----------------------------------------------------+
+| trusted-firmware-m | 2.0.0 |
++-------------------------------------------+-----------------------------------------------------+
+| libts | 602be60719 |
++-------------------------------------------+-----------------------------------------------------+
+| ts-newlib | 4.1.0 |
++-------------------------------------------+-----------------------------------------------------+
+| ts-psa-{crypto, iat, its. ps}-api-test | 602be60719 |
++-------------------------------------------+-----------------------------------------------------+
+| ts-sp-{se-proxy, smm-gateway} | 602be60719 |
++-------------------------------------------+-----------------------------------------------------+
+
+Yocto distribution components versions
+======================================
+
++-------------------------------------------+------------------------------+
+| meta-arm | scarthgap |
++-------------------------------------------+------------------------------+
+| poky | scarthgap |
++-------------------------------------------+------------------------------+
+| meta-openembedded | scarthgap |
++-------------------------------------------+------------------------------+
+| meta-secure-core | scarthgap |
++-------------------------------------------+------------------------------+
+| busybox | 1.36.1 |
++-------------------------------------------+------------------------------+
+| musl | 1.2.4 |
++-------------------------------------------+------------------------------+
+| gcc-arm-none-eabi | 13.2.Rel1 |
++-------------------------------------------+------------------------------+
+| gcc-cross-aarch64 | 13.2.0 |
++-------------------------------------------+------------------------------+
+| openssl | 3.2.1 |
++-------------------------------------------+------------------------------+
+
***************
Version 2023.11
***************
@@ -298,4 +370,4 @@ Changes
--------------
-*Copyright (c) 2022-2023, Arm Limited. All rights reserved.*
+*Copyright (c) 2022-2024, Arm Limited. All rights reserved.*
diff --git a/meta-arm/meta-arm-bsp/documentation/corstone1000/images/SecureBootChain.png b/meta-arm/meta-arm-bsp/documentation/corstone1000/images/SecureBootChain.png
index 88bb1259f6..5ed2a28516 100644
--- a/meta-arm/meta-arm-bsp/documentation/corstone1000/images/SecureBootChain.png
+++ b/meta-arm/meta-arm-bsp/documentation/corstone1000/images/SecureBootChain.png
Binary files differ
diff --git a/meta-arm/meta-arm-bsp/documentation/corstone1000/images/SecureServices.png b/meta-arm/meta-arm-bsp/documentation/corstone1000/images/SecureServices.png
index 1e37d803b7..ff7a2703ed 100644
--- a/meta-arm/meta-arm-bsp/documentation/corstone1000/images/SecureServices.png
+++ b/meta-arm/meta-arm-bsp/documentation/corstone1000/images/SecureServices.png
Binary files differ
diff --git a/meta-arm/meta-arm-bsp/documentation/corstone1000/release-notes.rst b/meta-arm/meta-arm-bsp/documentation/corstone1000/release-notes.rst
index 501a153ed7..0cad02666e 100644
--- a/meta-arm/meta-arm-bsp/documentation/corstone1000/release-notes.rst
+++ b/meta-arm/meta-arm-bsp/documentation/corstone1000/release-notes.rst
@@ -1,5 +1,5 @@
..
- # Copyright (c) 2022-2023, Arm Limited.
+ # Copyright (c) 2022-2024, Arm Limited.
#
# SPDX-License-Identifier: MIT
@@ -20,6 +20,25 @@ prove defective, you assume the entire cost of all necessary servicing, repair
or correction.
***********************
+Release notes - 2024.06
+***********************
+
+Known Issues or Limitations
+---------------------------
+
+ - Use Ethernet over VirtIO due to lan91c111 Ethernet driver support dropped from U-Boot.
+ - Due to the performance uplimit of MPS3 FPGA and FVP, some Linux distros like Fedora Rawhide can not boot on Corstone-1000 (i.e. user may experience timeouts or boot hang).
+ - Corstone-1000 SoC on FVP doesn't have a secure debug peripheral. It does on the MPS3.
+ - See previous release notes for the known limitations regarding ACS tests.
+
+Platform Support
+-----------------
+ - This software release is tested on Corstone-1000 FPGA version AN550_v2
+ https://developer.arm.com/downloads/-/download-fpga-images
+ - This software release is tested on Corstone-1000 Fast Model platform (FVP) version 11.23_25
+ https://developer.arm.com/tools-and-software/open-source-software/arm-platforms-software/arm-ecosystem-fvps
+
+***********************
Release notes - 2023.11
***********************
@@ -213,7 +232,7 @@ Support
-------
For technical support email: support-subsystem-iot@arm.com
-For all security issues, contact Arm by email at arm-security@arm.com.
+For all security issues, contact Arm by email at psirt@arm.com.
--------------
diff --git a/meta-arm/meta-arm-bsp/documentation/corstone1000/software-architecture.rst b/meta-arm/meta-arm-bsp/documentation/corstone1000/software-architecture.rst
index 6bc8aceab8..42278e387b 100644
--- a/meta-arm/meta-arm-bsp/documentation/corstone1000/software-architecture.rst
+++ b/meta-arm/meta-arm-bsp/documentation/corstone1000/software-architecture.rst
@@ -1,5 +1,5 @@
..
- # Copyright (c) 2022-2023, Arm Limited.
+ # Copyright (c) 2022-2024, Arm Limited.
#
# SPDX-License-Identifier: MIT
@@ -52,8 +52,8 @@ secure flash. Software running on the Secure Enclave is isolated via
hardware for enhanced security. Communication with the Secure Encalve
is achieved using Message Handling Units (MHUs) and shared memory.
On system power on, the Secure Enclave boots first. Its software
-comprises of a ROM code (TF-M BL1), Mcuboot BL2, and
-TrustedFirmware-M(`TF-M`_) as runtime software. The software design on
+comprises of a ROM code (TF-M BL1), MCUboot BL2, and
+TrustedFirmware-M(`TF-M`_) as runtime software. The software design on
Secure Enclave follows Firmware Framework for M class
processor (`FF-M`_) specification.
@@ -61,7 +61,7 @@ The Host System is based on ARM Cotex-A35 processor with standardized
peripherals to allow for the booting of a Linux OS. The Cortex-A35 has
the TrustZone technology that allows secure and non-secure security
states in the processor. The software design in the Host System follows
-Firmware Framework for A class procseeor (`FF-A`_) specification.
+Firmware Framework for A class processor (`FF-A`_) specification.
The boot process follows Trusted Boot Base Requirement (`TBBR`_).
The Host Subsystem is taken out of reset by the Secure Enclave system
during its final stages of the initialization. The Host subsystem runs
@@ -70,12 +70,12 @@ FF-A Secure Partitions(based on `Trusted Services`_) and OPTEE-OS
linux (`linux repo`_) in the non-secure world. The communication between
non-secure and the secure world is performed via FF-A messages.
-An external system is intended to implement use-case specific
-functionality. The system is based on Cortex-M3 and run RTX RTOS.
-Communication between the external system and Host (Cortex-A35) is performed
-using MHU as transport mechanism and rpmsg messaging system (the external system
-support in Linux is disabled in this release. More info about this change can be found in the
-release-notes).
+An external system is intended to implement use-case specific functionality.
+The system is based on Cortex-M3 and run RTX RTOS. Communication between the
+external system and Host (Cortex-A35) can be performed using MHU as transport
+mechanism. The current software release supports switching on and off the
+external system. Support for OpenAMP-based communication is under
+development.
Overall, the Corstone-1000 architecture is designed to cover a range
of Power, Performance, and Area (PPA) applications, and enable extension
@@ -93,30 +93,64 @@ and loads the following software in the chain. For the boot chain
process to work, the start of the chain should be trusted, forming the
Root of Trust (RoT) of the device. The RoT of the device is immutable in
nature and encoded into the device by the device owner before it
-is deployed into the field. In Corstone-1000, the BL1 image of the secure
-enclave and content of the CC312 OTP (One Time Programmable) memory
-forms the RoT. The BL1 image exists in ROM (Read Only Memory).
+is deployed into the field. In Corstone-1000, the content of the ROM
+and CC312 OTP (One Time Programmable) memory forms the RoT.
+
+Verification of an image can happen either by comparing the computed and
+stored hashes, or by checking the signature of the image if the image
+is signed.
.. image:: images/SecureBootChain.png
:width: 870
:alt: SecureBootChain
It is a lengthy chain to boot the software on Corstone-1000. On power on,
-the secure enclave starts executing BL1 code from the ROM which is the RoT
-of the device. Authentication of an image involves the steps listed below:
-
-- Load image from flash to dynamic RAM.
+the Secure Enclave starts executing BL1_1 code from the ROM which is the RoT
+of the device. The BL1_1 is the immutable bootloader of the system, it handles
+the provisioning on the first boot, hardware initialization and verification
+of the next stage.
+
+The BL1_2 code, hashes and keys are written into the OTP during the provisioning.
+The next bootstage is the BL1_2 which is copied from the OTP into the RAM. The
+BL1_1 also compares the BL1_2 hash with the hash saved to the OTP. The BL1_2
+verifies and transfers control to the next bootstage which is the BL2. During the
+verification, the BL1_2 compares the BL2 image's computed hash with the BL2 hash in
+the OTP. The BL2 is MCUBoot in the system. BL2 can provision additional keys on the
+first boot and it authenticates the initial bootloader of the host (Host TF-A BL2)
+and TF-M by checking the signatures of the images.
+The MCUBoot handles the image verification the following way:
+
+- Load image from a non-volatile memory to dynamic RAM.
- The public key present in the image header is validated by comparing with the hash.
Depending on the image, the hash of the public key is either stored in the OTP or part
of the software which is being already verified in the previous stages.
- The image is validated using the public key.
-In the secure enclave, BL1 authenticates the BL2 and passes the execution
-control. BL2 authenticates the initial boot loader of the host (Host TF-A BL2)
-and TF-M. The execution control is now passed to TF-M. TF-M being the run
-time executable of secure enclave which initializes itself and, at the end,
-brings the host CPU out of rest. The host follows the boot standard defined
-in the `TBBR`_ to authenticate the secure and non-secure software.
+
+The execution control is passed to TF-M after the verification. TF-M being
+the runtime executable of the Secure Enclave which initializes itself and, at the end,
+brings the host CPU out of rest.
+
+The TF-M BL1 design details and reasoning can be found in the `TF-M design documents
+<https://tf-m-user-guide.trustedfirmware.org/design_docs/booting/bl1.html>`_.
+
+The Corstone-1000 has some differences compared to this design due to memory (OTP/ROM)
+limitations:
+
+- The provisioning bundle that contains the BL1_2 code is located in the ROM.
+ This means the BL1_2 cannot be updated during provisioning time.
+- The BL1_1 handles most of the hardware initialization instead of the BL1_2. This
+ results in a bigger BL1_1 code size than needed.
+- The BL1_2 does not use the post-quantum LMS verification. The BL2 is verified by
+ comparing the computed hash to the hash which is stored in the OTP. This means the
+ BL2 is not updatable.
+
+The host follows the boot standard defined in the `TBBR`_ to authenticate the
+secure and non-secure software.
+
+For UEFI Secure Boot, authenticated variables can be accessed from the secure flash.
+The feature has been integrated in U-Boot, which authenticates the images as per the UEFI
+specification before executing them.
***************
Secure Services
@@ -124,11 +158,11 @@ Secure Services
Corstone-1000 is unique in providing a secure environment to run a secure
workload. The platform has TrustZone technology in the Host subsystem but
-it also has hardware isolated secure enclave environment to run such secure
+it also has hardware isolated Secure Enclave environment to run such secure
workloads. In Corstone-1000, known Secure Services such as Crypto, Protected
Storage, Internal Trusted Storage and Attestation are available via PSA
Functional APIs in TF-M. There is no difference for a user communicating to
-these services which are running on a secure enclave instead of the
+these services which are running on a Secure Enclave instead of the
secure world of the host subsystem. The below diagram presents the data
flow path for such calls.
@@ -139,15 +173,18 @@ flow path for such calls.
The SE Proxy SP (Secure Enclave Proxy Secure Partition) is a proxy partition
-managed by OPTEE which forwards such calls to the secure enclave. The
-solution relies on OpenAMP which uses shared memory and MHU interrupts as
-a doorbell for communication between two cores. Corstone-1000 implements
-isolation level 2. Cortex-M0+ MPU (Memory Protection Unit) is used to implement
-isolation level 2.
+managed by OPTEE which forwards such calls to the Secure Enclave. The
+solution relies on the `RSE communication protocol
+<https://tf-m-user-guide.trustedfirmware.org/platform/arm/rse/rse_comms.html>`_
+which is a lightweight serialization of the psa_call() API. It can use shared
+memory and MHU interrupts as a doorbell for communication between two cores
+but currently the whole message is forwarded through the MHU channels in Corstone-1000.
+Corstone-1000 implements isolation level 2. Cortex-M0+ MPU (Memory Protection
+Unit) is used to implement isolation level 2.
For a user to define its own secure service, both the options of the host
secure world or secure encalve are available. It's a trade-off between
-lower latency vs higher security. Services running on a secure enclave are
+lower latency vs higher security. Services running on a Secure Enclave are
secure by real hardware isolation but have a higher latency path. In the
second scenario, the services running on the secure world of the host
subsystem have lower latency but virtual hardware isolation created by
@@ -174,7 +211,7 @@ Image (the initramfs bundle). The new images are accepted in the form of a UEFI
:width: 690
:alt: ExternalFlash
-When Firmware update is triggered, u-boot verifies the capsule by checking the
+When Firmware update is triggered, U-Boot verifies the capsule by checking the
capsule signature, version number and size. Then it signals the Secure Enclave
that can start writing UEFI capsule into the flash. Once this operation finishes
,Secure Enclave resets the entire system.
@@ -210,7 +247,7 @@ service. The below diagram presents the data flow to store UEFI variables.
The U-Boot implementation of the UEFI subsystem uses the U-Boot FF-A driver to
communicate with the SMM Service in the secure world. The backend of the
SMM service uses the proxy PS from the SE Proxy SP. From there on, the PS
-calls are forwarded to the secure enclave as explained above.
+calls are forwarded to the Secure Enclave as explained above.
.. image:: images/UEFISupport.png
diff --git a/meta-arm/meta-arm-bsp/documentation/corstone1000/user-guide.rst b/meta-arm/meta-arm-bsp/documentation/corstone1000/user-guide.rst
index 06353b5d3e..5dc956428b 100644
--- a/meta-arm/meta-arm-bsp/documentation/corstone1000/user-guide.rst
+++ b/meta-arm/meta-arm-bsp/documentation/corstone1000/user-guide.rst
@@ -3,9 +3,9 @@
#
# SPDX-License-Identifier: MIT
-##########
-User Guide
-##########
+#####################################
+User Guide: Build & run the software
+#####################################
Notice
------
@@ -43,7 +43,7 @@ Targets
Yocto stable branch
-------------------
-Corstone-1000 software stack is built on top of Yocto mickledore.
+Corstone-1000 software stack is built on top of Yocto scarthgap.
Provided components
-------------------
@@ -71,7 +71,7 @@ Based on `Trusted Firmware-A <https://git.trustedfirmware.org/TF-A/trusted-firmw
+----------+-------------------------------------------------------------------------------------------------+
| bbappend | <_workspace>/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a_%.bbappend |
+----------+-------------------------------------------------------------------------------------------------+
-| Recipe | <_workspace>/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_2.9.0.bb |
+| Recipe | <_workspace>/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_2.10.4.bb |
+----------+-------------------------------------------------------------------------------------------------+
OP-TEE
@@ -79,9 +79,9 @@ OP-TEE
Based on `OP-TEE <https://git.trustedfirmware.org/OP-TEE/optee_os.git>`__
+----------+----------------------------------------------------------------------------------------+
-| bbappend | <_workspace>/meta-arm/meta-arm-bsp/recipes-security/optee/optee-os_3.22.0.bbappend |
+| bbappend | <_workspace>/meta-arm/meta-arm-bsp/recipes-security/optee/optee-os_4.%.bbappend |
+----------+----------------------------------------------------------------------------------------+
-| Recipe | <_workspace>/meta-arm/meta-arm-bsp/recipes-security/optee/optee-os_3.22.0.bb |
+| Recipe |<_workspace>/meta-arm/meta-arm/recipes-security/optee/optee-os_4.1.0.bb |
+----------+----------------------------------------------------------------------------------------+
U-Boot
@@ -107,7 +107,7 @@ recipe responsible for building a tiny version of Linux is listed below.
+-----------+----------------------------------------------------------------------------------------------+
| bbappend | <_workspace>/meta-arm/meta-arm-bsp/recipes-kernel/linux/linux-yocto_%.bbappend |
+-----------+----------------------------------------------------------------------------------------------+
-| Recipe | <_workspace>/poky/meta/recipes-kernel/linux/linux-yocto_6.5.bb |
+| Recipe | <_workspace>/poky/meta/recipes-kernel/linux/linux-yocto_6.6.bb |
+-----------+----------------------------------------------------------------------------------------------+
| defconfig | <_workspace>/meta-arm/meta-arm-bsp/recipes-kernel/linux/files/corstone1000/defconfig |
+-----------+----------------------------------------------------------------------------------------------+
@@ -120,7 +120,7 @@ Based on `Trusted Firmware-M <https://git.trustedfirmware.org/TF-M/trusted-firmw
+----------+-----------------------------------------------------------------------------------------------------+
| bbappend | <_workspace>/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/trusted-firmware-m_%.bbappend |
+----------+-----------------------------------------------------------------------------------------------------+
-| Recipe | <_workspace>/meta-arm/meta-arm/recipes-bsp/trusted-firmware-m/trusted-firmware-m_1.8.1.bb |
+| Recipe | <_workspace>/meta-arm/meta-arm/recipes-bsp/trusted-firmware-m/trusted-firmware-m_2.0.0.bb |
+----------+-----------------------------------------------------------------------------------------------------+
********************************
@@ -158,7 +158,7 @@ In the top directory of the workspace ``<_workspace>``, run:
::
- git clone https://git.yoctoproject.org/git/meta-arm -b CORSTONE1000-2023.11
+ git clone https://git.yoctoproject.org/git/meta-arm -b CORSTONE1000-2024.06
To build a Corstone-1000 image for MPS3 FPGA, run:
@@ -364,6 +364,22 @@ The host will boot trusted-firmware-a, OP-TEE, U-Boot and then Linux, and presen
Login using the username root.
+Using FVP on Windows or AArch64 Linux
+-------------------------------------
+
+The user should follow the build instructions in this document to build on a Linux host machine.
+Then, copy the output binaries to the Windows or Aarch64 Linux machine where the FVP is located.
+Then, launch the FVP binary.
+
+Security Issue Reporting
+------------------------
+
+To report any security issues identified with Corstone-1000, please send an email to psirt@arm.com.
+
+###########################
+User Guide: Provided tests
+###########################
+
SystemReady-IR tests
--------------------
@@ -395,77 +411,13 @@ running the ACS tests.
**Common to FVP and FPGA:**
-#. Create an empty 100 MB partition:
- ::
-
- dd if=/dev/zero of=corstone1000-efi-partition.img iflag=fullblock bs=512 count=204800 && sync
-
-#. Use OpenSuse Raw image to copy the contents of EFI partition.
-
- To download OpenSUSE Tumbleweed raw image:
- - Under `OpenSUSE Tumbleweed appliances <http://download.opensuse.org/ports/aarch64/tumbleweed/appliances/>`__
- - The user should look for a Tumbleweed-ARM-JeOS-efi.aarch64-* Snapshot, for example,
- ``openSUSE-Tumbleweed-ARM-JeOS-efi.aarch64-<date>-Snapshot<date>.raw.xz``
-
- Once the .raw.xz file is downloaded, the raw image file needs to be extracted:
-
- ::
-
- unxz <file-name.raw.xz>
-
-
- The above command will generate a file ending with extension .raw image. Use the
- following command to get address of the first partition
-
- ::
-
- fdisk -lu <path-to-img>/openSUSE-Tumbleweed-ARM-JeOS-efi.aarch64-<date>-Snapshot<date>.raw
- -> Device Start End Sectors Size Type
- <path-to-img>/openSUSE-Tumbleweed-ARM-JeOS-efi.aarch64-<date>-Snapshot<date>.raw1 8192 40959 32768 16M EFI System
- <path-to-img>/openSUSE-Tumbleweed-ARM-JeOS-efi.aarch64-<date>-Snapshot<date>.raw2 40960 1064959 1024000 500M Linux swap
- <path-to-img>/openSUSE-Tumbleweed-ARM-JeOS-efi.aarch64-<date>-Snapshot<date>.raw3 1064960 5369822 4304863 2.1G Linux filesystem
-
- -> <blockaddress_1st_partition> = 8192
- -> <sectorsize_1st_partition> = 32768
-
-#. Copy the ESP from opensuse image to empty image:
-
- ::
-
- dd conv=notrunc if=openSUSE-Tumbleweed-ARM-JeOS-efi.aarch64-<date>-Snapshot<date>.raw skip=<blockaddress_1st_partition> of=corstone1000-efi-partition.img seek=<blockaddress_1st_partition> iflag=fullblock seek=<blockaddress_1st_partition> bs=512 count=<sectorsize_1s_partition> && sync
-
-
-#. Create the file efi_disk.layout locally. Copy the content of provided disk layout below to the efi_disk.layout to label the ESP correctly.
-
- efi_disk.layout
- ::
-
- label: gpt
- label-id: AC53D121-B818-4515-9031-BE02CCEB8701
- device: corstone1000-efi-partition.img
- unit: sectors
- first-lba: 34
- last-lba: 204766
-
- corstone1000-efi-partition.img : start=8192, size=32768, type=C12A7328-F81F-11D2-BA4B-00A0C93EC93B, uuid=792D821F-98AE-46E3-BABD-948003A650F8, name="p.UEFI"
-
- And use the following command the label the newly created ESP.
-
- ::
-
- sfdisk corstone1000-efi-partition.img < efi_disk.layout
-
- To test the image, you can now mount the disk image
-
- ::
-
- fdisk -lu corstone1000-efi-partition.img
- -> Device Start End Sectors Size Type
- corstone1000-efi-partition.img1 8192 40959 32768 16M EFI System
+::
- <offset_1st_partition> = 8192 * 512 (sector size) = 4194304
+ kas build meta-arm/kas/corstone1000-{mps3,fvp}.yml:meta-arm/ci/debug.yml --target corstone1000-esp-image
- sudo mount -o loop,offset=4194304 corstone1000-efi-partition.img /mount_point
+Once the build is successful ``corstone1000-esp-image-corstone1000-{mps3,fvp}.wic`` will be available in either:
+ - ``<_workspace>/build/tmp/deploy/images/corstone1000-fvp/`` folder for FVP build;
+ - ``<_workspace>/build/tmp/deploy/images/corstone1000-mps3/`` folder for FPGA build.
**Using ESP in FPGA:**
@@ -477,18 +429,14 @@ USB drive. Run the following commands to prepare the ACS image in USB stick:
::
- sudo dd if=corstone1000-efi-partition.img of=/dev/sdb iflag=direct oflag=direct status=progress bs=512; sync;
+ sudo dd if=corstone1000-esp-image-corstone1000-mps3.wic of=/dev/sdb iflag=direct oflag=direct status=progress bs=512; sync;
Now you can plug this USB stick to the board together with ACS test USB stick.
**Using ESP in FVP:**
-The ESP disk image can directly be used in Corstone-1000 FVP by simply passing it as
-the 2nd MMC card image.
-
-::
+The ESP disk image once created will be used automatically in the Corstone-1000 FVP as the 2nd MMC card image. It will be used when the SystemReady-IR tests will be performed on the FVP in the later section.
- kas shell meta-arm/kas/corstone1000-fvp.yml:meta-arm/ci/debug.yml -c "../meta-arm/scripts/runfvp -- -C board.msd_mmc.p_mmc_file="${<path-to-img>/ir_acs_live_image.img}" -C board.msd_mmc_2.p_mmc_file="${<path-to-img>/corstone1000-efi-partition.img}"
Clean Secure Flash Before Testing (applicable to FPGA only)
===========================================================
@@ -500,8 +448,8 @@ boot. Run following commands to build such image.
::
cd <_workspace>
- git clone https://git.yoctoproject.org/git/meta-arm -b CORSTONE1000-2023.11
- git clone https://git.gitlab.arm.com/arm-reference-solutions/systemready-patch.git -b CORSTONE1000-2023.11
+ git clone https://git.yoctoproject.org/git/meta-arm -b CORSTONE1000-2024.06
+ git clone https://git.gitlab.arm.com/arm-reference-solutions/systemready-patch.git -b CORSTONE1000-2024.06
cp -f systemready-patch/embedded-a/corstone1000/erase_flash/0001-embedded-a-corstone1000-clean-secure-flash.patch meta-arm
cd meta-arm
git apply 0001-embedded-a-corstone1000-clean-secure-flash.patch
@@ -534,7 +482,7 @@ includes a set of examples of the invariant behaviors that are provided by a
set of specifications for enterprise systems (For example: SBSA, SBBR, etc.),
so that implementers can verify if these behaviours have been interpreted correctly.
-ACS image contains two partitions. BOOT partition and RESULT partition.
+The ACS image contains a BOOT partition.
Following test suites and bootable applications are under BOOT partition:
* SCT
@@ -560,11 +508,14 @@ BOOT partition contains the following:
├── grub
├── grub.cfg
├── Image
- └── ramdisk-busybox.img
+ ├── ramdisk-busybox.img
+ └── acs_results
-RESULT partition is used to store the test results.
-**NOTE**: PLEASE MAKE SURE THAT "acs_results" FOLDER UNDER THE RESULT PARTITION IS EMPTY BEFORE YOU START THE TESTING. OTHERWISE THE TEST RESULTS
-WILL NOT BE CONSISTENT
+The BOOT partition is also used to store the test results. The
+results are stored in the `acs_results` folder.
+
+**NOTE**: PLEASE ENSURE THAT the `acs_results` FOLDER UNDER THE BOOT PARTITION IS
+EMPTY BEFORE YOU START TESTING. OTHERWISE THE TEST RESULTS WILL NOT BE CONSISTENT.
FPGA instructions for ACS image
===============================
@@ -583,7 +534,7 @@ certifications of SystemReady-IR. To download the repository, run command:
git clone https://github.com/ARM-software/arm-systemready.git
Once the repository is successfully downloaded, the prebuilt ACS live image can be found in:
- - ``<_workspace>/arm-systemready/IR/prebuilt_images/v23.03_2.0.0/ir-acs-live-image-generic-arm64.wic.xz``
+ - ``<_workspace>/arm-systemready/IR/prebuilt_images/v23.09_2.1.0/ir-acs-live-image-generic-arm64.wic.xz``
**NOTE**: This prebuilt ACS image includes v5.13 kernel, which doesn't provide
USB driver support for Corstone-1000. The ACS image with newer kernel version
@@ -597,7 +548,7 @@ USB drive. Run the following commands to prepare the ACS image in USB stick:
::
- cd <_workspace>/arm-systemready/IR/prebuilt_images/v23.03_2.0.0
+ cd <_workspace>/arm-systemready/IR/prebuilt_images/v23.09_2.1.0
unxz ir-acs-live-image-generic-arm64.wic.xz
sudo dd if=ir-acs-live-image-generic-arm64.wic of=/dev/sdb iflag=direct oflag=direct bs=1M status=progress; sync
@@ -616,49 +567,17 @@ the platform is booted to linux at the end of the ACS tests.
FVP instructions for ACS image and run
======================================
-Download ACS image from:
- - ``https://gitlab.arm.com/systemready/acs/arm-systemready/-/tree/main/IR/prebuilt_images/v23.03_2.0.0``
-
-Use the below command to run the FVP with EFI and ACS image support in the
-SD cards.
+The FVP has been integrated in the meta-arm-systemready layer so the running of the ACS tests can be handled automatically as follows
::
- unxz ${<path-to-img>/ir-acs-live-image-generic-arm64.wic.xz}
-
- kas shell meta-arm/kas/corstone1000-fvp.yml:meta-arm/ci/debug.yml -c "../meta-arm/scripts/runfvp --terminals=xterm -- -C board.msd_mmc.p_mmc_file=<path-to-img>/ir-acs-live-image-generic-arm64.wic -C board.msd_mmc_2.p_mmc_file="${<path-to-img>/corstone1000-efi-partition.img}"
-
-The test results can be fetched using following commands:
+ kas build meta-arm/ci/corstone1000-fvp.yml:meta-arm/ci/debug.yml:kas/arm-systemready-ir-acs.yml
-::
-
- sudo mkdir /mnt/test
- sudo mount -o rw,offset=<offset_3rd_partition> <path-to-img>/ir-acs-live-image-generic-arm64.wic /mnt/test/
- fdisk -lu <path-to-img>/ir-acs-live-image-generic-arm64.wic
- -> Device Start End Sectors Size Type
- <path-to-img>/ir-acs-live-image-generic-arm64.wic1 2048 206847 204800 100M Microsoft basic data
- <path-to-img>/ir-acs-live-image-generic-arm64.wic2 206848 1024239 817392 399.1M Linux filesystem
- <path-to-img>/ir-acs-live-image-generic-arm64.wic3 1026048 1128447 102400 50M Microsoft basic data
+The details of how this layer works can be found in : ``<_workspace>/meta-arm-systemready/README.md``
- -> <offset_3rd_partition> = 1026048 * 512 (sector size) = 525336576
+**NOTE:** You can't use the standard meta-arm/kas/corstone1000-fvp.yml kas file as it sets the build up for only building firmware
-The FVP will reset multiple times during the test, and it might take up to 1 day to finish
-the test. At the end of test, the FVP host terminal will halt showing a shell prompt.
-Once test is finished, the FVP can be stoped, and result can be copied following above
-instructions.
-
-**NOTE:** A rare issue has been noticed (5-6% occurence) during which the FVP hangs during booting the system while running ACS tests.
-If this happens, please apply the following patch, rebuild the software stack for FVP and re-run the ACS tests.
-
-::
-
- cd <_workspace>
- git clone https://git.gitlab.arm.com/arm-reference-solutions/systemready-patch.git -b CORSTONE1000-2023.11
- cp -f systemready-patch/embedded-a/corstone1000/sr_ir_workaround/0001-embedded-a-corstone1000-sr-ir-workaround.patch meta-arm
- cd meta-arm
- git am 0001-embedded-a-corstone1000-sr-ir-workaround.patch
- cd ..
- kas shell meta-arm/kas/corstone1000-fvp.yml:meta-arm/ci/debug.yml -c "bitbake u-boot -c cleanall; bitbake trusted-firmware-a -c cleanall; bitbake corstone1000-flash-firmware-image -c cleanall; bitbake corstone1000-flash-firmware-image"
+**NOTE:** These test might take up to 1 day to finish
Common to FVP and FPGA
@@ -672,106 +591,70 @@ automatically in the following sequence:
- UEFI BSA
- FWTS
-The results can be fetched from the ``acs_results`` folder in the RESULT partition of the USB stick (FPGA) / SD Card (FVP).
+The results can be fetched from the `acs_results` folder in the BOOT partition of the USB stick (FPGA) / SD Card (FVP).
+
+**NOTE:** The FVP uses the ``<_workspace>/build/tmp-glibc/work/corstone1000_fvp-oe-linux/arm-systemready-ir-acs/2.0.0/deploy-arm-systemready-ir-acs/arm-systemready-ir-acs-corstone1000-fvp.wic`` image if the meta-arm-systemready layer is used.
+The result can be checked in this image.
#####################################################
Manual capsule update and ESRT checks
-------------------------------------
-The following section describes running manual capsule update.
-
-The steps described in this section perform manual capsule update and show how to use the ESRT feature
-to retrieve the installed capsule details.
-
-For the following tests two capsules are needed to perform 2 capsule updates. A positive update and a negative update.
-
-A positive test case capsule which boots the platform correctly until the Linux prompt, and a negative test case with an
-incorrect capsule (corrupted or outdated) which fails to boot to the host software.
-
-Check the "Run SystemReady-IR ACS tests" section above to download and unpack the ACS image file
- - ``ir-acs-live-image-generic-arm64.wic.xz``
-
-
-Download u-boot under <_workspace> and install tools:
+The following section describes running manual capsule updates by going through
+a negative and positive test. Two capsules are needed to perform the positive
+and negative updates. The steps also show how to use the EFI System Resource Table
+(ESRT) to retrieve the installed capsule details.
-::
-
- git clone https://github.com/u-boot/u-boot.git
- cd u-boot
- git checkout 83aa0ed1e93e1ffac24888d98d37a5b04ed3fb07
- make tools-only_defconfig
- make tools-only
-
-**NOTE:** The following error could happen if the linux build system does not have "libgnutls28-dev".
- **error: "tools/mkeficapsule.c:21:10: fatal error: gnutls/gnutls.h: No such file or directory"**. If that's the case please install libgnutls28-dev and its dependencies by using the following command.
-
-::
-
- sudo apt-get install -y libgnutls28-dev
-
-Download systemready-patch repo under <_workspace>:
-::
+In the positive test, a valid capsule is used and the platform boots correctly
+until the Linux prompt after the update. In the negative test, an outdated
+capsule is used that has a smaller version number. This capsule gets rejected
+because of being outdated and the previous firmware will be used instead.
- git clone https://git.gitlab.arm.com/arm-reference-solutions/systemready-patch.git -b CORSTONE1000-2023.11
*******************
Generating Capsules
*******************
-Generating FPGA Capsules
-========================
-
-::
-
- cd <_workspace>/build/tmp/deploy/images/corstone1000-mps3/
- sh <_workspace>/systemready-patch/embedded-a/corstone1000/capsule_gen/capsule_gen.sh -d mps3
-
-This will generate a file called "corstone1000_image.nopt" which will be used to
-generate a UEFI capsule.
-
-::
-
- cd <_workspace>
-
- ./u-boot/tools/mkeficapsule --monotonic-count 1 --private-key build/tmp/deploy/images/corstone1000-mps3/corstone1000_capsule_key.key \
- --certificate build/tmp/deploy/images/corstone1000-mps3/corstone1000_capsule_cert.crt --index 1 --guid df1865d1-90fb-4d59-9c38-c9f2c1bba8cc \
- --fw-version 6 build/tmp/deploy/images/corstone1000-mps3/corstone1000_image.nopt cs1k_cap_mps3_v6
-
- ./u-boot/tools/mkeficapsule --monotonic-count 1 --private-key build/tmp/deploy/images/corstone1000-mps3/corstone1000_capsule_key.key \
- --certificate build/tmp/deploy/images/corstone1000-mps3/corstone1000_capsule_cert.crt --index 1 --guid df1865d1-90fb-4d59-9c38-c9f2c1bba8cc \
- --fw-version 5 build/tmp/deploy/images/corstone1000-mps3/corstone1000_image.nopt cs1k_cap_mps3_v5
-
-Generating FVP Capsules
-=======================
-
-::
+A no-partition image is needed for the capsule generation. This image is
+created automatically during a clean Yocto build and it can be found in
+``build/tmp/deploy/images/corstone1000-<fvp/mps3>/corstone1000-<fvp/mps3>_image.nopt``.
+A capsule is also automatically generated with U-Boot's ``mkeficapsule`` tool
+during the Yocto build that uses this ``corstone1000-<fvp/mps3>_image.nopt``. The
+capsule's default metadata, that is passed to the ``mkeficapsule`` tool,
+can be found in the ``meta-arm/meta-arm-bsp/recipes-bsp/images/corstone1000-flash-firmware-image.bb``
+and ``meta-arm/kas/corstone1000-image-configuration.yml`` files. These
+data can be modified before the Yocto build if it is needed. It is
+assumed that the default values are used in the following steps.
+
+The automatically generated capsule can be found in
+``build/tmp/deploy/images/corstone1000-<fvp/mps3>/corstone1000-<fvp/mps3>-v6.uefi.capsule``.
+This capsule will be used as the positive capsule during the test in the following
+steps.
+
+Generating Capsules Manually
+============================
- cd <_workspace>/build/tmp/deploy/images/corstone1000-fvp/
- sh <_workspace>/systemready-patch/embedded-a/corstone1000/capsule_gen/capsule_gen.sh -d fvp
+If a new capsule has to be generated with different metadata after the build
+process, then it can be done manually by using the ``u-boot-tools``'s
+``mkeficapsule`` and the previously created ``.nopt`` image. The
+``mkeficapsule`` tool is built automatically for the host machine
+during the Yocto build.
-This will generate a file called "corstone1000_image.nopt" which will be used to
-generate a UEFI capsule.
+The negative capsule needs a lower ``fw-version`` than the positive
+capsule. For example if the host's architecture is x86_64, this can
+be generated by using the following command:
::
cd <_workspace>
- ./u-boot/tools/mkeficapsule --monotonic-count 1 --private-key build/tmp/deploy/images/corstone1000-fvp/corstone1000_capsule_key.key \
- --certificate build/tmp/deploy/images/corstone1000-fvp/corstone1000_capsule_cert.crt --index 1 --guid 989f3a4e-46e0-4cd0-9877-a25c70c01329 \
- --fw-version 6 build/tmp/deploy/images/corstone1000-fvp/corstone1000_image.nopt cs1k_cap_fvp_v6
- ./u-boot/tools/mkeficapsule --monotonic-count 1 --private-key build/tmp/deploy/images/corstone1000-fvp/corstone1000_capsule_key.key \
- --certificate build/tmp/deploy/images/corstone1000-fvp/corstone1000_capsule_cert.crt --index 1 --guid 989f3a4e-46e0-4cd0-9877-a25c70c01329 \
- --fw-version 5 build/tmp/deploy/images/corstone1000-fvp/corstone1000_image.nopt cs1k_cap_fvp_v5
+ ./build/tmp/sysroots-components/x86_64/u-boot-tools-native/usr/bin/mkeficapsule --monotonic-count 1 \
+ --private-key build/tmp/deploy/images/corstone1000-<fvp/mps3>/corstone1000_capsule_key.key \
+ --certificate build/tmp/deploy/images/corstone1000-<fvp/mps3>/corstone1000_capsule_cert.crt --index 1 --guid df1865d1-90fb-4d59-9c38-c9f2c1bba8cc \
+ --fw-version 5 build/tmp/deploy/images/corstone1000-<fvp/mps3>/corstone1000-<fvp/mps3>_image.nopt corstone1000-<fvp/mps3>-v5.uefi.capsule
-
-Common Notes for FVP and FPGA
-=============================
-
-The capsule binary size (wic file) should be less than 15 MB.
-
-Based on the user's requirement, the user can change the firmware version
-number given to ``--fw-version`` option (the version number needs to be >= 1).
+This command will put the negative capsule to the ``<_workspace>`` directory.
****************
@@ -782,33 +665,52 @@ Copying the FPGA capsules
=========================
The user should prepare a USB stick as explained in ACS image section `FPGA instructions for ACS image`_.
-Place the generated ``cs1k_cap`` files in the root directory of the boot partition
-in the USB stick. Note: As we are running the direct method, the ``cs1k_cap`` file
+Place the generated ``corstone1000-mps3-v<5/6>.uefi.capsule`` files in the root directory of the boot partition
+in the USB stick. Note: As we are running the direct method, the ``corstone1000-mps3-v<5/6>.uefi.capsule`` files
should not be under the EFI/UpdateCapsule directory as this may or may not trigger
the on disk method.
::
- sudo cp cs1k_cap_mps3_v6 <mounting path>/BOOT/
- sudo cp cs1k_cap_mps3_v5 <mounting path>/BOOT/
+ sudo cp <capsule path>/corstone1000-mps3-v6.uefi.capsule <mounting path>/BOOT/
+ sudo cp <capsule path>/corstone1000-mps3-v5.uefi.capsule <mounting path>/BOOT/
sync
Copying the FVP capsules
========================
-First, mount the IR image:
+The ACS image should be used for the FVP as well. Downloaded and extract the
+image the same way as for the FPGA `FPGA instructions for ACS image`_.
+Creating an USB stick with the image is not needed for the FVP.
+
+After getting the ACS image, find the 1st partition's offset of the
+``ir-acs-live-image-generic-arm64.wic`` image. The partition table can be
+listed using the ``fdisk`` tool.
+
+::
+
+ fdisk -lu <path-to-img>/ir-acs-live-image-generic-arm64.wic
+ Device Start End Sectors Size Type
+ <path-to-img>/ir-acs-live-image-generic-arm64.wic1 2048 309247 307200 150M Microsoft basic data
+ <path-to-img>/ir-acs-live-image-generic-arm64.wic2 309248 1343339 1034092 505M Linux filesystem
+
+
+The first partition starts at the 2048th sector. This has to be multiplied
+by the sector size which is 512 so the offset is 2048 * 512 = 1048576.
+
+Next, mount the IR image using the previously calculated offset:
::
sudo mkdir /mnt/test
- sudo mount -o rw,offset=1048576 <path-to-img>/ir-acs-live-image-generic-arm64.wic /mnt/test
+ sudo mount -o rw,offset=<first_partition_offset> <path-to-img>/ir-acs-live-image-generic-arm64.wic /mnt/test
Then, copy the capsules:
::
- sudo cp cs1k_cap_fvp_v6 /mnt/test/
- sudo cp cs1k_cap_fvp_v5 /mnt/test/
+ sudo cp <capsule path>/corstone1000-fvp-v6.uefi.capsule /mnt/test/
+ sudo cp <capsule path>/corstone1000-fvp-v5.uefi.capsule /mnt/test/
sync
Then, unmount the IR image:
@@ -817,14 +719,21 @@ Then, unmount the IR image:
sudo umount /mnt/test
-**NOTE:** Please refer to `FVP instructions for ACS image and run`_ section to find the first partition offset.
-
******************************
Performing the capsule update
******************************
-During this section we will be using the capsule with the higher version (cs1k_cap_<fvp/mps3>_v6) for the positive scenario
-and the capsule with the lower version (cs1k_cap_<fvp/mps3>_v5) for the negative scenario.
+During this section we will be using the capsule with the higher version
+(``corstone1000-<fvp/mps3>-v6.uefi.capsule``) for the positive scenario
+and then the capsule with the lower version (``corstone1000-<fvp/mps3>-v5.uefi.capsule``)
+for the negative scenario. The two tests have to be done after each other
+in the correct order to make sure that the negative capsule will get rejected.
+
+Running the FPGA with the IR prebuilt image
+===========================================
+
+Insert the prepared USB stick which has the IR prebuilt image and two capsules,
+then Power cycle the MPS3 board.
Running the FVP with the IR prebuilt image
==========================================
@@ -836,16 +745,14 @@ Run the FVP with the IR prebuilt image:
kas shell meta-arm/kas/corstone1000-fvp.yml:meta-arm/ci/debug.yml -c "../meta-arm/scripts/runfvp --terminals=xterm -- -C board.msd_mmc.p_mmc_file=<path-to-img>/ir-acs-live-image-generic-arm64.wic"
**NOTE:** <path-to-img> must start from the root directory. make sure there are no spaces before or after of "=". board.msd_mmc.p_mmc_file=<path-to-img>/ir-acs-live-image-generic-arm64.wic.
-
-Running the FPGA with the IR prebuilt image
-===========================================
-
-Insert the prepared USB stick then Power cycle the MPS3 board.
+**NOTE:** Do not restart the FVP between the positive and negative test because it will start from a clean state.
Executing capsule update for FVP and FPGA
=========================================
-Reach u-boot then interrupt the boot to reach the EFI shell.
+Wait until U-boot loads EFI from the ACS image stick and interrupt the EFI
+shell by pressing ESC when the following prompt is displayed in the Host
+terminal (ttyUSB2).
::
@@ -857,19 +764,30 @@ Then, type FS0: as shown below:
FS0:
-In case of the positive scenario run the update with the higher version capsule as shown below:
+Then start the CapsuleApp application. Use the positive capsule
+(corstone1000-<fvp/mps3>-v6.uefi.capsule) first.
::
- EFI/BOOT/app/CapsuleApp.efi cs1k_cap_<fvp/mps3>_v6
+ EFI/BOOT/app/CapsuleApp.efi corstone1000-<fvp/mps3>-v6.uefi.capsule
+
+The capsule update will be started.
+
+**NOTE:** On the FVP it takes around 15-30 minutes, on the FPGA it takes less time.
-After successfully updating the capsule the system will reset.
+After successfully updating the capsule the system will reset. Make sure the
+Corstone-1000's Poky Distro is booted after the reset so the ESRT can be checked.
+It is described in the `Select Corstone-1000 Linux kernel boot`_ section how to
+boot the Poky distro after the capsule update.
+The `Positive scenario`_ sections describes how the result should be inspected.
+After the result is checked, the system can be rebooted with the ``reboot`` command in the Host
+terminal (ttyUSB2).
-In case of the negative scenario run the update with the lower version capsule as shown below:
+Interrupt the EFI shell again and now start the capsule update with the negative capsule:
::
- EFI/BOOT/app/CapsuleApp.efi cs1k_cap_<fvp/mps3>_v5
+ EFI/BOOT/app/CapsuleApp.efi corstone1000-<fvp/mps3>-v5.uefi.capsule
The command above should fail and in the TF-M logs the following message should appear:
@@ -883,17 +801,14 @@ Then, reboot manually:
Shell> reset
-FPGA: Select Corstone-1000 Linux kernel boot
-============================================
+Make sure the Corstone-1000's Poky Distro is booted again
+(`Select Corstone-1000 Linux kernel boot`_) in order to check the results
+`Negative scenario`_.
-Remove the USB stick before u-boot is reached so the Corstone-1000 kernel will be detected and used for booting.
-
-**NOTE:** Otherwise, the execution ends up in the ACS live image.
-
-FVP: Select Corstone-1000 Linux kernel boot
-===========================================
+Select Corstone-1000 Linux kernel boot
+======================================
-Interrupt the u-boot shell.
+Interrupt the U-Boot shell.
::
@@ -917,9 +832,12 @@ Capsule update status
Positive scenario
=================
-In the positive case scenario, the user should see following log in TF-M log,
-indicating the new capsule image is successfully applied, and the board boots
-correctly.
+In the positive case scenario, the software stack copies the capsule to the
+External Flash, which is shared between the Secure Enclave and Host,
+then a reboot is triggered. The TF-M accepts the capsule.
+The user should see following TF-M log in the Secure Enclave terminal (ttyUSB1)
+before the system reboots automatically, indicating the new capsule
+image is successfully applied, and the board boots correctly.
::
@@ -933,6 +851,18 @@ correctly.
corstone1000_fwu_flash_image: exit: ret = 0
...
+And after the reboot:
+
+::
+
+ ...
+ fmp_set_image_info:133 Enter
+ FMP image update: image id = 0
+ FMP image update: status = 0version=6 last_attempt_version=6.
+ fmp_set_image_info:157 Exit.
+ corstone1000_fwu_host_ack: exit: ret = 0
+ ...
+
It's possible to check the content of the ESRT table after the system fully boots.
@@ -961,11 +891,14 @@ In the Linux command-line run the following:
lowest_supported_fw_ver: 0
-Negative scenario (Applicable to FPGA only)
-===========================================
+Negative scenario
+=================
-In the negative case scenario (rollback the capsule version), the user should
-see appropriate logs in the secure enclave terminal.
+In the negative case scenario (rollback the capsule version),
+the TF-M detects that the new capsule's version number is
+smaller then the current version. The capsule is rejected because
+of this.
+The user should see appropriate logs in the Secure Enclave terminal (ttyUSB1) before the system reboots itself.
::
@@ -989,7 +922,7 @@ see appropriate logs in the secure enclave terminal.
If capsule pass initial verification, but fails verifications performed during
-boot time, secure enclave will try new images predetermined number of times
+boot time, Secure Enclave will try new images predetermined number of times
(defined in the code), before reverting back to the previous good bank.
::
@@ -1025,11 +958,6 @@ In the Linux command-line run the following:
last_attempt_version: 5
lowest_supported_fw_ver: 0
-**Note**: This test is currently not working properly in Corstone-1000 FVP.
-However, it is not part of the System-Ready IR tests, and it won't affect the
-SR-IR certification. All the compulsory `capsule update tests for SR-IR
-<https://developer.arm.com/documentation/DUI1101/2-1/Test-SystemReady-IR/Test-UpdateCapsule>`__
-works on both Corstone-1000 FVP and FPGA.
Linux distros tests
-------------------
@@ -1043,7 +971,7 @@ provided with the Debian installer image (see below). This bug causes a fatal
error when attempting to boot media installer for Debian, and it resets the platform before installation starts.
A patch to be applied to the Corstone-1000 stack (only applicable when
installing Debian) is provided to
-`Skip the Shim <https://gitlab.arm.com/arm-reference-solutions/systemready-patch/-/blob/CORSTONE1000-2023.11/embedded-a/corstone1000/shim/0001-arm-bsp-u-boot-corstone1000-Skip-the-shim-by-booting.patch>`__.
+`Skip the Shim <https://gitlab.arm.com/arm-reference-solutions/systemready-patch/-/blob/CORSTONE1000-2024.06/embedded-a/corstone1000/shim/0001-arm-bsp-u-boot-corstone1000-Skip-the-shim-by-booting.patch>`__.
This patch makes U-Boot automatically bypass the Shim and run grub and allows
the user to proceed with a normal installation. If at the moment of reading this
document the problem is solved in the Shim, the user is encouraged to try the
@@ -1055,18 +983,20 @@ documentation.
::
cd <_workspace>
- git clone https://git.gitlab.arm.com/arm-reference-solutions/systemready-patch.git -b CORSTONE1000-2023.11
+ git clone https://git.gitlab.arm.com/arm-reference-solutions/systemready-patch.git -b CORSTONE1000-2024.06
cp -f systemready-patch/embedded-a/corstone1000/shim/0001-arm-bsp-u-boot-corstone1000-Skip-the-shim-by-booting.patch meta-arm
cd meta-arm
git am 0001-arm-bsp-u-boot-corstone1000-Skip-the-shim-by-booting.patch
cd ..
**On FPGA**
+
::
kas shell meta-arm/kas/corstone1000-mps3.yml:meta-arm/ci/debug.yml -c="bitbake u-boot trusted-firmware-a corstone1000-flash-firmware-image -c cleansstate; bitbake corstone1000-flash-firmware-image"
**On FVP**
+
::
kas shell meta-arm/kas/corstone1000-fvp.yml:meta-arm/ci/debug.yml -c="bitbake u-boot trusted-firmware-a corstone1000-flash-firmware-image -c cleansstate; bitbake corstone1000-flash-firmware-image"
@@ -1087,8 +1017,8 @@ Preparing the Installation Media
*************************************************
Download one of following Linux distro images:
- - `Debian installer image <https://cdimage.debian.org/debian-cd/current/arm64/iso-dvd/>`__ (Tested on: debian-12.2.0-arm64-DVD-1.iso)
- - `OpenSUSE Tumbleweed installer image <http://download.opensuse.org/ports/aarch64/tumbleweed/iso/>`__ (Tested on: openSUSE-Tumbleweed-DVD-aarch64-Snapshot20231120-Media.iso)
+ - `Debian installer image <https://cdimage.debian.org/mirror/cdimage/archive/12.4.0/arm64/iso-dvd/>`__
+ - `OpenSUSE Tumbleweed installer image <http://download.opensuse.org/ports/aarch64/tumbleweed/iso/>`__ (Tested on: openSUSE-Tumbleweed-DVD-aarch64-Snapshot20240516-Media.iso)
**NOTE:** For OpenSUSE Tumbleweed, the user should look for a DVD Snapshot like
openSUSE-Tumbleweed-DVD-aarch64-Snapshot<date>-Media.iso
@@ -1123,9 +1053,9 @@ With a minimum size of 8GB formatted with gpt.
::
- #Generating mmc2
- dd if=/dev/zero of=<_workspace>/mmc2_file.img bs=1 count=0 seek=8G; sync;
- parted -s mmc2_file.img mklabel gpt
+ #Generating os_file
+ dd if=/dev/zero of=<_workspace>/os_file.img bs=1 count=0 seek=10G; sync;
+ parted -s os_file.img mklabel gpt
*************************************************
@@ -1157,10 +1087,10 @@ FVP
::
- kas shell meta-arm/kas/corstone1000-fvp.yml:meta-arm/ci/debug.yml -c "../meta-arm/scripts/runfvp --terminals=xterm -- -C board.msd_mmc.p_mmc_file="<path-to-iso_file>" -C board.msd_mmc_2.p_mmc_file="<_workspace>/mmc2_file.img"
+ kas shell meta-arm/kas/corstone1000-fvp.yml:meta-arm/ci/debug.yml -c "../meta-arm/scripts/runfvp --terminals=xterm -- -C board.msd_mmc.p_mmc_file=<_workspace>/os_file.img -C board.msd_mmc_2.p_mmc_file=<path-to-iso_file>"
The installer should now start.
-The os will be installed on the second mmc 'mmc2_file.img'.
+The OS will be installed on 'os_file.img'.
*******************************************************
Debian install clarifications
@@ -1213,17 +1143,22 @@ after entering the password for the root user.
FVP
==============
-Once the installation is complete, you will need to exit the shell instance
-and run this command to boot into the installed OS:
+The platform should automatically boot into the installed OS image.
-::
+To cold boot:
+
+ ::
+
+ kas shell meta-arm/kas/corstone1000-fvp.yml:meta-arm/ci/debug.yml -c "../meta-arm/scripts/runfvp --terminals=xterm -- -C board.msd_mmc.p_mmc_file=<_workspace>/os_file.img"
- kas shell meta-arm/kas/corstone1000-fvp.yml:meta-arm/ci/debug.yml -c "../meta-arm/scripts/runfvp --terminals=xterm -- -C board.msd_mmc.p_mmc_file="<path-to-iso_file>" -C board.msd_mmc.p_mmc_file="<_workspace>/mmc2_file.img"
-Once the FVP begins booting, you will need to quickly change the boot option in grub,
-to boot into recovery mode.
+The board will then enter recovery mode, from which the user can access a shell
+after entering the password for the root user.
-**NOTE:** This option will disappear quickly, so it's best to preempt it.
+
+**NOTE:** To manually enter recovery mode, once the FVP begins booting, you can quickly
+change the boot option in grub, to boot into recovery mode. This option will disappear
+quickly, so it's best to preempt it.
Select 'Advanced Options for '<OS>' and then '<OS> (recovery mode)'.
@@ -1295,19 +1230,19 @@ First, load FF-A TEE kernel module:
::
- insmod /lib/modules/*-yocto-standard/updates/arm-ffa-tee.ko
+ insmod /lib/modules/*-yocto-standard/updates/arm-tstee.ko
Then, check whether the FF-A TEE driver is loaded correctly by using the following command:
::
- cat /proc/modules | grep arm_ffa_tee
+ cat /proc/modules | grep arm_tstee
-The output should be:
+The output should be similar to:
::
- arm_ffa_tee <ID> - - Live <address> (O)
+ arm_tstee 16384 - - Live 0xffffffc000510000 (O)
Now, run the PSA API tests in the following order:
@@ -1318,22 +1253,216 @@ Now, run the PSA API tests in the following order:
psa-its-api-test
psa-ps-api-test
-**NOTE:** The psa-crypto-api-test takes between 30 minutes to 1 hour to run.
-Tests results
--------------
+UEFI Secureboot (SB) test
+-------------------------
-As a reference for the end user, reports for various tests for `Corstone-1000 software (CORSTONE1000-2023.11) <https://git.yoctoproject.org/meta-arm/tag/?h=CORSTONE1000-2023.11>`__
-can be found `here <https://gitlab.arm.com/arm-reference-solutions/arm-reference-solutions-test-report/-/tree/master/embedded-a/corstone1000>`__.
+Before running the SB test, the user should make sure that the `FVP and FPGA software has been compiled and the ESP image for both the FVP and FPGA has been created` as mentioned in the previous sections and user should use the same workspace directory under which sources have been compiled.
+The SB test is applicable on both the FVP and the FPGA and this involves testing both the signed and unsigned kernel images. Successful test results in executing the signed image correctly and not allowing the unsigned image to run at all.
-Running the software on FVP on Windows or AArch64 Linux
-------------------------------------------------------------
+***********************************************************
+Below steps are applicable to FVP as well as FPGA
+***********************************************************
+Firstly, the flash firmware image has to be built for both the FVP and FPGA as follows:
-The user should follow the build instructions in this document to build on a Linux host machine. Then, copy the output binaries to the Windows or Aarch64 Linux machine where the FVP is located. Then, launch the FVP binary.
+For FVP,
-Security Issue Reporting
-------------------------
-To report any security issues identified with Corstone-1000, please send an email to arm-security@arm.com.
+::
+
+ kas shell meta-arm/kas/corstone1000-fvp.yml:meta-arm/ci/debug.yml -c bitbake -c build corstone1000-flash-firmware-image"
+
+
+For FPGA,
+
+::
+
+ kas shell meta-arm/kas/corstone1000-mps3.yml:meta-arm/ci/debug.yml -c bitbake -c build corstone1000-flash-firmware-image"
+
+In order to test SB for FVP and FPGA, a bash script is available in the systemready-patch repo which is responsible in creating the relevant keys, sign the respective kernel images, and copy the same in their corresponding ESP images.
+
+Clone the systemready-patch repo under <_workspace. Then, change directory to where the script `create_keys_and_sign.sh` is and execute the script as follows:
+
+::
+
+ git clone https://git.gitlab.arm.com/arm-reference-solutions/systemready-patch.git -b CORSTONE1000-2024.06
+ cd systemready-patch/embedded-a/corstone1000/secureboot/
+
+**NOTE:** The efitools package is required to execute the script. Install the efitools package on your system, if it doesn't exist.
+
+The script is responsible to create the required UEFI secureboot keys, sign the kernel images and copy the public keys and the kernel images (both signed and unsigned) to the ESP image for both the FVP and FPGA.
+
+::
+
+ ./create_keys_and_sign.sh -w <Absolute path to <workdir> directory under which sources have been compiled> -v <certification validity in days>
+ For ex: ./create_keys_and_sign.sh -w "/home/xyz/workspace/meta-arm" -v 365
+ For help: ./create_keys_and_sign.sh -h
+
+**NOTE:** The above script is interactive and contains some commands that would require sudo password/permissions.
+
+After executing the above script, the relevant keys and the signed/unsigned kernel images will be copied to the ESP images for both the FVP and FGPA. The modified ESP images can be found at the same location i.e.
+
+::
+
+ For MPS3 FPGA : _workspace/meta-arm/build/tmp/deploy/images/corstone1000-mps3/corstone1000-esp-image-corstone1000-mps3.wic
+ For FVP : _workspace/meta-arm/build/tmp/deploy/images/corstone1000-fvp/corstone1000-esp-image-corstone1000-fvp.wic
+
+Now, it is time to test the SB for the Corstone-1000
+
+
+***********************************************************
+Steps to test SB on FVP
+***********************************************************
+Now, as mentioned in the previous section **Prepare EFI System Partition**, the ESP image will be used automatically in the Corstone-1000 FVP as the 2nd MMC card image. Change directory to your workspace and run the FVP as follows:
+
+::
+
+ kas shell meta-arm/kas/corstone1000-fvp.yml:meta-arm/ci/debug.yml -c "../meta-arm/scripts/runfvp --terminals=xterm"
+
+When the script is executed, three terminal instances will be launched, one for the boot processor (aka Secure Enclave) processing element and two for the Host processing element. On the host side, stop the execution at the U-Boot prompt which looks like `corstone1000#`. There is a timeout of 3 seconds to stop the execution at the U-Boot prompt. At the U-Boot prompt, run the following commands:
+
+Set the current mmc device
+
+::
+
+ corstone1000# mmc dev 1
+
+Enroll the four UEFI Secureboot authenticated variables
+
+::
+
+ corstone1000# load mmc 1:1 ${loadaddr} corstone1000_secureboot_keys/PK.auth && setenv -e -nv -bs -rt -at -i ${loadaddr}:$filesize PK
+ corstone1000# load mmc 1:1 ${loadaddr} corstone1000_secureboot_keys/KEK.auth && setenv -e -nv -bs -rt -at -i ${loadaddr}:$filesize KEK
+ corstone1000# load mmc 1:1 ${loadaddr} corstone1000_secureboot_keys/db.auth && setenv -e -nv -bs -rt -at -i ${loadaddr}:$filesize db
+ corstone1000# load mmc 1:1 ${loadaddr} corstone1000_secureboot_keys/dbx.auth && setenv -e -nv -bs -rt -at -i ${loadaddr}:$filesize dbx
+
+Now, load the unsigned FVP kernel image and execute it. This unsigned kernel image should not boot and result as follows
+
+::
+
+ corstone1000# load mmc 1:1 ${loadaddr} corstone1000_secureboot_fvp_images/Image_fvp
+ corstone1000# loadm $loadaddr $kernel_addr_r $filesize
+ corstone1000# bootefi $kernel_addr_r $fdtcontroladdr
+
+ Booting /MemoryMapped(0x0,0x88200000,0x236aa00)
+ Image not authenticated
+ Loading image failed
+
+The next step is to verify the signed linux kernel image. Load the signed kernel image and execute it as follows:
+
+::
+
+ corstone1000# load mmc 1:1 ${loadaddr} corstone1000_secureboot_fvp_images/Image_fvp.signed
+ corstone1000# loadm $loadaddr $kernel_addr_r $filesize
+ corstone1000# bootefi $kernel_addr_r $fdtcontroladdr
+
+The above set of commands should result in booting of signed linux kernel image successfully.
+
+
+***********************************************************
+Steps to test SB on MPS3 FPGA
+***********************************************************
+Now, as mentioned in the previous section **Prepare EFI System Partition**, the ESP image for MPS3 FPGA needs to be copied to the USB drive.
+Follow the steps mentioned in the same section for MPS3 FPGA to prepare the USB drive with the ESP image. The modified ESP image corresponds to MPS3 FPGA can be found at the location as mentioned before i.e. `_workspace/meta-arm/build/tmp/deploy/images/corstone1000-mps3/corstone1000-esp-image-corstone1000-mps3.wic`.
+Insert this USB drive to the MPS3 FPGA and boot, and stop the execution at the U-Boot prompt similar to the FVP. At the U-Boot prompt, run the following commands:
+
+Reset the USB
+
+::
+
+ corstone1000# usb reset
+ resetting USB...
+ Bus usb@40200000: isp1763 bus width: 16, oc: not available
+ USB ISP 1763 HW rev. 32 started
+ scanning bus usb@40200000 for devices... port 1 high speed
+ 3 USB Device(s) found
+ scanning usb for storage devices... 1 Storage Device(s) found
+
+**NOTE:** Sometimes, the usb reset doesn't recognize the USB device. It is recomended to rerun the usb reset command.
+
+Set the current USB device
+
+::
+
+ corstone1000# usb dev 0
+
+Enroll the four UEFI Secureboot authenticated variables
+
+::
+
+ corstone1000# load usb 0 $loadaddr corstone1000_secureboot_keys/PK.auth && setenv -e -nv -bs -rt -at -i $loadaddr:$filesize PK
+ corstone1000# load usb 0 $loadaddr corstone1000_secureboot_keys/KEK.auth && setenv -e -nv -bs -rt -at -i $loadaddr:$filesize KEK
+ corstone1000# load usb 0 $loadaddr corstone1000_secureboot_keys/db.auth && setenv -e -nv -bs -rt -at -i $loadaddr:$filesize db
+ corstone1000# load usb 0 $loadaddr corstone1000_secureboot_keys/dbx.auth && setenv -e -nv -bs -rt -at -i $loadaddr:$filesize dbx
+
+
+Now, load the unsigned MPS3 FPGA linux kernel image and execute it. This unsigned kernel image should not boot and result as follows
+
+::
+
+ corstone1000# load usb 0 $loadaddr corstone1000_secureboot_mps3_images/Image_mps3
+ corstone1000# loadm $loadaddr $kernel_addr_r $filesize
+ corstone1000# bootefi $kernel_addr_r $fdtcontroladdr
+
+ Booting /MemoryMapped(0x0,0x88200000,0x236aa00)
+ Image not authenticated
+ Loading image failed
+
+The next step is to verify the signed linux kernel image. Load the signed kernel image and execute it as follows:
+
+::
+
+ corstone1000# load usb 0 $loadaddr corstone1000_secureboot_mps3_images/Image_mps3.signed
+ corstone1000# loadm $loadaddr $kernel_addr_r $filesize
+ corstone1000# bootefi $kernel_addr_r $fdtcontroladdr
+
+The above set of commands should result in booting of signed linux kernel image successfully.
+
+***********************************************************
+Steps to disable Secureboot on both FVP and MPS3 FPGA
+***********************************************************
+Now, after testing the SB, UEFI authenticated variables get stored in the secure flash. When you try to reboot, the U-Boot will automatically read the UEFI authenticated variables and authenticates the images before executing them. In normal booting scenario, the linux kernel images will not be signed and hence this will not allow the system to boot, as image authentication will fail. We need to delete the Platform Key (one of the UEFI authenticated variable for SB) in order to disable the SB. At the U-Boot prompt, run the following commands.
+
+On the FVP
+
+::
+
+ corstone1000# mmc dev 1
+ corstone1000# load mmc 1:1 $loadaddr corstone1000_secureboot_keys/PK_delete.auth && setenv -e -nv -bs -rt -at -i $loadaddr:$filesize PK
+ corstone1000# boot
+
+On the MPS3 FPGA
+
+::
+
+ corstone1000# usb reset
+ corstone1000# usb dev 0
+ corstone1000# load usb 0 $loadaddr corstone1000_secureboot_keys/PK_delete.auth && setenv -e -nv -bs -rt -at -i $loadaddr:$filesize PK
+ corstone1000# boot
+
+The above commands will delete the Platform key (PK) and allow the normal system boot flow without SB.
+
+
+Testing the External System
+---------------------------
+
+During Linux boot the remoteproc subsystem automatically starts
+the external system.
+
+The external system can be switched on/off on demand with the following commands:
+
+::
+
+ echo stop > /sys/class/remoteproc/remoteproc0/state
+
+::
+
+ echo start > /sys/class/remoteproc/remoteproc0/state
+
+Tests results
+-------------
+
+As a reference for the end user, reports for various tests for `Corstone-1000 software (CORSTONE1000-2024.06) <https://git.yoctoproject.org/meta-arm/tag/?h=CORSTONE1000-2024.06>`__
+can be found `here <https://gitlab.arm.com/arm-reference-solutions/arm-reference-solutions-test-report/-/tree/CORSTONE1000-2024.06/embedded-a/corstone1000/CORSTONE1000-2024.06?ref_type=tags>`__.
--------------
diff --git a/meta-arm/meta-arm-bsp/lib/oeqa/runtime/cases/parselogs-ignores-sbsa-ref.txt b/meta-arm/meta-arm-bsp/lib/oeqa/runtime/cases/parselogs-ignores-sbsa-ref.txt
new file mode 100644
index 0000000000..dd47799603
--- /dev/null
+++ b/meta-arm/meta-arm-bsp/lib/oeqa/runtime/cases/parselogs-ignores-sbsa-ref.txt
@@ -0,0 +1,5 @@
+# The release of EDK2 after 202402 should fix this
+NUMA: Failed to initialise from firmware
+
+# TODO: we should be using bochsdrm over efifb?
+efifb: cannot reserve video memory at 0x80000000
diff --git a/meta-arm/meta-arm-bsp/recipes-bsp/boot-wrapper-aarch64/boot-wrapper-aarch64_%.bbappend b/meta-arm/meta-arm-bsp/recipes-bsp/boot-wrapper-aarch64/boot-wrapper-aarch64_%.bbappend
new file mode 100644
index 0000000000..0e2812eab5
--- /dev/null
+++ b/meta-arm/meta-arm-bsp/recipes-bsp/boot-wrapper-aarch64/boot-wrapper-aarch64_%.bbappend
@@ -0,0 +1 @@
+COMPATIBLE_MACHINE:fvp-base = "fvp-base"
diff --git a/meta-arm/meta-arm-bsp/recipes-bsp/external-system/external-system_0.1.0.bb b/meta-arm/meta-arm-bsp/recipes-bsp/external-system/external-system_0.1.0.bb
index 18649ceeaf..8bd1161638 100644
--- a/meta-arm/meta-arm-bsp/recipes-bsp/external-system/external-system_0.1.0.bb
+++ b/meta-arm/meta-arm-bsp/recipes-bsp/external-system/external-system_0.1.0.bb
@@ -38,15 +38,20 @@ do_compile() {
do_compile[cleandirs] = "${B}"
do_install() {
- install -D -p -m 0644 ${B}/product/${PRODUCT}/firmware/release/bin/firmware.bin ${D}/firmware/es_flashfw.bin
+ install -D -p -m 0644 ${B}/product/${PRODUCT}/firmware/release/bin/firmware.bin ${D}${nonarch_base_libdir}/firmware/es_flashfw.bin
+ install -D -p -m 0644 ${B}/product/${PRODUCT}/firmware/release/bin/firmware.elf ${D}${nonarch_base_libdir}/firmware/es_flashfw.elf
}
-FILES:${PN} = "/firmware"
-SYSROOT_DIRS += "/firmware"
+FILES:${PN} = "${nonarch_base_libdir}/firmware/es_flashfw.bin"
+FILES:${PN}-elf = "${nonarch_base_libdir}/firmware/es_flashfw.elf"
+PACKAGES += "${PN}-elf"
+INSANE_SKIP:${PN}-elf += "arch"
+
+SYSROOT_DIRS += "${nonarch_base_libdir}/firmware"
inherit deploy
do_deploy() {
- cp -rf ${D}/firmware/* ${DEPLOYDIR}/
+ cp -rf ${D}${nonarch_base_libdir}/firmware/* ${DEPLOYDIR}/
}
addtask deploy after do_install
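Review bot: `INSANE_SKIP:${PN}-elf += "arch"` silences the architecture QA check for the new ${PN}-elf package without saying why, and nothing else in the hunk explains the package either; a one-line comment above it, e.g. `# es_flashfw.elf is built for the external system core rather than ${TARGET_ARCH}, so the arch QA check does not apply`, would stop the next maintainer from dropping the skip. That the ELF targets a different core than the host is only inferred from the recipe name, so confirm it before wording the comment. Note also that the glob in do_deploy now copies es_flashfw.elf into DEPLOYDIR alongside the .bin; this looks intentional (presumably for symbol loading on the FVP) but deserves a comment so it is not mistaken for a stray artefact.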
diff --git a/meta-arm/meta-arm-bsp/recipes-bsp/images/corstone1000-esp-image.bb b/meta-arm/meta-arm-bsp/recipes-bsp/images/corstone1000-esp-image.bb
new file mode 100644
index 0000000000..bd1a206a81
--- /dev/null
+++ b/meta-arm/meta-arm-bsp/recipes-bsp/images/corstone1000-esp-image.bb
@@ -0,0 +1,25 @@
+SUMMARY = "Corstone1000 platform esp Image"
+DESCRIPTION = "This builds a simple image file that only contains an esp \
+ partition for use when running the SystemReady IR ACS tests."
+LICENSE = "MIT"
+
+COMPATIBLE_MACHINE = "corstone1000"
+
+# IMAGE_FSTYPES must be set before 'inherit image'
+# https://docs.yoctoproject.org/ref-manual/variables.html#term-IMAGE_FSTYPES
+IMAGE_FSTYPES = "wic"
+
+inherit image
+
+IMAGE_FEATURES = ""
+IMAGE_LINGUAS = ""
+
+PACKAGE_INSTALL = ""
+
+# This builds a very specific image so we can ignore any customization
+WKS_FILE = "efi-disk-esp-only.wks.in"
+WKS_FILE:firmware = "efi-disk-esp-only.wks.in"
+
+EXTRA_IMAGEDEPENDS = ""
+# Don't write an fvp configuration file for this image as it can't run
+IMAGE_POSTPROCESS_COMMAND:remove = "do_write_fvpboot_conf;"
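Review bot: The DESCRIPTION at the top of the new recipe limits this image to the SystemReady IR ACS tests, but the user guide changed in the same commit also uses `corstone1000-esp-image-corstone1000-<fvp/mps3>.wic` as the carrier for the UEFI Secure Boot keys and the signed/unsigned kernels; widen it, e.g. `DESCRIPTION = "A minimal image containing only an ESP partition, used by the SystemReady IR ACS tests and the UEFI Secure Boot test flow."`. WKS_FILE and WKS_FILE:firmware carry the same value; if the :firmware override is there because the machine configuration sets its own WKS_FILE:firmware, a short comment saying so would explain the apparent duplication.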
diff --git a/meta-arm/meta-arm-bsp/recipes-bsp/images/corstone1000-firmware-deploy-image.inc b/meta-arm/meta-arm-bsp/recipes-bsp/images/corstone1000-firmware-deploy-image.inc
index 2d192745fd..f959573d80 100644
--- a/meta-arm/meta-arm-bsp/recipes-bsp/images/corstone1000-firmware-deploy-image.inc
+++ b/meta-arm/meta-arm-bsp/recipes-bsp/images/corstone1000-firmware-deploy-image.inc
@@ -3,7 +3,7 @@ COMPATIBLE_MACHINE = "corstone1000"
FIRMWARE_BINARIES = "corstone1000-flash-firmware-image-${MACHINE}.wic \
bl1.bin \
es_flashfw.bin \
- corstone1000-flash-firmware-image-${MACHINE}.wic.uefi.capsule \
+ ${CAPSULE_NAME}.${CAPSULE_EXTENSION} \
corstone1000_capsule_cert.crt \
corstone1000_capsule_key.key \
"
diff --git a/meta-arm/meta-arm-bsp/recipes-bsp/images/corstone1000-flash-firmware-image.bb b/meta-arm/meta-arm-bsp/recipes-bsp/images/corstone1000-flash-firmware-image.bb
index 73fc17664d..4a32192d6a 100644
--- a/meta-arm/meta-arm-bsp/recipes-bsp/images/corstone1000-flash-firmware-image.bb
+++ b/meta-arm/meta-arm-bsp/recipes-bsp/images/corstone1000-flash-firmware-image.bb
@@ -1,4 +1,4 @@
-SUMARY = "Corstone1000 platform Image"
+SUMMARY = "Corstone1000 platform Image"
DESCRIPTION = "This is the main image which is the container of all the binaries \
generated for the Corstone1000 platform."
LICENSE = "MIT"
@@ -12,10 +12,12 @@ IMAGE_FSTYPES = "wic uefi_capsule"
inherit image
inherit tfm_sign_image
inherit uefi_capsule
+inherit deploy
DEPENDS += "external-system \
trusted-firmware-a \
trusted-firmware-m \
+ u-boot \
"
IMAGE_FEATURES = ""
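Review bot: `DEPENDS += "u-boot"` only expresses a dependency on u-boot:do_populate_sysroot, while what this recipe consumes from U-Boot are `corstone1000_capsule_cert.crt` and `corstone1000_capsule_key.key` read from ${DEPLOY_DIR_IMAGE} (set a few lines further down, where the comment says they are installed by the U-Boot recipe). If those files are produced by U-Boot's do_deploy, the precise dependency is the task-level form this same file uses for the kernel, i.e. `do_image_uefi_capsule[depends] += " u-boot:do_deploy"`; otherwise the capsule task can run against a stale or missing key on a partially rebuilt tree. If the uefi_capsule class already adds that task dependency, a comment saying so next to the DEPENDS line would save the next reader the lookup.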
@@ -23,9 +25,21 @@ IMAGE_LINGUAS = ""
PACKAGE_INSTALL = ""
-UEFI_FIRMWARE_BINARY = "${IMAGE_LINK_NAME}.${CAPSULE_IMGTYPE}"
-UEFI_CAPSULE_CONFIG = "${THISDIR}/files/${PN}-capsule-update-image.json"
-CAPSULE_IMGTYPE = "wic"
+# The generated ${MACHINE}_image.nopt is used instead of the default wic image
+# for the capsule generation. The uefi.capsule image type doesn't have to
+# depend on the wic because of this.
+#
+# The corstone1000_capsule_cert.crt and corstone1000_capsule_key.key are installed
+# by the U-Boot recipe so this recipe has to depend on that.
+CAPSULE_IMGTYPE = ""
+CAPSULE_CERTIFICATE_PATH = "${DEPLOY_DIR_IMAGE}/corstone1000_capsule_cert.crt"
+CAPSULE_GUID:corstone1000-fvp ?= "989f3a4e-46e0-4cd0-9877-a25c70c01329"
+CAPSULE_GUID:corstone1000-mps3 ?= "df1865d1-90fb-4d59-9c38-c9f2c1bba8cc"
+CAPSULE_IMGLOCATION = "${DEPLOY_DIR_IMAGE}"
+CAPSULE_INDEX = "1"
+CAPSULE_MONOTONIC_COUNT = "1"
+CAPSULE_PRIVATE_KEY_PATH = "${DEPLOY_DIR_IMAGE}/corstone1000_capsule_key.key"
+UEFI_FIRMWARE_BINARY = "${B}/${MACHINE}_image.nopt"
# TF-A settings for signing host images
TFA_BL2_BINARY = "bl2-corstone1000.bin"
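Review bot: CAPSULE_PRIVATE_KEY_PATH and CAPSULE_CERTIFICATE_PATH are hard assignments (`=`) pointing at a key that the build itself places in ${DEPLOY_DIR_IMAGE}, while the two CAPSULE_GUID lines just above use `?=`; a distro or local.conf that wants to sign capsules with a key held outside the build tree cannot override the path without a bbappend. Making them `?=` like the GUIDs, e.g. `CAPSULE_PRIVATE_KEY_PATH ?= "${DEPLOY_DIR_IMAGE}/corstone1000_capsule_key.key"`, and adding a comment that the deployed key is a development key not meant for production capsules, would make the intended trust boundary explicit. CAPSULE_MONOTONIC_COUNT is likewise pinned to `1`; whether the device enforces the counter is not visible in this diff, so a confirming comment is more appropriate there than a change.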
@@ -38,6 +52,11 @@ RE_LAYOUT_WRAPPER_VERSION = "0.0.7"
TFM_SIGN_PRIVATE_KEY = "${libdir}/tfm-scripts/root-RSA-3072_1.pem"
RE_IMAGE_OFFSET = "0x1000"
+# Offsets for the .nopt image generation
+TFM_OFFSET = "102400"
+FIP_OFFSET = "479232"
+KERNEL_OFFSET = "2576384"
+
do_sign_images() {
# Sign TF-A BL2
sign_host_image ${RECIPE_SYSROOT}/firmware/${TFA_BL2_BINARY} \
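Review bot: TFM_OFFSET, FIP_OFFSET and KERNEL_OFFSET are byte offsets (the dd calls later in this diff use them with `bs=1`), but the comment only says "Offsets for the .nopt image generation"; the layout they encode — 100 KiB for BL2, 368 KiB for TF-M, 2 MiB for the FIP before the kernel — is what a reader must compare against the partition sizes the signing step assumes. Suggest `# Byte offsets of each component in ${MACHINE}_image.nopt (first bank only); the gap before each offset is that slot's maximum size` above the three assignments. Style: RE_IMAGE_OFFSET two lines up is written in hex while these are decimal; pick one form.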
@@ -56,3 +75,22 @@ do_sign_images() {
do_sign_images[depends] = "\
fiptool-native:do_populate_sysroot \
"
+
+# This .nopt image is not the same as the one which is generated by meta-arm/meta-arm/classes/wic_nopt.bbclass.
+# The meta-arm/meta-arm/classes/wic_nopt.bbclass removes the partition table from the wic image, but keeps the
+# second bank. This function creates a no-partition image with only the first bank.
+create_nopt_image() {
+ dd conv=notrunc bs=1 if=${DEPLOY_DIR_IMAGE}/bl2_signed.bin of=${B}/${MACHINE}_image.nopt
+ dd conv=notrunc bs=1 if=${DEPLOY_DIR_IMAGE}/tfm_s_signed.bin of=${B}/${MACHINE}_image.nopt seek=${TFM_OFFSET}
+ dd conv=notrunc bs=1 if=${DEPLOY_DIR_IMAGE}/signed_fip-corstone1000.bin of=${B}/${MACHINE}_image.nopt seek=${FIP_OFFSET}
+ dd conv=notrunc bs=1 if=${DEPLOY_DIR_IMAGE}/Image.gz-initramfs-${MACHINE}.bin of=${B}/${MACHINE}_image.nopt seek=${KERNEL_OFFSET}
+}
+do_image_uefi_capsule[depends] += " linux-yocto:do_deploy"
+do_image_uefi_capsule[mcdepends] += " ${@bb.utils.contains('BBMULTICONFIG', 'firmware', 'mc::firmware:linux-yocto:do_deploy', '', d)}"
+do_image_uefi_capsule[prefuncs] += "create_nopt_image"
+
+do_deploy() {
+ install -m 0755 ${B}/${MACHINE}_image.nopt ${DEPLOYDIR}
+}
+
+addtask deploy after do_image_uefi_capsule
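Review bot: create_nopt_image never checks that a component fits its slot, and `dd conv=notrunc` reports nothing when tfm_s_signed.bin grows past FIP_OFFSET or the FIP past KERNEL_OFFSET — the next component is simply overwritten and the resulting capsule installs a corrupt image. Because `conv=notrunc` also never truncates, a stale ${MACHINE}_image.nopt left in ${B} from an earlier run keeps its trailing bytes when a component shrinks, so the file should be removed first. do_deploy installs a firmware image with mode 0755; `install -m 0644` is what a data file wants. The kernel image has no upper bound visible in this hunk, so it is left unchecked below.

```bitbake
create_nopt_image() {
    # Start from an empty file: conv=notrunc below never truncates, so a
    # stale image from a previous run would otherwise leak into this one.
    rm -f ${B}/${MACHINE}_image.nopt

    # Each input must fit in its slot; dd conv=notrunc would otherwise
    # overwrite the start of the next component without any error.
    check_fits() {
        [ "$(stat -c %s "$1")" -le "$2" ] || bbfatal "$1 exceeds its $2-byte slot in ${MACHINE}_image.nopt"
    }
    check_fits ${DEPLOY_DIR_IMAGE}/bl2_signed.bin ${TFM_OFFSET}
    check_fits ${DEPLOY_DIR_IMAGE}/tfm_s_signed.bin $((${FIP_OFFSET} - ${TFM_OFFSET}))
    check_fits ${DEPLOY_DIR_IMAGE}/signed_fip-corstone1000.bin $((${KERNEL_OFFSET} - ${FIP_OFFSET}))

    # … unchanged: the four dd invocations …
}
```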
diff --git a/meta-arm/meta-arm-bsp/recipes-bsp/images/corstone1000-recovery-image.bb b/meta-arm/meta-arm-bsp/recipes-bsp/images/corstone1000-recovery-image.bb
new file mode 100644
index 0000000000..5ee9adfb8c
--- /dev/null
+++ b/meta-arm/meta-arm-bsp/recipes-bsp/images/corstone1000-recovery-image.bb
@@ -0,0 +1,7 @@
+require recipes-core/images/core-image-minimal.bb
+
+# The core-image-minimal is used for the initramfs bundle for the
+# Corstone1000 but the testimage task caused hanging errors. This is
+# why the core-image-minimal is forked here so the testimage task can
+# be disabled as it is not relevant for the Corstone1000.
+IMAGE_CLASSES:remove = "testimage"
diff --git a/meta-arm/meta-arm-bsp/recipes-bsp/images/files/corstone1000-flash-firmware-image-capsule-update-image.json b/meta-arm/meta-arm-bsp/recipes-bsp/images/files/corstone1000-flash-firmware-image-capsule-update-image.json
deleted file mode 100644
index 0f011ff740..0000000000
--- a/meta-arm/meta-arm-bsp/recipes-bsp/images/files/corstone1000-flash-firmware-image-capsule-update-image.json
+++ /dev/null
@@ -1,11 +0,0 @@
-{
- "Payloads": [
- {
- "FwVersion": "5",
- "Guid": "e2bb9c06-70e9-4b14-97a3-5a7913176e3f",
- "LowestSupportedVersion": "1",
- "Payload": "$UEFI_FIRMWARE_BINARY",
- "UpdateImageIndex": "0"
- }
- ]
-}
diff --git a/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/files/corstone1000/0004-fix-corstone1000-remove-unused-NS_SHARED_RAM-region.patch b/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/files/corstone1000/0004-fix-corstone1000-remove-unused-NS_SHARED_RAM-region.patch
new file mode 100644
index 0000000000..6028204860
--- /dev/null
+++ b/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/files/corstone1000/0004-fix-corstone1000-remove-unused-NS_SHARED_RAM-region.patch
@@ -0,0 +1,92 @@
+From 19600e6718e1a5b2ac8ec27d471acdafce0e433e Mon Sep 17 00:00:00 2001
+From: Emekcan Aras <Emekcan.Aras@arm.com>
+Date: Thu, 25 Apr 2024 11:30:58 +0100
+Subject: [PATCH] fix(corstone1000): remove unused NS_SHARED_RAM region
+
+After enabling additional features in Trusted Services, the size of BL32 image
+(OP-TEE + Trusted Services SPs) is larger now. To create more space in secure RAM
+for BL32 image, this patch removes NS_SHARED_RAM region which is not currently used by
+corstone1000 platform.
+
+Signed-off-by: Emekcan Aras <Emekcan.Aras@arm.com>
+Upstream-Status: Pending
+---
+ .../corstone1000/common/corstone1000_plat.c | 1 -
+ .../common/include/platform_def.h | 19 +------------------
+ 2 files changed, 1 insertion(+), 19 deletions(-)
+
+diff --git a/plat/arm/board/corstone1000/common/corstone1000_plat.c b/plat/arm/board/corstone1000/common/corstone1000_plat.c
+index ed3801caa..a9475859a 100644
+--- a/plat/arm/board/corstone1000/common/corstone1000_plat.c
++++ b/plat/arm/board/corstone1000/common/corstone1000_plat.c
+@@ -23,7 +23,6 @@
+
+ const mmap_region_t plat_arm_mmap[] = {
+ ARM_MAP_SHARED_RAM,
+- ARM_MAP_NS_SHARED_RAM,
+ ARM_MAP_NS_DRAM1,
+ CORSTONE1000_MAP_DEVICE,
+ CORSTONE1000_EXTERNAL_FLASH,
+diff --git a/plat/arm/board/corstone1000/common/include/platform_def.h b/plat/arm/board/corstone1000/common/include/platform_def.h
+index 442d187f0..18fce4486 100644
+--- a/plat/arm/board/corstone1000/common/include/platform_def.h
++++ b/plat/arm/board/corstone1000/common/include/platform_def.h
+@@ -90,9 +90,6 @@
+ * partition size: 176 KB
+ * content: BL2
+ *
+- * <ARM_NS_SHARED_RAM_BASE> = <ARM_TRUSTED_SRAM_BASE> + 1 MB
+- * partition size: 512 KB
+- * content: BL33 (u-boot)
+ */
+
+ /* DDR memory */
+@@ -117,11 +114,7 @@
+ /* The remaining Trusted SRAM is used to load the BL images */
+ #define TOTAL_SRAM_SIZE (SZ_4M) /* 4 MB */
+
+-/* Last 512KB of CVM is allocated for shared RAM as an example openAMP */
+-#define ARM_NS_SHARED_RAM_SIZE (512 * SZ_1K)
+-
+ #define PLAT_ARM_TRUSTED_SRAM_SIZE (TOTAL_SRAM_SIZE - \
+- ARM_NS_SHARED_RAM_SIZE - \
+ ARM_SHARED_RAM_SIZE)
+
+ #define PLAT_ARM_MAX_BL2_SIZE (180 * SZ_1K) /* 180 KB */
+@@ -160,11 +153,6 @@
+
+ /* NS memory */
+
+-/* The last 512KB of the SRAM is allocated as shared memory */
+-#define ARM_NS_SHARED_RAM_BASE (ARM_TRUSTED_SRAM_BASE + TOTAL_SRAM_SIZE - \
+- (PLAT_ARM_MAX_BL31_SIZE + \
+- PLAT_ARM_MAX_BL32_SIZE))
+-
+ #define BL33_BASE ARM_DRAM1_BASE
+ #define PLAT_ARM_MAX_BL33_SIZE (12 * SZ_1M) /* 12 MB*/
+ #define BL33_LIMIT (ARM_DRAM1_BASE + PLAT_ARM_MAX_BL33_SIZE)
+@@ -266,7 +254,7 @@
+ #define PLAT_ARM_TRUSTED_MAILBOX_BASE ARM_TRUSTED_SRAM_BASE
+ #define PLAT_ARM_NSTIMER_FRAME_ID U(1)
+
+-#define PLAT_ARM_NS_IMAGE_BASE (ARM_NS_SHARED_RAM_BASE)
++#define PLAT_ARM_NS_IMAGE_BASE (BL33_BASE)
+
+ #define PLAT_PHY_ADDR_SPACE_SIZE (1ULL << 32)
+ #define PLAT_VIRT_ADDR_SPACE_SIZE (1ULL << 32)
+@@ -295,11 +283,6 @@
+ ARM_SHARED_RAM_SIZE, \
+ MT_MEMORY | MT_RW | MT_SECURE)
+
+-#define ARM_MAP_NS_SHARED_RAM MAP_REGION_FLAT( \
+- ARM_NS_SHARED_RAM_BASE, \
+- ARM_NS_SHARED_RAM_SIZE, \
+- MT_MEMORY | MT_RW | MT_NS)
+-
+ #define ARM_MAP_NS_DRAM1 MAP_REGION_FLAT( \
+ ARM_NS_DRAM1_BASE, \
+ ARM_NS_DRAM1_SIZE, \
+--
+2.25.1
+
+
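Review bot: The patch description says the freed SRAM is needed for a larger BL32, yet none of the hunks change PLAT_ARM_MAX_BL32_SIZE; either it is derived from PLAT_ARM_TRUSTED_SRAM_SIZE outside the shown context or the size bump belongs in this patch, and the description should say which. The last platform_def.h hunk moves PLAT_ARM_NS_IMAGE_BASE from trusted SRAM to BL33_BASE in DDR, which changes where the non-secure image is expected rather than merely dropping an unused mapping and deserves its own sentence in the commit message. The comment block hunk still leaves the remaining "partition size" description without saying what now occupies the last 512 KB of SRAM; one line there would keep the memory map comment accurate. Style: the file ends with two empty lines after `2.25.1` where the sibling patch ends with one.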
diff --git a/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/files/corstone1000/0005-fix-corstone1000-clean-the-cache-and-disable-interru.patch b/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/files/corstone1000/0005-fix-corstone1000-clean-the-cache-and-disable-interru.patch
new file mode 100644
index 0000000000..a45b657713
--- /dev/null
+++ b/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/files/corstone1000/0005-fix-corstone1000-clean-the-cache-and-disable-interru.patch
@@ -0,0 +1,46 @@
+From 37f92eeb4361626072e690adb3b0bb20db7c2fca Mon Sep 17 00:00:00 2001
+From: Emekcan Aras <Emekcan.Aras@arm.com>
+Date: Wed, 15 May 2024 13:54:51 +0100
+Subject: [PATCH] fix(corstone1000): clean the cache and disable interrupt
+ before system reset
+
+Corstone1000 does not properly clean the cache and disable gic interrupts
+before the reset. This causes a race condition especially in FVP after reset.
+This adds proper sequence before resetting the platform.
+
+Signed-off-by: Emekcan Aras <Emekcan.Aras@arm.com>
+Upstream-Status: Pending
+---
+ plat/arm/board/corstone1000/common/corstone1000_pm.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/plat/arm/board/corstone1000/common/corstone1000_pm.c b/plat/arm/board/corstone1000/common/corstone1000_pm.c
+index 4b0a791e7..a52e945bf 100644
+--- a/plat/arm/board/corstone1000/common/corstone1000_pm.c
++++ b/plat/arm/board/corstone1000/common/corstone1000_pm.c
+@@ -7,6 +7,7 @@
+ #include <lib/psci/psci.h>
+ #include <plat/arm/common/plat_arm.h>
+ #include <platform_def.h>
++#include <drivers/arm/gicv2.h>
+ /*******************************************************************************
+ * Export the platform handlers via plat_arm_psci_pm_ops. The ARM Standard
+ * platform layer will take care of registering the handlers with PSCI.
+@@ -18,6 +19,14 @@ static void __dead2 corstone1000_system_reset(void)
+ uint32_t volatile * const watchdog_ctrl_reg = (uint32_t *) SECURE_WATCHDOG_ADDR_CTRL_REG;
+ uint32_t volatile * const watchdog_val_reg = (uint32_t *) SECURE_WATCHDOG_ADDR_VAL_REG;
+
++ /* Flush and invalidate data cache */
++ dcsw_op_all(DCCISW);
++ /*
++ * Disable GIC CPU interface to prevent pending interrupt
++ * from waking up the AP from WFI.
++ */
++ gicv2_cpuif_disable();
++
+ *(watchdog_val_reg) = SECURE_WATCHDOG_COUNTDOWN_VAL;
+ *watchdog_ctrl_reg = SECURE_WATCHDOG_MASK_ENABLE;
+ while (1) {
+--
+2.25.1
+
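Review bot: The new `#include <drivers/arm/gicv2.h>` in corstone1000_pm.c is placed after `<platform_def.h>`, breaking the sorted include order the surrounding lines follow; move it above `<lib/psci/psci.h>`. `dcsw_op_all()` and `DCCISW` are not declared by that header — if they are not already reaching this file through `plat_arm.h`, an `#include <arch_helpers.h>` is needed as well, which a build with the platform's warnings enabled would confirm. The commit message attributes the problem to "a race condition especially in FVP" without naming what raced or the observed symptom; one sentence on that would help whoever next touches the reset path. corstone1000_system_reset continues outside the hunk.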
diff --git a/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/files/fvp-base/optee_spmc_maifest.dts b/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/files/fvp-base/optee_spmc_maifest.dts
new file mode 100644
index 0000000000..748da3098b
--- /dev/null
+++ b/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/files/fvp-base/optee_spmc_maifest.dts
@@ -0,0 +1,116 @@
+/* SPDX-License-Identifier: BSD-3-Clause */
+/*
+ * Copyright (c) 2022-2023, Arm Limited. All rights reserved.
+ */
+
+
+/*
+ * The content of the SPMC manifest may depend on integration settings like the
+ * set of deployed SP. This information lives in the integration system and
+ * hence this file should be store in meta-arm. This avoids indirect
+ * dependencies between integration systems using the same file which would
+ * enforce some from of cooperation.
+ */
+
+/dts-v1/;
+
+/ {
+ compatible = "arm,ffa-core-manifest-1.0";
+ #address-cells = <2>;
+ #size-cells = <1>;
+
+ attribute {
+ spmc_id = <0x8000>;
+ maj_ver = <0x1>;
+ min_ver = <0x0>;
+ exec_state = <0x0>;
+ load_address = <0x0 0x6000000>;
+ entrypoint = <0x0 0x6000000>;
+ binary_size = <0x80000>;
+ };
+
+/*
+ * This file will be preprocessed by TF-A's build system. If Measured Boot is
+ * enabled in TF-A's config, the build system will add the MEASURED_BOOT=1 macro
+ * to the preprocessor arguments.
+ */
+#if MEASURED_BOOT
+ tpm_event_log {
+ compatible = "arm,tpm_event_log";
+ tpm_event_log_addr = <0x0 0x0>;
+ tpm_event_log_size = <0x0>;
+ tpm_event_log_max_size = <0x0>;
+ };
+#endif
+
+/* If the ARM_BL2_SP_LIST_DTS is defined, SPs should be loaded from FIP */
+#ifdef ARM_BL2_SP_LIST_DTS
+ sp_packages {
+ compatible = "arm,sp_pkg";
+#if !SPMC_TESTS
+ block_storage {
+ uuid = <0x806e6463 0x2f4652eb 0xdf8c4fac 0x9c518739>;
+ load-address = <0x0 0x7a00000>;
+ };
+ internal_trusted_storage {
+ uuid = <0x48ef1edc 0xcf4c7ab1 0xcfdf8bac 0x141b71f7>;
+ load-address = <0x0 0x7a80000>;
+ };
+
+ protected_storage_sp {
+ uuid = <0x01f81b75 0x6847de3d 0x100f14a5 0x9017edae>;
+ load-address = <0x0 0x7b00000>;
+ };
+
+ crypto_sp {
+ uuid = <0xd552dfd9 0xb24ba216 0x6dd2a49a 0xc0e8843b>;
+ load-address = <0x0 0x7b80000>;
+ };
+
+#if MEASURED_BOOT
+ initial_attestation_sp {
+ uuid = <0x55f1baa1 0x95467688 0x95547c8f 0x74b98d5e>;
+ load-address = <0x0 0x7c80000>;
+ };
+#endif
+
+#if TS_SMM_GATEWAY
+ smm_gateway {
+ uuid = <0x33d532ed 0x0942e699 0x722dc09c 0xa798d9cd>;
+ load-address = <0x0 0x7d00000>;
+ };
+#endif /* TS_SMM_GATEWAY */
+
+#if TS_FW_UPDATE
+ fwu {
+ uuid = <0x38a82368 0x0e47061b 0xce0c7497 0xfd53fb8b>;
+ load-address = <0x0 0x7d80000>;
+ };
+#endif /* TS_FW_UPDATE */
+
+#else /* SPMC_TESTS */
+ test_sp1 {
+ uuid = <0xc3db9e5c 0x67433a7b 0x197c839f 0x376ae81a>;
+ load-address = <0x0 0x7a00000>;
+ };
+
+ test_sp2 {
+ uuid = <0x4c161778 0x1a4d0cc4 0xb29b7a86 0x1af48c27>;
+ load-address = <0x0 0x7a20000>;
+ };
+
+ test_sp3 {
+ uuid = <0x0001eb23 0x97442ae3 0x112f5290 0xa6af84e5>;
+ load-address = <0x0 0x7a40000>;
+ };
+
+ test_sp4 {
+ /* SP binary UUID */
+ uuid = <0xed623742 0x6f407277 0x270cd899 0xf8bb0ada>;
+ load-address = <0x0 0x7a80000>;
+ };
+#endif /* SPMC_TESTS */
+
+ };
+#endif /* ARM_BL2_SP_LIST_DTS */
+};
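Review bot: The file name `optee_spmc_maifest.dts` misspells "manifest", and the typo is repeated where the file is referenced in trusted-firmware-a-fvp-base.inc (the `file://` entry and TFA_ARM_SPMC_MANIFEST_DTS), so fixing it now costs three edits and later costs more. The header comment also needs `hence this file should be stored in meta-arm` and `enforce some form of cooperation`. The zeroed `tpm_event_log_addr`, `tpm_event_log_size` and `tpm_event_log_max_size` under `#if MEASURED_BOOT` presumably rely on TF-A filling them in at boot; if so, a one-line comment such as `/* Placeholders: TF-A writes the event log location at boot */` would stop readers from treating them as configuration — please confirm before adding it.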
diff --git a/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/fiptool-native_2.9.0.bb b/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/fiptool-native_2.9.0.bb
deleted file mode 100644
index 58ee1dcac0..0000000000
--- a/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/fiptool-native_2.9.0.bb
+++ /dev/null
@@ -1,33 +0,0 @@
-# Firmware Image Package (FIP)
-# It is a packaging format used by TF-A to package the
-# firmware images in a single binary.
-
-DESCRIPTION = "fiptool - Trusted Firmware tool for packaging"
-LICENSE = "BSD-3-Clause"
-
-SRC_URI_TRUSTED_FIRMWARE_A ?= "git://git.trustedfirmware.org/TF-A/trusted-firmware-a.git;protocol=https"
-SRC_URI = "${SRC_URI_TRUSTED_FIRMWARE_A};destsuffix=fiptool-${PV};branch=${SRCBRANCH}"
-LIC_FILES_CHKSUM = "file://docs/license.rst;md5=b2c740efedc159745b9b31f88ff03dde"
-
-# Use fiptool from TF-A v2.9.0
-SRCREV = "d3e71ead6ea5bc3555ac90a446efec84ef6c6122"
-SRCBRANCH = "master"
-
-DEPENDS += "openssl-native"
-
-inherit native
-
-EXTRA_OEMAKE = "V=1 HOSTCC='${BUILD_CC}' OPENSSL_DIR=${STAGING_DIR_NATIVE}/${prefix_native}"
-
-do_compile () {
- # This is still needed to have the native fiptool executing properly by
- # setting the RPATH
- sed -i '/^LDLIBS/ s,$, \$\{BUILD_LDFLAGS},' ${S}/tools/fiptool/Makefile
- sed -i '/^INCLUDE_PATHS/ s,$, \$\{BUILD_CFLAGS},' ${S}/tools/fiptool/Makefile
-
- oe_runmake fiptool
-}
-
-do_install () {
- install -D -p -m 0755 tools/fiptool/fiptool ${D}${bindir}/fiptool
-}
diff --git a/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a-corstone1000.inc b/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a-corstone1000.inc
index e061b94480..f5737ca47c 100644
--- a/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a-corstone1000.inc
+++ b/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a-corstone1000.inc
@@ -7,6 +7,8 @@ SRC_URI:append = " \
file://0001-Fix-FF-A-version-in-SPMC-manifest.patch \
file://0002-fix-corstone1000-pass-spsr-value-explicitly.patch \
file://0003-fix-spmd-remove-EL3-interrupt-registration.patch \
+ file://0004-fix-corstone1000-remove-unused-NS_SHARED_RAM-region.patch \
+ file://0005-fix-corstone1000-clean-the-cache-and-disable-interru.patch \
"
TFA_DEBUG = "1"
diff --git a/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a-fvp-base.inc b/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a-fvp-base.inc
index 5fafe292d8..4c37f7cb72 100644
--- a/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a-fvp-base.inc
+++ b/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a-fvp-base.inc
@@ -4,17 +4,62 @@
# Armv8-A Base Platform FVP
#
-FILESEXTRAPATHS:prepend := "${THISDIR}/files/:"
-SRC_URI:append = " file://0001-fdts-fvp-base-Add-stdout-path-and-virtio-net-and-rng.patch"
+FILESEXTRAPATHS:prepend := "${THISDIR}/files/:${THISDIR}/files/fvp-base"
+SRC_URI:append = " \
+ file://0001-fdts-fvp-base-Add-stdout-path-and-virtio-net-and-rng.patch \
+ file://optee_spmc_maifest.dts;subdir=git/plat/arm/board/fvp/fdts \
+"
+
+# OP-TEE SPMC related configuration
+SPMC_IS_OPTEE = "${@bb.utils.contains('MACHINE_FEATURES', 'arm-ffa', '0' \
+ if d.getVar('SEL2_SPMC') == '1' else '1', '0', d)}"
+# Configure the SPMC manifest file.
+TFA_ARM_SPMC_MANIFEST_DTS = "${@oe.utils.conditional('SPMC_IS_OPTEE', '1', \
+ '${S}/plat/arm/board/fvp/fdts/optee_spmc_maifest.dts', '', d)}"
+EXTRA_OEMAKE += "${@bb.utils.contains('MACHINE_FEATURES','arm-ffa', \
+ 'ARM_SPMC_MANIFEST_DTS=${TFA_ARM_SPMC_MANIFEST_DTS}' \
+ if d.getVar('TFA_ARM_SPMC_MANIFEST_DTS') else '', '', d)}"
+
+# Set OP-TEE SPMC specific TF-A config settings
+TFA_SPMD_SPM_AT_SEL2 := '0'
+TFA_SPD := "${@oe.utils.conditional('SPMC_IS_OPTEE', '1', 'spmd', \
+ d.getVar('TFA_SPD'), d)}"
+DEPENDS += " ${@oe.utils.conditional('SPMC_IS_OPTEE', '1', 'optee-os', '', d)}"
+
+# Configure measured boot if the attestation SP is deployed.
+TFA_MB_FLAGS += " \
+ ARM_ROTPK_LOCATION=devel_rsa \
+ EVENT_LOG_LEVEL=20 \
+ GENERATE_COT=1 \
+ MBOOT_EL_HASH_ALG=sha256 \
+ MEASURED_BOOT=1 \
+ ROT_KEY=plat/arm/board/common/rotpk/arm_rotprivk_rsa.pem \
+ TRUSTED_BOARD_BOOT=1 \
+"
+EXTRA_OEMAKE += "${@bb.utils.contains('MACHINE_FEATURES', 'ts-attestation',\
+ '${TFA_MB_FLAGS}','', d)}"
+
+# Add OP-TEE as BL32.
+BL32 = "${@oe.utils.conditional('SPMC_IS_OPTEE', '1',\
+ '${RECIPE_SYSROOT}/${nonarch_base_libdir}/firmware/tee-pager_v2.bin',\
+ '', d)}"
+EXTRA_OEMAKE += "${@oe.utils.conditional('SPMC_IS_OPTEE', '1', \
+ ' BL32=${BL32}', '', d)}"
+
+# Generic configuration
COMPATIBLE_MACHINE = "fvp-base"
TFA_PLATFORM = "fvp"
-TFA_DEBUG = "1"
-TFA_MBEDTLS = "1"
+# Disable debug build if measured boot is enabled.
+TFA_DEBUG := "${@bb.utils.contains('MACHINE_FEATURES', 'ts-attestation', '0',\
+ d.getVar('TFA_DEBUG'), d)}"
+# Add mbedtls if measured boot is enabled
+TFA_MBEDTLS := "${@bb.utils.contains('MACHINE_FEATURES', 'ts-attestation',\
+ '1', d.getVar('TFA_MBEDTLS'), d)}"
TFA_UBOOT ?= "1"
TFA_BUILD_TARGET = "bl1 bl2 bl31 dtbs fip"
-EXTRA_OEMAKE += "FVP_DT_PREFIX=fvp-base-gicv3-psci-1t"
+EXTRA_OEMAKE += "FVP_DT_PREFIX=fvp-base-gicv3-psci-1t FVP_USE_GIC_DRIVER=FVP_GICV3"
# Our fvp-base machine explicitly has v8.4 cores
EXTRA_OEMAKE += "ARM_ARCH_MAJOR=8 ARM_ARCH_MINOR=4"
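Review bot: The `FILESEXTRAPATHS:prepend` at the top of the hunk drops the trailing colon the replaced line had: `"${THISDIR}/files/:${THISDIR}/files/fvp-base"` is prepended to a colon-separated list, so `files/fvp-base` is glued onto whatever entry follows it and is only found if some other prepend already lists that directory; it should read `FILESEXTRAPATHS:prepend := "${THISDIR}/files/:${THISDIR}/files/fvp-base:"`. TFA_MB_FLAGS enables TRUSTED_BOARD_BOOT with `ARM_ROTPK_LOCATION=devel_rsa` and TF-A's in-tree `arm_rotprivk_rsa.pem`, a development key that ships with the TF-A sources, which exercises the measured-boot chain but gives no authenticity guarantee; state that above the block, e.g. `# Development ROT key from the TF-A tree: for measured-boot/TBB testing only, not a production root of trust`. Style: `TFA_SPMD_SPM_AT_SEL2 := '0'` is the only single-quoted assignment in the file; use double quotes like the surrounding lines.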
diff --git a/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a-sbsa-ref.inc b/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a-sbsa-ref.inc
new file mode 100644
index 0000000000..150613972e
--- /dev/null
+++ b/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a-sbsa-ref.inc
@@ -0,0 +1,6 @@
+# sbsa-ref specific TF-A support
+
+COMPATIBLE_MACHINE = "sbsa-ref"
+
+TFA_PLATFORM = "qemu_sbsa"
+TFA_INSTALL_TARGET = "bl1 fip"
diff --git a/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a_%.bbappend b/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a_%.bbappend
index cb482a6f4d..214996a970 100644
--- a/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a_%.bbappend
+++ b/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a_%.bbappend
@@ -7,6 +7,7 @@ MACHINE_TFA_REQUIRE:corstone1000 = "trusted-firmware-a-corstone1000.inc"
MACHINE_TFA_REQUIRE:fvp-base = "trusted-firmware-a-fvp-base.inc"
MACHINE_TFA_REQUIRE:juno = "trusted-firmware-a-juno.inc"
MACHINE_TFA_REQUIRE:n1sdp = "trusted-firmware-a-n1sdp.inc"
+MACHINE_TFA_REQUIRE:sbsa-ref = "trusted-firmware-a-sbsa-ref.inc"
MACHINE_TFA_REQUIRE:sgi575 = "trusted-firmware-a-sgi575.inc"
MACHINE_TFA_REQUIRE:tc = "trusted-firmware-a-tc.inc"
diff --git a/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a_2.9.0.bb b/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a_2.9.0.bb
deleted file mode 100644
index d9fdf32972..0000000000
--- a/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a_2.9.0.bb
+++ /dev/null
@@ -1,16 +0,0 @@
-require recipes-bsp/trusted-firmware-a/trusted-firmware-a.inc
-
-# TF-A v2.9.0
-SRCREV_tfa = "d3e71ead6ea5bc3555ac90a446efec84ef6c6122"
-
-LIC_FILES_CHKSUM += "file://docs/license.rst;md5=b2c740efedc159745b9b31f88ff03dde"
-
-# mbedtls-3.4.0
-SRC_URI_MBEDTLS = "git://github.com/ARMmbed/mbedtls.git;name=mbedtls;protocol=https;destsuffix=git/mbedtls;branch=master"
-SRCREV_mbedtls = "1873d3bfc2da771672bd8e7e8f41f57e0af77f33"
-
-LIC_FILES_CHKSUM_MBEDTLS = "file://mbedtls/LICENSE;md5=3b83ef96387f14655fc854ddc3c6bd57"
-
-do_compile:prepend() {
- sed -i '/^LDLIBS/ s,$, \$\{BUILD_LDFLAGS},' ${S}/tools/fiptool/Makefile
-}
diff --git a/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/0002-arm-trusted-firmware-m-disable-address-warnings-into.patch b/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/0001-arm-trusted-firmware-m-disable-address-warnings-into.patch
index 1f19f55c48..1f19f55c48 100644
--- a/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/0002-arm-trusted-firmware-m-disable-address-warnings-into.patch
+++ b/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/0001-arm-trusted-firmware-m-disable-address-warnings-into.patch
diff --git a/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/0001-cmake-modify-path-to-libmetal-version-file.patch b/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/0001-cmake-modify-path-to-libmetal-version-file.patch
deleted file mode 100644
index d53524ad0d..0000000000
--- a/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/0001-cmake-modify-path-to-libmetal-version-file.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-From 6b38b9990c4dab0cb8524506ef129d4f326f3800 Mon Sep 17 00:00:00 2001
-From: Jon Mason <jon.mason@arm.com>
-Date: Thu, 14 Dec 2023 09:23:09 -0500
-Subject: [PATCH] cmake: modify path to libmetal version file
-
-Commit ad87802d6e01e97946de20b6c2fa28aed184ed20 changed how the
-versioning is done and created a version file. Due to this change,
-the VERSION file is not being found when building because the source dir
-is pointing to tf-m. Modify to point where we want it.
-
-Upstream-Status: Inappropriate [Build workaround]
-
-Signed-off-by: Jon Mason <jon.mason@arm.com>
----
- cmake/options.cmake | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/cmake/options.cmake b/cmake/options.cmake
-index a7b4ef8bdf03..a06009b6acc4 100644
---- a/cmake/options.cmake
-+++ b/cmake/options.cmake
-@@ -1,4 +1,4 @@
--file(READ ${LIBMETAL_ROOT_DIR}/VERSION ver)
-+file(READ ${LIBMETAL_ROOT_DIR}/../libmetal/VERSION ver)
-
- string(REGEX MATCH "VERSION_MAJOR = ([0-9]*)" _ ${ver})
- set(PROJECT_VERSION_MAJOR ${CMAKE_MATCH_1})
diff --git a/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0003-Platform-corstone1000-Fix-issues-due-to-adjustment-M.patch b/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0003-Platform-corstone1000-Fix-issues-due-to-adjustment-M.patch
deleted file mode 100644
index 2360992101..0000000000
--- a/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0003-Platform-corstone1000-Fix-issues-due-to-adjustment-M.patch
+++ /dev/null
@@ -1,76 +0,0 @@
-From f7b58b5ba5b48e071eb360c1bcfc4d31290a77c1 Mon Sep 17 00:00:00 2001
-From: Ali Can Ozaslan <ali.oezaslan@arm.com>
-Date: Tue, 5 Mar 2024 21:01:59 +0000
-Subject: [PATCH] Platform:corstone1000:Fix issues due to adjustment Mailbox
- Agent params
-
-Adjust Mailbox Agent API parameters patch changed memory check and
-related parameters. As a result, platform-specific issues occurred.
-Secure side client IDs are converted to negative values. Control
-parameter is created.
-
-Signed-off-by: Bence Balogh <bence.balogh@arm.com>
-Signed-off-by: Emekcan Aras <emekcan.aras@arm.com>
-Signed-off-by: Ali Can Ozaslan <ali.oezaslan@arm.com>
-Upstream-Status: Pending
-
----
- .../tfm_spe_dual_core_psa_client_secure_lib.c | 23 +++++++++++++++----
- 1 file changed, 18 insertions(+), 5 deletions(-)
-
-diff --git a/platform/ext/target/arm/corstone1000/openamp/tfm_spe_dual_core_psa_client_secure_lib.c b/platform/ext/target/arm/corstone1000/openamp/tfm_spe_dual_core_psa_client_secure_lib.c
-index d2eabe144..39e11b8cd 100644
---- a/platform/ext/target/arm/corstone1000/openamp/tfm_spe_dual_core_psa_client_secure_lib.c
-+++ b/platform/ext/target/arm/corstone1000/openamp/tfm_spe_dual_core_psa_client_secure_lib.c
-@@ -18,6 +18,9 @@
- #include "utilities.h"
- #include "thread.h"
-
-+#define SE_PROXY_SP_UID 0
-+#define SMM_GW_SP_UID 0x8003
-+
- /**
- * In linux environment and for psa_call type client api,
- * the layout of the reply from tf-m to linux is as following.
-@@ -174,7 +177,14 @@ static psa_status_t prepare_params_for_psa_call(struct client_params_t *params,
- {
- psa_status_t ret = PSA_SUCCESS;
-
-- params->ns_client_id_stateless = s_map_entry->msg.client_id;
-+ if (s_map_entry->msg.client_id == SE_PROXY_SP_UID) {
-+ params->ns_client_id_stateless = -1;
-+ }
-+ else if (s_map_entry->msg.client_id == SMM_GW_SP_UID) {
-+ params->ns_client_id_stateless = -1 * s_map_entry->msg.client_id;
-+ } else {
-+ params->ns_client_id_stateless = s_map_entry->msg.client_id;
-+ }
-
- params->p_outvecs = NULL;
- ret = alloc_and_prepare_out_vecs(&params->p_outvecs, s_map_entry);
-@@ -250,6 +260,9 @@ void deliver_msg_to_tfm_spe(void *private)
- struct client_params_t params = {0};
- psa_status_t psa_ret = PSA_ERROR_GENERIC_ERROR;
- unordered_map_entry_t* s_map_entry = (unordered_map_entry_t*)private;
-+ uint32_t control = PARAM_PACK(s_map_entry->msg.params.psa_call_params.type,
-+ s_map_entry->msg.params.psa_call_params.in_len,
-+ s_map_entry->msg.params.psa_call_params.out_len);
-
- switch(s_map_entry->msg.call_type) {
- case OPENAMP_PSA_FRAMEWORK_VERSION:
-@@ -266,11 +279,11 @@ void deliver_msg_to_tfm_spe(void *private)
- send_service_reply_to_non_secure(psa_ret, s_map_entry);
- break;
- }
-+ control = PARAM_SET_NS_INVEC(control);
-+ control = PARAM_SET_NS_OUTVEC(control);
-+ control = PARAM_SET_NS_VEC(control);
- psa_ret = tfm_rpc_psa_call(s_map_entry->msg.params.psa_call_params.handle,
-- PARAM_PACK(s_map_entry->msg.params.psa_call_params.type,
-- s_map_entry->msg.params.psa_call_params.in_len,
-- s_map_entry->msg.params.psa_call_params.out_len),
-- &params, NULL);
-+ control, &params, NULL);
- if (psa_ret != PSA_SUCCESS) {
- send_service_reply_to_non_secure(psa_ret, s_map_entry);
- break;
diff --git a/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0004-platform-corstone1000-align-capsule-update-structs.patch b/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0003-platform-corstone1000-align-capsule-update-structs.patch
index 7aeecfa31b..7aeecfa31b 100644
--- a/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0004-platform-corstone1000-align-capsule-update-structs.patch
+++ b/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0003-platform-corstone1000-align-capsule-update-structs.patch
diff --git a/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0006-Platform-Corstone1000-skip-the-first-nv-counter.patch b/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0004-Platform-Corstone1000-skip-the-first-nv-counter.patch
index 4c486e69f2..4c486e69f2 100644
--- a/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0006-Platform-Corstone1000-skip-the-first-nv-counter.patch
+++ b/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0004-Platform-Corstone1000-skip-the-first-nv-counter.patch
diff --git a/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0007-platform-corstone1000-add-unique-guid-for-mps3.patch b/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0005-platform-corstone1000-add-unique-guid-for-mps3.patch
index 3711b8ce36..3711b8ce36 100644
--- a/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0007-platform-corstone1000-add-unique-guid-for-mps3.patch
+++ b/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0005-platform-corstone1000-add-unique-guid-for-mps3.patch
diff --git a/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0005-platform-corstone1000-fix-synchronization-issue-on-o.patch b/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0005-platform-corstone1000-fix-synchronization-issue-on-o.patch
deleted file mode 100644
index be6bde6f8a..0000000000
--- a/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0005-platform-corstone1000-fix-synchronization-issue-on-o.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-From b70dd14eed59d7c5833ded8469cf99e631951e14 Mon Sep 17 00:00:00 2001
-From: Emekcan Aras <emekcan.aras@arm.com>
-Date: Wed, 15 Nov 2023 09:52:19 +0000
-Subject: [PATCH] platform: corstone1000: fix synchronization issue on openamp
- notification
-
-This fixes a race that is observed rarely in the FVP. It occurs in FVP
-when tfm sends the notication ack in openamp, and then reset the access
-request which resets the mhu registers before received by the host
-processor. This solution introduces polling on the status register of
-mhu until the notificaiton is read by the host processor. (Inspired by
-signal_and_wait_for_signal function in mhu_wrapper_v2_x.c in trusted-firmware-m
-https://git.trustedfirmware.org/TF-M/trusted-firmware-m.git/tree/platform/ext/target/arm/rss/common/native_drivers/mhu_wrapper_v2_x.c#n61)
-
-Signed-off-by: Emekcan Aras <emekcan.aras@arm.com>
-Upstream-Status: Pending [Not submitted to upstream yet]
----
- .../corstone1000/openamp/platform_spe_dual_core_hal.c | 9 ++++++++-
- 1 file changed, 8 insertions(+), 1 deletion(-)
-
-diff --git a/platform/ext/target/arm/corstone1000/openamp/platform_spe_dual_core_hal.c b/platform/ext/target/arm/corstone1000/openamp/platform_spe_dual_core_hal.c
-index 7613345ffc..b58088032f 100644
---- a/platform/ext/target/arm/corstone1000/openamp/platform_spe_dual_core_hal.c
-+++ b/platform/ext/target/arm/corstone1000/openamp/platform_spe_dual_core_hal.c
-@@ -83,7 +83,7 @@ enum tfm_plat_err_t tfm_dual_core_hal_init(void)
-
- enum tfm_plat_err_t tfm_hal_notify_peer(void)
- {
-- uint32_t access_ready;
-+ uint32_t access_ready,val;
- enum mhu_v2_x_error_t status;
- struct mhu_v2_x_dev_t* dev = &MHU1_SE_TO_HOST_DEV;
-
-@@ -108,6 +108,13 @@ enum tfm_plat_err_t tfm_hal_notify_peer(void)
- return TFM_PLAT_ERR_SYSTEM_ERR;
- }
-
-+ do {
-+ status = mhu_v2_x_channel_poll(dev, MHU1_SEH_NOTIFY_CH, &val);
-+ if (status != MHU_V_2_X_ERR_NONE) {
-+ break;
-+ }
-+ } while(val != 0);
-+
- status = mhu_v2_x_reset_access_request(dev);
- if (status != MHU_V_2_X_ERR_NONE) {
- SPMLOG_ERRMSGVAL("mhu_v2_x_reset_access_request : ", status);
---
-2.25.1
-
diff --git a/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0006-Platform-Corstone1000-Enable-host-firewall-in-FVP.patch b/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0006-Platform-Corstone1000-Enable-host-firewall-in-FVP.patch
new file mode 100644
index 0000000000..4f15da2217
--- /dev/null
+++ b/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0006-Platform-Corstone1000-Enable-host-firewall-in-FVP.patch
@@ -0,0 +1,177 @@
+From 1410dc5504d60219279581b1cf6442f81551cfe7 Mon Sep 17 00:00:00 2001
+From: Emekcan Aras <Emekcan.Aras@arm.com>
+Date: Wed, 3 Apr 2024 13:37:40 +0100
+Subject: [PATCH] Platform: Corstone1000: Enable host firewall in FVP
+
+Enables host firewall and mpu setup for FVP. It also fixes secure-ram
+configuration and disable access rights to secure ram from both normal world
+for both mps3 and fvp.
+
+Signed-off-by: Emekcan Aras <Emekcan.Aras@arm.com>
+Upstream-Status: Pending [Not submitted to upstream yet]
+---
+ .../Device/Include/platform_base_address.h | 2 +-
+ .../arm/corstone1000/bl1/boot_hal_bl1_1.c | 42 ++++---------------
+ .../arm/corstone1000/bl2/flash_map_bl2.c | 2 +-
+ 3 files changed, 11 insertions(+), 35 deletions(-)
+
+diff --git a/platform/ext/target/arm/corstone1000/Device/Include/platform_base_address.h b/platform/ext/target/arm/corstone1000/Device/Include/platform_base_address.h
+index 416f0ebcd..101cad9e7 100644
+--- a/platform/ext/target/arm/corstone1000/Device/Include/platform_base_address.h
++++ b/platform/ext/target/arm/corstone1000/Device/Include/platform_base_address.h
+@@ -67,7 +67,7 @@
+ * required by the SE are defined here */
+ #define CORSTONE1000_HOST_ADDRESS_SPACE_BASE (0x60000000U) /* Host Address Space */
+ #define CORSTONE1000_HOST_BIR_BASE (0x60000000U) /* Boot Instruction Register */
+-#define CORSTONE1000_HOST_SHARED_RAM_BASE (0x62000000U) /* Shared RAM */
++#define CORSTONE1000_HOST_TRUSTED_RAM_BASE (0x62000000U) /* Secure RAM */
+ #define CORSTONE1000_HOST_XNVM_BASE (0x68000000U) /* XNVM */
+ #define CORSTONE1000_HOST_BASE_SYSTEM_CONTROL_BASE (0x7A010000U) /* Host SCB */
+ #define CORSTONE1000_EXT_SYS_RESET_REG (0x7A010310U) /* external system (cortex-M3) */
+diff --git a/platform/ext/target/arm/corstone1000/bl1/boot_hal_bl1_1.c b/platform/ext/target/arm/corstone1000/bl1/boot_hal_bl1_1.c
+index a5fee66af..7988c2392 100644
+--- a/platform/ext/target/arm/corstone1000/bl1/boot_hal_bl1_1.c
++++ b/platform/ext/target/arm/corstone1000/bl1/boot_hal_bl1_1.c
+@@ -35,7 +35,7 @@ REGION_DECLARE(Image$$, ER_DATA, $$Base)[];
+ REGION_DECLARE(Image$$, ARM_LIB_HEAP, $$ZI$$Limit)[];
+
+ #define HOST_ADDRESS_SPACE_BASE 0x00000000
+-#define HOST_SHARED_RAM_BASE 0x02000000
++#define HOST_TRUSTED_RAM_BASE 0x02000000
+ #define HOST_XNVM_BASE 0x08000000
+ #define HOST_BASE_SYSTEM_CONTROL_BASE 0x1A010000
+ #define HOST_FIREWALL_BASE 0x1A800000
+@@ -347,7 +347,7 @@ static void setup_host_firewall(void)
+
+ fc_pe_enable();
+
+- /* CVM - Shared RAM */
++ /* CVM - Secure RAM */
+ fc_select((void *)CORSTONE1000_HOST_FIREWALL_BASE, COMP_CVM);
+ fc_disable_bypass();
+ fc_pe_disable();
+@@ -355,15 +355,12 @@ static void setup_host_firewall(void)
+ fc_select_region(1);
+ fc_disable_regions();
+ fc_disable_mpe(RGN_MPE0);
+- fc_prog_rgn(RGN_SIZE_4MB, HOST_SHARED_RAM_BASE);
++ fc_prog_rgn(RGN_SIZE_4MB, HOST_TRUSTED_RAM_BASE);
+ fc_init_mpl(RGN_MPE0);
+
+ mpl_rights = (RGN_MPL_ANY_MST_MASK | RGN_MPL_SECURE_READ_MASK |
+ RGN_MPL_SECURE_WRITE_MASK |
+- RGN_MPL_SECURE_EXECUTE_MASK |
+- RGN_MPL_NONSECURE_READ_MASK |
+- RGN_MPL_NONSECURE_WRITE_MASK |
+- RGN_MPL_NONSECURE_EXECUTE_MASK);
++ RGN_MPL_SECURE_EXECUTE_MASK);
+
+ fc_enable_mpl(RGN_MPE0, mpl_rights);
+ fc_disable_mpl(RGN_MPE0, ~mpl_rights);
+@@ -398,7 +395,9 @@ static void setup_host_firewall(void)
+
+ fc_pe_enable();
+
+- /* Host Expansion Master 0 */
++#if !(PLATFORM_IS_FVP)
++ /* Host Expansion Master 0 (Due to the difference in the models only
++ * programming this for MPS3) */
+ fc_select((void *)CORSTONE1000_HOST_FIREWALL_BASE, COMP_EXPMST0);
+ fc_disable_bypass();
+ fc_pe_disable();
+@@ -433,7 +432,6 @@ static void setup_host_firewall(void)
+ fc_enable_regions();
+ fc_rgn_lock();
+
+-#if !(PLATFORM_IS_FVP)
+ fc_select_region(3);
+ fc_disable_regions();
+ fc_disable_mpe(RGN_MPE0);
+@@ -461,16 +459,14 @@ static void setup_host_firewall(void)
+ fc_enable_mpe(RGN_MPE0);
+ fc_enable_regions();
+ fc_rgn_lock();
+-#endif
+
+ fc_pe_enable();
+
+- /* Host Expansion Master 0 */
++ /* Host Expansion Master 1*/
+ fc_select((void *)CORSTONE1000_HOST_FIREWALL_BASE, COMP_EXPMST1);
+ fc_disable_bypass();
+ fc_pe_disable();
+
+-#if !(PLATFORM_IS_FVP)
+ fc_select_region(1);
+ fc_disable_regions();
+ fc_disable_mpe(RGN_MPE0);
+@@ -484,22 +480,6 @@ static void setup_host_firewall(void)
+ fc_enable_mpe(RGN_MPE0);
+ fc_enable_regions();
+ fc_rgn_lock();
+-#else
+- fc_select_region(1);
+- fc_disable_regions();
+- fc_disable_mpe(RGN_MPE0);
+- fc_prog_rgn(RGN_SIZE_8MB, HOST_SE_SECURE_FLASH_BASE_FVP);
+- fc_init_mpl(RGN_MPE0);
+-
+- mpl_rights = (RGN_MPL_ANY_MST_MASK | RGN_MPL_SECURE_READ_MASK |
+- RGN_MPL_SECURE_WRITE_MASK);
+-
+- fc_enable_mpl(RGN_MPE0, mpl_rights);
+- fc_enable_mpe(RGN_MPE0);
+- fc_enable_regions();
+- fc_rgn_lock();
+-#endif
+-
+ fc_pe_enable();
+
+ /* Always ON Host Peripherals */
+@@ -527,7 +507,6 @@ static void setup_host_firewall(void)
+ }
+
+ fc_pe_enable();
+-
+ /* Host System Peripherals */
+ fc_select((void *)CORSTONE1000_HOST_FIREWALL_BASE, COMP_SYSPERIPH);
+ fc_disable_bypass();
+@@ -553,6 +532,7 @@ static void setup_host_firewall(void)
+ }
+
+ fc_pe_enable();
++#endif
+
+ /* Host System Peripherals */
+ fc_select((void *)CORSTONE1000_HOST_FIREWALL_BASE, COMP_DBGPERIPH);
+@@ -592,13 +572,9 @@ int32_t boot_platform_init(void)
+ if (result != ARM_DRIVER_OK) {
+ return 1;
+ }
+-#if !(PLATFORM_IS_FVP)
+ setup_mpu();
+-#endif
+ setup_se_firewall();
+-#if !(PLATFORM_IS_FVP)
+ setup_host_firewall();
+-#endif
+
+ #if defined(TFM_BL1_LOGGING) || defined(TEST_BL1_1) || defined(TEST_BL1_2)
+ stdio_init();
+diff --git a/platform/ext/target/arm/corstone1000/bl2/flash_map_bl2.c b/platform/ext/target/arm/corstone1000/bl2/flash_map_bl2.c
+index 2b1cdfa19..06cc3f0f5 100644
+--- a/platform/ext/target/arm/corstone1000/bl2/flash_map_bl2.c
++++ b/platform/ext/target/arm/corstone1000/bl2/flash_map_bl2.c
+@@ -70,7 +70,7 @@ int boot_get_image_exec_ram_info(uint32_t image_id,
+ rc = 0;
+ }
+ else if (image_id == 1 || image_id == 2) {
+- (*exec_ram_start) = CORSTONE1000_HOST_SHARED_RAM_BASE;
++ (*exec_ram_start) = CORSTONE1000_HOST_TRUSTED_RAM_BASE;
+ (*exec_ram_size) = 0x20000000U;
+ rc = 0;
+ }
+--
+2.25.1
+
+
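Review bot: The `#if !(PLATFORM_IS_FVP)` that now opens at the `Host Expansion Master 0` comment closes only after the Host System Peripherals block, so on FVP the EXPMST0, EXPMST1, always-on and system-peripheral firewall components are never programmed, although the commit message says the host firewall is enabled for FVP. The new comment should say which components are skipped and what state they are left in, e.g. `/* EXPMST0..SYSPERIPH are not programmed on FVP (model differences); they keep their reset-default firewall state — confirm */`. Dropping the RGN_MPL_NONSECURE_* masks on the trusted-RAM region is the actual protective change of this patch; a comment such as `/* Secure RAM: secure-world access only, no NS read/write/execute */` above the `mpl_rights` assignment would make that intent visible. flash_map_bl2.c still reports `exec_ram_size` 0x20000000U for the renamed region while the firewall programs it as RGN_SIZE_4MB; that line is unchanged context, but the two sizes are worth reconciling. setup_host_firewall and boot_platform_init both start and end outside these hunks.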
diff --git a/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0007-platform-corstone1000-Increase-ITS-max-asset-size.patch b/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0007-platform-corstone1000-Increase-ITS-max-asset-size.patch
new file mode 100644
index 0000000000..e831f0343f
--- /dev/null
+++ b/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0007-platform-corstone1000-Increase-ITS-max-asset-size.patch
@@ -0,0 +1,27 @@
+From 2edf197735bd0efb1428c1710443dddcb376d930 Mon Sep 17 00:00:00 2001
+From: Emekcan Aras <emekcan.aras@arm.com>
+Date: Wed, 17 Apr 2024 11:34:45 +0000
+Subject: [PATCH] platform: corstone1000: Increase ITS max asset size
+
+Increases the max asset size for ITS to enable parsec services & tests
+​
+Upstream-Status: Pending
+Signed-off-by: Emekcan Aras <emekcan.aras@arm.com>
+Signed-off-by: Vikas Katariya <vikas.katariya@arm.com>
+---
+ platform/ext/target/arm/corstone1000/config_tfm_target.h | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/platform/ext/target/arm/corstone1000/config_tfm_target.h b/platform/ext/target/arm/corstone1000/config_tfm_target.h
+index 2c7341afd4..2eb0924770 100644
+--- a/platform/ext/target/arm/corstone1000/config_tfm_target.h
++++ b/platform/ext/target/arm/corstone1000/config_tfm_target.h
+@@ -20,4 +20,8 @@
+ /* The maximum number of assets to be stored in the Protected Storage area. */
+ #define PS_NUM_ASSETS 20
+
++/* The maximum size of asset to be stored in the Internal Trusted Storage area. */
++#undef ITS_MAX_ASSET_SIZE
++#define ITS_MAX_ASSET_SIZE 2048
++
+ #endif /* __CONFIG_TFM_TARGET_H__ */
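Review bot: The `#undef ITS_MAX_ASSET_SIZE` / `#define ITS_MAX_ASSET_SIZE 2048` pair silently replaces whatever default the earlier configuration headers set, and the added comment does not say what bounds the new value; it should state the constraint, e.g. `/* Raised to 2048 for parsec; must stay within the ITS flash area layout for this platform */` (the exact constraint is not visible here and should be confirmed). The line after `Increases the max asset size for ITS ...` in the commit message appears to carry an invisible non-ASCII character rather than being empty; it should be a plain empty line. The rest of the header, including any other values it overrides, is outside the hunk.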
diff --git a/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0008-Platform-CS1000-Replace-OpenAMP-with-RSE_COMMS.patch b/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0008-Platform-CS1000-Replace-OpenAMP-with-RSE_COMMS.patch
new file mode 100644
index 0000000000..3e0acbe3b9
--- /dev/null
+++ b/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0008-Platform-CS1000-Replace-OpenAMP-with-RSE_COMMS.patch
@@ -0,0 +1,3620 @@
+From 5e0e5207fe7edf7f9b47f0800388c7b3c9d69a1c Mon Sep 17 00:00:00 2001
+From: Bence Balogh <bence.balogh@arm.com>
+Date: Mon, 26 Feb 2024 10:20:54 +0100
+Subject: [PATCH] Platform: CS1000: Replace OpenAMP with RSE_COMMS
+
+The RSE_COMMS files were copied from the arm/rse platform (e7fcf4e0)
+Did not copy the ATU and pointer access protocol related files as
+they are not supported yet in Corstone-1000.
+
+There were some modifications in the files:
+- Remove ATU support because Corstone-1000 doesn't have ATU
+- Update and extend platform specific memory and permission checks
+- Remove Armv8.1-M specific calls
+
+The OpenAMP related files were removed from Corstone-1000.
+
+Signed-off-by: Bence Balogh <bence.balogh@arm.com>
+Upstream-Status: Backport [75a980b37fb726dff8720b50de121c8196b70e4e]
+---
+ docs/platform/arm/corstone1000/readme.rst | 5 +-
+ .../target/arm/corstone1000/CMakeLists.txt | 5 +-
+ .../arm/corstone1000/Native_Driver/mhu.h | 140 +++++++
+ .../Native_Driver/mhu_wrapper_v2_x.c | 353 ++++++++++++++++++
+ .../ext/target/arm/corstone1000/config.cmake | 8 -
+ .../arm/corstone1000/openamp/CMakeLists.txt | 57 ---
+ ...ogger-when-the-build-type-is-release.patch | 27 --
+ .../openamp/ext/libmetal/CMakeLists.txt | 23 --
+ .../openamp/ext/libopenamp/CMakeLists.txt | 21 --
+ .../openamp/platform_spe_dual_core_hal.c | 152 --------
+ .../corstone1000/openamp/tfm_openamp_lib.h | 128 -------
+ .../tfm_spe_dual_core_psa_client_secure_lib.c | 304 ---------------
+ .../tfm_spe_dual_core_psa_client_secure_lib.h | 39 --
+ .../openamp/tfm_spe_openamp_interface.h | 39 --
+ .../openamp/tfm_spe_openamp_interface_impl.c | 248 ------------
+ .../tfm_spe_openamp_platform_interconnect.c | 114 ------
+ .../tfm_spe_openamp_platform_interface.h | 31 --
+ .../tfm_spe_psa_client_lib_unordered_map.c | 151 --------
+ .../tfm_spe_psa_client_lib_unordered_map.h | 50 ---
+ .../openamp/tfm_spe_shm_openamp.h | 39 --
+ .../arm/corstone1000/partition/region_defs.h | 12 +-
+ .../arm/corstone1000/rse_comms/CMakeLists.txt | 34 ++
+ .../arm/corstone1000/rse_comms/rse_comms.c | 176 +++++++++
+ .../arm/corstone1000/rse_comms/rse_comms.h | 48 +++
+ .../corstone1000/rse_comms/rse_comms_hal.c | 232 ++++++++++++
+ .../corstone1000/rse_comms/rse_comms_hal.h | 56 +++
+ .../rse_comms/rse_comms_permissions_hal.h | 58 +++
+ .../rse_comms/rse_comms_protocol.c | 120 ++++++
+ .../rse_comms/rse_comms_protocol.h | 129 +++++++
+ .../rse_comms/rse_comms_protocol_embed.c | 105 ++++++
+ .../rse_comms/rse_comms_protocol_embed.h | 50 +++
+ .../corstone1000/rse_comms/rse_comms_queue.c | 64 ++++
+ .../corstone1000/rse_comms/rse_comms_queue.h | 25 ++
+ .../corstone1000/rse_comms_permissions_hal.c | 177 +++++++++
+ .../target/arm/corstone1000/tfm_interrupts.c | 51 +++
+ 35 files changed, 1831 insertions(+), 1440 deletions(-)
+ create mode 100644 platform/ext/target/arm/corstone1000/Native_Driver/mhu.h
+ create mode 100644 platform/ext/target/arm/corstone1000/Native_Driver/mhu_wrapper_v2_x.c
+ delete mode 100644 platform/ext/target/arm/corstone1000/openamp/CMakeLists.txt
+ delete mode 100644 platform/ext/target/arm/corstone1000/openamp/ext/libmetal/0001-Disable-logger-when-the-build-type-is-release.patch
+ delete mode 100644 platform/ext/target/arm/corstone1000/openamp/ext/libmetal/CMakeLists.txt
+ delete mode 100644 platform/ext/target/arm/corstone1000/openamp/ext/libopenamp/CMakeLists.txt
+ delete mode 100644 platform/ext/target/arm/corstone1000/openamp/platform_spe_dual_core_hal.c
+ delete mode 100644 platform/ext/target/arm/corstone1000/openamp/tfm_openamp_lib.h
+ delete mode 100644 platform/ext/target/arm/corstone1000/openamp/tfm_spe_dual_core_psa_client_secure_lib.c
+ delete mode 100644 platform/ext/target/arm/corstone1000/openamp/tfm_spe_dual_core_psa_client_secure_lib.h
+ delete mode 100644 platform/ext/target/arm/corstone1000/openamp/tfm_spe_openamp_interface.h
+ delete mode 100644 platform/ext/target/arm/corstone1000/openamp/tfm_spe_openamp_interface_impl.c
+ delete mode 100644 platform/ext/target/arm/corstone1000/openamp/tfm_spe_openamp_platform_interconnect.c
+ delete mode 100644 platform/ext/target/arm/corstone1000/openamp/tfm_spe_openamp_platform_interface.h
+ delete mode 100644 platform/ext/target/arm/corstone1000/openamp/tfm_spe_psa_client_lib_unordered_map.c
+ delete mode 100644 platform/ext/target/arm/corstone1000/openamp/tfm_spe_psa_client_lib_unordered_map.h
+ delete mode 100644 platform/ext/target/arm/corstone1000/openamp/tfm_spe_shm_openamp.h
+ create mode 100644 platform/ext/target/arm/corstone1000/rse_comms/CMakeLists.txt
+ create mode 100644 platform/ext/target/arm/corstone1000/rse_comms/rse_comms.c
+ create mode 100644 platform/ext/target/arm/corstone1000/rse_comms/rse_comms.h
+ create mode 100644 platform/ext/target/arm/corstone1000/rse_comms/rse_comms_hal.c
+ create mode 100644 platform/ext/target/arm/corstone1000/rse_comms/rse_comms_hal.h
+ create mode 100644 platform/ext/target/arm/corstone1000/rse_comms/rse_comms_permissions_hal.h
+ create mode 100644 platform/ext/target/arm/corstone1000/rse_comms/rse_comms_protocol.c
+ create mode 100644 platform/ext/target/arm/corstone1000/rse_comms/rse_comms_protocol.h
+ create mode 100644 platform/ext/target/arm/corstone1000/rse_comms/rse_comms_protocol_embed.c
+ create mode 100644 platform/ext/target/arm/corstone1000/rse_comms/rse_comms_protocol_embed.h
+ create mode 100644 platform/ext/target/arm/corstone1000/rse_comms/rse_comms_queue.c
+ create mode 100644 platform/ext/target/arm/corstone1000/rse_comms/rse_comms_queue.h
+ create mode 100644 platform/ext/target/arm/corstone1000/rse_comms_permissions_hal.c
+ create mode 100644 platform/ext/target/arm/corstone1000/tfm_interrupts.c
+
+diff --git a/docs/platform/arm/corstone1000/readme.rst b/docs/platform/arm/corstone1000/readme.rst
+index 59b167d8f..d46a6460e 100644
+--- a/docs/platform/arm/corstone1000/readme.rst
++++ b/docs/platform/arm/corstone1000/readme.rst
+@@ -19,7 +19,8 @@ and boots the software ecosystem based on linux, u-boot, UEFI run time
+ services, TF-A, Secure Partitions and Optee.
+
+ The communication between NSPE and SPE is based on PSA IPC protocol running on
+-top of FF-A/OpenAMP.
++top of the RSE communication protocol. The Corstone-1000 supports only the
++`Embed protocol`, and the ATU support is removed.
+
+ .. toctree::
+ :maxdepth: 1
+@@ -116,7 +117,7 @@ Other test configurations are:
+ - -DTEST_S_PS=ON/OFF
+ - -DTEST_S_PLATFORM=ON/OFF
+
+-*Copyright (c) 2021-2023, Arm Limited. All rights reserved.*
++*Copyright (c) 2021-2024, Arm Limited. All rights reserved.*
+
+ .. _Arm Ecosystem FVPs: https://developer.arm.com/tools-and-software/open-source-software/arm-platforms-software/arm-ecosystem-fvps
+ .. _Arm Corstone-1000 User Guide: https://corstone1000.docs.arm.com/en/corstone1000-2022.11.23/user-guide.html
+diff --git a/platform/ext/target/arm/corstone1000/CMakeLists.txt b/platform/ext/target/arm/corstone1000/CMakeLists.txt
+index 541504368..e2a7ac302 100644
+--- a/platform/ext/target/arm/corstone1000/CMakeLists.txt
++++ b/platform/ext/target/arm/corstone1000/CMakeLists.txt
+@@ -87,7 +87,7 @@ target_add_scatter_file(bl1_2
+
+ #========================= Platform Secure ====================================#
+
+-add_subdirectory(openamp)
++add_subdirectory(${CMAKE_CURRENT_LIST_DIR}/rse_comms rse_comms)
+
+ add_subdirectory(${PLATFORM_DIR}/ext/accelerator/cc312/cc312-rom cc312-rom)
+
+@@ -124,6 +124,7 @@ target_sources(platform_s
+ Device/Source/system_core_init.c
+ ${PLATFORM_DIR}/ext/target/arm/drivers/usart/pl011/uart_pl011_drv.c
+ Native_Driver/mhu_v2_x.c
++ Native_Driver/mhu_wrapper_v2_x.c
+ Native_Driver/watchdog.c
+ Native_Driver/arm_watchdog_drv.c
+ $<$<BOOL:TFM_PARTITION_PLATFORM>:${CMAKE_CURRENT_SOURCE_DIR}/services/src/tfm_platform_system.c>
+@@ -137,6 +138,7 @@ target_sources(platform_s
+ partition/partition.c
+ partition/gpt.c
+ $<$<NOT:$<BOOL:${PLATFORM_DEFAULT_OTP}>>:${PLATFORM_DIR}/ext/accelerator/cc312/otp_cc312.c>
++ rse_comms_permissions_hal.c
+ )
+
+ if (PLATFORM_IS_FVP)
+@@ -376,6 +378,7 @@ target_sources(tfm_psa_rot_partition_ns_agent_mailbox
+
+ target_sources(tfm_spm
+ PRIVATE
++ tfm_interrupts.c
+ tfm_hal_isolation.c
+ tfm_hal_platform.c
+ $<$<BOOL:${TFM_S_REG_TEST}>:${CMAKE_CURRENT_SOURCE_DIR}/target_cfg.c>
+diff --git a/platform/ext/target/arm/corstone1000/Native_Driver/mhu.h b/platform/ext/target/arm/corstone1000/Native_Driver/mhu.h
+new file mode 100644
+index 000000000..a02fdd883
+--- /dev/null
++++ b/platform/ext/target/arm/corstone1000/Native_Driver/mhu.h
+@@ -0,0 +1,140 @@
++/*
++ * Copyright (c) 2022-2023 Arm Limited. All rights reserved.
++ *
++ * Licensed under the Apache License, Version 2.0 (the "License");
++ * you may not use this file except in compliance with the License.
++ * You may obtain a copy of the License at
++ *
++ * http://www.apache.org/licenses/LICENSE-2.0
++ *
++ * Unless required by applicable law or agreed to in writing, software
++ * distributed under the License is distributed on an "AS IS" BASIS,
++ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
++ * See the License for the specific language governing permissions and
++ * limitations under the License.
++ */
++
++#ifndef __MHU_H__
++#define __MHU_H__
++
++#include <stddef.h>
++#include <stdint.h>
++
++#ifdef __cplusplus
++extern "C" {
++#endif
++
++/**
++ * Generic MHU error enumeration types.
++ */
++enum mhu_error_t {
++ MHU_ERR_NONE = 0,
++ MHU_ERR_NOT_INIT = -1,
++ MHU_ERR_ALREADY_INIT = -2,
++ MHU_ERR_UNSUPPORTED_VERSION = -3,
++ MHU_ERR_UNSUPPORTED = -4,
++ MHU_ERR_INVALID_ARG = -5,
++ MHU_ERR_BUFFER_TOO_SMALL = -6,
++ MHU_ERR_GENERAL = -7,
++};
++
++/**
++ * \brief Initializes sender MHU.
++ *
++ * \param[in] mhu_sender_dev Pointer to the sender MHU.
++ *
++ * \return Returns mhu_error_t error code.
++ *
++ * \note This function must be called before mhu_send_data().
++ */
++enum mhu_error_t mhu_init_sender(void *mhu_sender_dev);
++
++/**
++ * \brief Initializes receiver MHU.
++ *
++ * \param[in] mhu_receiver_dev Pointer to the receiver MHU.
++ *
++ * \return Returns mhu_error_t error code.
++ *
++ * \note This function must be called before mhu_receive_data().
++ */
++enum mhu_error_t mhu_init_receiver(void *mhu_receiver_dev);
++
++/**
++ * \brief Sends data over MHU.
++ *
++ * \param[in] mhu_sender_dev Pointer to the sender MHU.
++ * \param[in] send_buffer Pointer to buffer containing the data to be
++ * transmitted.
++ * \param[in] size Size of the data to be transmitted in bytes.
++ *
++ * \return Returns mhu_error_t error code.
++ *
++ * \note The send_buffer must be 4-byte aligned and its length must be at least
++ * (4 - (size % 4)) bytes bigger than the data size to prevent buffer
++ * over-reading.
++ */
++enum mhu_error_t mhu_send_data(void *mhu_sender_dev,
++ const uint8_t *send_buffer,
++ size_t size);
++
++/**
++ * \brief Wait for data from MHU.
++ *
++ * \param[in] mhu_receiver_dev Pointer to the receiver MHU.
++ *
++ * \return Returns mhu_error_t error code.
++ *
++ * \note This function must be called before mhu_receive_data() if the MHU
++ * receiver interrupt is not used.
++ */
++enum mhu_error_t mhu_wait_data(void *mhu_receiver_dev);
++
++/**
++ * \brief Receives data from MHU.
++ *
++ * \param[in] mhu_receiver_dev Pointer to the receiver MHU.
++ * \param[out] receive_buffer Pointer the buffer where to store the
++ * received data.
++ * \param[in,out] size As input the size of the receive_buffer,
++ * as output the number of bytes received.
++ * As a limitation, the size of the buffer
++ * must be a multiple of 4.
++ *
++ * \return Returns mhu_error_t error code.
++ *
++ * \note The receive_buffer must be 4-byte aligned and its length must be a
++ * multiple of 4.
++ */
++enum mhu_error_t mhu_receive_data(void *mhu_receiver_dev,
++ uint8_t *receive_buffer,
++ size_t *size);
++
++/**
++ * \brief Signals an interrupt over the last available channel and wait for the
++ * values to be cleared by the receiver.
++ *
++ * \param[in] mhu_sender_dev Pointer to the sender MHU.
++ * \param[in] value Value that will be used while signaling.
++ *
++ * \return Returns mhu_error_t error code.
++ */
++enum mhu_error_t signal_and_wait_for_clear(void *mhu_sender_dev,
++ uint32_t value);
++
++/**
++ * \brief Wait for signal on the last available channel in a loop and
++ * acknowledge the transfer by clearing the status on that channel.
++ *
++ * \param[in] mhu_receiver_dev Pointer to the receiver MHU.
++ * \param[in] value Value that will be used while waiting.
++ *
++ * \return Returns mhu_error_t error code.
++ */
++enum mhu_error_t wait_for_signal_and_clear(void *mhu_receiver_dev,
++ uint32_t value);
++#ifdef __cplusplus
++}
++#endif
++
++#endif /* __MHU_H__ */
+diff --git a/platform/ext/target/arm/corstone1000/Native_Driver/mhu_wrapper_v2_x.c b/platform/ext/target/arm/corstone1000/Native_Driver/mhu_wrapper_v2_x.c
+new file mode 100644
+index 000000000..f749f7661
+--- /dev/null
++++ b/platform/ext/target/arm/corstone1000/Native_Driver/mhu_wrapper_v2_x.c
+@@ -0,0 +1,353 @@
++/*
++ * Copyright (c) 2022-2023 Arm Limited. All rights reserved.
++ *
++ * Licensed under the Apache License, Version 2.0 (the "License");
++ * you may not use this file except in compliance with the License.
++ * You may obtain a copy of the License at
++ *
++ * http://www.apache.org/licenses/LICENSE-2.0
++ *
++ * Unless required by applicable law or agreed to in writing, software
++ * distributed under the License is distributed on an "AS IS" BASIS,
++ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
++ * See the License for the specific language governing permissions and
++ * limitations under the License.
++ */
++
++#include "mhu.h"
++
++#include <stddef.h>
++#include <stdint.h>
++
++#include "mhu_v2_x.h"
++
++#define MHU_NOTIFY_VALUE (1234u)
++
++static enum mhu_error_t
++error_mapping_to_mhu_error_t(enum mhu_v2_x_error_t err)
++{
++ switch (err) {
++ case MHU_V_2_X_ERR_NONE:
++ return MHU_ERR_NONE;
++ case MHU_V_2_X_ERR_NOT_INIT:
++ return MHU_ERR_NOT_INIT;
++ case MHU_V_2_X_ERR_ALREADY_INIT:
++ return MHU_ERR_ALREADY_INIT;
++ case MHU_V_2_X_ERR_UNSUPPORTED_VERSION:
++ return MHU_ERR_UNSUPPORTED_VERSION;
++ case MHU_V_2_X_ERR_INVALID_ARG:
++ return MHU_ERR_INVALID_ARG;
++ case MHU_V_2_X_ERR_GENERAL:
++ return MHU_ERR_GENERAL;
++ default:
++ return MHU_ERR_GENERAL;
++ }
++}
++
++enum mhu_error_t
++signal_and_wait_for_clear(void *mhu_sender_dev, uint32_t value)
++{
++ enum mhu_v2_x_error_t err;
++ struct mhu_v2_x_dev_t *dev;
++ uint32_t channel_notify;
++ uint32_t wait_val;
++
++ if (mhu_sender_dev == NULL) {
++ return MHU_ERR_INVALID_ARG;
++ }
++
++ dev = (struct mhu_v2_x_dev_t *)mhu_sender_dev;
++
++ /* Use the last channel for notifications */
++ channel_notify = mhu_v2_x_get_num_channel_implemented(dev) - 1;
++
++ /* FIXME: Avoid wasting a whole channel for notifying */
++ err = mhu_v2_x_channel_send(dev, channel_notify, value);
++ if (err != MHU_V_2_X_ERR_NONE) {
++ return error_mapping_to_mhu_error_t(err);
++ }
++
++ do {
++ err = mhu_v2_x_channel_poll(dev, channel_notify, &wait_val);
++ if (err != MHU_V_2_X_ERR_NONE) {
++ break;
++ }
++ } while (wait_val != 0);
++
++ return error_mapping_to_mhu_error_t(err);
++}
++
++enum mhu_error_t
++wait_for_signal_and_clear(void *mhu_receiver_dev, uint32_t value)
++{
++ enum mhu_v2_x_error_t err;
++ struct mhu_v2_x_dev_t *dev;
++ uint32_t channel_notify;
++ uint32_t wait_val;
++
++ if (mhu_receiver_dev == NULL) {
++ return MHU_ERR_INVALID_ARG;
++ }
++
++ dev = (struct mhu_v2_x_dev_t *)mhu_receiver_dev;
++
++ /* Use the last channel for notifications */
++ channel_notify = mhu_v2_x_get_num_channel_implemented(dev) - 1;
++
++ do {
++ /* Using the last channel for notifications */
++ err = mhu_v2_x_channel_receive(dev, channel_notify, &wait_val);
++ if (err != MHU_V_2_X_ERR_NONE) {
++ return error_mapping_to_mhu_error_t(err);
++ }
++ } while (wait_val != value);
++
++ /* Clear the last channel */
++ err = mhu_v2_x_channel_clear(dev, channel_notify);
++
++ return error_mapping_to_mhu_error_t(err);
++}
++
++static enum mhu_v2_x_error_t
++clear_and_wait_for_signal(struct mhu_v2_x_dev_t *dev)
++{
++ enum mhu_v2_x_error_t err;
++ uint32_t num_channels = mhu_v2_x_get_num_channel_implemented(dev);
++ uint32_t val, i;
++
++ /* Clear all channels */
++ for (i = 0; i < num_channels; ++i) {
++ err = mhu_v2_x_channel_clear(dev, i);
++ if (err != MHU_V_2_X_ERR_NONE) {
++ return err;
++ }
++ }
++
++ do {
++ /* Using the last channel for notifications */
++ err = mhu_v2_x_channel_receive(dev, num_channels - 1, &val);
++ if (err != MHU_V_2_X_ERR_NONE) {
++ break;
++ }
++ } while (val != MHU_NOTIFY_VALUE);
++
++ return err;
++}
++
++enum mhu_error_t mhu_init_sender(void *mhu_sender_dev)
++{
++ enum mhu_v2_x_error_t err;
++ struct mhu_v2_x_dev_t *dev = mhu_sender_dev;
++
++ if (dev == NULL) {
++ return MHU_ERR_INVALID_ARG;
++ }
++
++ err = mhu_v2_x_driver_init(dev, MHU_REV_READ_FROM_HW);
++ if (err != MHU_V_2_X_ERR_NONE) {
++ return error_mapping_to_mhu_error_t(err);
++ }
++
++ /* This wrapper requires at least two channels to be implemented */
++ if (mhu_v2_x_get_num_channel_implemented(dev) < 2) {
++ return MHU_ERR_UNSUPPORTED;
++ }
++
++ return MHU_ERR_NONE;
++}
++
++enum mhu_error_t mhu_init_receiver(void *mhu_receiver_dev)
++{
++ enum mhu_v2_x_error_t err;
++ struct mhu_v2_x_dev_t *dev = mhu_receiver_dev;
++ uint32_t num_channels, i;
++
++ if (dev == NULL) {
++ return MHU_ERR_INVALID_ARG;
++ }
++
++ err = mhu_v2_x_driver_init(dev, MHU_REV_READ_FROM_HW);
++ if (err != MHU_V_2_X_ERR_NONE) {
++ return error_mapping_to_mhu_error_t(err);
++ }
++
++ num_channels = mhu_v2_x_get_num_channel_implemented(dev);
++
++ /* This wrapper requires at least two channels to be implemented */
++ if (num_channels < 2) {
++ return MHU_ERR_UNSUPPORTED;
++ }
++
++ /* Mask all channels except the notifying channel */
++ for (i = 0; i < (num_channels - 1); ++i) {
++ err = mhu_v2_x_channel_mask_set(dev, i, UINT32_MAX);
++ if (err != MHU_V_2_X_ERR_NONE) {
++ return error_mapping_to_mhu_error_t(err);
++ }
++ }
++
++ /* The last channel is used for notifications */
++ err = mhu_v2_x_channel_mask_clear(dev, (num_channels - 1), UINT32_MAX);
++ if (err != MHU_V_2_X_ERR_NONE) {
++ return error_mapping_to_mhu_error_t(err);
++ }
++
++ err = mhu_v2_x_interrupt_enable(dev, MHU_2_1_INTR_CHCOMB_MASK);
++ if (err != MHU_V_2_X_ERR_NONE) {
++ return error_mapping_to_mhu_error_t(err);
++ }
++
++ return MHU_ERR_NONE;
++}
++
++enum mhu_error_t mhu_send_data(void *mhu_sender_dev,
++ const uint8_t *send_buffer,
++ size_t size)
++{
++ enum mhu_v2_x_error_t err;
++ enum mhu_error_t mhu_err;
++ struct mhu_v2_x_dev_t *dev = mhu_sender_dev;
++ uint32_t num_channels = mhu_v2_x_get_num_channel_implemented(dev);
++ uint32_t chan = 0;
++ uint32_t i;
++ uint32_t *p;
++
++ if (dev == NULL || send_buffer == NULL) {
++ return MHU_ERR_INVALID_ARG;
++ } else if (size == 0) {
++ return MHU_ERR_NONE;
++ }
++
++ /* For simplicity, require the send_buffer to be 4-byte aligned. */
++ if ((uintptr_t)send_buffer & 0x3u) {
++ return MHU_ERR_INVALID_ARG;
++ }
++
++ err = mhu_v2_x_initiate_transfer(dev);
++ if (err != MHU_V_2_X_ERR_NONE) {
++ return error_mapping_to_mhu_error_t(err);
++ }
++
++ /* First send over the size of the actual message. */
++ err = mhu_v2_x_channel_send(dev, chan, (uint32_t)size);
++ if (err != MHU_V_2_X_ERR_NONE) {
++ return error_mapping_to_mhu_error_t(err);
++ }
++ chan++;
++
++ p = (uint32_t *)send_buffer;
++ for (i = 0; i < size; i += 4) {
++ err = mhu_v2_x_channel_send(dev, chan, *p++);
++ if (err != MHU_V_2_X_ERR_NONE) {
++ return error_mapping_to_mhu_error_t(err);
++ }
++ if (++chan == (num_channels - 1)) {
++ mhu_err = signal_and_wait_for_clear(dev, MHU_NOTIFY_VALUE);
++ if (mhu_err != MHU_ERR_NONE) {
++ return mhu_err;
++ }
++ chan = 0;
++ }
++ }
++
++ /* Signal the end of transfer.
++ * It's not required to send a signal when the message was
++ * perfectly-aligned ((num_channels - 1) channels were used in the last
++ * round) preventing it from signaling twice at the end of transfer.
++ */
++ if (chan != 0) {
++ mhu_err = signal_and_wait_for_clear(dev, MHU_NOTIFY_VALUE);
++ if (mhu_err != MHU_ERR_NONE) {
++ return mhu_err;
++ }
++ }
++
++ err = mhu_v2_x_close_transfer(dev);
++ return error_mapping_to_mhu_error_t(err);
++}
++
++enum mhu_error_t mhu_wait_data(void *mhu_receiver_dev)
++{
++ enum mhu_v2_x_error_t err;
++ struct mhu_v2_x_dev_t *dev = mhu_receiver_dev;
++ uint32_t num_channels = mhu_v2_x_get_num_channel_implemented(dev);
++ uint32_t val;
++
++ do {
++ /* Using the last channel for notifications */
++ err = mhu_v2_x_channel_receive(dev, num_channels - 1, &val);
++ if (err != MHU_V_2_X_ERR_NONE) {
++ break;
++ }
++ } while (val != MHU_NOTIFY_VALUE);
++
++ return error_mapping_to_mhu_error_t(err);
++}
++
++enum mhu_error_t mhu_receive_data(void *mhu_receiver_dev,
++ uint8_t *receive_buffer,
++ size_t *size)
++{
++ enum mhu_v2_x_error_t err;
++ struct mhu_v2_x_dev_t *dev = mhu_receiver_dev;
++ uint32_t num_channels = mhu_v2_x_get_num_channel_implemented(dev);
++ uint32_t chan = 0;
++ uint32_t message_len;
++ uint32_t i;
++ uint32_t *p;
++
++ if (dev == NULL || receive_buffer == NULL) {
++ return MHU_ERR_INVALID_ARG;
++ }
++
++ /* For simplicity, require:
++ * - the receive_buffer to be 4-byte aligned,
++ * - the buffer size to be a multiple of 4.
++ */
++ if (((uintptr_t)receive_buffer & 0x3u) || (*size & 0x3u)) {
++ return MHU_ERR_INVALID_ARG;
++ }
++
++ /* The first word is the length of the actual message. */
++ err = mhu_v2_x_channel_receive(dev, chan, &message_len);
++ if (err != MHU_V_2_X_ERR_NONE) {
++ return error_mapping_to_mhu_error_t(err);
++ }
++ chan++;
++
++ if (message_len > *size) {
++ /* Message buffer too small */
++ *size = message_len;
++ return MHU_ERR_BUFFER_TOO_SMALL;
++ }
++
++ p = (uint32_t *)receive_buffer;
++ for (i = 0; i < message_len; i += 4) {
++ err = mhu_v2_x_channel_receive(dev, chan, p++);
++ if (err != MHU_V_2_X_ERR_NONE) {
++ return error_mapping_to_mhu_error_t(err);
++ }
++
++ /* Only wait for next transfer if there is still missing data. */
++ if (++chan == (num_channels - 1) && (message_len - i) > 4) {
++ /* Busy wait for next transfer */
++ err = clear_and_wait_for_signal(dev);
++ if (err != MHU_V_2_X_ERR_NONE) {
++ return error_mapping_to_mhu_error_t(err);
++ }
++ chan = 0;
++ }
++ }
++
++ /* Clear all channels */
++ for (i = 0; i < num_channels; ++i) {
++ err = mhu_v2_x_channel_clear(dev, i);
++ if (err != MHU_V_2_X_ERR_NONE) {
++ return error_mapping_to_mhu_error_t(err);
++ }
++ }
++
++ *size = message_len;
++
++ return MHU_ERR_NONE;
++}
+diff --git a/platform/ext/target/arm/corstone1000/config.cmake b/platform/ext/target/arm/corstone1000/config.cmake
+index 70bbcdafd..6a805a122 100644
+--- a/platform/ext/target/arm/corstone1000/config.cmake
++++ b/platform/ext/target/arm/corstone1000/config.cmake
+@@ -37,14 +37,6 @@ set(TFM_CRYPTO_TEST_ALG_CFB OFF CACHE BOOL "Test CFB cryp
+ set(NS FALSE CACHE BOOL "Whether to build NS app")
+ set(EXTERNAL_SYSTEM_SUPPORT OFF CACHE BOOL "Whether to include external system support.")
+
+-# External dependency on OpenAMP and Libmetal
+-set(LIBMETAL_SRC_PATH "DOWNLOAD" CACHE PATH "Path to Libmetal (or DOWNLOAD to fetch automatically")
+-set(LIBMETAL_VERSION "f252f0e007fbfb8b3a52b1d5901250ddac96baad" CACHE STRING "The version of libmetal to use")
+-set(LIBMETAL_FORCE_PATCH OFF CACHE BOOL "Always apply Libmetal patches")
+-
+-set(LIBOPENAMP_SRC_PATH "DOWNLOAD" CACHE PATH "Path to Libopenamp (or DOWNLOAD to fetch automatically")
+-set(OPENAMP_VERSION "347397decaa43372fc4d00f965640ebde042966d" CACHE STRING "The version of openamp to use")
+-
+ if (${PLATFORM_IS_FVP})
+ set(PLATFORM_PSA_ADAC_SECURE_DEBUG FALSE CACHE BOOL "Whether to use psa-adac secure debug.")
+ else()
+diff --git a/platform/ext/target/arm/corstone1000/openamp/CMakeLists.txt b/platform/ext/target/arm/corstone1000/openamp/CMakeLists.txt
+deleted file mode 100644
+index 32c0def25..000000000
+--- a/platform/ext/target/arm/corstone1000/openamp/CMakeLists.txt
++++ /dev/null
+@@ -1,57 +0,0 @@
+-#-------------------------------------------------------------------------------
+-# Copyright (c) 2021, Arm Limited. All rights reserved.
+-#
+-# SPDX-License-Identifier: BSD-3-Clause
+-#
+-#-------------------------------------------------------------------------------
+-
+-add_subdirectory(ext/libmetal)
+-add_subdirectory(ext/libopenamp)
+-
+-set(CMAKE_SYSTEM_PROCESSOR "arm")
+-set(MACHINE "template")
+-set(LIBMETAL_INCLUDE_DIR "${LIBMETAL_BIN_PATH}/lib/include")
+-set(LIBMETAL_LIB "${LIBMETAL_BIN_PATH}/lib")
+-
+-add_subdirectory(${LIBMETAL_SRC_PATH} ${LIBMETAL_BIN_PATH})
+-add_subdirectory(${LIBOPENAMP_SRC_PATH} ${LIBOPENAMP_BIN_PATH})
+-
+-target_include_directories(platform_s
+- PRIVATE
+- ${LIBMETAL_BIN_PATH}/lib/include
+- ${LIBOPENAMP_SRC_PATH}/lib/include
+-)
+-
+-target_include_directories(platform_s
+- PUBLIC
+- .
+-)
+-
+-target_sources(platform_s
+- PRIVATE
+- tfm_spe_openamp_platform_interconnect.c
+- tfm_spe_dual_core_psa_client_secure_lib.c
+- tfm_spe_openamp_interface_impl.c
+- platform_spe_dual_core_hal.c
+- tfm_spe_psa_client_lib_unordered_map.c
+-)
+-
+-target_link_libraries(open_amp-static
+- PRIVATE
+- metal-static
+-)
+-
+-target_compile_definitions(open_amp-static
+- PRIVATE
+- RPMSG_BUFFER_SIZE=8192
+-)
+-
+-target_link_libraries(platform_s
+- PRIVATE
+- open_amp-static
+-)
+-
+-# Export header file shared with non-secure side
+-install(FILES tfm_openamp_lib.h
+- DESTINATION ${INSTALL_INTERFACE_INC_DIR}
+-)
+diff --git a/platform/ext/target/arm/corstone1000/openamp/ext/libmetal/0001-Disable-logger-when-the-build-type-is-release.patch b/platform/ext/target/arm/corstone1000/openamp/ext/libmetal/0001-Disable-logger-when-the-build-type-is-release.patch
+deleted file mode 100644
+index 7c5eacc9f..000000000
+--- a/platform/ext/target/arm/corstone1000/openamp/ext/libmetal/0001-Disable-logger-when-the-build-type-is-release.patch
++++ /dev/null
+@@ -1,27 +0,0 @@
+-From d9d92c8848e4567f208f1900aff57e6a234c8130 Mon Sep 17 00:00:00 2001
+-From: Mohamed Omar Asaker <mohamed.omarasaker@arm.com>
+-Date: Wed, 7 Dec 2022 12:37:22 +0000
+-Subject: [PATCH] Disable logger when the build type is release
+-
+-Signed-off-by: Mohamed Omar Asaker <mohamed.omarasaker@arm.com>
+----
+- cmake/options.cmake | 3 ++-
+- 1 file changed, 2 insertions(+), 1 deletion(-)
+-
+-diff --git a/cmake/options.cmake b/cmake/options.cmake
+-index 25c7c96..7a2b116 100644
+---- a/cmake/options.cmake
+-+++ b/cmake/options.cmake
+-@@ -55,7 +55,8 @@ if (WITH_ZEPHYR)
+- option (WITH_ZEPHYR_LIB "Build libmetal as a zephyr library" OFF)
+- endif (WITH_ZEPHYR)
+-
+--option (WITH_DEFAULT_LOGGER "Build with default logger" ON)
+-+include(CMakeDependentOption)
+-+cmake_dependent_option(WITH_DEFAULT_LOGGER "Build with default logger" ON "${CMAKE_BUILD_TYPE} STREQUAL Debug" OFF)
+-
+- option (WITH_DOC "Build with documentation" ON)
+-
+---
+-2.25.1
+-
+diff --git a/platform/ext/target/arm/corstone1000/openamp/ext/libmetal/CMakeLists.txt b/platform/ext/target/arm/corstone1000/openamp/ext/libmetal/CMakeLists.txt
+deleted file mode 100644
+index fa37fd6be..000000000
+--- a/platform/ext/target/arm/corstone1000/openamp/ext/libmetal/CMakeLists.txt
++++ /dev/null
+@@ -1,23 +0,0 @@
+-#-------------------------------------------------------------------------------
+-# Copyright (c) 2021-2022, Arm Limited. All rights reserved.
+-# Copyright (c) 2022 Cypress Semiconductor Corporation (an Infineon company)
+-# or an affiliate of Cypress Semiconductor Corporation. All rights reserved.
+-#
+-# SPDX-License-Identifier: BSD-3-Clause
+-#
+-#-------------------------------------------------------------------------------
+-
+-fetch_remote_library(
+- LIB_NAME libmetal
+- LIB_SOURCE_PATH_VAR LIBMETAL_SRC_PATH
+- LIB_BINARY_PATH_VAR LIBMETAL_BIN_PATH
+- LIB_PATCH_DIR ${CMAKE_CURRENT_LIST_DIR}
+- LIB_FORCE_PATCH LIBMETAL_FORCE_PATCH
+- FETCH_CONTENT_ARGS
+- GIT_TAG ${LIBMETAL_VERSION}
+- GIT_REPOSITORY https://github.com/OpenAMP/libmetal.git
+-)
+-
+-if (NOT LIB_BINARY_PATH_VAR)
+-set(LIBMETAL_BIN_PATH "${CMAKE_SOURCE_DIR}/build/lib/ext/libmetal-subbuild" CACHE PATH "Path to build directory of libmetal.")
+-endif()
+diff --git a/platform/ext/target/arm/corstone1000/openamp/ext/libopenamp/CMakeLists.txt b/platform/ext/target/arm/corstone1000/openamp/ext/libopenamp/CMakeLists.txt
+deleted file mode 100644
+index 28c5fa284..000000000
+--- a/platform/ext/target/arm/corstone1000/openamp/ext/libopenamp/CMakeLists.txt
++++ /dev/null
+@@ -1,21 +0,0 @@
+-#-------------------------------------------------------------------------------
+-# Copyright (c) 2020-2022, Arm Limited. All rights reserved.
+-# Copyright (c) 2022 Cypress Semiconductor Corporation (an Infineon company)
+-# or an affiliate of Cypress Semiconductor Corporation. All rights reserved.
+-#
+-# SPDX-License-Identifier: BSD-3-Clause
+-#
+-#-------------------------------------------------------------------------------
+-
+-fetch_remote_library(
+- LIB_NAME libopenamp
+- LIB_SOURCE_PATH_VAR LIBOPENAMP_SRC_PATH
+- LIB_BINARY_PATH_VAR LIBOPENAMP_BIN_PATH
+- FETCH_CONTENT_ARGS
+- GIT_TAG ${OPENAMP_VERSION}
+- GIT_REPOSITORY https://github.com/OpenAMP/open-amp.git
+-)
+-
+-if (NOT LIB_BINARY_PATH_VAR)
+-set(LIBOPENAMP_BIN_PATH "${CMAKE_SOURCE_DIR}/build/lib/ext/libopenamp-subbuild" CACHE PATH "Path to build directory of open-amp.")
+-endif()
+diff --git a/platform/ext/target/arm/corstone1000/openamp/platform_spe_dual_core_hal.c b/platform/ext/target/arm/corstone1000/openamp/platform_spe_dual_core_hal.c
+deleted file mode 100644
+index 7613345ff..000000000
+--- a/platform/ext/target/arm/corstone1000/openamp/platform_spe_dual_core_hal.c
++++ /dev/null
+@@ -1,152 +0,0 @@
+-/*
+- * Copyright (c) 2021, Arm Limited. All rights reserved.
+- * Copyright (c) 2021-2022 Cypress Semiconductor Corporation (an Infineon
+- * company) or an affiliate of Cypress Semiconductor Corporation. All rights
+- * reserved.
+- *
+- * SPDX-License-Identifier: BSD-3-Clause
+- */
+-
+-#include "tfm_spe_openamp_platform_interface.h"
+-#include "device_cfg.h"
+-#include "device_definition.h"
+-#include "load/interrupt_defs.h"
+-#include "mhu_v2_x.h"
+-#include "tfm_plat_defs.h"
+-#include "tfm_spm_log.h"
+-#include "cmsis.h"
+-
+-#define MHU1_SEH_NOTIFY_CH 0
+-#define MHU1_SEH_NOTIFY_VAL 1234
+-
+-static enum tfm_plat_err_t initialize_secure_enclave_to_host_mhu(void)
+-{
+- enum mhu_v2_x_error_t status;
+-
+- status = mhu_v2_x_driver_init(&MHU1_SE_TO_HOST_DEV, MHU_REV_READ_FROM_HW);
+- if (status != MHU_V_2_X_ERR_NONE) {
+- SPMLOG_ERRMSGVAL("Secure-enclave to Host MHU driver initialization failed: ", status);
+- return TFM_PLAT_ERR_SYSTEM_ERR;
+- }
+- SPMLOG_INFMSG("Secure-enclave to Host MHU Driver initialized successfully.\r\n");
+-
+- return TFM_PLAT_ERR_SUCCESS;
+-}
+-
+-static enum tfm_plat_err_t initialize_host_to_secure_enclave_mhu(void)
+-{
+- enum mhu_v2_x_error_t status;
+-
+- status = mhu_v2_x_driver_init(&MHU1_HOST_TO_SE_DEV, MHU_REV_READ_FROM_HW);
+- if (status != MHU_V_2_X_ERR_NONE) {
+- SPMLOG_ERRMSGVAL("Host to secure-enclave MHU driver initialization failed: ", status);
+- return TFM_PLAT_ERR_SYSTEM_ERR;
+- }
+- SPMLOG_INFMSG("Host to secure-enclave MHU Driver initialized successfully.\r\n");
+-
+- NVIC_EnableIRQ(HSE1_RECEIVER_COMBINED_IRQn);
+-
+- return TFM_PLAT_ERR_SUCCESS;
+-}
+-
+-static struct irq_t mbox_irq_info = {0};
+-
+-void HSE1_RECEIVER_COMBINED_IRQHandler(void)
+-{
+- spm_handle_interrupt(mbox_irq_info.p_pt, mbox_irq_info.p_ildi);
+-
+- mhu_v2_x_channel_clear(&MHU1_HOST_TO_SE_DEV, 0);
+- NVIC_ClearPendingIRQ(HSE1_RECEIVER_COMBINED_IRQn);
+-}
+-
+-enum tfm_hal_status_t mailbox_irq_init(void *p_pt,
+- const struct irq_load_info_t *p_ildi)
+-{
+- mbox_irq_info.p_pt = p_pt;
+- mbox_irq_info.p_ildi = p_ildi;
+-
+- return TFM_HAL_SUCCESS;
+-}
+-
+-enum tfm_plat_err_t tfm_dual_core_hal_init(void)
+-{
+- enum tfm_plat_err_t status;
+-
+- status = initialize_host_to_secure_enclave_mhu();
+- if (status) {
+- return status;
+- }
+- status = initialize_secure_enclave_to_host_mhu();
+-
+- return status;
+-}
+-
+-enum tfm_plat_err_t tfm_hal_notify_peer(void)
+-{
+- uint32_t access_ready;
+- enum mhu_v2_x_error_t status;
+- struct mhu_v2_x_dev_t* dev = &MHU1_SE_TO_HOST_DEV;
+-
+- status = mhu_v2_x_set_access_request(dev);
+- if (status != MHU_V_2_X_ERR_NONE) {
+- SPMLOG_ERRMSGVAL("mhu_v2_x_set_access_request failed : ", status);
+- return TFM_PLAT_ERR_SYSTEM_ERR;
+- }
+-
+- do {
+- status = mhu_v2_x_get_access_ready(dev, &access_ready);
+- if (status != MHU_V_2_X_ERR_NONE) {
+- SPMLOG_ERRMSGVAL("mhu_v2_x_get_access_ready failed : ", status);
+- return TFM_PLAT_ERR_SYSTEM_ERR;
+- }
+- } while(!access_ready);
+-
+- status = mhu_v2_x_channel_send(dev, MHU1_SEH_NOTIFY_CH, MHU1_SEH_NOTIFY_VAL);
+-
+- if (status != MHU_V_2_X_ERR_NONE) {
+- SPMLOG_ERRMSGVAL("mhu_v2_x_channel_send : ", status);
+- return TFM_PLAT_ERR_SYSTEM_ERR;
+- }
+-
+- status = mhu_v2_x_reset_access_request(dev);
+- if (status != MHU_V_2_X_ERR_NONE) {
+- SPMLOG_ERRMSGVAL("mhu_v2_x_reset_access_request : ", status);
+- return TFM_PLAT_ERR_SYSTEM_ERR;
+- }
+- return TFM_PLAT_ERR_SUCCESS;
+-}
+-
+-/*
+- * The function is implemented to support libmetal's mutex and spinlock
+- * implementation. The GCC does not support a respective builtin
+- * functions for Cortex M0+. So below function provides the
+- * missing link for libmetal compilation.
+- * This function will prevent race condition between PendSV context (where
+- * entries are inserted into unordered map) and service threads (where
+- * entries are removed from the unordered map).
+- */
+-bool __atomic_compare_exchange_4(volatile void *mem, void *expected,
+- uint32_t desired, bool var, int success, int failure)
+-{
+- bool ret = false;
+- volatile uint32_t *location = mem;
+- volatile uint32_t *old_val = expected;
+- /* unused variables */
+- (void)var;
+- (void)success;
+- (void)failure;
+-
+- NVIC_DisableIRQ(PendSV_IRQn);
+-
+- do {
+- if (*location != *old_val) {
+- break;
+- }
+- *location = desired;
+- ret = true;
+- } while (0);
+-
+- NVIC_EnableIRQ(PendSV_IRQn);
+-
+- return ret;
+-}
+diff --git a/platform/ext/target/arm/corstone1000/openamp/tfm_openamp_lib.h b/platform/ext/target/arm/corstone1000/openamp/tfm_openamp_lib.h
+deleted file mode 100644
+index 2996ba9a8..000000000
+--- a/platform/ext/target/arm/corstone1000/openamp/tfm_openamp_lib.h
++++ /dev/null
+@@ -1,128 +0,0 @@
+-/*
+- * Copyright (c) 2021, Arm Limited. All rights reserved.
+- *
+- * SPDX-License-Identifier: BSD-3-Clause
+- *
+- */
+-
+-/*
+- * This header file is common to NSPE and SPE PSA client libraries.
+- */
+-
+-#ifndef __TFM_OPENAMP_LIB_H__
+-#define __TFM_OPENAMP_LIB_H__
+-
+-#include <stdint.h>
+-#include "psa/client.h"
+-
+-#ifdef __cplusplus
+-extern "C" {
+-#endif
+-
+-/* PSA client call type value */
+-#define OPENAMP_PSA_FRAMEWORK_VERSION (0x1)
+-#define OPENAMP_PSA_VERSION (0x2)
+-#define OPENAMP_PSA_CONNECT (0x3)
+-#define OPENAMP_PSA_CALL (0x4)
+-#define OPENAMP_PSA_CLOSE (0x5)
+-
+-/* Return code of openamp APIs */
+-#define OPENAMP_SUCCESS (0)
+-#define OPENAMP_MAP_FULL (INT32_MIN + 1)
+-#define OPENAMP_MAP_ERROR (INT32_MIN + 2)
+-#define OPENAMP_INVAL_PARAMS (INT32_MIN + 3)
+-#define OPENAMP_NO_PERMS (INT32_MIN + 4)
+-#define OPENAMP_NO_PEND_EVENT (INT32_MIN + 5)
+-#define OPENAMP_CHAN_BUSY (INT32_MIN + 6)
+-#define OPENAMP_CALLBACK_REG_ERROR (INT32_MIN + 7)
+-#define OPENAMP_INIT_ERROR (INT32_MIN + 8)
+-
+-#define HOLD_INPUT_BUFFER (1) /* IF true, TF-M Library will hold the openamp
+- * buffer so that openamp shared memory buffer
+- * does not get freed.
+- */
+-
+-/*
+- * This structure holds the parameters used in a PSA client call.
+- */
+-typedef struct __attribute__((packed)) psa_client_in_params {
+- union {
+- struct __attribute__((packed)) {
+- uint32_t sid;
+- } psa_version_params;
+-
+- struct __attribute__((packed)) {
+- uint32_t sid;
+- uint32_t version;
+- } psa_connect_params;
+-
+- struct __attribute__((packed)) {
+- psa_handle_t handle;
+- int32_t type;
+- uint32_t in_vec;
+- uint32_t in_len;
+- uint32_t out_vec;
+- uint32_t out_len;
+- } psa_call_params;
+-
+- struct __attribute__((packed)) {
+- psa_handle_t handle;
+- } psa_close_params;
+- };
+-} psa_client_in_params_t;
+-
+-/* Openamp message passed from NSPE to SPE to deliver a PSA client call */
+-typedef struct __attribute__((packed)) ns_openamp_msg {
+- uint32_t call_type; /* PSA client call type */
+- psa_client_in_params_t params; /* Contain parameters used in PSA
+- * client call
+- */
+-
+- int32_t client_id; /* Optional client ID of the
+- * non-secure caller.
+- * It is required to identify the
+- * non-secure task when NSPE OS
+- * enforces non-secure task
+- * isolation
+- */
+- int32_t request_id; /* This is the unique ID for a
+- * request send to TF-M by the
+- * non-secure core. TF-M forward
+- * the ID back to non-secure on the
+- * reply to a given request. Using
+- * this id, the non-secure library
+- * can identify the request for
+- * which the reply has received.
+- */
+-} ns_openamp_msg_t;
+-
+-/*
+- * This structure holds the location of the out data of the PSA client call.
+- */
+-typedef struct __attribute__((packed)) psa_client_out_params {
+- uint32_t out_vec;
+- uint32_t out_len;
+-} psa_client_out_params_t;
+-
+-
+-/* Openamp message from SPE to NSPE delivering the reply back for a PSA client
+- * call.
+- */
+-typedef struct __attribute__((packed)) s_openamp_msg {
+- int32_t request_id; /* Using this id, the non-secure
+- * library identifies the request.
+- * TF-M forwards the same
+- * request-id received on the
+- * initial request.
+- */
+- int32_t reply; /* Reply of the PSA client call */
+- psa_client_out_params_t params; /* Contain out data result of the
+- * PSA client call.
+- */
+-} s_openamp_msg_t;
+-
+-#ifdef __cplusplus
+-}
+-#endif
+-
+-#endif /* __TFM_OPENAMP_LIB_H__ */
+diff --git a/platform/ext/target/arm/corstone1000/openamp/tfm_spe_dual_core_psa_client_secure_lib.c b/platform/ext/target/arm/corstone1000/openamp/tfm_spe_dual_core_psa_client_secure_lib.c
+deleted file mode 100644
+index d2eabe144..000000000
+--- a/platform/ext/target/arm/corstone1000/openamp/tfm_spe_dual_core_psa_client_secure_lib.c
++++ /dev/null
+@@ -1,304 +0,0 @@
+-/*
+- * Copyright (c) 2021-2022, Arm Limited. All rights reserved.
+- * Copyright (c) 2021-2023 Cypress Semiconductor Corporation (an Infineon company)
+- * or an affiliate of Cypress Semiconductor Corporation. All rights reserved.
+- *
+- * SPDX-License-Identifier: BSD-3-Clause
+- *
+- */
+-
+-#include "config_impl.h"
+-#include "tfm_psa_call_pack.h"
+-#include "tfm_spe_dual_core_psa_client_secure_lib.h"
+-#include "tfm_rpc.h"
+-#include "tfm_spe_openamp_interface.h"
+-#include "tfm_spm_log.h"
+-#include "tfm_spe_psa_client_lib_unordered_map.h"
+-#include "psa/error.h"
+-#include "utilities.h"
+-#include "thread.h"
+-
+-/**
+- * In linux environment and for psa_call type client api,
+- * the layout of the reply from tf-m to linux is as following.
+- */
+-typedef struct output_buffer_with_payload {
+- s_openamp_msg_t header;
+- psa_outvec outvec[PSA_MAX_IOVEC];
+- uint8_t payload[]; /* outdata follows */
+-} output_buffer_with_payload_t;
+-
+-static void prepare_and_send_output_msg(int32_t reply, int32_t request_id)
+-{
+- s_openamp_msg_t msg;
+-
+- msg.request_id = request_id;
+- msg.reply = reply;
+-
+- msg.params.out_vec = 0;
+- msg.params.out_len = 0;
+-
+- tfm_to_openamp_reply_back(&msg, sizeof(msg));
+-}
+-
+-static void prepare_and_send_preallocated_output_msg(int32_t reply,
+- const unordered_map_entry_t* s_map_entry)
+-{
+- uint32_t out_len = s_map_entry->msg.params.psa_call_params.out_len;
+- output_buffer_with_payload_t *output_msg = (output_buffer_with_payload_t*)s_map_entry->output_buffer;
+-
+- output_msg->header.request_id = s_map_entry->msg.request_id;
+- output_msg->header.reply = reply;
+-
+- output_msg->header.params.out_vec =
+- (uint32_t)tfm_to_openamp_translate_secure_to_non_secure_ptr(
+- output_msg->outvec);
+- output_msg->header.params.out_len = out_len;
+-
+- for (int i = 0; i < out_len; i++) {
+- output_msg->outvec[i].base = tfm_to_openamp_translate_secure_to_non_secure_ptr(
+- output_msg->outvec[i].base);
+- }
+-
+- /* send msg to non-secure side */
+- tfm_to_openamp_reply_back_no_copy(output_msg, s_map_entry->output_buffer_len);
+-}
+-
+-void send_service_reply_to_non_secure(int32_t reply, void *private)
+-{
+- unordered_map_handle_t handle;
+- const unordered_map_entry_t* s_map_entry = (const unordered_map_entry_t*)private;
+-
+- if (s_map_entry->is_input_buffer_hold) {
+- tfm_to_openamp_release_buffer(s_map_entry->input_buffer);
+- }
+-
+- if (s_map_entry->is_output_buffer) {
+- prepare_and_send_preallocated_output_msg(reply, s_map_entry);
+- } else {
+- prepare_and_send_output_msg(reply, s_map_entry->msg.request_id);
+- }
+-
+- handle = unordered_map_get_entry_handle(s_map_entry);
+- if (handle == INVALID_MAP_HANDLE) {
+- SPMLOG_ERRMSG("FATAL_ERROR: Map handle not valid\r\n");
+- SPM_ASSERT(0);
+- }
+- unordered_map_free(handle);
+-}
+-
+-static psa_invec * prepare_in_vecs(unordered_map_entry_t* s_map_entry)
+-{
+- uint32_t in_len = s_map_entry->msg.params.psa_call_params.in_len;
+- SPM_ASSERT(in_len <= PSA_MAX_IOVEC);
+-
+- psa_invec *input_buffer_in_vec = (psa_invec*)tfm_to_openamp_translate_non_secure_to_secure_ptr(
+- (void*)s_map_entry->msg.params.psa_call_params.in_vec);
+- for (int i = 0; i < in_len; i++) {
+- input_buffer_in_vec[i].base = tfm_to_openamp_translate_non_secure_to_secure_ptr(
+- input_buffer_in_vec[i].base);
+- }
+-
+- return input_buffer_in_vec;
+-}
+-
+-static void * alloc_output_buffer_in_shared_mem(size_t length,
+- unordered_map_entry_t* s_map_entry)
+-{
+- uint32_t buffer_sz = 0;
+-
+- /* pre allocate output_buffer space from openamp shared memory */
+- s_map_entry->output_buffer = tfm_to_openamp_get_buffer(&buffer_sz);
+- SPM_ASSERT((s_map_entry->output_buffer != NULL) && (buffer_sz >= length));
+- s_map_entry->is_output_buffer = true;
+- s_map_entry->output_buffer_len = length;
+- spm_memset(s_map_entry->output_buffer, 0x0, length);
+-
+- return s_map_entry->output_buffer;
+-}
+-
+-static psa_status_t alloc_and_prepare_out_vecs(psa_outvec **out_vec_start_ptr,
+- unordered_map_entry_t* s_map_entry)
+-{
+- psa_outvec *input_buffer_outvec = NULL;
+- size_t output_buffer_len = 0;
+- size_t current_outdata_len = 0;
+- output_buffer_with_payload_t *out_buffer = NULL;
+- int max_shared_mem_buffer_size = 0;
+- uint32_t out_len = s_map_entry->msg.params.psa_call_params.out_len;
+-
+- SPM_ASSERT(out_len <= PSA_MAX_IOVEC);
+- *out_vec_start_ptr = NULL;
+-
+- if (out_len == 0) {
+- return PSA_SUCCESS;
+- }
+-
+- input_buffer_outvec = (psa_outvec*)tfm_to_openamp_translate_non_secure_to_secure_ptr(
+- (void*)s_map_entry->msg.params.psa_call_params.out_vec);
+-
+- /* calculate and validate out data len */
+- output_buffer_len = sizeof(output_buffer_with_payload_t);
+- for (int i = 0; i < out_len; i++) {
+- output_buffer_len += input_buffer_outvec[i].len;
+- }
+- max_shared_mem_buffer_size = tfm_to_openamp_get_buffer_size();
+- if (output_buffer_len > max_shared_mem_buffer_size) {
+- SPMLOG_ERRMSGVAL("required buffer size : ", output_buffer_len);
+- SPMLOG_ERRMSGVAL(" is more than maximum available : ", max_shared_mem_buffer_size);
+- return PSA_ERROR_INVALID_ARGUMENT;
+- }
+-
+- /* prepare output buffer layout */
+- out_buffer = (output_buffer_with_payload_t*)alloc_output_buffer_in_shared_mem(
+- output_buffer_len, s_map_entry);
+-
+- for (int i = 0; i < PSA_MAX_IOVEC; i++) {
+- if (i < out_len) {
+- out_buffer->outvec[i].base = &out_buffer->payload[current_outdata_len];
+- out_buffer->outvec[i].len = input_buffer_outvec[i].len;
+- current_outdata_len += input_buffer_outvec[i].len;
+- } else {
+- out_buffer->outvec[i].base = NULL;
+- out_buffer->outvec[i].len = 0;
+- }
+- }
+-
+- *out_vec_start_ptr = out_buffer->outvec;
+-
+- return PSA_SUCCESS;
+-}
+-
+-static psa_status_t prepare_params_for_psa_call(struct client_params_t *params,
+- unordered_map_entry_t* s_map_entry)
+-{
+- psa_status_t ret = PSA_SUCCESS;
+-
+- params->ns_client_id_stateless = s_map_entry->msg.client_id;
+-
+- params->p_outvecs = NULL;
+- ret = alloc_and_prepare_out_vecs(&params->p_outvecs, s_map_entry);
+- if (ret != PSA_SUCCESS) {
+- return ret;
+- }
+-
+- params->p_invecs = prepare_in_vecs(s_map_entry);
+-
+- /* hold the input shared memory */
+- tfm_to_openamp_hold_buffer(s_map_entry->input_buffer);
+- s_map_entry->is_input_buffer_hold = true;
+-
+- return ret;
+-}
+-
+-__STATIC_INLINE int32_t check_msg(const ns_openamp_msg_t *msg)
+-{
+- /*
+- * TODO
+- * Comprehensive check of openamp msessage content can be implemented here.
+- */
+- (void)msg;
+- return OPENAMP_SUCCESS;
+-}
+-
+-static void send_error_to_non_secure(int32_t reply, int32_t request_id)
+-{
+- prepare_and_send_output_msg(reply, request_id);
+-}
+-
+-int32_t register_msg_to_spe_and_verify(void **private, const void *data, size_t len)
+-{
+- unordered_map_entry_t *s_map_entry;
+- ns_openamp_msg_t *ns_msg;
+- unordered_map_handle_t map_handle;
+- int32_t ret = OPENAMP_SUCCESS;
+-
+- *private = NULL;
+-
+- if (len < sizeof(ns_openamp_msg_t)) {
+- SPMLOG_ERRMSG("Invalid parameters.\r\n");
+- send_error_to_non_secure(OPENAMP_INVAL_PARAMS, 0);
+- return OPENAMP_INVAL_PARAMS;
+- }
+-
+- /* start of the data is with "ns_openamp_msg_t" */
+- ns_msg = (ns_openamp_msg_t*)data;
+- ret = unordered_map_insert(ns_msg, data, &map_handle);
+- if (ret) {
+- SPMLOG_ERRMSG("Map insert failed\r\n");
+- send_error_to_non_secure(OPENAMP_MAP_FULL, ns_msg->request_id);
+- return OPENAMP_MAP_FULL;
+- }
+-
+- s_map_entry = unordered_map_get_entry_ptr(map_handle);
+-
+- /* verify msg after copy to the secure memory */
+- if (check_msg(&s_map_entry->msg)) {
+- SPMLOG_ERRMSG("Message is invalid\r\n");
+- send_error_to_non_secure(OPENAMP_INVAL_PARAMS, ns_msg->request_id);
+- unordered_map_free(map_handle);
+- return OPENAMP_INVAL_PARAMS;
+- }
+-
+- *private = s_map_entry;
+-
+- return ret;
+-}
+-
+-void deliver_msg_to_tfm_spe(void *private)
+-{
+- struct client_params_t params = {0};
+- psa_status_t psa_ret = PSA_ERROR_GENERIC_ERROR;
+- unordered_map_entry_t* s_map_entry = (unordered_map_entry_t*)private;
+-
+- switch(s_map_entry->msg.call_type) {
+- case OPENAMP_PSA_FRAMEWORK_VERSION:
+- psa_ret = tfm_rpc_psa_framework_version();
+- send_service_reply_to_non_secure(psa_ret, s_map_entry);
+- break;
+- case OPENAMP_PSA_VERSION:
+- psa_ret = tfm_rpc_psa_version(s_map_entry->msg.params.psa_version_params.sid);
+- send_service_reply_to_non_secure(psa_ret, s_map_entry);
+- break;
+- case OPENAMP_PSA_CALL:
+- psa_ret = prepare_params_for_psa_call(&params, s_map_entry);
+- if (psa_ret != PSA_SUCCESS) {
+- send_service_reply_to_non_secure(psa_ret, s_map_entry);
+- break;
+- }
+- psa_ret = tfm_rpc_psa_call(s_map_entry->msg.params.psa_call_params.handle,
+- PARAM_PACK(s_map_entry->msg.params.psa_call_params.type,
+- s_map_entry->msg.params.psa_call_params.in_len,
+- s_map_entry->msg.params.psa_call_params.out_len),
+- &params, NULL);
+- if (psa_ret != PSA_SUCCESS) {
+- send_service_reply_to_non_secure(psa_ret, s_map_entry);
+- break;
+- }
+- break;
+-#if CONFIG_TFM_CONNECTION_BASED_SERVICE_API == 1
+- case OPENAMP_PSA_CONNECT:
+- psa_ret = tfm_rpc_psa_connect(s_map_entry->msg.params.psa_connect_params.sid,
+- s_map_entry->msg.params.psa_connect_params.version,
+- s_map_entry->msg.client_id,
+- NULL);
+- if (psa_ret != PSA_SUCCESS) {
+- send_service_reply_to_non_secure(psa_ret, s_map_entry);
+- }
+- break;
+- case OPENAMP_PSA_CLOSE:
+- tfm_rpc_psa_close(s_map_entry->msg.params.psa_close_params.handle);
+- break;
+-#endif /* CONFIG_TFM_CONNECTION_BASED_SERVICE_API == 1 */
+- default:
+- SPMLOG_ERRMSG("msg type did not recognized\r\n");
+- send_error_to_non_secure(OPENAMP_INVAL_PARAMS, s_map_entry->msg.request_id);
+- unordered_map_free(unordered_map_get_entry_handle(s_map_entry));
+- break;
+- }
+-}
+-
+-void init_dual_core_psa_client_secure_lib(void)
+-{
+- unordered_map_init();
+-}
+diff --git a/platform/ext/target/arm/corstone1000/openamp/tfm_spe_dual_core_psa_client_secure_lib.h b/platform/ext/target/arm/corstone1000/openamp/tfm_spe_dual_core_psa_client_secure_lib.h
+deleted file mode 100644
+index de7891b83..000000000
+--- a/platform/ext/target/arm/corstone1000/openamp/tfm_spe_dual_core_psa_client_secure_lib.h
++++ /dev/null
+@@ -1,39 +0,0 @@
+-/*
+- * Copyright (c) 2021, Arm Limited. All rights reserved.
+- *
+- * SPDX-License-Identifier: BSD-3-Clause
+- *
+- */
+-
+-#ifndef __TFM_SPE_DUAL_CORE_PSA_CLIENT_SECURE_LIB_H__
+-#define __TFM_SPE_DUAL_CORE_PSA_CLIENT_SECURE_LIB_H__
+-
+-#include "tfm_openamp_lib.h"
+-
+-/**
+- * \brief Initializes the library.
+- */
+-void init_dual_core_psa_client_secure_lib(void);
+-
+-/**
+- * \brief Decodes the messages received from the NSPE before sending
+- * to SPE.
+- */
+-void deliver_msg_to_tfm_spe(void *private);
+-
+-/**
+- * \brief Encodes the reply of service before sending it to NSPE.
+- */
+-void send_service_reply_to_non_secure(int32_t reply, void *private);
+-
+-/**
+- * \brief Validate and register the message. The message details are
+- * copied inside the unordered_map.
+- *
+- * \retval OPENAMP_SUCCESS Successfully registered the message.
+- * \retval Other return code Operation failed with an error code.
+- */
+-int32_t register_msg_to_spe_and_verify(void **private,
+- const void *data, size_t len);
+-
+-#endif /* __TFM_SPE_DUAL_CORE_PSA_CLIENT_SECURE_LIB_H__ */
+diff --git a/platform/ext/target/arm/corstone1000/openamp/tfm_spe_openamp_interface.h b/platform/ext/target/arm/corstone1000/openamp/tfm_spe_openamp_interface.h
+deleted file mode 100644
+index 25afd5017..000000000
+--- a/platform/ext/target/arm/corstone1000/openamp/tfm_spe_openamp_interface.h
++++ /dev/null
+@@ -1,39 +0,0 @@
+-/*
+- * Copyright (c) 2020 Linaro Limited
+- *
+- * Copyright (c) 2021, Arm Limited. All rights reserved.
+- *
+- * SPDX-License-Identifier: BSD-3-Clause
+- *
+- */
+-
+-#ifndef TFM_SPE_OPENAMP_INTERFACE_H_
+-#define TFM_SPE_OPENAMP_INTERFACE_H_
+-
+-#define SUCCESS (0)
+-#define ERROR (INT32_MIN + 1)
+-
+-
+-typedef void (*openamp_to_tfm_callback)(const void *data,
+- size_t len);
+-typedef void (*openamp_to_tfm_notify)(void);
+-
+-/*
+- * These functions are the logical interface from TF-M to
+- * OpenAMP.
+- */
+-int32_t tfm_to_openamp_init(openamp_to_tfm_callback cb,
+- openamp_to_tfm_notify notify);
+-void tfm_to_openamp_notify(void);
+-void tfm_to_openamp_spe_map_spinlock_acquire(void);
+-void tfm_to_openamp_spe_map_spinlock_release(void);
+-void tfm_to_openamp_reply_back(const void* data, size_t len);
+-void tfm_to_openamp_reply_back_no_copy(const void* data, size_t len);
+-void tfm_to_openamp_hold_buffer(const void *buffer);
+-void tfm_to_openamp_release_buffer(const void *buffer);
+-void *tfm_to_openamp_get_buffer(uint32_t *len);
+-int tfm_to_openamp_get_buffer_size(void);
+-void *tfm_to_openamp_translate_non_secure_to_secure_ptr(const void *ptr);
+-void *tfm_to_openamp_translate_secure_to_non_secure_ptr(const void *ptr);
+-
+-#endif /* TFM_SPE_OPENAMP_INTERFACE_H_ */
+diff --git a/platform/ext/target/arm/corstone1000/openamp/tfm_spe_openamp_interface_impl.c b/platform/ext/target/arm/corstone1000/openamp/tfm_spe_openamp_interface_impl.c
+deleted file mode 100644
+index aa16e9929..000000000
+--- a/platform/ext/target/arm/corstone1000/openamp/tfm_spe_openamp_interface_impl.c
++++ /dev/null
+@@ -1,248 +0,0 @@
+-/*
+- * Copyright (c) 2020 Linaro Limited
+- *
+- * Copyright (c) 2021, Arm Limited. All rights reserved.
+- *
+- * SPDX-License-Identifier: BSD-3-Clause
+- *
+- */
+-
+-#include <metal/device.h>
+-#include <metal/spinlock.h>
+-#include <openamp/open_amp.h>
+-
+-#include "tfm_spe_openamp_interface.h"
+-#include "tfm_spm_log.h"
+-#include "tfm_spe_shm_openamp.h"
+-
+-static metal_phys_addr_t shm_physmap[] = { SHM_START_PHY_ADDR };
+-static struct metal_device shm_device = {
+- .name = SHM_DEVICE_NAME,
+- .bus = NULL,
+- .num_regions = 1,
+- {
+- {
+- .virt = (void *) SHM_START_VIRT_ADDR,
+- .physmap = shm_physmap,
+- .size = SHM_SIZE,
+- .page_shift = 0xffffffff,
+- .page_mask = 0xffffffff,
+- .mem_flags = 0,
+- .ops = { NULL },
+- },
+- },
+- .node = { NULL },
+- .irq_num = 0,
+- .irq_info = NULL
+-};
+-
+-/* Space to be used by virtqueues */
+-#define VQ_STATIC_SIZE (sizeof(struct virtqueue) + (VRING_SIZE * sizeof(struct vq_desc_extra)))
+-uint8_t vq1_static_space[VQ_STATIC_SIZE];
+-uint8_t vq2_static_space[VQ_STATIC_SIZE];
+-
+-static struct virtio_vring_info rvrings[2];
+-
+-static struct virtio_device vdev;
+-static struct rpmsg_virtio_device rvdev;
+-static struct metal_io_region *io;
+-static struct virtqueue *vq[2];
+-static struct rpmsg_virtio_shm_pool shpool;
+-static struct rpmsg_endpoint tfm_ept;
+-static struct rpmsg_endpoint *ep = &tfm_ept;
+-static struct metal_spinlock spe_map_slock;
+-static openamp_to_tfm_callback tfm_callback = NULL;
+-static openamp_to_tfm_notify tfm_notify = NULL;
+-
+-static unsigned char virtio_get_status(struct virtio_device *vdev)
+-{
+- (void)vdev;
+- uint32_t status = *(uint32_t *)VDEV_STATUS_ADDR;
+- return status;
+-}
+-
+-static void virtio_set_status(struct virtio_device *vdev, unsigned char status)
+-{
+- (void)vdev;
+- *(uint32_t *)VDEV_STATUS_ADDR = status;
+-}
+-
+-static uint32_t virtio_get_features(struct virtio_device *vdev)
+-{
+- (void)vdev;
+- return 1 << VIRTIO_RPMSG_F_NS;
+-}
+-
+-static void virtio_notify(struct virtqueue *vq)
+-{
+- (void)vq;
+- tfm_notify();
+-}
+-
+-static struct virtio_dispatch dispatch = {
+- .get_status = virtio_get_status,
+- .set_status = virtio_set_status,
+- .get_features = virtio_get_features,
+- .notify = virtio_notify,
+-};
+-
+-int endpoint_cb(struct rpmsg_endpoint *ept, void *data,
+- size_t len, uint32_t src, void *priv)
+-{
+- (void)ept;
+- (void)src;
+- (void)priv;
+- tfm_callback(data, len);
+- return 0;
+-}
+-
+-static void rpmsg_service_unbind(struct rpmsg_endpoint *ept)
+-{
+- (void)ept;
+- rpmsg_destroy_ept(ep);
+-}
+-
+-void ns_bind_cb(struct rpmsg_device *rdev, const char *name, uint32_t dest)
+-{
+- (void)rpmsg_create_ept(ep, rdev, name,
+- RPMSG_ADDR_ANY, dest,
+- endpoint_cb,
+- rpmsg_service_unbind);
+-}
+-
+-void tfm_to_openamp_notify(void)
+-{
+- virtqueue_notification(vq[0]);
+-}
+-
+-void tfm_to_openamp_spe_map_spinlock_acquire(void)
+-{
+- metal_spinlock_acquire(&spe_map_slock);
+-}
+-
+-void tfm_to_openamp_spe_map_spinlock_release(void)
+-{
+- metal_spinlock_release(&spe_map_slock);
+-}
+-
+-void tfm_to_openamp_reply_back(const void* data, size_t len)
+-{
+- rpmsg_send(ep, data, len);
+-}
+-
+-void tfm_to_openamp_reply_back_no_copy(const void* data, size_t len)
+-{
+- rpmsg_send_nocopy(ep, data, len);
+-}
+-
+-void tfm_to_openamp_hold_buffer(const void *buffer)
+-{
+- rpmsg_hold_rx_buffer(ep, (void*)buffer);
+-}
+-
+-void tfm_to_openamp_release_buffer(const void *buffer)
+-{
+- rpmsg_release_rx_buffer(ep, (void*)buffer);
+-}
+-
+-void *tfm_to_openamp_get_buffer(uint32_t *len)
+-{
+- return rpmsg_get_tx_payload_buffer(ep, len, 1);
+-}
+-
+-int tfm_to_openamp_get_buffer_size(void)
+-{
+- return rpmsg_virtio_get_buffer_size(&rvdev.rdev);
+-}
+-
+-void *tfm_to_openamp_translate_non_secure_to_secure_ptr(const void *ptr)
+-{
+- metal_phys_addr_t phys = 0;
+- phys = (metal_phys_addr_t)ptr;
+- return metal_io_phys_to_virt(io, phys);
+-}
+-
+-void *tfm_to_openamp_translate_secure_to_non_secure_ptr(const void *ptr)
+-{
+- metal_phys_addr_t phys = metal_io_virt_to_phys(io, (void*)ptr);
+- return (void*)phys;
+-}
+-
+-int32_t tfm_to_openamp_init(openamp_to_tfm_callback cb,
+- openamp_to_tfm_notify notify)
+-{
+- int status = 0;
+- struct metal_device *device;
+- struct metal_init_params metal_params = METAL_INIT_DEFAULTS;
+-
+- SPMLOG_INFMSG("TF-M OpenAMP[master] starting initialization...\r\n");
+-
+- if (cb == NULL || notify == NULL) {
+- SPMLOG_ERRMSG("invalid parameters\r\n");
+- return ERROR;
+- }
+- tfm_callback = cb;
+- tfm_notify = notify;
+-
+- metal_spinlock_init(&spe_map_slock);
+-
+- status = metal_init(&metal_params);
+- if (status != 0) {
+- SPMLOG_ERRMSG("metal_init: failed - error code\r\n");
+- return ERROR;
+- }
+-
+- status = metal_register_generic_device(&shm_device);
+- if (status != 0) {
+- SPMLOG_ERRMSG("Couldn't register shared memory device\r\n");
+- return ERROR;
+- }
+-
+- status = metal_device_open("generic", SHM_DEVICE_NAME, &device);
+- if (status != 0) {
+- SPMLOG_ERRMSG("metal_device_open failed\r\n");
+- return ERROR;
+- }
+-
+- io = metal_device_io_region(device, 0);
+- if (io == NULL) {
+- SPMLOG_ERRMSG("metal_device_io_region failed to get region\r\n");
+- return ERROR;
+- }
+-
+- /* setup vdev */
+-
+- memset(vq1_static_space, 0x0, VQ_STATIC_SIZE);
+- vq[0] = (struct virtqueue *)vq1_static_space;
+-
+- memset(vq2_static_space, 0x0, VQ_STATIC_SIZE);
+- vq[1] = (struct virtqueue *)vq2_static_space;
+-
+- vdev.role = RPMSG_MASTER;
+- vdev.vrings_num = VRING_COUNT;
+- vdev.func = &dispatch;
+- rvrings[0].io = io;
+- rvrings[0].info.vaddr = (void *)VRING_TX_ADDRESS;
+- rvrings[0].info.num_descs = VRING_SIZE;
+- rvrings[0].info.align = VRING_ALIGNMENT;
+- rvrings[0].vq = vq[0];
+-
+- rvrings[1].io = io;
+- rvrings[1].info.vaddr = (void *)VRING_RX_ADDRESS;
+- rvrings[1].info.num_descs = VRING_SIZE;
+- rvrings[1].info.align = VRING_ALIGNMENT;
+- rvrings[1].vq = vq[1];
+-
+- vdev.vrings_info = &rvrings[0];
+-
+- /* setup rvdev */
+- rpmsg_virtio_init_shm_pool(&shpool, (void *)SHM_START_VIRT_ADDR, SHM_SIZE);
+- status = rpmsg_init_vdev(&rvdev, &vdev, ns_bind_cb, io, &shpool);
+- if (status != 0) {
+- SPMLOG_ERRMSGVAL("rpmsg_init_vdev failed : ", status);
+- return ERROR;
+- }
+- SPMLOG_INFMSG("rpmsg_init_vdev Done!\r\n");
+-
+- return SUCCESS;
+-}
+diff --git a/platform/ext/target/arm/corstone1000/openamp/tfm_spe_openamp_platform_interconnect.c b/platform/ext/target/arm/corstone1000/openamp/tfm_spe_openamp_platform_interconnect.c
+deleted file mode 100644
+index db8e8ac8b..000000000
+--- a/platform/ext/target/arm/corstone1000/openamp/tfm_spe_openamp_platform_interconnect.c
++++ /dev/null
+@@ -1,114 +0,0 @@
+-/*
+- * Copyright (c) 2021-2022, Arm Limited. All rights reserved.
+- *
+- * SPDX-License-Identifier: BSD-3-Clause
+- *
+- */
+-
+-#include "tfm_spe_openamp_platform_interface.h"
+-#include "tfm_spe_dual_core_psa_client_secure_lib.h"
+-#include "tfm_rpc.h"
+-#include "tfm_spe_openamp_interface.h"
+-#include "tfm_multi_core.h"
+-#include "tfm_spm_log.h"
+-#include "utilities.h"
+-
+-static void *registered_msg = NULL;
+-
+-/* Process call from the other core. */
+-void callback_from_openamp(const void *ns_msg, size_t len)
+-{
+- int32_t ret = OPENAMP_SUCCESS;
+- void *priv = NULL;
+-
+- ret = register_msg_to_spe_and_verify(&priv, ns_msg, len);
+- if (ret != OPENAMP_SUCCESS) {
+- return;
+- }
+-
+- /*
+- * registered_msg will be used inside get_caller_private_data.
+- * get_caller_private_data will be called in the same context:
+- * deliver_msg* => tfm_rpc_xxx => tfm_spm_xxx => spm_init_connection
+- * => tfm_rpc_set_caller_data => get_caller_private_data
+- */
+- registered_msg = priv;
+-
+- deliver_msg_to_tfm_spe(priv);
+-}
+-
+-/* RPC reply() callback */
+-static void service_reply(const void *priv, int32_t ret)
+-{
+- send_service_reply_to_non_secure(ret, (void*)priv);
+-}
+-
+-/* RPC get_caller_data() callback */
+-static const void *get_caller_private_data(int32_t client_id)
+-{
+- if (!registered_msg) {
+- SPMLOG_ERRMSG("FATAL_ERROR: Map pointer cannot be NULL.\r\n");
+- SPM_ASSERT(0);
+- }
+-
+- return registered_msg;
+-}
+-
+-/* Openamp specific operations callback for TF-M RPC */
+-static const struct tfm_rpc_ops_t openamp_rpc_ops = {
+- .handle_req = tfm_to_openamp_notify, /* notify openamp for pendsv/irq
+- * received from the non-secure */
+- .reply = service_reply,
+- .get_caller_data = get_caller_private_data,
+-};
+-
+-void notify_request_from_openamp(void)
+-{
+- int32_t ret;
+-
+- ret = tfm_hal_notify_peer();
+- if (ret) {
+- SPMLOG_ERRMSGVAL("tfm_hal_notify_peer failed ", ret);
+- }
+- return;
+-}
+-
+-/* Openmap initialization */
+-static int32_t tfm_spe_openamp_lib_init(void)
+-{
+- int32_t ret;
+-
+- ret = tfm_dual_core_hal_init();
+- if (ret) {
+- SPMLOG_ERRMSGVAL("tfm_dual_core_hal_init failed ", ret);
+- return OPENAMP_INIT_ERROR;
+- }
+-
+- ret = tfm_to_openamp_init(callback_from_openamp,
+- notify_request_from_openamp);
+- if (ret) {
+- SPMLOG_ERRMSGVAL("tfm_to_openamp_init failed ", ret);
+- return OPENAMP_INIT_ERROR;
+- }
+-
+- init_dual_core_psa_client_secure_lib();
+-
+- /* Register RPC callbacks */
+- ret = tfm_rpc_register_ops(&openamp_rpc_ops);
+- if (ret) {
+- SPMLOG_ERRMSGVAL("tfm_rpc_register_ops failed ", ret);
+- return OPENAMP_CALLBACK_REG_ERROR;
+- }
+-
+- SPMLOG_INFMSG("tfm_spe_openamp_lib_init initialized success.\r\n");
+- return OPENAMP_SUCCESS;
+-}
+-
+-int32_t tfm_inter_core_comm_init(void)
+-{
+- if (tfm_spe_openamp_lib_init()) {
+- return TFM_PLAT_ERR_SYSTEM_ERR;
+- }
+-
+- return TFM_PLAT_ERR_SUCCESS;
+-}
+diff --git a/platform/ext/target/arm/corstone1000/openamp/tfm_spe_openamp_platform_interface.h b/platform/ext/target/arm/corstone1000/openamp/tfm_spe_openamp_platform_interface.h
+deleted file mode 100644
+index 4c720b731..000000000
+--- a/platform/ext/target/arm/corstone1000/openamp/tfm_spe_openamp_platform_interface.h
++++ /dev/null
+@@ -1,31 +0,0 @@
+-/*
+- * Copyright (c) 2021, Arm Limited. All rights reserved.
+- *
+- * SPDX-License-Identifier: BSD-3-Clause
+- *
+- */
+-
+-#ifndef __TFM_SPE_OPENAMP_PLATFORM_INTERFACE_H__
+-#define __TFM_SPE_OPENAMP_PLATFORM_INTERFACE_H__
+-
+-#include "tfm_openamp_lib.h"
+-#include "tfm_plat_defs.h"
+-
+-/**
+- * \brief Platform specific initialization of SPE openamp.
+- *
+- * \retval TFM_PLAT_ERR_SUCCESS Operation succeeded.
+- * \retval Other return code Operation failed with an error code.
+- */
+-enum tfm_plat_err_t tfm_dual_core_hal_init(void);
+-
+-/**
+- * \brief Notify NSPE that a PSA client call return result is replied.
+- * Implemented by platform specific inter-processor communication driver.
+- *
+- * \retval TFM_PLAT_ERR_SUCCESS The notification is successfully sent out.
+- * \retval Other return code Operation failed with an error code.
+- */
+-enum tfm_plat_err_t tfm_hal_notify_peer(void);
+-
+-#endif /* __TFM_SPE_OPENAMP_PLATFORM_INTERFACE_H__ */
+diff --git a/platform/ext/target/arm/corstone1000/openamp/tfm_spe_psa_client_lib_unordered_map.c b/platform/ext/target/arm/corstone1000/openamp/tfm_spe_psa_client_lib_unordered_map.c
+deleted file mode 100644
+index 007a675bd..000000000
+--- a/platform/ext/target/arm/corstone1000/openamp/tfm_spe_psa_client_lib_unordered_map.c
++++ /dev/null
+@@ -1,151 +0,0 @@
+-/*
+- * Copyright (c) 2021, Arm Limited. All rights reserved.
+- *
+- * SPDX-License-Identifier: BSD-3-Clause
+- *
+- */
+-
+-#include "tfm_spe_psa_client_lib_unordered_map.h"
+-#include "utilities.h"
+-#include "tfm_spe_openamp_interface.h"
+-#include "tfm_spe_shm_openamp.h"
+-#include <stdbool.h>
+-#include <stddef.h>
+-#include <string.h>
+-
+-/*
+- * SPE map where tf-m copies the psa_client parameters
+- * from non-secure memory to its local secure memory.
+- */
+-typedef struct unordered_map {
+- /*
+- * Aligned with TFM_MAX_MESSAGES. A more sophisticated approach is
+- * required if the intent is to increase TFM_MAX_MESSAGES beyond
+- * 32 bits.
+- */
+- uint32_t busy_slots; /* protected by a spinlock */
+- unordered_map_entry_t map[TFM_MAX_MESSAGES];
+-} unordered_map_t;
+-
+-
+-/*
+- * TF-M secure memory map: the parameters are copied to secure memory
+- * from openamp non-secure memory. This is to avoid TOCTOU attack.
+- */
+-static unordered_map_t psa_client_lib_map_;
+-
+-static inline int find_first_unset_bit(uint32_t n)
+-{
+- int index = -1;
+- n = ~n & (n+1);
+- while(n>0) {
+- n >>= 1;
+- index++;
+- }
+- return index;
+-}
+-
+-static inline bool is_map_full(unordered_map_t *m)
+-{
+- return (~(m->busy_slots) == 0);
+-}
+-
+-static inline void set_bit(uint32_t *n, int index)
+-{
+- *n = (*n | (1 << index));
+-}
+-
+-static inline bool is_bit_set(uint32_t n, int index)
+-{
+- return ((n & (1 << index)) != 0);
+-}
+-
+-static inline void unset_bit(uint32_t *n, int index)
+-{
+- uint32_t mask = 0;
+- mask |= (1 << index);
+- *n = (*n & ~mask);
+-}
+-
+-void unordered_map_init(void)
+-{
+- tfm_to_openamp_spe_map_spinlock_acquire();
+- psa_client_lib_map_.busy_slots = 0;
+- tfm_to_openamp_spe_map_spinlock_release();
+-}
+-
+-static int32_t alloc_map_entry(unordered_map_handle_t *handle)
+-{
+- int32_t ret;
+- tfm_to_openamp_spe_map_spinlock_acquire();
+- do {
+- if (is_map_full(&psa_client_lib_map_)) {
+- ret = OPENAMP_MAP_FULL;
+- break;
+- }
+- *handle = find_first_unset_bit(psa_client_lib_map_.busy_slots);
+- set_bit(&psa_client_lib_map_.busy_slots, *handle);
+- ret = OPENAMP_SUCCESS;
+- } while (0);
+- tfm_to_openamp_spe_map_spinlock_release();
+- return ret;
+-}
+-
+-int32_t unordered_map_insert(const ns_openamp_msg_t *ns_msg, const void *in,
+- unordered_map_handle_t *handle)
+-{
+- int32_t ret;
+-
+- ret = alloc_map_entry(handle);
+- if (ret) {
+- return ret;
+- }
+-
+- memcpy(&psa_client_lib_map_.map[*handle].msg, ns_msg,
+- sizeof(ns_openamp_msg_t));
+-
+- psa_client_lib_map_.map[*handle].input_buffer = in;
+- psa_client_lib_map_.map[*handle].output_buffer = NULL;
+- psa_client_lib_map_.map[*handle].output_buffer_len = 0;
+- psa_client_lib_map_.map[*handle].is_input_buffer_hold = false;
+- psa_client_lib_map_.map[*handle].is_output_buffer = false;
+-
+- psa_client_lib_map_.map[*handle].handle = *handle;
+-
+- return OPENAMP_SUCCESS;
+-}
+-
+-void unordered_map_free(unordered_map_handle_t handle)
+-{
+- if (handle >= TFM_MAX_MESSAGES || handle < 0) {
+- return;
+- }
+- spm_memset(&psa_client_lib_map_.map[handle], 0,
+- sizeof(unordered_map_entry_t));
+-
+- tfm_to_openamp_spe_map_spinlock_acquire();
+- unset_bit(&psa_client_lib_map_.busy_slots, handle);
+- tfm_to_openamp_spe_map_spinlock_release();
+-}
+-
+-unordered_map_entry_t* unordered_map_get_entry_ptr(unordered_map_handle_t handle)
+-{
+- if (handle >= TFM_MAX_MESSAGES || handle < 0) {
+- return NULL;
+- }
+- if (!is_bit_set(psa_client_lib_map_.busy_slots, handle)) {
+- return NULL;
+- }
+- return &psa_client_lib_map_.map[handle];
+-}
+-
+-unordered_map_handle_t unordered_map_get_entry_handle(
+- const unordered_map_entry_t *ptr)
+-{
+- if (!ptr) {
+- return INVALID_MAP_HANDLE;
+- }
+-
+- return ptr->handle;
+-}
+-
+diff --git a/platform/ext/target/arm/corstone1000/openamp/tfm_spe_psa_client_lib_unordered_map.h b/platform/ext/target/arm/corstone1000/openamp/tfm_spe_psa_client_lib_unordered_map.h
+deleted file mode 100644
+index 1d094133b..000000000
+--- a/platform/ext/target/arm/corstone1000/openamp/tfm_spe_psa_client_lib_unordered_map.h
++++ /dev/null
+@@ -1,50 +0,0 @@
+-/*
+- * Copyright (c) 2021, Arm Limited. All rights reserved.
+- *
+- * SPDX-License-Identifier: BSD-3-Clause
+- *
+- */
+-
+-#ifndef __TFM_SPE_PSA_CLIENT_LIB_UNORDERED_MAP_H__
+-#define __TFM_SPE_PSA_CLIENT_LIB_UNORDERED_MAP_H__
+-
+-#include <stdbool.h>
+-#include "tfm_openamp_lib.h"
+-
+-/* 16 bits are sufficient to store the handle. Also
+- * choosing 16bits allow for better packing inside
+- * the struct unordered_map_entry_t.
+- */
+-typedef int16_t unordered_map_handle_t;
+-#define INVALID_MAP_HANDLE -1
+-
+-/* An entry structure of map data structure */
+-typedef struct unordered_map_entry {
+- ns_openamp_msg_t msg;
+- const void *input_buffer;
+- void *output_buffer;
+- size_t output_buffer_len;
+- unordered_map_handle_t handle; /* entry handle */
+- bool is_input_buffer_hold; /* true when input buffer is held */
+- bool is_output_buffer; /* true when output buffer is preallocated */
+-} unordered_map_entry_t;
+-
+-/* Initialize the map data structure */
+-void unordered_map_init(void);
+-
+-/* Insert entry into the map and return a handle to the entry */
+-int32_t unordered_map_insert(const ns_openamp_msg_t *msg, const void *in,
+- unordered_map_handle_t *handle);
+-
+-/* Free respective entry into the map represented by the handle */
+-void unordered_map_free(unordered_map_handle_t handle);
+-
+-/* Using a handle return the memory pointer of the entry */
+-unordered_map_entry_t* unordered_map_get_entry_ptr(
+- unordered_map_handle_t handle);
+-
+-/* Using a entry memory location, return respective handle */
+-unordered_map_handle_t unordered_map_get_entry_handle(
+- const unordered_map_entry_t *ptr);
+-
+-#endif /* __TFM_SPE_PSA_CLIENT_LIB_UNORDERED_MAP_H__ */
+diff --git a/platform/ext/target/arm/corstone1000/openamp/tfm_spe_shm_openamp.h b/platform/ext/target/arm/corstone1000/openamp/tfm_spe_shm_openamp.h
+deleted file mode 100644
+index 6e8cde8f4..000000000
+--- a/platform/ext/target/arm/corstone1000/openamp/tfm_spe_shm_openamp.h
++++ /dev/null
+@@ -1,39 +0,0 @@
+-/*
+- * Copyright (c) 2020 Linaro Limited
+- *
+- * Copyright (c) 2021, Arm Limited. All rights reserved.
+- *
+- * SPDX-License-Identifier: BSD-3-Clause
+- *
+- */
+-
+-#ifndef TFM_SPE_SHM_OPEN_AMP_H_
+-#define TFM_SPE_SHM_OPEN_AMP_H_
+-
+-#include "region_defs.h"
+-
+-#define VDEV_STATUS_ADDR (OPENAMP_SE_SHARED_MEMORY_START_ADDR)
+-#define VDEV_STATUS_SIZE (0x1000) // 4 KB
+-#define SHM_START_VIRT_ADDR (OPENAMP_SE_SHARED_MEMORY_START_ADDR + VDEV_STATUS_SIZE)
+-#define SHM_START_PHY_ADDR (OPENAMP_HOST_SHARED_MEMORY_START_ADDR + VDEV_STATUS_SIZE)
+-#define SHM_SIZE OPENAMP_SHARED_MEMORY_SIZE - VDEV_STATUS_SIZE
+-#define SHM_DEVICE_NAME "cvm.shm"
+-
+-#define VRING_COUNT 2
+-#define VRING_MEM_SIZE (0x1000) // 4 KB
+-#define VRING_TX_ADDRESS (SHM_START_VIRT_ADDR + SHM_SIZE - VRING_MEM_SIZE)
+-#define VRING_RX_ADDRESS (SHM_START_VIRT_ADDR + SHM_SIZE - (2 * VRING_MEM_SIZE))
+-#define VRING_ALIGNMENT 4
+-#define VRING_SIZE 16
+-
+-/*
+- * The tf-m can only accept MAX_MESSAGES at a given time.
+- * The Host should set RPMSG_BUFFER_SIZE accrodingly
+- * such that tf-m does not recieve more than
+- * TFM_MAX_MESSAGES messages.
+- * Changing this macro DOES NOT increase TF-M capabilities
+- * to handle more messages.
+- */
+-#define TFM_MAX_MESSAGES (32)
+-
+-#endif /* TFM_SPE_SHM_OPEN_AMP_H_ */
+diff --git a/platform/ext/target/arm/corstone1000/partition/region_defs.h b/platform/ext/target/arm/corstone1000/partition/region_defs.h
+index 64ab786e5..a80b07737 100644
+--- a/platform/ext/target/arm/corstone1000/partition/region_defs.h
++++ b/platform/ext/target/arm/corstone1000/partition/region_defs.h
+@@ -59,13 +59,13 @@
+ #define S_DATA_LIMIT (S_DATA_START + S_DATA_SIZE - 1)
+ #define S_DATA_PRIV_START (S_DATA_START + S_UNPRIV_DATA_SIZE)
+
+-/* OpenAMP shared memory region */
+-#define OPENAMP_SE_SHARED_MEMORY_START_ADDR 0xA8000000
+-#define OPENAMP_HOST_SHARED_MEMORY_START_ADDR 0x88000000
+-#define OPENAMP_SHARED_MEMORY_SIZE (1024 * 1024) /* 1MB */
++/* Shared memory region */
++#define INTER_PROCESSOR_SE_SHARED_MEMORY_START_ADDR 0xA8000000
++#define INTER_PROCESSOR_HOST_SHARED_MEMORY_START_ADDR 0x88000000
++#define INTER_PROCESSOR_SHARED_MEMORY_SIZE (1024 * 1024) /* 1MB */
+
+-#define NS_DATA_START OPENAMP_SE_SHARED_MEMORY_START_ADDR
+-#define NS_DATA_SIZE OPENAMP_SHARED_MEMORY_SIZE
++#define NS_DATA_START INTER_PROCESSOR_SE_SHARED_MEMORY_START_ADDR
++#define NS_DATA_SIZE INTER_PROCESSOR_SHARED_MEMORY_SIZE
+
+ #define S_CODE_VECTOR_TABLE_SIZE (0xc0)
+
+diff --git a/platform/ext/target/arm/corstone1000/rse_comms/CMakeLists.txt b/platform/ext/target/arm/corstone1000/rse_comms/CMakeLists.txt
+new file mode 100644
+index 000000000..7c4bc0fef
+--- /dev/null
++++ b/platform/ext/target/arm/corstone1000/rse_comms/CMakeLists.txt
+@@ -0,0 +1,34 @@
++#-------------------------------------------------------------------------------
++# Copyright (c) 2022-2024, Arm Limited. All rights reserved.
++#
++# SPDX-License-Identifier: BSD-3-Clause
++#
++#-------------------------------------------------------------------------------
++
++target_include_directories(platform_s
++ PUBLIC
++ .
++)
++
++target_sources(platform_s
++ PRIVATE
++ rse_comms.c
++ rse_comms_hal.c
++ rse_comms_queue.c
++ rse_comms_protocol.c
++ rse_comms_protocol_embed.c
++)
++
++target_compile_definitions(platform_s
++ PRIVATE
++ RSE_COMMS_MAX_CONCURRENT_REQ=1
++ RSE_COMMS_PROTOCOL_EMBED_ENABLED
++ $<$<BOOL:${CONFIG_TFM_HALT_ON_CORE_PANIC}>:CONFIG_TFM_HALT_ON_CORE_PANIC>
++)
++
++# For spm_log_msgval
++target_link_libraries(platform_s
++ PRIVATE
++ tfm_spm
++ tfm_sprt
++)
+diff --git a/platform/ext/target/arm/corstone1000/rse_comms/rse_comms.c b/platform/ext/target/arm/corstone1000/rse_comms/rse_comms.c
+new file mode 100644
+index 000000000..df2b6bffa
+--- /dev/null
++++ b/platform/ext/target/arm/corstone1000/rse_comms/rse_comms.c
+@@ -0,0 +1,176 @@
++/*
++ * Copyright (c) 2022-2024, Arm Limited. All rights reserved.
++ * Copyright (c) 2023 Cypress Semiconductor Corporation (an Infineon company)
++ * or an affiliate of Cypress Semiconductor Corporation. All rights reserved.
++ *
++ * SPDX-License-Identifier: BSD-3-Clause
++ *
++ */
++
++#include "rse_comms.h"
++
++#include <stddef.h>
++#include <stdint.h>
++
++#include "rse_comms_hal.h"
++#include "rse_comms_queue.h"
++#include "tfm_rpc.h"
++#include "tfm_multi_core.h"
++#include "tfm_hal_multi_core.h"
++#include "tfm_psa_call_pack.h"
++#include "tfm_spm_log.h"
++#include "rse_comms_permissions_hal.h"
++
++static struct client_request_t *req_to_process;
++
++static psa_status_t message_dispatch(struct client_request_t *req)
++{
++ int32_t client_id;
++ enum tfm_plat_err_t plat_err;
++
++ /* Create the call parameters */
++ struct client_params_t params = {
++ .p_invecs = req->in_vec,
++ .p_outvecs = req->out_vec,
++ };
++
++ SPMLOG_DBGMSG("[RSE-COMMS] Dispatching message\r\n");
++ SPMLOG_DBGMSGVAL("handle=", req->handle);
++ SPMLOG_DBGMSGVAL("type=", req->type);
++ SPMLOG_DBGMSGVAL("in_len=", req->in_len);
++ SPMLOG_DBGMSGVAL("out_len=", req->out_len);
++ if (req->in_len > 0) {
++ SPMLOG_DBGMSGVAL("in_vec[0].len=", req->in_vec[0].len);
++ }
++ if (req->in_len > 1) {
++ SPMLOG_DBGMSGVAL("in_vec[1].len=", req->in_vec[1].len);
++ }
++ if (req->in_len > 2) {
++ SPMLOG_DBGMSGVAL("in_vec[2].len=", req->in_vec[2].len);
++ }
++ if (req->in_len > 3) {
++ SPMLOG_DBGMSGVAL("in_vec[3].len=", req->in_vec[3].len);
++ }
++ if (req->out_len > 0) {
++ SPMLOG_DBGMSGVAL("out_vec[0].len=", req->out_vec[0].len);
++ }
++ if (req->out_len > 1) {
++ SPMLOG_DBGMSGVAL("out_vec[1].len=", req->out_vec[1].len);
++ }
++ if (req->out_len > 2) {
++ SPMLOG_DBGMSGVAL("out_vec[2].len=", req->out_vec[2].len);
++ }
++ if (req->out_len > 3) {
++ SPMLOG_DBGMSGVAL("out_vec[3].len=", req->out_vec[3].len);
++ }
++
++ plat_err = comms_permissions_service_check(req->handle,
++ req->in_vec,
++ req->in_len,
++ req->type);
++ if (plat_err != TFM_PLAT_ERR_SUCCESS) {
++ SPMLOG_ERRMSG("[RSE-COMMS] Call not permitted\r\n");
++ return PSA_ERROR_NOT_PERMITTED;
++ }
++
++ client_id = tfm_hal_client_id_translate(req->mhu_sender_dev,
++ (int32_t)(req->client_id));
++ if (client_id >= 0) {
++ SPMLOG_ERRMSGVAL("[RSE-COMMS] Invalid client_id: ",
++ (uint32_t)(req->client_id));
++ return PSA_ERROR_INVALID_ARGUMENT;
++ }
++ params.ns_client_id_stateless = client_id;
++
++ return tfm_rpc_psa_call(req->handle,
++ PARAM_PACK(req->type,
++ req->in_len,
++ req->out_len),
++ &params,
++ NULL);
++}
++
++static void rse_comms_reply(const void *owner, int32_t ret)
++{
++ struct client_request_t *req = (struct client_request_t *)owner;
++
++ req->return_val = ret;
++
++ SPMLOG_DBGMSG("[RSE-COMMS] Sending reply\r\n");
++ SPMLOG_DBGMSGVAL("protocol_ver=", req->protocol_ver);
++ SPMLOG_DBGMSGVAL("seq_num=", req->seq_num);
++ SPMLOG_DBGMSGVAL("client_id=", req->client_id);
++ SPMLOG_DBGMSGVAL("return_val=", req->return_val);
++ SPMLOG_DBGMSGVAL("out_vec[0].len=", req->out_vec[0].len);
++ SPMLOG_DBGMSGVAL("out_vec[1].len=", req->out_vec[1].len);
++ SPMLOG_DBGMSGVAL("out_vec[2].len=", req->out_vec[2].len);
++ SPMLOG_DBGMSGVAL("out_vec[3].len=", req->out_vec[3].len);
++
++ if (tfm_multi_core_hal_reply(req) != TFM_PLAT_ERR_SUCCESS) {
++ SPMLOG_DBGMSG("[RSE-COMMS] Sending reply failed!\r\n");
++ }
++}
++
++static void rse_comms_handle_req(void)
++{
++ psa_status_t status;
++ void *queue_entry;
++
++ /* FIXME: consider memory limitations that may prevent dispatching all
++ * messages in one go.
++ */
++ while (queue_dequeue(&queue_entry) == 0) {
++ /* Deliver PSA Client call request to handler in SPM. */
++ req_to_process = queue_entry;
++ status = message_dispatch(req_to_process);
++#if CONFIG_TFM_SPM_BACKEND_IPC == 1
++ /*
++ * If status == PSA_SUCCESS, peer will be replied when mailbox agent
++ * partition receives a 'ASYNC_MSG_REPLY' signal from the requested
++ * service partition.
++ * If status != PSA_SUCCESS, the service call has been finished.
++ * Reply to the peer directly.
++ */
++ if (status != PSA_SUCCESS) {
++ SPMLOG_DBGMSGVAL("[RSE-COMMS] Message dispatch failed: ", status);
++ rse_comms_reply(req_to_process, status);
++ }
++#else
++ /* In SFN model, the service call has been finished. Reply to the peer directly. */
++ rse_comms_reply(req_to_process, status);
++#endif
++ }
++}
++
++static const void *rss_comms_get_caller_data(int32_t client_id)
++{
++ (void)client_id;
++
++ return req_to_process;
++}
++
++static struct tfm_rpc_ops_t rpc_ops = {
++ .handle_req = rse_comms_handle_req,
++ .reply = rse_comms_reply,
++ .get_caller_data = rss_comms_get_caller_data,
++};
++
++int32_t tfm_inter_core_comm_init(void)
++{
++ int32_t ret;
++
++ /* Register RPC callbacks */
++ ret = tfm_rpc_register_ops(&rpc_ops);
++ if (ret != TFM_RPC_SUCCESS) {
++ return ret;
++ }
++
++ /* Platform specific initialization */
++ ret = tfm_multi_core_hal_init();
++ if (ret != TFM_PLAT_ERR_SUCCESS) {
++ tfm_rpc_unregister_ops();
++ return ret;
++ }
++
++ return TFM_RPC_SUCCESS;
++}
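Review bot: `rpc_ops` near the end of the file is declared as a writable `static struct tfm_rpc_ops_t`, whereas the openamp implementation this patch deletes registered a `static const struct tfm_rpc_ops_t` through the same `tfm_rpc_register_ops()`; a table of function pointers the SPM invokes on every request belongs in read-only memory, so `static const struct tfm_rpc_ops_t rpc_ops = {` keeps it out of RAM that a memory-corruption bug could rewrite. `rss_comms_get_caller_data` is the only `rss_`-prefixed identifier in a file that is otherwise `rse_`; renaming it `rse_comms_get_caller_data` in both its definition and the `.get_caller_data` initialiser removes the stray legacy name. `tfm_inter_core_comm_init()` also returns `TFM_RPC_SUCCESS` on success but passes through an `enum tfm_plat_err_t` value from `tfm_multi_core_hal_init()` on failure, so callers see two error domains from one function; either mapping the platform error to an RPC error or a comment on the return contract would make this explicit.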
+diff --git a/platform/ext/target/arm/corstone1000/rse_comms/rse_comms.h b/platform/ext/target/arm/corstone1000/rse_comms/rse_comms.h
+new file mode 100644
+index 000000000..6d79dd3bf
+--- /dev/null
++++ b/platform/ext/target/arm/corstone1000/rse_comms/rse_comms.h
+@@ -0,0 +1,48 @@
++/*
++ * Copyright (c) 2022-2024, Arm Limited. All rights reserved.
++ *
++ * SPDX-License-Identifier: BSD-3-Clause
++ *
++ */
++
++#ifndef __RSE_COMMS_H__
++#define __RSE_COMMS_H__
++
++#include "psa/client.h"
++#include "cmsis_compiler.h"
++
++#ifdef __cplusplus
++extern "C" {
++#endif
++
++ /* size suits to fit the largest message too (EFI variables) */
++#define RSE_COMMS_PAYLOAD_MAX_SIZE (0x2100)
++
++/*
++ * Allocated for each client request.
++ *
++ * TODO: Sizing of payload_buf, this should be platform dependent:
++ * - sum in_vec size
++ * - sum out_vec size
++ */
++struct client_request_t {
++ void *mhu_sender_dev; /* Pointer to MHU sender device to reply on */
++ uint8_t protocol_ver;
++ uint8_t seq_num;
++ uint16_t client_id;
++ psa_handle_t handle;
++ int32_t type;
++ uint32_t in_len;
++ uint32_t out_len;
++ psa_invec in_vec[PSA_MAX_IOVEC];
++ psa_outvec out_vec[PSA_MAX_IOVEC];
++ int32_t return_val;
++ uint64_t out_vec_host_addr[PSA_MAX_IOVEC];
++ uint8_t param_copy_buf[RSE_COMMS_PAYLOAD_MAX_SIZE];
++};
++
++#ifdef __cplusplus
++}
++#endif
++
++#endif /* __RSE_COMMS_H__ */
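Review bot: The block comment above `struct client_request_t` talks about sizing `payload_buf`, but the member it describes is `param_copy_buf`; it should name the real field, e.g. ` * TODO: Sizing of param_copy_buf, this should be platform dependent:`. The `/* size suits to fit the largest message too (EFI variables) */` comment above `RSE_COMMS_PAYLOAD_MAX_SIZE` is indented by one space while every other line in the header is flush left. Since `param_copy_buf` is 0x2100 bytes per request and rse_comms_hal.c pools `RSE_COMMS_MAX_CONCURRENT_REQ` of these structs statically, a one-line comment noting that this define directly drives the static memory footprint would help whoever tunes it.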
+diff --git a/platform/ext/target/arm/corstone1000/rse_comms/rse_comms_hal.c b/platform/ext/target/arm/corstone1000/rse_comms/rse_comms_hal.c
+new file mode 100644
+index 000000000..ef6fb9e02
+--- /dev/null
++++ b/platform/ext/target/arm/corstone1000/rse_comms/rse_comms_hal.c
+@@ -0,0 +1,232 @@
++/*
++ * Copyright (c) 2022-2024, Arm Limited. All rights reserved.
++ *
++ * SPDX-License-Identifier: BSD-3-Clause
++ *
++ */
++
++#include "rse_comms_hal.h"
++
++#include "rse_comms.h"
++#include "rse_comms_queue.h"
++#include "mhu.h"
++#include "cmsis.h"
++#include "device_definition.h"
++#include "tfm_peripherals_def.h"
++#include "tfm_spm_log.h"
++#include "tfm_pools.h"
++#include "rse_comms_protocol.h"
++#include <string.h>
++
++/* Declared statically to avoid using huge amounts of stack space. Maybe revisit
++ * if functions not being reentrant becomes a problem.
++ */
++static __ALIGNED(4) struct serialized_psa_msg_t msg;
++static __ALIGNED(4) struct serialized_psa_reply_t reply;
++
++/* The 32bit client ID is constructed as following:
++ * bit31: always 1
++ * bit30~bit16: client source identifier.
++ 0x0000 First mailbox agent client(MHU) (by default)
++ 0x1000 Second mailbox agent client(MHU)
++ ...
++ * bit15~bit0: client input client ID
++ */
++#define CLIENT_ID_USER_INPUT_OFFSET (0)
++#define CLIENT_ID_USER_INPUT_MASK (0xFFFFUL << CLIENT_ID_USER_INPUT_OFFSET)
++
++#define CLIENT_ID_MHU_BASE_OFFSET (16)
++#define CLIENT_ID_MHU_BASE_MASK (0x7FFFUL << CLIENT_ID_MHU_BASE_OFFSET)
++
++#define NS_CLIENT_ID_FLAG_OFFSET (31)
++#define NS_CLIENT_ID_FLAG_MASK (0x1UL << NS_CLIENT_ID_FLAG_OFFSET)
++
++/* MHU for RSE <> AP_MONITOR communication */
++#ifndef MHU0_CLIENT_ID_BASE
++#define MHU0_CLIENT_ID_BASE (0x0000UL << CLIENT_ID_MHU_BASE_OFFSET)
++#endif
++
++#ifdef MHU_RSE_TO_AP_NS
++/* MHU for RSE <> AP_NS communication */
++#ifndef MHU1_CLIENT_ID_BASE
++#define MHU1_CLIENT_ID_BASE (0x1000UL << CLIENT_ID_MHU_BASE_OFFSET)
++#endif
++#endif /* MHU_RSE_TO_AP_NS */
++
++TFM_POOL_DECLARE(req_pool, sizeof(struct client_request_t),
++ RSE_COMMS_MAX_CONCURRENT_REQ);
++
++static enum tfm_plat_err_t initialize_mhu(void)
++{
++ enum mhu_error_t err;
++
++ err = mhu_init_sender(&MHU1_SE_TO_HOST_DEV);
++ if (err != MHU_ERR_NONE) {
++ SPMLOG_ERRMSGVAL("[COMMS] RSE to AP_MONITOR MHU driver init failed: ",
++ err);
++ return TFM_PLAT_ERR_SYSTEM_ERR;
++ }
++
++ err = mhu_init_receiver(&MHU1_HOST_TO_SE_DEV);
++ if (err != MHU_ERR_NONE) {
++ SPMLOG_ERRMSGVAL("[COMMS] AP_MONITOR to RSE MHU driver init failed: ",
++ err);
++ return TFM_PLAT_ERR_SYSTEM_ERR;
++ }
++
++#ifdef MHU_RSE_TO_AP_NS
++ err = mhu_init_sender(&MHU_RSE_TO_AP_NS_DEV);
++ if (err != MHU_ERR_NONE) {
++ SPMLOG_ERRMSGVAL("[COMMS] RSE to AP_NS MHU driver init failed: ", err);
++ return TFM_PLAT_ERR_SYSTEM_ERR;
++ }
++
++ err = mhu_init_receiver(&MHU_AP_NS_TO_RSE_DEV);
++ if (err != MHU_ERR_NONE) {
++ SPMLOG_ERRMSGVAL("[COMMS] AP_NS to RSE MHU driver init failed: ", err);
++ return TFM_PLAT_ERR_SYSTEM_ERR;
++ }
++#endif /* MHU_RSE_TO_AP_NS */
++
++ SPMLOG_DBGMSG("[COMMS] MHU driver initialized successfully.\r\n");
++ return TFM_PLAT_ERR_SUCCESS;
++}
++
++enum tfm_plat_err_t tfm_multi_core_hal_receive(void *mhu_receiver_dev,
++ void *mhu_sender_dev,
++ uint32_t source)
++{
++ enum mhu_error_t mhu_err;
++ enum tfm_plat_err_t err;
++ size_t msg_len = sizeof(msg);
++ size_t reply_size;
++
++ memset(&msg, 0, sizeof(msg));
++ memset(&reply, 0, sizeof(reply));
++
++ /* Receive complete message */
++ mhu_err = mhu_receive_data(mhu_receiver_dev, (uint8_t *)&msg, &msg_len);
++
++ /* Clear the pending interrupt for this MHU. This prevents the mailbox
++ * interrupt handler from being called without the next request arriving
++ * through the mailbox
++ */
++ NVIC_ClearPendingIRQ(source);
++
++ if (mhu_err != MHU_ERR_NONE) {
++ SPMLOG_DBGMSGVAL("[COMMS] MHU receive failed: ", mhu_err);
++ /* Can't respond, since we don't know anything about the message */
++ return TFM_PLAT_ERR_SYSTEM_ERR;
++ }
++
++ SPMLOG_DBGMSG("[COMMS] Received message\r\n");
++ SPMLOG_DBGMSGVAL("[COMMS] size=", msg_len);
++ SPMLOG_DBGMSGVAL("[COMMS] seq_num=", msg.header.seq_num);
++
++ struct client_request_t *req = tfm_pool_alloc(req_pool);
++ if (!req) {
++ /* No free capacity, drop message */
++ err = TFM_PLAT_ERR_SYSTEM_ERR;
++ goto out_return_err;
++ }
++ memset(req, 0, sizeof(struct client_request_t));
++
++ /* Record the MHU sender device to be used for the reply */
++ req->mhu_sender_dev = mhu_sender_dev;
++
++ err = rse_protocol_deserialize_msg(req, &msg, msg_len);
++ if (err != TFM_PLAT_ERR_SUCCESS) {
++ /* Deserialisation failed, drop message */
++ SPMLOG_DBGMSGVAL("[COMMS] Deserialize message failed: ", err);
++ goto out_return_err;
++ }
++
++ if (queue_enqueue(req) != 0) {
++ /* No queue capacity, drop message */
++ err = TFM_PLAT_ERR_SYSTEM_ERR;
++ goto out_return_err;
++ }
++
++ /* Message successfully received */
++ return TFM_PLAT_ERR_SUCCESS;
++
++out_return_err:
++ /* Attempt to respond with a failure message */
++ if (rse_protocol_serialize_error(req, &msg.header,
++ PSA_ERROR_CONNECTION_BUSY,
++ &reply, &reply_size)
++ == TFM_PLAT_ERR_SUCCESS) {
++ mhu_send_data(mhu_sender_dev, (uint8_t *)&reply, reply_size);
++ }
++
++ if (req) {
++ tfm_pool_free(req_pool, req);
++ }
++
++ return err;
++}
++
++enum tfm_plat_err_t tfm_multi_core_hal_reply(struct client_request_t *req)
++{
++ enum tfm_plat_err_t err;
++ enum mhu_error_t mhu_err;
++ size_t reply_size;
++
++ /* This function is called by the mailbox partition with Thread priority, so
++ * MHU interrupts must be disabled to prevent concurrent accesses by
++ * tfm_multi_core_hal_receive().
++ */
++ NVIC_DisableIRQ(MAILBOX_IRQ);
++
++ if (!is_valid_chunk_data_in_pool(req_pool, (uint8_t *)req)) {
++ err = TFM_PLAT_ERR_SYSTEM_ERR;
++ goto out;
++ }
++
++ err = rse_protocol_serialize_reply(req, &reply, &reply_size);
++ if (err != TFM_PLAT_ERR_SUCCESS) {
++ SPMLOG_DBGMSGVAL("[COMMS] Serialize reply failed: ", err);
++ goto out_free_req;
++ }
++
++ mhu_err = mhu_send_data(req->mhu_sender_dev, (uint8_t *)&reply, reply_size);
++ if (mhu_err != MHU_ERR_NONE) {
++ SPMLOG_DBGMSGVAL("[COMMS] MHU send failed: ", mhu_err);
++ err = TFM_PLAT_ERR_SYSTEM_ERR;
++ goto out_free_req;
++ }
++
++ SPMLOG_DBGMSG("[COMMS] Sent reply\r\n");
++
++out_free_req:
++ tfm_pool_free(req_pool, req);
++out:
++ NVIC_EnableIRQ(MAILBOX_IRQ);
++ return err;
++}
++
++enum tfm_plat_err_t tfm_multi_core_hal_init(void)
++{
++ int32_t spm_err;
++
++ spm_err = tfm_pool_init(req_pool, POOL_BUFFER_SIZE(req_pool),
++ sizeof(struct client_request_t),
++ RSE_COMMS_MAX_CONCURRENT_REQ);
++ if (spm_err) {
++ return TFM_PLAT_ERR_SYSTEM_ERR;
++ }
++
++ return initialize_mhu();
++}
++
++int32_t tfm_hal_client_id_translate(void *owner, int32_t client_id_in)
++{
++ if ((uintptr_t)owner == (uintptr_t)&MHU1_SE_TO_HOST_DEV) {
++ return ((client_id_in & CLIENT_ID_USER_INPUT_MASK) |
++ (MHU0_CLIENT_ID_BASE & CLIENT_ID_MHU_BASE_MASK) |
++ (NS_CLIENT_ID_FLAG_MASK));
++ } else {
++ SPMLOG_DBGMSG("[COMMS] client_id translation failed: invalid owner\r\n");
++ return 0;
++ }
++}
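Review bot: In `tfm_multi_core_hal_receive()` the `out_return_err` label is reached with `req == NULL` when `tfm_pool_alloc()` fails, and `req` is handed to `rse_protocol_serialize_error()` before the `if (req)` guard; that function's body is not in this chunk, so if it dereferences `req` this is a NULL dereference on a pool-exhaustion path reachable from the non-secure side. Either wrapping the serialize call in the same `if (req)` check, or a comment at the call site stating that `rse_protocol_serialize_error()` must tolerate a NULL `req`, would pin the contract. The log strings in `initialize_mhu()` read "RSE to AP_MONITOR" and "AP_MONITOR to RSE" while the devices initialised are `MHU1_SE_TO_HOST_DEV` and `MHU1_HOST_TO_SE_DEV`, so the messages look carried over from the RSE platform rather than describing this SE/Host pairing. `tfm_hal_client_id_translate()` only recognises `MHU1_SE_TO_HOST_DEV` as owner, so any request arriving through the optional `MHU_RSE_TO_AP_NS` pair that `initialize_mhu()` sets up would always be rejected with client_id 0 — presumably intentional for this platform, but worth a comment on the `else` branch.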
+diff --git a/platform/ext/target/arm/corstone1000/rse_comms/rse_comms_hal.h b/platform/ext/target/arm/corstone1000/rse_comms/rse_comms_hal.h
+new file mode 100644
+index 000000000..c4676cb2e
+--- /dev/null
++++ b/platform/ext/target/arm/corstone1000/rse_comms/rse_comms_hal.h
+@@ -0,0 +1,56 @@
++/*
++ * Copyright (c) 2022-2024, Arm Limited. All rights reserved.
++ *
++ * SPDX-License-Identifier: BSD-3-Clause
++ *
++ */
++
++#ifndef __RSE_COMMS_HAL_H__
++#define __RSE_COMMS_HAL_H__
++
++#include "rse_comms.h"
++#include "tfm_plat_defs.h"
++
++#ifdef __cplusplus
++extern "C" {
++#endif
++
++/**
++ * \brief Platform specific initialization of SPE multi-core.
++ *
++ * \retval TFM_PLAT_ERR_SUCCESS Operation succeeded.
++ * \retval Other return code Operation failed with an error code.
++ */
++enum tfm_plat_err_t tfm_multi_core_hal_init(void);
++
++/**
++ * \brief Receive PSA client call request from NSPE.
++ * Implemented by platform specific inter-processor communication driver.
++ *
++ * \param[in] mhu_receiver_dev Pointer to MHU receiver device on which to read
++ * the message.
++ * \param[in] mhu_sender_dev Pointer to MHU sender device on which to write
++ * the reply.
++ * \param[in] source The number of the IRQ source for this MHU.
++ *
++ * \retval TFM_PLAT_ERR_SUCCESS Operation succeeded.
++ * \retval Other return code Operation failed with an error code.
++ */
++enum tfm_plat_err_t tfm_multi_core_hal_receive(void *mhu_receiver_dev,
++ void *mhu_sender_dev,
++ uint32_t source);
++
++/**
++ * \brief Notify NSPE that a PSA client call return result is replied.
++ * Implemented by platform specific inter-processor communication driver.
++ *
++ * \retval TFM_PLAT_ERR_SUCCESS The notification is successfully sent out.
++ * \retval Other return code Operation failed with an error code.
++ */
++enum tfm_plat_err_t tfm_multi_core_hal_reply(struct client_request_t *req);
++
++#ifdef __cplusplus
++}
++#endif
++
++#endif /* __RSE_COMMS_HAL_H__ */
+diff --git a/platform/ext/target/arm/corstone1000/rse_comms/rse_comms_permissions_hal.h b/platform/ext/target/arm/corstone1000/rse_comms/rse_comms_permissions_hal.h
+new file mode 100644
+index 000000000..5bd0124a6
+--- /dev/null
++++ b/platform/ext/target/arm/corstone1000/rse_comms/rse_comms_permissions_hal.h
+@@ -0,0 +1,58 @@
++/*
++ * Copyright (c) 2022-2024, Arm Limited. All rights reserved.
++ *
++ * SPDX-License-Identifier: BSD-3-Clause
++ *
++ */
++
++#ifndef __RSE_COMMS_PERMISSIONS_HAL_H__
++#define __RSE_COMMS_PERMISSIONS_HAL_H__
++
++#include "psa/client.h"
++#include "tfm_plat_defs.h"
++#include "stdbool.h"
++
++#ifdef __cplusplus
++extern "C" {
++#endif
++
++/**
++ * \brief Check that RSE comms callers have permission to access a memory
++ * buffer.
++ *
++ * \param[in] owner The owner of host memory against which the
++ * memory access is checked (e.g. MHU device).
++ * \param[in] host_ptr Address of the memory region to be accessed.
++ * \param[in] size Size of the memory region to be accessed.
++ * \param[in] is_write True, if the memory access is a write
++ * operation, False otherwise.
++ *
++ * \retval TFM_PLAT_ERR_SUCCESS Caller has permission to access buffer.
++ * \retval Other return code Caller does not have permission, or an error
++ * occurred.
++ */
++enum tfm_plat_err_t comms_permissions_memory_check(void *owner,
++ uint64_t host_ptr,
++ uint32_t size,
++ bool is_write);
++
++/**
++ * \brief Check that RSE comms callers have permission to access a service.
++ *
++ * \note in_vec and in_len are passed in as the Crypto partition encodes which
++ * function is requested in the first in_vec.
++ *
++ * \retval TFM_PLAT_ERR_SUCCESS Caller has permission to access service.
++ * \retval Other return code Caller does not have permission, or an error
++ * occurred.
++ */
++enum tfm_plat_err_t comms_permissions_service_check(psa_handle_t handle,
++ const psa_invec *in_vec,
++ size_t in_len,
++ int32_t type);
++
++#ifdef __cplusplus
++}
++#endif
++
++#endif /* __RSE_COMMS_PERMISSIONS_HAL_H__ */
+diff --git a/platform/ext/target/arm/corstone1000/rse_comms/rse_comms_protocol.c b/platform/ext/target/arm/corstone1000/rse_comms/rse_comms_protocol.c
+new file mode 100644
+index 000000000..94b7995b9
+--- /dev/null
++++ b/platform/ext/target/arm/corstone1000/rse_comms/rse_comms_protocol.c
+@@ -0,0 +1,120 @@
++/*
++ * Copyright (c) 2022-2024, Arm Limited. All rights reserved.
++ *
++ * SPDX-License-Identifier: BSD-3-Clause
++ *
++ */
++
++#include "rse_comms_protocol.h"
++
++#include "tfm_spm_log.h"
++#include <string.h>
++
++enum tfm_plat_err_t rse_protocol_deserialize_msg(
++ struct client_request_t *req, struct serialized_psa_msg_t *msg,
++ size_t msg_len)
++{
++ if (msg_len < sizeof(msg->header)) {
++ return TFM_PLAT_ERR_INVALID_INPUT;
++ }
++
++ req->protocol_ver = msg->header.protocol_ver;
++ req->seq_num = msg->header.seq_num;
++ req->client_id = msg->header.client_id;
++
++ switch (msg->header.protocol_ver) {
++#ifdef RSE_COMMS_PROTOCOL_EMBED_ENABLED
++ case RSE_COMMS_PROTOCOL_EMBED:
++ SPMLOG_DBGMSG("[COMMS] Deserializing as embed message\r\n");
++ return rse_protocol_embed_deserialize_msg(req, &msg->msg.embed,
++ msg_len - sizeof(struct serialized_rse_comms_header_t));
++#endif /* RSE_COMMS_PROTOCOL_EMBED_ENABLED */
++#ifdef RSE_COMMS_PROTOCOL_POINTER_ACCESS_ENABLED
++ case RSE_COMMS_PROTOCOL_POINTER_ACCESS:
++ SPMLOG_DBGMSG("[COMMS] Deserializing as pointer_access message\r\n");
++ return rse_protocol_pointer_access_deserialize_msg(req, &msg->msg.pointer_access,
++ msg_len - sizeof(struct serialized_rse_comms_header_t));
++#endif
++ default:
++ return TFM_PLAT_ERR_UNSUPPORTED;
++ }
++}
++
++enum tfm_plat_err_t rse_protocol_serialize_reply(struct client_request_t *req,
++ struct serialized_psa_reply_t *reply, size_t *reply_size)
++{
++ enum tfm_plat_err_t err;
++
++ memset(reply, 0, sizeof(struct serialized_psa_reply_t));
++
++ reply->header.protocol_ver = req->protocol_ver;
++ reply->header.seq_num = req->seq_num;
++ reply->header.client_id = req->client_id;
++
++ switch (reply->header.protocol_ver) {
++#ifdef RSE_COMMS_PROTOCOL_EMBED_ENABLED
++ case RSE_COMMS_PROTOCOL_EMBED:
++ err = rse_protocol_embed_serialize_reply(req, &reply->reply.embed,
++ reply_size);
++ if (err != TFM_PLAT_ERR_SUCCESS) {
++ return err;
++ }
++ break;
++#endif /* RSE_COMMS_PROTOCOL_EMBED_ENABLED */
++#ifdef RSE_COMMS_PROTOCOL_POINTER_ACCESS_ENABLED
++ case RSE_COMMS_PROTOCOL_POINTER_ACCESS:
++ err = rse_protocol_pointer_access_serialize_reply(req,
++ &reply->reply.pointer_access, reply_size);
++ if (err != TFM_PLAT_ERR_SUCCESS) {
++ return err;
++ }
++ break;
++#endif
++ default:
++ return TFM_PLAT_ERR_UNSUPPORTED;
++ }
++
++ *reply_size += sizeof(struct serialized_rse_comms_header_t);
++
++ return TFM_PLAT_ERR_SUCCESS;
++}
++
++enum tfm_plat_err_t rse_protocol_serialize_error(
++ struct client_request_t *req,
++ struct serialized_rse_comms_header_t *header, psa_status_t error,
++ struct serialized_psa_reply_t *reply, size_t *reply_size)
++{
++ enum tfm_plat_err_t err;
++
++ memset(reply, 0, sizeof(struct serialized_psa_reply_t));
++ memcpy(&reply->header, header,
++ sizeof(struct serialized_rse_comms_header_t));
++
++ switch (reply->header.protocol_ver) {
++#ifdef RSE_COMMS_PROTOCOL_EMBED_ENABLED
++ case RSE_COMMS_PROTOCOL_EMBED:
++ err = rse_protocol_embed_serialize_error(req, error,
++ &reply->reply.embed,
++ reply_size);
++ if (err != TFM_PLAT_ERR_SUCCESS) {
++ return err;
++ }
++ break;
++#endif /* RSE_COMMS_PROTOCOL_EMBED_ENABLED */
++#ifdef RSE_COMMS_PROTOCOL_POINTER_ACCESS_ENABLED
++ case RSE_COMMS_PROTOCOL_POINTER_ACCESS:
++ err = rse_protocol_pointer_access_serialize_error(req, error,
++ &reply->reply.pointer_access, reply_size);
++ if (err != TFM_PLAT_ERR_SUCCESS) {
++ return err;
++ }
++ break;
++#endif
++ default:
++ return TFM_PLAT_ERR_UNSUPPORTED;
++ }
++
++ *reply_size += sizeof(struct serialized_rse_comms_header_t);
++
++ return TFM_PLAT_ERR_SUCCESS;
++}
+diff --git a/platform/ext/target/arm/corstone1000/rse_comms/rse_comms_protocol.h b/platform/ext/target/arm/corstone1000/rse_comms/rse_comms_protocol.h
+new file mode 100644
+index 000000000..c30825f4c
+--- /dev/null
++++ b/platform/ext/target/arm/corstone1000/rse_comms/rse_comms_protocol.h
+@@ -0,0 +1,129 @@
++/*
++ * Copyright (c) 2022-2024, Arm Limited. All rights reserved.
++ *
++ * SPDX-License-Identifier: BSD-3-Clause
++ *
++ */
++
++#ifndef __RSE_COMMS_PROTOCOL_H__
++#define __RSE_COMMS_PROTOCOL_H__
++
++#include "psa/client.h"
++#include "cmsis_compiler.h"
++#include "rse_comms.h"
++#include "tfm_platform_system.h"
++
++#ifdef RSE_COMMS_PROTOCOL_EMBED_ENABLED
++#include "rse_comms_protocol_embed.h"
++#endif /* RSE_COMMS_PROTOCOL_EMBED_ENABLED */
++
++#ifdef RSE_COMMS_PROTOCOL_POINTER_ACCESS_ENABLED
++#include "rse_comms_protocol_pointer_access.h"
++#endif /* RSE_MHU_PROTOCOL_V0_ENABLED */
++
++#ifdef __cplusplus
++extern "C" {
++#endif
++
++enum rse_comms_protocol_version_t {
++#ifdef RSE_COMMS_PROTOCOL_EMBED_ENABLED
++ RSE_COMMS_PROTOCOL_EMBED = 0,
++#endif /* RSE_COMMS_PROTOCOL_EMBED_ENABLED */
++#ifdef RSE_COMMS_PROTOCOL_POINTER_ACCESS_ENABLED
++ RSE_COMMS_PROTOCOL_POINTER_ACCESS = 1,
++#endif /* RSE_COMMS_PROTOCOL_POINTER_ACCESS_ENABLED */
++};
++
++
++__PACKED_STRUCT serialized_rse_comms_header_t {
++ uint8_t protocol_ver;
++ uint8_t seq_num;
++ uint16_t client_id;
++};
++
++/* MHU message passed from NSPE to SPE to deliver a PSA client call */
++__PACKED_STRUCT serialized_psa_msg_t {
++ struct serialized_rse_comms_header_t header;
++ __PACKED_UNION {
++#ifdef RSE_COMMS_PROTOCOL_EMBED_ENABLED
++ struct rse_embed_msg_t embed;
++#endif /* RSE_COMMS_PROTOCOL_EMBED_ENABLED */
++#ifdef RSE_COMMS_PROTOCOL_POINTER_ACCESS_ENABLED
++ struct rse_pointer_access_msg_t pointer_access;
++#endif /* RSE_COMMS_PROTOCOL_POINTER_ACCESS_ENABLED */
++ } msg;
++};
++
++/* MHU reply message to hold the PSA client call return result from SPE */
++__PACKED_STRUCT serialized_psa_reply_t {
++ struct serialized_rse_comms_header_t header;
++ __PACKED_UNION {
++#ifdef RSE_COMMS_PROTOCOL_EMBED_ENABLED
++ struct rse_embed_reply_t embed;
++#endif /* RSE_COMMS_PROTOCOL_EMBED_ENABLED */
++#ifdef RSE_COMMS_PROTOCOL_POINTER_ACCESS_ENABLED
++ struct rse_pointer_access_reply_t pointer_access;
++#endif /* RSE_COMMS_PROTOCOL_POINTER_ACCESS_ENABLED */
++ } reply;
++};
++
++/**
++ * \brief Convert a serialized message to a client_request_t.
++ *
++ * \param[out] req The client_request_t to fill.
++ * \param[in] msg The serialized message to extract data from.
++ * \param[in] msg_len The size of the message.
++ *
++ * \note The sanitization of the client request structure is the
++ * responsibility of the caller.
++ *
++ * \retval TFM_PLAT_ERR_SUCCESS Operation succeeded.
++ * \retval Other return code Operation failed with an error code.
++ */
++enum tfm_plat_err_t rse_protocol_deserialize_msg(struct client_request_t *req,
++ struct serialized_psa_msg_t *msg, size_t msg_len);
++
++/**
++ * \brief Convert a a client_request_t to a serialized reply.
++ *
++ * \param[in] req The client_request_t to serialize data from.
++ * \param[out] reply The reply to fill.
++ * \param[out] reply_size The size of the reply that was filled.
++ *
++ * \retval TFM_PLAT_ERR_SUCCESS Operation succeeded.
++ * \retval Other return code Operation failed with an error code.
++ */
++enum tfm_plat_err_t rse_protocol_serialize_reply(struct client_request_t *req,
++ struct serialized_psa_reply_t *reply, size_t *reply_size);
++
++/**
++ * \brief Create a serialised error reply from a header and an error code.
++ * Intended to for the RSE to notify the AP of errors during the message
++ * deserialization phase.
++ *
++ * \param[in] req The client_request_t to serialize data from. If
++ * the error occured in allocation this pointer
++ * may be NULL. This may not contain message
++ * header information if the message
++ * deserialize failed.
++ * \param[in] header The header of the received
++ * serialized_psa_msg_t whose deserialization
++ * caused the error.
++ * \param[in] error The error code to be transmitted to the AP.
++ * \param[out] reply The reply to fill.
++ * \param[out] reply_size The size of the reply that was filled.
++ *
++ * \retval TFM_PLAT_ERR_SUCCESS Operation succeeded.
++ * \retval Other return code Operation failed with an error code.
++ */
++enum tfm_plat_err_t rse_protocol_serialize_error(
++ struct client_request_t *req,
++ struct serialized_rse_comms_header_t *header, psa_status_t error,
++ struct serialized_psa_reply_t *reply, size_t *reply_size);
++
++
++#ifdef __cplusplus
++}
++#endif
++
++#endif /* __RSE_COMMS_PROTOCOL_H__ */
+diff --git a/platform/ext/target/arm/corstone1000/rse_comms/rse_comms_protocol_embed.c b/platform/ext/target/arm/corstone1000/rse_comms/rse_comms_protocol_embed.c
+new file mode 100644
+index 000000000..5544f9fb8
+--- /dev/null
++++ b/platform/ext/target/arm/corstone1000/rse_comms/rse_comms_protocol_embed.c
+@@ -0,0 +1,105 @@
++/*
++ * Copyright (c) 2022, Arm Limited. All rights reserved.
++ *
++ * SPDX-License-Identifier: BSD-3-Clause
++ *
++ */
++
++#include "rse_comms_protocol_embed.h"
++
++#include <string.h>
++
++#include "tfm_psa_call_pack.h"
++
++enum tfm_plat_err_t rse_protocol_embed_deserialize_msg(
++ struct client_request_t *req, struct rse_embed_msg_t *msg,
++ size_t msg_len)
++{
++ uint32_t payload_size = 0;
++ uint32_t i;
++
++ if (msg_len < (sizeof(*msg) - sizeof(msg->payload))) {
++ return TFM_PLAT_ERR_INVALID_INPUT;
++ }
++
++ req->in_len = PARAM_UNPACK_IN_LEN(msg->ctrl_param);
++ req->out_len = PARAM_UNPACK_OUT_LEN(msg->ctrl_param);
++ req->type = PARAM_UNPACK_TYPE(msg->ctrl_param);
++ req->handle = msg->handle;
++
++ /* Only support 4 iovecs */
++ if (req->in_len + req->out_len > 4) {
++ return TFM_PLAT_ERR_UNSUPPORTED;
++ }
++
++ /* Invecs */
++ for (i = 0; i < req->in_len; ++i) {
++ req->in_vec[i].base = req->param_copy_buf + payload_size;
++ req->in_vec[i].len = msg->io_size[i];
++ payload_size += msg->io_size[i];
++ }
++
++ /* Check payload is not too big */
++ if (payload_size > sizeof(req->param_copy_buf)
++ || payload_size > sizeof(msg->payload)
++ || sizeof(*msg) - sizeof(msg->payload) + payload_size > msg_len ) {
++ return TFM_PLAT_ERR_INVALID_INPUT;
++ }
++
++ /* Copy payload into the buffer */
++ memcpy(req->param_copy_buf, msg->payload, payload_size);
++
++ /* Outvecs */
++ for (i = 0; i < req->out_len; ++i) {
++ req->out_vec[i].base = req->param_copy_buf + payload_size;
++ req->out_vec[i].len = msg->io_size[req->in_len + i];
++ payload_size += msg->io_size[req->in_len + i];
++ }
++
++ /* Check payload is not too big */
++ if (payload_size > sizeof(req->param_copy_buf)) {
++ return TFM_PLAT_ERR_INVALID_INPUT;
++ }
++
++ return TFM_PLAT_ERR_SUCCESS;
++}
++
++enum tfm_plat_err_t rse_protocol_embed_serialize_reply(
++ struct client_request_t *req, struct rse_embed_reply_t *reply,
++ size_t *reply_size)
++{
++ size_t payload_size = 0;
++ size_t len;
++ uint32_t i;
++
++ reply->return_val = req->return_val;
++
++ /* Outvecs */
++ for (i = 0; i < req->out_len; ++i) {
++ len = req->out_vec[i].len;
++
++ if (payload_size + len > sizeof(reply->payload)) {
++ return TFM_PLAT_ERR_UNSUPPORTED;
++ }
++
++ memcpy(reply->payload + payload_size, req->out_vec[i].base, len);
++ reply->out_size[i] = len;
++ payload_size += len;
++ }
++
++ *reply_size = sizeof(*reply) - sizeof(reply->payload) + payload_size;
++
++ return TFM_PLAT_ERR_SUCCESS;
++}
++
++enum tfm_plat_err_t rse_protocol_embed_serialize_error(
++ struct client_request_t *req, psa_status_t err,
++ struct rse_embed_reply_t *reply, size_t *reply_size)
++{
++ reply->return_val = err;
++
++ /* Return the minimum reply size, as the out_sizes are all zeroed */
++ *reply_size = sizeof(*reply) - sizeof(reply->payload);
++
++ return TFM_PLAT_ERR_SUCCESS;
++}
+diff --git a/platform/ext/target/arm/corstone1000/rse_comms/rse_comms_protocol_embed.h b/platform/ext/target/arm/corstone1000/rse_comms/rse_comms_protocol_embed.h
+new file mode 100644
+index 000000000..e1ca1d0c9
+--- /dev/null
++++ b/platform/ext/target/arm/corstone1000/rse_comms/rse_comms_protocol_embed.h
+@@ -0,0 +1,50 @@
++/*
++ * Copyright (c) 2022, Arm Limited. All rights reserved.
++ *
++ * SPDX-License-Identifier: BSD-3-Clause
++ *
++ */
++
++#ifndef __RSE_COMMS_PROTOCOL_EMBED_H__
++#define __RSE_COMMS_PROTOCOL_EMBED_H__
++
++#include "psa/client.h"
++#include "cmsis_compiler.h"
++#include "rse_comms.h"
++#include "tfm_platform_system.h"
++
++#ifdef __cplusplus
++extern "C" {
++#endif
++
++__PACKED_STRUCT rse_embed_msg_t {
++ psa_handle_t handle;
++ uint32_t ctrl_param; /* type, in_len, out_len */
++ uint16_t io_size[PSA_MAX_IOVEC];
++ uint8_t payload[RSE_COMMS_PAYLOAD_MAX_SIZE];
++};
++
++__PACKED_STRUCT rse_embed_reply_t {
++ int32_t return_val;
++ uint16_t out_size[PSA_MAX_IOVEC];
++ uint8_t payload[RSE_COMMS_PAYLOAD_MAX_SIZE];
++};
++
++enum tfm_plat_err_t rse_protocol_embed_deserialize_msg(
++ struct client_request_t *req, struct rse_embed_msg_t *msg,
++ size_t msg_len);
++
++enum tfm_plat_err_t rse_protocol_embed_serialize_reply(
++ struct client_request_t *req, struct rse_embed_reply_t *reply,
++ size_t *reply_size);
++
++enum tfm_plat_err_t rse_protocol_embed_serialize_error(
++ struct client_request_t *req, psa_status_t err,
++ struct rse_embed_reply_t *reply, size_t *reply_size);
++
++
++#ifdef __cplusplus
++}
++#endif
++
++#endif /* __RSE_COMMS_PROTOCOL_EMBED_H__ */
+diff --git a/platform/ext/target/arm/corstone1000/rse_comms/rse_comms_queue.c b/platform/ext/target/arm/corstone1000/rse_comms/rse_comms_queue.c
+new file mode 100644
+index 000000000..d7f244db6
+--- /dev/null
++++ b/platform/ext/target/arm/corstone1000/rse_comms/rse_comms_queue.c
+@@ -0,0 +1,64 @@
++/*
++ * Copyright (c) 2022, Arm Limited. All rights reserved.
++ *
++ * SPDX-License-Identifier: BSD-3-Clause
++ *
++ */
++
++#include "rse_comms_queue.h"
++
++#include <stdbool.h>
++#include <stddef.h>
++
++#define QUEUE_SIZE (RSE_COMMS_MAX_CONCURRENT_REQ + 1)
++
++struct queue_t {
++ void *buf[QUEUE_SIZE];
++ size_t head;
++ size_t tail;
++};
++
++static struct queue_t queue;
++
++/* Advance head or tail */
++static size_t advance(size_t index)
++{
++ if (++index == QUEUE_SIZE) {
++ index = 0;
++ }
++ return index;
++}
++
++static inline bool is_empty(void)
++{
++ return queue.head == queue.tail;
++}
++
++static inline bool is_full(void)
++{
++ return advance(queue.head) == queue.tail;
++}
++
++int32_t queue_enqueue(void *entry)
++{
++ if (is_full()) {
++ return -1;
++ }
++
++ queue.buf[queue.head] = entry;
++ queue.head = advance(queue.head);
++
++ return 0;
++}
++
++int32_t queue_dequeue(void **entry)
++{
++ if (is_empty()) {
++ return -1;
++ }
++
++ *entry = queue.buf[queue.tail];
++ queue.tail = advance(queue.tail);
++
++ return 0;
++}
+diff --git a/platform/ext/target/arm/corstone1000/rse_comms/rse_comms_queue.h b/platform/ext/target/arm/corstone1000/rse_comms/rse_comms_queue.h
+new file mode 100644
+index 000000000..d3db1dd2e
+--- /dev/null
++++ b/platform/ext/target/arm/corstone1000/rse_comms/rse_comms_queue.h
+@@ -0,0 +1,25 @@
++/*
++ * Copyright (c) 2022, Arm Limited. All rights reserved.
++ *
++ * SPDX-License-Identifier: BSD-3-Clause
++ *
++ */
++
++#ifndef __RSE_COMMS_QUEUE_H__
++#define __RSE_COMMS_QUEUE_H__
++
++#include <stdint.h>
++
++#ifdef __cplusplus
++extern "C" {
++#endif
++
++int32_t queue_enqueue(void *entry);
++
++int32_t queue_dequeue(void **entry);
++
++#ifdef __cplusplus
++}
++#endif
++
++#endif /* __RSE_COMMS_QUEUE_H__ */
+diff --git a/platform/ext/target/arm/corstone1000/rse_comms_permissions_hal.c b/platform/ext/target/arm/corstone1000/rse_comms_permissions_hal.c
+new file mode 100644
+index 000000000..59724bc94
+--- /dev/null
++++ b/platform/ext/target/arm/corstone1000/rse_comms_permissions_hal.c
+@@ -0,0 +1,177 @@
++/*
++ * Copyright (c) 2022-2024, Arm Limited. All rights reserved.
++ *
++ * SPDX-License-Identifier: BSD-3-Clause
++ *
++ */
++
++#include "rse_comms_permissions_hal.h"
++
++#include "device_definition.h"
++#include "psa_manifest/sid.h"
++#include "region_defs.h"
++#include "tfm_hal_platform.h"
++
++#ifdef TFM_PARTITION_INITIAL_ATTESTATION
++#include "tfm_attest_defs.h"
++#endif /* TFM_PARTITION_INITIAL_ATTESTATION */
++#ifdef TFM_PARTITION_MEASURED_BOOT
++#include "measured_boot_defs.h"
++#endif /* TFM_PARTITION_MEASURED_BOOT */
++#ifdef TFM_PARTITION_DELEGATED_ATTESTATION
++#include "tfm_delegated_attest_defs.h"
++#endif /* TFM_PARTITION_DELEGATED_ATTESTATION */
++#ifdef TFM_PARTITION_CRYPTO
++#include "tfm_crypto_defs.h"
++#endif /*TFM_PARTITION_CRYPTO */
++#ifdef TFM_PARTITION_PLATFORM
++#include "tfm_platform_api.h"
++#endif /* TFM_PARTITION_PLATFORM */
++#ifdef TFM_PARTITION_PROTECTED_STORAGE
++#include "tfm_ps_defs.h"
++#endif /* TFM_PARTITION_PROTECTED_STORAGE */
++#ifdef TFM_PARTITION_INTERNAL_TRUSTED_STORAGE
++#include "tfm_its_defs.h"
++#endif /* TFM_PARTITION_INTERNAL_TRUSTED_STORAGE */
++
++#define INVALID_REGION_COUNTER_MAX 128
++#define INVALID_SERVICE_COUNTER_MAX 64
++
++static uint32_t invalid_region_counter = 0;
++static uint32_t invalid_service_counter = 0;
++
++/* Check if the interface is getting a lot of invalid requests, and shutdown
++ * the system if it exceeds the threshold. This is intended to make fuzzing the
++ * interface difficult.
++ */
++static void counter_check(void) {
++ if (invalid_region_counter > INVALID_REGION_COUNTER_MAX) {
++#ifdef CONFIG_TFM_HALT_ON_CORE_PANIC
++ tfm_hal_system_halt();
++#else
++ tfm_hal_system_reset();
++#endif /* CONFIG_TFM_HALT_ON_CORE_PANIC */
++ }
++
++ if (invalid_service_counter > INVALID_SERVICE_COUNTER_MAX) {
++#ifdef CONFIG_TFM_HALT_ON_CORE_PANIC
++ tfm_hal_system_halt();
++#else
++ tfm_hal_system_reset();
++#endif /* CONFIG_TFM_HALT_ON_CORE_PANIC */
++ }
++
++ return;
++}
++
++enum tfm_plat_err_t comms_permissions_memory_check(void *owner,
++ uint64_t host_ptr,
++ uint32_t size,
++ bool is_write)
++{
++ /* Is fully within the shared memory */
++ if ((host_ptr >= INTER_PROCESSOR_HOST_SHARED_MEMORY_START_ADDR) &&
++ ((host_ptr + size) < (INTER_PROCESSOR_HOST_SHARED_MEMORY_START_ADDR +
++ INTER_PROCESSOR_SHARED_MEMORY_SIZE))) {
++ return TFM_PLAT_ERR_SUCCESS;
++ }
++
++ invalid_region_counter++;
++ counter_check();
++
++ return TFM_PLAT_ERR_UNSUPPORTED;
++}
++
++enum tfm_plat_err_t comms_permissions_service_check(psa_handle_t handle,
++ const psa_invec *in_vec,
++ size_t in_len,
++ int32_t type)
++{
++ switch(handle) {
++#ifdef TFM_PARTITION_PROTECTED_STORAGE
++ case TFM_PROTECTED_STORAGE_SERVICE_HANDLE:
++ switch(type) {
++ case TFM_PS_SET:
++ case TFM_PS_GET:
++ case TFM_PS_GET_INFO:
++ case TFM_PS_REMOVE:
++ case TFM_PS_GET_SUPPORT:
++ return TFM_PLAT_ERR_SUCCESS;
++ default:
++ goto out_err;
++ }
++#endif /* TFM_PARTITION_INTERNAL_TRUSTED_STORAGE */
++
++#ifdef TFM_PARTITION_INITIAL_ATTESTATION
++ case TFM_ATTESTATION_SERVICE_HANDLE:
++ switch(type) {
++ case TFM_ATTEST_GET_TOKEN:
++ case TFM_ATTEST_GET_TOKEN_SIZE:
++ return TFM_PLAT_ERR_SUCCESS;
++ default:
++ goto out_err;
++ }
++#endif /* TFM_PARTITION_INITIAL_ATTESTATION */
++#ifdef TFM_PARTITION_DELEGATED_ATTESTATION
++ case TFM_DELEGATED_ATTESTATION_HANDLE:
++ switch(type) {
++ case DELEGATED_ATTEST_GET_DELEGATED_KEY:
++ case DELEGATED_ATTEST_GET_PLATFORM_TOKEN:
++ return TFM_PLAT_ERR_SUCCESS;
++ default:
++ goto out_err;
++ }
++#endif /* TFM_PARTITION_DELEGATED_ATTESTATION */
++#ifdef TFM_PARTITION_MEASURED_BOOT
++ case TFM_MEASURED_BOOT_HANDLE:
++ switch(type) {
++ case TFM_MEASURED_BOOT_EXTEND:
++ case TFM_MEASURED_BOOT_READ:
++ return TFM_PLAT_ERR_SUCCESS;
++ default:
++ goto out_err;
++ }
++#endif /* TFM_PARTITION_MEASURED_BOOT */
++#ifdef TFM_PARTITION_CRYPTO
++ case TFM_CRYPTO_HANDLE:
++ /* Every crypto operation is done by the SE */
++ return TFM_PLAT_ERR_SUCCESS;
++#endif /* TFM_PARTITION_CRYPTO */
++#ifdef TFM_PARTITION_PLATFORM
++ case TFM_PLATFORM_SERVICE_HANDLE:
++ switch(type) {
++ case TFM_PLATFORM_API_ID_NV_READ:
++ case TFM_PLATFORM_API_ID_NV_INCREMENT:
++ case TFM_PLATFORM_API_ID_SYSTEM_RESET:
++ case TFM_PLATFORM_API_ID_IOCTL:
++ return TFM_PLAT_ERR_SUCCESS;
++ default:
++ goto out_err;
++ }
++#endif /* TFM_PARTITION_PLATFORM */
++#ifdef TFM_PARTITION_INTERNAL_TRUSTED_STORAGE
++ case TFM_INTERNAL_TRUSTED_STORAGE_SERVICE_HANDLE:
++ switch(type) {
++ case TFM_ITS_SET:
++ case TFM_ITS_GET:
++ case TFM_ITS_GET_INFO:
++ case TFM_ITS_REMOVE:
++ return TFM_PLAT_ERR_SUCCESS;
++ default:
++ goto out_err;
++ }
++#endif /* TFM_PARTITION_INTERNAL_TRUSTED_STORAGE */
++#ifdef TFM_PARTITION_DPE
++ case TFM_DPE_SERVICE_HANDLE:
++ return TFM_PLAT_ERR_SUCCESS;
++#endif /* TFM_PARTITION_DPE */
++ default:
++ goto out_err;
++ }
++
++out_err:
++ invalid_service_counter++;
++ counter_check();
++
++ return TFM_PLAT_ERR_UNSUPPORTED;
++}
+diff --git a/platform/ext/target/arm/corstone1000/tfm_interrupts.c b/platform/ext/target/arm/corstone1000/tfm_interrupts.c
+new file mode 100644
+index 000000000..47a6c9d7b
+--- /dev/null
++++ b/platform/ext/target/arm/corstone1000/tfm_interrupts.c
+@@ -0,0 +1,51 @@
++/*
++ * Copyright (c) 2021-2023, Arm Limited. All rights reserved.
++ * Copyright (c) 2022 Cypress Semiconductor Corporation (an Infineon
++ * company) or an affiliate of Cypress Semiconductor Corporation. All rights
++ * reserved.
++ *
++ * SPDX-License-Identifier: BSD-3-Clause
++ *
++ */
++
++#include "cmsis.h"
++#include "device_definition.h"
++#include "spm.h"
++#include "tfm_hal_interrupt.h"
++#include "tfm_peripherals_def.h"
++#include "interrupt.h"
++#include "load/interrupt_defs.h"
++#include "platform_irq.h"
++#include "rse_comms_hal.h"
++
++static struct irq_t mbox_irq_info = {0};
++
++/* Platform specific inter-processor communication interrupt handler. */
++void HSE1_RECEIVER_COMBINED_IRQHandler(void)
++{
++ (void)tfm_multi_core_hal_receive(&MHU1_HOST_TO_SE_DEV,
++ &MHU1_SE_TO_HOST_DEV,
++ mbox_irq_info.p_ildi->source);
++
++ /*
++ * SPM will send a MAILBOX_SIGNAL to the corresponding partition
++ * indicating that a message has arrived and can be processed.
++ */
++ spm_handle_interrupt(mbox_irq_info.p_pt, mbox_irq_info.p_ildi);
++}
++
++enum tfm_hal_status_t mailbox_irq_init(void *p_pt,
++ const struct irq_load_info_t *p_ildi)
++{
++ mbox_irq_info.p_pt = p_pt;
++ mbox_irq_info.p_ildi = p_ildi;
++
++ /* Set MHU interrupt priority to the same as PendSV (the lowest)
++ * TODO: Consider advantages/disadvantages of setting it one higher
++ */
++ NVIC_SetPriority(HSE1_RECEIVER_COMBINED_IRQn, NVIC_GetPriority(PendSV_IRQn));
++
++ NVIC_DisableIRQ(HSE1_RECEIVER_COMBINED_IRQn);
++
++ return TFM_HAL_SUCCESS;
++}
+--
+2.25.1
+
diff --git a/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0009-platform-corstone1000-Increase-RSE_COMMS-buffer-size.patch b/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0009-platform-corstone1000-Increase-RSE_COMMS-buffer-size.patch
new file mode 100644
index 0000000000..3269c0e045
--- /dev/null
+++ b/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0009-platform-corstone1000-Increase-RSE_COMMS-buffer-size.patch
@@ -0,0 +1,28 @@
+From 21b0c9f028b6b04fa2f027510ec90969735f4dd1 Mon Sep 17 00:00:00 2001
+From: Bence Balogh <bence.balogh@arm.com>
+Date: Wed, 17 Apr 2024 19:31:03 +0200
+Subject: [PATCH] platform: corstone1000: Increase RSE_COMMS buffer size
+
+Signed-off-by: Bence Balogh <bence.balogh@arm.com>
+Upstream-Status: Pending
+---
+ platform/ext/target/arm/corstone1000/rse_comms/rse_comms.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/platform/ext/target/arm/corstone1000/rse_comms/rse_comms.h b/platform/ext/target/arm/corstone1000/rse_comms/rse_comms.h
+index 6d79dd3bf..f079f6504 100644
+--- a/platform/ext/target/arm/corstone1000/rse_comms/rse_comms.h
++++ b/platform/ext/target/arm/corstone1000/rse_comms/rse_comms.h
+@@ -16,7 +16,7 @@ extern "C" {
+ #endif
+
+ /* size suits to fit the largest message too (EFI variables) */
+-#define RSE_COMMS_PAYLOAD_MAX_SIZE (0x2100)
++#define RSE_COMMS_PAYLOAD_MAX_SIZE (0x43C0)
+
+ /*
+ * Allocated for each client request.
+--
+2.25.1
+
+
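Review bot: The new value `0x43C0` on the `#define RSE_COMMS_PAYLOAD_MAX_SIZE` line is a bare magic number, and the patch has no commit body explaining how it was derived; the comment above it still only says it fits "the largest message (EFI variables)". This constant sizes the `payload[]` arrays of both `rse_embed_msg_t` and `rse_embed_reply_t` introduced by the preceding 0008 patch, and presumably `param_copy_buf` in `client_request_t` as well, so the bump roughly doubles every pooled request. A comment stating the derivation, e.g. `/* <max EFI variable size> + PSA iovec and RSE comms header overhead, rounded up */` with the placeholder filled in, would let the next resize be checked against the EFI variable limit rather than guessed. Since Upstream-Status is Pending, the same sentence belongs in the commit message.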
diff --git a/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0010-CC312-alignment-of-cc312-differences-between-fvp-and.patch b/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0010-CC312-alignment-of-cc312-differences-between-fvp-and.patch
new file mode 100644
index 0000000000..3d1b35e46b
--- /dev/null
+++ b/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0010-CC312-alignment-of-cc312-differences-between-fvp-and.patch
@@ -0,0 +1,31 @@
+From a8aeaafd6c26d6bc3066164d12aabc5cb754fe1c Mon Sep 17 00:00:00 2001
+From: Ali Can Ozaslan <ali.oezaslan@arm.com>
+Date: Wed, 15 May 2024 12:12:15 +0000
+Subject: [PATCH] CC312: alignment of cc312 differences between fvp and mps3
+ corstone1000 platforms
+
+Configures CC312 mps3 model same as predefined cc312 FVP
+configuration while keeping debug ports closed.
+
+Signed-off-by: Ali Can Ozaslan <ali.oezaslan@arm.com>
+
+Upstream-Status: Inappropriate [Requires an aligment cc3xx with mps3 hw and fvp sw models]
+
+---
+ lib/ext/cryptocell-312-runtime/host/src/cc3x_lib/cc_lib.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/lib/ext/cryptocell-312-runtime/host/src/cc3x_lib/cc_lib.c b/lib/ext/cryptocell-312-runtime/host/src/cc3x_lib/cc_lib.c
+index 31e4332be..4d7e6fa61 100644
+--- a/lib/ext/cryptocell-312-runtime/host/src/cc3x_lib/cc_lib.c
++++ b/lib/ext/cryptocell-312-runtime/host/src/cc3x_lib/cc_lib.c
+@@ -207,6 +207,9 @@ CClibRetCode_t CC_LibInit(CCRndContext_t *rndContext_ptr, CCRndWorkBuff_t *rndW
+ goto InitErr2;
+ }
+
++ /* configuring secure debug to align cc312 with corstone 1000 */
++ CC_HAL_WRITE_REGISTER(CC_REG_OFFSET(HOST_RGF,HOST_DCU_EN0), 0xffffe7fc);
++
+ /* turn off the DFA since Cerberus doen't support it */
+ reg = CC_HAL_READ_REGISTER(CC_REG_OFFSET(HOST_RGF, HOST_AO_LOCK_BITS));
+ CC_REG_FLD_SET(0, HOST_AO_LOCK_BITS, HOST_FORCE_DFA_ENABLE, reg, 0x0);
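Review bot: The value `0xffffe7fc` written to `HOST_DCU_EN0` is an undocumented bit mask; the comment above it only says it aligns cc312 with corstone1000, so a reader cannot verify the commit message's claim that debug ports stay closed. The mask clears bits 0, 1, 11 and 12 of DCU_EN0 and leaves every other DCU enable set; the comment should name the debug features those four bits gate, e.g. `/* HOST_DCU_EN0: clear bits 0,1,11,12 (<debug features per CC312 DCU register map>) so debug ports stay closed; all other DCU bits enabled to match the FVP model */`, with the placeholder filled from the register description. The write is unconditional in a library file that TF-M shares across platforms; if this patch is applied only by the corstone1000 recipe, a short note saying so would make that intent explicit. The enclosing function CC_LibInit continues outside the hunk.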
diff --git a/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0011-Platform-corstone1000-Increase-buffers-for-EFI-vars.patch b/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0011-Platform-corstone1000-Increase-buffers-for-EFI-vars.patch
new file mode 100644
index 0000000000..abf7038909
--- /dev/null
+++ b/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0011-Platform-corstone1000-Increase-buffers-for-EFI-vars.patch
@@ -0,0 +1,45 @@
+From d7725e629c9ba93523589cc9d8af3186db19d4e8 Mon Sep 17 00:00:00 2001
+From: Bence Balogh <bence.balogh@arm.com>
+Date: Wed, 15 May 2024 22:37:51 +0200
+Subject: [PATCH] Platform: corstone1000: Increase buffers for EFI vars
+
+The UEFI variables are stored in the Protected Storage. The size of
+the variables metadata have been increased so the related buffer sizes
+have to be increased.
+
+Signed-off-by: Bence Balogh <bence.balogh@arm.com>
+Upstream-Status: Pending
+---
+ .../ext/target/arm/corstone1000/config_tfm_target.h | 13 ++++++++++++-
+ 1 file changed, 12 insertions(+), 1 deletion(-)
+
+diff --git a/platform/ext/target/arm/corstone1000/config_tfm_target.h b/platform/ext/target/arm/corstone1000/config_tfm_target.h
+index 2eb0924770..6ee823a7dc 100644
+--- a/platform/ext/target/arm/corstone1000/config_tfm_target.h
++++ b/platform/ext/target/arm/corstone1000/config_tfm_target.h
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (c) 2022, Arm Limited. All rights reserved.
++ * Copyright (c) 2022-2024, Arm Limited. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ *
+@@ -24,4 +24,15 @@
+ #undef ITS_MAX_ASSET_SIZE
+ #define ITS_MAX_ASSET_SIZE 2048
+
++/* The maximum asset size to be stored in the Protected Storage */
++#undef PS_MAX_ASSET_SIZE
++#define PS_MAX_ASSET_SIZE 2592
++
++/* This is needed to be able to process the EFI variables during PS writes. */
++#undef CRYPTO_ENGINE_BUF_SIZE
++#define CRYPTO_ENGINE_BUF_SIZE 0x5000
++
++/* This is also has to be increased to fit the EFI variables into the iovecs. */
++#undef CRYPTO_IOVEC_BUFFER_SIZE
++#define CRYPTO_IOVEC_BUFFER_SIZE 6000
+ #endif /* __CONFIG_TFM_TARGET_H__ */
+--
+2.25.1
+
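Review bot: The comment above the new `CRYPTO_IOVEC_BUFFER_SIZE` define reads "This is also has to be increased"; it should read `/* This also has to be increased to fit the EFI variables into the iovecs. */`. The three new sizes (2592, 0x5000, 6000) are in mixed radix and none states the EFI variable size they are derived from, so a one-line comment above `PS_MAX_ASSET_SIZE` giving that derivation would let the relationship between PS_MAX_ASSET_SIZE, CRYPTO_IOVEC_BUFFER_SIZE and the RSE_COMMS_PAYLOAD_MAX_SIZE bump in the 0009 patch be checked. A blank line between the last `#define` and `#endif` would match the spacing of the existing ITS_MAX_ASSET_SIZE block.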
diff --git a/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0012-corstone1000-Remove-reset-after-capsule-update.patch b/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0012-corstone1000-Remove-reset-after-capsule-update.patch
new file mode 100644
index 0000000000..8ffd567b66
--- /dev/null
+++ b/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0012-corstone1000-Remove-reset-after-capsule-update.patch
@@ -0,0 +1,28 @@
+From 78db43f80676f8038b35edd6674d22fb5ff85c12 Mon Sep 17 00:00:00 2001
+From: Bence Balogh <bence.balogh@arm.com>
+Date: Mon, 27 May 2024 17:11:31 +0200
+Subject: [PATCH] corstone1000: Remove reset after capsule update
+
+Signed-off-by: Bence Balogh <bence.balogh@arm.com>
+Upstream-Status: Submitted [https://review.trustedfirmware.org/c/TF-M/trusted-firmware-m/+/29065]
+---
+ .../target/arm/corstone1000/services/src/tfm_platform_system.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/platform/ext/target/arm/corstone1000/services/src/tfm_platform_system.c b/platform/ext/target/arm/corstone1000/services/src/tfm_platform_system.c
+index 41305ed966..1e837ce3b5 100644
+--- a/platform/ext/target/arm/corstone1000/services/src/tfm_platform_system.c
++++ b/platform/ext/target/arm/corstone1000/services/src/tfm_platform_system.c
+@@ -28,9 +28,6 @@ enum tfm_platform_err_t tfm_platform_hal_ioctl(tfm_platform_ioctl_req_t request,
+
+ case IOCTL_CORSTONE1000_FWU_FLASH_IMAGES:
+ result = corstone1000_fwu_flash_image();
+- if (!result) {
+- NVIC_SystemReset();
+- }
+ break;
+
+ case IOCTL_CORSTONE1000_FWU_HOST_ACK:
+--
+2.25.1
+
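Review bot: The embedded patch carries no explanation for dropping the `NVIC_SystemReset()` after a successful `corstone1000_fwu_flash_image()`, so a reader cannot tell where the reset that activates the newly flashed image now happens or whether the host is expected to trigger it. Add a sentence to the patch's commit body along the lines of `The reset after a successful image write is now requested by the host once the capsule update completes, so the secure side must not reset on its own.` (adjusted to the real reason). The enclosing `tfm_platform_hal_ioctl` switch starts and ends outside the hunk, so I cannot confirm how `result` is propagated to the caller after the `break`.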
diff --git a/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/trusted-firmware-m-corstone1000.inc b/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/trusted-firmware-m-corstone1000.inc
index e098da721c..dcba79ef0c 100644
--- a/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/trusted-firmware-m-corstone1000.inc
+++ b/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/trusted-firmware-m-corstone1000.inc
@@ -11,35 +11,24 @@ TFM_PLATFORM_IS_FVP ?= "FALSE"
EXTRA_OECMAKE += "-DPLATFORM_IS_FVP=${TFM_PLATFORM_IS_FVP}"
EXTRA_OECMAKE += "-DCC312_LEGACY_DRIVER_API_ENABLED=OFF"
-# libmetal v2023.04.0
-LICENSE += "& BSD-3-Clause"
-LIC_FILES_CHKSUM += "file://../libmetal/LICENSE.md;md5=f4d5df0f12dcea1b1a0124219c0dbab4"
-SRC_URI += "git://github.com/OpenAMP/libmetal.git;protocol=https;branch=main;name=libmetal;destsuffix=git/libmetal \
- file://0001-cmake-modify-path-to-libmetal-version-file.patch;patchdir=../libmetal \
- file://0002-arm-trusted-firmware-m-disable-address-warnings-into.patch \
+SRC_URI += " \
+ file://0001-arm-trusted-firmware-m-disable-address-warnings-into.patch \
"
-SRCREV_libmetal = "28fa2351d6a8121ce6c1c2ac5ee43ce08d38dbae"
-EXTRA_OECMAKE += "-DLIBMETAL_SRC_PATH=${S}/../libmetal -DLIBMETAL_BIN_PATH=${B}/libmetal-build"
-# The configuration can fail if libmetal tries to generate the docs and the doxygen bin is found
-EXTRA_OECMAKE += "-DWITH_DOC=False"
-
-# OpenAMP v2023.04.0
-LICENSE += "& BSD-2-Clause & BSD-3-Clause"
-LIC_FILES_CHKSUM += "file://../openamp/LICENSE.md;md5=ab88daf995c0bd0071c2e1e55f3d3505"
-SRC_URI += "git://github.com/OpenAMP/open-amp.git;protocol=https;branch=main;name=openamp;destsuffix=git/openamp"
-SRCREV_openamp = "accac4d3610cbb268f3c3fe3c31dc45dd4c4dd17"
-EXTRA_OECMAKE += "-DLIBOPENAMP_SRC_PATH=${S}/../openamp -DLIBOPENAMP_BIN_PATH=${B}/libopenamp-build"
-
FILESEXTRAPATHS:prepend := "${THISDIR}/files:"
SRC_URI:append:corstone1000 = " \
file://0001-platform-corstone1000-Update-MPU-configuration.patch \
file://0002-platform-corstone1000-Cover-S_DATA-with-MPU.patch \
- file://0003-Platform-corstone1000-Fix-issues-due-to-adjustment-M.patch \
- file://0004-platform-corstone1000-align-capsule-update-structs.patch \
- file://0005-platform-corstone1000-fix-synchronization-issue-on-o.patch \
- file://0006-Platform-Corstone1000-skip-the-first-nv-counter.patch \
- file://0007-platform-corstone1000-add-unique-guid-for-mps3.patch \
+ file://0003-platform-corstone1000-align-capsule-update-structs.patch \
+ file://0004-Platform-Corstone1000-skip-the-first-nv-counter.patch \
+ file://0005-platform-corstone1000-add-unique-guid-for-mps3.patch \
+ file://0006-Platform-Corstone1000-Enable-host-firewall-in-FVP.patch \
+ file://0007-platform-corstone1000-Increase-ITS-max-asset-size.patch \
+ file://0008-Platform-CS1000-Replace-OpenAMP-with-RSE_COMMS.patch \
+ file://0009-platform-corstone1000-Increase-RSE_COMMS-buffer-size.patch \
+ file://0010-CC312-alignment-of-cc312-differences-between-fvp-and.patch \
+ file://0011-Platform-corstone1000-Increase-buffers-for-EFI-vars.patch \
+ file://0012-corstone1000-Remove-reset-after-capsule-update.patch \
"
# TF-M ships patches for external dependencies that needs to be applied
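Review bot: The two fix patches dropped from `SRC_URI:append:corstone1000` (`0003-Platform-corstone1000-Fix-issues-due-to-adjustment-M.patch` and `0005-platform-corstone1000-fix-synchronization-issue-on-o.patch`) disappear without a replacement in the list, and nothing in this hunk says whether they were merged upstream in the new TF-M revision or are simply no longer needed. Since the patches a BSP carries are the record of how it diverges from upstream, a comment above the append such as `# 0003/0005 of the previous series are now in upstream TF-M` (or a sentence in the commit message) would save the next person bumping the revision from looking for them. Removing the libmetal and OpenAMP sources together with their `LICENSE`/`LIC_FILES_CHKSUM` entries is consistent with `0008-Platform-CS1000-Replace-OpenAMP-with-RSE_COMMS.patch`.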
diff --git a/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot-corstone1000.inc b/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot-corstone1000.inc
index c0a029e9da..82049c4327 100644
--- a/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot-corstone1000.inc
+++ b/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot-corstone1000.inc
@@ -60,6 +60,10 @@ SRC_URI:append = " \
file://0042-corstone1000-enable-virtio-net-support.patch \
file://0043-firmware-psci-Fix-bind_smccc_features-psci-check.patch \
file://0044-corstone1000-set-unique-GUID-for-fvp-and-mps3.patch \
+ file://0045-efi-corstone1000-fwu-update-RPC-ABI.patch \
+ file://0046-Corstone1000-Change-MMCOMM-buffer-location.patch \
+ file://0047-corstone1000-dts-add-external-system-node.patch \
+ file://0048-corstone1000-Enable-UEFI-Secure-boot.patch \
"
do_configure:append() {
diff --git a/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot-fvp-base.inc b/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot-fvp-base.inc
index 9aca993f5c..9f8c178a29 100644
--- a/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot-fvp-base.inc
+++ b/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot-fvp-base.inc
@@ -4,4 +4,5 @@ SRC_URI:append = " \
file://0001-vexpress64-Set-the-DM_RNG-property.patch \
file://0002-vexpress64-Select-PSCI-RESET-by-default.patch \
file://0003-vexpress64-Imply-CONFIG_ARM64_CRC32-by-default.patch \
+ file://tick.patch \
"
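Review bot: `file://tick.patch` does not follow the numbered `NNNN-subject.patch` naming used by the three entries above it, and the file it points to bundles two commits (`[PATCH 1/2]` and `[PATCH 2/2]`) into one patch file, which makes it harder to track each change's upstream status on its own. Consider splitting it into `0004-arm-Move-sev-and-wfe-definitions-to-common-Arm-header.patch` and `0005-armv8-generic_timer-Use-event-stream-for-udelay.patch` and listing both here.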
diff --git a/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot/corstone1000/0045-efi-corstone1000-fwu-update-RPC-ABI.patch b/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot/corstone1000/0045-efi-corstone1000-fwu-update-RPC-ABI.patch
new file mode 100644
index 0000000000..00fc1f0720
--- /dev/null
+++ b/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot/corstone1000/0045-efi-corstone1000-fwu-update-RPC-ABI.patch
@@ -0,0 +1,75 @@
+From 7c25404d64ef8efec63c154ce38b0bb38845680f Mon Sep 17 00:00:00 2001
+From: Bence Balogh <bence.balogh@arm.com>
+Date: Tue, 5 Dec 2023 20:23:55 +0100
+Subject: [PATCH] efi: corstone1000: fwu: update RPC ABI
+
+The Trusted Services RPC protocol format changed: the
+data has to be placed in w3 and the memory handle has
+to be placed in w4-w5.
+
+Signed-off-by: Bence Balogh <bence.balogh@arm.com>
+Upstream-Status: Pending [Not submitted to upstream yet]
+---
+ lib/efi_loader/efi_capsule.c | 14 +++++++++++---
+ lib/efi_loader/efi_setup.c | 14 +++++++++++---
+ 2 files changed, 22 insertions(+), 6 deletions(-)
+
+diff --git a/lib/efi_loader/efi_capsule.c b/lib/efi_loader/efi_capsule.c
+index f3326b1f67..1d966e3f26 100644
+--- a/lib/efi_loader/efi_capsule.c
++++ b/lib/efi_loader/efi_capsule.c
+@@ -790,12 +790,20 @@ static int __efi_runtime efi_corstone1000_buffer_ready_event(u32 capsule_image_s
+ }
+
+ /*
+- * setting the buffer ready event arguments in register w4:
++ * setting the buffer ready event arguments in register w3:
+ * - capsule update interface ID (31:16)
+ * - the buffer ready event ID (15:0)
+ */
+- msg.data1 = PREP_SEPROXY_SVC_ID(CORSTONE1000_SEPROXY_UPDATE_SVC_ID) |
+- PREP_SEPROXY_EVT(CORSTONE1000_BUFFER_READY_EVT); /* w4 */
++ msg.data0 = PREP_SEPROXY_SVC_ID(CORSTONE1000_SEPROXY_UPDATE_SVC_ID) |
++ PREP_SEPROXY_EVT(CORSTONE1000_BUFFER_READY_EVT); /* w3 */
++
++ /*
++ * setting the memory handle fields to
++ * FFA_MEM_HANDLE_INVALID (0xFFFF_FFFF_FFFF_FFFF)
++ * to signal that there is no shared memory used
++ */
++ msg.data1 = 0xFFFFFFFF; /* w4 */
++ msg.data2 = 0xFFFFFFFF; /* w5 */
+
+ return ffa_sync_send_receive(dev, CORSTONE1000_SEPROXY_PART_ID, &msg, 0);
+ }
+diff --git a/lib/efi_loader/efi_setup.c b/lib/efi_loader/efi_setup.c
+index d20568c1c8..c31e74532f 100644
+--- a/lib/efi_loader/efi_setup.c
++++ b/lib/efi_loader/efi_setup.c
+@@ -157,12 +157,20 @@ static int efi_corstone1000_uboot_efi_started_event(void)
+ }
+
+ /*
+- * setting the kernel started event arguments:
++ * setting the kernel started event arguments in register w3::
+ * setting capsule update interface ID(31:16)
+ * the kernel started event ID(15:0)
+ */
+- msg.data1 = PREP_SEPROXY_SVC_ID(CORSTONE1000_SEPROXY_UPDATE_SVC_ID) |
+- PREP_SEPROXY_EVT(CORSTONE1000_UBOOT_EFI_STARTED_EVT); /* w4 */
++ msg.data0 = PREP_SEPROXY_SVC_ID(CORSTONE1000_SEPROXY_UPDATE_SVC_ID) |
++ PREP_SEPROXY_EVT(CORSTONE1000_UBOOT_EFI_STARTED_EVT); /* w3 */
++
++ /*
++ * setting the memory handle fields to
++ * FFA_MEM_HANDLE_INVALID (0xFFFF_FFFF_FFFF_FFFF)
++ * to signal that there is no shared memory used
++ */
++ msg.data1 = 0xFFFFFFFF; /* w4 */
++ msg.data2 = 0xFFFFFFFF; /* w5 */
+
+ return ffa_sync_send_receive(dev, CORSTONE1000_SEPROXY_PART_ID, &msg, 0);
+ }
+--
+2.25.1
+
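Review bot: The literal `0xFFFFFFFF` is written four times across `efi_capsule.c` and `efi_setup.c` to mean the invalid FF-A memory handle, while the comment above it names the value `FFA_MEM_HANDLE_INVALID`; if U-Boot's FF-A headers already define a macro of that name, use it, otherwise define one next to `PREP_SEPROXY_EVT` in `corstone1000.h`, so that `msg.data1 = (u32)FFA_MEM_HANDLE_INVALID; /* w4 */` and the `w5` half cannot drift apart. The new comment in `efi_setup.c` has a stray double colon, `in register w3::`, which should read `in register w3:`. Because this changes the register layout of the RPC, a U-Boot with this patch paired with a secure side that still reads the event from `w4` would misinterpret every message, so the commit body should name the Trusted Services/TF-M revision this ABI pairs with. Both `efi_corstone1000_buffer_ready_event` and `efi_corstone1000_uboot_efi_started_event` begin outside their hunks.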
diff --git a/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot/corstone1000/0046-Corstone1000-Change-MMCOMM-buffer-location.patch b/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot/corstone1000/0046-Corstone1000-Change-MMCOMM-buffer-location.patch
new file mode 100644
index 0000000000..500db81e6a
--- /dev/null
+++ b/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot/corstone1000/0046-Corstone1000-Change-MMCOMM-buffer-location.patch
@@ -0,0 +1,47 @@
+From 7721d33dfc87b40db72cefa399c46b25b1255247 Mon Sep 17 00:00:00 2001
+From: Emekcan Aras <emekcan.aras@arm.com>
+Date: Wed, 3 Apr 2024 14:02:42 +0100
+Subject: [PATCH] Corstone1000: Change MMCOMM buffer location
+
+MM Communicate buffer is accessed by normal world but at the moment
+it's allocated in the secure ram. This moves mm communicate buffer
+to the DDR and also fixes the capsule buffer size since it cannot be
+more than the bank size.
+
+Signed-off-by: Emekcan Aras <emekcan.aras@arm.com>
+Upstream-Status: Pending [Not submitted to upstream yet]
+---
+ configs/corstone1000_defconfig | 2 +-
+ include/configs/corstone1000.h | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/configs/corstone1000_defconfig b/configs/corstone1000_defconfig
+index 8770b474e2..ae164be030 100644
+--- a/configs/corstone1000_defconfig
++++ b/configs/corstone1000_defconfig
+@@ -62,7 +62,7 @@ CONFIG_NVMXIP_QSPI=y
+ CONFIG_EFI_MM_COMM_TEE=y
+ CONFIG_FFA_SHARED_MM_BUF_SIZE=4096
+ CONFIG_FFA_SHARED_MM_BUF_OFFSET=0
+-CONFIG_FFA_SHARED_MM_BUF_ADDR=0x02000000
++CONFIG_FFA_SHARED_MM_BUF_ADDR=0x81FFF000
+ CONFIG_EFI_RUNTIME_UPDATE_CAPSULE=y
+ CONFIG_EFI_CAPSULE_FIRMWARE_FIT=y
+ CONFIG_FWU_NUM_IMAGES_PER_BANK=4
+diff --git a/include/configs/corstone1000.h b/include/configs/corstone1000.h
+index 8622565a87..fe5b064c85 100644
+--- a/include/configs/corstone1000.h
++++ b/include/configs/corstone1000.h
+@@ -31,7 +31,7 @@
+ #define PREP_SEPROXY_EVT(x) (FIELD_PREP(PREP_SEPROXY_EVT_MASK, (x)))
+
+ /* Size in 4KB pages of the EFI capsule buffer */
+-#define CORSTONE1000_CAPSULE_BUFFER_SIZE (8192) /* 32 MB */
++#define CORSTONE1000_CAPSULE_BUFFER_SIZE (4096) /* 16 MB */
+
+ /* Capsule GUID */
+ #define EFI_CORSTONE1000_CAPSULE_ID_GUID \
+--
+2.25.1
+
+
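Review bot: `CONFIG_FFA_SHARED_MM_BUF_ADDR=0x81FFF000` moves the MM communicate buffer into normal-world DDR, but nothing in the patch shows that this 4 KiB page (`CONFIG_FFA_SHARED_MM_BUF_SIZE=4096`) is carved out of the memory U-Boot and the OS may allocate, so a stray allocation could overwrite a buffer that carries secure-variable requests and responses. The commit body should say where the address comes from (the platform memory map or a reserved-memory node), and a comment next to the option, `# MM comm buffer: last 4 KiB below 0x82000000, must stay reserved in the memory map`, or a reserved-memory entry if none exists, would keep it that way. The `CORSTONE1000_CAPSULE_BUFFER_SIZE` reduction is justified in the message by the bank size, yet no constant relates the two, so a comment naming the bank size the 16 MB was derived from would make the next adjustment safer.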
diff --git a/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot/corstone1000/0047-corstone1000-dts-add-external-system-node.patch b/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot/corstone1000/0047-corstone1000-dts-add-external-system-node.patch
new file mode 100644
index 0000000000..1c87300146
--- /dev/null
+++ b/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot/corstone1000/0047-corstone1000-dts-add-external-system-node.patch
@@ -0,0 +1,34 @@
+From 03df80671f1f2102b04baa810b59ffb6edaece0b Mon Sep 17 00:00:00 2001
+From: Abdellatif El Khlifi <abdellatif.elkhlifi@arm.com>
+Date: Mon, 18 Mar 2024 17:00:56 +0000
+Subject: [PATCH] corstone1000: dts: add external system node
+
+add the external system node
+
+Signed-off-by: Abdellatif El Khlifi <abdellatif.elkhlifi@arm.com>
+Upstream-Status: Pending [Not submitted to upstream yet]
+---
+ arch/arm/dts/corstone1000.dtsi | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/arch/arm/dts/corstone1000.dtsi b/arch/arm/dts/corstone1000.dtsi
+index 077673dd44..5cc4c26bac 100644
+--- a/arch/arm/dts/corstone1000.dtsi
++++ b/arch/arm/dts/corstone1000.dtsi
+@@ -122,6 +122,13 @@
+ interrupt-parent = <&gic>;
+ ranges;
+
++ extsys0: remoteproc@1a010310 {
++ compatible = "arm,corstone1000-extsys";
++ reg = <0x1a010310 0x4>, <0x1a010314 0x4>;
++ reg-names = "reset-control", "reset-status";
++ firmware-name = "es_flashfw.elf";
++ };
++
+ timer@1a220000 {
+ compatible = "arm,armv7-timer-mem";
+ reg = <0x1a220000 0x1000>;
+--
+2.25.1
+
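Review bot: The body of the embedded patch only repeats its subject (`add the external system node`), so it does not say what the node is for, which driver binds to `arm,corstone1000-extsys`, or why U-Boot needs it (presumably so it reaches the OS, since this series also adds a Linux remoteproc driver for the External System). A body such as `Describe the Corstone-1000 External System (Cortex-M3) reset control and reset status registers so that a remoteproc driver can start and stop it; firmware-name names the image to load from the firmware search path.` would give reviewers that context. The `reg-names` values `reset-control`/`reset-status` and the `firmware-name` string are a binding contract, so pointing at the binding document in the message would let someone verify them.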
diff --git a/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot/corstone1000/0048-corstone1000-Enable-UEFI-Secure-boot.patch b/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot/corstone1000/0048-corstone1000-Enable-UEFI-Secure-boot.patch
new file mode 100644
index 0000000000..1e91249aab
--- /dev/null
+++ b/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot/corstone1000/0048-corstone1000-Enable-UEFI-Secure-boot.patch
@@ -0,0 +1,28 @@
+From b2ef7318686d13cfa2ac76d6f2d69c17135328df Mon Sep 17 00:00:00 2001
+From: Harsimran Singh Tungal <harsimransingh.tungal@arm.com>
+Date: Thu, 11 Apr 2024 13:35:54 +0000
+Subject: [PATCH] corstone1000: Enable UEFI Secure boot
+
+Enable secure boot and related configurations for corstone1000
+
+Upstream-Status: Pending [Not submitted to upstream yet]
+Signed-off-by: Harsimran Singh Tungal <harsimransingh.tungal@arm.com>
+---
+ configs/corstone1000_defconfig | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/configs/corstone1000_defconfig b/configs/corstone1000_defconfig
+index 8770b474e2..0ecba096d5 100644
+--- a/configs/corstone1000_defconfig
++++ b/configs/corstone1000_defconfig
+@@ -80,3 +80,7 @@ CONFIG_EFI_SET_TIME=y
+ CONFIG_EFI_GET_TIME=y
+ CONFIG_VIRTIO_NET=y
+ CONFIG_VIRTIO_MMIO=y
++CONFIG_EFI_SECURE_BOOT=y
++CONFIG_FIT_SIGNATURE=y
++CONFIG_EFI_LOADER=y
++CONFIG_CMD_NVEDIT_EFI=y
+--
+2.34.1
+
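Review bot: Enabling `CONFIG_EFI_SECURE_BOOT=y` only enforces image verification once the platform key and signature databases are enrolled, and the commit body says nothing about how PK/KEK/db are provisioned on Corstone-1000 or that they live in TF-M protected storage, which the EFI-variable buffer increases elsewhere in this series appear to serve. Add a sentence to the body along the lines of `Secure boot variables are provisioned via <mechanism> and stored in the TF-M Protected Storage; until a PK is enrolled the firmware remains in setup mode and does not reject unsigned images.`, filling in the actual mechanism. `CONFIG_EFI_LOADER=y` looks redundant given the `CONFIG_EFI_*` options already present in the defconfig, and this patch records the same pre-image blob `8770b474e2` for `configs/corstone1000_defconfig` as 0046, so it was generated against the unpatched file rather than on top of 0046; the two touch different hunks so they should still apply, but regenerating them in sequence keeps the index lines consistent.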
diff --git a/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot/tick.patch b/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot/tick.patch
new file mode 100644
index 0000000000..88c9b0568b
--- /dev/null
+++ b/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot/tick.patch
@@ -0,0 +1,188 @@
+From 1023728e7925443032fc7f7733c12ed37142523d Mon Sep 17 00:00:00 2001
+From: Peter Hoyes <Peter.Hoyes@arm.com>
+Date: Tue, 23 Apr 2024 09:10:04 +0100
+Subject: [PATCH 1/2] arm: Move sev() and wfe() definitions to common Arm
+ header file
+
+The sev() and wfe() asm macros are currently defined only for
+mach-exynos. As these are common Arm instructions, move them to the
+common asm/system.h header file, for both Armv7 and Armv8, so they
+can be used by other machines.
+
+wfe may theoretically trigger a context switch if an interrupt occurs
+so add a memory barrier to this call.
+
+Signed-off-by: Peter Hoyes <Peter.Hoyes@arm.com>
+
+Upstream-Status: Submitted [https://lore.kernel.org/u-boot/20240423081005.23218-1-peter.hoyes@arm.com/]
+Signed-off-by: Ross Burton <ross.burton@arm.com>
+---
+ arch/arm/include/asm/system.h | 9 +++++++++
+ arch/arm/mach-exynos/include/mach/system.h | 19 -------------------
+ 2 files changed, 9 insertions(+), 19 deletions(-)
+
+diff --git a/arch/arm/include/asm/system.h b/arch/arm/include/asm/system.h
+index 43f7503571..51123c2968 100644
+--- a/arch/arm/include/asm/system.h
++++ b/arch/arm/include/asm/system.h
+@@ -154,6 +154,13 @@ enum dcache_option {
+ "wfi" : : : "memory"); \
+ })
+
++#define wfe() \
++ ({asm volatile( \
++ "wfe" : : : "memory"); \
++ })
++
++#define sev() asm volatile("sev")
++
+ static inline unsigned int current_el(void)
+ {
+ unsigned long el;
+@@ -369,6 +376,8 @@ void switch_to_hypervisor_ret(void);
+
+ #ifdef __ARM_ARCH_7A__
+ #define wfi() __asm__ __volatile__ ("wfi" : : : "memory")
++#define wfe() __asm__ __volatile__ ("wfe" : : : "memory")
++#define sev() __asm__ __volatile__ ("sev")
+ #else
+ #define wfi()
+ #endif
+diff --git a/arch/arm/mach-exynos/include/mach/system.h b/arch/arm/mach-exynos/include/mach/system.h
+index 5d0bebac57..0aed4c3e2b 100644
+--- a/arch/arm/mach-exynos/include/mach/system.h
++++ b/arch/arm/mach-exynos/include/mach/system.h
+@@ -36,25 +36,6 @@ struct exynos5_sysreg {
+
+ #define USB20_PHY_CFG_HOST_LINK_EN (1 << 0)
+
+-/*
+- * This instruction causes an event to be signaled to all cores
+- * within a multiprocessor system. If SEV is implemented,
+- * WFE must also be implemented.
+- */
+-#define sev() __asm__ __volatile__ ("sev\n\t" : : );
+-/*
+- * If the Event Register is not set, WFE suspends execution until
+- * one of the following events occurs:
+- * - an IRQ interrupt, unless masked by the CPSR I-bit
+- * - an FIQ interrupt, unless masked by the CPSR F-bit
+- * - an Imprecise Data abort, unless masked by the CPSR A-bit
+- * - a Debug Entry request, if Debug is enabled
+- * - an Event signaled by another processor using the SEV instruction.
+- * If the Event Register is set, WFE clears it and returns immediately.
+- * If WFE is implemented, SEV must also be implemented.
+- */
+-#define wfe() __asm__ __volatile__ ("wfe\n\t" : : );
+-
+ /* Move 0xd3 value to CPSR register to enable SVC mode */
+ #define svc32_mode_en() __asm__ __volatile__ \
+ ("@ I&F disable, Mode: 0x13 - SVC\n\t" \
+--
+2.34.1
+
+
+From d96e7f07f6863e24d360924aea4eb0460d706e89 Mon Sep 17 00:00:00 2001
+From: Peter Hoyes <Peter.Hoyes@arm.com>
+Date: Tue, 23 Apr 2024 09:10:05 +0100
+Subject: [PATCH 2/2] armv8: generic_timer: Use event stream for udelay
+
+Polling cntpct_el0 in a tight loop for delays is inefficient.
+This is particularly apparent on Arm FVPs, which do not simulate
+real time, meaning that a 1s sleep can take a couple of orders
+of magnitude longer to execute in wall time.
+
+If running at EL2 or above (where CNTHCTL_EL2 is available), enable
+the cntpct_el0 event stream temporarily and use wfe to implement
+the delay more efficiently. The event period is chosen as a
+trade-off between efficiency and the fact that Arm FVPs do not
+typically simulate real time.
+
+This is only implemented for Armv8 boards, where an architectural
+timer exists.
+
+Some mach-socfpga AArch64 boards already override __udelay to make
+it always inline, so guard the functionality with a new
+ARMV8_UDELAY_EVENT_STREAM Kconfig, enabled by default.
+
+Signed-off-by: Peter Hoyes <Peter.Hoyes@arm.com>
+---
+ arch/arm/cpu/armv8/Kconfig | 8 ++++++++
+ arch/arm/cpu/armv8/generic_timer.c | 27 +++++++++++++++++++++++++++
+ arch/arm/include/asm/system.h | 6 ++++--
+ 3 files changed, 39 insertions(+), 2 deletions(-)
+
+diff --git a/arch/arm/cpu/armv8/Kconfig b/arch/arm/cpu/armv8/Kconfig
+index 9f0fb369f7..544c5e2d74 100644
+--- a/arch/arm/cpu/armv8/Kconfig
++++ b/arch/arm/cpu/armv8/Kconfig
+@@ -191,6 +191,14 @@ config ARMV8_EA_EL3_FIRST
+ Exception handling at all exception levels for External Abort and
+ SError interrupt exception are taken in EL3.
+
++config ARMV8_UDELAY_EVENT_STREAM
++ bool "Use the event stream for udelay"
++ default y if !ARCH_SOCFPGA
++ help
++ Use the event stream provided by the AArch64 architectural timer for
++ delays. This is more efficient than the default polling
++ implementation.
++
+ menuconfig ARMV8_CRYPTO
+ bool "ARM64 Accelerated Cryptographic Algorithms"
+
+diff --git a/arch/arm/cpu/armv8/generic_timer.c b/arch/arm/cpu/armv8/generic_timer.c
+index 8f83372cbc..e18b5c8187 100644
+--- a/arch/arm/cpu/armv8/generic_timer.c
++++ b/arch/arm/cpu/armv8/generic_timer.c
+@@ -115,3 +115,30 @@ ulong timer_get_boot_us(void)
+
+ return val / get_tbclk();
+ }
++
++#if CONFIG_IS_ENABLED(ARMV8_UDELAY_EVENT_STREAM)
++void __udelay(unsigned long usec)
++{
++ u64 target = get_ticks() + usec_to_tick(usec);
++
++ /* At EL2 or above, use the event stream to avoid polling CNTPCT_EL0 so often */
++ if (current_el() >= 2) {
++ u32 cnthctl_val;
++ const u8 event_period = 0x7;
++
++ asm volatile("mrs %0, cnthctl_el2" : "=r" (cnthctl_val));
++ asm volatile("msr cnthctl_el2, %0" : : "r"
++ (cnthctl_val | CNTHCTL_EL2_EVNT_EN | CNTHCTL_EL2_EVNT_I(event_period)));
++
++ while (get_ticks() + (1ULL << event_period) <= target)
++ wfe();
++
++ /* Reset the event stream */
++ asm volatile("msr cnthctl_el2, %0" : : "r" (cnthctl_val));
++ }
++
++ /* Fall back to polling CNTPCT_EL0 */
++ while (get_ticks() <= target)
++ ;
++}
++#endif
+diff --git a/arch/arm/include/asm/system.h b/arch/arm/include/asm/system.h
+index 51123c2968..7e30cac32a 100644
+--- a/arch/arm/include/asm/system.h
++++ b/arch/arm/include/asm/system.h
+@@ -69,8 +69,10 @@
+ /*
+ * CNTHCTL_EL2 bits definitions
+ */
+-#define CNTHCTL_EL2_EL1PCEN_EN (1 << 1) /* Physical timer regs accessible */
+-#define CNTHCTL_EL2_EL1PCTEN_EN (1 << 0) /* Physical counter accessible */
++#define CNTHCTL_EL2_EVNT_EN BIT(2) /* Enable the event stream */
++#define CNTHCTL_EL2_EVNT_I(val) ((val) << 4) /* Event stream trigger bits */
++#define CNTHCTL_EL2_EL1PCEN_EN (1 << 1) /* Physical timer regs accessible */
++#define CNTHCTL_EL2_EL1PCTEN_EN (1 << 0) /* Physical counter accessible */
+
+ /*
+ * HCR_EL2 bits definitions
+--
+2.34.1
+
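Review bot: In `__udelay`, the event-stream period is OR-ed into `cnthctl_el2` (`cnthctl_val | CNTHCTL_EL2_EVNT_EN | CNTHCTL_EL2_EVNT_I(event_period)`) without first clearing the EVNTI field, so if earlier firmware left a non-zero value there the effective period is the bitwise union rather than `0x7`; mask it first, e.g. `(cnthctl_val & ~CNTHCTL_EL2_EVNT_I(0xf)) | CNTHCTL_EL2_EVNT_EN | CNTHCTL_EL2_EVNT_I(event_period)`. A system-register write is not generally guaranteed to be visible before a context synchronisation event, so it is worth checking whether an `isb` is needed after each `msr cnthctl_el2`, the restoring one in particular, since the function otherwise returns with the stream possibly still enabled. The second embedded commit (`[PATCH 2/2] armv8: generic_timer: Use event stream for udelay`) has no `Upstream-Status:` trailer, unlike the first; add `Upstream-Status: Submitted [<link to the series>]` so the layer's patch policy is met.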
diff --git a/meta-arm/meta-arm-bsp/recipes-bsp/uefi/edk2-firmware-sbsa-ref.inc b/meta-arm/meta-arm-bsp/recipes-bsp/uefi/edk2-firmware-sbsa-ref.inc
new file mode 100644
index 0000000000..450f6af27c
--- /dev/null
+++ b/meta-arm/meta-arm-bsp/recipes-bsp/uefi/edk2-firmware-sbsa-ref.inc
@@ -0,0 +1,19 @@
+COMPATIBLE_MACHINE:sbsa-ref = "sbsa-ref"
+
+DEPENDS:append:sbsa-ref = " trusted-firmware-a coreutils-native"
+
+EDK2_PLATFORM:sbsa-ref = "SbsaQemu"
+EDK2_PLATFORM_DSC:sbsa-ref = "Platform/Qemu/SbsaQemu/SbsaQemu.dsc"
+EDK2_BIN_NAME:sbsa-ref = "SBSA_FLASH0.fd"
+
+do_compile:prepend:sbsa-ref() {
+ mkdir -p ${B}/Platform/Qemu/Sbsa/
+ cp ${RECIPE_SYSROOT}/firmware/bl1.bin ${B}/Platform/Qemu/Sbsa/
+ cp ${RECIPE_SYSROOT}/firmware/fip.bin ${B}/Platform/Qemu/Sbsa/
+}
+
+do_install:append:sbsa-ref() {
+ install ${B}/Build/${EDK2_PLATFORM}/${EDK2_BUILD_MODE}_${EDK_COMPILER}/FV/SBSA_FLASH*.fd ${D}/firmware/
+ # QEMU requires that the images be minimum of 256M in size
+ truncate -s 256M ${D}/firmware/SBSA_FLASH*.fd
+}
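Review bot: `truncate -s 256M` sets the file to exactly 256 MiB, so an image that is already larger would be cut short rather than padded, silently corrupting the flash image; with GNU coreutils (which the recipe pulls in via `coreutils-native`) use the extend-only form, `truncate -s '>256M' ${D}/firmware/SBSA_FLASH*.fd`, which only grows files smaller than the target. The comment above it could then read `# QEMU requires the flash images to be at least 256M; pad (never shrink) to that size`. The `install` call has no `-m` mode, so the installed `.fd` files get install's default permissions; if the base recipe installs its firmware with an explicit mode, matching it here keeps the package consistent.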
diff --git a/meta-arm/meta-arm-bsp/recipes-bsp/uefi/edk2-firmware_%.bbappend b/meta-arm/meta-arm-bsp/recipes-bsp/uefi/edk2-firmware_%.bbappend
index e5018bb00b..cba4846072 100644
--- a/meta-arm/meta-arm-bsp/recipes-bsp/uefi/edk2-firmware_%.bbappend
+++ b/meta-arm/meta-arm-bsp/recipes-bsp/uefi/edk2-firmware_%.bbappend
@@ -4,6 +4,7 @@ MACHINE_EDK2_REQUIRE ?= ""
MACHINE_EDK2_REQUIRE:fvp-base = "edk2-firmware-fvp-base.inc"
MACHINE_EDK2_REQUIRE:juno = "edk2-firmware-juno.inc"
+MACHINE_EDK2_REQUIRE:sbsa-ref = "edk2-firmware-sbsa-ref.inc"
MACHINE_EDK2_REQUIRE:sgi575 = "edk2-firmware-sgi575.inc"
MACHINE_EDK2_REQUIRE:n1sdp = "edk2-firmware-n1sdp.inc"
diff --git a/meta-arm/meta-arm-bsp/recipes-kernel/linux/files/corstone1000/0001-remoteproc-Add-Arm-remoteproc-driver.patch b/meta-arm/meta-arm-bsp/recipes-kernel/linux/files/corstone1000/0001-remoteproc-Add-Arm-remoteproc-driver.patch
new file mode 100644
index 0000000000..50a6fb2bd8
--- /dev/null
+++ b/meta-arm/meta-arm-bsp/recipes-kernel/linux/files/corstone1000/0001-remoteproc-Add-Arm-remoteproc-driver.patch
@@ -0,0 +1,488 @@
+From f9881d01669cd98e6f897214f407dce8a245bdfe Mon Sep 17 00:00:00 2001
+From: Abdellatif El Khlifi <abdellatif.elkhlifi@arm.com>
+Date: Mon, 19 Feb 2024 16:01:28 +0000
+Subject: [PATCH 1/6] remoteproc: Add Arm remoteproc driver
+
+introduce remoteproc support for Arm remote processors
+
+The supported remote processors are those that come with a reset
+control register and a reset status register. The driver allows to
+switch on or off the remote processor.
+
+The current use case is Corstone-1000 External System (Cortex-M3).
+
+The driver can be extended to support other remote processors
+controlled with a reset control and a reset status registers.
+
+The driver also supports control of multiple remote processors at the
+same time.
+
+Signed-off-by: Abdellatif El Khlifi <abdellatif.elkhlifi@arm.com>
+Upstream-Status: Submitted [cover letter: https://lore.kernel.org/all/20240301164227.339208-1-abdellatif.elkhlifi@arm.com/]
+---
+ MAINTAINERS | 6 +
+ drivers/remoteproc/Kconfig | 18 ++
+ drivers/remoteproc/Makefile | 1 +
+ drivers/remoteproc/arm_rproc.c | 395 +++++++++++++++++++++++++++++++++
+ 4 files changed, 420 insertions(+)
+ create mode 100644 drivers/remoteproc/arm_rproc.c
+
+diff --git a/MAINTAINERS b/MAINTAINERS
+index 8d1052fa6a69..54d6a40feea5 100644
+--- a/MAINTAINERS
++++ b/MAINTAINERS
+@@ -1764,6 +1764,12 @@ S: Maintained
+ F: Documentation/devicetree/bindings/interrupt-controller/arm,vic.yaml
+ F: drivers/irqchip/irq-vic.c
+
++ARM REMOTEPROC DRIVER
++M: Abdellatif El Khlifi <abdellatif.elkhlifi@arm.com>
++L: linux-remoteproc@vger.kernel.org
++S: Maintained
++F: drivers/remoteproc/arm_rproc.c
++
+ ARM SMC WATCHDOG DRIVER
+ M: Julius Werner <jwerner@chromium.org>
+ R: Evan Benn <evanbenn@chromium.org>
+diff --git a/drivers/remoteproc/Kconfig b/drivers/remoteproc/Kconfig
+index 48845dc8fa85..57fbac454a5d 100644
+--- a/drivers/remoteproc/Kconfig
++++ b/drivers/remoteproc/Kconfig
+@@ -365,6 +365,24 @@ config XLNX_R5_REMOTEPROC
+
+ It's safe to say N if not interested in using RPU r5f cores.
+
++config ARM_REMOTEPROC
++ tristate "Arm remoteproc support"
++ depends on HAS_IOMEM && ARM64
++ default n
++ help
++ Say y here to support Arm remote processors via the remote
++ processor framework.
++
++ The supported processors are those that come with a reset control register
++ and a reset status register. The design can be extended to support different
++ processors meeting these requirements.
++ The driver also supports control of multiple remote cores at the same time.
++
++ Supported remote cores:
++ Corstone-1000 External System (Cortex-M3)
++
++ It's safe to say N here.
++
+ endif # REMOTEPROC
+
+ endmenu
+diff --git a/drivers/remoteproc/Makefile b/drivers/remoteproc/Makefile
+index 91314a9b43ce..73126310835b 100644
+--- a/drivers/remoteproc/Makefile
++++ b/drivers/remoteproc/Makefile
+@@ -39,3 +39,4 @@ obj-$(CONFIG_STM32_RPROC) += stm32_rproc.o
+ obj-$(CONFIG_TI_K3_DSP_REMOTEPROC) += ti_k3_dsp_remoteproc.o
+ obj-$(CONFIG_TI_K3_R5_REMOTEPROC) += ti_k3_r5_remoteproc.o
+ obj-$(CONFIG_XLNX_R5_REMOTEPROC) += xlnx_r5_remoteproc.o
++obj-$(CONFIG_ARM_REMOTEPROC) += arm_rproc.o
+diff --git a/drivers/remoteproc/arm_rproc.c b/drivers/remoteproc/arm_rproc.c
+new file mode 100644
+index 000000000000..6afa78ae7ad3
+--- /dev/null
++++ b/drivers/remoteproc/arm_rproc.c
+@@ -0,0 +1,395 @@
++// SPDX-License-Identifier: GPL-2.0-only
++/*
++ * Copyright 2024 Arm Limited and/or its affiliates <open-source-office@arm.com>
++ *
++ * Authors:
++ * Abdellatif El Khlifi <abdellatif.elkhlifi@arm.com>
++ */
++
++#include <linux/delay.h>
++#include <linux/err.h>
++#include <linux/firmware.h>
++#include <linux/kernel.h>
++#include <linux/module.h>
++#include <linux/of.h>
++#include <linux/platform_device.h>
++#include <linux/remoteproc.h>
++
++#include "remoteproc_internal.h"
++
++/**
++ * struct arm_rproc_reset_cfg - remote processor reset configuration
++ * @ctrl_reg: address of the control register
++ * @state_reg: address of the reset status register
++ */
++struct arm_rproc_reset_cfg {
++ void __iomem *ctrl_reg;
++ void __iomem *state_reg;
++};
++
++struct arm_rproc;
++
++/**
++ * struct arm_rproc_dcfg - Arm remote processor configuration
++ * @stop: stop callback function
++ * @start: start callback function
++ */
++struct arm_rproc_dcfg {
++ int (*stop)(struct rproc *rproc);
++ int (*start)(struct rproc *rproc);
++};
++
++/**
++ * struct arm_rproc - Arm remote processor instance
++ * @rproc: rproc handler
++ * @core_dcfg: device configuration pointer
++ * @reset_cfg: reset configuration registers
++ */
++struct arm_rproc {
++ struct rproc *rproc;
++ const struct arm_rproc_dcfg *core_dcfg;
++ struct arm_rproc_reset_cfg reset_cfg;
++};
++
++/* Definitions for Arm Corstone-1000 External System */
++
++#define EXTSYS_RST_CTRL_CPUWAIT BIT(0)
++#define EXTSYS_RST_CTRL_RST_REQ BIT(1)
++
++#define EXTSYS_RST_ACK_MASK GENMASK(2, 1)
++#define EXTSYS_RST_ST_RST_ACK(x) \
++ ((u8)(FIELD_GET(EXTSYS_RST_ACK_MASK, (x))))
++
++#define EXTSYS_RST_ACK_NO_RESET_REQ (0x0)
++#define EXTSYS_RST_ACK_NOT_COMPLETE (0x1)
++#define EXTSYS_RST_ACK_COMPLETE (0x2)
++#define EXTSYS_RST_ACK_RESERVED (0x3)
++
++#define EXTSYS_RST_ACK_POLL_TRIES (3)
++#define EXTSYS_RST_ACK_POLL_TIMEOUT (1000)
++
++/**
++ * arm_rproc_start_cs1000_extsys() - custom start function
++ * @rproc: pointer to the remote processor object
++ *
++ * Start function for Corstone-1000 External System.
++ * Allow the External System core start execute instructions.
++ *
++ * Return:
++ *
++ * 0 on success. Otherwise, failure
++ */
++static int arm_rproc_start_cs1000_extsys(struct rproc *rproc)
++{
++ struct arm_rproc *priv = rproc->priv;
++ u32 ctrl_reg;
++
++ /* CPUWAIT signal of the External System is de-asserted */
++ ctrl_reg = readl(priv->reset_cfg.ctrl_reg);
++ ctrl_reg &= ~EXTSYS_RST_CTRL_CPUWAIT;
++ writel(ctrl_reg, priv->reset_cfg.ctrl_reg);
++
++ return 0;
++}
++
++/**
++ * arm_rproc_cs1000_extsys_poll_rst_ack() - poll RST_ACK bits
++ * @rproc: pointer to the remote processor object
++ * @exp_ack: expected bits value
++ * @rst_ack: bits value read
++ *
++ * Tries to read RST_ACK bits until the timeout expires.
++ * EXTSYS_RST_ACK_POLL_TRIES tries are made,
++ * every EXTSYS_RST_ACK_POLL_TIMEOUT milliseconds.
++ *
++ * Return:
++ *
++ * 0 on success. Otherwise, failure
++ */
++static int arm_rproc_cs1000_extsys_poll_rst_ack(struct rproc *rproc,
++ u8 exp_ack, u8 *rst_ack)
++{
++ struct arm_rproc *priv = rproc->priv;
++ struct device *dev = rproc->dev.parent;
++ u32 state_reg;
++ int tries = EXTSYS_RST_ACK_POLL_TRIES;
++ unsigned long timeout;
++
++ do {
++ state_reg = readl(priv->reset_cfg.state_reg);
++ *rst_ack = EXTSYS_RST_ST_RST_ACK(state_reg);
++
++ if (*rst_ack == EXTSYS_RST_ACK_RESERVED) {
++ dev_err(dev, "unexpected RST_ACK value: 0x%x\n",
++ *rst_ack);
++ return -EINVAL;
++ }
++
++ /* expected ACK value read */
++ if ((*rst_ack & exp_ack) || (*rst_ack == exp_ack))
++ return 0;
++
++ timeout = msleep_interruptible(EXTSYS_RST_ACK_POLL_TIMEOUT);
++
++ if (timeout) {
++ dev_err(dev, "polling RST_ACK aborted\n");
++ return -ECONNABORTED;
++ }
++ } while (--tries);
++
++ dev_err(dev, "polling RST_ACK timed out\n");
++
++ return -ETIMEDOUT;
++}
++
++/**
++ * arm_rproc_stop_cs1000_extsys() - custom stop function
++ * @rproc: pointer to the remote processor object
++ *
++ * Reset all logic within the External System, the core will be in a halt state.
++ *
++ * Return:
++ *
++ * 0 on success. Otherwise, failure
++ */
++static int arm_rproc_stop_cs1000_extsys(struct rproc *rproc)
++{
++ struct arm_rproc *priv = rproc->priv;
++ struct device *dev = rproc->dev.parent;
++ u32 ctrl_reg;
++ u8 rst_ack, req_status;
++ int ret;
++
++ ctrl_reg = readl(priv->reset_cfg.ctrl_reg);
++ ctrl_reg |= EXTSYS_RST_CTRL_RST_REQ;
++ writel(ctrl_reg, priv->reset_cfg.ctrl_reg);
++
++ ret = arm_rproc_cs1000_extsys_poll_rst_ack(rproc,
++ EXTSYS_RST_ACK_COMPLETE |
++ EXTSYS_RST_ACK_NOT_COMPLETE,
++ &rst_ack);
++ if (ret)
++ return ret;
++
++ req_status = rst_ack;
++
++ ctrl_reg = readl(priv->reset_cfg.ctrl_reg);
++ ctrl_reg &= ~EXTSYS_RST_CTRL_RST_REQ;
++ writel(ctrl_reg, priv->reset_cfg.ctrl_reg);
++
++ ret = arm_rproc_cs1000_extsys_poll_rst_ack(rproc, 0, &rst_ack);
++ if (ret)
++ return ret;
++
++ if (req_status == EXTSYS_RST_ACK_COMPLETE) {
++ dev_dbg(dev, "the requested reset has been accepted\n");
++ return 0;
++ }
++
++ dev_err(dev, "the requested reset has been denied\n");
++ return -EACCES;
++}
++
++static const struct arm_rproc_dcfg arm_rproc_cfg_corstone1000_extsys = {
++ .stop = arm_rproc_stop_cs1000_extsys,
++ .start = arm_rproc_start_cs1000_extsys,
++};
++
++/**
++ * arm_rproc_stop() - Stop function for rproc_ops
++ * @rproc: pointer to the remote processor object
++ *
++ * Calls the stop() callback of the remote core
++ *
++ * Return:
++ *
++ * 0 on success. Otherwise, failure
++ */
++static int arm_rproc_stop(struct rproc *rproc)
++{
++ struct arm_rproc *priv = rproc->priv;
++
++ return priv->core_dcfg->stop(rproc);
++}
++
++/**
++ * arm_rproc_start() - Start function for rproc_ops
++ * @rproc: pointer to the remote processor object
++ *
++ * Calls the start() callback of the remote core
++ *
++ * Return:
++ *
++ * 0 on success. Otherwise, failure
++ */
++static int arm_rproc_start(struct rproc *rproc)
++{
++ struct arm_rproc *priv = rproc->priv;
++
++ return priv->core_dcfg->start(rproc);
++}
++
++/**
++ * arm_rproc_parse_fw() - Parse firmware function for rproc_ops
++ * @rproc: pointer to the remote processor object
++ * @fw: pointer to the firmware
++ *
++ * Does nothing currently.
++ *
++ * Return:
++ *
++ * 0 for success.
++ */
++static int arm_rproc_parse_fw(struct rproc *rproc, const struct firmware *fw)
++{
++ return 0;
++}
++
++/**
++ * arm_rproc_load() - Load firmware to memory function for rproc_ops
++ * @rproc: pointer to the remote processor object
++ * @fw: pointer to the firmware
++ *
++ * Does nothing currently.
++ *
++ * Return:
++ *
++ * 0 for success.
++ */
++static int arm_rproc_load(struct rproc *rproc, const struct firmware *fw)
++{
++ return 0;
++}
++
++static const struct rproc_ops arm_rproc_ops = {
++ .start = arm_rproc_start,
++ .stop = arm_rproc_stop,
++ .load = arm_rproc_load,
++ .parse_fw = arm_rproc_parse_fw,
++};
++
++/**
++ * arm_rproc_probe() - the platform device probe
++ * @pdev: the platform device
++ *
++ * Read from the device tree the properties needed to setup
++ * the reset and comms for the remote processor.
++ * Also, allocate a rproc device and register it with the remoteproc subsystem.
++ *
++ * Return:
++ *
++ * 0 on success. Otherwise, failure
++ */
++static int arm_rproc_probe(struct platform_device *pdev)
++{
++ const struct arm_rproc_dcfg *core_dcfg;
++ struct device *dev = &pdev->dev;
++ struct device_node *np = dev->of_node;
++ struct arm_rproc *priv;
++ struct rproc *rproc;
++ const char *fw_name;
++ int ret;
++ struct resource *res;
++
++ core_dcfg = of_device_get_match_data(dev);
++ if (!core_dcfg)
++ return -ENODEV;
++
++ ret = rproc_of_parse_firmware(dev, 0, &fw_name);
++ if (ret) {
++ dev_err(dev,
++ "can't parse firmware-name from device tree (%pe)\n",
++ ERR_PTR(ret));
++ return ret;
++ }
++
++ dev_dbg(dev, "firmware-name: %s\n", fw_name);
++
++ rproc = rproc_alloc(dev, np->name, &arm_rproc_ops, fw_name,
++ sizeof(*priv));
++ if (!rproc)
++ return -ENOMEM;
++
++ priv = rproc->priv;
++ priv->rproc = rproc;
++ priv->core_dcfg = core_dcfg;
++
++ res = platform_get_resource_byname(pdev,
++ IORESOURCE_MEM, "reset-control");
++ priv->reset_cfg.ctrl_reg = devm_ioremap_resource(&pdev->dev, res);
++ if (IS_ERR(priv->reset_cfg.ctrl_reg)) {
++ ret = PTR_ERR(priv->reset_cfg.ctrl_reg);
++ dev_err(dev,
++ "can't map the reset-control register (%pe)\n",
++ ERR_PTR((unsigned long)priv->reset_cfg.ctrl_reg));
++ goto err_free_rproc;
++ } else {
++ dev_dbg(dev, "reset-control: %p\n", priv->reset_cfg.ctrl_reg);
++ }
++
++ res = platform_get_resource_byname(pdev,
++ IORESOURCE_MEM, "reset-status");
++ priv->reset_cfg.state_reg = devm_ioremap_resource(&pdev->dev, res);
++ if (IS_ERR(priv->reset_cfg.state_reg)) {
++ ret = PTR_ERR(priv->reset_cfg.state_reg);
++ dev_err(dev,
++ "can't map the reset-status register (%pe)\n",
++ ERR_PTR((unsigned long)priv->reset_cfg.state_reg));
++ goto err_free_rproc;
++ } else {
++ dev_dbg(dev, "reset-status: %p\n",
++ priv->reset_cfg.state_reg);
++ }
++
++ platform_set_drvdata(pdev, rproc);
++
++ ret = rproc_add(rproc);
++ if (ret) {
++ dev_err(dev, "can't add remote processor (%pe)\n",
++ ERR_PTR(ret));
++ goto err_free_rproc;
++ } else {
++ dev_dbg(dev, "remote processor added\n");
++ }
++
++ return 0;
++
++err_free_rproc:
++ rproc_free(rproc);
++
++ return ret;
++}
++
++/**
++ * arm_rproc_remove() - the platform device remove
++ * @pdev: the platform device
++ *
++ * Delete and free the resources used.
++ */
++static void arm_rproc_remove(struct platform_device *pdev)
++{
++ struct rproc *rproc = platform_get_drvdata(pdev);
++
++ rproc_del(rproc);
++ rproc_free(rproc);
++}
++
++static const struct of_device_id arm_rproc_of_match[] = {
++ { .compatible = "arm,corstone1000-extsys", .data = &arm_rproc_cfg_corstone1000_extsys },
++ {},
++};
++MODULE_DEVICE_TABLE(of, arm_rproc_of_match);
++
++static struct platform_driver arm_rproc_driver = {
++ .probe = arm_rproc_probe,
++ .remove_new = arm_rproc_remove,
++ .driver = {
++ .name = "arm-rproc",
++ .of_match_table = arm_rproc_of_match,
++ },
++};
++module_platform_driver(arm_rproc_driver);
++
++MODULE_LICENSE("GPL");
++MODULE_DESCRIPTION("Arm Remote Processor Control Driver");
++MODULE_AUTHOR("Abdellatif El Khlifi <abdellatif.elkhlifi@arm.com>");
+--
+2.25.1
+
diff --git a/meta-arm/meta-arm-bsp/recipes-kernel/linux/files/corstone1000/0002-arm64-dts-Add-corstone1000-external-system-device-no.patch b/meta-arm/meta-arm-bsp/recipes-kernel/linux/files/corstone1000/0002-arm64-dts-Add-corstone1000-external-system-device-no.patch
new file mode 100644
index 0000000000..5c1f3de4fb
--- /dev/null
+++ b/meta-arm/meta-arm-bsp/recipes-kernel/linux/files/corstone1000/0002-arm64-dts-Add-corstone1000-external-system-device-no.patch
@@ -0,0 +1,42 @@
+From 0122f194e4a6fb50750dadd08f2354e78d4dd79c Mon Sep 17 00:00:00 2001
+From: Abdellatif El Khlifi <abdellatif.elkhlifi@arm.com>
+Date: Mon, 19 Feb 2024 16:18:37 +0000
+Subject: [PATCH 2/6] arm64: dts: Add corstone1000 external system device node
+
+add device tree node for the external system core in Corstone-1000
+
+Signed-off-by: Abdellatif El Khlifi <abdellatif.elkhlifi@arm.com>
+Upstream-Status: Submitted [cover letter: https://lore.kernel.org/all/20240301164227.339208-1-abdellatif.elkhlifi@arm.com/]
+---
+ arch/arm64/boot/dts/arm/corstone1000.dtsi | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/arch/arm64/boot/dts/arm/corstone1000.dtsi b/arch/arm64/boot/dts/arm/corstone1000.dtsi
+index 6ad7829f9e28..67df642363e9 100644
+--- a/arch/arm64/boot/dts/arm/corstone1000.dtsi
++++ b/arch/arm64/boot/dts/arm/corstone1000.dtsi
+@@ -1,6 +1,6 @@
+ // SPDX-License-Identifier: GPL-2.0 OR MIT
+ /*
+- * Copyright (c) 2022, Arm Limited. All rights reserved.
++ * Copyright 2022, 2024, Arm Limited and/or its affiliates <open-source-office@arm.com>
+ * Copyright (c) 2022, Linaro Limited. All rights reserved.
+ *
+ */
+@@ -157,5 +157,13 @@ mhu_seh1: mailbox@1b830000 {
+ secure-status = "okay"; /* secure-world-only */
+ status = "disabled";
+ };
++
++ extsys0: remoteproc@1a010310 {
++ compatible = "arm,corstone1000-extsys";
++ reg = <0x1a010310 0x4>,
++ <0x1a010314 0X4>;
++ reg-names = "reset-control", "reset-status";
++ firmware-name = "es_flashfw.elf";
++ };
+ };
+ };
+--
+2.25.1
+
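Review bot: The second `reg` entry, `<0x1a010314 0X4>`, uses an uppercase `0X` while the entry before it and the binding example in `0003-dt-bindings-remoteproc-Add-Arm-remoteproc.patch` use lowercase; dtc accepts both, but `<0x1a010314 0x4>;` keeps the node consistent with the rest of the dtsi. The node's `firmware-name = "es_flashfw.elf"` also disagrees with the `es0_flashfw.elf` that the binding example gives for the very same `remoteproc@1a010310` node, so one of the two should be corrected, or the example should stop implying a real file name. The driver patch earlier in this diff implements `parse_fw` and `load` as no-ops, so this property appears to decide only which file the remoteproc core requests from the firmware search path, not what is placed in the external system's memory; if that reading is right, a `/* image is provisioned out of band; name is used for the firmware request only */` comment on the node would save the next reader the trip through the driver.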
diff --git a/meta-arm/meta-arm-bsp/recipes-kernel/linux/files/corstone1000/0003-dt-bindings-remoteproc-Add-Arm-remoteproc.patch b/meta-arm/meta-arm-bsp/recipes-kernel/linux/files/corstone1000/0003-dt-bindings-remoteproc-Add-Arm-remoteproc.patch
new file mode 100644
index 0000000000..3c7bb0ddb0
--- /dev/null
+++ b/meta-arm/meta-arm-bsp/recipes-kernel/linux/files/corstone1000/0003-dt-bindings-remoteproc-Add-Arm-remoteproc.patch
@@ -0,0 +1,105 @@
+From af50eca3e3b408f2f1f378c1d0c48fb6c3107c8c Mon Sep 17 00:00:00 2001
+From: Abdellatif El Khlifi <abdellatif.elkhlifi@arm.com>
+Date: Mon, 19 Feb 2024 20:47:26 +0000
+Subject: [PATCH 3/6] dt-bindings: remoteproc: Add Arm remoteproc
+
+introduce the bindings for Arm remoteproc support.
+
+Signed-off-by: Abdellatif El Khlifi <abdellatif.elkhlifi@arm.com>
+Upstream-Status: Submitted [cover letter: https://lore.kernel.org/all/20240301164227.339208-1-abdellatif.elkhlifi@arm.com/]
+---
+ .../bindings/remoteproc/arm,rproc.yaml | 69 +++++++++++++++++++
+ MAINTAINERS | 1 +
+ 2 files changed, 70 insertions(+)
+ create mode 100644 Documentation/devicetree/bindings/remoteproc/arm,rproc.yaml
+
+diff --git a/Documentation/devicetree/bindings/remoteproc/arm,rproc.yaml b/Documentation/devicetree/bindings/remoteproc/arm,rproc.yaml
+new file mode 100644
+index 000000000000..322197158059
+--- /dev/null
++++ b/Documentation/devicetree/bindings/remoteproc/arm,rproc.yaml
+@@ -0,0 +1,69 @@
++# SPDX-License-Identifier: (GPL-2.0 OR BSD-2-Clause)
++%YAML 1.2
++---
++$id: http://devicetree.org/schemas/remoteproc/arm,rproc.yaml#
++$schema: http://devicetree.org/meta-schemas/core.yaml#
++
++title: Arm Remoteproc Devices
++
++maintainers:
++ - Abdellatif El Khlifi <abdellatif.elkhlifi@arm.com>
++
++description: |
++ Some Arm heterogeneous System-On-Chips feature remote processors that can
++ be controlled with a reset control register and a reset status register to
++ start or stop the processor.
++
++ This document defines the bindings for these remote processors.
++
++properties:
++ compatible:
++ enum:
++ - arm,corstone1000-extsys
++
++ reg:
++ minItems: 2
++ maxItems: 2
++ description: |
++ Address and size in bytes of the reset control register
++ and the reset status register.
++ Expects the registers to be in the order as above.
++ Should contain an entry for each value in 'reg-names'.
++
++ reg-names:
++ description: |
++ Required names for each of the reset registers defined in
++ the 'reg' property. Expects the names from the following
++ list, in the specified order, each representing the corresponding
++ reset register.
++ items:
++ - const: reset-control
++ - const: reset-status
++
++ firmware-name:
++ description: |
++ Default name of the firmware to load to the remote processor.
++
++required:
++ - compatible
++ - reg
++ - reg-names
++ - firmware-name
++
++additionalProperties: false
++
++examples:
++ - |
++ extsys0: remoteproc@1a010310 {
++ compatible = "arm,corstone1000-extsys";
++ reg = <0x1a010310 0x4>, <0x1a010314 0x4>;
++ reg-names = "reset-control", "reset-status";
++ firmware-name = "es0_flashfw.elf";
++ };
++
++ extsys1: remoteproc@1a010318 {
++ compatible = "arm,corstone1000-extsys";
++ reg = <0x1a010318 0x4>, <0x1a01031c 0x4>;
++ reg-names = "reset-control", "reset-status";
++ firmware-name = "es1_flashfw.elf";
++ };
+diff --git a/MAINTAINERS b/MAINTAINERS
+index 54d6a40feea5..eddaa3841a65 100644
+--- a/MAINTAINERS
++++ b/MAINTAINERS
+@@ -1768,6 +1768,7 @@ ARM REMOTEPROC DRIVER
+ M: Abdellatif El Khlifi <abdellatif.elkhlifi@arm.com>
+ L: linux-remoteproc@vger.kernel.org
+ S: Maintained
++F: Documentation/devicetree/bindings/remoteproc/arm,rproc.yaml
+ F: drivers/remoteproc/arm_rproc.c
+
+ ARM SMC WATCHDOG DRIVER
+--
+2.25.1
+
diff --git a/meta-arm/meta-arm-bsp/recipes-kernel/linux/files/corstone1000/extsys.cfg b/meta-arm/meta-arm-bsp/recipes-kernel/linux/files/corstone1000/extsys.cfg
new file mode 100644
index 0000000000..902fd43ee9
--- /dev/null
+++ b/meta-arm/meta-arm-bsp/recipes-kernel/linux/files/corstone1000/extsys.cfg
@@ -0,0 +1,2 @@
+CONFIG_REMOTEPROC=y
+CONFIG_ARM_REMOTEPROC=y
diff --git a/meta-arm/meta-arm-bsp/recipes-kernel/linux/linux-arm-platforms.inc b/meta-arm/meta-arm-bsp/recipes-kernel/linux/linux-arm-platforms.inc
index d0df9ce3a3..011586ef81 100644
--- a/meta-arm/meta-arm-bsp/recipes-kernel/linux/linux-arm-platforms.inc
+++ b/meta-arm/meta-arm-bsp/recipes-kernel/linux/linux-arm-platforms.inc
@@ -16,7 +16,6 @@ SRC_URI_KMETA = "file://arm-platforms-kmeta;type=kmeta;name=arm-platforms-kmeta;
SRC_URI:append:fvp-base = " ${SRC_URI_KMETA}"
SRC_URI:append:juno = " ${SRC_URI_KMETA}"
SRC_URI:append:n1sdp = " ${SRC_URI_KMETA}"
-SRCREV:arm-platforms-kmeta = "6147e82375aa9df8f2a162d42ea6406c79c854c5"
#
# Corstone1000 KMACHINE
@@ -38,6 +37,13 @@ SRC_URI:append:corstone1000 = " ${@bb.utils.contains('MACHINE_FEATURES', \
'', \
d)}"
+SRC_URI:append:corstone1000 = " \
+ file://extsys.cfg \
+ file://0001-remoteproc-Add-Arm-remoteproc-driver.patch \
+ file://0002-arm64-dts-Add-corstone1000-external-system-device-no.patch \
+ file://0003-dt-bindings-remoteproc-Add-Arm-remoteproc.patch \
+ "
+
# Default kernel features not needed for corstone1000
# otherwise the extra kernel modules will increase the rootfs size
# corstone1000 has limited flash memory constraints
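Review bot: The list added to `SRC_URI:append:corstone1000` includes `0003-dt-bindings-remoteproc-Add-Arm-remoteproc.patch`, which only touches `Documentation/devicetree/bindings/...` and `MAINTAINERS` (its hunks are visible above); neither changes the built kernel, and a `MAINTAINERS` hunk is a frequent rebase-conflict source whenever the kernel version moves. Consider dropping 0003 from this list or trimming its `MAINTAINERS` hunk unless the series is deliberately carried verbatim for upstream tracking, and record the decision in a comment such as `# 0003 is carried for upstream tracking only; bindings do not affect the build`. Also the closing `"` of this append is indented while the fvp-base `SRC_URI:append` added further down leaves it at column 0; pick one style for the file.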
@@ -49,8 +55,14 @@ KERNEL_FEATURES:corstone1000 = ""
#
COMPATIBLE_MACHINE:fvp-base = "fvp-base"
KMACHINE:fvp-base = "fvp"
-FILESEXTRAPATHS:prepend:fvp-base := "${ARMBSPFILESPATHS}"
-SRC_URI:append:fvp-base = " file://0001-arm64-dts-fvp-Enable-virtio-rng-support.patch"
+FILESEXTRAPATHS:prepend:fvp-base := "${ARMBSPFILESPATHS}:${ARMFILESPATHS}"
+SRC_URI:append:fvp-base = " \
+ file://0001-arm64-dts-fvp-Enable-virtio-rng-support.patch \
+ file://tee.cfg \
+ ${@bb.utils.contains('MACHINE_FEATURES', 'ts-smm-gateway', \
+ 'file://no-strict-devmem.cfg', '' , d)} \
+"
+
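Review bot: `no-strict-devmem.cfg`, pulled in when `ts-smm-gateway` is in MACHINE_FEATURES, carries no comment saying what it relaxes or why the gateway needs it; if, as the name suggests, it sets `CONFIG_STRICT_DEVMEM=n`, the fvp-base kernel then lets any process that can open `/dev/mem` read and write arbitrary physical memory, including kernel text and data, which is a hardening regression that should be visible to the next reader of this file rather than buried in a fragment name. A comment above the `${@bb.utils.contains(...)}` line along the lines of `# ts-smm-gateway needs unrestricted /dev/mem (drops STRICT_DEVMEM): <reason>; keep gated on the feature` would do, with `<reason>` filled in by the author. Two style nits in the same block: `'' , d` has a stray space before the comma, and the closing `"` sits at column 0 while the corstone1000 `SRC_URI:append` earlier in this file indents it.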
#
# Juno KMACHINE
@@ -101,3 +113,10 @@ KCONFIG_MODE:sgi575 = "--alldefconfig"
COMPATIBLE_MACHINE:tc = "(tc0|tc1)"
KBUILD_DEFCONFIG:tc = "defconfig"
KCONFIG_MODE:tc = "--alldefconfig"
+
+#
+# sbsa-ref KMACHINE
+#
+COMPATIBLE_MACHINE:sbsa-ref = "sbsa-ref"
+KBUILD_DEFCONFIG:sbsa-ref = "defconfig"
+KCONFIG_MODE:sbsa-ref = "--alldefconfig"
diff --git a/meta-arm/meta-arm-bsp/recipes-kernel/linux/linux-yocto-dev.bbappend b/meta-arm/meta-arm-bsp/recipes-kernel/linux/linux-yocto-dev.bbappend
new file mode 100644
index 0000000000..db850eaba8
--- /dev/null
+++ b/meta-arm/meta-arm-bsp/recipes-kernel/linux/linux-yocto-dev.bbappend
@@ -0,0 +1,3 @@
+# Add support for Arm Platforms (boards or simulators)
+
+require linux-arm-platforms.inc
diff --git a/meta-arm/meta-arm-bsp/recipes-kernel/linux/linux-yocto-rt_%.bbappend b/meta-arm/meta-arm-bsp/recipes-kernel/linux/linux-yocto-rt_%.bbappend
index b1efabf33b..db850eaba8 100644
--- a/meta-arm/meta-arm-bsp/recipes-kernel/linux/linux-yocto-rt_%.bbappend
+++ b/meta-arm/meta-arm-bsp/recipes-kernel/linux/linux-yocto-rt_%.bbappend
@@ -1,5 +1,3 @@
-# Only enable linux-yocto-rt for n1sdp and the Armv8-R AArch64 AEM FVP
-LINUX_YOCTO_RT_REQUIRE ?= ""
-LINUX_YOCTO_RT_REQUIRE:n1sdp = "linux-arm-platforms.inc"
+# Add support for Arm Platforms (boards or simulators)
-require ${LINUX_YOCTO_RT_REQUIRE}
+require linux-arm-platforms.inc
diff --git a/meta-arm/meta-arm-bsp/recipes-security/optee/files/optee-os/corstone1000/0002-increase-tzdram-size.patch b/meta-arm/meta-arm-bsp/recipes-security/optee/files/optee-os/corstone1000/0002-increase-tzdram-size.patch
new file mode 100644
index 0000000000..c499a163b1
--- /dev/null
+++ b/meta-arm/meta-arm-bsp/recipes-security/optee/files/optee-os/corstone1000/0002-increase-tzdram-size.patch
@@ -0,0 +1,28 @@
+From 1410d9e9c3e73b1319b98be67ad00c7630c4cb2e Mon Sep 17 00:00:00 2001
+From: Emekcan Aras <Emekcan.Aras@arm.com>
+Date: Wed, 3 Apr 2024 16:05:07 +0100
+Subject: [PATCH] increase tzdram size
+
+Upstream-Status: Pending
+Signed-off-by: Emekcan Aras <Emekcan.Aras@arm.com>
+Signed-off-by: Harsimran Singh Tungal <harsimransingh.tungal@arm.com>
+---
+ core/arch/arm/plat-corstone1000/conf.mk | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/core/arch/arm/plat-corstone1000/conf.mk b/core/arch/arm/plat-corstone1000/conf.mk
+index 98347b143..c2dd71f05 100644
+--- a/core/arch/arm/plat-corstone1000/conf.mk
++++ b/core/arch/arm/plat-corstone1000/conf.mk
+@@ -34,7 +34,7 @@ CFG_TEE_CORE_NB_CORE ?= 1
+ CFG_TZDRAM_START ?= 0x02002000
+
+ # TEE_RAM (OPTEE kernel + DATA) + TA_RAM = 3MB
+-CFG_TZDRAM_SIZE ?= 0x300000
++CFG_TZDRAM_SIZE ?= 0x340000
+ CFG_SHMEM_START ?= 0x86000000
+ CFG_SHMEM_SIZE ?= 0x00200000
+
+--
+2.25.1
+
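Review bot: The comment two lines above the changed value, `# TEE_RAM (OPTEE kernel + DATA) + TA_RAM = 3MB`, is left as context and is now wrong: `0x340000` is 3.25 MiB, so the patch should also carry `+# TEE_RAM (OPTEE kernel + DATA) + TA_RAM = 3.25MB`. The commit message is a bare subject with `Upstream-Status: Pending` and gives no reason for the growth; a sentence on what no longer fits in 3 MiB, plus confirmation that whichever firmware component carves out the TZDRAM region for Corstone-1000 was enlarged to match, is what a reviewer needs before accepting a change to the secure memory layout.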
diff --git a/meta-arm/meta-arm-bsp/recipes-security/optee/optee-ftpm_%.bbappend b/meta-arm/meta-arm-bsp/recipes-security/optee/optee-ftpm_%.bbappend
new file mode 100644
index 0000000000..6e46c37172
--- /dev/null
+++ b/meta-arm/meta-arm-bsp/recipes-security/optee/optee-ftpm_%.bbappend
@@ -0,0 +1 @@
+COMPATIBLE_MACHINE:sbsa-ref = "sbsa-ref"
diff --git a/meta-arm/meta-arm-bsp/recipes-security/optee/optee-os-corstone1000-common.inc b/meta-arm/meta-arm-bsp/recipes-security/optee/optee-os-corstone1000-common.inc
index a883c3452f..260abc059a 100644
--- a/meta-arm/meta-arm-bsp/recipes-security/optee/optee-os-corstone1000-common.inc
+++ b/meta-arm/meta-arm-bsp/recipes-security/optee/optee-os-corstone1000-common.inc
@@ -1,6 +1,7 @@
FILESEXTRAPATHS:prepend := "${THISDIR}/files/optee-os/corstone1000:"
SRC_URI:append = " \
file://0001-Handle-logging-syscall.patch \
+ file://0002-increase-tzdram-size.patch \
"
COMPATIBLE_MACHINE = "corstone1000"
diff --git a/meta-arm/meta-arm-bsp/recipes-security/optee/optee-os-fvp-base.inc b/meta-arm/meta-arm-bsp/recipes-security/optee/optee-os-fvp-base.inc
new file mode 100644
index 0000000000..1ef3632923
--- /dev/null
+++ b/meta-arm/meta-arm-bsp/recipes-security/optee/optee-os-fvp-base.inc
@@ -0,0 +1,13 @@
+COMPATIBLE_MACHINE = "fvp-base"
+
+OPTEEMACHINE = "vexpress-fvp"
+# Enable boot logs
+EXTRA_OEMAKE += " CFG_TEE_CORE_LOG_LEVEL=4"
+
+# default disable latency benchmarks (over all OP-TEE layers)
+EXTRA_OEMAKE += " CFG_TEE_BENCHMARK=n"
+
+# If FF-A is enabled configure to be the SPMC.
+EXTRA_OEMAKE += "${@bb.utils.contains('MACHINE_FEATURES', 'arm-ffa', ' CFG_CORE_HEAP_SIZE=131072 CFG_CORE_SEL1_SPMC=y CFG_DT=y', '' ,d)}"
+
+EXTRA_OEMAKE += " CFG_ARM_GICV3=y" \ No newline at end of file
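Review bot: `# Enable boot logs` understates `CFG_TEE_CORE_LOG_LEVEL=4`, which is OP-TEE's most verbose trace level (flow tracing on every core path), not a boot-only switch; that much secure-world output is fine for an FVP development target, but the comment should say so, e.g. `# Maximum core trace level (4 = flow) for development on the FVP; use 2 (info) or lower for anything resembling production`. The file also ends without a trailing newline (`\ No newline at end of file` on the last line), and `# default disable latency benchmarks` reads better as `# Disable latency benchmarks by default (across all OP-TEE layers)`.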
diff --git a/meta-arm/meta-arm-bsp/recipes-security/optee/optee-os-sbsa-ref.inc b/meta-arm/meta-arm-bsp/recipes-security/optee/optee-os-sbsa-ref.inc
new file mode 100644
index 0000000000..6e46c37172
--- /dev/null
+++ b/meta-arm/meta-arm-bsp/recipes-security/optee/optee-os-sbsa-ref.inc
@@ -0,0 +1 @@
+COMPATIBLE_MACHINE:sbsa-ref = "sbsa-ref"
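Review bot: The `:sbsa-ref` override on `COMPATIBLE_MACHINE` appears redundant here: this `.inc` is only reached through `MACHINE_OPTEE_OS_REQUIRE:sbsa-ref` in the `optee-os_4.%.bbappend` hunk below, so it is already machine-scoped, and the parallel `optee-os-fvp-base.inc` added in this commit writes the plain `COMPATIBLE_MACHINE = "fvp-base"`. Using `COMPATIBLE_MACHINE = "sbsa-ref"` keeps the two per-machine includes consistent; the identical line in `optee-ftpm_%.bbappend` is correct as written because that file appends to the generic recipe for every machine.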
diff --git a/meta-arm/meta-arm-bsp/recipes-security/optee/optee-os-tadevkit_4.%.bbappend b/meta-arm/meta-arm-bsp/recipes-security/optee/optee-os-tadevkit_4.%.bbappend
index e09c4a5ea7..c9b48be22d 100644
--- a/meta-arm/meta-arm-bsp/recipes-security/optee/optee-os-tadevkit_4.%.bbappend
+++ b/meta-arm/meta-arm-bsp/recipes-security/optee/optee-os-tadevkit_4.%.bbappend
@@ -2,5 +2,6 @@
MACHINE_OPTEE_OS_TADEVKIT_REQUIRE ?= ""
MACHINE_OPTEE_OS_TADEVKIT_REQUIRE:n1sdp = "optee-os-n1sdp.inc"
+MACHINE_OPTEE_OS_TADEVKIT_REQUIRE:fvp-base = "optee-os-fvp-base.inc"
require ${MACHINE_OPTEE_OS_TADEVKIT_REQUIRE}
diff --git a/meta-arm/meta-arm-bsp/recipes-security/optee/optee-os_4.%.bbappend b/meta-arm/meta-arm-bsp/recipes-security/optee/optee-os_4.%.bbappend
index 788a23efe5..04f7dc913a 100644
--- a/meta-arm/meta-arm-bsp/recipes-security/optee/optee-os_4.%.bbappend
+++ b/meta-arm/meta-arm-bsp/recipes-security/optee/optee-os_4.%.bbappend
@@ -2,6 +2,8 @@
# Machine specific configurations
MACHINE_OPTEE_OS_REQUIRE ?= ""
MACHINE_OPTEE_OS_REQUIRE:corstone1000 = "optee-os-corstone1000-common.inc"
+MACHINE_OPTEE_OS_REQUIRE:fvp-base = "optee-os-fvp-base.inc"
MACHINE_OPTEE_OS_REQUIRE:n1sdp = "optee-os-n1sdp.inc"
+MACHINE_OPTEE_OS_REQUIRE:sbsa-ref = "optee-os-sbsa-ref.inc"
require ${MACHINE_OPTEE_OS_REQUIRE}
diff --git a/meta-arm/meta-arm-bsp/recipes-security/optee/optee-test-fvp-base.inc b/meta-arm/meta-arm-bsp/recipes-security/optee/optee-test-fvp-base.inc
new file mode 100644
index 0000000000..23dead24ab
--- /dev/null
+++ b/meta-arm/meta-arm-bsp/recipes-security/optee/optee-test-fvp-base.inc
@@ -0,0 +1,3 @@
+# fvp-base specific configuration
+
+COMPATIBLE_MACHINE = "fvp-base"
diff --git a/meta-arm/meta-arm-bsp/recipes-security/optee/optee-test_4.%.bbappend b/meta-arm/meta-arm-bsp/recipes-security/optee/optee-test_4.%.bbappend
index 05e2abca63..249d67f08b 100644
--- a/meta-arm/meta-arm-bsp/recipes-security/optee/optee-test_4.%.bbappend
+++ b/meta-arm/meta-arm-bsp/recipes-security/optee/optee-test_4.%.bbappend
@@ -2,5 +2,6 @@
MACHINE_OPTEE_TEST_REQUIRE ?= ""
MACHINE_OPTEE_TEST_REQUIRE:n1sdp = "optee-os-generic-n1sdp.inc"
+MACHINE_OPTEE_TEST_REQUIRE:fvp-base = "optee-test-fvp-base.inc"
require ${MACHINE_OPTEE_TEST_REQUIRE}
diff --git a/meta-arm/meta-arm-bsp/recipes-security/packagegroups/packagegroup-ts-tests.bbappend b/meta-arm/meta-arm-bsp/recipes-security/packagegroups/packagegroup-ts-tests.bbappend
index 20612cb1a1..35137220ad 100644
--- a/meta-arm/meta-arm-bsp/recipes-security/packagegroups/packagegroup-ts-tests.bbappend
+++ b/meta-arm/meta-arm-bsp/recipes-security/packagegroups/packagegroup-ts-tests.bbappend
@@ -1,2 +1,3 @@
COMPATIBLE_MACHINE:corstone1000 = "corstone1000"
COMPATIBLE_MACHINE:n1sdp = "n1sdp"
+COMPATIBLE_MACHINE:fvp-base = "fvp-base"
diff --git a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0001-Add-stub-capsule-update-service-components.patch b/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0001-Add-stub-capsule-update-service-components.patch
index c1775b795c..0f6fab819f 100644
--- a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0001-Add-stub-capsule-update-service-components.patch
+++ b/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0001-Add-stub-capsule-update-service-components.patch
@@ -1,7 +1,7 @@
-From a965129153a0cca340535fe2cf99dbfef9b557da Mon Sep 17 00:00:00 2001
+From 1ba2a22575c1b73b5ab09e040a00f370eca4b758 Mon Sep 17 00:00:00 2001
From: Julian Hall <julian.hall@arm.com>
Date: Tue, 12 Oct 2021 15:45:41 +0100
-Subject: [PATCH 1/6] Add stub capsule update service components
+Subject: [PATCH 1/8] Add stub capsule update service components
To facilitate development of a capsule update service provider,
stub components are added to provide a starting point for an
@@ -15,7 +15,7 @@ Change-Id: I0d4049bb4de5af7ca80806403301692507085d28
Signed-off-by: Rui Miguel Silva <rui.silva@linaro.org>
---
.../backend/capsule_update_backend.h | 24 ++++
- .../provider/capsule_update_provider.c | 133 ++++++++++++++++++
+ .../provider/capsule_update_provider.c | 135 ++++++++++++++++++
.../provider/capsule_update_provider.h | 51 +++++++
.../capsule_update/provider/component.cmake | 13 ++
.../se-proxy/infra/corstone1000/infra.cmake | 1 +
@@ -23,7 +23,7 @@ Signed-off-by: Rui Miguel Silva <rui.silva@linaro.org>
.../capsule_update/capsule_update_proto.h | 13 ++
protocols/service/capsule_update/opcodes.h | 17 +++
protocols/service/capsule_update/parameters.h | 15 ++
- 9 files changed, 272 insertions(+), 4 deletions(-)
+ 9 files changed, 274 insertions(+), 4 deletions(-)
create mode 100644 components/service/capsule_update/backend/capsule_update_backend.h
create mode 100644 components/service/capsule_update/provider/capsule_update_provider.c
create mode 100644 components/service/capsule_update/provider/capsule_update_provider.h
@@ -34,7 +34,7 @@ Signed-off-by: Rui Miguel Silva <rui.silva@linaro.org>
diff --git a/components/service/capsule_update/backend/capsule_update_backend.h b/components/service/capsule_update/backend/capsule_update_backend.h
new file mode 100644
-index 000000000000..f3144ff1d7d5
+index 000000000..f3144ff1d
--- /dev/null
+++ b/components/service/capsule_update/backend/capsule_update_backend.h
@@ -0,0 +1,24 @@
@@ -64,10 +64,10 @@ index 000000000000..f3144ff1d7d5
+#endif /* CAPSULE_UPDATE_BACKEND_H */
diff --git a/components/service/capsule_update/provider/capsule_update_provider.c b/components/service/capsule_update/provider/capsule_update_provider.c
new file mode 100644
-index 000000000000..e133753f8560
+index 000000000..f35c272d2
--- /dev/null
+++ b/components/service/capsule_update/provider/capsule_update_provider.c
-@@ -0,0 +1,133 @@
+@@ -0,0 +1,135 @@
+/*
+ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.
+ *
@@ -92,8 +92,8 @@ index 000000000000..e133753f8560
+};
+
+/* Service request handlers */
-+static rpc_status_t update_capsule_handler(void *context, struct call_req *req);
-+static rpc_status_t boot_confirmed_handler(void *context, struct call_req *req);
++static rpc_status_t update_capsule_handler(void *context, struct rpc_request *req);
++static rpc_status_t boot_confirmed_handler(void *context, struct rpc_request *req);
+
+/* Handler mapping table for service */
+static const struct service_handler handler_table[] = {
@@ -101,21 +101,23 @@ index 000000000000..e133753f8560
+ {CAPSULE_UPDATE_OPCODE_BOOT_CONFIRMED, boot_confirmed_handler}
+};
+
-+struct rpc_interface *capsule_update_provider_init(
++struct rpc_service_interface *capsule_update_provider_init(
+ struct capsule_update_provider *context)
+{
-+ struct rpc_interface *rpc_interface = NULL;
++ struct rpc_service_interface *rpc_interface = NULL;
++ const struct rpc_uuid dummy_uuid = { .uuid = { 0 }};
++ if (!context)
++ return NULL;
+
-+ if (context) {
++ service_provider_init(
++ &context->base_provider,
++ context,
++ &dummy_uuid,
++ handler_table,
++ sizeof(handler_table)/sizeof(struct service_handler));
+
-+ service_provider_init(
-+ &context->base_provider,
-+ context,
-+ handler_table,
-+ sizeof(handler_table)/sizeof(struct service_handler));
++ rpc_interface = service_provider_get_rpc_interface(&context->base_provider);
+
-+ rpc_interface = service_provider_get_rpc_interface(&context->base_provider);
-+ }
+
+ return rpc_interface;
+}
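Review bot: The refreshed `capsule_update_provider_init` registers the provider with `dummy_uuid`, an all-zero `rpc_uuid`, and nothing on the page explains why the capsule update service has no identity of its own. If the RPC endpoint in this deployment dispatches or advertises services by UUID, as the `rpc_service_interface` rework this refresh tracks suggests, a zero UUID can collide with any other provider that takes the same shortcut and cannot be found by a client that asks for the service by UUID. The patch already adds `protocols/service/capsule_update/capsule_update_proto.h`; a named constant there (constructed example: `CAPSULE_UPDATE_SERVICE_UUID`) with a freshly generated value, passed in place of `dummy_uuid`, would remove the ambiguity, or at minimum a comment such as `/* no service UUID assigned yet: the endpoint routes capsule-update calls by interface id, not UUID */` above the declaration, whichever is true. Minor: a blank line between the `dummy_uuid` declaration and the `if (!context)` guard would match the surrounding style.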
@@ -125,7 +127,7 @@ index 000000000000..e133753f8560
+ (void)context;
+}
+
-+static rpc_status_t event_handler(uint32_t opcode, struct rpc_caller *caller)
++static rpc_status_t event_handler(uint32_t opcode, struct rpc_caller_interface *caller)
+{
+ uint32_t ioctl_id;
+ psa_handle_t handle;
@@ -179,10 +181,10 @@ index 000000000000..e133753f8560
+
+}
+
-+static rpc_status_t update_capsule_handler(void *context, struct call_req *req)
++static rpc_status_t update_capsule_handler(void *context, struct rpc_request *req)
+{
+ struct capsule_update_provider *this_instance = (struct capsule_update_provider*)context;
-+ struct rpc_caller *caller = this_instance->client.caller;
++ struct rpc_caller_interface *caller = this_instance->client.session->caller;
+ uint32_t opcode = req->opcode;
+ rpc_status_t rpc_status = TS_RPC_ERROR_NOT_READY;
+
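Review bot: `update_capsule_handler` now reaches the caller through `this_instance->client.session->caller`, which dereferences `session` without checking it; if the service client's session can be unset when a request arrives (the old code read `client.caller` directly and had no such hop), this is a null-pointer dereference inside the service on the first incoming call. A guard before the dereference, `if (!this_instance->client.session) return TS_RPC_ERROR_NOT_READY;`, reuses the not-ready status the handler already initialises `rpc_status` with. The same pattern is repeated in `boot_confirmed_handler` in the next hunk.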
@@ -190,10 +192,10 @@ index 000000000000..e133753f8560
+ return rpc_status;
+}
+
-+static rpc_status_t boot_confirmed_handler(void *context, struct call_req *req)
++static rpc_status_t boot_confirmed_handler(void *context, struct rpc_request *req)
+{
+ struct capsule_update_provider *this_instance = (struct capsule_update_provider*)context;
-+ struct rpc_caller *caller = this_instance->client.caller;
++ struct rpc_caller_interface *caller = this_instance->client.session->caller;
+ uint32_t opcode = req->opcode;
+ rpc_status_t rpc_status = TS_RPC_ERROR_NOT_READY;
+
@@ -203,7 +205,7 @@ index 000000000000..e133753f8560
+}
diff --git a/components/service/capsule_update/provider/capsule_update_provider.h b/components/service/capsule_update/provider/capsule_update_provider.h
new file mode 100644
-index 000000000000..3de49854ea90
+index 000000000..5dc5535d6
--- /dev/null
+++ b/components/service/capsule_update/provider/capsule_update_provider.h
@@ -0,0 +1,51 @@
@@ -216,7 +218,7 @@ index 000000000000..3de49854ea90
+#ifndef CAPSULE_UPDATE_PROVIDER_H
+#define CAPSULE_UPDATE_PROVIDER_H
+
-+#include <rpc/common/endpoint/rpc_interface.h>
++#include <rpc/common/endpoint/rpc_service_interface.h>
+#include <service/common/provider/service_provider.h>
+#include <service/common/client/service_client.h>
+#include <service/capsule_update/backend/capsule_update_backend.h>
@@ -240,9 +242,9 @@ index 000000000000..3de49854ea90
+ *
+ * @param[in] context The instance to initialize
+ *
-+ * \return An rpc_interface or NULL on failure
++ * \return An rpc_service_interface or NULL on failure
+ */
-+struct rpc_interface *capsule_update_provider_init(
++struct rpc_service_interface *capsule_update_provider_init(
+ struct capsule_update_provider *context);
+
+/**
@@ -260,7 +262,7 @@ index 000000000000..3de49854ea90
+#endif /* CAPSULE_UPDATE_PROVIDER_H */
diff --git a/components/service/capsule_update/provider/component.cmake b/components/service/capsule_update/provider/component.cmake
new file mode 100644
-index 000000000000..1d412eb234d9
+index 000000000..1d412eb23
--- /dev/null
+++ b/components/service/capsule_update/provider/component.cmake
@@ -0,0 +1,13 @@
@@ -278,7 +280,7 @@ index 000000000000..1d412eb234d9
+ "${CMAKE_CURRENT_LIST_DIR}/capsule_update_provider.c"
+ )
diff --git a/deployments/se-proxy/infra/corstone1000/infra.cmake b/deployments/se-proxy/infra/corstone1000/infra.cmake
-index 4e7e2bd58028..e60b5400617f 100644
+index a52a1b711..4658c9662 100644
--- a/deployments/se-proxy/infra/corstone1000/infra.cmake
+++ b/deployments/se-proxy/infra/corstone1000/infra.cmake
@@ -21,6 +21,7 @@ add_components(TARGET "se-proxy"
@@ -290,7 +292,7 @@ index 4e7e2bd58028..e60b5400617f 100644
)
diff --git a/deployments/se-proxy/se_proxy_interfaces.h b/deployments/se-proxy/se_proxy_interfaces.h
-index 48908f846990..3d4a7c204785 100644
+index 48908f846..3d4a7c204 100644
--- a/deployments/se-proxy/se_proxy_interfaces.h
+++ b/deployments/se-proxy/se_proxy_interfaces.h
@@ -8,9 +8,10 @@
@@ -310,7 +312,7 @@ index 48908f846990..3d4a7c204785 100644
#endif /* SE_PROXY_INTERFACES_H */
diff --git a/protocols/service/capsule_update/capsule_update_proto.h b/protocols/service/capsule_update/capsule_update_proto.h
new file mode 100644
-index 000000000000..8f326cd387fb
+index 000000000..8f326cd38
--- /dev/null
+++ b/protocols/service/capsule_update/capsule_update_proto.h
@@ -0,0 +1,13 @@
@@ -329,7 +331,7 @@ index 000000000000..8f326cd387fb
+#endif /* CAPSULE_UPDATE_PROTO_H */
diff --git a/protocols/service/capsule_update/opcodes.h b/protocols/service/capsule_update/opcodes.h
new file mode 100644
-index 000000000000..8185a0902378
+index 000000000..8185a0902
--- /dev/null
+++ b/protocols/service/capsule_update/opcodes.h
@@ -0,0 +1,17 @@
@@ -352,7 +354,7 @@ index 000000000000..8185a0902378
+#endif /* CAPSULE_UPDATE_OPCODES_H */
diff --git a/protocols/service/capsule_update/parameters.h b/protocols/service/capsule_update/parameters.h
new file mode 100644
-index 000000000000..285d924186be
+index 000000000..285d92418
--- /dev/null
+++ b/protocols/service/capsule_update/parameters.h
@@ -0,0 +1,15 @@
@@ -372,5 +374,5 @@ index 000000000000..285d924186be
+
+#endif /* CAPSULE_UPDATE_PARAMETERS_H */
--
-2.40.0
+2.25.1
diff --git a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0002-Fixes-in-AEAD-for-psa-arch-test-54-and-58.patch b/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0002-Fixes-in-AEAD-for-psa-arch-test-54-and-58.patch
index 3f3800ceb9..524d6f7af1 100644
--- a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0002-Fixes-in-AEAD-for-psa-arch-test-54-and-58.patch
+++ b/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0002-Fixes-in-AEAD-for-psa-arch-test-54-and-58.patch
@@ -1,7 +1,7 @@
-From 51a7024967187644011c5043ef0f733cf81b26be Mon Sep 17 00:00:00 2001
+From 1923e1f4dbd8f912701c2870822fa4b61eb6082d Mon Sep 17 00:00:00 2001
From: Satish Kumar <satish.kumar01@arm.com>
Date: Mon, 14 Feb 2022 08:22:25 +0000
-Subject: [PATCH 2/6] Fixes in AEAD for psa-arch test 54 and 58.
+Subject: [PATCH 2/8] Fixes in AEAD for psa-arch test 54 and 58.
Upstream-Status: Pending [Not submitted to upstream yet]
Signed-off-by: Emekcan Aras <Emekcan.Aras@arm.com>
@@ -17,10 +17,10 @@ Signed-off-by: Rui Miguel Silva <rui.silva@linaro.org>
6 files changed, 12 insertions(+), 3 deletions(-)
diff --git a/components/service/crypto/client/caller/packed-c/crypto_caller_aead.h b/components/service/crypto/client/caller/packed-c/crypto_caller_aead.h
-index c4ffb20cf7f8..a91f66c14008 100644
+index bf39762b0..27ffbc66e 100644
--- a/components/service/crypto/client/caller/packed-c/crypto_caller_aead.h
+++ b/components/service/crypto/client/caller/packed-c/crypto_caller_aead.h
-@@ -309,6 +309,7 @@ static inline psa_status_t crypto_caller_aead_update(struct service_client *cont
+@@ -314,6 +314,7 @@ static inline psa_status_t crypto_caller_aead_update(struct service_client *cont
size_t req_len = req_fixed_len;
*output_length = 0;
@@ -29,7 +29,7 @@ index c4ffb20cf7f8..a91f66c14008 100644
/* Mandatory input data parameter */
diff --git a/components/service/crypto/include/psa/crypto_sizes.h b/components/service/crypto/include/psa/crypto_sizes.h
-index 30aa102da581..130d27295878 100644
+index 30aa102da..130d27295 100644
--- a/components/service/crypto/include/psa/crypto_sizes.h
+++ b/components/service/crypto/include/psa/crypto_sizes.h
@@ -351,7 +351,7 @@
@@ -42,10 +42,10 @@ index 30aa102da581..130d27295878 100644
/** A sufficient output buffer size for psa_aead_update().
*
diff --git a/components/service/crypto/provider/extension/aead/aead_provider.c b/components/service/crypto/provider/extension/aead/aead_provider.c
-index 14a25436b3f6..6b144db821de 100644
+index b73d88d32..6a0f96c3c 100644
--- a/components/service/crypto/provider/extension/aead/aead_provider.c
+++ b/components/service/crypto/provider/extension/aead/aead_provider.c
-@@ -283,10 +283,11 @@ static rpc_status_t aead_update_handler(void *context, struct call_req *req)
+@@ -283,10 +283,11 @@ static rpc_status_t aead_update_handler(void *context, struct rpc_request *req)
uint32_t op_handle;
const uint8_t *input;
size_t input_len;
@@ -56,9 +56,9 @@ index 14a25436b3f6..6b144db821de 100644
- &input, &input_len);
+ &recv_output_size, &input, &input_len);
- if (rpc_status == TS_RPC_CALL_ACCEPTED) {
+ if (rpc_status == RPC_SUCCESS) {
-@@ -300,9 +301,12 @@ static rpc_status_t aead_update_handler(void *context, struct call_req *req)
+@@ -300,9 +301,12 @@ static rpc_status_t aead_update_handler(void *context, struct rpc_request *req)
if (crypto_context) {
size_t output_len = 0;
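Review bot: `recv_output_size` is read out of the client request body (deserialized together with `&input, &input_len`) and then carried into the crypto context branch, but the code that consumes it lies outside this hunk, so it is not visible here whether the value is bounded before use. If it sizes the response or a temporary buffer, clamp it against `resp_buf->size` before allocating and reject an out-of-range value with `RPC_ERROR_INVALID_REQUEST_BODY`, the status the serializer already uses for malformed requests. aead_update_handler begins and ends outside this hunk, and these are lines of the embedded patch rather than of the rebase itself.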
@@ -73,30 +73,30 @@ index 14a25436b3f6..6b144db821de 100644
psa_status = psa_aead_update(&crypto_context->op.aead,
diff --git a/components/service/crypto/provider/extension/aead/serializer/aead_provider_serializer.h b/components/service/crypto/provider/extension/aead/serializer/aead_provider_serializer.h
-index bb1a2a97e4b7..0156aaba3fe3 100644
+index be76d2bc6..590973048 100644
--- a/components/service/crypto/provider/extension/aead/serializer/aead_provider_serializer.h
+++ b/components/service/crypto/provider/extension/aead/serializer/aead_provider_serializer.h
@@ -51,6 +51,7 @@ struct aead_provider_serializer {
/* Operation: aead_update */
- rpc_status_t (*deserialize_aead_update_req)(const struct call_param_buf *req_buf,
+ rpc_status_t (*deserialize_aead_update_req)(const struct rpc_buffer *req_buf,
uint32_t *op_handle,
+ uint32_t *output_size,
const uint8_t **input, size_t *input_len);
- rpc_status_t (*serialize_aead_update_resp)(struct call_param_buf *resp_buf,
+ rpc_status_t (*serialize_aead_update_resp)(struct rpc_buffer *resp_buf,
diff --git a/components/service/crypto/provider/extension/aead/serializer/packed-c/packedc_aead_provider_serializer.c b/components/service/crypto/provider/extension/aead/serializer/packed-c/packedc_aead_provider_serializer.c
-index 6f00b3e3f6f1..45c739abcbb4 100644
+index 8f8c3c7f2..922a7b651 100644
--- a/components/service/crypto/provider/extension/aead/serializer/packed-c/packedc_aead_provider_serializer.c
+++ b/components/service/crypto/provider/extension/aead/serializer/packed-c/packedc_aead_provider_serializer.c
-@@ -192,6 +192,7 @@ static rpc_status_t deserialize_aead_update_ad_req(const struct call_param_buf *
+@@ -192,6 +192,7 @@ static rpc_status_t deserialize_aead_update_ad_req(const struct rpc_buffer *req_
/* Operation: aead_update */
- static rpc_status_t deserialize_aead_update_req(const struct call_param_buf *req_buf,
+ static rpc_status_t deserialize_aead_update_req(const struct rpc_buffer *req_buf,
uint32_t *op_handle,
+ uint32_t *output_size,
const uint8_t **input, size_t *input_len)
{
- rpc_status_t rpc_status = TS_RPC_ERROR_INVALID_REQ_BODY;
-@@ -208,6 +209,7 @@ static rpc_status_t deserialize_aead_update_req(const struct call_param_buf *req
+ rpc_status_t rpc_status = RPC_ERROR_INVALID_REQUEST_BODY;
+@@ -208,6 +209,7 @@ static rpc_status_t deserialize_aead_update_req(const struct rpc_buffer *req_buf
memcpy(&recv_msg, req_buf->data, expected_fixed_len);
*op_handle = recv_msg.op_handle;
@@ -105,7 +105,7 @@ index 6f00b3e3f6f1..45c739abcbb4 100644
tlv_const_iterator_begin(&req_iter,
(uint8_t*)req_buf->data + expected_fixed_len,
diff --git a/protocols/service/crypto/packed-c/aead.h b/protocols/service/crypto/packed-c/aead.h
-index 0be266b52403..435fd3b523ce 100644
+index 0be266b52..435fd3b52 100644
--- a/protocols/service/crypto/packed-c/aead.h
+++ b/protocols/service/crypto/packed-c/aead.h
@@ -98,6 +98,7 @@ enum
@@ -117,5 +117,5 @@ index 0be266b52403..435fd3b523ce 100644
/* Variable length input parameter tags */
--
-2.40.0
+2.25.1
diff --git a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0003-FMP-Support-in-Corstone1000.patch b/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0003-FMP-Support-in-Corstone1000.patch
index 3d743d2827..dff9b7ffa7 100644
--- a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0003-FMP-Support-in-Corstone1000.patch
+++ b/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0003-FMP-Support-in-Corstone1000.patch
@@ -1,7 +1,7 @@
-From 5c8ac10337ac853d8a82992fb6e1d91b122b99d2 Mon Sep 17 00:00:00 2001
+From ef6b4fef7b7a740d6df8dab12aa7c73d06bb9f3b Mon Sep 17 00:00:00 2001
From: Satish Kumar <satish.kumar01@arm.com>
Date: Fri, 8 Jul 2022 09:48:06 +0100
-Subject: [PATCH 3/6] FMP Support in Corstone1000.
+Subject: [PATCH 3/8] FMP Support in Corstone1000.
The FMP support is used by u-boot to pupolate ESRT information
for the kernel.
@@ -22,7 +22,7 @@ Signed-off-by: Rui Miguel Silva <rui.silva@linaro.org>
create mode 100644 components/service/capsule_update/provider/corstone1000_fmp_service.h
diff --git a/components/service/capsule_update/provider/capsule_update_provider.c b/components/service/capsule_update/provider/capsule_update_provider.c
-index e133753f8560..991a2235cd73 100644
+index f35c272d2..bfeb7301a 100644
--- a/components/service/capsule_update/provider/capsule_update_provider.c
+++ b/components/service/capsule_update/provider/capsule_update_provider.c
@@ -11,6 +11,7 @@
@@ -33,16 +33,16 @@ index e133753f8560..991a2235cd73 100644
#define CAPSULE_UPDATE_REQUEST (0x1)
-@@ -47,6 +48,8 @@ struct rpc_interface *capsule_update_provider_init(
- rpc_interface = service_provider_get_rpc_interface(&context->base_provider);
- }
+@@ -49,6 +50,8 @@ struct rpc_service_interface *capsule_update_provider_init(
+ rpc_interface = service_provider_get_rpc_interface(&context->base_provider);
-+ provision_fmp_variables_metadata(context->client.caller);
+
++ provision_fmp_variables_metadata(context->client.session->caller);
+
return rpc_interface;
}
-@@ -85,6 +88,7 @@ static rpc_status_t event_handler(uint32_t opcode, struct rpc_caller *caller)
+@@ -87,6 +90,7 @@ static rpc_status_t event_handler(uint32_t opcode, struct rpc_caller_interface *
}
psa_call(caller,handle, PSA_IPC_CALL,
in_vec,IOVEC_LEN(in_vec), NULL, 0);
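Review bot: The result of `psa_call(caller,handle, PSA_IPC_CALL, in_vec,IOVEC_LEN(in_vec), NULL, 0);` is discarded in both the CAPSULE_UPDATE_REQUEST arm here and the KERNEL_STARTED_EVENT arm in the next hunk (`@@ -50,7 +50,7 @@`), so a failed flash-images ioctl or boot notification is reported to the caller as a successful event. Capture it and at least log it, e.g. `psa_status = psa_call(caller, handle, PSA_IPC_CALL, in_vec, IOVEC_LEN(in_vec), NULL, 0);` followed by `if (psa_status != PSA_SUCCESS) EMSG("%s: psa_call failed: %d", __func__, psa_status);`. These are unchanged lines of the embedded 0003 patch, so the fix belongs in that patch body rather than in this rebase; event_handler starts and ends outside the hunk.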
@@ -50,7 +50,7 @@ index e133753f8560..991a2235cd73 100644
break;
case KERNEL_STARTED_EVENT:
-@@ -99,6 +103,7 @@ static rpc_status_t event_handler(uint32_t opcode, struct rpc_caller *caller)
+@@ -101,6 +105,7 @@ static rpc_status_t event_handler(uint32_t opcode, struct rpc_caller_interface *
}
psa_call(caller,handle, PSA_IPC_CALL,
in_vec,IOVEC_LEN(in_vec), NULL, 0);
@@ -59,7 +59,7 @@ index e133753f8560..991a2235cd73 100644
default:
EMSG("%s unsupported opcode", __func__);
diff --git a/components/service/capsule_update/provider/component.cmake b/components/service/capsule_update/provider/component.cmake
-index 1d412eb234d9..6b0601494938 100644
+index 1d412eb23..6b0601494 100644
--- a/components/service/capsule_update/provider/component.cmake
+++ b/components/service/capsule_update/provider/component.cmake
@@ -10,4 +10,5 @@ endif()
@@ -70,7 +70,7 @@ index 1d412eb234d9..6b0601494938 100644
)
diff --git a/components/service/capsule_update/provider/corstone1000_fmp_service.c b/components/service/capsule_update/provider/corstone1000_fmp_service.c
new file mode 100644
-index 000000000000..6a7a47a7ed99
+index 000000000..56ce38579
--- /dev/null
+++ b/components/service/capsule_update/provider/corstone1000_fmp_service.c
@@ -0,0 +1,307 @@
@@ -86,7 +86,7 @@ index 000000000000..6a7a47a7ed99
+#include <psa/storage_common.h>
+#include <trace.h>
+
-+#include <service/smm_variable/backend/variable_index.h>
++#include <service/uefi/smm_variable/backend/variable_index.h>
+
+#define VARIABLE_INDEX_STORAGE_UID (0x787)
+
@@ -155,7 +155,7 @@ index 000000000000..6a7a47a7ed99
+ },
+};
+
-+static psa_status_t protected_storage_set(struct rpc_caller *caller,
++static psa_status_t protected_storage_set(struct rpc_caller_interface *caller,
+ psa_storage_uid_t uid, size_t data_length, const void *p_data)
+{
+ psa_status_t psa_status;
@@ -175,7 +175,7 @@ index 000000000000..6a7a47a7ed99
+ return psa_status;
+}
+
-+static psa_status_t protected_storage_get(struct rpc_caller *caller,
++static psa_status_t protected_storage_get(struct rpc_caller_interface *caller,
+ psa_storage_uid_t uid, size_t data_size, void *p_data)
+{
+ psa_status_t psa_status;
@@ -200,7 +200,7 @@ index 000000000000..6a7a47a7ed99
+ }
+
+ return psa_status;
-+}
++}
+
+static uint64_t name_hash(EFI_GUID *guid, size_t name_size,
+ const int16_t *name)
@@ -216,7 +216,7 @@ index 000000000000..6a7a47a7ed99
+ for (int i = 0; i < 8; ++i) {
+
+ hash = ((hash << 5) + hash) + guid->Data4[i];
-+ }
++ }
+
+ /* Extend to cover name up to but not including null terminator */
+ for (int i = 0; i < name_size / sizeof(int16_t); ++i) {
@@ -241,7 +241,7 @@ index 000000000000..6a7a47a7ed99
+}
+
+
-+void provision_fmp_variables_metadata(struct rpc_caller *caller)
++void provision_fmp_variables_metadata(struct rpc_caller_interface *caller)
+{
+ struct variable_metadata metadata;
+ psa_status_t status;
@@ -314,7 +314,7 @@ index 000000000000..6a7a47a7ed99
+ return PSA_SUCCESS;
+}
+
-+static psa_status_t get_image_info(struct rpc_caller *caller,
++static psa_status_t get_image_info(struct rpc_caller_interface *caller,
+ psa_handle_t platform_service_handle)
+{
+ psa_status_t status;
@@ -342,12 +342,12 @@ index 000000000000..6a7a47a7ed99
+ return PSA_SUCCESS;
+}
+
-+static psa_status_t set_image_info(struct rpc_caller *caller)
++static psa_status_t set_image_info(struct rpc_caller_interface *caller)
+{
+ psa_status_t status;
+
+ for (int i = 0; i < FMP_VARIABLES_COUNT; i++) {
-+
++
+ status = protected_storage_set(caller,
+ fmp_variables_metadata[i].uid,
+ fmp_variables_data[i].len, fmp_variables_data[i].base);
@@ -364,7 +364,7 @@ index 000000000000..6a7a47a7ed99
+ return PSA_SUCCESS;
+}
+
-+void set_fmp_image_info(struct rpc_caller *caller,
++void set_fmp_image_info(struct rpc_caller_interface *caller,
+ psa_handle_t platform_service_handle)
+{
+ psa_status_t status;
@@ -383,7 +383,7 @@ index 000000000000..6a7a47a7ed99
+}
diff --git a/components/service/capsule_update/provider/corstone1000_fmp_service.h b/components/service/capsule_update/provider/corstone1000_fmp_service.h
new file mode 100644
-index 000000000000..95fba2a04d5c
+index 000000000..d0023dc07
--- /dev/null
+++ b/components/service/capsule_update/provider/corstone1000_fmp_service.h
@@ -0,0 +1,26 @@
@@ -403,9 +403,9 @@ index 000000000000..95fba2a04d5c
+#include <rpc_caller.h>
+#include <psa/client.h>
+
-+void provision_fmp_variables_metadata(struct rpc_caller *caller);
++void provision_fmp_variables_metadata(struct rpc_caller_interface *caller);
+
-+void set_fmp_image_info(struct rpc_caller *caller,
++void set_fmp_image_info(struct rpc_caller_interface *caller,
+ psa_handle_t platform_service_handle);
+
+#ifdef __cplusplus
@@ -414,5 +414,5 @@ index 000000000000..95fba2a04d5c
+
+#endif /* CORSTONE1000_FMP_SERVICE_H */
--
-2.40.0
+2.25.1
diff --git a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0004-GetNextVariableName-Fix.patch b/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0004-GetNextVariableName-Fix.patch
deleted file mode 100644
index ed4e6e27a3..0000000000
--- a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0004-GetNextVariableName-Fix.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From 2aa665ad2cb13bc79b645db41686449a47593aab Mon Sep 17 00:00:00 2001
-From: Emekcan <emekcan.aras@arm.com>
-Date: Thu, 3 Nov 2022 17:43:40 +0000
-Subject: [PATCH] smm_gateway: GetNextVariableName Fix
-
-GetNextVariableName() should return EFI_BUFFER_TOO_SMALL
-when NameSize is smaller than the actual NameSize. It
-currently returns EFI_BUFFER_OUT_OF_RESOURCES due to setting
-max_name_len incorrectly. This fixes max_name_len error by
-replacing it with actual NameSize request by u-boot.
-
-Upstream-Status: Pending
-Signed-off-by: Emekcan Aras <emekcan.aras@arm.com>
----
- .../service/smm_variable/provider/smm_variable_provider.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/components/service/smm_variable/provider/smm_variable_provider.c b/components/service/smm_variable/provider/smm_variable_provider.c
-index a9679b7e..6a4b6fa7 100644
---- a/components/service/smm_variable/provider/smm_variable_provider.c
-+++ b/components/service/smm_variable/provider/smm_variable_provider.c
-@@ -197,7 +197,7 @@ static rpc_status_t get_next_variable_name_handler(void *context, struct call_re
- efi_status = uefi_variable_store_get_next_variable_name(
- &this_instance->variable_store,
- (SMM_VARIABLE_COMMUNICATE_GET_NEXT_VARIABLE_NAME*)resp_buf->data,
-- max_name_len,
-+ ((SMM_VARIABLE_COMMUNICATE_GET_NEXT_VARIABLE_NAME*)resp_buf->data)->NameSize,
- &resp_buf->data_len);
- }
- else {
---
-2.17.1
-
diff --git a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0004-smm_gateway-GetNextVariableName-Fix.patch b/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0004-smm_gateway-GetNextVariableName-Fix.patch
new file mode 100644
index 0000000000..51337b2fdb
--- /dev/null
+++ b/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0004-smm_gateway-GetNextVariableName-Fix.patch
@@ -0,0 +1,45 @@
+From 660658e9f974126fae15d9d8839415a76e8d6663 Mon Sep 17 00:00:00 2001
+From: Bence Balogh <bence.balogh@arm.com>
+Date: Wed, 10 Apr 2024 09:16:47 +0200
+Subject: [PATCH 4/9] smm_gateway: GetNextVariableName Fix
+
+GetNextVariableName() should return EFI_BUFFER_TOO_SMALL
+when requested NameSize is smaller than the actual. It
+currently returns EFI_BUFFER_OUT_OF_RESOURCES due to setting
+max_name_len incorrectly. This change fixes the error by
+using clamping the maximum size to the NameSize requested by
+the client.
+
+Upstream-Status: Pending
+Signed-off-by: Emekcan Aras <emekcan.aras@arm.com>
+Signed-off-by: Gyorgy Szing <Gyorgy.Szing@arm.com>
+---
+ .../uefi/smm_variable/provider/smm_variable_provider.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/components/service/uefi/smm_variable/provider/smm_variable_provider.c b/components/service/uefi/smm_variable/provider/smm_variable_provider.c
+index 1875397..ca3f7e5 100644
+--- a/components/service/uefi/smm_variable/provider/smm_variable_provider.c
++++ b/components/service/uefi/smm_variable/provider/smm_variable_provider.c
+@@ -176,16 +176,14 @@ static rpc_status_t get_next_variable_name_handler(void *context, struct rpc_req
+
+ if (resp_buf->size >= param_len) {
+ struct rpc_buffer *req_buf = &req->request;
+- size_t max_name_len =
+- resp_buf->size -
+- SMM_VARIABLE_COMMUNICATE_GET_NEXT_VARIABLE_NAME_NAME_OFFSET;
+
+ memmove(resp_buf->data, req_buf->data, param_len);
+
+ efi_status = uefi_variable_store_get_next_variable_name(
+ &this_instance->variable_store,
+ (SMM_VARIABLE_COMMUNICATE_GET_NEXT_VARIABLE_NAME *)resp_buf->data,
+- max_name_len, &resp_buf->data_length);
++ ((SMM_VARIABLE_COMMUNICATE_GET_NEXT_VARIABLE_NAME*)resp_buf->data)->NameSize,
++ &resp_buf->data_length);
+ } else {
+ /* Reponse buffer not big enough */
+ efi_status = EFI_BAD_BUFFER_SIZE;
+--
+2.25.1
+
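Review bot: The new patch replaces the `max_name_len` bound derived from `resp_buf->size` with the `NameSize` the client placed in the request (copied into `resp_buf->data` by the `memmove`), so the variable store is now told it may write a caller-chosen number of name bytes into a response buffer whose real capacity is no longer checked; a NameSize larger than `resp_buf->size - SMM_VARIABLE_COMMUNICATE_GET_NEXT_VARIABLE_NAME_NAME_OFFSET` can overrun the buffer unless `uefi_variable_store_get_next_variable_name` re-checks it internally, which is not visible here. The commit message says the size is clamped, but the code substitutes rather than clamps: keep the removed `max_name_len` computation and pass the smaller of the two, e.g. `size_t req_name_len = ((SMM_VARIABLE_COMMUNICATE_GET_NEXT_VARIABLE_NAME *)resp_buf->data)->NameSize;` then `if (req_name_len < max_name_len) max_name_len = req_name_len;`, which still yields EFI_BUFFER_TOO_SMALL for an undersized request while protecting the buffer. The `Subject: [PATCH 4/9]` numbering also disagrees with the `x/8` used by the other patches in this series. get_next_variable_name_handler starts and ends outside the hunk.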
diff --git a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0005-plat-corstone1000-add-compile-definitions-for-ECP_DP.patch b/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0005-plat-corstone1000-add-compile-definitions-for-ECP_DP.patch
index 5d7ab5f544..e116690516 100644
--- a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0005-plat-corstone1000-add-compile-definitions-for-ECP_DP.patch
+++ b/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0005-plat-corstone1000-add-compile-definitions-for-ECP_DP.patch
@@ -1,7 +1,7 @@
-From 041d30bb9cc6857f5ef26ded154ff7126dafaa20 Mon Sep 17 00:00:00 2001
-From: Emekcan Aras <emekcan.aras@arm.com>
-Date: Fri, 16 Jun 2023 10:47:48 +0100
-Subject: [PATCH] plat: corstone1000: add compile definitions for
+From a7818585e1113aabf310a94eea802ff79234b0db Mon Sep 17 00:00:00 2001
+From: Bence Balogh <bence.balogh@arm.com>
+Date: Wed, 10 Apr 2024 09:17:39 +0200
+Subject: [PATCH 5/8] plat: corstone1000: add compile definitions for
ECP_DP_SECP512R1
Corstone1000 runs PSA-API tests which requires this ECC algorithm.
@@ -9,21 +9,20 @@ Without setting this, corstone1000 fails psa-api-crypto-test no 243.
Signed-off-by: Emekcan Aras <emekcan.aras@arm.com>
Upstream-Status: Pending
-
---
platform/providers/arm/corstone1000/platform.cmake | 2 ++
1 file changed, 2 insertions(+)
diff --git a/platform/providers/arm/corstone1000/platform.cmake b/platform/providers/arm/corstone1000/platform.cmake
-index dbdf1097..e7a295dd 100644
+index 663226740..83350f788 100644
--- a/platform/providers/arm/corstone1000/platform.cmake
+++ b/platform/providers/arm/corstone1000/platform.cmake
-@@ -14,3 +14,5 @@ target_compile_definitions(${TGT} PRIVATE
- SMM_VARIABLE_INDEX_STORAGE_UID=0x787
- SMM_GATEWAY_MAX_UEFI_VARIABLES=100
- )
+@@ -26,3 +26,5 @@ get_property(_platform_driver_dependencies TARGET ${TGT}
+ if ("mhu" IN_LIST _platform_driver_dependencies)
+ include(${TS_ROOT}/platform/drivers/arm/mhu_driver/mhu_v2_x/driver.cmake)
+ endif()
+
+add_compile_definitions(MBEDTLS_ECP_DP_SECP521R1_ENABLED)
--
-2.17.1
+2.25.1
diff --git a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0006-plat-corstone1000-Use-the-stateless-platform-service.patch b/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0006-plat-corstone1000-Use-the-stateless-platform-service.patch
index 4e9d5c2e13..44e2dd85c3 100644
--- a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0006-plat-corstone1000-Use-the-stateless-platform-service.patch
+++ b/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0006-plat-corstone1000-Use-the-stateless-platform-service.patch
@@ -1,9 +1,9 @@
-From a71e99045996c57a4f80509ae8b770aa4f73f6c0 Mon Sep 17 00:00:00 2001
+From c2edcd8bd3d8817765f280708eae894d6cd8d974 Mon Sep 17 00:00:00 2001
From: Emekcan Aras <emekcan.aras@arm.com>
Date: Sun, 18 Jun 2023 14:38:42 +0100
-Subject: [PATCH] plat: corstone1000: Use the stateless platform service calls
- Calls to psa_connect is not needed and psa_call can be called directly with a
- pre defined handle.
+Subject: [PATCH 6/8] plat: corstone1000: Use the stateless platform service
+ calls Calls to psa_connect is not needed and psa_call can be called directly
+ with a pre defined handle.
Signed-off-by: Satish Kumar <satish.kumar01@arm.com>
Signed-off-by: Mohamed Omar Asaker <mohamed.omarasaker@arm.com>
@@ -18,18 +18,18 @@ Upstream-Status: Inappropriate [Design is to revisted]
4 files changed, 17 insertions(+), 27 deletions(-)
diff --git a/components/service/capsule_update/provider/capsule_update_provider.c b/components/service/capsule_update/provider/capsule_update_provider.c
-index 991a2235..6809249f 100644
+index bfeb7301a..12c552dae 100644
--- a/components/service/capsule_update/provider/capsule_update_provider.c
+++ b/components/service/capsule_update/provider/capsule_update_provider.c
-@@ -61,7 +61,6 @@ void capsule_update_provider_deinit(struct capsule_update_provider *context)
- static rpc_status_t event_handler(uint32_t opcode, struct rpc_caller *caller)
+@@ -63,7 +63,6 @@ void capsule_update_provider_deinit(struct capsule_update_provider *context)
+ static rpc_status_t event_handler(uint32_t opcode, struct rpc_caller_interface *caller)
{
uint32_t ioctl_id;
- psa_handle_t handle;
rpc_status_t rpc_status = TS_RPC_CALL_ACCEPTED;
struct psa_invec in_vec[] = {
-@@ -79,31 +78,18 @@ static rpc_status_t event_handler(uint32_t opcode, struct rpc_caller *caller)
+@@ -81,31 +80,18 @@ static rpc_status_t event_handler(uint32_t opcode, struct rpc_caller_interface *
case CAPSULE_UPDATE_REQUEST:
/* Openamp call with IOCTL for firmware update*/
ioctl_id = IOCTL_CORSTONE1000_FWU_FLASH_IMAGES;
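Review bot: The context line `rpc_status_t rpc_status = TS_RPC_CALL_ACCEPTED;` in event_handler keeps the old status name, while the rest of this rebase moves to the new RPC status API (`RPC_SUCCESS` in aead_provider.c, `RPC_ERROR_INVALID_REQUEST_BODY` in the serializer). If the rebased trusted-services no longer defines `TS_RPC_CALL_ACCEPTED`, capsule_update_provider.c will not compile once the series is applied; since the line is context here, the rename belongs wherever event_handler is first introduced in this series, presumably with `rpc_status_t rpc_status = RPC_SUCCESS;`. event_handler's body continues past the hunk.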
@@ -67,20 +67,20 @@ index 991a2235..6809249f 100644
default:
EMSG("%s unsupported opcode", __func__);
diff --git a/components/service/capsule_update/provider/corstone1000_fmp_service.c b/components/service/capsule_update/provider/corstone1000_fmp_service.c
-index 6a7a47a7..d811af9f 100644
+index 56ce38579..bebdf859f 100644
--- a/components/service/capsule_update/provider/corstone1000_fmp_service.c
+++ b/components/service/capsule_update/provider/corstone1000_fmp_service.c
@@ -238,8 +238,7 @@ static psa_status_t unpack_image_info(void *buffer, uint32_t size)
return PSA_SUCCESS;
}
--static psa_status_t get_image_info(struct rpc_caller *caller,
+-static psa_status_t get_image_info(struct rpc_caller_interface *caller,
- psa_handle_t platform_service_handle)
-+static psa_status_t get_image_info(struct rpc_caller *caller)
++static psa_status_t get_image_info(struct rpc_caller_interface *caller)
{
psa_status_t status;
psa_handle_t handle;
-@@ -255,7 +254,7 @@ static psa_status_t get_image_info(struct rpc_caller *caller,
+@@ -255,7 +254,7 @@ static psa_status_t get_image_info(struct rpc_caller_interface *caller,
memset(image_info_buffer, 0, IMAGE_INFO_BUFFER_SIZE);
@@ -89,13 +89,13 @@ index 6a7a47a7..d811af9f 100644
in_vec, IOVEC_LEN(in_vec), out_vec, IOVEC_LEN(out_vec));
status = unpack_image_info(image_info_buffer, IMAGE_INFO_BUFFER_SIZE);
-@@ -288,12 +287,11 @@ static psa_status_t set_image_info(struct rpc_caller *caller)
+@@ -288,12 +287,11 @@ static psa_status_t set_image_info(struct rpc_caller_interface *caller)
return PSA_SUCCESS;
}
--void set_fmp_image_info(struct rpc_caller *caller,
+-void set_fmp_image_info(struct rpc_caller_interface *caller,
- psa_handle_t platform_service_handle)
-+void set_fmp_image_info(struct rpc_caller *caller)
++void set_fmp_image_info(struct rpc_caller_interface *caller)
{
psa_status_t status;
@@ -105,21 +105,21 @@ index 6a7a47a7..d811af9f 100644
return;
}
diff --git a/components/service/capsule_update/provider/corstone1000_fmp_service.h b/components/service/capsule_update/provider/corstone1000_fmp_service.h
-index 95fba2a0..963223e8 100644
+index d0023dc07..486fa10b4 100644
--- a/components/service/capsule_update/provider/corstone1000_fmp_service.h
+++ b/components/service/capsule_update/provider/corstone1000_fmp_service.h
@@ -16,8 +16,7 @@ extern "C" {
- void provision_fmp_variables_metadata(struct rpc_caller *caller);
+ void provision_fmp_variables_metadata(struct rpc_caller_interface *caller);
--void set_fmp_image_info(struct rpc_caller *caller,
+-void set_fmp_image_info(struct rpc_caller_interface *caller,
- psa_handle_t platform_service_handle);
-+void set_fmp_image_info(struct rpc_caller *caller);
++void set_fmp_image_info(struct rpc_caller_interface *caller);
#ifdef __cplusplus
} /* extern "C" */
diff --git a/components/service/common/include/psa/sid.h b/components/service/common/include/psa/sid.h
-index 5aaa659d..fc3a4fb0 100644
+index 5aaa659d4..fc3a4fb06 100644
--- a/components/service/common/include/psa/sid.h
+++ b/components/service/common/include/psa/sid.h
@@ -40,6 +40,13 @@ extern "C" {
@@ -137,5 +137,5 @@ index 5aaa659d..fc3a4fb0 100644
#define TFM_SP_PLATFORM_SYSTEM_RESET_SID (0x00000040U)
#define TFM_SP_PLATFORM_SYSTEM_RESET_VERSION (1U)
--
-2.17.1
+2.25.1
diff --git a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0007-plat-corstone1000-Initialize-capsule-update-provider.patch b/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0007-plat-corstone1000-Initialize-capsule-update-provider.patch
index 3e6f606c5d..738b5af010 100644
--- a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0007-plat-corstone1000-Initialize-capsule-update-provider.patch
+++ b/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0007-plat-corstone1000-Initialize-capsule-update-provider.patch
@@ -1,78 +1,106 @@
-From b5b31064959665f4cc616733be3d989ae4356636 Mon Sep 17 00:00:00 2001
-From: Emekcan Aras <emekcan.aras@arm.com>
-Date: Sun, 18 Jun 2023 16:05:27 +0100
-Subject: [PATCH] plat: corstone1000: Initialize capsule update provider
+From 925a07093fa571ee1d2f2e59affcd2c52f1d5b54 Mon Sep 17 00:00:00 2001
+From: Bence Balogh <bence.balogh@arm.com>
+Date: Wed, 29 Nov 2023 15:40:21 +0100
+Subject: [PATCH 7/8] plat: corstone1000: Initialize capsule update provider
Initializes the capsule update service provider in se-proxy-sp.c deployment
for corstone1000.
Signed-off-by: Emekcan Aras <emekcan.aras@arm.com>
Upstream-Status: Inappropriate [Design is to revisted]
-
---
- deployments/se-proxy/env/commonsp/se_proxy_sp.c | 3 +++
- .../infra/corstone1000/service_proxy_factory.c | 17 +++++++++++++++++
- .../se-proxy/infra/service_proxy_factory.h | 1 +
- 3 files changed, 21 insertions(+)
+ .../se-proxy/env/commonsp/se_proxy_sp.c | 14 +++++++++-
+ .../corstone1000/service_proxy_factory.c | 28 +++++++++++++++++++
+ .../se-proxy/infra/service_proxy_factory.h | 1 +
+ 3 files changed, 42 insertions(+), 1 deletion(-)
diff --git a/deployments/se-proxy/env/commonsp/se_proxy_sp.c b/deployments/se-proxy/env/commonsp/se_proxy_sp.c
-index 45fcb385..dc2a9d49 100644
+index 155e94863..a0eb03b6f 100644
--- a/deployments/se-proxy/env/commonsp/se_proxy_sp.c
+++ b/deployments/se-proxy/env/commonsp/se_proxy_sp.c
-@@ -77,6 +77,9 @@ void __noreturn sp_main(struct ffa_init_info *init_info)
+@@ -39,7 +39,7 @@ void __noreturn sp_main(union ffa_boot_info *boot_info)
+ goto fatal_error;
+ }
+
+- rpc_status = ts_rpc_endpoint_sp_init(&rpc_endpoint, 4, 16);
++ rpc_status = ts_rpc_endpoint_sp_init(&rpc_endpoint, 5, 16);
+ if (rpc_status != RPC_SUCCESS) {
+ EMSG("Failed to initialize RPC endpoint: %d", rpc_status);
+ goto fatal_error;
+@@ -94,6 +94,18 @@ void __noreturn sp_main(union ffa_boot_info *boot_info)
+ goto fatal_error;
}
- rpc_demux_attach(&rpc_demux, SE_PROXY_INTERFACE_ID_ATTEST, rpc_iface);
+ rpc_iface = capsule_update_proxy_create();
-+ rpc_demux_attach(&rpc_demux, SE_PROXY_INTERFACE_ID_CAPSULE_UPDATE, rpc_iface);
++ if (!rpc_iface) {
++ EMSG("Failed to create Capsule Update proxy");
++ goto fatal_error;
++ }
++
++ rpc_status = ts_rpc_endpoint_sp_add_service(&rpc_endpoint, rpc_iface);
++ if (rpc_status != RPC_SUCCESS) {
++ EMSG("Failed to add service to RPC endpoint: %d", rpc_status);
++ goto fatal_error;
++ }
+
/* End of boot phase */
result = sp_msg_wait(&req_msg);
if (result != SP_RESULT_OK) {
diff --git a/deployments/se-proxy/infra/corstone1000/service_proxy_factory.c b/deployments/se-proxy/infra/corstone1000/service_proxy_factory.c
-index bacab1de..32d88c97 100644
+index b3b93cfd6..fc179b3c1 100644
--- a/deployments/se-proxy/infra/corstone1000/service_proxy_factory.c
+++ b/deployments/se-proxy/infra/corstone1000/service_proxy_factory.c
-@@ -14,6 +14,7 @@
+@@ -11,6 +11,7 @@
+ #include <rpc/rss_comms/caller/sp/rss_comms_caller.h>
+ #include <service/attestation/provider/attest_provider.h>
+ #include <service/attestation/provider/serializer/packed-c/packedc_attest_provider_serializer.h>
++#include <service/capsule_update/provider/capsule_update_provider.h>
#include <service/crypto/factory/crypto_provider_factory.h>
#include <service/secure_storage/frontend/secure_storage_provider/secure_storage_provider.h>
- #include <trace.h>
-+#include <service/capsule_update/provider/capsule_update_provider.h>
-
- /* backends */
- #include <service/crypto/backend/psa_ipc/crypto_ipc_backend.h>
-@@ -94,3 +95,19 @@ struct rpc_interface *its_proxy_create(void)
+ #include "service/secure_storage/frontend/secure_storage_provider/secure_storage_uuid.h"
+@@ -129,3 +130,30 @@ struct rpc_service_interface *its_proxy_create(void)
- return secure_storage_provider_init(&its_provider, backend);
+ return secure_storage_provider_init(&its_provider, backend, &its_uuid);
}
+
-+struct rpc_interface *capsule_update_proxy_create(void)
++struct rpc_service_interface *capsule_update_proxy_create(void)
+{
+ static struct capsule_update_provider capsule_update_provider;
-+ static struct rpc_caller *capsule_update_caller;
++ static struct secure_storage_ipc capsule_update_backend;
++ rpc_status_t rpc_status = RPC_ERROR_INTERNAL;
++
++ /* Static objects for proxy instance */
++ static struct rpc_caller_interface rss_comms = { 0 };
++ static struct rpc_caller_session rpc_session = { 0 };
+
-+ capsule_update_caller = psa_ipc_caller_init(&psa_ipc);
++ rpc_status = rss_comms_caller_init(&rss_comms);
++ if (rpc_status != RPC_SUCCESS)
++ return NULL;
+
-+ if (!capsule_update_caller)
-+ return NULL;
++ rpc_status = rpc_caller_session_open(&rpc_session, &rss_comms, &dummy_uuid, 0, 0);
++ if (rpc_status != RPC_SUCCESS)
++ return NULL;
+
-+ capsule_update_provider.client.caller = capsule_update_caller;
++
++ capsule_update_provider.client.session = &rpc_session;
++ capsule_update_provider.client.rpc_status = RPC_SUCCESS;
++ capsule_update_provider.client.service_info.supported_encodings = 0;
++ capsule_update_provider.client.service_info.max_payload = 4096;
+
+ return capsule_update_provider_init(&capsule_update_provider);
+}
-+
diff --git a/deployments/se-proxy/infra/service_proxy_factory.h b/deployments/se-proxy/infra/service_proxy_factory.h
-index 298d407a..02aa7fe2 100644
+index caaea79ed..b981754b7 100644
--- a/deployments/se-proxy/infra/service_proxy_factory.h
+++ b/deployments/se-proxy/infra/service_proxy_factory.h
-@@ -17,6 +17,7 @@ struct rpc_interface *attest_proxy_create(void);
- struct rpc_interface *crypto_proxy_create(void);
- struct rpc_interface *ps_proxy_create(void);
- struct rpc_interface *its_proxy_create(void);
-+struct rpc_interface *capsule_update_proxy_create(void);
+@@ -17,6 +17,7 @@ struct rpc_service_interface *attest_proxy_create(void);
+ struct rpc_service_interface *crypto_proxy_create(void);
+ struct rpc_service_interface *ps_proxy_create(void);
+ struct rpc_service_interface *its_proxy_create(void);
++struct rpc_service_interface *capsule_update_proxy_create(void);
#ifdef __cplusplus
}
--
-2.17.1
+2.25.1
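Review bot: In `capsule_update_proxy_create` the new `static struct secure_storage_ipc capsule_update_backend;` is declared but never referenced in the function, and the error path after a successful `rss_comms_caller_init(&rss_comms)` returns NULL on a failed `rpc_caller_session_open` without tearing the caller down (if the RSS comms caller has a matching deinit, call it there). The `max_payload = 4096` literal deserves a one-line comment stating where the limit comes from (presumably the RSS comms transport — confirm). The `ts_rpc_endpoint_sp_init(&rpc_endpoint, 5, 16)` count is a hidden coupling to the five `*_proxy_create` functions declared in service_proxy_factory.h; a comment such as `/* 5 services: attest, crypto, ps, its, capsule update */` beside it would make the next `ts_rpc_endpoint_sp_add_service` failure easier to diagnose. sp_main begins and ends outside the hunk.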
diff --git a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0009-plat-corstone1000-fmp-client-id.patch b/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0008-plat-corstone1000-add-client_id-for-FMP-service.patch
index 2fb91f6284..3e92700057 100644
--- a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0009-plat-corstone1000-fmp-client-id.patch
+++ b/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0008-plat-corstone1000-add-client_id-for-FMP-service.patch
@@ -1,7 +1,7 @@
-From 52d962239207bd06827c18d0ed21abdc2002337f Mon Sep 17 00:00:00 2001
-From: emeara01 <emekcan.aras@arm.com>
-Date: Thu, 7 Mar 2024 10:24:42 +0000
-Subject: [PATCH] plat: corstone1000: add client_id for FMP service
+From f6ed75939f0b57e6b0e50ab11cdc3304098456dd Mon Sep 17 00:00:00 2001
+From: Bence Balogh <bence.balogh@arm.com>
+Date: Fri, 5 Apr 2024 17:31:03 +0200
+Subject: [PATCH 8/8] plat: corstone1000: add client_id for FMP service
Corstone1000 uses trusted-firmware-m as secure enclave software component. Due
to the changes in TF-M 2.0, psa services requires a seperate client_id now.
@@ -11,11 +11,11 @@ accessed by u-boot via smm-gateway-sp.
Signed-off-by: emeara01 <emekcan.aras@arm.com>
Upstream-Status: Inappropriate [Design is to revisted]
---
- .../capsule_update/provider/corstone1000_fmp_service.c | 5 ++++---
+ .../capsule_update/provider/corstone1000_fmp_service.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/components/service/capsule_update/provider/corstone1000_fmp_service.c b/components/service/capsule_update/provider/corstone1000_fmp_service.c
-index d811af9f..354d025f 100644
+index bebdf859f..1b4813d62 100644
--- a/components/service/capsule_update/provider/corstone1000_fmp_service.c
+++ b/components/service/capsule_update/provider/corstone1000_fmp_service.c
@@ -33,6 +33,7 @@
@@ -26,7 +26,7 @@ index d811af9f..354d025f 100644
static struct variable_metadata fmp_variables_metadata[FMP_VARIABLES_COUNT] = {
{
-@@ -91,7 +92,7 @@ static psa_status_t protected_storage_set(struct rpc_caller *caller,
+@@ -91,7 +92,7 @@ static psa_status_t protected_storage_set(struct rpc_caller_interface *caller,
{ .base = psa_ptr_to_u32(&create_flags), .len = sizeof(create_flags) },
};
@@ -35,7 +35,7 @@ index d811af9f..354d025f 100644
in_vec, IOVEC_LEN(in_vec), NULL, 0);
if (psa_status < 0)
EMSG("ipc_set: psa_call failed: %d", psa_status);
-@@ -114,7 +115,7 @@ static psa_status_t protected_storage_get(struct rpc_caller *caller,
+@@ -114,7 +115,7 @@ static psa_status_t protected_storage_get(struct rpc_caller_interface *caller,
{ .base = psa_ptr_to_u32(p_data), .len = data_size },
};
@@ -43,3 +43,7 @@ index d811af9f..354d025f 100644
+ psa_status = psa_call_client_id(caller, TFM_PROTECTED_STORAGE_SERVICE_HANDLE, SMM_GW_SP_ID,
TFM_PS_ITS_GET, in_vec, IOVEC_LEN(in_vec),
out_vec, IOVEC_LEN(out_vec));
+
+--
+2.25.1
+
diff --git a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0008-platform-corstone1000-fix-synchronization-issue.patch b/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0008-platform-corstone1000-fix-synchronization-issue.patch
deleted file mode 100644
index 5d8f731854..0000000000
--- a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0008-platform-corstone1000-fix-synchronization-issue.patch
+++ /dev/null
@@ -1,105 +0,0 @@
-From 06c3e612cb0927d783f115077d83ed97841c5668 Mon Sep 17 00:00:00 2001
-From: Emekcan Aras <emekcan.aras@arm.com>
-Date: Tue, 14 Nov 2023 14:43:44 +0000
-Subject: [PATCH] plat: corstone1000: fix synchronization issue on openamp notification
-
-This fixes a race that is observed rarely in the FVP. It occurs in FVP
-when Secure Enclave sends the notication ack in openamp, and then reset the access
-request which resets the mhu registers before received by the SE-proxy-sp in the
-host processort. This solution introduces polling on the status register of
-mhu until the notificaiton is read by the host processor. (Inspired by
-signal_and_wait_for_signal function in mhu_wrapper_v2_x.c in trusted-firmware-m
-https://git.trustedfirmware.org/TF-M/trusted-firmware-m.git/tree/platform/ext/target/arm/rss/common/native_drivers/mhu_wrapper_v2_x.c#n61)
-
-Signed-off-by: Emekcan Aras <emekcan.aras@arm.com>
-Upstream-Status: Pending [Not submitted to upstream yet]
----
- components/messaging/openamp/sp/openamp_mhu.c | 9 ++++++++-
- platform/drivers/arm/mhu_driver/mhu_v2.h | 18 ++++++++++++++++++
- platform/drivers/arm/mhu_driver/mhu_v2_x.c | 17 +++++++++++++++++
- 3 files changed, 43 insertions(+), 1 deletion(-)
-
-diff --git a/components/messaging/openamp/sp/openamp_mhu.c b/components/messaging/openamp/sp/openamp_mhu.c
-index bafba3e3..0700b8b9 100644
---- a/components/messaging/openamp/sp/openamp_mhu.c
-+++ b/components/messaging/openamp/sp/openamp_mhu.c
-@@ -85,7 +85,7 @@ int openamp_mhu_notify_peer(struct openamp_messenger *openamp)
- struct mhu_v2_x_dev_t *tx_dev;
- enum mhu_v2_x_error_t ret;
- struct openamp_mhu *mhu;
-- uint32_t access_ready;
-+ uint32_t access_ready,val;
-
- if (!openamp->transport) {
- EMSG("openamp: mhu: notify transport not initialized");
-@@ -116,6 +116,13 @@ int openamp_mhu_notify_peer(struct openamp_messenger *openamp)
- return -EPROTO;
- }
-
-+ do {
-+ ret = mhu_v2_x_channel_poll(tx_dev, MHU_V_2_NOTIFY_CHANNEL, &val);
-+ if (ret != MHU_V_2_X_ERR_NONE) {
-+ break;
-+ }
-+ } while (val != 0);
-+
- ret = mhu_v2_x_reset_access_request(tx_dev);
- if (ret != MHU_V_2_X_ERR_NONE) {
- EMSG("openamp: mhu: failed reset access request");
-diff --git a/platform/drivers/arm/mhu_driver/mhu_v2.h b/platform/drivers/arm/mhu_driver/mhu_v2.h
-index 26b3a5d6..2b4d6fcb 100644
---- a/platform/drivers/arm/mhu_driver/mhu_v2.h
-+++ b/platform/drivers/arm/mhu_driver/mhu_v2.h
-@@ -384,6 +384,24 @@ enum mhu_v2_x_error_t mhu_v2_x_interrupt_clear(
- enum mhu_v2_x_error_t mhu_v2_1_get_ch_interrupt_num(
- const struct mhu_v2_x_dev_t *dev, uint32_t *channel);
-
-+
-+/**
-+ * \brief Polls sender channel status.
-+ *
-+ * \param[in] dev MHU device struct \ref mhu_v2_x_dev_t
-+ * \param[in] channel Channel to poll the status of.
-+ * \param[out] value Pointer to variable that will store the value.
-+ *
-+ * Polls sender channel status.
-+ *
-+ * \return Returns mhu_v2_x_error_t error code
-+ *
-+ * \note This function doesn't check if dev is NULL.
-+ * \note This function doesn't check if channel is implemented.
-+ */
-+enum mhu_v2_x_error_t mhu_v2_x_channel_poll(const struct mhu_v2_x_dev_t *dev,
-+ uint32_t channel, uint32_t *value);
-+
- #ifdef __cplusplus
- }
- #endif
-diff --git a/platform/drivers/arm/mhu_driver/mhu_v2_x.c b/platform/drivers/arm/mhu_driver/mhu_v2_x.c
-index d7e70efa..022e287a 100644
---- a/platform/drivers/arm/mhu_driver/mhu_v2_x.c
-+++ b/platform/drivers/arm/mhu_driver/mhu_v2_x.c
-@@ -600,3 +600,20 @@ enum mhu_v2_x_error_t mhu_v2_1_get_ch_interrupt_num(
-
- return MHU_V_2_X_ERR_GENERAL;
- }
-+
-+enum mhu_v2_x_error_t mhu_v2_x_channel_poll(const struct mhu_v2_x_dev_t *dev,
-+ uint32_t channel, uint32_t *value)
-+{
-+ union _mhu_v2_x_frame_t *p_mhu = (union _mhu_v2_x_frame_t *)dev->base;
-+
-+ if ( !(dev->is_initialized) ) {
-+ return MHU_V_2_X_ERR_NOT_INIT;
-+ }
-+
-+ if (dev->frame == MHU_V2_X_SENDER_FRAME) {
-+ *value = (SEND_FRAME(p_mhu))->send_ch_window[channel].ch_st;
-+ return MHU_V_2_X_ERR_NONE;
-+ } else {
-+ return MHU_V_2_X_ERR_INVALID_ARG;
-+ }
-+}
---
-2.25.1
-
diff --git a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0009-Remove-Werror-flag.patch b/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0009-Remove-Werror-flag.patch
new file mode 100644
index 0000000000..d08ebe9f7b
--- /dev/null
+++ b/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0009-Remove-Werror-flag.patch
@@ -0,0 +1,84 @@
+From 6d140b21c22dda58f596bb513a1cd6bc08e914eb Mon Sep 17 00:00:00 2001
+From: Harsimran Singh Tungal <harsimransingh.tungal@arm.com>
+Date: Wed, 3 Apr 2024 10:18:16 +0100
+Subject: [PATCH] Remove Werror flag
+
+Remove Werror flag due to compilation issues for TS in yocto
+
+Upstream-Status: Inappropriate [Only for meta-arm]
+Signed-off-by: Harsimran Singh Tungal <harsimransingh.tungal@arm.com>
+---
+ deployments/smm-gateway/config/default-opteesp/CMakeLists.txt | 1 -
+ deployments/smm-gateway/config/default-sp/CMakeLists.txt | 1 -
+ environments/arm-linux/default_toolchain_file.cmake | 2 +-
+ environments/linux-pc/default_toolchain_file.cmake | 2 +-
+ environments/opteesp/default_toolchain_file.cmake | 2 +-
+ 5 files changed, 3 insertions(+), 5 deletions(-)
+
+diff --git a/deployments/smm-gateway/config/default-opteesp/CMakeLists.txt b/deployments/smm-gateway/config/default-opteesp/CMakeLists.txt
+index 5521467..88048a2 100644
+--- a/deployments/smm-gateway/config/default-opteesp/CMakeLists.txt
++++ b/deployments/smm-gateway/config/default-opteesp/CMakeLists.txt
+@@ -99,7 +99,6 @@ target_compile_definitions(smm-gateway PRIVATE
+ if(CMAKE_C_COMPILER_ID STREQUAL "GNU")
+ target_compile_options(smm-gateway PRIVATE
+ -std=c11
+- -Werror
+ )
+
+ endif()
+diff --git a/deployments/smm-gateway/config/default-sp/CMakeLists.txt b/deployments/smm-gateway/config/default-sp/CMakeLists.txt
+index ca563c0..4b43653 100644
+--- a/deployments/smm-gateway/config/default-sp/CMakeLists.txt
++++ b/deployments/smm-gateway/config/default-sp/CMakeLists.txt
+@@ -97,7 +97,6 @@ target_compile_definitions(smm-gateway PRIVATE
+ if(CMAKE_C_COMPILER_ID STREQUAL "GNU")
+ target_compile_options(smm-gateway PRIVATE
+ -std=c11
+- -Werror
+ )
+
+ endif()
+diff --git a/environments/arm-linux/default_toolchain_file.cmake b/environments/arm-linux/default_toolchain_file.cmake
+index 1da144e..6909db6 100644
+--- a/environments/arm-linux/default_toolchain_file.cmake
++++ b/environments/arm-linux/default_toolchain_file.cmake
+@@ -19,7 +19,7 @@ set(CMAKE_SYSTEM_PROCESSOR arm)
+
+ set(TS_DEBUG_INFO_FLAGS "-fdiagnostics-show-option -gdwarf-2" CACHE STRING "Compiler flags to add debug information.")
+ set(TS_MANDATORY_AARCH_FLAGS "-mstrict-align -march=armv8-a+crc -DARM64=1" CACHE STRING "Compiler flags configuring architecture specific ")
+-set(TS_WARNING_FLAGS "-Wall -Werror" CACHE STRING "Compiler flags affecting generating warning messages.")
++set(TS_WARNING_FLAGS "-Wall" CACHE STRING "Compiler flags affecting generating warning messages.")
+ set(TS_MANDATORY_LINKER_FLAGS "" CACHE STRING "Linker flags needed for correct builds.")
+
+ # Set flags affecting all build types
+diff --git a/environments/linux-pc/default_toolchain_file.cmake b/environments/linux-pc/default_toolchain_file.cmake
+index 58f29bc..e23bb79 100644
+--- a/environments/linux-pc/default_toolchain_file.cmake
++++ b/environments/linux-pc/default_toolchain_file.cmake
+@@ -11,7 +11,7 @@ include_guard(GLOBAL)
+
+ set(TS_DEBUG_INFO_FLAGS "-fdiagnostics-show-option -gdwarf-2" CACHE STRING "Compiler flags to add debug information.")
+ set(TS_MANDATORY_AARCH_FLAGS "" CACHE STRING "Compiler flags configuring architecture specific ")
+-set(TS_WARNING_FLAGS "-Wall -Werror" CACHE STRING "Compiler flags affecting generating warning messages.")
++set(TS_WARNING_FLAGS "-Wall" CACHE STRING "Compiler flags affecting generating warning messages.")
+ set(TS_MANDATORY_LINKER_FLAGS "" CACHE STRING "Linker flags needed for correct builds.")
+
+ # Set flags affecting all build types
+diff --git a/environments/opteesp/default_toolchain_file.cmake b/environments/opteesp/default_toolchain_file.cmake
+index 43c19c5..90a9418 100644
+--- a/environments/opteesp/default_toolchain_file.cmake
++++ b/environments/opteesp/default_toolchain_file.cmake
+@@ -21,7 +21,7 @@ set(CMAKE_POSITION_INDEPENDENT_CODE True)
+
+ set(TS_DEBUG_INFO_FLAGS "-fdiagnostics-show-option -gdwarf-2" CACHE STRING "Compiler flags to add debug information.")
+ set(TS_MANDATORY_AARCH_FLAGS "-fpic -mstrict-align -march=armv8-a+crc" CACHE STRING "Compiler flags configuring architecture specific ")
+-set(TS_WARNING_FLAGS "-Wall -Werror" CACHE STRING "Compiler flags affecting generating warning messages.")
++set(TS_WARNING_FLAGS "-Wall" CACHE STRING "Compiler flags affecting generating warning messages.")
+ set(TS_MANDATORY_LINKER_FLAGS "-pie -Wl,--as-needed -Wl,--sort-section=alignment -zmax-page-size=4096"
+ CACHE STRING "Linker flags needed for correct builds.")
+
+--
+2.25.1
+
+
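Review bot: Dropping `-Werror` wholesale from TS_WARNING_FLAGS in all three toolchain files (arm-linux, linux-pc and opteesp) and from both smm-gateway CMakeLists silences every future warning in the secure-partition and gateway builds, not just the ones this patch is working around, and the commit message ("compilation issues for TS in yocto") does not say which diagnostics were failing. A narrower fix keeps warnings fatal by default and demotes only the offending ones, e.g. `set(TS_WARNING_FLAGS "-Wall -Werror -Wno-error=<diagnostic>" CACHE STRING "Compiler flags affecting generating warning messages.")` with `<diagnostic>` taken from the failing build log, or fixes the warnings in a separate Submitted patch. Since the patch is marked `Upstream-Status: Inappropriate [Only for meta-arm]`, this relaxation would otherwise be carried indefinitely and the meta-arm build would stay permanently more permissive than upstream's; the commit message should at least name the warnings and the toolchain version that triggers them.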
diff --git a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0010-Remove-PLATFORM_HAS_ATTEST_PK-define-from-IAT-test.patch b/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0010-Remove-PLATFORM_HAS_ATTEST_PK-define-from-IAT-test.patch
new file mode 100644
index 0000000000..addf879f5d
--- /dev/null
+++ b/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0010-Remove-PLATFORM_HAS_ATTEST_PK-define-from-IAT-test.patch
@@ -0,0 +1,27 @@
+From a94bcd8af80c42adf99a7114174afea4000e6647 Mon Sep 17 00:00:00 2001
+From: Bence Balogh <bence.balogh@arm.com>
+Date: Tue, 14 May 2024 15:58:15 +0200
+Subject: [PATCH] Remove PLATFORM_HAS_ATTEST_PK define from IAT test
+
+Signed-off-by: Bence Balogh <bence.balogh@arm.com>
+Upstream-Status: Inappropriate [Should remove the flag only for CS1000]
+---
+ deployments/psa-api-test/initial_attestation/iat-api-test.cmake | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/deployments/psa-api-test/initial_attestation/iat-api-test.cmake b/deployments/psa-api-test/initial_attestation/iat-api-test.cmake
+index 4d1d2b1a9..eb4db223c 100644
+--- a/deployments/psa-api-test/initial_attestation/iat-api-test.cmake
++++ b/deployments/psa-api-test/initial_attestation/iat-api-test.cmake
+@@ -15,7 +15,7 @@ set(TS_ARCH_TEST_SUITE INITIAL_ATTESTATION CACHE STRING "Arch test suite")
+ # Set additional defines needed for build.
+ #-------------------------------------------------------------------------------
+ list(APPEND PSA_ARCH_TEST_EXTERNAL_DEFS
+- -DPSA_ALG_MD4=0x02000002 -DPLATFORM_HAS_ATTEST_PK)
++ -DPSA_ALG_MD4=0x02000002)
+
+ #-------------------------------------------------------------------------------
+ # The arch test build system puts its build output under a test suite specific
+--
+2.25.1
+
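Review bot: The commit message gives no reason for removing `-DPLATFORM_HAS_ATTEST_PK` from PSA_ARCH_TEST_EXTERNAL_DEFS, and this is a test-coverage change worth explaining: in the psa-arch-tests initial-attestation suite that define, as far as I recall, is what enables checking the returned token's signature against the platform's attestation public key, so without it a passing run no longer demonstrates that tokens are signed by the expected key (please confirm against the arch-test sources before merging). The `Upstream-Status` note says the flag "should" be removed only for CS1000, yet the patch edits the shared iat-api-test.cmake unconditionally and is scoped to Corstone-1000 only by living under the corstone1000 recipe directory, which is easy to lose on a later rebase. Suggest extending the message along the lines of `Corstone-1000: the IAT arch test cannot <reason, e.g. access the platform attestation public key>; drop PLATFORM_HAS_ATTEST_PK so the suite builds, at the cost of skipping token signature verification` with the actual reason filled in, and adding a cmake comment above the `list(APPEND ...)` recording the same so the lost check is visible to whoever reads the test results.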
diff --git a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0011-Fix-Avoid-redefinition-of-variables.patch b/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0011-Fix-Avoid-redefinition-of-variables.patch
new file mode 100644
index 0000000000..d5c43bd560
--- /dev/null
+++ b/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0011-Fix-Avoid-redefinition-of-variables.patch
@@ -0,0 +1,28 @@
+From c7f2861e5c5ee209373a8dba15a608f78a97078b Mon Sep 17 00:00:00 2001
+From: Gabor Toth <gabor.toth2@arm.com>
+Date: Wed, 10 Apr 2024 11:17:50 +0200
+Subject: [PATCH 1/3] Fix: Avoid redefinition of variables
+
+Remove variable redefinition which shadows the original one.
+
+Signed-off-by: Gabor Toth <gabor.toth2@arm.com>
+Upstream-Status: Submitted [https://review.trustedfirmware.org/c/TS/trusted-services/+/27954]
+---
+ .../service/uefi/smm_variable/client/cpp/smm_variable_client.cpp | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/components/service/uefi/smm_variable/client/cpp/smm_variable_client.cpp b/components/service/uefi/smm_variable/client/cpp/smm_variable_client.cpp
+index f71d0c864..d39448900 100644
+--- a/components/service/uefi/smm_variable/client/cpp/smm_variable_client.cpp
++++ b/components/service/uefi/smm_variable/client/cpp/smm_variable_client.cpp
+@@ -166,7 +166,6 @@ efi_status_t smm_variable_client::get_variable(const EFI_GUID &guid, const std::
+
+ if (call_handle) {
+ uint8_t *resp_buf;
+- size_t resp_len;
+ service_status_t service_status;
+
+ SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE *access_var =
+--
+2.25.1
+
diff --git a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0012-Fix-GetNextVariableName-NameSize-input.patch b/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0012-Fix-GetNextVariableName-NameSize-input.patch
new file mode 100644
index 0000000000..06efbb0e08
--- /dev/null
+++ b/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0012-Fix-GetNextVariableName-NameSize-input.patch
@@ -0,0 +1,495 @@
+From cc4cc9f3f5f02f713cf4da1854f3085bf31e71cf Mon Sep 17 00:00:00 2001
+From: Gabor Toth <gabor.toth2@arm.com>
+Date: Sat, 13 Apr 2024 14:52:23 +0200
+Subject: [PATCH 2/3] Fix GetNextVariableName NameSize input
+
+Based on the specification the NameSize shall be set to the available
+buffer size at the first call instead of the NameSize of the
+provided variable.
+Change smm-gateway and the tests according this. Also remove
+sanitize_get_next_var_name_param utility function, which is not
+compilant with this solution.
+
+Signed-off-by: Gabor Toth <gabor.toth2@arm.com>
+Upstream-Status: Submitted [https://review.trustedfirmware.org/c/TS/trusted-services/+/28022]
+---
+ .../backend/test/variable_store_tests.cpp | 48 +++++++--------
+ .../backend/uefi_variable_store.c | 60 ++++++++++++-------
+ .../backend/uefi_variable_store.h | 5 +-
+ .../smm_variable/backend/variable_index.c | 3 +
+ .../provider/smm_variable_provider.c | 59 +++++-------------
+ .../service/smm_variable_attack_tests.cpp | 29 ++++-----
+ .../service/smm_variable_service_tests.cpp | 7 ++-
+ 7 files changed, 98 insertions(+), 113 deletions(-)
+
+diff --git a/components/service/uefi/smm_variable/backend/test/variable_store_tests.cpp b/components/service/uefi/smm_variable/backend/test/variable_store_tests.cpp
+index fd48f13fb..72772821c 100644
+--- a/components/service/uefi/smm_variable/backend/test/variable_store_tests.cpp
++++ b/components/service/uefi/smm_variable/backend/test/variable_store_tests.cpp
+@@ -501,15 +501,13 @@ TEST(UefiVariableStoreTests, bootServiceAccess)
+ std::vector<uint8_t> msg_buffer(VARIABLE_BUFFER_SIZE);
+ SMM_VARIABLE_COMMUNICATE_GET_NEXT_VARIABLE_NAME *next_name =
+ (SMM_VARIABLE_COMMUNICATE_GET_NEXT_VARIABLE_NAME *) msg_buffer.data();
+- size_t max_name_len =
+- VARIABLE_BUFFER_SIZE - SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE_NAME_OFFSET;
+
+ size_t total_len = 0;
+- next_name->NameSize = sizeof(int16_t);
++ next_name->NameSize = VARIABLE_BUFFER_SIZE - SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE_NAME_OFFSET;
+ next_name->Name[0] = 0;
+
+ status = uefi_variable_store_get_next_variable_name(&m_uefi_variable_store, next_name,
+- max_name_len, &total_len);
++ &total_len);
+
+ UNSIGNED_LONGLONGS_EQUAL(EFI_NOT_FOUND, status);
+ }
+@@ -574,47 +572,48 @@ TEST(UefiVariableStoreTests, enumerateStoreContents)
+ std::vector<uint8_t> msg_buffer(VARIABLE_BUFFER_SIZE);
+ SMM_VARIABLE_COMMUNICATE_GET_NEXT_VARIABLE_NAME *next_name =
+ (SMM_VARIABLE_COMMUNICATE_GET_NEXT_VARIABLE_NAME *) msg_buffer.data();
+- size_t max_name_len =
+- VARIABLE_BUFFER_SIZE - SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE_NAME_OFFSET;
+
+ /* First check handling of invalid variable name */
+ std::u16string bogus_name = to_variable_name(u"bogus_variable");
+ size_t bogus_name_size = string_get_size_in_bytes(bogus_name);
+ next_name->Guid = m_common_guid;
+- next_name->NameSize = bogus_name_size;
++ next_name->NameSize = VARIABLE_BUFFER_SIZE - SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE_NAME_OFFSET;
+ memcpy(next_name->Name, bogus_name.data(), bogus_name_size);
+
+ status = uefi_variable_store_get_next_variable_name(&m_uefi_variable_store, next_name,
+- max_name_len, &total_len);
++ &total_len);
+ UNSIGNED_LONGLONGS_EQUAL(EFI_INVALID_PARAMETER, status);
+
+ /* Enumerate store contents */
+ next_name->NameSize = sizeof(int16_t);
+ next_name->Name[0] = 0;
+- /* Check if the correct NameSize is returned if max_name_len is too small */
++ /* Check if the correct NameSize is returned if namesize is too small */
+ status = uefi_variable_store_get_next_variable_name(&m_uefi_variable_store, next_name,
+- 0, &total_len);
++ &total_len);
+ UNSIGNED_LONGLONGS_EQUAL(EFI_BUFFER_TOO_SMALL, status);
+ UNSIGNED_LONGLONGS_EQUAL(sizeof(var_name_1), next_name->NameSize);
+
+- /* And then used the previously received next_name->NameSize as max_name_len */
++ next_name->NameSize = VARIABLE_BUFFER_SIZE - SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE_NAME_OFFSET;
+ status = uefi_variable_store_get_next_variable_name(&m_uefi_variable_store, next_name,
+- next_name->NameSize, &total_len);
++ &total_len);
+ UNSIGNED_LONGLONGS_EQUAL(EFI_SUCCESS, status);
+ CHECK_TRUE(compare_variable_name(var_name_1, next_name->Name, next_name->NameSize));
+
++ next_name->NameSize = VARIABLE_BUFFER_SIZE - SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE_NAME_OFFSET;
+ status = uefi_variable_store_get_next_variable_name(&m_uefi_variable_store, next_name,
+- max_name_len, &total_len);
++ &total_len);
+ UNSIGNED_LONGLONGS_EQUAL(EFI_SUCCESS, status);
+ CHECK_TRUE(compare_variable_name(var_name_2, next_name->Name, next_name->NameSize));
+
++ next_name->NameSize = VARIABLE_BUFFER_SIZE - SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE_NAME_OFFSET;
+ status = uefi_variable_store_get_next_variable_name(&m_uefi_variable_store, next_name,
+- max_name_len, &total_len);
++ &total_len);
+ UNSIGNED_LONGLONGS_EQUAL(EFI_SUCCESS, status);
+ CHECK_TRUE(compare_variable_name(var_name_3, next_name->Name, next_name->NameSize));
+
++ next_name->NameSize = VARIABLE_BUFFER_SIZE - SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE_NAME_OFFSET;
+ status = uefi_variable_store_get_next_variable_name(&m_uefi_variable_store, next_name,
+- max_name_len, &total_len);
++ &total_len);
+ UNSIGNED_LONGLONGS_EQUAL(EFI_NOT_FOUND, status);
+
+ power_cycle();
+@@ -622,21 +621,23 @@ TEST(UefiVariableStoreTests, enumerateStoreContents)
+ /* Enumerate again - should be left with just NV variables.
+ * Use a different but equally valid null name.
+ */
+- next_name->NameSize = 10 * sizeof(int16_t);
++ next_name->NameSize = VARIABLE_BUFFER_SIZE - SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE_NAME_OFFSET;
+ memset(next_name->Name, 0, next_name->NameSize);
+
+ status = uefi_variable_store_get_next_variable_name(&m_uefi_variable_store, next_name,
+- max_name_len, &total_len);
++ &total_len);
+ UNSIGNED_LONGLONGS_EQUAL(EFI_SUCCESS, status);
+ CHECK_TRUE(compare_variable_name(var_name_1, next_name->Name, next_name->NameSize));
+
++ next_name->NameSize = VARIABLE_BUFFER_SIZE - SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE_NAME_OFFSET;
+ status = uefi_variable_store_get_next_variable_name(&m_uefi_variable_store, next_name,
+- max_name_len, &total_len);
++ &total_len);
+ UNSIGNED_LONGLONGS_EQUAL(EFI_SUCCESS, status);
+ CHECK_TRUE(compare_variable_name(var_name_3, next_name->Name, next_name->NameSize));
+
++ next_name->NameSize = VARIABLE_BUFFER_SIZE - SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE_NAME_OFFSET;
+ status = uefi_variable_store_get_next_variable_name(&m_uefi_variable_store, next_name,
+- max_name_len, &total_len);
++ &total_len);
+ UNSIGNED_LONGLONGS_EQUAL(EFI_NOT_FOUND, status);
+ }
+
+@@ -672,21 +673,20 @@ TEST(UefiVariableStoreTests, failedNvSet)
+ std::vector<uint8_t> msg_buffer(VARIABLE_BUFFER_SIZE);
+ SMM_VARIABLE_COMMUNICATE_GET_NEXT_VARIABLE_NAME *next_name =
+ (SMM_VARIABLE_COMMUNICATE_GET_NEXT_VARIABLE_NAME *) msg_buffer.data();
+- size_t max_name_len =
+- VARIABLE_BUFFER_SIZE - SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE_NAME_OFFSET;
+
+ /* Enumerate store contents */
+ size_t total_len = 0;
+- next_name->NameSize = sizeof(int16_t);
++ next_name->NameSize = VARIABLE_BUFFER_SIZE - SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE_NAME_OFFSET;
+ next_name->Name[0] = 0;
+
+ status = uefi_variable_store_get_next_variable_name(&m_uefi_variable_store, next_name,
+- max_name_len, &total_len);
++ &total_len);
+ UNSIGNED_LONGLONGS_EQUAL(EFI_SUCCESS, status);
+ CHECK_TRUE(compare_variable_name(var_name_1, next_name->Name, next_name->NameSize));
+
++ next_name->NameSize = VARIABLE_BUFFER_SIZE - SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE_NAME_OFFSET;
+ status = uefi_variable_store_get_next_variable_name(&m_uefi_variable_store, next_name,
+- max_name_len, &total_len);
++ &total_len);
+ UNSIGNED_LONGLONGS_EQUAL(EFI_NOT_FOUND, status);
+ }
+
+diff --git a/components/service/uefi/smm_variable/backend/uefi_variable_store.c b/components/service/uefi/smm_variable/backend/uefi_variable_store.c
+index 5b46c1371..caf6698aa 100644
+--- a/components/service/uefi/smm_variable/backend/uefi_variable_store.c
++++ b/components/service/uefi/smm_variable/backend/uefi_variable_store.c
+@@ -404,9 +404,27 @@ efi_status_t uefi_variable_store_get_variable(const struct uefi_variable_store *
+ efi_status_t
+ uefi_variable_store_get_next_variable_name(const struct uefi_variable_store *context,
+ SMM_VARIABLE_COMMUNICATE_GET_NEXT_VARIABLE_NAME *cur,
+- size_t max_name_len, size_t *total_length)
++ size_t *total_length)
+ {
+- efi_status_t status = check_name_terminator(cur->Name, cur->NameSize);
++ efi_status_t status = EFI_SUCCESS;
++ size_t buffer_size = 0;
++
++ if (!cur)
++ return EFI_INVALID_PARAMETER;
++ /*
++ * NameSize is set to the buffer size to store the names,
++ * let's calculate the size actually being used.
++ */
++ buffer_size = cur->NameSize;
++ for (int i = 0; i < buffer_size / sizeof(int16_t); i++) {
++ if (cur->Name[i] == 0) {
++ /* With null terminator */
++ cur->NameSize = 2*(i+1);
++ break;
++ }
++ }
++
++ status = check_name_terminator(cur->Name, cur->NameSize);
+
+ if (status != EFI_SUCCESS)
+ return status;
+@@ -418,21 +436,11 @@ uefi_variable_store_get_next_variable_name(const struct uefi_variable_store *con
+ &context->variable_index, &cur->Guid, cur->NameSize, cur->Name, &status);
+
+ if (info && (status == EFI_SUCCESS)) {
+- /* The NameSize has to be set in every case according to the UEFI specs.
+- * In case of EFI_BUFFER_TOO_SMALL it has to reflect the size of buffer
+- * needed.
+- */
+- cur->NameSize = info->metadata.name_size;
+- *total_length = sizeof(SMM_VARIABLE_COMMUNICATE_GET_NEXT_VARIABLE_NAME);
+-
+- if (info->metadata.name_size <= max_name_len) {
++ if (info->metadata.name_size <= buffer_size) {
+ cur->Guid = info->metadata.guid;
++ cur->NameSize = info->metadata.name_size;
+ memcpy(cur->Name, info->metadata.name, info->metadata.name_size);
+
+- *total_length =
+- SMM_VARIABLE_COMMUNICATE_GET_NEXT_VARIABLE_NAME_TOTAL_SIZE(
+- cur);
+-
+ /*
+ * Check if variable is accessible (e.g boot variable is not
+ * accessible at runtime)
+@@ -442,6 +450,10 @@ uefi_variable_store_get_next_variable_name(const struct uefi_variable_store *con
+ if (status == EFI_SUCCESS)
+ break;
+ } else {
++ /* The VariableNameSize is updated to reflect the size of buffer needed */
++ cur->NameSize = info->metadata.name_size;
++ memset(cur->Name, 0, buffer_size);
++ memset(&cur->Guid, 0, sizeof(EFI_GUID));
+ status = EFI_BUFFER_TOO_SMALL;
+ break;
+ }
+@@ -450,18 +462,24 @@ uefi_variable_store_get_next_variable_name(const struct uefi_variable_store *con
+ /* Do not hide original error if there is any */
+ if (status == EFI_SUCCESS)
+ status = EFI_NOT_FOUND;
++
++ memset(cur->Name, 0, buffer_size);
++ memset(&cur->Guid, 0, sizeof(EFI_GUID));
++ cur->NameSize = 0;
+ break;
+ }
+ }
+
+- /* If we found no accessible variable clear the fields for security */
+- if (status != EFI_SUCCESS) {
+- memset(cur->Name, 0, max_name_len);
+- memset(&cur->Guid, 0, sizeof(EFI_GUID));
+- if (status != EFI_BUFFER_TOO_SMALL)
+- cur->NameSize = 0;
++ if (status == EFI_SUCCESS) {
++ /* Store everything including the name */
++ *total_length =
++ SMM_VARIABLE_COMMUNICATE_GET_NEXT_VARIABLE_NAME_TOTAL_SIZE(
++ cur);
++ } else {
++ /* Do not store the name, only the size */
++ *total_length =
++ SMM_VARIABLE_COMMUNICATE_GET_NEXT_VARIABLE_NAME_NAME_OFFSET;
+ }
+-
+ return status;
+ }
+
+diff --git a/components/service/uefi/smm_variable/backend/uefi_variable_store.h b/components/service/uefi/smm_variable/backend/uefi_variable_store.h
+index 8be5f36e6..2493ff6b4 100644
+--- a/components/service/uefi/smm_variable/backend/uefi_variable_store.h
++++ b/components/service/uefi/smm_variable/backend/uefi_variable_store.h
+@@ -134,8 +134,7 @@ efi_status_t uefi_variable_store_get_variable(const struct uefi_variable_store *
+ * Used for enumerating the store contents
+ *
+ * @param[in] context uefi_variable_store instance
+- * @param[out] cur Current variable name
+- * @param[in] max_name_len The maximum variable name length
++ * @param[inout] cur The size of the VariableName buffer
+ * @param[out] total_len The total length of the output
+ *
+ * @return EFI_SUCCESS if successful
+@@ -143,7 +142,7 @@ efi_status_t uefi_variable_store_get_variable(const struct uefi_variable_store *
+ efi_status_t
+ uefi_variable_store_get_next_variable_name(const struct uefi_variable_store *context,
+ SMM_VARIABLE_COMMUNICATE_GET_NEXT_VARIABLE_NAME *cur,
+- size_t max_name_len, size_t *total_length);
++ size_t *total_length);
+
+ /**
+ * @brief Query for variable info
+diff --git a/components/service/uefi/smm_variable/backend/variable_index.c b/components/service/uefi/smm_variable/backend/variable_index.c
+index d850dbe18..e2fe6dd38 100644
+--- a/components/service/uefi/smm_variable/backend/variable_index.c
++++ b/components/service/uefi/smm_variable/backend/variable_index.c
+@@ -27,6 +27,9 @@ static uint64_t name_hash(const EFI_GUID *guid, size_t name_size, const int16_t
+
+ /* Extend to cover name up to but not including null terminator */
+ for (size_t i = 0; i < (name_size - sizeof(int16_t)) / sizeof(int16_t); ++i) {
++ /* Only hash till the first null terminator */
++ if (name[i] == 0)
++ break;
+ hash = ((hash << 5) + hash) + name[i];
+ }
+
+diff --git a/components/service/uefi/smm_variable/provider/smm_variable_provider.c b/components/service/uefi/smm_variable/provider/smm_variable_provider.c
+index ca3f7e5e5..1a5269338 100644
+--- a/components/service/uefi/smm_variable/provider/smm_variable_provider.c
++++ b/components/service/uefi/smm_variable/provider/smm_variable_provider.c
+@@ -81,30 +81,6 @@ static efi_status_t sanitize_access_variable_param(struct rpc_request *req, size
+ return efi_status;
+ }
+
+-static efi_status_t sanitize_get_next_var_name_param(struct rpc_request *req, size_t *param_len)
+-{
+- efi_status_t efi_status = EFI_INVALID_PARAMETER;
+- *param_len = 0;
+- const struct rpc_buffer *req_buf = &req->request;
+-
+- if (req_buf->data_length >= SMM_VARIABLE_COMMUNICATE_GET_NEXT_VARIABLE_NAME_NAME_OFFSET) {
+- const SMM_VARIABLE_COMMUNICATE_GET_NEXT_VARIABLE_NAME *param =
+- (const SMM_VARIABLE_COMMUNICATE_GET_NEXT_VARIABLE_NAME *)req_buf->data;
+-
+- size_t max_space_for_name =
+- req_buf->data_length -
+- SMM_VARIABLE_COMMUNICATE_GET_NEXT_VARIABLE_NAME_NAME_OFFSET;
+-
+- if (param->NameSize <= max_space_for_name) {
+- *param_len =
+- SMM_VARIABLE_COMMUNICATE_GET_NEXT_VARIABLE_NAME_TOTAL_SIZE(param);
+- efi_status = EFI_SUCCESS;
+- }
+- }
+-
+- return efi_status;
+-}
+-
+ static efi_status_t sanitize_var_check_property_param(struct rpc_request *req, size_t *param_len)
+ {
+ efi_status_t efi_status = EFI_INVALID_PARAMETER;
+@@ -146,7 +122,7 @@ static rpc_status_t get_variable_handler(void *context, struct rpc_request *req)
+ struct rpc_buffer *req_buf = &req->request;
+ size_t max_data_len = resp_buf->size - param_len;
+
+- memmove(resp_buf->data, req_buf->data, param_len);
++ memcpy(resp_buf->data, req_buf->data, param_len);
+
+ efi_status = uefi_variable_store_get_variable(
+ &this_instance->variable_store,
+@@ -167,28 +143,21 @@ static rpc_status_t get_next_variable_name_handler(void *context, struct rpc_req
+ {
+ struct smm_variable_provider *this_instance = (struct smm_variable_provider *)context;
+
+- size_t param_len = 0;
+- efi_status_t efi_status = sanitize_get_next_var_name_param(req, &param_len);
++ efi_status_t efi_status = EFI_SUCCESS;
++ size_t variable_size = 0;
+
+- if (efi_status == EFI_SUCCESS) {
+- /* Valid get next variable name header */
+- struct rpc_buffer *resp_buf = &req->response;
++ /* Valid get next variable name header */
++ struct rpc_buffer *resp_buf = &req->response;
++ struct rpc_buffer *req_buf = &req->request;
+
+- if (resp_buf->size >= param_len) {
+- struct rpc_buffer *req_buf = &req->request;
++ memcpy(resp_buf->data, req_buf->data, req_buf->data_length);
+
+- memmove(resp_buf->data, req_buf->data, param_len);
++ efi_status = uefi_variable_store_get_next_variable_name(
++ &this_instance->variable_store,
++ (SMM_VARIABLE_COMMUNICATE_GET_NEXT_VARIABLE_NAME *)resp_buf->data,
++ &variable_size);
+
+- efi_status = uefi_variable_store_get_next_variable_name(
+- &this_instance->variable_store,
+- (SMM_VARIABLE_COMMUNICATE_GET_NEXT_VARIABLE_NAME *)resp_buf->data,
+- ((SMM_VARIABLE_COMMUNICATE_GET_NEXT_VARIABLE_NAME*)resp_buf->data)->NameSize,
+- &resp_buf->data_length);
+- } else {
+- /* Reponse buffer not big enough */
+- efi_status = EFI_BAD_BUFFER_SIZE;
+- }
+- }
++ resp_buf->data_length = variable_size;
+
+ req->service_status = efi_status;
+
+@@ -240,7 +209,7 @@ static rpc_status_t query_variable_info_handler(void *context, struct rpc_reques
+ struct rpc_buffer *resp_buf = &req->response;
+
+ if (resp_buf->size >= req_buf->data_length) {
+- memmove(resp_buf->data, req_buf->data, req_buf->data_length);
++ memcpy(resp_buf->data, req_buf->data, req_buf->data_length);
+
+ efi_status = uefi_variable_store_query_variable_info(
+ &this_instance->variable_store,
+@@ -308,7 +277,7 @@ static rpc_status_t get_var_check_property_handler(void *context, struct rpc_req
+
+ if (resp_buf->size >= param_len) {
+ struct rpc_buffer *req_buf = &req->request;
+- memmove(resp_buf->data, req_buf->data, param_len);
++ memcpy(resp_buf->data, req_buf->data, param_len);
+ resp_buf->data_length = param_len;
+
+ efi_status = uefi_variable_store_get_var_check_property(
+diff --git a/components/service/uefi/smm_variable/test/service/smm_variable_attack_tests.cpp b/components/service/uefi/smm_variable/test/service/smm_variable_attack_tests.cpp
+index 76b62fd35..98e61fec0 100644
+--- a/components/service/uefi/smm_variable/test/service/smm_variable_attack_tests.cpp
++++ b/components/service/uefi/smm_variable/test/service/smm_variable_attack_tests.cpp
+@@ -176,19 +176,6 @@ TEST(SmmVariableAttackTests, setAndGetWithSizeMaxNameSize)
+ UNSIGNED_LONGLONGS_EQUAL(EFI_SUCCESS, efi_status);
+ }
+
+-TEST(SmmVariableAttackTests, enumerateWithOversizeName)
+-{
+- efi_status_t efi_status = EFI_SUCCESS;
+- std::u16string var_name = null_name;
+- EFI_GUID guid;
+- memset(&guid, 0, sizeof(guid));
+-
+- efi_status = m_client->get_next_variable_name(guid, var_name,
+- (var_name.size() + 1) * sizeof(int16_t) + 1);
+-
+- UNSIGNED_LONGLONGS_EQUAL(EFI_INVALID_PARAMETER, efi_status);
+-}
+-
+ TEST(SmmVariableAttackTests, enumerateWithSizeMaxNameSize)
+ {
+ efi_status_t efi_status = EFI_SUCCESS;
+@@ -202,17 +189,23 @@ TEST(SmmVariableAttackTests, enumerateWithSizeMaxNameSize)
+
+ UNSIGNED_LONGLONGS_EQUAL(EFI_SUCCESS, efi_status);
+
+- /* Initial iteration uses good name length */
+- efi_status = m_client->get_next_variable_name(guid, var_name);
++ /* Initial iteration uses good name length for next variable */
++ efi_status = m_client->get_next_variable_name(guid, var_name, std::numeric_limits<size_t>::max());
+
+ UNSIGNED_LONGLONGS_EQUAL(EFI_SUCCESS, efi_status);
+
+- /* Next iteration uses invalid name length */
+- efi_status = m_client->get_next_variable_name(guid, var_name,
+- std::numeric_limits<size_t>::max());
++ /* Next iteration uses invalid name length, so a null terminator can not fit */
++ var_name = null_name;
++ efi_status = m_client->get_next_variable_name(guid, var_name, 1);
+
+ UNSIGNED_LONGLONGS_EQUAL(EFI_INVALID_PARAMETER, efi_status);
+
++ /* Next iteration uses invalid name length, so a null terminator can not fit */
++ var_name = null_name;
++ efi_status = m_client->get_next_variable_name(guid, var_name, 2);
++
++ UNSIGNED_LONGLONGS_EQUAL(EFI_BUFFER_TOO_SMALL, efi_status);
++
+ /* Expect to be able to remove the variable */
+ efi_status = m_client->remove_variable(m_common_guid, var_name_1);
+ UNSIGNED_LONGLONGS_EQUAL(EFI_SUCCESS, efi_status);
+diff --git a/components/service/uefi/smm_variable/test/service/smm_variable_service_tests.cpp b/components/service/uefi/smm_variable/test/service/smm_variable_service_tests.cpp
+index e82a90c37..8fa4f8077 100644
+--- a/components/service/uefi/smm_variable/test/service/smm_variable_service_tests.cpp
++++ b/components/service/uefi/smm_variable/test/service/smm_variable_service_tests.cpp
+@@ -9,6 +9,7 @@
+ #include <cstring>
+ #include <locale>
+ #include <sstream>
++#include <limits>
+
+ #include "util.h"
+
+@@ -154,7 +155,7 @@ TEST_GROUP(SmmVariableServiceTests)
+ #endif
+
+ do {
+- status = m_client->get_next_variable_name(guid, var_name);
++ status = m_client->get_next_variable_name(guid, var_name, max_variable_size);
+
+ /* There are no more variables in the persistent store */
+ if (status == EFI_NOT_FOUND) {
+@@ -223,6 +224,8 @@ TEST_GROUP(SmmVariableServiceTests)
+ std::u16string m_ro_variable = to_variable_name(u"ro_variable");
+ std::u16string m_boot_finished_var_name = to_variable_name(u"finished");
+
++ uint32_t max_variable_size = 4096;
++
+ /* Cleanup skips these variables */
+ std::vector<std::u16string *> m_non_rm_vars{ &m_ro_variable, &m_boot_finished_var_name };
+
+@@ -654,7 +657,7 @@ TEST(SmmVariableServiceTests, enumerateStoreContents)
+ std::u16string *expected_variables[] = { &var_name_1, &var_name_2, &var_name_3 };
+
+ do {
+- efi_status = m_client->get_next_variable_name(guid, var_name);
++ efi_status = m_client->get_next_variable_name(guid, var_name, max_variable_size);
+ if (efi_status != EFI_SUCCESS)
+ break;
+
+--
+2.25.1
+
diff --git a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0013-Fix-error-handling-of-variable-index-loading.patch b/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0013-Fix-error-handling-of-variable-index-loading.patch
new file mode 100644
index 0000000000..978f2e52ad
--- /dev/null
+++ b/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0013-Fix-error-handling-of-variable-index-loading.patch
@@ -0,0 +1,82 @@
+From c62e728bb86981219984c8b39819fb8926a41e10 Mon Sep 17 00:00:00 2001
+From: Gabor Toth <gabor.toth2@arm.com>
+Date: Fri, 19 Apr 2024 18:25:23 +0200
+Subject: [PATCH 3/3] Fix error handling of variable index loading
+
+If loading of the variable index from Protected Storage fails, SmmGW
+will silently continue with empty variable store. This is a serious
+fault and a potential security risk.
+Change the code to produce a log output when this happens and stop
+loading the SP.
+
+Signed-off-by: Gabor Toth <gabor.toth2@arm.com>
+Upstream-Status: Submitted [https://review.trustedfirmware.org/c/TS/trusted-services/+/28300]
+---
+ .../backend/uefi_variable_store.c | 28 ++++++++++++++-----
+ 1 file changed, 21 insertions(+), 7 deletions(-)
+
+diff --git a/components/service/uefi/smm_variable/backend/uefi_variable_store.c b/components/service/uefi/smm_variable/backend/uefi_variable_store.c
+index caf6698aa..c1691dc8f 100644
+--- a/components/service/uefi/smm_variable/backend/uefi_variable_store.c
++++ b/components/service/uefi/smm_variable/backend/uefi_variable_store.c
+@@ -27,7 +27,7 @@
+ #include "service/crypto/client/psa/crypto_client.h"
+ #endif
+
+-static void load_variable_index(struct uefi_variable_store *context);
++static efi_status_t load_variable_index(struct uefi_variable_store *context);
+
+ static efi_status_t sync_variable_index(const struct uefi_variable_store *context);
+
+@@ -165,8 +165,10 @@ efi_status_t uefi_variable_store_init(struct uefi_variable_store *context, uint3
+
+ /* Load the variable index with NV variable info from the persistent store */
+ if (context->index_sync_buffer) {
+- load_variable_index(context);
+- purge_orphan_index_entries(context);
++ status = load_variable_index(context);
++
++ if (status == EFI_SUCCESS)
++ purge_orphan_index_entries(context);
+ }
+ }
+
+@@ -571,7 +573,7 @@ efi_status_t uefi_variable_store_get_var_check_property(
+ return status;
+ }
+
+-static void load_variable_index(struct uefi_variable_store *context)
++static efi_status_t load_variable_index(struct uefi_variable_store *context)
+ {
+ struct storage_backend *persistent_store = context->persistent_store.storage_backend;
+
+@@ -583,11 +585,23 @@ static void load_variable_index(struct uefi_variable_store *context)
+ SMM_VARIABLE_INDEX_STORAGE_UID, 0, context->index_sync_buffer_size,
+ context->index_sync_buffer, &data_len);
+
+- if (psa_status == PSA_SUCCESS) {
+- variable_index_restore(&context->variable_index, data_len,
+- context->index_sync_buffer);
++ switch(psa_status) {
++ case PSA_SUCCESS:
++ (void) variable_index_restore(&context->variable_index, data_len,
++ context->index_sync_buffer);
++ break;
++
++ case PSA_ERROR_DOES_NOT_EXIST:
++ IMSG("Index variable does not exist in NV store, continuing with empty index");
++ break;
++
++ default:
++ EMSG("Loading variable index failed: %d", psa_status);
++ return EFI_LOAD_ERROR;
+ }
+ }
++
++ return EFI_SUCCESS;
+ }
+
+ static efi_status_t sync_variable_index(const struct uefi_variable_store *context)
+--
+2.25.1
+
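Review bot: In the new `load_variable_index` the `PSA_SUCCESS` branch discards the result of `variable_index_restore` with a `(void)` cast, so if that call reports a malformed or truncated index blob through its return value (not visible in this hunk) the SP would still come up with a partial or empty index — the same silent-failure class this patch sets out to close; if the return carries a status it should be checked and turned into an `EMSG` plus an `EFI_LOAD_ERROR` return like the `default` case. The `PSA_ERROR_DOES_NOT_EXIST` branch still continues with an empty store on only an `IMSG`, which is reasonable for first boot but deserves to be stated, e.g. `/* Absent index is expected on first boot only; any other storage error is fatal so the SP never starts with a silently empty store */` above that case. Minor style: `switch(psa_status)` lacks the space before the parenthesis used elsewhere in this file. `uefi_variable_store_init` continues outside the hunk, so whether the new `status` value is actually returned to the caller (and thus stops SP loading as the description says) could not be confirmed here.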
diff --git a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0014-Provide-crypto-api-to-create-uefi-priv-var-fingerpri.patch b/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0014-Provide-crypto-api-to-create-uefi-priv-var-fingerpri.patch
new file mode 100644
index 0000000000..ae9a53fa97
--- /dev/null
+++ b/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0014-Provide-crypto-api-to-create-uefi-priv-var-fingerpri.patch
@@ -0,0 +1,758 @@
+From 370811420cfa1c14146f45de308bbccf70408eb8 Mon Sep 17 00:00:00 2001
+From: Gabor Toth <gabor.toth2@arm.com>
+Date: Fri, 5 Apr 2024 11:19:37 +0200
+Subject: [PATCH] Provide crypto api to create uefi priv var fingerprint
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Add new call to the crypto backend to calculate a hash of the common
+name of the signing certificate’s Subject and the tbsCertificate
+of the top-level issuer certificate.
+
+Signed-off-by: Gabor Toth <gabor.toth2@arm.com>
+Upstream-Status: Submitted [https://review.trustedfirmware.org/c/TS/trusted-services/+/27953]
+---
+ .../client/caller/packed-c/crypto_caller.h | 1 +
+ ...aller_get_uefi_priv_auth_var_fingerprint.h | 90 ++++++++
+ .../packed-c/packedc_crypto_client.cpp | 8 +
+ .../protocol/packed-c/packedc_crypto_client.h | 4 +
+ .../service/crypto/client/psa/component.cmake | 1 +
+ .../service/crypto/client/psa/crypto_client.h | 5 +
+ .../psa/get_uefi_priv_auth_var_fingerprint.c | 21 ++
+ .../service/crypto/provider/crypto_provider.c | 212 +++++++++++++++---
+ .../serializer/crypto_provider_serializer.h | 8 +
+ .../packedc_crypto_provider_serializer.c | 54 +++++
+ .../backend/direct/uefi_direct_backend.c | 90 ++++++++
+ deployments/smm-gateway/smm-gateway.cmake | 5 +
+ .../get_uefi_priv_auth_var_fingerprint.h | 21 ++
+ protocols/service/crypto/packed-c/opcodes.h | 1 +
+ 14 files changed, 488 insertions(+), 33 deletions(-)
+ create mode 100644 components/service/crypto/client/caller/packed-c/crypto_caller_get_uefi_priv_auth_var_fingerprint.h
+ create mode 100644 components/service/crypto/client/psa/get_uefi_priv_auth_var_fingerprint.c
+ create mode 100644 protocols/service/crypto/packed-c/get_uefi_priv_auth_var_fingerprint.h
+
+diff --git a/components/service/crypto/client/caller/packed-c/crypto_caller.h b/components/service/crypto/client/caller/packed-c/crypto_caller.h
+index d834bc207..d5dd0f70d 100644
+--- a/components/service/crypto/client/caller/packed-c/crypto_caller.h
++++ b/components/service/crypto/client/caller/packed-c/crypto_caller.h
+@@ -31,5 +31,6 @@
+ #include "crypto_caller_sign_hash.h"
+ #include "crypto_caller_verify_hash.h"
+ #include "crypto_caller_verify_pkcs7_signature.h"
++#include "crypto_caller_get_uefi_priv_auth_var_fingerprint.h"
+
+ #endif /* PACKEDC_CRYPTO_CALLER_H */
+diff --git a/components/service/crypto/client/caller/packed-c/crypto_caller_get_uefi_priv_auth_var_fingerprint.h b/components/service/crypto/client/caller/packed-c/crypto_caller_get_uefi_priv_auth_var_fingerprint.h
+new file mode 100644
+index 000000000..d3446e445
+--- /dev/null
++++ b/components/service/crypto/client/caller/packed-c/crypto_caller_get_uefi_priv_auth_var_fingerprint.h
+@@ -0,0 +1,90 @@
++/*
++ * Copyright (c) 2024, Arm Limited and Contributors. All rights reserved.
++ *
++ * SPDX-License-Identifier: BSD-3-Clause
++ */
++
++#ifndef PACKEDC_CRYPTO_CALLER_GET_UEFI_PRIV_AUTH_VAR_FINGERPRINT_H
++#define PACKEDC_CRYPTO_CALLER_GET_UEFI_PRIV_AUTH_VAR_FINGERPRINT_H
++
++#include <common/tlv/tlv.h>
++#include <protocols/common/efi/efi_status.h>
++#include <protocols/rpc/common/packed-c/status.h>
++#include <protocols/service/crypto/packed-c/opcodes.h>
++#include <protocols/service/crypto/packed-c/get_uefi_priv_auth_var_fingerprint.h>
++#include <service/common/client/service_client.h>
++#include <stdlib.h>
++#include <string.h>
++
++#ifdef __cplusplus
++extern "C" {
++#endif
++
++static inline int crypto_caller_get_uefi_priv_auth_var_fingerprint(struct service_client *context,
++ const uint8_t *signature_cert,
++ uint64_t signature_cert_len,
++ uint8_t *output)
++{
++ efi_status_t efi_status = EFI_SUCCESS;
++ size_t req_len = 0;
++
++ if (signature_cert_len > UINT16_MAX)
++ return RPC_ERROR_INVALID_VALUE;
++
++ struct tlv_record signature_record = {
++ .tag = TS_CRYPTO_GET_UEFI_PRIV_AUTH_VAR_FINGERPRINT_IN_TAG_SIGNATURE,
++ .length = (uint16_t)signature_cert_len,
++ .value = signature_cert
++ };
++
++ req_len += tlv_required_space(signature_record.length);
++
++ rpc_call_handle call_handle;
++ uint8_t *req_buf;
++
++ call_handle = rpc_caller_session_begin(context->session, &req_buf, req_len, 0);
++
++ if (call_handle) {
++ uint8_t *resp_buf;
++ size_t resp_len;
++ service_status_t service_status;
++ struct tlv_iterator req_iter;
++
++ tlv_iterator_begin(&req_iter, req_buf, req_len);
++ tlv_encode(&req_iter, &signature_record);
++
++ context->rpc_status = rpc_caller_session_invoke(
++ call_handle, TS_CRYPTO_OPCODE_GET_UEFI_PRIV_AUTH_VAR_FINGERPRINT, &resp_buf, &resp_len,
++ &service_status);
++
++ if (context->rpc_status == RPC_SUCCESS) {
++
++ if (service_status == EFI_SUCCESS) {
++
++ struct tlv_const_iterator resp_iter;
++ struct tlv_record decoded_record;
++ tlv_const_iterator_begin(&resp_iter, resp_buf, resp_len);
++
++ if (tlv_find_decode(&resp_iter,
++ TS_CRYPTO_GET_UEFI_PRIV_AUTH_VAR_FINGERPRINT_OUT_TAG_IDENTIFIER, &decoded_record)) {
++
++ memcpy(output, decoded_record.value, PSA_HASH_MAX_SIZE);
++ }
++ else {
++ /* Mandatory response parameter missing */
++ efi_status = EFI_INVALID_PARAMETER;
++ }
++ }
++ }
++
++ rpc_caller_session_end(call_handle);
++ }
++
++ return efi_status;
++}
++
++#ifdef __cplusplus
++}
++#endif
++
++#endif /* PACKEDC_CRYPTO_CALLER_GET_UEFI_PRIV_AUTH_VAR_FINGERPRINT_H */
+diff --git a/components/service/crypto/client/cpp/protocol/packed-c/packedc_crypto_client.cpp b/components/service/crypto/client/cpp/protocol/packed-c/packedc_crypto_client.cpp
+index aaa71f0c8..e0f6a15a8 100644
+--- a/components/service/crypto/client/cpp/protocol/packed-c/packedc_crypto_client.cpp
++++ b/components/service/crypto/client/cpp/protocol/packed-c/packedc_crypto_client.cpp
+@@ -428,3 +428,11 @@ int packedc_crypto_client::verify_pkcs7_signature(const uint8_t *signature_cert,
+ hash, hash_len, public_key_cert,
+ public_key_cert_len);
+ }
++
++int packedc_crypto_client::get_uefi_priv_auth_var_fingerprint(const uint8_t *signature_cert,
++ uint64_t signature_cert_len,
++ uint8_t *output)
++{
++ return crypto_caller_get_uefi_priv_auth_var_fingerprint(&m_client, signature_cert, signature_cert_len,
++ output);
++}
+diff --git a/components/service/crypto/client/cpp/protocol/packed-c/packedc_crypto_client.h b/components/service/crypto/client/cpp/protocol/packed-c/packedc_crypto_client.h
+index 8d4f60cf9..ec6c51c7f 100644
+--- a/components/service/crypto/client/cpp/protocol/packed-c/packedc_crypto_client.h
++++ b/components/service/crypto/client/cpp/protocol/packed-c/packedc_crypto_client.h
+@@ -236,6 +236,10 @@ public:
+ int verify_pkcs7_signature(const uint8_t *signature_cert, uint64_t signature_cert_len,
+ const uint8_t *hash, uint64_t hash_len,
+ const uint8_t *public_key_cert, uint64_t public_key_cert_len);
++
++ int get_uefi_priv_auth_var_fingerprint(const uint8_t *signature_cert,
++ uint64_t signature_cert_len,
++ uint8_t *output);
+ };
+
+ #endif /* PACKEDC_CRYPTO_CLIENT_H */
+diff --git a/components/service/crypto/client/psa/component.cmake b/components/service/crypto/client/psa/component.cmake
+index 359db3b4a..5bee0c652 100644
+--- a/components/service/crypto/client/psa/component.cmake
++++ b/components/service/crypto/client/psa/component.cmake
+@@ -32,4 +32,5 @@ target_sources(${TGT} PRIVATE
+ "${CMAKE_CURRENT_LIST_DIR}/psa_sign_message.c"
+ "${CMAKE_CURRENT_LIST_DIR}/psa_verify_message.c"
+ "${CMAKE_CURRENT_LIST_DIR}/verify_pkcs7_signature.c"
++ "${CMAKE_CURRENT_LIST_DIR}/get_uefi_priv_auth_var_fingerprint.c"
+ )
+diff --git a/components/service/crypto/client/psa/crypto_client.h b/components/service/crypto/client/psa/crypto_client.h
+index 4b59bbe32..af04df11e 100644
+--- a/components/service/crypto/client/psa/crypto_client.h
++++ b/components/service/crypto/client/psa/crypto_client.h
+@@ -7,10 +7,15 @@
+ #ifndef CRYPTO_CLIENT_H
+ #define CRYPTO_CLIENT_H
+
++#include <stddef.h>
+ #include <stdint.h>
+
+ int verify_pkcs7_signature(const uint8_t *signature_cert, uint64_t signature_cert_len,
+ const uint8_t *hash, uint64_t hash_len, const uint8_t *public_key_cert,
+ uint64_t public_key_cert_len);
+
++int get_uefi_priv_auth_var_fingerprint_handler(const uint8_t *signature_cert,
++ uint64_t signature_cert_len,
++ uint8_t *output);
++
+ #endif /* CRYPTO_CLIENT_H */
+diff --git a/components/service/crypto/client/psa/get_uefi_priv_auth_var_fingerprint.c b/components/service/crypto/client/psa/get_uefi_priv_auth_var_fingerprint.c
+new file mode 100644
+index 000000000..702aaa0c4
+--- /dev/null
++++ b/components/service/crypto/client/psa/get_uefi_priv_auth_var_fingerprint.c
+@@ -0,0 +1,21 @@
++/*
++ * Copyright (c) 2024, Arm Limited and Contributors. All rights reserved.
++ *
++ * SPDX-License-Identifier: BSD-3-Clause
++ */
++
++#include "crypto_caller_selector.h"
++#include "crypto_client.h"
++#include "psa_crypto_client.h"
++
++int get_uefi_priv_auth_var_fingerprint_handler(const uint8_t *signature_cert,
++ uint64_t signature_cert_len,
++ uint8_t *output)
++{
++ if (psa_crypto_client_instance.init_status != PSA_SUCCESS)
++ return psa_crypto_client_instance.init_status;
++
++ return crypto_caller_get_uefi_priv_auth_var_fingerprint(&psa_crypto_client_instance.base,
++ signature_cert, signature_cert_len,
++ output);
++}
+diff --git a/components/service/crypto/provider/crypto_provider.c b/components/service/crypto/provider/crypto_provider.c
+index 9cd520859..4535d6dbe 100644
+--- a/components/service/crypto/provider/crypto_provider.c
++++ b/components/service/crypto/provider/crypto_provider.c
+@@ -3,12 +3,15 @@
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
++#include <protocols/common/efi/efi_status.h>
+ #include <protocols/rpc/common/packed-c/status.h>
+ #include <protocols/service/crypto/packed-c/opcodes.h>
+ #include <service/crypto/backend/crypto_backend.h>
+ #include <service/crypto/provider/crypto_provider.h>
++#include <compiler.h>
+ #include <stdint.h>
+ #include <stdlib.h>
++#include <string.h>
+
+ #include "crypto_partition.h"
+ #include "crypto_uuid.h"
+@@ -28,25 +31,27 @@ static rpc_status_t copy_key_handler(void *context, struct rpc_request *req);
+ static rpc_status_t purge_key_handler(void *context, struct rpc_request *req);
+ static rpc_status_t get_key_attributes_handler(void *context, struct rpc_request *req);
+ static rpc_status_t verify_pkcs7_signature_handler(void *context, struct rpc_request *req);
++static rpc_status_t get_uefi_priv_auth_var_fingerprint_handler(void *context, struct rpc_request *req);
+
+ /* Handler mapping table for service */
+ static const struct service_handler handler_table[] = {
+- { TS_CRYPTO_OPCODE_GENERATE_KEY, generate_key_handler },
+- { TS_CRYPTO_OPCODE_DESTROY_KEY, destroy_key_handler },
+- { TS_CRYPTO_OPCODE_EXPORT_KEY, export_key_handler },
+- { TS_CRYPTO_OPCODE_EXPORT_PUBLIC_KEY, export_public_key_handler },
+- { TS_CRYPTO_OPCODE_IMPORT_KEY, import_key_handler },
+- { TS_CRYPTO_OPCODE_SIGN_HASH, asymmetric_sign_handler },
+- { TS_CRYPTO_OPCODE_VERIFY_HASH, asymmetric_verify_handler },
+- { TS_CRYPTO_OPCODE_ASYMMETRIC_DECRYPT, asymmetric_decrypt_handler },
+- { TS_CRYPTO_OPCODE_ASYMMETRIC_ENCRYPT, asymmetric_encrypt_handler },
+- { TS_CRYPTO_OPCODE_GENERATE_RANDOM, generate_random_handler },
+- { TS_CRYPTO_OPCODE_COPY_KEY, copy_key_handler },
+- { TS_CRYPTO_OPCODE_PURGE_KEY, purge_key_handler },
+- { TS_CRYPTO_OPCODE_GET_KEY_ATTRIBUTES, get_key_attributes_handler },
+- { TS_CRYPTO_OPCODE_SIGN_MESSAGE, asymmetric_sign_handler },
+- { TS_CRYPTO_OPCODE_VERIFY_MESSAGE, asymmetric_verify_handler },
+- { TS_CRYPTO_OPCODE_VERIFY_PKCS7_SIGNATURE, verify_pkcs7_signature_handler },
++ { TS_CRYPTO_OPCODE_GENERATE_KEY, generate_key_handler },
++ { TS_CRYPTO_OPCODE_DESTROY_KEY, destroy_key_handler },
++ { TS_CRYPTO_OPCODE_EXPORT_KEY, export_key_handler },
++ { TS_CRYPTO_OPCODE_EXPORT_PUBLIC_KEY, export_public_key_handler },
++ { TS_CRYPTO_OPCODE_IMPORT_KEY, import_key_handler },
++ { TS_CRYPTO_OPCODE_SIGN_HASH, asymmetric_sign_handler },
++ { TS_CRYPTO_OPCODE_VERIFY_HASH, asymmetric_verify_handler },
++ { TS_CRYPTO_OPCODE_ASYMMETRIC_DECRYPT, asymmetric_decrypt_handler },
++ { TS_CRYPTO_OPCODE_ASYMMETRIC_ENCRYPT, asymmetric_encrypt_handler },
++ { TS_CRYPTO_OPCODE_GENERATE_RANDOM, generate_random_handler },
++ { TS_CRYPTO_OPCODE_COPY_KEY, copy_key_handler },
++ { TS_CRYPTO_OPCODE_PURGE_KEY, purge_key_handler },
++ { TS_CRYPTO_OPCODE_GET_KEY_ATTRIBUTES, get_key_attributes_handler },
++ { TS_CRYPTO_OPCODE_SIGN_MESSAGE, asymmetric_sign_handler },
++ { TS_CRYPTO_OPCODE_VERIFY_MESSAGE, asymmetric_verify_handler },
++ { TS_CRYPTO_OPCODE_VERIFY_PKCS7_SIGNATURE, verify_pkcs7_signature_handler },
++ { TS_CRYPTO_OPCODE_GET_UEFI_PRIV_AUTH_VAR_FINGERPRINT, get_uefi_priv_auth_var_fingerprint_handler },
+ };
+
+ struct rpc_service_interface *
+@@ -664,33 +669,44 @@ static rpc_status_t verify_pkcs7_signature_handler(void *context, struct rpc_req
+ }
+
+ if (rpc_status == RPC_SUCCESS) {
+- /* Parse the public key certificate */
+- mbedtls_x509_crt signer_certificate;
++ /* Parse the PKCS#7 DER encoded signature block */
++ mbedtls_pkcs7 pkcs7_structure;
+
+- mbedtls_x509_crt_init(&signer_certificate);
++ mbedtls_pkcs7_init(&pkcs7_structure);
+
+- mbedtls_status = mbedtls_x509_crt_parse_der(&signer_certificate, public_key_cert,
+- public_key_cert_len);
++ mbedtls_status = mbedtls_pkcs7_parse_der(&pkcs7_structure, signature_cert,
++ signature_cert_len);
+
+- if (mbedtls_status == 0) {
+- /* Parse the PKCS#7 DER encoded signature block */
+- mbedtls_pkcs7 pkcs7_structure;
++ if (mbedtls_status == MBEDTLS_PKCS7_SIGNED_DATA) {
+
+- mbedtls_pkcs7_init(&pkcs7_structure);
++ /*
++ * If a separate public key is provided, verify the signature with it,
++ * else use the key from the pkcs7 signature structure, because it is
++ * a self-signed certificate.
++ */
++ if(public_key_cert_len) {
++ /* Parse the public key certificate */
++ mbedtls_x509_crt signer_certificate;
+
+- mbedtls_status = mbedtls_pkcs7_parse_der(&pkcs7_structure, signature_cert,
+- signature_cert_len);
++ mbedtls_x509_crt_init(&signer_certificate);
+
+- if (mbedtls_status == MBEDTLS_PKCS7_SIGNED_DATA) {
+- /* Verify hash against signed hash */
++ mbedtls_status = mbedtls_x509_crt_parse_der(&signer_certificate, public_key_cert,
++ public_key_cert_len);
++
++ if (mbedtls_status == 0) {
++ /* Verify hash against signed hash */
++ mbedtls_status = mbedtls_pkcs7_signed_hash_verify(
++ &pkcs7_structure, &signer_certificate, hash, hash_len);
++ }
++
++ mbedtls_x509_crt_free(&signer_certificate);
++ } else {
+ mbedtls_status = mbedtls_pkcs7_signed_hash_verify(
+- &pkcs7_structure, &signer_certificate, hash, hash_len);
++ &pkcs7_structure, &pkcs7_structure.private_signed_data.private_certs, hash, hash_len);
+ }
+-
+- mbedtls_pkcs7_free(&pkcs7_structure);
+ }
+
+- mbedtls_x509_crt_free(&signer_certificate);
++ mbedtls_pkcs7_free(&pkcs7_structure);
+ }
+
+ free(signature_cert);
+@@ -702,6 +718,128 @@ static rpc_status_t verify_pkcs7_signature_handler(void *context, struct rpc_req
+
+ return rpc_status;
+ }
++
++/*
++ * Official value: http://www.oid-info.com/get/2.5.4.3
++ * Hex converter: https://misc.daniel-marschall.de/asn.1/oid-converter/online.php
++ */
++static const mbedtls_asn1_buf* findCommonName(const mbedtls_x509_name *name)
++{
++ uint8_t CN_oid_tag = 0x06;
++ uint8_t CN_oid_len = 0x03;
++ uint8_t CN_oid_val[3] = {0x55, 0x04, 0x03};
++
++ while (name)
++ {
++ if (name->oid.tag == CN_oid_tag && name->oid.len == CN_oid_len) {
++ if (name->oid.p != NULL) {
++ if (!memcmp(name->oid.p, CN_oid_val, CN_oid_len))
++ return &name->val;
++ }
++ }
++
++ name = name->next;
++ }
++
++ return NULL;
++}
++
++static rpc_status_t get_uefi_priv_auth_var_fingerprint_handler(void *context, struct rpc_request *req)
++{
++ rpc_status_t rpc_status = RPC_ERROR_INTERNAL;
++ struct rpc_buffer *req_buf = &req->request;
++ const struct crypto_provider_serializer *serializer = get_crypto_serializer(context, req);
++
++ int mbedtls_status = MBEDTLS_ERR_PKCS7_VERIFY_FAIL;
++
++ uint8_t *signature_cert = NULL;
++ uint64_t signature_cert_len = 0;
++
++ if (serializer) {
++ /* First collect the lengths of the field */
++ rpc_status = serializer->deserialize_get_uefi_priv_auth_var_fingerprint_req(
++ req_buf, NULL, &signature_cert_len);
++
++ if (rpc_status == RPC_SUCCESS) {
++ /* Allocate the needed space and get the data */
++ signature_cert = (uint8_t *)malloc(signature_cert_len);
++
++ if (signature_cert) {
++ rpc_status = serializer->deserialize_get_uefi_priv_auth_var_fingerprint_req(
++ req_buf, signature_cert, &signature_cert_len);
++ } else {
++ rpc_status = RPC_ERROR_RESOURCE_FAILURE;
++ }
++ }
++ }
++
++ if (rpc_status == RPC_SUCCESS) {
++ /* Parse the PKCS#7 DER encoded signature block */
++ mbedtls_pkcs7 pkcs7_structure;
++
++ mbedtls_pkcs7_init(&pkcs7_structure);
++
++ mbedtls_status = mbedtls_pkcs7_parse_der(&pkcs7_structure, signature_cert,
++ signature_cert_len);
++
++ if (mbedtls_status == MBEDTLS_PKCS7_SIGNED_DATA) {
++
++ uint8_t output_buffer[PSA_HASH_MAX_SIZE] = { 0 };
++ size_t __maybe_unused output_size = 0;
++ const mbedtls_asn1_buf *signerCertCN = NULL;
++ const mbedtls_x509_crt *topLevelCert = &pkcs7_structure.private_signed_data.private_certs;
++ const mbedtls_x509_buf *toplevelCertTbs = NULL;
++ struct rpc_buffer *resp_buf = &req->response;;
++ psa_hash_operation_t op = PSA_HASH_OPERATION_INIT;
++
++ /* Find common name field of the signing certificate, which is the first in the chain */
++ signerCertCN = findCommonName(&topLevelCert->subject);
++ if (!signerCertCN)
++ mbedtls_status = MBEDTLS_ERR_PKCS7_VERIFY_FAIL;
++
++ /* Get the TopLevel certificate which is the last in the chain */
++ while(topLevelCert->next)
++ topLevelCert = topLevelCert->next;
++ toplevelCertTbs = &topLevelCert->tbs;
++
++ /* Hash the data to create the fingerprint */
++ op = psa_hash_operation_init();
++
++ if (psa_hash_setup(&op, PSA_ALG_SHA_256) != PSA_SUCCESS)
++ mbedtls_status = MBEDTLS_ERR_PKCS7_VERIFY_FAIL;
++
++ if (psa_hash_update(&op, signerCertCN->p, signerCertCN->len)) {
++ psa_hash_abort(&op);
++ mbedtls_status = MBEDTLS_ERR_PKCS7_VERIFY_FAIL;
++ }
++
++ if (psa_hash_update(&op, toplevelCertTbs->p, toplevelCertTbs->len)) {
++ psa_hash_abort(&op);
++ mbedtls_status = MBEDTLS_ERR_PKCS7_VERIFY_FAIL;
++ }
++
++ if (psa_hash_finish(&op, (uint8_t*)&output_buffer, PSA_HASH_MAX_SIZE, &output_size)) {
++ psa_hash_abort(&op);
++ mbedtls_status = MBEDTLS_ERR_PKCS7_VERIFY_FAIL;
++ }
++
++ /* Clear the remaining part of the buffer for consistency */
++ memset(&output_buffer[output_size], 0, PSA_HASH_MAX_SIZE - output_size);
++
++ rpc_status = serializer->serialize_get_uefi_priv_auth_var_fingerprint_resp(
++ resp_buf, (uint8_t*)&output_buffer);
++ }
++
++ mbedtls_pkcs7_free(&pkcs7_structure);
++ }
++
++ free(signature_cert);
++
++ /* Provide the result of the verification */
++ req->service_status = (mbedtls_status == MBEDTLS_PKCS7_SIGNED_DATA) ? EFI_SUCCESS : EFI_COMPROMISED_DATA;
++
++ return rpc_status;
++}
+ #else
+ static rpc_status_t verify_pkcs7_signature_handler(void *context, struct rpc_request *req)
+ {
+@@ -710,4 +848,12 @@ static rpc_status_t verify_pkcs7_signature_handler(void *context, struct rpc_req
+
+ return RPC_ERROR_INTERNAL;
+ }
++
++static rpc_status_t get_uefi_priv_auth_var_fingerprint_handler(void *context, struct rpc_request *req)
++{
++ (void)context;
++ (void)req;
++
++ return RPC_ERROR_INTERNAL;
++}
+ #endif
+diff --git a/components/service/crypto/provider/serializer/crypto_provider_serializer.h b/components/service/crypto/provider/serializer/crypto_provider_serializer.h
+index bd5336c3d..2b965afdb 100644
+--- a/components/service/crypto/provider/serializer/crypto_provider_serializer.h
++++ b/components/service/crypto/provider/serializer/crypto_provider_serializer.h
+@@ -126,6 +126,14 @@ struct crypto_provider_serializer {
+ uint8_t *hash, uint64_t *hash_len,
+ uint8_t *public_key_cert,
+ uint64_t *public_key_cert_len);
++
++ /* Operation: get_uefi_priv_auth_var_fingerprintentifier */
++ rpc_status_t (*deserialize_get_uefi_priv_auth_var_fingerprint_req)(const struct rpc_buffer *req_buf,
++ uint8_t *signed_data,
++ uint64_t *signed_data_len);
++
++ rpc_status_t (*serialize_get_uefi_priv_auth_var_fingerprint_resp)(struct rpc_buffer *resp_buf,
++ const uint8_t *output);
+ };
+
+ #endif /* CRYPTO_PROVIDER_SERIALIZER_H */
+diff --git a/components/service/crypto/provider/serializer/packed-c/packedc_crypto_provider_serializer.c b/components/service/crypto/provider/serializer/packed-c/packedc_crypto_provider_serializer.c
+index 050ef2f7d..89e07e2c8 100644
+--- a/components/service/crypto/provider/serializer/packed-c/packedc_crypto_provider_serializer.c
++++ b/components/service/crypto/provider/serializer/packed-c/packedc_crypto_provider_serializer.c
+@@ -22,6 +22,7 @@
+ #include <protocols/service/crypto/packed-c/sign_hash.h>
+ #include <protocols/service/crypto/packed-c/verify_hash.h>
+ #include <protocols/service/crypto/packed-c/verify_pkcs7_signature.h>
++#include <protocols/service/crypto/packed-c/get_uefi_priv_auth_var_fingerprint.h>
+ #include <service/crypto/backend/crypto_backend.h>
+ #include <stdlib.h>
+ #include <string.h>
+@@ -675,6 +676,57 @@ static rpc_status_t deserialize_verify_pkcs7_signature_req(
+ return rpc_status;
+ }
+
++/* Operation: get_uefi_priv_auth_var_fingerprintentifier */
++static rpc_status_t deserialize_get_uefi_priv_auth_var_fingerprint_req(const struct rpc_buffer *req_buf,
++ uint8_t *signed_data,
++ uint64_t *signed_data_len)
++{
++ rpc_status_t rpc_status = RPC_ERROR_INVALID_REQUEST_BODY;
++
++ if (req_buf->data_length) {
++ struct tlv_const_iterator req_iter;
++ struct tlv_record decoded_record;
++
++ rpc_status = RPC_SUCCESS;
++
++ tlv_const_iterator_begin(&req_iter, (uint8_t *)req_buf->data, req_buf->data_length);
++
++ if (tlv_find_decode(&req_iter, TS_CRYPTO_GET_UEFI_PRIV_AUTH_VAR_FINGERPRINT_IN_TAG_SIGNATURE,
++ &decoded_record)) {
++ *signed_data_len = decoded_record.length;
++
++ if (signed_data)
++ memcpy(signed_data, decoded_record.value, decoded_record.length);
++ } else {
++ /* Default to a zero length */
++ *signed_data_len = 0;
++ }
++ }
++
++ return rpc_status;
++}
++
++static rpc_status_t serialize_get_uefi_priv_auth_var_fingerprint_resp(struct rpc_buffer *resp_buf,
++ const uint8_t *output)
++{
++ rpc_status_t rpc_status = RPC_ERROR_INTERNAL;
++ struct tlv_iterator resp_iter;
++ struct tlv_record out_record;
++
++ out_record.tag = TS_CRYPTO_GET_UEFI_PRIV_AUTH_VAR_FINGERPRINT_OUT_TAG_IDENTIFIER;
++ out_record.length = PSA_HASH_MAX_SIZE;
++ out_record.value = output;
++
++ tlv_iterator_begin(&resp_iter, resp_buf->data, resp_buf->size);
++
++ if (tlv_encode(&resp_iter, &out_record)) {
++ resp_buf->data_length = tlv_required_space(PSA_HASH_MAX_SIZE);
++ rpc_status = RPC_SUCCESS;
++ }
++
++ return rpc_status;
++}
++
+ /* Singleton method to provide access to the serializer instance */
+ const struct crypto_provider_serializer *packedc_crypto_provider_serializer_instance(void)
+ {
+@@ -704,6 +756,8 @@ const struct crypto_provider_serializer *packedc_crypto_provider_serializer_inst
+ deserialize_generate_random_req,
+ serialize_generate_random_resp,
+ deserialize_verify_pkcs7_signature_req,
++ deserialize_get_uefi_priv_auth_var_fingerprint_req,
++ serialize_get_uefi_priv_auth_var_fingerprint_resp
+ };
+
+ return &instance;
+diff --git a/components/service/uefi/smm_variable/backend/direct/uefi_direct_backend.c b/components/service/uefi/smm_variable/backend/direct/uefi_direct_backend.c
+index bf978c5dd..c7ca07254 100644
+--- a/components/service/uefi/smm_variable/backend/direct/uefi_direct_backend.c
++++ b/components/service/uefi/smm_variable/backend/direct/uefi_direct_backend.c
+@@ -9,6 +9,8 @@
+ #include <mbedtls/pkcs7.h>
+ #include <mbedtls/x509_crt.h>
+ #include <stdint.h>
++#include <string.h>
++#include <compiler.h>
+
+ int verify_pkcs7_signature(const uint8_t *signature_cert, uint64_t signature_cert_len,
+ const uint8_t *hash, uint64_t hash_len, const uint8_t *public_key_cert,
+@@ -46,3 +48,91 @@ int verify_pkcs7_signature(const uint8_t *signature_cert, uint64_t signature_cer
+
+ return mbedtls_status;
+ }
++
++/*
++ * Official value: http://www.oid-info.com/get/2.5.4.3
++ * Hex converter: https://misc.daniel-marschall.de/asn.1/oid-converter/online.php
++ */
++static const mbedtls_asn1_buf* findCommonName(const mbedtls_x509_name *name)
++{
++ uint8_t CN_oid_tag = 0x06;
++ uint8_t CN_oid_len = 0x03;
++ uint8_t CN_oid_val[3] = {0x55, 0x04, 0x03};
++
++ while (name)
++ {
++ if (name->oid.tag == CN_oid_tag && name->oid.len == CN_oid_len) {
++ if (name->oid.p != NULL) {
++ if (!memcmp(name->oid.p, CN_oid_val, CN_oid_len))
++ return &name->val;
++ }
++ }
++
++ name = name->next;
++ }
++
++ return NULL;
++}
++
++int get_uefi_priv_auth_var_fingerprint_handler(const uint8_t *signature_cert,
++ uint64_t signature_cert_len,
++ uint8_t *output)
++{
++ int mbedtls_status = MBEDTLS_ERR_PKCS7_VERIFY_FAIL;
++
++ /* Parse the PKCS#7 DER encoded signature block */
++ mbedtls_pkcs7 pkcs7_structure;
++
++ mbedtls_pkcs7_init(&pkcs7_structure);
++
++ mbedtls_status = mbedtls_pkcs7_parse_der(&pkcs7_structure, signature_cert,
++ signature_cert_len);
++
++ if (mbedtls_status == MBEDTLS_PKCS7_SIGNED_DATA) {
++
++ uint8_t output_buffer[PSA_HASH_MAX_SIZE] = { 0 };
++ size_t __maybe_unused output_size = 0;
++ const mbedtls_asn1_buf *signerCertCN = NULL;
++ const mbedtls_x509_crt *topLevelCert = &pkcs7_structure.private_signed_data.private_certs;
++ const mbedtls_x509_buf *toplevelCertTbs = NULL;
++ psa_hash_operation_t op = PSA_HASH_OPERATION_INIT;
++
++ /* Find common name field of the signing certificate, which is the first in the chain */
++ signerCertCN = findCommonName(&topLevelCert->subject);
++ if (!signerCertCN)
++ mbedtls_status = MBEDTLS_ERR_PKCS7_VERIFY_FAIL;
++
++ /* Get the TopLevel certificate which is the last in the chain */
++ while(topLevelCert->next)
++ topLevelCert = topLevelCert->next;
++ toplevelCertTbs = &topLevelCert->tbs;
++
++ /* Hash the data to create the fingerprint */
++ op = psa_hash_operation_init();
++
++ if (psa_hash_setup(&op, PSA_ALG_SHA_256) != PSA_SUCCESS)
++ mbedtls_status = MBEDTLS_ERR_PKCS7_VERIFY_FAIL;
++
++ if (psa_hash_update(&op, signerCertCN->p, signerCertCN->len)) {
++ psa_hash_abort(&op);
++ mbedtls_status = MBEDTLS_ERR_PKCS7_VERIFY_FAIL;
++ }
++
++ if (psa_hash_update(&op, toplevelCertTbs->p, toplevelCertTbs->len)) {
++ psa_hash_abort(&op);
++ mbedtls_status = MBEDTLS_ERR_PKCS7_VERIFY_FAIL;
++ }
++
++ if (psa_hash_finish(&op, (uint8_t*)&output_buffer, PSA_HASH_MAX_SIZE, &output_size)) {
++ psa_hash_abort(&op);
++ mbedtls_status = MBEDTLS_ERR_PKCS7_VERIFY_FAIL;
++ }
++
++ /* Clear the remaining part of the buffer for consistency */
++ memset(&output_buffer[output_size], 0, PSA_HASH_MAX_SIZE - output_size);
++ }
++
++ mbedtls_pkcs7_free(&pkcs7_structure);
++
++ return mbedtls_status;
++}
+diff --git a/deployments/smm-gateway/smm-gateway.cmake b/deployments/smm-gateway/smm-gateway.cmake
+index e5ee03b60..de519892d 100644
+--- a/deployments/smm-gateway/smm-gateway.cmake
++++ b/deployments/smm-gateway/smm-gateway.cmake
+@@ -17,6 +17,11 @@ include(${TS_ROOT}/external/MbedTLS/MbedTLS.cmake)
+ target_link_libraries(smm-gateway PRIVATE MbedTLS::mbedcrypto)
+ target_link_libraries(smm-gateway PRIVATE MbedTLS::mbedx509)
+
++# Pass the location of the mbedtls config file to C preprocessor.
++target_compile_definitions(smm-gateway PRIVATE
++ MBEDTLS_USER_CONFIG_FILE="${MBEDTLS_USER_CONFIG_FILE}"
++)
++
+ target_compile_definitions(smm-gateway PRIVATE
+ -DUEFI_INTERNAL_CRYPTO
+ )
+diff --git a/protocols/service/crypto/packed-c/get_uefi_priv_auth_var_fingerprint.h b/protocols/service/crypto/packed-c/get_uefi_priv_auth_var_fingerprint.h
+new file mode 100644
+index 000000000..29964b33c
+--- /dev/null
++++ b/protocols/service/crypto/packed-c/get_uefi_priv_auth_var_fingerprint.h
+@@ -0,0 +1,21 @@
++/*
++ * Copyright (c) 2024, Arm Limited and Contributors. All rights reserved.
++ * SPDX-License-Identifier: BSD-3-Clause
++ */
++
++#ifndef TS_CRYPTO_GET_UEFI_PRIV_AUTH_VAR_FINGERPRINT_H
++#define TS_CRYPTO_GET_UEFI_PRIV_AUTH_VAR_FINGERPRINT_H
++
++#include <stdint.h>
++
++/* Variable length output parameter tags */
++enum {
++ TS_CRYPTO_GET_UEFI_PRIV_AUTH_VAR_FINGERPRINT_OUT_TAG_IDENTIFIER = 1,
++};
++
++/* Variable length input parameter tags */
++enum {
++ TS_CRYPTO_GET_UEFI_PRIV_AUTH_VAR_FINGERPRINT_IN_TAG_SIGNATURE = 1,
++};
++
++#endif /* TS_CRYPTO_GET_UEFI_PRIV_AUTH_VAR_FINGERPRINT_H */
+diff --git a/protocols/service/crypto/packed-c/opcodes.h b/protocols/service/crypto/packed-c/opcodes.h
+index 35b81599b..8bc2b49b0 100644
+--- a/protocols/service/crypto/packed-c/opcodes.h
++++ b/protocols/service/crypto/packed-c/opcodes.h
+@@ -28,6 +28,7 @@
+ #define TS_CRYPTO_OPCODE_SIGN_MESSAGE (TS_CRYPTO_OPCODE_BASE + 16)
+ #define TS_CRYPTO_OPCODE_VERIFY_MESSAGE (TS_CRYPTO_OPCODE_BASE + 17)
+ #define TS_CRYPTO_OPCODE_VERIFY_PKCS7_SIGNATURE (TS_CRYPTO_OPCODE_BASE + 18)
++#define TS_CRYPTO_OPCODE_GET_UEFI_PRIV_AUTH_VAR_FINGERPRINT (TS_CRYPTO_OPCODE_BASE + 19)
+
+ /* Hash operations */
+ #define TS_CRYPTO_OPCODE_HASH_BASE (0x0200)
+--
+2.25.1
+
diff --git a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0015-Add-timestamp-validation-for-uefi-variables.patch b/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0015-Add-timestamp-validation-for-uefi-variables.patch
new file mode 100644
index 0000000000..26e7df5fd2
--- /dev/null
+++ b/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0015-Add-timestamp-validation-for-uefi-variables.patch
@@ -0,0 +1,146 @@
+From 5b418e141aadcb6604406f75e156317bd143d898 Mon Sep 17 00:00:00 2001
+From: Gabor Toth <gabor.toth2@arm.com>
+Date: Fri, 5 Apr 2024 11:27:15 +0200
+Subject: [PATCH 1/3] Add timestamp validation for uefi variables
+
+Return failure if uefi variable creation or update is not
+requested with newer timestamp.
+
+Signed-off-by: Gabor Toth <gabor.toth2@arm.com>
+Upstream-Status: Submitted [https://review.trustedfirmware.org/c/TS/trusted-services/+/27955]
+---
+ .../backend/uefi_variable_store.c | 35 +++++++++++++++----
+ .../smm_variable/backend/variable_index.c | 1 +
+ .../smm_variable/backend/variable_index.h | 1 +
+ 3 files changed, 30 insertions(+), 7 deletions(-)
+
+diff --git a/components/service/uefi/smm_variable/backend/uefi_variable_store.c b/components/service/uefi/smm_variable/backend/uefi_variable_store.c
+index c1691dc8f..1b624f0c9 100644
+--- a/components/service/uefi/smm_variable/backend/uefi_variable_store.c
++++ b/components/service/uefi/smm_variable/backend/uefi_variable_store.c
+@@ -76,6 +76,7 @@ static efi_status_t verify_var_by_key_var(const efi_data_map *new_var,
+ const uint8_t *hash_buffer, size_t hash_len);
+
+ static efi_status_t authenticate_variable(const struct uefi_variable_store *context,
++ EFI_TIME *timestamp,
+ SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE *var);
+ #endif
+
+@@ -197,6 +198,7 @@ efi_status_t uefi_variable_store_set_variable(const struct uefi_variable_store *
+ const SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE *var)
+ {
+ bool should_sync_index = false;
++ EFI_TIME timestamp = { 0 };
+
+ /* Validate incoming request */
+ efi_status_t status = check_name_terminator(var->Name, var->NameSize);
+@@ -225,6 +227,9 @@ efi_status_t uefi_variable_store_set_variable(const struct uefi_variable_store *
+ return EFI_OUT_OF_RESOURCES;
+ }
+
++ /* Save the timestamp into a buffer, which can be overwritten by the authentication function */
++ memcpy(&timestamp, &info->metadata.timestamp, sizeof(EFI_TIME));
++
+ /* Control access */
+ status = check_access_permitted_on_set(context, info, var);
+
+@@ -240,7 +245,7 @@ efi_status_t uefi_variable_store_set_variable(const struct uefi_variable_store *
+ if (info->metadata.attributes &
+ EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS) {
+ status = authenticate_variable(
+- context, (SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE *)var);
++ context, &timestamp, (SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE *)var);
+
+ if (status != EFI_SUCCESS)
+ return status;
+@@ -326,7 +331,7 @@ efi_status_t uefi_variable_store_set_variable(const struct uefi_variable_store *
+ */
+ if (var->Attributes & EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS) {
+ status = authenticate_variable(
+- context, (SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE *)var);
++ context, &timestamp, (SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE *)var);
+
+ if (status != EFI_SUCCESS)
+ return status;
+@@ -358,9 +363,11 @@ efi_status_t uefi_variable_store_set_variable(const struct uefi_variable_store *
+ if (should_sync_index)
+ status = sync_variable_index(context);
+
+- /* Store any variable data to the storage backend */
+- if (info->is_variable_set && (status == EFI_SUCCESS))
++ /* Store any variable data to the storage backend with the updated metadata */
++ if (info->is_variable_set && (status == EFI_SUCCESS)) {
++ memcpy(&info->metadata.timestamp, &timestamp, sizeof(EFI_TIME));
+ status = store_variable_data(context, info, var);
++ }
+ }
+
+ variable_index_remove_unused_entry(&context->variable_index, info);
+@@ -1106,6 +1113,7 @@ static efi_status_t verify_var_by_key_var(const efi_data_map *new_var,
+ * then verifies it.
+ */
+ static efi_status_t authenticate_variable(const struct uefi_variable_store *context,
++ EFI_TIME *timestamp,
+ SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE *var)
+ {
+ efi_status_t status = EFI_SUCCESS;
+@@ -1223,9 +1231,7 @@ static efi_status_t authenticate_variable(const struct uefi_variable_store *cont
+ *
+ * UEFI: Page 253
+ * 2. Verify that Pad1, Nanosecond, TimeZone, Daylight and Pad2 components
+- * of the TimeStamp value are set to zero. Unless the EFI_VARIABLE_APPEND_WRITE
+- * attribute is set, verify that the TimeStamp value is later than the current
+- * timestamp value associated with the variable
++ * of the TimeStamp value are set to zero.
+ */
+ if ((var_map.efi_auth_descriptor->TimeStamp.Pad1 != 0) ||
+ (var_map.efi_auth_descriptor->TimeStamp.Pad2 != 0) ||
+@@ -1235,6 +1241,21 @@ static efi_status_t authenticate_variable(const struct uefi_variable_store *cont
+ return EFI_SECURITY_VIOLATION;
+ }
+
++ /**
++ * UEFI: Page 253
++ * Unless the EFI_VARIABLE_APPEND_WRITE attribute is set, verify
++ * that the TimeStamp value is later than the current
++ * timestamp value associated with the variable
++ */
++ if (!(var->Attributes & EFI_VARIABLE_APPEND_WRITE)) {
++ if (memcmp(&var_map.efi_auth_descriptor->TimeStamp, timestamp, sizeof(EFI_GUID)) <= 0) {
++ EMSG("Timestamp violation");
++ return EFI_SECURITY_VIOLATION;
++ }
++
++ /* Save new timestamp */
++ memcpy(timestamp, &var_map.efi_auth_descriptor->TimeStamp, sizeof(EFI_TIME));
++ }
+ /* Calculate hash for the variable only once */
+ hash_result = calc_variable_hash(&var_map, (uint8_t *)&hash_buffer, sizeof(hash_buffer),
+ &hash_len);
+diff --git a/components/service/uefi/smm_variable/backend/variable_index.c b/components/service/uefi/smm_variable/backend/variable_index.c
+index e2fe6dd38..f4194d2d3 100644
+--- a/components/service/uefi/smm_variable/backend/variable_index.c
++++ b/components/service/uefi/smm_variable/backend/variable_index.c
+@@ -198,6 +198,7 @@ static struct variable_entry *add_entry(const struct variable_index *context, co
+ /* Initialize metadata */
+ info->metadata.uid = generate_uid(context, guid, name_size, name);
+ info->metadata.guid = *guid;
++ memset(&info->metadata.timestamp, 0, sizeof(EFI_TIME));
+ info->metadata.attributes = 0;
+ info->metadata.name_size = name_size;
+ memcpy(info->metadata.name, name, name_size);
+diff --git a/components/service/uefi/smm_variable/backend/variable_index.h b/components/service/uefi/smm_variable/backend/variable_index.h
+index 5d3b7a7c6..7eef7b86b 100644
+--- a/components/service/uefi/smm_variable/backend/variable_index.h
++++ b/components/service/uefi/smm_variable/backend/variable_index.h
+@@ -32,6 +32,7 @@ extern "C" {
+ */
+ struct variable_metadata {
+ EFI_GUID guid;
++ EFI_TIME timestamp;
+ size_t name_size;
+ int16_t name[VARIABLE_INDEX_MAX_NAME_SIZE];
+ uint32_t attributes;
+--
+2.25.1
+
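Review bot: The "later than" check `if (memcmp(&var_map.efi_auth_descriptor->TimeStamp, timestamp, sizeof(EFI_GUID)) <= 0)` is not a chronological comparison: memcmp orders bytes, and on a little-endian target the 16-bit Year field is stored low byte first, so a timestamp from a later year can compare as older (and an older one as newer), which defeats the anti-rollback property this patch introduces; it also sizes the compare with sizeof(EFI_GUID) while the memcpy a few lines below uses sizeof(EFI_TIME) (both appear to be 16 bytes, but the type is wrong). Since Pad1, Nanosecond, TimeZone, Daylight and Pad2 are already verified to be zero just above, a field-wise comparison of Year, Month, Day, Hour, Minute and Second is sufficient and unambiguous. The same memcmp is carried over verbatim into authenticate_variable by the following 0016 patch, so the fix has to be applied there as well. The rest of authenticate_variable lies outside the inner hunks of this patch.
```c
/* Chronological ordering of two EFI_TIME values whose Pad1, Nanosecond, TimeZone,
 * Daylight and Pad2 components have already been checked to be zero.
 * Returns <0, 0 or >0 like memcmp, but honours the 16-bit Year field. */
static int compare_efi_time(const EFI_TIME *a, const EFI_TIME *b)
{
	if (a->Year != b->Year)
		return (a->Year < b->Year) ? -1 : 1;
	if (a->Month != b->Month)
		return (a->Month < b->Month) ? -1 : 1;
	if (a->Day != b->Day)
		return (a->Day < b->Day) ? -1 : 1;
	if (a->Hour != b->Hour)
		return (a->Hour < b->Hour) ? -1 : 1;
	if (a->Minute != b->Minute)
		return (a->Minute < b->Minute) ? -1 : 1;
	if (a->Second != b->Second)
		return (a->Second < b->Second) ? -1 : 1;
	return 0;
}

/* … unchanged: authenticate_variable up to the zero-component checks … */
	if (!(var->Attributes & EFI_VARIABLE_APPEND_WRITE)) {
		if (compare_efi_time(&var_map.efi_auth_descriptor->TimeStamp, timestamp) <= 0) {
			EMSG("Timestamp violation");
			return EFI_SECURITY_VIOLATION;
		}
		/* … unchanged: save new timestamp with sizeof(EFI_TIME) … */
```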
diff --git a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0016-Isolate-common-uefi-variable-authentication-steps.patch b/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0016-Isolate-common-uefi-variable-authentication-steps.patch
new file mode 100644
index 0000000000..16ca63b3c2
--- /dev/null
+++ b/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0016-Isolate-common-uefi-variable-authentication-steps.patch
@@ -0,0 +1,282 @@
+From 19e79008e0fa3193b54bf6499516dc75cb10f6ec Mon Sep 17 00:00:00 2001
+From: Gabor Toth <gabor.toth2@arm.com>
+Date: Thu, 11 Apr 2024 13:42:03 +0200
+Subject: [PATCH 2/3] Isolate common uefi variable authentication steps
+
+Currently all auth variables are authenticated with the secure boot
+keys. To introduce corrent check for Private Authenticated Variables
+first separate the common steps from the secure boot related steps.
+
+Signed-off-by: Gabor Toth <gabor.toth2@arm.com>
+Upstream-Status: Submitted [https://review.trustedfirmware.org/c/TS/trusted-services/+/27956]
+---
+ .../backend/uefi_variable_store.c | 191 ++++++++++--------
+ 1 file changed, 103 insertions(+), 88 deletions(-)
+
+diff --git a/components/service/uefi/smm_variable/backend/uefi_variable_store.c b/components/service/uefi/smm_variable/backend/uefi_variable_store.c
+index 1b624f0c9..1384d0def 100644
+--- a/components/service/uefi/smm_variable/backend/uefi_variable_store.c
++++ b/components/service/uefi/smm_variable/backend/uefi_variable_store.c
+@@ -78,6 +78,12 @@ static efi_status_t verify_var_by_key_var(const efi_data_map *new_var,
+ static efi_status_t authenticate_variable(const struct uefi_variable_store *context,
+ EFI_TIME *timestamp,
+ SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE *var);
++
++static efi_status_t authenticate_secure_boot_variable(const struct uefi_variable_store *context,
++ efi_data_map* var_map,
++ uint8_t* hash_buffer,
++ size_t hash_len,
++ uint64_t max_variable_size);
+ #endif
+
+ static efi_status_t store_variable_data(const struct uefi_variable_store *context,
+@@ -1118,30 +1124,109 @@ static efi_status_t authenticate_variable(const struct uefi_variable_store *cont
+ {
+ efi_status_t status = EFI_SUCCESS;
+ EFI_GUID pkcs7_guid = EFI_CERT_TYPE_PKCS7_GUID;
+- EFI_GUID global_variable_guid = EFI_GLOBAL_VARIABLE;
+- EFI_GUID security_database_guid = EFI_IMAGE_SECURITY_DATABASE_GUID;
+ SMM_VARIABLE_COMMUNICATE_QUERY_VARIABLE_INFO variable_info = { 0, 0, 0, 0 };
+- SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE *pk_variable = NULL;
+- size_t pk_payload_size = 0;
+ efi_data_map var_map = { NULL, NULL, NULL, 0, 0, NULL, 0, NULL };
+ uint8_t hash_buffer[PSA_HASH_MAX_SIZE];
+ size_t hash_len = 0;
+- bool hash_result = false;
+
+ /* Create a map of the fields of the new variable including the auth header */
+ if (!init_efi_data_map(var, true, &var_map))
+ return EFI_SECURITY_VIOLATION;
+
+- /* database variables can be verified by either PK or KEK while images
+- * should be checked by db and dbx so the length of two will be enough.
+- */
+- SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE *allowed_key_store_variables[] = { NULL, NULL };
+-
+ /* Find the maximal size of variables for the GetVariable operation */
+ status = uefi_variable_store_query_variable_info(context, &variable_info);
+ if (status != EFI_SUCCESS)
+ return EFI_SECURITY_VIOLATION;
+
++ /**
++ * UEFI: Page 246
++ * If the EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS attribute is set in a
++ * SetVariable() call, and firmware does not support signature type of the certificate
++ * included in the EFI_VARIABLE_AUTHENTICATION_2 descriptor, then the SetVariable() call
++ * shall return EFI_INVALID_PARAMETER. The list of signature types supported by the
++ * firmware is defined by the SignatureSupport variable. Signature type of the certificate
++ * is defined by its digest and encryption algorithms.
++ */
++ /* TODO: Should support WIN_CERT_TYPE_PKCS_SIGNED_DATA and WIN_CERT_TYPE_EFI_PKCS115 */
++ if (var_map.efi_auth_descriptor->AuthInfo.Hdr.wCertificateType != WIN_CERT_TYPE_EFI_GUID)
++ return EFI_INVALID_PARAMETER;
++
++ /* Only a CertType of EFI_CERT_TYPE_PKCS7_GUID is accepted */
++ if (!compare_guid(&var_map.efi_auth_descriptor->AuthInfo.CertType, &pkcs7_guid))
++ return EFI_SECURITY_VIOLATION;
++
++ /**
++ * Time associated with the authentication descriptor. For the TimeStamp value,
++ * components Pad1, Nanosecond, TimeZone, Daylight and Pad2 shall be set to 0.
++ * This means that the time shall always be expressed in GMT.
++ *
++ * UEFI: Page 253
++ * 2. Verify that Pad1, Nanosecond, TimeZone, Daylight and Pad2 components
++ * of the TimeStamp value are set to zero.
++ */
++ if ((var_map.efi_auth_descriptor->TimeStamp.Pad1 != 0) ||
++ (var_map.efi_auth_descriptor->TimeStamp.Pad2 != 0) ||
++ (var_map.efi_auth_descriptor->TimeStamp.Nanosecond != 0) ||
++ (var_map.efi_auth_descriptor->TimeStamp.TimeZone != 0) ||
++ (var_map.efi_auth_descriptor->TimeStamp.Daylight != 0)) {
++ return EFI_SECURITY_VIOLATION;
++ }
++
++ /**
++ * UEFI: Page 253
++ * Unless the EFI_VARIABLE_APPEND_WRITE attribute is set, verify
++ * that the TimeStamp value is later than the current
++ * timestamp value associated with the variable
++ */
++ if (!(var->Attributes & EFI_VARIABLE_APPEND_WRITE)) {
++ if (memcmp(&var_map.efi_auth_descriptor->TimeStamp, timestamp, sizeof(EFI_GUID)) <= 0) {
++ EMSG("Timestamp violation");
++ return EFI_SECURITY_VIOLATION;
++ }
++
++ /* Save new timestamp */
++ memcpy(timestamp, &var_map.efi_auth_descriptor->TimeStamp, sizeof(EFI_TIME));
++ }
++ /* Calculate hash for the variable only once */
++ if (calc_variable_hash(&var_map, (uint8_t *)&hash_buffer, sizeof(hash_buffer), &hash_len) == 0) {
++ status = EFI_SECURITY_VIOLATION;
++ }
++
++ /* Run Secure Boot related authentication steps */
++ status = authenticate_secure_boot_variable(context, &var_map, (uint8_t*) &hash_buffer, hash_len, variable_info.MaximumVariableSize);
++
++ /* Remove the authentication header from the variable if the authentication is successful */
++ if (status == EFI_SUCCESS) {
++ uint8_t *smm_payload =
++ (uint8_t *)var + SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE_DATA_OFFSET(var);
++
++ memmove(smm_payload, var_map.payload, var_map.payload_len);
++ memset((uint8_t *)smm_payload + var_map.payload_len, 0,
++ var_map.efi_auth_descriptor_len);
++
++ var->DataSize -= var_map.efi_auth_descriptor_len;
++ }
++
++ return status;
++}
++
++static efi_status_t authenticate_secure_boot_variable(const struct uefi_variable_store *context,
++ efi_data_map* var_map,
++ uint8_t* hash_buffer,
++ size_t hash_len,
++ uint64_t max_variable_size)
++{
++ efi_status_t status = EFI_SUCCESS;
++ EFI_GUID global_variable_guid = EFI_GLOBAL_VARIABLE;
++ EFI_GUID security_database_guid = EFI_IMAGE_SECURITY_DATABASE_GUID;
++ SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE *pk_variable = NULL;
++ size_t pk_payload_size = 0;
++
++ /* database variables can be verified by either PK or KEK while images
++ * should be checked by db and dbx so the length of two will be enough.
++ */
++ SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE *allowed_key_store_variables[] = { NULL, NULL };
++
+ /**
+ * UEFI: Page 253
+ * 3. If the variable SetupMode==1, and the variable is a secure
+@@ -1166,14 +1251,14 @@ static efi_status_t authenticate_variable(const struct uefi_variable_store *cont
+ * Platform Key is checked to enable or disable authentication.
+ */
+ create_smm_variable(&pk_variable, sizeof(EFI_PLATFORM_KEY_NAME),
+- variable_info.MaximumVariableSize, (uint8_t *)EFI_PLATFORM_KEY_NAME,
++ max_variable_size, (uint8_t *)EFI_PLATFORM_KEY_NAME,
+ &global_variable_guid);
+
+ if (!pk_variable)
+ return EFI_OUT_OF_RESOURCES;
+
+ status = uefi_variable_store_get_variable(
+- context, pk_variable, variable_info.MaximumVariableSize, &pk_payload_size);
++ context, pk_variable, max_variable_size, &pk_payload_size);
+
+ /* If PK does not exist authentication is disabled */
+ if (status != EFI_SUCCESS) {
+@@ -1207,66 +1292,8 @@ static efi_status_t authenticate_variable(const struct uefi_variable_store *cont
+ goto end;
+ }
+
+- /**
+- * UEFI: Page 246
+- * If the EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS attribute is set in a
+- * SetVariable() call, and firmware does not support signature type of the certificate
+- * included in the EFI_VARIABLE_AUTHENTICATION_2 descriptor, then the SetVariable() call
+- * shall return EFI_INVALID_PARAMETER. The list of signature types supported by the
+- * firmware is defined by the SignatureSupport variable. Signature type of the certificate
+- * is defined by its digest and encryption algorithms.
+- */
+- /* TODO: Should support WIN_CERT_TYPE_PKCS_SIGNED_DATA and WIN_CERT_TYPE_EFI_PKCS115 */
+- if (var_map.efi_auth_descriptor->AuthInfo.Hdr.wCertificateType != WIN_CERT_TYPE_EFI_GUID)
+- return EFI_INVALID_PARAMETER;
+-
+- /* Only a CertType of EFI_CERT_TYPE_PKCS7_GUID is accepted */
+- if (!compare_guid(&var_map.efi_auth_descriptor->AuthInfo.CertType, &pkcs7_guid))
+- return EFI_SECURITY_VIOLATION;
+-
+- /**
+- * Time associated with the authentication descriptor. For the TimeStamp value,
+- * components Pad1, Nanosecond, TimeZone, Daylight and Pad2 shall be set to 0.
+- * This means that the time shall always be expressed in GMT.
+- *
+- * UEFI: Page 253
+- * 2. Verify that Pad1, Nanosecond, TimeZone, Daylight and Pad2 components
+- * of the TimeStamp value are set to zero.
+- */
+- if ((var_map.efi_auth_descriptor->TimeStamp.Pad1 != 0) ||
+- (var_map.efi_auth_descriptor->TimeStamp.Pad2 != 0) ||
+- (var_map.efi_auth_descriptor->TimeStamp.Nanosecond != 0) ||
+- (var_map.efi_auth_descriptor->TimeStamp.TimeZone != 0) ||
+- (var_map.efi_auth_descriptor->TimeStamp.Daylight != 0)) {
+- return EFI_SECURITY_VIOLATION;
+- }
+-
+- /**
+- * UEFI: Page 253
+- * Unless the EFI_VARIABLE_APPEND_WRITE attribute is set, verify
+- * that the TimeStamp value is later than the current
+- * timestamp value associated with the variable
+- */
+- if (!(var->Attributes & EFI_VARIABLE_APPEND_WRITE)) {
+- if (memcmp(&var_map.efi_auth_descriptor->TimeStamp, timestamp, sizeof(EFI_GUID)) <= 0) {
+- EMSG("Timestamp violation");
+- return EFI_SECURITY_VIOLATION;
+- }
+-
+- /* Save new timestamp */
+- memcpy(timestamp, &var_map.efi_auth_descriptor->TimeStamp, sizeof(EFI_TIME));
+- }
+- /* Calculate hash for the variable only once */
+- hash_result = calc_variable_hash(&var_map, (uint8_t *)&hash_buffer, sizeof(hash_buffer),
+- &hash_len);
+-
+- if (!hash_result) {
+- status = EFI_SECURITY_VIOLATION;
+- goto end;
+- }
+-
+- status = select_verification_keys(var_map, global_variable_guid, security_database_guid,
+- variable_info.MaximumVariableSize,
++ status = select_verification_keys(*var_map, global_variable_guid, security_database_guid,
++ max_variable_size,
+ &allowed_key_store_variables[0]);
+
+ if (status != EFI_SUCCESS)
+@@ -1280,8 +1307,8 @@ static efi_status_t authenticate_variable(const struct uefi_variable_store *cont
+ continue;
+
+ status = uefi_variable_store_get_variable(context, allowed_key_store_variables[i],
+- variable_info.MaximumVariableSize,
+- &actual_variable_length);
++ max_variable_size,
++ &actual_variable_length);
+
+ if (status) {
+ /* When the parent does not exist it is considered verification failure */
+@@ -1297,8 +1324,8 @@ static efi_status_t authenticate_variable(const struct uefi_variable_store *cont
+ goto end;
+ }
+
+- status = verify_var_by_key_var(&var_map, &allowed_key_store_var_map,
+- (uint8_t *)&hash_buffer, hash_len);
++ status = verify_var_by_key_var(var_map, &allowed_key_store_var_map,
++ hash_buffer, hash_len);
+
+ if (status == EFI_SUCCESS)
+ goto end;
+@@ -1311,18 +1338,6 @@ end:
+ free(allowed_key_store_variables[i]);
+ }
+
+- /* Remove the authentication header from the variable if the authentication is successful */
+- if (status == EFI_SUCCESS) {
+- uint8_t *smm_payload =
+- (uint8_t *)var + SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE_DATA_OFFSET(var);
+-
+- memmove(smm_payload, var_map.payload, var_map.payload_len);
+- memset((uint8_t *)smm_payload + var_map.payload_len, 0,
+- var_map.efi_auth_descriptor_len);
+-
+- var->DataSize -= var_map.efi_auth_descriptor_len;
+- }
+-
+ return status;
+ }
+ #endif
+--
+2.25.1
+
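Review bot: A failed variable hash is silently discarded in the refactored authenticate_variable: `if (calc_variable_hash(&var_map, (uint8_t *)&hash_buffer, sizeof(hash_buffer), &hash_len) == 0) { status = EFI_SECURITY_VIOLATION; }` is immediately followed by `status = authenticate_secure_boot_variable(...)`, which overwrites status, so the hash failure no longer aborts the way the removed `goto end` did and the secure-boot steps run with hash_len == 0 and an unfilled hash_buffer. Replace the assignment with an early return, `if (!calc_variable_hash(&var_map, (uint8_t *)&hash_buffer, sizeof(hash_buffer), &hash_len)) return EFI_SECURITY_VIOLATION;`, which also matches the early returns used for the other checks in the same function. The following 0017 patch keeps this sequence (its context lines show the assignment followed by the isPrivateAuthVar dispatch), so the same fix is needed there. The remainder of authenticate_variable and of authenticate_secure_boot_variable lies outside the inner hunks of this patch.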
diff --git a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0017-Implement-Private-Authenticated-Variable-verificatio.patch b/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0017-Implement-Private-Authenticated-Variable-verificatio.patch
new file mode 100644
index 0000000000..eb7852f0c6
--- /dev/null
+++ b/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0017-Implement-Private-Authenticated-Variable-verificatio.patch
@@ -0,0 +1,292 @@
+From a172c6e8269915db1b25e2749bae06dc0220cfb8 Mon Sep 17 00:00:00 2001
+From: Gabor Toth <gabor.toth2@arm.com>
+Date: Thu, 11 Apr 2024 13:48:14 +0200
+Subject: [PATCH 3/3] Implement Private Authenticated Variable verification
+
+Refactor the implementation to only use the PK, KEK, DB authentication
+chain for boot variables, and implement the self authentication for
+private authenticated variables.
+
+Signed-off-by: Gabor Toth <gabor.toth2@arm.com>
+Upstream-Status: Submitted [https://review.trustedfirmware.org/c/TS/trusted-services/+/27957]
+---
+ .../backend/uefi_variable_store.c | 126 +++++++++++++++---
+ .../smm_variable/backend/variable_index.c | 1 +
+ .../smm_variable/backend/variable_index.h | 2 +
+ .../config/default-opteesp/CMakeLists.txt | 2 +-
+ .../config/default-sp/CMakeLists.txt | 2 +-
+ 5 files changed, 112 insertions(+), 21 deletions(-)
+
+diff --git a/components/service/uefi/smm_variable/backend/uefi_variable_store.c b/components/service/uefi/smm_variable/backend/uefi_variable_store.c
+index 1384d0def..97c43dc74 100644
+--- a/components/service/uefi/smm_variable/backend/uefi_variable_store.c
++++ b/components/service/uefi/smm_variable/backend/uefi_variable_store.c
+@@ -75,15 +75,25 @@ static efi_status_t verify_var_by_key_var(const efi_data_map *new_var,
+ const efi_data_map *key_store_var,
+ const uint8_t *hash_buffer, size_t hash_len);
+
++static bool isPrivateAuthVar(SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE *var);
++
+ static efi_status_t authenticate_variable(const struct uefi_variable_store *context,
+- EFI_TIME *timestamp,
+- SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE *var);
++ EFI_TIME *timestamp, uint8_t (*fingerprint)[FINGERPRINT_SIZE],
++ bool new_variable, SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE *var);
+
+ static efi_status_t authenticate_secure_boot_variable(const struct uefi_variable_store *context,
+ efi_data_map* var_map,
+ uint8_t* hash_buffer,
+ size_t hash_len,
+ uint64_t max_variable_size);
++
++static efi_status_t authenticate_private_variable(const struct uefi_variable_store *context,
++ efi_data_map* var_map,
++ uint8_t* hash_buffer,
++ size_t hash_len,
++ uint64_t max_variable_size,
++ bool new_variable,
++ uint8_t (*fingerprint)[FINGERPRINT_SIZE]);
+ #endif
+
+ static efi_status_t store_variable_data(const struct uefi_variable_store *context,
+@@ -205,6 +215,7 @@ efi_status_t uefi_variable_store_set_variable(const struct uefi_variable_store *
+ {
+ bool should_sync_index = false;
+ EFI_TIME timestamp = { 0 };
++ uint8_t fingerprint[FINGERPRINT_SIZE] = { 0 };
+
+ /* Validate incoming request */
+ efi_status_t status = check_name_terminator(var->Name, var->NameSize);
+@@ -233,8 +244,9 @@ efi_status_t uefi_variable_store_set_variable(const struct uefi_variable_store *
+ return EFI_OUT_OF_RESOURCES;
+ }
+
+- /* Save the timestamp into a buffer, which can be overwritten by the authentication function */
++ /* Save the timestamp and fingerprints into a buffer, which can be overwritten by the authentication function */
+ memcpy(&timestamp, &info->metadata.timestamp, sizeof(EFI_TIME));
++ memcpy(&fingerprint, &info->metadata.fingerprint, FINGERPRINT_SIZE);
+
+ /* Control access */
+ status = check_access_permitted_on_set(context, info, var);
+@@ -251,7 +263,8 @@ efi_status_t uefi_variable_store_set_variable(const struct uefi_variable_store *
+ if (info->metadata.attributes &
+ EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS) {
+ status = authenticate_variable(
+- context, &timestamp, (SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE *)var);
++ context, &timestamp, &fingerprint, false,
++ (SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE *)var);
+
+ if (status != EFI_SUCCESS)
+ return status;
+@@ -337,7 +350,8 @@ efi_status_t uefi_variable_store_set_variable(const struct uefi_variable_store *
+ */
+ if (var->Attributes & EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS) {
+ status = authenticate_variable(
+- context, &timestamp, (SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE *)var);
++ context, &timestamp, &fingerprint, true,
++ (SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE *)var);
+
+ if (status != EFI_SUCCESS)
+ return status;
+@@ -372,6 +386,7 @@ efi_status_t uefi_variable_store_set_variable(const struct uefi_variable_store *
+ /* Store any variable data to the storage backend with the updated metadata */
+ if (info->is_variable_set && (status == EFI_SUCCESS)) {
+ memcpy(&info->metadata.timestamp, &timestamp, sizeof(EFI_TIME));
++ memcpy(&info->metadata.fingerprint, &fingerprint, FINGERPRINT_SIZE);
+ status = store_variable_data(context, info, var);
+ }
+ }
+@@ -1030,15 +1045,6 @@ select_verification_keys(const efi_data_map new_var, EFI_GUID global_variable_gu
+ create_smm_variable(&(allowed_key_store_variables[1]),
+ sizeof(EFI_KEY_EXCHANGE_KEY_NAME), maximum_variable_size,
+ (uint8_t *)EFI_KEY_EXCHANGE_KEY_NAME, &global_variable_guid);
+- } else {
+- /*
+- * Any other variable is considered Private Authenticated Variable.
+- * These are verified by db
+- */
+- create_smm_variable(&(allowed_key_store_variables[0]),
+- sizeof(EFI_IMAGE_SECURITY_DATABASE), maximum_variable_size,
+- (uint8_t *)EFI_IMAGE_SECURITY_DATABASE,
+- &security_database_guid);
+ }
+
+ return EFI_SUCCESS;
+@@ -1114,13 +1120,39 @@ static efi_status_t verify_var_by_key_var(const efi_data_map *new_var,
+ return EFI_SECURITY_VIOLATION;
+ }
+
+-/* Basic verification of the authentication header of the new variable.
++static bool isPrivateAuthVar(SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE *var)
++{
++ if (compare_name_to_key_store_name(var->Name,
++ var->NameSize, EFI_PLATFORM_KEY_NAME,
++ sizeof(EFI_PLATFORM_KEY_NAME)) ||
++ compare_name_to_key_store_name(
++ var->Name, var->NameSize,
++ EFI_KEY_EXCHANGE_KEY_NAME, sizeof(EFI_KEY_EXCHANGE_KEY_NAME)) ||
++ compare_name_to_key_store_name(
++ var->Name, var->NameSize,
++ EFI_IMAGE_SECURITY_DATABASE, sizeof(EFI_IMAGE_SECURITY_DATABASE)) ||
++ compare_name_to_key_store_name(
++ var->Name, var->NameSize,
++ EFI_IMAGE_SECURITY_DATABASE1, sizeof(EFI_IMAGE_SECURITY_DATABASE1)) ||
++ compare_name_to_key_store_name(
++ var->Name, var->NameSize,
++ EFI_IMAGE_SECURITY_DATABASE2, sizeof(EFI_IMAGE_SECURITY_DATABASE2)) ||
++ compare_name_to_key_store_name(
++ var->Name, var->NameSize,
++ EFI_IMAGE_SECURITY_DATABASE3, sizeof(EFI_IMAGE_SECURITY_DATABASE3)))
++ return false;
++
++ return true;
++}
++
++/*
++ * Basic verification of the authentication header of the new variable.
+ * First finds the key variable responsible for the authentication of the new variable,
+ * then verifies it.
+ */
+ static efi_status_t authenticate_variable(const struct uefi_variable_store *context,
+- EFI_TIME *timestamp,
+- SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE *var)
++ EFI_TIME *timestamp, uint8_t (*fingerprint)[FINGERPRINT_SIZE],
++ bool new_variable, SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE *var)
+ {
+ efi_status_t status = EFI_SUCCESS;
+ EFI_GUID pkcs7_guid = EFI_CERT_TYPE_PKCS7_GUID;
+@@ -1192,8 +1224,13 @@ static efi_status_t authenticate_variable(const struct uefi_variable_store *cont
+ status = EFI_SECURITY_VIOLATION;
+ }
+
+- /* Run Secure Boot related authentication steps */
+- status = authenticate_secure_boot_variable(context, &var_map, (uint8_t*) &hash_buffer, hash_len, variable_info.MaximumVariableSize);
++ if (isPrivateAuthVar(var)) {
++ /* Run Private Authenticated Variable related authentication steps */
++ status = authenticate_private_variable(context, &var_map, (uint8_t*) &hash_buffer, hash_len, variable_info.MaximumVariableSize, new_variable, fingerprint);
++ } else {
++ /* Run Secure Boot related authentication steps */
++ status = authenticate_secure_boot_variable(context, &var_map, (uint8_t*) &hash_buffer, hash_len, variable_info.MaximumVariableSize);
++ }
+
+ /* Remove the authentication header from the variable if the authentication is successful */
+ if (status == EFI_SUCCESS) {
+@@ -1340,6 +1377,57 @@ end:
+
+ return status;
+ }
++
++static efi_status_t authenticate_private_variable(const struct uefi_variable_store *context,
++ efi_data_map* var_map,
++ uint8_t* hash_buffer,
++ size_t hash_len,
++ uint64_t max_variable_size,
++ bool new_variable,
++ uint8_t (*fingerprint)[FINGERPRINT_SIZE])
++{
++ efi_status_t status = EFI_SUCCESS;
++ uint8_t new_fingerprint[PSA_HASH_MAX_SIZE] = { 0 };
++
++ /* Verify the signature of the variable */
++ if (verify_pkcs7_signature(
++ var_map->efi_auth_descriptor->AuthInfo.CertData,
++ var_map->efi_auth_descriptor_certdata_len, hash_buffer,
++ hash_len, NULL, 0) == 0)
++ status = EFI_SUCCESS;
++ else
++ return EFI_SECURITY_VIOLATION;
++
++ /**
++ * UEFI: Page 254
++ * CN of the signing certificate’s Subject and the hash of the tbsCertificate of the top-level issuer certificate
++ * (or the signing certificate itself if no other certificates are present or the certificate chain is of length 1)
++ * in SignedData.certificates is registered for use in subsequent verifications of this variable. Implementations
++ * may store just a single hash of these two elements to reduce storage requirements.
++ */
++ if (get_uefi_priv_auth_var_fingerprint_handler(var_map->efi_auth_descriptor->AuthInfo.CertData,
++ var_map->efi_auth_descriptor_certdata_len,
++ (uint8_t*)&new_fingerprint)) {
++ EMSG("Failed to querry variable fingerprint input");
++ return EFI_SECURITY_VIOLATION;
++ }
++
++ /*
++ * The hash is SHA256 so only 32 bytes contain non zero values.
++ * Use only that part to decrease metadata size.
++ */
++ if (!new_variable) {
++ if (memcmp(&new_fingerprint, fingerprint, FINGERPRINT_SIZE)) {
++ EMSG("Fingerprint verification failed");
++ return EFI_SECURITY_VIOLATION;
++ }
++ } else {
++ /* Save fingerprint */
++ memcpy(fingerprint, &new_fingerprint, FINGERPRINT_SIZE);
++ }
++
++ return status;
++}
+ #endif
+
+ static efi_status_t store_variable_data(const struct uefi_variable_store *context,
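Review bot: The signature check in authenticate_private_variable is written as `if (verify_pkcs7_signature(...) == 0) status = EFI_SUCCESS; else return EFI_SECURITY_VIOLATION;`, but `status` is already initialised to EFI_SUCCESS and is never assigned anything else, so the assignment is dead and the function's only two outcomes are EFI_SUCCESS or an early EFI_SECURITY_VIOLATION. A guard clause, `if (verify_pkcs7_signature(...) != 0) return EFI_SECURITY_VIOLATION;`, states the security decision more directly and lets `status` be dropped in favour of `return EFI_SUCCESS;`. The log message at the fingerprint lookup has a typo: `EMSG("Failed to query variable fingerprint input");`. On the new-variable path the fingerprint is copied into the caller's metadata buffer before the rest of the set operation has completed; whether a later failure in the caller discards that metadata is not visible here, so a comment stating that expectation above the `memcpy` would help the next reader. The surrounding `#ifdef` block and the callers are outside this hunk.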
+diff --git a/components/service/uefi/smm_variable/backend/variable_index.c b/components/service/uefi/smm_variable/backend/variable_index.c
+index f4194d2d3..7f2fbe0ba 100644
+--- a/components/service/uefi/smm_variable/backend/variable_index.c
++++ b/components/service/uefi/smm_variable/backend/variable_index.c
+@@ -199,6 +199,7 @@ static struct variable_entry *add_entry(const struct variable_index *context, co
+ info->metadata.uid = generate_uid(context, guid, name_size, name);
+ info->metadata.guid = *guid;
+ memset(&info->metadata.timestamp, 0, sizeof(EFI_TIME));
++ memset(&info->metadata.fingerprint, 0, sizeof(FINGERPRINT_SIZE));
+ info->metadata.attributes = 0;
+ info->metadata.name_size = name_size;
+ memcpy(info->metadata.name, name, name_size);
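Review bot: `memset(&info->metadata.fingerprint, 0, sizeof(FINGERPRINT_SIZE));` clears `sizeof(int)` bytes rather than the 32-byte array, because FINGERPRINT_SIZE is defined as the plain constant `(32)` in variable_index.h, so only the first four bytes of the new field are initialised. The other 28 bytes keep whatever the entry's allocation held; whether that memory is zeroed earlier in add_entry is not visible in this hunk, and for variables that never go through authenticate_private_variable the field is not written again before the metadata is stored, so uninitialised bytes could end up in the persisted index. Use `memset(&info->metadata.fingerprint, 0, sizeof(info->metadata.fingerprint));`, which also stays correct if the array size changes. add_entry starts and ends outside this hunk.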
+diff --git a/components/service/uefi/smm_variable/backend/variable_index.h b/components/service/uefi/smm_variable/backend/variable_index.h
+index 7eef7b86b..726bc985a 100644
+--- a/components/service/uefi/smm_variable/backend/variable_index.h
++++ b/components/service/uefi/smm_variable/backend/variable_index.h
+@@ -24,6 +24,7 @@ extern "C" {
+ * Implementation limits
+ */
+ #define VARIABLE_INDEX_MAX_NAME_SIZE (64)
++#define FINGERPRINT_SIZE (32)
+
+ /**
+ * \brief variable_metadata structure definition
+@@ -33,6 +34,7 @@ extern "C" {
+ struct variable_metadata {
+ EFI_GUID guid;
+ EFI_TIME timestamp;
++ uint8_t fingerprint[FINGERPRINT_SIZE];
+ size_t name_size;
+ int16_t name[VARIABLE_INDEX_MAX_NAME_SIZE];
+ uint32_t attributes;
+diff --git a/deployments/smm-gateway/config/default-opteesp/CMakeLists.txt b/deployments/smm-gateway/config/default-opteesp/CMakeLists.txt
+index 0e281a377..d3df61ded 100644
+--- a/deployments/smm-gateway/config/default-opteesp/CMakeLists.txt
++++ b/deployments/smm-gateway/config/default-opteesp/CMakeLists.txt
+@@ -42,7 +42,7 @@ set(SP_BOOT_ORDER "8" CACHE STRING "Boot order of the SP")
+ add_platform(TARGET "smm-gateway")
+
+ # SMM variable and RPC caller settings
+-set(SMM_GATEWAY_MAX_UEFI_VARIABLES 40 CACHE STRING "Maximum UEFI variable count")
++set(SMM_GATEWAY_MAX_UEFI_VARIABLES 35 CACHE STRING "Maximum UEFI variable count")
+ set(SMM_RPC_CALLER_SESSION_SHARED_MEMORY_SIZE 2*4096 CACHE STRING "RPC caller buffer size in SMMGW")
+ if (UEFI_AUTH_VAR)
+ set(SMM_SP_HEAP_SIZE 64*1024 CACHE STRING "SMM gateway SP heap size")
+diff --git a/deployments/smm-gateway/config/default-sp/CMakeLists.txt b/deployments/smm-gateway/config/default-sp/CMakeLists.txt
+index 8df9256e4..bb97cf8e3 100644
+--- a/deployments/smm-gateway/config/default-sp/CMakeLists.txt
++++ b/deployments/smm-gateway/config/default-sp/CMakeLists.txt
+@@ -47,7 +47,7 @@ set(SP_BOOT_ORDER "8" CACHE STRING "Boot order of the SP")
+ add_platform(TARGET "smm-gateway")
+
+ # SMM variable and RPC caller settings
+-set(SMM_GATEWAY_MAX_UEFI_VARIABLES 40 CACHE STRING "Maximum UEFI variable count")
++set(SMM_GATEWAY_MAX_UEFI_VARIABLES 35 CACHE STRING "Maximum UEFI variable count")
+ set(SMM_RPC_CALLER_SESSION_SHARED_MEMORY_SIZE 2*4096 CACHE STRING "RPC caller buffer size in SMMGW")
+ if (UEFI_AUTH_VAR)
+ set(SMM_SP_HEAP_SIZE 64*1024 CACHE STRING "SMM gateway SP heap size")
+--
+2.25.1
+
diff --git a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0018-Change-RSS_COMMS-cmake-variables-to-cahce-vars.patch b/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0018-Change-RSS_COMMS-cmake-variables-to-cahce-vars.patch
new file mode 100644
index 0000000000..76e78fa365
--- /dev/null
+++ b/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0018-Change-RSS_COMMS-cmake-variables-to-cahce-vars.patch
@@ -0,0 +1,37 @@
+From e8b577d02d1d4ed2492bb0b6c3a5bb7d2656f13a Mon Sep 17 00:00:00 2001
+From: Bence Balogh <bence.balogh@arm.com>
+Date: Fri, 17 May 2024 13:21:07 +0200
+Subject: [PATCH] Change RSS_COMMS cmake variables to cahce vars
+
+This way they can be set externally as well for the corstone1000
+platform.
+
+Signed-off-by: Bence Balogh <bence.balogh@arm.com>
+Upstream-Status: Pending
+---
+ platform/providers/arm/corstone1000/platform.cmake | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/platform/providers/arm/corstone1000/platform.cmake b/platform/providers/arm/corstone1000/platform.cmake
+index 16139c80e..82ac14f0b 100644
+--- a/platform/providers/arm/corstone1000/platform.cmake
++++ b/platform/providers/arm/corstone1000/platform.cmake
+@@ -9,11 +9,13 @@
+ set(SMM_GATEWAY_MAX_UEFI_VARIABLES 80 CACHE STRING "Maximum UEFI variable count")
+ set(SMM_RPC_CALLER_SESSION_SHARED_MEMORY_SIZE 4*4096 CACHE STRING "RPC caller buffer size in SMMGW")
+ set(SMM_SP_HEAP_SIZE 80*1024 CACHE STRING "SMM gateway SP heap size")
++set(PLAT_RSS_COMMS_PAYLOAD_MAX_SIZE 0x43C0 CACHE STRING "Size of the RSS_COMMS_PAYLOAD buffer")
++set(COMMS_MHU_MSG_SIZE 0x4500 CACHE STRING "Max message size that can be transfered via MHU")
+
+ target_compile_definitions(${TGT} PRIVATE
+ SMM_VARIABLE_INDEX_STORAGE_UID=0x787
+- PLAT_RSS_COMMS_PAYLOAD_MAX_SIZE=0x2080
+- COMMS_MHU_MSG_SIZE=0x3500
++ PLAT_RSS_COMMS_PAYLOAD_MAX_SIZE=${PLAT_RSS_COMMS_PAYLOAD_MAX_SIZE}
++ COMMS_MHU_MSG_SIZE=${COMMS_MHU_MSG_SIZE}
+ )
+
+ get_property(_platform_driver_dependencies TARGET ${TGT}
+--
+2.25.1
+
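Review bot: The defaults for the two RSS comms sizes change along with the conversion to cache variables — PLAT_RSS_COMMS_PAYLOAD_MAX_SIZE goes from `0x2080` to `0x43C0` and COMMS_MHU_MSG_SIZE from `0x3500` to `0x4500` — but the patch description only says the variables are now settable externally. The size change affects the shared buffer between the SP and the RSS and deserves its own sentence in the description (why the new values, and what they must stay consistent with); if it is an unrelated change it belongs in a separate patch. The subject and filename spell "cache" as "cahce"; the filename is also referenced from ts-arm-platforms.inc, so renaming it means updating both places.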
diff --git a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/libts_%.bbappend b/meta-arm/meta-arm-bsp/recipes-security/trusted-services/libts_%.bbappend
index 99c03f69fd..2ae28c891a 100644
--- a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/libts_%.bbappend
+++ b/meta-arm/meta-arm-bsp/recipes-security/trusted-services/libts_%.bbappend
@@ -1,5 +1,9 @@
require ts-arm-platforms.inc
-EXTRA_OECMAKE:append:corstone1000 = "-DMM_COMM_BUFFER_ADDRESS=0x02000000 \
+EXTRA_OECMAKE:append:corstone1000 = "-DMM_COMM_BUFFER_ADDRESS=0x81FFF000 \
-DMM_COMM_BUFFER_PAGE_COUNT=1 \
"
+
+EXTRA_OECMAKE:append:fvp-base = " -DMM_COMM_BUFFER_ADDRESS=0x81000000 \
+ -DMM_COMM_BUFFER_PAGE_COUNT=8 \
+ "
diff --git a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/ts-arm-platforms.inc b/meta-arm/meta-arm-bsp/recipes-security/trusted-services/ts-arm-platforms.inc
index 80a580569f..c186b02207 100644
--- a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/ts-arm-platforms.inc
+++ b/meta-arm/meta-arm-bsp/recipes-security/trusted-services/ts-arm-platforms.inc
@@ -5,13 +5,25 @@ SRC_URI:append:corstone1000 = " \
file://0001-Add-stub-capsule-update-service-components.patch \
file://0002-Fixes-in-AEAD-for-psa-arch-test-54-and-58.patch \
file://0003-FMP-Support-in-Corstone1000.patch \
- file://0004-GetNextVariableName-Fix.patch \
+ file://0004-smm_gateway-GetNextVariableName-Fix.patch \
file://0005-plat-corstone1000-add-compile-definitions-for-ECP_DP.patch \
file://0006-plat-corstone1000-Use-the-stateless-platform-service.patch \
file://0007-plat-corstone1000-Initialize-capsule-update-provider.patch \
- file://0008-platform-corstone1000-fix-synchronization-issue.patch \
- file://0009-plat-corstone1000-fmp-client-id.patch \
+ file://0008-plat-corstone1000-add-client_id-for-FMP-service.patch \
+ file://0009-Remove-Werror-flag.patch \
+ file://0010-Remove-PLATFORM_HAS_ATTEST_PK-define-from-IAT-test.patch \
+ file://0011-Fix-Avoid-redefinition-of-variables.patch \
+ file://0012-Fix-GetNextVariableName-NameSize-input.patch \
+ file://0013-Fix-error-handling-of-variable-index-loading.patch \
+ file://0014-Provide-crypto-api-to-create-uefi-priv-var-fingerpri.patch \
+ file://0015-Add-timestamp-validation-for-uefi-variables.patch \
+ file://0016-Isolate-common-uefi-variable-authentication-steps.patch \
+ file://0017-Implement-Private-Authenticated-Variable-verificatio.patch \
+ file://0018-Change-RSS_COMMS-cmake-variables-to-cahce-vars.patch \
"
COMPATIBLE_MACHINE:n1sdp = "n1sdp"
+
+COMPATIBLE_MACHINE:fvp-base = "fvp-base"
+TS_PLATFORM:fvp-base = "arm/fvp/fvp_base_revc-2xaemv8a"
diff --git a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/ts-newlib_%.bbappend b/meta-arm/meta-arm-bsp/recipes-security/trusted-services/ts-newlib_%.bbappend
index 7417d9b0ba..77fb7ae266 100644
--- a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/ts-newlib_%.bbappend
+++ b/meta-arm/meta-arm-bsp/recipes-security/trusted-services/ts-newlib_%.bbappend
@@ -6,3 +6,4 @@ SRC_URI:append:corstone1000 = " \
"
COMPATIBLE_MACHINE:n1sdp = "n1sdp"
+COMPATIBLE_MACHINE:fvp-base = "fvp-base"
diff --git a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/ts-sp-fwu_%.bbappend b/meta-arm/meta-arm-bsp/recipes-security/trusted-services/ts-sp-fwu_%.bbappend
new file mode 100644
index 0000000000..5c9ef210ec
--- /dev/null
+++ b/meta-arm/meta-arm-bsp/recipes-security/trusted-services/ts-sp-fwu_%.bbappend
@@ -0,0 +1 @@
+require ts-arm-platforms.inc
diff --git a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/ts-sp-se-proxy_%.bbappend b/meta-arm/meta-arm-bsp/recipes-security/trusted-services/ts-sp-se-proxy_%.bbappend
index eba1553235..64ab5bea09 100644
--- a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/ts-sp-se-proxy_%.bbappend
+++ b/meta-arm/meta-arm-bsp/recipes-security/trusted-services/ts-sp-se-proxy_%.bbappend
@@ -1,5 +1,10 @@
require ts-arm-platforms.inc
-EXTRA_OECMAKE:append:corstone1000 = " -DMM_COMM_BUFFER_ADDRESS="0x00000000 0x02000000" \
+EXTRA_OECMAKE:append:corstone1000 = " -DMM_COMM_BUFFER_ADDRESS="0x00000000 0x81FFF000" \
-DMM_COMM_BUFFER_PAGE_COUNT="1" \
+ -DSP_HEAP_SIZE=70*1024 \
"
+
+# Proxy is pointless on fvp-base as there is no dedicated security subsystem. It could be
+# deployed configured to have dummy service providers for build testing purposes.
+COMPATIBLE_MACHINE:remove:fvp-base = "fvp-base"
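Review bot: `COMPATIBLE_MACHINE:remove:fvp-base = "fvp-base"` may not achieve the stated goal of excluding the proxy on fvp-base: ts-arm-platforms.inc sets `COMPATIBLE_MACHINE:fvp-base = "fvp-base"`, and a `:remove` of that single item leaves the variable empty, and base.bbclass only skips a recipe when COMPATIBLE_MACHINE is non-empty and does not match. Whether the result is empty depends on what the base recipe (not visible here) assigns, so this needs checking with `bitbake -e` on fvp-base. A value that can never match a machine override, e.g. `COMPATIBLE_MACHINE:fvp-base = "^$"` placed after the `require`, expresses "not compatible" unambiguously.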
diff --git a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/ts-sp-smm-gateway_%.bbappend b/meta-arm/meta-arm-bsp/recipes-security/trusted-services/ts-sp-smm-gateway_%.bbappend
index eba1553235..628dfb4807 100644
--- a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/ts-sp-smm-gateway_%.bbappend
+++ b/meta-arm/meta-arm-bsp/recipes-security/trusted-services/ts-sp-smm-gateway_%.bbappend
@@ -1,5 +1,12 @@
require ts-arm-platforms.inc
-EXTRA_OECMAKE:append:corstone1000 = " -DMM_COMM_BUFFER_ADDRESS="0x00000000 0x02000000" \
+EXTRA_OECMAKE:append:corstone1000 = " -DMM_COMM_BUFFER_ADDRESS="0x00000000 0x81FFF000" \
-DMM_COMM_BUFFER_PAGE_COUNT="1" \
+ -DUEFI_AUTH_VAR=ON \
+ -DUEFI_INTERNAL_CRYPTO=ON \
+ -DSMM_GATEWAY_MAX_UEFI_VARIABLES=60 \
+ "
+
+EXTRA_OECMAKE:append:fvp-base = " -DMM_COMM_BUFFER_ADDRESS="0x00000000 0x81000000" \
+ -DMM_COMM_BUFFER_PAGE_COUNT="8" \
"
diff --git a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/ts-sp-spm-test1_%.bbappend b/meta-arm/meta-arm-bsp/recipes-security/trusted-services/ts-sp-spm-test1_%.bbappend
new file mode 100644
index 0000000000..5c9ef210ec
--- /dev/null
+++ b/meta-arm/meta-arm-bsp/recipes-security/trusted-services/ts-sp-spm-test1_%.bbappend
@@ -0,0 +1 @@
+require ts-arm-platforms.inc
diff --git a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/ts-sp-spm-test2_%.bbappend b/meta-arm/meta-arm-bsp/recipes-security/trusted-services/ts-sp-spm-test2_%.bbappend
new file mode 100644
index 0000000000..5c9ef210ec
--- /dev/null
+++ b/meta-arm/meta-arm-bsp/recipes-security/trusted-services/ts-sp-spm-test2_%.bbappend
@@ -0,0 +1 @@
+require ts-arm-platforms.inc
diff --git a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/ts-sp-spm-test3_%.bbappend b/meta-arm/meta-arm-bsp/recipes-security/trusted-services/ts-sp-spm-test3_%.bbappend
new file mode 100644
index 0000000000..5c9ef210ec
--- /dev/null
+++ b/meta-arm/meta-arm-bsp/recipes-security/trusted-services/ts-sp-spm-test3_%.bbappend
@@ -0,0 +1 @@
+require ts-arm-platforms.inc
diff --git a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/ts-sp-spm-test4_%.bbappend b/meta-arm/meta-arm-bsp/recipes-security/trusted-services/ts-sp-spm-test4_%.bbappend
new file mode 100644
index 0000000000..5c9ef210ec
--- /dev/null
+++ b/meta-arm/meta-arm-bsp/recipes-security/trusted-services/ts-sp-spm-test4_%.bbappend
@@ -0,0 +1 @@
+require ts-arm-platforms.inc
diff --git a/meta-arm/meta-arm-bsp/wic/efi-disk-esp-only.wks.in b/meta-arm/meta-arm-bsp/wic/efi-disk-esp-only.wks.in
new file mode 100644
index 0000000000..739cc5a430
--- /dev/null
+++ b/meta-arm/meta-arm-bsp/wic/efi-disk-esp-only.wks.in
@@ -0,0 +1,9 @@
+# short-description: Create an EFI disk image with only an ESP partition
+# long-description: Creates a partitioned EFI disk image that the user
+# can directly dd to boot media. This image only contains an ESP
+# partition that can be used by the SystemReady ACS test to store
+# EFI data and process capsule updates.
+
+part /boot --source bootimg-efi --sourceparams="loader=${EFI_PROVIDER}" --label boot --active --align 1024 --use-uuid --part-name="ESP" --part-type=C12A7328-F81F-11D2-BA4B-00A0C93EC93B --fixed-size 256M
+
+bootloader --ptable gpt --timeout=1 --append="${GRUB_LINUX_APPEND}"
diff --git a/meta-arm/meta-arm-bsp/wic/efi-disk-no-swap.wks.in b/meta-arm/meta-arm-bsp/wic/efi-disk-no-swap.wks.in
index 61902dfdad..6ae7ad9d6d 100644
--- a/meta-arm/meta-arm-bsp/wic/efi-disk-no-swap.wks.in
+++ b/meta-arm/meta-arm-bsp/wic/efi-disk-no-swap.wks.in
@@ -3,8 +3,8 @@
# can directly dd to boot media. This image will not contain a swap
# partition but will contain custom machine specific grub arguments.
-part /boot --source bootimg-efi --sourceparams="loader=${EFI_PROVIDER}" --label boot --active --align 1024 --use-uuid
+part /boot --source bootimg-efi --sourceparams="loader=${EFI_PROVIDER}" --label boot --active --align 1024 --use-uuid --part-name="ESP" --part-type=C12A7328-F81F-11D2-BA4B-00A0C93EC93B --fixed-size 256M
-part / --source rootfs --fstype=ext4 --label root --align 1024 --use-uuid
+part / --source rootfs --fstype=ext4 --label root --align 1024 --use-uuid --exclude-path boot/
bootloader --ptable gpt --timeout=1 --append="${GRUB_LINUX_APPEND}"
diff --git a/meta-arm/meta-arm-systemready/recipes-test/arm-systemready-acs/arm-systemready-ir-acs.bb b/meta-arm/meta-arm-systemready/recipes-test/arm-systemready-acs/arm-systemready-ir-acs.bb
index f9226c31cf..41ac2f7759 100644
--- a/meta-arm/meta-arm-systemready/recipes-test/arm-systemready-acs/arm-systemready-ir-acs.bb
+++ b/meta-arm/meta-arm-systemready/recipes-test/arm-systemready-acs/arm-systemready-ir-acs.bb
@@ -41,7 +41,7 @@ file://${COMMON_LICENSE_DIR}/Zlib;md5=87f239f408daca8a157858e192597633 \
"
IMAGE_CLASSES:remove = "license_image"
-COMPATIBLE_MACHINE = "fvp-*"
+COMPATIBLE_MACHINE = "(fvp-.+|.+-fvp)"
TEST_SUITES = "arm_systemready_ir_acs"
diff --git a/meta-arm/meta-arm-systemready/recipes-test/arm-systemready-linux-distros/arm-systemready-linux-distros-debian.bb b/meta-arm/meta-arm-systemready/recipes-test/arm-systemready-linux-distros/arm-systemready-linux-distros-debian.bb
index 04faa3a937..8dbb75c3f7 100644
--- a/meta-arm/meta-arm-systemready/recipes-test/arm-systemready-linux-distros/arm-systemready-linux-distros-debian.bb
+++ b/meta-arm/meta-arm-systemready/recipes-test/arm-systemready-linux-distros/arm-systemready-linux-distros-debian.bb
@@ -1,41 +1,105 @@
require arm-systemready-linux-distros.inc
-LICENSE = "GPL-1.0-only & GPL-1.0-or-later & GPL-2.0-only & GPL-2.0-or-later \
- & GPL-3.0-only & GPL-3.0-or-later & LGPL-2.0-only \
- & LGPL-2.0-or-later & LGPL-2.1-only & LGPL-2.1-or-later \
- & LGPL-3.0-only & LGPL-3.0-or-later & BSD-3-Clause & BSD-4-Clause \
- & Artistic-1.0-Perl & Apache-1.0 & Apache-1.1 & Apache-2.0 & Zlib \
- & Python-2.0 & Ruby & PHP-3.01 & W3C-20150513 & OpenSSL & Sleepycat"
+# The Debian project does not provide a license manifest for the distributed ISO images.
+# The following list only contains the SPDX license identifiers found on the deb
+# packages from the ISO image and is not exhaustive.
+# For more information about Debian licenses, including the non-free ones, refer to
+# https://www.debian.org/legal/licenses/.
+LICENSE = "AFL-2.0 & AFL-2.1 \
+ & GPL-1.0-only & GPL-1.0-or-later & GPL-2.0-only & GPL-2.0-or-later & GPL-2.0-with-autoconf-exception \
+ & GPL-2.0-with-OpenSSL-exception & GPL-3.0-only & GPL-3.0-or-later & GPL-3.0-with-autoconf-exception \
+ & GPL-3-with-bison-exception & SMAIL_GPL & LGPL-2.0-only & LGPL-2.0-or-later & LGPL-2.1-only \
+ & LGPL-2.1-or-later & LGPL-3.0-only & LGPL-3.0-or-later & BSD-2-Clause & BSD-3-Clause \
+ & BSD-3-Clause-Clear & BSD-4-Clause & BSD-4-Clause-UC & TCP-wrappers & OLDAP-2.8 & PSF-2.0 & BSL-1.0 \
+ & bzip2-1.0.6 & CC0-1.0 & Libpng & Latex2e & Unicode-TOU & Unicode-DFS-2016 & CC-BY-3.0 & CC-BY-SA-3.0 \
+ & CC-BY-SA-4.0 & curl & MS-PL & NTP & FSFAP & FSFUL & FSFULLR & FSF-Unlimited & EDL-1.0 & Vim & FTL \
+ & TCL & MPL-1.1 & MPL-2.0 & GFDL-1.1-or-later & GFDL-1.2-or-later & GFDL-1.3-no-invariants-or-later \
+ & GFDL-1.3-no-invariants-only & Artistic-1.0 & Artistic-2.0 & Artistic-1.0-Perl & Apache-2.0 \
+ & Apache-2.0-with-LLVM-exception & Zlib & Python-2.0 & OpenSSL & Sleepycat & Spencer-86 & MIT & MIT-CMU \
+ & MIT-advertising & Beerware & Intel & X11 & ISC & IPL-1.0 & SSH-OpenSSH & SSH-short & RSA-MD & OPL-1.0 & PD"
+
LIC_FILES_CHKSUM = "\
+file://${COMMON_LICENSE_DIR}/AFL-2.0;md5=f01c02e5eac69cff6b8c2cc474b8d468 \
+file://${COMMON_LICENSE_DIR}/AFL-2.1;md5=e40039b90e182a056bcd9ad3e47ddd71 \
file://${COMMON_LICENSE_DIR}/GPL-1.0-only;md5=e9e36a9de734199567a4d769498f743d \
file://${COMMON_LICENSE_DIR}/GPL-1.0-or-later;md5=30c0b8a5048cc2f4be5ff15ef0d8cf61 \
file://${COMMON_LICENSE_DIR}/GPL-2.0-only;md5=801f80980d171dd6425610833a22dbe6 \
file://${COMMON_LICENSE_DIR}/GPL-2.0-or-later;md5=fed54355545ffd980b814dab4a3b312c \
+file://${COMMON_LICENSE_DIR}/GPL-2.0-with-autoconf-exception;md5=966c02a95037a9c7ad75a7597aea9c5f \
+file://${COMMON_LICENSE_DIR}/GPL-2.0-with-OpenSSL-exception;md5=d9e4412f125e3e6f14efba8ce7b4604f \
file://${COMMON_LICENSE_DIR}/GPL-3.0-only;md5=c79ff39f19dfec6d293b95dea7b07891 \
file://${COMMON_LICENSE_DIR}/GPL-3.0-or-later;md5=1c76c4cc354acaac30ed4d5eefea7245 \
+file://${COMMON_LICENSE_DIR}/GPL-3.0-with-autoconf-exception;md5=da26b415cb0faf9bfe6829f0ffa409ec \
+file://${COMMON_LICENSE_DIR}/GPL-3-with-bison-exception;md5=6e1bac3dc21fcc4fa049cf5c407eb7a2 \
+file://${COMMON_LICENSE_DIR}/SMAIL_GPL;md5=b948675029f79c64840e78881e91e1d4 \
file://${COMMON_LICENSE_DIR}/LGPL-2.0-only;md5=9427b8ccf5cf3df47c29110424c9641a \
file://${COMMON_LICENSE_DIR}/LGPL-2.0-or-later;md5=6d2d9952d88b50a51a5c73dc431d06c7 \
file://${COMMON_LICENSE_DIR}/LGPL-2.1-only;md5=1a6d268fd218675ffea8be556788b780 \
file://${COMMON_LICENSE_DIR}/LGPL-2.1-or-later;md5=2a4f4fd2128ea2f65047ee63fbca9f68 \
file://${COMMON_LICENSE_DIR}/LGPL-3.0-only;md5=bfccfe952269fff2b407dd11f2f3083b \
file://${COMMON_LICENSE_DIR}/LGPL-3.0-or-later;md5=c51d3eef3be114124d11349ca0d7e117 \
+file://${COMMON_LICENSE_DIR}/BSD-2-Clause;md5=cb641bc04cda31daea161b1bc15da69f \
file://${COMMON_LICENSE_DIR}/BSD-3-Clause;md5=550794465ba0ec5312d6919e203a55f9 \
+file://${COMMON_LICENSE_DIR}/BSD-3-Clause-Clear;md5=7a434440b651f4a472ca93716d01033a \
file://${COMMON_LICENSE_DIR}/BSD-4-Clause;md5=624d9e67e8ac41a78f6b6c2c55a83a2b \
+file://${COMMON_LICENSE_DIR}/BSD-4-Clause-UC;md5=1da3cf8ad50cd8d5d1de3cfc53196d01 \
+file://${COMMON_LICENSE_DIR}/TCP-wrappers;md5=83b1f59c3c52689f5652193e0cd5b1cf \
+file://${COMMON_LICENSE_DIR}/OLDAP-2.8;md5=bb28ada4fbb5c3f52c233899b2e410a5 \
+file://${COMMON_LICENSE_DIR}/PSF-2.0;md5=76c1502273262a5ebefb50dfb20d7c4f \
+file://${COMMON_LICENSE_DIR}/BSL-1.0;md5=65a7df9ad57aacf825fd252c4c33288c \
+file://${COMMON_LICENSE_DIR}/bzip2-1.0.6;md5=841c5495611ae95b13e80fa4a0627333 \
+file://${COMMON_LICENSE_DIR}/CC0-1.0;md5=0ceb3372c9595f0a8067e55da801e4a1 \
+file://${COMMON_LICENSE_DIR}/Libpng;md5=12b4ec50384c800bc568f519671b120c \
+file://${COMMON_LICENSE_DIR}/Latex2e;md5=ef91d258f6a8d4d7f4db4d30adf38598 \
+file://${COMMON_LICENSE_DIR}/Unicode-TOU;md5=666362dc5dba74f477af0f44fb85bd22 \
+file://${COMMON_LICENSE_DIR}/Unicode-DFS-2016;md5=907371994d651afe53e98adc27824669 \
+file://${COMMON_LICENSE_DIR}/CC-BY-3.0;md5=dfa02b5755629022e267f10b9c0a2ab7 \
+file://${COMMON_LICENSE_DIR}/CC-BY-SA-3.0;md5=3248afbd148270ac7337a6f3e2558be5 \
+file://${COMMON_LICENSE_DIR}/CC-BY-SA-4.0;md5=4084714af41157e38872e798eb3fe1b1 \
+file://${COMMON_LICENSE_DIR}/curl;md5=f7adb1397db248527ffed14d947e445c \
+file://${COMMON_LICENSE_DIR}/MS-PL;md5=b9cbca4f1a399b0c17b3521736e67848 \
+file://${COMMON_LICENSE_DIR}/NTP;md5=0926fd147301b2a65e45e21adb3a6f14 \
+file://${COMMON_LICENSE_DIR}/FSFAP;md5=232368338ef6dc99de71c2e05ff12176 \
+file://${COMMON_LICENSE_DIR}/FSFUL;md5=dc74327e8d4dca295527a090d2af4ba4 \
+file://${COMMON_LICENSE_DIR}/FSFULLR;md5=f0aa4b452548cc5d53a7772a9a90b3c0 \
+file://${COMMON_LICENSE_DIR}/FSF-Unlimited;md5=06fadd9ae6adbcd5d8d545dac90b15f6 \
+file://${COMMON_LICENSE_DIR}/EDL-1.0;md5=e06be17b8577bf6e2277a5c3c71b2d05 \
+file://${COMMON_LICENSE_DIR}/Vim;md5=676d28582e2dca824e7e309a9865eeb1 \
+file://${COMMON_LICENSE_DIR}/FTL;md5=f0bf6b09ee8b02121ed10709d9e49d8b \
+file://${COMMON_LICENSE_DIR}/TCL;md5=5f7b23ac10d8f7cde16737bc896bb6fb \
+file://${COMMON_LICENSE_DIR}/MPL-1.1;md5=1d38e87ed8d522c49f04e1efe0fab3ab \
+file://${COMMON_LICENSE_DIR}/MPL-2.0;md5=815ca599c9df247a0c7f619bab123dad \
+file://${COMMON_LICENSE_DIR}/GFDL-1.1-or-later;md5=03322744a1a73f36ebf29f98cced39a4 \
+file://${COMMON_LICENSE_DIR}/GFDL-1.2-or-later;md5=9f58808219e9a42ff1228309d6f83dc6 \
+file://${COMMON_LICENSE_DIR}/GFDL-1.3-no-invariants-or-later;md5=e0771ae6a62dc8a2e50b1d450fea66b7 \
+file://${COMMON_LICENSE_DIR}/GFDL-1.3-no-invariants-only;md5=e0771ae6a62dc8a2e50b1d450fea66b7 \
+file://${COMMON_LICENSE_DIR}/Artistic-1.0;md5=cda03bbdc3c1951996392b872397b798 \
+file://${COMMON_LICENSE_DIR}/Artistic-2.0;md5=8bbc66f0ba93cec26ef526117e280266 \
file://${COMMON_LICENSE_DIR}/Artistic-1.0-Perl;md5=8feedd169dbd5738981843bd7d931f9f \
-file://${COMMON_LICENSE_DIR}/Apache-1.0;md5=9f7a9503b805de9158a2a31a2cef4b70 \
-file://${COMMON_LICENSE_DIR}/Apache-1.1;md5=61cc638ff95ff4f38f243855bcec4317 \
file://${COMMON_LICENSE_DIR}/Apache-2.0;md5=89aea4e17d99a7cacdbeed46a0096b10 \
+file://${COMMON_LICENSE_DIR}/Apache-2.0-with-LLVM-exception;md5=0bcd48c3bdfef0c9d9fd17726e4b7dab \
file://${COMMON_LICENSE_DIR}/Zlib;md5=87f239f408daca8a157858e192597633 \
file://${COMMON_LICENSE_DIR}/Python-2.0;md5=a5c8025e305fb49e6d405769358851f6 \
-file://${COMMON_LICENSE_DIR}/Ruby;md5=105fc57d3f4d3122db32912f3e6107d0 \
-file://${COMMON_LICENSE_DIR}/PHP-3.01;md5=3363e286b5882ec667a6ebd86e0d9d91 \
-file://${COMMON_LICENSE_DIR}/W3C-20150513;md5=9ff23a699fca546a380855dd40d12d4f \
file://${COMMON_LICENSE_DIR}/OpenSSL;md5=4eb1764f3e65fafa1a25057f9082f2ae \
file://${COMMON_LICENSE_DIR}/Sleepycat;md5=1cbb64231c94198653282f3ccab88ffb \
+file://${COMMON_LICENSE_DIR}/Spencer-86;md5=97ba797de74f88a17676473fab224843 \
+file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302 \
+file://${COMMON_LICENSE_DIR}/MIT-CMU;md5=91b70218e0db8e063ed88cd532cb801d \
+file://${COMMON_LICENSE_DIR}/MIT-advertising;md5=0f358dd6677661d482934070c7eeaeec \
+file://${COMMON_LICENSE_DIR}/Beerware;md5=8db32780d0d8bbbdce0fa415e514cb89 \
+file://${COMMON_LICENSE_DIR}/Intel;md5=ced5efc26449ecac834b4b71625a3410 \
+file://${COMMON_LICENSE_DIR}/X11;md5=87f08485cf6ba3c63a00eda8ecba7f1d \
+file://${COMMON_LICENSE_DIR}/ISC;md5=f3b90e78ea0cffb20bf5cca7947a896d \
+file://${COMMON_LICENSE_DIR}/IPL-1.0;md5=be739b8845e6e98f99e206221fe9293b \
+file://${COMMON_LICENSE_DIR}/SSH-OpenSSH;md5=3af632aae8cf01feb6ce2ed44bb7ed2e \
+file://${COMMON_LICENSE_DIR}/SSH-short;md5=b73783010a430cadaabdc8ec0c0748f8 \
+file://${COMMON_LICENSE_DIR}/RSA-MD;md5=9342e66a3fb8ddeebe449a85366f4acc \
+file://${COMMON_LICENSE_DIR}/OPL-1.0;md5=acdf1e4398bd93dc137e271c50316324 \
+file://${COMMON_LICENSE_DIR}/PD;md5=b3597d12946881e13cb3b548d1173851 \
"
-PV = "11.7.0"
+PV = "12.4.0"
# netinst, DVD-1
ISO_TYPE = "netinst"
SRC_URI = "https://cdimage.debian.org/mirror/cdimage/archive/${PV}/arm64/iso-cd/debian-${PV}-arm64-${ISO_TYPE}.iso;unpack=0;downloadfilename=${ISO_IMAGE_NAME}.iso"
-SRC_URI[sha256sum] = "174caba674fe3172938439257156b9cb8940bb5fd5ddf124256e81ec00ec460d"
+SRC_URI[sha256sum] = "d32d2c63350a932dc0d9d45665985b41413f9e01efc0eacbea981d435f553d3d"
diff --git a/meta-arm/meta-arm-systemready/recipes-test/arm-systemready-linux-distros/arm-systemready-linux-distros-fedora.bb b/meta-arm/meta-arm-systemready/recipes-test/arm-systemready-linux-distros/arm-systemready-linux-distros-fedora.bb
new file mode 100644
index 0000000000..25990b3038
--- /dev/null
+++ b/meta-arm/meta-arm-systemready/recipes-test/arm-systemready-linux-distros/arm-systemready-linux-distros-fedora.bb
@@ -0,0 +1,103 @@
+require arm-systemready-linux-distros.inc
+
+# The Fedora project does not provide a license manifest for the distributed ISO images.
+# The following list only contains the SPDX license identifiers found on the rpm
+# packages from the ISO image and is not exhaustive.
+# For more information about Fedora licenses, including the non-free ones, refer to
+# https://docs.fedoraproject.org/en-US/legal/fedora-linux-license/.
+LICENSE = "GPL-1.0-only & GPL-1.0-or-later & GPL-2.0-only & GPL-2.0-or-later & GPL-2.0-with-font-exception \
+ & GPL-2.0-with-GCC-exception & GPL-3.0-only & GPL-3.0-or-later & GPL-3-with-bison-exception \
+ & LGPL-2.0-only & LGPL-2.0-or-later & LGPL-2.1-only & LGPL-2.1-or-later & LGPL-3.0-only & LGPL-3.0-or-later \
+ & 0BSD & BSD-2-Clause & BSD-3-Clause & BSD-3-Clause-Modification & BSD-4-Clause & BSD-4-Clause-UC \
+ & ClArtistic & Artistic-2.0 & Artistic-1.0-Perl & Apache-2.0 & Apache-2.0-with-LLVM-exception & Zlib \
+ & zlib-acknowledgement & Sleepycat & MIT & MIT-open-group & MIT-Modern-Variant & Unlicense & ISC \
+ & AFL-2.1 & AGPL-3.0-only & AGPL-3.0-or-later & FSFAP & MPL-1.1 & MPL-2.0 & CC-BY-3.0 & CC-BY-4.0 \
+ & CC-BY-SA-4.0 & CC0-1.0 & NCSA & APSL-2.0 & IJG & psutils & Sendmail & blessing & NTP & BSL-1.0 \
+ & GFDL-1.1-or-later & GFDL-1.2-or-later & GFDL-1.3 & GFDL-1.3-or-later & GFDL-1.3-no-invariants-or-later \
+ & NPL-1.1 & libtiff & Vim & curl & EUPL-1.1 & OFL-1.1 & OFL-1.1-RFN & FTL & Info-ZIP & Interbase-1.0 \
+ & Unicode-DFS-2016 & SISSL & LPPL-1.3a & SGI-B-2.0 & PSF-2.0 & X11 & OLDAP-2.8 & PostgreSQL & OPUBL-1.0"
+
+LIC_FILES_CHKSUM = "\
+file://${COMMON_LICENSE_DIR}/GPL-1.0-only;md5=e9e36a9de734199567a4d769498f743d \
+file://${COMMON_LICENSE_DIR}/GPL-1.0-or-later;md5=30c0b8a5048cc2f4be5ff15ef0d8cf61 \
+file://${COMMON_LICENSE_DIR}/GPL-2.0-only;md5=801f80980d171dd6425610833a22dbe6 \
+file://${COMMON_LICENSE_DIR}/GPL-2.0-or-later;md5=fed54355545ffd980b814dab4a3b312c \
+file://${COMMON_LICENSE_DIR}/GPL-2.0-with-font-exception;md5=bf93e21a513f6f923474e62fb920434d \
+file://${COMMON_LICENSE_DIR}/GPL-2.0-with-GCC-exception;md5=14c42911132e8c9008911385aede6449 \
+file://${COMMON_LICENSE_DIR}/GPL-3.0-only;md5=c79ff39f19dfec6d293b95dea7b07891 \
+file://${COMMON_LICENSE_DIR}/GPL-3.0-or-later;md5=1c76c4cc354acaac30ed4d5eefea7245 \
+file://${COMMON_LICENSE_DIR}/GPL-3-with-bison-exception;md5=6e1bac3dc21fcc4fa049cf5c407eb7a2 \
+file://${COMMON_LICENSE_DIR}/LGPL-2.0-only;md5=9427b8ccf5cf3df47c29110424c9641a \
+file://${COMMON_LICENSE_DIR}/LGPL-2.0-or-later;md5=6d2d9952d88b50a51a5c73dc431d06c7 \
+file://${COMMON_LICENSE_DIR}/LGPL-2.1-only;md5=1a6d268fd218675ffea8be556788b780 \
+file://${COMMON_LICENSE_DIR}/LGPL-2.1-or-later;md5=2a4f4fd2128ea2f65047ee63fbca9f68 \
+file://${COMMON_LICENSE_DIR}/LGPL-3.0-only;md5=bfccfe952269fff2b407dd11f2f3083b \
+file://${COMMON_LICENSE_DIR}/LGPL-3.0-or-later;md5=c51d3eef3be114124d11349ca0d7e117 \
+file://${COMMON_LICENSE_DIR}/0BSD;md5=f667a3c3830a55a17ec3067709f4526c \
+file://${COMMON_LICENSE_DIR}/BSD-2-Clause;md5=cb641bc04cda31daea161b1bc15da69f \
+file://${COMMON_LICENSE_DIR}/BSD-3-Clause;md5=550794465ba0ec5312d6919e203a55f9 \
+file://${COMMON_LICENSE_DIR}/BSD-3-Clause-Modification;md5=27b46022df7bdef61a1e404fc3573f83 \
+file://${COMMON_LICENSE_DIR}/BSD-4-Clause;md5=624d9e67e8ac41a78f6b6c2c55a83a2b \
+file://${COMMON_LICENSE_DIR}/BSD-4-Clause-UC;md5=1da3cf8ad50cd8d5d1de3cfc53196d01 \
+file://${COMMON_LICENSE_DIR}/ClArtistic;md5=f633bbf0697ec33066b83adfa9ebe51d \
+file://${COMMON_LICENSE_DIR}/Artistic-2.0;md5=8bbc66f0ba93cec26ef526117e280266 \
+file://${COMMON_LICENSE_DIR}/Artistic-1.0-Perl;md5=8feedd169dbd5738981843bd7d931f9f \
+file://${COMMON_LICENSE_DIR}/Apache-2.0;md5=89aea4e17d99a7cacdbeed46a0096b10 \
+file://${COMMON_LICENSE_DIR}/Apache-2.0-with-LLVM-exception;md5=0bcd48c3bdfef0c9d9fd17726e4b7dab \
+file://${COMMON_LICENSE_DIR}/Zlib;md5=87f239f408daca8a157858e192597633 \
+file://${COMMON_LICENSE_DIR}/zlib-acknowledgement;md5=c76c64e2cf99efcfb5e2b26aa86b12e6 \
+file://${COMMON_LICENSE_DIR}/Sleepycat;md5=1cbb64231c94198653282f3ccab88ffb \
+file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302 \
+file://${COMMON_LICENSE_DIR}/MIT-open-group;md5=a7c50bba311e4b09d48a526eedcef837 \
+file://${COMMON_LICENSE_DIR}/MIT-Modern-Variant;md5=272dea2b67586002978254bc04648ab2 \
+file://${COMMON_LICENSE_DIR}/Unlicense;md5=7246f848faa4e9c9fc0ea91122d6e680 \
+file://${COMMON_LICENSE_DIR}/ISC;md5=f3b90e78ea0cffb20bf5cca7947a896d \
+file://${COMMON_LICENSE_DIR}/AFL-2.1;md5=e40039b90e182a056bcd9ad3e47ddd71 \
+file://${COMMON_LICENSE_DIR}/AGPL-3.0-only;md5=73f1eb20517c55bf9493b7dd6e480788 \
+file://${COMMON_LICENSE_DIR}/AGPL-3.0-or-later;md5=a4af3f9f0c0fc9de318e4df46665906e \
+file://${COMMON_LICENSE_DIR}/FSFAP;md5=232368338ef6dc99de71c2e05ff12176 \
+file://${COMMON_LICENSE_DIR}/MPL-1.1;md5=1d38e87ed8d522c49f04e1efe0fab3ab \
+file://${COMMON_LICENSE_DIR}/MPL-2.0;md5=815ca599c9df247a0c7f619bab123dad \
+file://${COMMON_LICENSE_DIR}/CC-BY-3.0;md5=dfa02b5755629022e267f10b9c0a2ab7 \
+file://${COMMON_LICENSE_DIR}/CC-BY-4.0;md5=9b33bbd06fb58995fb0e299cd38d1838 \
+file://${COMMON_LICENSE_DIR}/CC-BY-SA-4.0;md5=4084714af41157e38872e798eb3fe1b1 \
+file://${COMMON_LICENSE_DIR}/CC0-1.0;md5=0ceb3372c9595f0a8067e55da801e4a1 \
+file://${COMMON_LICENSE_DIR}/NCSA;md5=1b5fdec70ee13ad8a91667f16c1959d7 \
+file://${COMMON_LICENSE_DIR}/APSL-2.0;md5=f9e4701d9a216a87ba145bbe25f54c58 \
+file://${COMMON_LICENSE_DIR}/IJG;md5=d9fc5ebaa95c14466091d25e0d34e688 \
+file://${COMMON_LICENSE_DIR}/psutils;md5=29046009c1f269661e7b74196fb8f6a0 \
+file://${COMMON_LICENSE_DIR}/Sendmail;md5=8037c42e05a5d4bfce06a44729fb6f1a \
+file://${COMMON_LICENSE_DIR}/blessing;md5=d5407b61870d6dc19d0bdc04ae4cc654 \
+file://${COMMON_LICENSE_DIR}/NTP;md5=0926fd147301b2a65e45e21adb3a6f14 \
+file://${COMMON_LICENSE_DIR}/BSL-1.0;md5=65a7df9ad57aacf825fd252c4c33288c \
+file://${COMMON_LICENSE_DIR}/GFDL-1.1-or-later;md5=03322744a1a73f36ebf29f98cced39a4 \
+file://${COMMON_LICENSE_DIR}/GFDL-1.2-or-later;md5=9f58808219e9a42ff1228309d6f83dc6 \
+file://${COMMON_LICENSE_DIR}/GFDL-1.3;md5=1083add59b39991c748ea70a92166959 \
+file://${COMMON_LICENSE_DIR}/GFDL-1.3-or-later;md5=e0771ae6a62dc8a2e50b1d450fea66b7 \
+file://${COMMON_LICENSE_DIR}/GFDL-1.3-no-invariants-or-later;md5=e0771ae6a62dc8a2e50b1d450fea66b7 \
+file://${COMMON_LICENSE_DIR}/NPL-1.1;md5=f9c017c062c1b02462efb915d9f2cb63 \
+file://${COMMON_LICENSE_DIR}/libtiff;md5=b99383975855adc28712577c9cd56485 \
+file://${COMMON_LICENSE_DIR}/Vim;md5=676d28582e2dca824e7e309a9865eeb1 \
+file://${COMMON_LICENSE_DIR}/curl;md5=f7adb1397db248527ffed14d947e445c \
+file://${COMMON_LICENSE_DIR}/EUPL-1.1;md5=3f12b8134016fd7ba5a010afd690abaa \
+file://${COMMON_LICENSE_DIR}/OFL-1.1;md5=fac3a519e5e9eb96316656e0ca4f2b90 \
+file://${COMMON_LICENSE_DIR}/OFL-1.1-RFN;md5=2680fce30f17e5fed9bcebd9336e5b78 \
+file://${COMMON_LICENSE_DIR}/FTL;md5=f0bf6b09ee8b02121ed10709d9e49d8b \
+file://${COMMON_LICENSE_DIR}/Info-ZIP;md5=83a1c8ea099b3b58beb6e55dcbe4c15f \
+file://${COMMON_LICENSE_DIR}/Interbase-1.0;md5=f65304bc0e87e6700fe1e4ab5affdc6f \
+file://${COMMON_LICENSE_DIR}/Unicode-DFS-2016;md5=907371994d651afe53e98adc27824669 \
+file://${COMMON_LICENSE_DIR}/SISSL;md5=fded06bff75eb4a2899bd051e2e128f5 \
+file://${COMMON_LICENSE_DIR}/LPPL-1.3a;md5=8e2e8e1428b39cd78927c2ad28734ff7 \
+file://${COMMON_LICENSE_DIR}/SGI-B-2.0;md5=5f5dd7bd973dff1594131b1e9c7981f1 \
+file://${COMMON_LICENSE_DIR}/PSF-2.0;md5=76c1502273262a5ebefb50dfb20d7c4f \
+file://${COMMON_LICENSE_DIR}/X11;md5=87f08485cf6ba3c63a00eda8ecba7f1d \
+file://${COMMON_LICENSE_DIR}/OLDAP-2.8;md5=bb28ada4fbb5c3f52c233899b2e410a5 \
+file://${COMMON_LICENSE_DIR}/PostgreSQL;md5=a9c78964f52e27f4c01140a1a16da8e2 \
+file://${COMMON_LICENSE_DIR}/OPUBL-1.0;md5=99367d4750dbf0ae6cc74209ddd52f6d \
+"
+
+ARM_SYSTEMREADY_LINUX_DISTRO_INSTALL_SIZE = "6144"
+
+PV = "39.1.5"
+SRC_URI = "https://download.fedoraproject.org/pub/fedora/linux/releases/39/Server/aarch64/iso/Fedora-Server-dvd-aarch64-39-1.5.iso;unpack=0;downloadfilename=${ISO_IMAGE_NAME}.iso"
+SRC_URI[sha256sum] = "d19dc2a39758155fa53e6fd555d0d173ccc8175b55dea48002d499f39cb30ce0"
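Review bot: SRC_URI hardcodes the release (`releases/39/...`) and the image version (`Fedora-Server-dvd-aarch64-39-1.5.iso`) while PV carries the same information as `39.1.5`, so a future bump must be made in three places, whereas the Debian recipe in the same commit derives its URL from `${PV}`. Deriving the path from PV (or splitting PV into release and build variables used in both) keeps the version in one place. `ARM_SYSTEMREADY_LINUX_DISTRO_INSTALL_SIZE = "6144"` carries no unit; presumably megabytes, and a one-line comment stating the unit and why the Fedora server image needs more than the default would help.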
diff --git a/meta-arm/meta-arm-systemready/recipes-test/arm-systemready-linux-distros/arm-systemready-linux-distros-opensuse.bb b/meta-arm/meta-arm-systemready/recipes-test/arm-systemready-linux-distros/arm-systemready-linux-distros-opensuse.bb
index 13e4355d40..06135d1537 100644
--- a/meta-arm/meta-arm-systemready/recipes-test/arm-systemready-linux-distros/arm-systemready-linux-distros-opensuse.bb
+++ b/meta-arm/meta-arm-systemready/recipes-test/arm-systemready-linux-distros/arm-systemready-linux-distros-opensuse.bb
@@ -1,19 +1,20 @@
require arm-systemready-linux-distros.inc
-LICENSE = "AGPL-3.0-only & Apache-2.0 & Artistic-1.0 & Artistic-2.0 \
+LICENSE = "AGPL-3.0-only & Apache-1.1 & Apache-2.0 & Artistic-1.0 & Artistic-2.0 \
& BSD-2-Clause-Patent & BSD-2-Clause & BSD-3-Clause & BSD-4-Clause \
- & CC-BY-3.0 & CC-BY-4.0 & CC-BY-SA-1.0 & CC-BY-SA-3.0 \
+ & BSL-1.0 & CC-BY-3.0 & CC-BY-4.0 & CC-BY-SA-1.0 & CC-BY-SA-3.0 \
& CC-BY-SA-4.0 & CC0-1.0 & CDDL-1.0 & GFDL-1.1-only \
& GFDL-1.2-only & GFDL-1.3-only & GFDL-1.3-or-later \
& GPL-1.0-or-later & GPL-2.0-only & GPL-2.0-or-later \
- & GPL-3.0-only & GPL-3.0-or-later & HPND & ICU & IPA \
+ & GPL-3.0-only & GPL-3.0-or-later & HPND & ICU & IPL-1.0 & IPA \
& ISC & LGPL-2.0-only & LGPL-2.0-or-later & LGPL-2.1-only \
& LGPL-2.1-or-later & LGPL-3.0-only & LGPL-3.0-or-later \
& LPPL-1.3c & MIT & MPL-1.1 & MPL-2.0 & OFL-1.1 & OLDAP-2.8 \
- & OpenSSL & Python-2.0 & Vim & W3C"
+ & OpenSSL & Python-2.0 & Sleepycat & Vim & W3C & Zlib"
LIC_FILES_CHKSUM = "\
file://${COMMON_LICENSE_DIR}/AGPL-3.0-only;md5=73f1eb20517c55bf9493b7dd6e480788 \
+file://${COMMON_LICENSE_DIR}/Apache-1.1;md5=61cc638ff95ff4f38f243855bcec4317 \
file://${COMMON_LICENSE_DIR}/Apache-2.0;md5=89aea4e17d99a7cacdbeed46a0096b10 \
file://${COMMON_LICENSE_DIR}/Artistic-1.0;md5=cda03bbdc3c1951996392b872397b798 \
file://${COMMON_LICENSE_DIR}/Artistic-2.0;md5=8bbc66f0ba93cec26ef526117e280266 \
@@ -21,6 +22,7 @@ file://${COMMON_LICENSE_DIR}/BSD-2-Clause-Patent;md5=0518d409dae93098cca8dfa932f
file://${COMMON_LICENSE_DIR}/BSD-2-Clause;md5=cb641bc04cda31daea161b1bc15da69f \
file://${COMMON_LICENSE_DIR}/BSD-3-Clause;md5=550794465ba0ec5312d6919e203a55f9 \
file://${COMMON_LICENSE_DIR}/BSD-4-Clause;md5=624d9e67e8ac41a78f6b6c2c55a83a2b \
+file://${COMMON_LICENSE_DIR}/BSL-1.0;md5=65a7df9ad57aacf825fd252c4c33288c \
file://${COMMON_LICENSE_DIR}/CC-BY-3.0;md5=dfa02b5755629022e267f10b9c0a2ab7 \
file://${COMMON_LICENSE_DIR}/CC-BY-4.0;md5=9b33bbd06fb58995fb0e299cd38d1838 \
file://${COMMON_LICENSE_DIR}/CC-BY-SA-1.0;md5=681ffad43a0addd90f1bebf45675104e \
@@ -40,6 +42,7 @@ file://${COMMON_LICENSE_DIR}/GPL-3.0-or-later;md5=1c76c4cc354acaac30ed4d5eefea72
file://${COMMON_LICENSE_DIR}/HPND;md5=faa364b3e3c6db0f74cc0e704ddf6b9c \
file://${COMMON_LICENSE_DIR}/ICU;md5=4d85ad1f393add71dc66bcf78e3ee584 \
file://${COMMON_LICENSE_DIR}/IPA;md5=17b18da2d8b2c43c598aa7583229ef1b \
+file://${COMMON_LICENSE_DIR}/IPL-1.0;md5=be739b8845e6e98f99e206221fe9293b \
file://${COMMON_LICENSE_DIR}/ISC;md5=f3b90e78ea0cffb20bf5cca7947a896d \
file://${COMMON_LICENSE_DIR}/LGPL-2.0-only;md5=9427b8ccf5cf3df47c29110424c9641a \
file://${COMMON_LICENSE_DIR}/LGPL-2.0-or-later;md5=6d2d9952d88b50a51a5c73dc431d06c7 \
@@ -55,15 +58,17 @@ file://${COMMON_LICENSE_DIR}/OFL-1.1;md5=fac3a519e5e9eb96316656e0ca4f2b90 \
file://${COMMON_LICENSE_DIR}/OLDAP-2.8;md5=bb28ada4fbb5c3f52c233899b2e410a5 \
file://${COMMON_LICENSE_DIR}/OpenSSL;md5=4eb1764f3e65fafa1a25057f9082f2ae \
file://${COMMON_LICENSE_DIR}/Python-2.0;md5=a5c8025e305fb49e6d405769358851f6 \
+file://${COMMON_LICENSE_DIR}/Sleepycat;md5=1cbb64231c94198653282f3ccab88ffb \
file://${COMMON_LICENSE_DIR}/Vim;md5=676d28582e2dca824e7e309a9865eeb1 \
file://${COMMON_LICENSE_DIR}/W3C;md5=4b1d0384b406508a63e51f7c69687700 \
+file://${COMMON_LICENSE_DIR}/Zlib;md5=87f239f408daca8a157858e192597633 \
"
ARM_SYSTEMREADY_LINUX_DISTRO_INSTALL_SIZE = "6144"
-PV = "15.4"
+PV = "15.5"
# possible value of ISO_TYPE: NET, DVD
ISO_TYPE = "DVD"
-BUILD_NO = "243.2"
+BUILD_NO = "491.1"
SRC_URI = "https://download.opensuse.org/distribution/leap/${PV}/iso/openSUSE-Leap-${PV}-${ISO_TYPE}-aarch64-Build${BUILD_NO}-Media.iso;unpack=0;downloadfilename=${ISO_IMAGE_NAME}.iso"
-SRC_URI[sha256sum] = "d87f79b2b723f9baaeedd9e2be0365c04081e51a4f7f7f08c7ab3eee0c3e0fae"
+SRC_URI[sha256sum] = "456cc4f99b044429d8a89bd302c06e9e382d6ac4dc590139a7096ebb54f5357b"
diff --git a/meta-arm/meta-arm-systemready/recipes-test/arm-systemready-linux-distros/arm-systemready-linux-distros.inc b/meta-arm/meta-arm-systemready/recipes-test/arm-systemready-linux-distros/arm-systemready-linux-distros.inc
index e247a42799..d80cf2373e 100644
--- a/meta-arm/meta-arm-systemready/recipes-test/arm-systemready-linux-distros/arm-systemready-linux-distros.inc
+++ b/meta-arm/meta-arm-systemready/recipes-test/arm-systemready-linux-distros/arm-systemready-linux-distros.inc
@@ -3,6 +3,7 @@ DESCRIPTION = "Arm SystemReady Linux distro CD/DVD images and installation \
target disk image"
IMAGE_CLASSES:remove = "license_image testimage"
+BUILDHISTORY_FEATURES:remove = "image"
INHIBIT_DEFAULT_DEPS = "1"
COMPATIBLE_HOST = "aarch64-*"
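Review bot: The new `BUILDHISTORY_FEATURES:remove = "image"` line carries no explanation, unlike the IMAGE_CLASSES removal it sits beside, so a later reader cannot tell whether buildhistory's image tracking actually breaks on these prebuilt-ISO wrapper recipes or was merely unwanted noise. A one-line comment above it stating the actual reason would settle that, e.g. `# These recipes wrap a prebuilt distro ISO, so buildhistory image tracking does not apply` if that is indeed the motivation.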
diff --git a/meta-arm/meta-arm-toolchain/recipes-devtools/external-arm-toolchain/external-arm-toolchain.bb b/meta-arm/meta-arm-toolchain/recipes-devtools/external-arm-toolchain/external-arm-toolchain.bb
index fab1761177..49ad744270 100644
--- a/meta-arm/meta-arm-toolchain/recipes-devtools/external-arm-toolchain/external-arm-toolchain.bb
+++ b/meta-arm/meta-arm-toolchain/recipes-devtools/external-arm-toolchain/external-arm-toolchain.bb
@@ -316,6 +316,7 @@ PACKAGES += "\
${PN}-staticdev \
"
+INSANE_SKIP += " 32bit-time"
INSANE_SKIP:${PN}-dbg = "staticdev"
INSANE_SKIP:${PN}-utils += "ldflags"
INSANE_SKIP:libstdc++ += "ldflags"
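Review bot: `INSANE_SKIP += " 32bit-time"` at the top of the hunk is not scoped to a package, so as far as I can tell from how insane.bbclass treats the bare variable it disables the 32-bit time_t QA check for every package this recipe produces, and nothing records why. The neighbouring INSANE_SKIP lines are all package-qualified, which suggests this one should be too unless the whole prebuilt toolchain trips the check. Either way a comment is needed, e.g. `# Prebuilt external toolchain: its 32-bit time_t interfaces cannot be rebuilt here, so skip the Y2038 QA check`.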
diff --git a/meta-arm/meta-arm/classes/uefi_capsule.bbclass b/meta-arm/meta-arm/classes/uefi_capsule.bbclass
index 690e7af4c3..a0709c0fd0 100644
--- a/meta-arm/meta-arm/classes/uefi_capsule.bbclass
+++ b/meta-arm/meta-arm/classes/uefi_capsule.bbclass
@@ -1,13 +1,10 @@
# This class generates UEFI capsules
# The current class supports generating a capsule with single firmware binary
-DEPENDS += "gettext-native"
-inherit python3native
-
IMAGE_TYPES += "uefi_capsule"
-# edk2 base tools should be installed in the native sysroot directory
-do_image_uefi_capsule[depends] += "edk2-basetools-native:do_populate_sysroot"
+# u-boot-tools should be installed in the native sysroot directory
+do_image_uefi_capsule[depends] += "u-boot-tools-native:do_populate_sysroot"
# By default the wic image is used to create a capsule
CAPSULE_IMGTYPE ?= "wic"
@@ -18,37 +15,37 @@ CAPSULE_IMGLOCATION ?= "${IMGDEPLOYDIR}"
# The generated capsule by default has uefi.capsule extension
CAPSULE_EXTENSION ?= "uefi.capsule"
+# The generated capsule's name by default is the same as UEFI_FIRMWARE_BINARY
+CAPSULE_NAME ?= "${UEFI_FIRMWARE_BINARY}"
+
# The following variables must be set to be able to generate a capsule update
+CAPSULE_CERTIFICATE_PATH ?= ""
+CAPSULE_FW_VERSION ?= ""
+CAPSULE_GUID ?= ""
+CAPSULE_INDEX ?= ""
+CAPSULE_MONOTONIC_COUNT ?= ""
+CAPSULE_PRIVATE_KEY_PATH ?= ""
UEFI_FIRMWARE_BINARY ?= ""
-UEFI_CAPSULE_CONFIG ?= ""
# Check if the required variables are set
python() {
- for var in ["UEFI_FIRMWARE_BINARY", "UEFI_CAPSULE_CONFIG"]:
+ for var in ["CAPSULE_CERTIFICATE_PATH", "CAPSULE_FW_VERSION", \
+ "CAPSULE_GUID", "CAPSULE_INDEX", \
+ "CAPSULE_MONOTONIC_COUNT", "CAPSULE_PRIVATE_KEY_PATH", \
+ "UEFI_FIRMWARE_BINARY"]:
if not d.getVar(var):
raise bb.parse.SkipRecipe(f"{var} not set")
}
IMAGE_CMD:uefi_capsule(){
-
- # Force the GenerateCapsule script to use python3
- export PYTHON_COMMAND=${PYTHON}
-
- # Copy the firmware and the capsule config json to current directory
- if [ -e ${CAPSULE_IMGLOCATION}/${UEFI_FIRMWARE_BINARY} ]; then
- cp ${CAPSULE_IMGLOCATION}/${UEFI_FIRMWARE_BINARY} . ;
- fi
-
- export UEFI_FIRMWARE_BINARY=${UEFI_FIRMWARE_BINARY}
- envsubst < ${UEFI_CAPSULE_CONFIG} > ./${MACHINE}-capsule-update-image.json
-
- ${STAGING_DIR_NATIVE}/usr/bin/edk2-BaseTools/BinWrappers/PosixLike/GenerateCapsule \
- -e -o ${IMGDEPLOYDIR}/${UEFI_FIRMWARE_BINARY}.${CAPSULE_EXTENSION} -j \
- ${MACHINE}-capsule-update-image.json
-
- # Remove the firmware to avoid contamination of IMGDEPLOYDIR
- rm ${UEFI_FIRMWARE_BINARY}
-
+ mkeficapsule --certificate ${CAPSULE_CERTIFICATE_PATH} \
+ --fw-version ${CAPSULE_FW_VERSION} \
+ --guid ${CAPSULE_GUID} \
+ --index ${CAPSULE_INDEX} \
+ --monotonic-count ${CAPSULE_MONOTONIC_COUNT} \
+ --private-key ${CAPSULE_PRIVATE_KEY_PATH} \
+ ${UEFI_FIRMWARE_BINARY} \
+ ${CAPSULE_IMGLOCATION}/${CAPSULE_NAME}.${CAPSULE_EXTENSION}
}
# The firmware binary should be created before generating the capsule
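Review bot: In the new IMAGE_CMD:uefi_capsule body the input firmware is passed as bare `${UEFI_FIRMWARE_BINARY}` while the output goes under `${CAPSULE_IMGLOCATION}`, so the two are resolved differently; if CAPSULE_IMGLOCATION is ever overridden away from its IMGDEPLOYDIR default, the input would, as far as I can tell, still be looked up in the task's working directory, so `${CAPSULE_IMGLOCATION}/${UEFI_FIRMWARE_BINARY}` (or a comment stating both must live in the working directory) would be clearer. The python() check only verifies the variables are non-empty; a missing key or certificate file is only caught by mkeficapsule with a less specific error, so a `test -f "${CAPSULE_PRIVATE_KEY_PATH}"` / `test -f "${CAPSULE_CERTIFICATE_PATH}"` before the call, plus quoting of the path arguments, would give clearer failures. The block of `CAPSULE_*` defaults also has no per-variable comments; CAPSULE_FW_VERSION and CAPSULE_MONOTONIC_COUNT in particular deserve a note on what they are compared against on the device side (presumably version/anti-rollback checks — confirm against the mkeficapsule documentation), since a wrong value silently yields a capsule the firmware rejects.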
diff --git a/meta-arm/meta-arm/classes/wic_nopt.bbclass b/meta-arm/meta-arm/classes/wic_nopt.bbclass
deleted file mode 100644
index 529bf138a4..0000000000
--- a/meta-arm/meta-arm/classes/wic_nopt.bbclass
+++ /dev/null
@@ -1,9 +0,0 @@
-# This class removes the empty partition table header
-# in the WIC file when --no-table WKS option is used
-
-IMAGE_TYPES:append = " wic.nopt"
-
-CONVERSIONTYPES += "nopt"
-
-# 1024 bytes are skipped which corresponds to the size of the partition table header to remove
-CONVERSION_CMD:nopt = "tail -c +1025 ${IMAGE_NAME}.${type} > ${IMAGE_NAME}.${type}.nopt"
diff --git a/meta-arm/meta-arm/conf/machine/generic-arm64.conf b/meta-arm/meta-arm/conf/machine/generic-arm64.conf
deleted file mode 100644
index 9594e04171..0000000000
--- a/meta-arm/meta-arm/conf/machine/generic-arm64.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-#@TYPE: Machine
-#@NAME: generic-arm64
-#@DESCRIPTION: Generic Arm64 machine for typical SystemReady platforms, which
-#have working firmware and boot via EFI.
-
-require conf/machine/include/arm/arch-armv8a.inc
-
-PREFERRED_PROVIDER_virtual/kernel ?= "linux-yocto"
-KBUILD_DEFCONFIG = "defconfig"
-KCONFIG_MODE = "--alldefconfig"
-KERNEL_IMAGETYPE = "Image"
-MACHINE_EXTRA_RRECOMMENDS += "kernel-modules linux-firmware"
-
-IMAGE_FSTYPES ?= "wic"
-WKS_FILE ?= "efi-disk.wks.in"
-EFI_PROVIDER ?= "${@bb.utils.contains("DISTRO_FEATURES", "systemd", "systemd-boot", "grub-efi", d)}"
-
-MACHINE_FEATURES:append = " alsa bluetooth efi qemu-usermode rtc screen usbhost vfat wifi"
-
-SERIAL_CONSOLES ?= "115200;ttyAMA0 115200;hvc0"
-
-XSERVER ?= "xserver-xorg \
- xf86-video-fbdev \
- xf86-video-modesetting \
- "
diff --git a/meta-arm/meta-arm/lib/oeqa/controllers/fvp.py b/meta-arm/meta-arm/lib/oeqa/controllers/fvp.py
index 80f72aab6b..dddc10ee3a 100644
--- a/meta-arm/meta-arm/lib/oeqa/controllers/fvp.py
+++ b/meta-arm/meta-arm/lib/oeqa/controllers/fvp.py
@@ -3,6 +3,7 @@ import enum
import pathlib
import pexpect
import os
+import time
from oeqa.core.target.ssh import OESSHTarget
from fvp import runner
@@ -127,9 +128,19 @@ class OEFVPTarget(OESSHTarget):
def call_pexpect(terminal, *args, **kwargs):
attr = getattr(self.terminals[terminal], name)
if callable(attr):
- return attr(*args, **kwargs)
+ self.logger.debug(f"Calling {name} on {terminal} : with arguments -> {args} : {kwargs}")
+ start_time = time.monotonic() # Record the start time
+
+ attr = getattr(self.terminals[terminal], name)
+ result = attr(*args, **kwargs)
+
+ end_time = time.monotonic() # Record the end time
+ elapsed_time = end_time - start_time
+ self.logger.debug(f"Execution time for result: [ {result} ] - elapsed_time: {elapsed_time} seconds")
else:
- return attr
+ result = attr
+
+ return result
return call_pexpect
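Review bot: The debug line at L12695 formats every argument passed to the pexpect terminal, so anything a test sends with a send-style call (a login password, for instance) would land in the test log in clear text; logging only `name` and `terminal`, or redacting `args` for send/sendline, avoids that. `attr = getattr(self.terminals[terminal], name)` on L12698 repeats L12692 and can be dropped. The second debug line interpolates the full `result`, which for expect/read calls can be a large console buffer; a truncated repr would keep the log readable. The enclosing method begins above this hunk.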
diff --git a/meta-arm/meta-arm/lib/oeqa/runtime/cases/ftpm.py b/meta-arm/meta-arm/lib/oeqa/runtime/cases/ftpm.py
new file mode 100644
index 0000000000..be0cf46f5b
--- /dev/null
+++ b/meta-arm/meta-arm/lib/oeqa/runtime/cases/ftpm.py
@@ -0,0 +1,41 @@
+#
+# SPDX-License-Identifier: MIT
+#
+
+import os
+
+from oeqa.runtime.case import OERuntimeTestCase
+from oeqa.core.decorator.oetimeout import OETimeout
+
+class FtpmTestSuite(OERuntimeTestCase):
+ """
+ Minimal test for optee-ftpm and ftpm kernel driver interfaces
+ """
+ @OETimeout(360)
+ def test_ftpm(self):
+ # device files, need tee-supplicant fully initialized which takes some time
+ # and tests seem to run before boot is complete
+ cmd = "ls -l /dev/tpm0 /dev/tpmrm0 || ( runlevel; sleep 60; ls -l /dev/tpm0 /dev/tpmrm0 )"
+ status, output = self.target.run(cmd, timeout=90)
+ self.assertEqual(status, 0, msg='\n'.join([cmd, output]))
+
+ # tpm version
+ cmd = "cat /sys/class/tpm/tpm0/tpm_version_major"
+ status, output = self.target.run(cmd, timeout=60)
+ self.assertEqual(status, 0, msg='\n'.join([cmd, output]))
+ self.assertEqual(output, "2", msg='\n'.join([cmd, output]))
+
+ # sha384 pcrs
+ cmd = 'for c in $(seq 0 23); do cat /sys/class/tpm/tpm0/pcr-sha384/"${c}"; done'
+ status, output = self.target.run(cmd, timeout=60)
+ self.assertEqual(status, 0, msg='\n'.join([cmd, output]))
+
+ # sha256 pcrs
+ cmd = 'for c in $(seq 0 23); do cat /sys/class/tpm/tpm0/pcr-sha256/"${c}"; done'
+ status, output = self.target.run(cmd, timeout=60)
+ self.assertEqual(status, 0, msg='\n'.join([cmd, output]))
+
+ # sha1 pcrs
+ cmd = 'for c in $(seq 0 23); do cat /sys/class/tpm/tpm0/pcr-sha1/"${c}"; done'
+ status, output = self.target.run(cmd, timeout=60)
+ self.assertEqual(status, 0, msg='\n'.join([cmd, output]))
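Review bot: The three PCR loops only assert that the reads succeed; nothing checks that the output holds 24 digests, so an fTPM exposing empty sysfs entries would still pass, and something like `self.assertEqual(len(output.splitlines()), 24, msg='\n'.join([cmd, output]))` after each loop would make the test meaningful. `import os` on L12720 is unused. The fixed `sleep 60` fallback on L12733 could be a short polling loop so the test fails faster when the device never appears, and the comment above it would benefit from naming which service the wait is for.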
diff --git a/meta-arm/meta-arm/lib/oeqa/runtime/cases/optee.py b/meta-arm/meta-arm/lib/oeqa/runtime/cases/optee.py
new file mode 100644
index 0000000000..4f46225b1d
--- /dev/null
+++ b/meta-arm/meta-arm/lib/oeqa/runtime/cases/optee.py
@@ -0,0 +1,24 @@
+#
+# SPDX-License-Identifier: MIT
+#
+
+import os
+
+from oeqa.runtime.case import OERuntimeTestCase
+from oeqa.runtime.decorator.package import OEHasPackage
+from oeqa.core.decorator.oetimeout import OETimeout
+
+class OpteeTestSuite(OERuntimeTestCase):
+ """
+ Run OP-TEE tests (xtest).
+ """
+ @OETimeout(1300)
+ @OEHasPackage(['optee-test'])
+ def test_opteetest_xtest(self):
+ # clear storage before executing tests
+ cmd = "xtest --clear-storage || true"
+ status, output = self.target.run(cmd, timeout=60)
+ self.assertEqual(status, 0, msg='\n'.join([cmd, output]))
+ cmd = "xtest"
+ status, output = self.target.run(cmd, timeout=1200)
+ self.assertEqual(status, 0, msg='\n'.join([cmd, output]))
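Review bot: The assertion on L12783 can never fail: `xtest --clear-storage || true` always exits 0, so the status check is vacuous and a failure to clear storage is hidden; either drop the `|| true` and let the step fail, or keep the fallback and only log the output instead of asserting on it. `import os` on L12767 is unused. A comment on roughly how long a full `xtest` run takes on the CI targets would help whoever next adjusts the 1300-second OETimeout at L12777.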
diff --git a/meta-arm/meta-arm/lib/oeqa/runtime/cases/trusted_services.py b/meta-arm/meta-arm/lib/oeqa/runtime/cases/trusted_services.py
index 882989561d..5442399935 100644
--- a/meta-arm/meta-arm/lib/oeqa/runtime/cases/trusted_services.py
+++ b/meta-arm/meta-arm/lib/oeqa/runtime/cases/trusted_services.py
@@ -28,9 +28,7 @@ class TrustedServicesTest(OERuntimeTestCase):
@OEHasPackage(['ts-psa-crypto-api-test'])
@OETestDepends(['ssh.SSHTest.test_ssh'])
def test_03_psa_crypto_api_test(self):
- # There are a two expected PSA Crypto tests failures testing features
- # TS will not support.
- self.run_test_tool('psa-crypto-api-test', expected_status=46)
+ self.run_test_tool('psa-crypto-api-test')
@OEHasPackage(['ts-psa-its-api-test'])
@OETestDepends(['ssh.SSHTest.test_ssh'])
@@ -40,8 +38,7 @@ class TrustedServicesTest(OERuntimeTestCase):
@OEHasPackage(['ts-psa-ps-api-test'])
@OETestDepends(['ssh.SSHTest.test_ssh'])
def test_05_psa_ps_api_test(self):
- # There are a few expected PSA Storage tests failing
- self.run_test_tool('psa-ps-api-test', expected_status=46)
+ self.run_test_tool('psa-ps-api-test')
@OEHasPackage(['ts-psa-iat-api-test'])
@OETestDepends(['ssh.SSHTest.test_ssh'])
@@ -53,13 +50,12 @@ class TrustedServicesTest(OERuntimeTestCase):
def test_09_ts_service_grp_check(self):
# If this test fails, available test groups in ts-service-test have changed and all
# tests using the test executable need to be double checked to ensure test group to
- # TS SP mapping is still valid.
+ # TS SP mapping is still valid.
test_grp_list="FwuServiceTests PsServiceTests ItsServiceTests AttestationProvisioningTests"
test_grp_list+=" AttestationServiceTests CryptoKeyDerivationServicePackedcTests"
test_grp_list+=" CryptoMacServicePackedcTests CryptoCipherServicePackedcTests"
test_grp_list+=" CryptoHashServicePackedcTests CryptoServicePackedcTests"
test_grp_list+=" CryptoServiceProtobufTests CryptoServiceLimitTests"
- test_grp_list+=" DiscoveryServiceTests"
self.run_test_tool('ts-service-test -lg', expected_output=test_grp_list)
@OEHasPackage(['optee-test'])
@@ -79,7 +75,7 @@ class TrustedServicesTest(OERuntimeTestCase):
def test_11_ps_service_tests(self):
if 'ts-storage' not in self.tc.td['MACHINE_FEATURES'] and \
'ts-se-proxy' not in self.tc.td['MACHINE_FEATURES']:
- self.skipTest('Storage SP is not included into OPTEE')
+ self.skipTest('Storage SP is not deployed in the system.')
self.run_test_tool('ts-service-test -g PsServiceTests')
@OEHasPackage(['ts-service-test'])
@@ -87,7 +83,7 @@ class TrustedServicesTest(OERuntimeTestCase):
def test_12_its_service_tests(self):
if 'ts-its' not in self.tc.td['MACHINE_FEATURES'] and \
'ts-se-proxy' not in self.tc.td['MACHINE_FEATURES']:
- self.skipTest('Internal Storage SP is not included into OPTEE')
+ self.skipTest('Internal Storage SP is not deployed in the system.')
self.run_test_tool('ts-service-test -g ItsServiceTests')
@OEHasPackage(['ts-service-test'])
@@ -95,9 +91,8 @@ class TrustedServicesTest(OERuntimeTestCase):
def test_14_attestation_service_tests(self):
if 'ts-attestation' not in self.tc.td['MACHINE_FEATURES'] and \
'ts-se-proxy' not in self.tc.td['MACHINE_FEATURES']:
- self.skipTest('Attestation SP is not included into OPTEE')
- for grp in ["AttestationProvisioningTests", "AttestationServiceTests"]:
- self.run_test_tool('ts-service-test -g %s'%grp)
+ self.skipTest('Attestation SP is not deployed in the system.')
+ self.run_test_tool('ts-service-test -g Attestation')
@OEHasPackage(['ts-service-test'])
@skipIfNotInDataVar('MACHINE_FEATURES', 'ts-crypto', 'Crypto SP is not included')
@@ -105,16 +100,5 @@ class TrustedServicesTest(OERuntimeTestCase):
def test_15_crypto_service_tests(self):
if 'ts-crypto' not in self.tc.td['MACHINE_FEATURES'] and \
'ts-se-proxy' not in self.tc.td['MACHINE_FEATURES']:
- self.skipTest('Crypto SP is not included into OPTEE')
- for grp in ["CryptoKeyDerivationServicePackedcTests", "CryptoMacServicePackedcTests", \
- "CryptoCipherServicePackedcTests", "CryptoHashServicePackedcTests", \
- "CryptoServicePackedcTests", "CryptoServiceProtobufTests CryptoServiceLimitTests"]:
- self.run_test_tool('ts-service-test -g %s'%grp)
-
- @OEHasPackage(['ts-service-test'])
- @OETestDepends(['ssh.SSHTest.test_ssh'])
- def test_16_discovery_service_test(self):
- if 'ts-crypto' not in self.tc.td['MACHINE_FEATURES'] and \
- 'ts-se-proxy' not in self.tc.td['MACHINE_FEATURES']:
- self.skipTest('Crypto SP is not included into OPTEE')
- self.run_test_tool('ts-service-test -g DiscoveryServiceTests')
+ self.skipTest('Crypto SP is not deployed in the system.')
+ self.run_test_tool('ts-service-test -g Crypto')
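Review bot: test_14 and test_15 now pass `-g Attestation` and `-g Crypto` instead of naming the test groups, which relies on the test runner matching `-g` by substring or prefix; if that is intended it should be stated, e.g. `# -g matches group names by substring, so this runs every Crypto* group`, because the explicit list in test_09 (L12816–L12820) remains the reference for which groups exist and a reader would otherwise expect an exact name. The removed loop in test_15 also had a quoting bug (`"CryptoServiceProtobufTests CryptoServiceLimitTests"` was a single element), which the new form fixes without saying so; worth a line in the commit description. The class and its run_test_tool helper begin above these hunks.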
diff --git a/meta-arm/meta-arm/recipes-bsp/boot-wrapper-aarch64/boot-wrapper-aarch64_git.bb b/meta-arm/meta-arm/recipes-bsp/boot-wrapper-aarch64/boot-wrapper-aarch64_git.bb
index 775f406457..d0605dd7a5 100644
--- a/meta-arm/meta-arm/recipes-bsp/boot-wrapper-aarch64/boot-wrapper-aarch64_git.bb
+++ b/meta-arm/meta-arm/recipes-bsp/boot-wrapper-aarch64/boot-wrapper-aarch64_git.bb
@@ -3,7 +3,7 @@ LICENSE = "BSD-3-Clause"
LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=bb63326febfb5fb909226c8e7ebcef5c"
-SRC_URI = "git://git.kernel.org/pub/scm/linux/kernel/git/mark/boot-wrapper-aarch64.git;branch=master"
+SRC_URI = "git://git.kernel.org/pub/scm/linux/kernel/git/mark/boot-wrapper-aarch64.git;branch=master;protocol=https"
SRCREV = "d3b1a15d18542b2086e72bfdc3fc43f454772a3b"
# boot-wrapper doesn't make releases
diff --git a/meta-arm/meta-arm/recipes-bsp/images/firmware-deploy-image.bb b/meta-arm/meta-arm/recipes-bsp/images/firmware-deploy-image.bb
index 76c827385b..2f347f0b39 100644
--- a/meta-arm/meta-arm/recipes-bsp/images/firmware-deploy-image.bb
+++ b/meta-arm/meta-arm/recipes-bsp/images/firmware-deploy-image.bb
@@ -15,7 +15,8 @@ do_install[noexec] = "1"
FIRMWARE_BINARIES ?= ""
do_deploy() {
- firmware_loc="${TMPDIR}_${MACHINE}/deploy/images/${MACHINE}"
+ firmware_loc=$(echo "${TMPDIR}" | sed "s/${TCLIBC}/musl/")
+ firmware_loc="${firmware_loc}_${MACHINE}/deploy/images/${MACHINE}"
for firmware in ${FIRMWARE_BINARIES}; do
echo "cp -av ${firmware_loc}/${firmware} ${DEPLOYDIR}/"
cp -av "${firmware_loc}/${firmware}" ${DEPLOYDIR}/
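Review bot: `sed "s/${TCLIBC}/musl/"` on L12888 replaces the first occurrence of the TCLIBC string anywhere in TMPDIR, so a build path that happens to contain that string in an earlier component is rewritten in the wrong place, and when TMPDIR does not contain TCLIBC at all the substitution is silently a no-op and the later `cp` fails with an unrelated-looking error. Anchoring the pattern to the end of the string (`sed "s/${TCLIBC}$/musl/"`, assuming TMPDIR ends in the libc name, which this hunk does not show) and checking `[ -d "${firmware_loc}" ]` before the loop would make the intent explicit. A comment explaining why firmware is always taken from the musl build tree is also missing.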
diff --git a/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/files/0001-qemu_measured_boot.c-ignore-TPM-error-and-continue-w.patch b/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/files/0001-qemu_measured_boot.c-ignore-TPM-error-and-continue-w.patch
new file mode 100644
index 0000000000..2d189d8e8c
--- /dev/null
+++ b/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/files/0001-qemu_measured_boot.c-ignore-TPM-error-and-continue-w.patch
@@ -0,0 +1,36 @@
+From 1d1425bde8435d6e2b3e4f2b7bcb2eb293ef9601 Mon Sep 17 00:00:00 2001
+From: Mikko Rapeli <mikko.rapeli@linaro.org>
+Date: Mon, 15 Jan 2024 09:26:56 +0000
+Subject: [PATCH] qemu_measured_boot.c: ignore TPM error and continue with boot
+
+If firmware is configured with TPM support but it's missing
+on HW, e.g. swtpm not started and/or configured with qemu,
+then continue booting. Missing TPM is not a fatal error.
+Enables testing boot without TPM device to see that
+missing TPM is detected further up the SW stack and correct
+fallback actions are taken.
+
+Upstream-Status: Pending
+
+Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
+---
+ plat/qemu/qemu/qemu_measured_boot.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/plat/qemu/qemu/qemu_measured_boot.c b/plat/qemu/qemu/qemu_measured_boot.c
+index 122bb23b14..731b081c47 100644
+--- a/plat/qemu/qemu/qemu_measured_boot.c
++++ b/plat/qemu/qemu/qemu_measured_boot.c
+@@ -79,7 +79,8 @@ void bl2_plat_mboot_finish(void)
+ * Note: In QEMU platform, OP-TEE uses nt_fw_config to get the
+ * secure Event Log buffer address.
+ */
+- panic();
++ ERROR("Ignoring TPM errors, continuing without\n");
++ return;
+ }
+
+ /* Copy Event Log to Non-secure memory */
+--
+2.34.1
+
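Review bot: This patch turns the measured-boot failure path in bl2_plat_mboot_finish from fail-closed (`panic()`) into fail-open (log and `return`), and the bbappend hunk at L12981–L12988 applies it unconditionally to every qemu TF-A build rather than only to the TPM-less test configuration the description motivates. A firmware image built from this layer will therefore continue booting without an event log whenever TPM communication fails for any reason, with a single ERROR line as the only evidence. The patch description should state that consequence explicitly, and the behaviour would be safer behind a build-time option so secure-boot configurations that expect a TPM keep the panic. The enclosing function in qemu_measured_boot.c begins and ends outside the quoted hunk.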
diff --git a/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/fiptool-native_2.10.3.bb b/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/fiptool-native_2.10.4.bb
index 5ba8d48cb4..9072dca50a 100644
--- a/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/fiptool-native_2.10.3.bb
+++ b/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/fiptool-native_2.10.4.bb
@@ -9,8 +9,8 @@ SRC_URI_TRUSTED_FIRMWARE_A ?= "git://git.trustedfirmware.org/TF-A/trusted-firmwa
SRC_URI = "${SRC_URI_TRUSTED_FIRMWARE_A};destsuffix=fiptool-${PV};branch=${SRCBRANCH}"
LIC_FILES_CHKSUM = "file://docs/license.rst;md5=b2c740efedc159745b9b31f88ff03dde"
-# Use fiptool from TF-A v2.10.3
-SRCREV = "0f915309c3821ce6f78f8451e5a6178d0cf07611"
+# Use fiptool from TF-A v2.10.4
+SRCREV = "569e16caad976a0684147da1ecc6333fd9b7f813"
SRCBRANCH = "lts-v2.10"
DEPENDS += "openssl-native"
diff --git a/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_%.bbappend b/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_%.bbappend
index b3624bb3c7..3d42a97c7b 100644
--- a/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_%.bbappend
+++ b/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_%.bbappend
@@ -1,5 +1,4 @@
COMPATIBLE_MACHINE:qemuarm64-secureboot = "qemuarm64-secureboot"
-COMPATIBLE_MACHINE:qemu-generic-arm64 = "qemu-generic-arm64"
COMPATIBLE_MACHINE:qemuarm-secureboot = "qemuarm-secureboot"
#FIXME - clang fails to build tfa for qemuarm-secureboot, and possibly other
@@ -14,7 +13,6 @@ SRC_URI:append:qemuarm64-secureboot = " \
"
TFA_PLATFORM:qemuarm64-secureboot = "qemu"
-TFA_PLATFORM:qemu-generic-arm64 = "qemu_sbsa"
TFA_PLATFORM:qemuarm-secureboot = "qemu"
# Trusted Services secure partitions require arm-ffa machine feature.
@@ -32,7 +30,6 @@ TFA_BUILD_TARGET:aarch64:qemuall = "all fip"
TFA_BUILD_TARGET:arm:qemuall = "all fip"
TFA_INSTALL_TARGET:qemuarm64-secureboot = "flash.bin"
-TFA_INSTALL_TARGET:qemu-generic-arm64 = "bl1 fip"
TFA_INSTALL_TARGET:qemuarm-secureboot = "flash.bin"
DEPENDS:append:aarch64:qemuall = " optee-os"
diff --git a/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_2.10.3.bb b/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_2.10.4.bb
index b30ac7252d..332ca7a688 100644
--- a/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_2.10.3.bb
+++ b/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_2.10.4.bb
@@ -1,7 +1,7 @@
require recipes-bsp/trusted-firmware-a/trusted-firmware-a.inc
-# TF-A v2.10.3
-SRCREV_tfa = "0f915309c3821ce6f78f8451e5a6178d0cf07611"
+# TF-A v2.10.4
+SRCREV_tfa = "569e16caad976a0684147da1ecc6333fd9b7f813"
SRCBRANCH = "lts-v2.10"
LIC_FILES_CHKSUM += "file://docs/license.rst;md5=b2c740efedc159745b9b31f88ff03dde"
@@ -11,3 +11,8 @@ SRC_URI_MBEDTLS = "git://github.com/ARMmbed/mbedtls.git;name=mbedtls;protocol=ht
SRCREV_mbedtls = "72718dd87e087215ce9155a826ee5a66cfbe9631"
LIC_FILES_CHKSUM_MBEDTLS = "file://mbedtls/LICENSE;md5=3b83ef96387f14655fc854ddc3c6bd57"
+
+# continue to boot also without TPM
+SRC_URI += "\
+ file://0001-qemu_measured_boot.c-ignore-TPM-error-and-continue-w.patch \
+"
diff --git a/meta-arm/meta-arm/recipes-bsp/uefi/edk2-basetools-native_202402.bb b/meta-arm/meta-arm/recipes-bsp/uefi/edk2-basetools-native_202402.bb
index bd84096731..9a1086fc5b 100644
--- a/meta-arm/meta-arm/recipes-bsp/uefi/edk2-basetools-native_202402.bb
+++ b/meta-arm/meta-arm/recipes-bsp/uefi/edk2-basetools-native_202402.bb
@@ -12,6 +12,8 @@ LIC_FILES_CHKSUM = "file://License.txt;md5=2b415520383f7964e96700ae12b4570a"
SRCREV = "edc6681206c1a8791981a2f911d2fb8b3d2f5768"
+UPSTREAM_CHECK_GITTAGREGEX = "^edk2-stable(?P<pver>\d+)$"
+
S = "${WORKDIR}/git"
inherit native
diff --git a/meta-arm/meta-arm/recipes-bsp/uefi/edk2-firmware_%.bbappend b/meta-arm/meta-arm/recipes-bsp/uefi/edk2-firmware_%.bbappend
index 7a39bb0319..e923d9f034 100644
--- a/meta-arm/meta-arm/recipes-bsp/uefi/edk2-firmware_%.bbappend
+++ b/meta-arm/meta-arm/recipes-bsp/uefi/edk2-firmware_%.bbappend
@@ -13,24 +13,6 @@ EDK2_PLATFORM:qemuarm = "ArmVirtQemu-ARM"
EDK2_PLATFORM_DSC:qemuarm = "ArmVirtPkg/ArmVirtQemu.dsc"
EDK2_BIN_NAME:qemuarm = "QEMU_EFI.fd"
-COMPATIBLE_MACHINE:qemu-generic-arm64 = "qemu-generic-arm64"
-DEPENDS:append:qemu-generic-arm64 = " trusted-firmware-a coreutils-native"
-EDK2_PLATFORM:qemu-generic-arm64 = "SbsaQemu"
-EDK2_PLATFORM_DSC:qemu-generic-arm64 = "Platform/Qemu/SbsaQemu/SbsaQemu.dsc"
-EDK2_BIN_NAME:qemu-generic-arm64 = "SBSA_FLASH0.fd"
-
-do_compile:prepend:qemu-generic-arm64() {
- mkdir -p ${B}/Platform/Qemu/Sbsa/
- cp ${RECIPE_SYSROOT}/firmware/bl1.bin ${B}/Platform/Qemu/Sbsa/
- cp ${RECIPE_SYSROOT}/firmware/fip.bin ${B}/Platform/Qemu/Sbsa/
-}
-
-do_install:append:qemu-generic-arm64() {
- install ${B}/Build/${EDK2_PLATFORM}/${EDK2_BUILD_MODE}_${EDK_COMPILER}/FV/SBSA_FLASH*.fd ${D}/firmware/
- # QEMU requires that the images be minimum of 256M in size
- truncate -s 256M ${D}/firmware/SBSA_FLASH*.fd
-}
-
do_install:append:qemuarm64() {
install ${B}/Build/${EDK2_PLATFORM}/${EDK2_BUILD_MODE}_${EDK_COMPILER}/FV/${EDK2_BIN_NAME} ${D}/firmware/
}
diff --git a/meta-arm/meta-arm/recipes-devtools/fvp/fvp-base-a-aem_11.24.11.bb b/meta-arm/meta-arm/recipes-devtools/fvp/fvp-base-a-aem_11.25.15.bb
index fe89e01f53..eab2255f6f 100644
--- a/meta-arm/meta-arm/recipes-devtools/fvp/fvp-base-a-aem_11.24.11.bb
+++ b/meta-arm/meta-arm/recipes-devtools/fvp/fvp-base-a-aem_11.25.15.bb
@@ -5,8 +5,11 @@ LIC_FILES_CHKSUM = "file://license_terms/license_agreement.txt;md5=1a33828e132ba
file://license_terms/third_party_licenses/third_party_licenses.txt;md5=b9005e55057311e41efe02ccfea8ea72 \
file://license_terms/third_party_licenses/arm_license_management_utilities/third_party_licenses.txt;md5=c09526c02e631abb95ad61528892552d"
-SRC_URI[fvp-aarch64.sha256sum] = "7a3593dafd3af6897b3a0a68f66701201f8f3e02a3d981ba47494b2f18853648"
-SRC_URI[fvp-x86_64.sha256sum] = "0f132334834cbc66889a62dd72057c976d7c7dfcfeec21799e9c78fb2ce24720"
+SRC_URI[fvp-aarch64.sha256sum] = "22096fc2267ad776abe0ff32d0d3b870c9fae10036d9c16f4f0fe4a64487a11e"
+SRC_URI[fvp-x86_64.sha256sum] = "5f33707a1bdaa96a933b89949f28643110ad80ac9835a75f139c200b64a394dc"
+
+# The CSS used in the FVP homepage make it too difficult to query with the tooling currently in Yocto
+UPSTREAM_VERSION_UNKNOWN = "1"
MODEL_CODE = "FVP_Base_RevC-2xAEMvA"
diff --git a/meta-arm/meta-arm/recipes-devtools/fvp/fvp-common.inc b/meta-arm/meta-arm/recipes-devtools/fvp/fvp-common.inc
index a20959b780..29de89f222 100644
--- a/meta-arm/meta-arm/recipes-devtools/fvp/fvp-common.inc
+++ b/meta-arm/meta-arm/recipes-devtools/fvp/fvp-common.inc
@@ -29,10 +29,17 @@ def get_real_pv(d):
pv = d.getVar("PV")
return "%s.%s_%s" % tuple(pv.split("."))
+def get_fm_short_pv_url(d):
+ # FVP versions are like 11.12_43
+ pv = d.getVar("PV")
+ return "FM_%s_%s" % tuple(pv.split("."))[:2]
+
+
# If PV is 1.2.3, VERSION=1.2, BUILD=3, PV_URL=1.2_3.
VERSION = "${@oe.utils.trim_version(d.getVar('PV', -1))}"
BUILD = "${@d.getVar('PV').split('.')[-1]}"
PV_URL = "${@get_real_pv(d)}"
+PV_URL_SHORT="${@get_fm_short_pv_url(d)}"
# The directory the FVP is installed into
FVPDIR = "${libdir}/fvp/${BPN}"
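Review bot: The comment on L13050 says FVP versions look like `11.12_43`, but the function splits PV on `.` and the comment at L13055 describes PV as dotted (`1.2.3`), so it should read something like `# PV is 11.12.43; the download directory name uses only the first two components, FM_11_12`. `"FM_%s_%s" % tuple(pv.split("."))[:2]` raises a TypeError for a PV with fewer than two components, as get_real_pv above does for anything other than three; acceptable, but worth a word in the comment. `PV_URL_SHORT="..."` on L13059 is missing the spaces around `=` that every neighbouring assignment uses.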
diff --git a/meta-arm/meta-arm/recipes-devtools/fvp/fvp-corstone1000.bb b/meta-arm/meta-arm/recipes-devtools/fvp/fvp-corstone1000.bb
index 4ac9a6ca5d..aef9edde51 100644
--- a/meta-arm/meta-arm/recipes-devtools/fvp/fvp-corstone1000.bb
+++ b/meta-arm/meta-arm/recipes-devtools/fvp/fvp-corstone1000.bb
@@ -2,12 +2,14 @@ require fvp-ecosystem.inc
MODEL = "Corstone-1000"
MODEL_CODE = "FVP_Corstone_1000"
-PV = "11.23_25"
+PV = "11.23.25"
-SRC_URI = "https://developer.arm.com/-/media/Arm%20Developer%20Community/Downloads/OSS/FVP/${MODEL}/${MODEL_CODE}_${PV}_${FVP_ARCH}.tgz;subdir=${BP};name=fvp-${HOST_ARCH}"
+SRC_URI = "https://developer.arm.com/-/media/Arm%20Developer%20Community/Downloads/OSS/FVP/${MODEL}/${MODEL_CODE}_${PV_URL}_${FVP_ARCH}.tgz;subdir=${BP};name=fvp-${HOST_ARCH}"
SRC_URI[fvp-aarch64.sha256sum] = "e299e81d5fa8b3d2afee0850fd03be31c1a1c3fad07f79849c63e46ee5e36acc"
SRC_URI[fvp-x86_64.sha256sum] = "ec34c9564ccb5b1eb62fc2757673343a353db1d116a7cb1b5f82f9d985d99cdf"
+UPSTREAM_CHECK_REGEX = "${MODEL_CODE}_(?P<pver>(\d+[\.\-_]*)+)_${FVP_ARCH}\.tgz"
+
LIC_FILES_CHKSUM = "file://license_terms/license_agreement.txt;md5=1a33828e132ba71861c11688dbb0bd16 \
file://license_terms/third_party_licenses/third_party_licenses.txt;md5=0c32ac6f58ebff83065105042ab98211"
diff --git a/meta-arm/meta-arm/recipes-devtools/fvp/fvp-envelope.inc b/meta-arm/meta-arm/recipes-devtools/fvp/fvp-envelope.inc
index 1e8bb40728..f48d823f60 100644
--- a/meta-arm/meta-arm/recipes-devtools/fvp/fvp-envelope.inc
+++ b/meta-arm/meta-arm/recipes-devtools/fvp/fvp-envelope.inc
@@ -2,7 +2,7 @@ require fvp-common.inc
HOMEPAGE = "https://developer.arm.com/Tools%20and%20Software/Fixed%20Virtual%20Platforms"
-SRC_URI = "https://developer.arm.com/-/media/Files/downloads/ecosystem-models/${MODEL_CODE}_${PV_URL}_${FVP_ARCH}.tgz;subdir=${BP};name=fvp-${HOST_ARCH}"
+SRC_URI = "https://developer.arm.com/-/media/Files/downloads/ecosystem-models/${PV_URL_SHORT}/${MODEL_CODE}_${PV_URL}_${FVP_ARCH}.tgz;subdir=${BP};name=fvp-${HOST_ARCH}"
UPSTREAM_CHECK_URI = "${HOMEPAGE}"
UPSTREAM_CHECK_REGEX = "${MODEL_CODE}_(?P<pver>(\d+[\.\-_]*)+).tgz"
diff --git a/meta-arm/meta-arm/recipes-kernel/arm-ffa-tee/arm-ffa-tee_1.1.2.bb b/meta-arm/meta-arm/recipes-kernel/arm-tstee/arm-tstee_2.0.0.bb
index 5790d00f10..44608b1dd2 100644
--- a/meta-arm/meta-arm/recipes-kernel/arm-ffa-tee/arm-ffa-tee_1.1.2.bb
+++ b/meta-arm/meta-arm/recipes-kernel/arm-tstee/arm-tstee_2.0.0.bb
@@ -10,13 +10,13 @@ SRC_URI = "git://gitlab.arm.com/linux-arm/linux-trusted-services;protocol=https;
"
S = "${WORKDIR}/git"
-# Tag tee-v1.1.2
-SRCREV = "8a81f5d2406f146b15a705d49b256efaa5fa3ba9"
+# Tag tee-v2.0.0
+SRCREV = "a2d7349a96c3b3afb44bf1555d53f1c46e45a23d"
COMPATIBLE_HOST = "(arm|aarch64).*-linux"
-KERNEL_MODULE_AUTOLOAD += "arm-ffa-tee"
+KERNEL_MODULE_AUTOLOAD += "arm-tstee"
do_install:append() {
install -d ${D}${includedir}
- install -m 0644 ${S}/uapi/arm_ffa_tee.h ${D}${includedir}/
+ install -m 0644 ${S}/uapi/arm_tstee.h ${D}${includedir}/
}
diff --git a/meta-arm/meta-arm/recipes-kernel/arm-ffa-tee/files/Makefile b/meta-arm/meta-arm/recipes-kernel/arm-tstee/files/Makefile
index 40a6e47403..6d781d15db 100644
--- a/meta-arm/meta-arm/recipes-kernel/arm-ffa-tee/files/Makefile
+++ b/meta-arm/meta-arm/recipes-kernel/arm-tstee/files/Makefile
@@ -1,4 +1,4 @@
-obj-m := arm-ffa-tee.o
+obj-m := arm-tstee.o
SRC := $(shell pwd)
diff --git a/meta-arm/meta-arm/recipes-kernel/linux/files/generic-arm64-kmeta/generic-arm64-preempt-rt-tweaks.cfg b/meta-arm/meta-arm/recipes-kernel/linux/files/generic-arm64-kmeta/generic-arm64-preempt-rt-tweaks.cfg
deleted file mode 100644
index 84e0dd71ca..0000000000
--- a/meta-arm/meta-arm/recipes-kernel/linux/files/generic-arm64-kmeta/generic-arm64-preempt-rt-tweaks.cfg
+++ /dev/null
@@ -1,4 +0,0 @@
-# These configurations have a dependency on !PREEMPT_RT. Set them to `n` to
-# avoid complain when do_kernel_configcheck.
-CONFIG_LEDS_TRIGGER_CPU=n
-CONFIG_TRANSPARENT_HUGEPAGE=n
diff --git a/meta-arm/meta-arm/recipes-kernel/linux/files/generic-arm64-kmeta/generic-arm64-preempt-rt.scc b/meta-arm/meta-arm/recipes-kernel/linux/files/generic-arm64-kmeta/generic-arm64-preempt-rt.scc
deleted file mode 100644
index ae97c2e2a3..0000000000
--- a/meta-arm/meta-arm/recipes-kernel/linux/files/generic-arm64-kmeta/generic-arm64-preempt-rt.scc
+++ /dev/null
@@ -1,7 +0,0 @@
-define KMACHINE generic-arm64
-define KTYPE preempt-rt
-define KARCH arm64
-
-kconf hardware generic-arm64-preempt-rt-tweaks.cfg
-include ktypes/preempt-rt/preempt-rt.scc
-include features/bluetooth/bluetooth.scc
diff --git a/meta-arm/meta-arm/recipes-kernel/linux/files/generic-arm64-kmeta/generic-arm64-standard.scc b/meta-arm/meta-arm/recipes-kernel/linux/files/generic-arm64-kmeta/generic-arm64-standard.scc
deleted file mode 100644
index 7036476902..0000000000
--- a/meta-arm/meta-arm/recipes-kernel/linux/files/generic-arm64-kmeta/generic-arm64-standard.scc
+++ /dev/null
@@ -1,6 +0,0 @@
-define KMACHINE generic-arm64
-define KTYPE standard
-define KARCH arm64
-
-include ktypes/standard/standard.scc
-include features/bluetooth/bluetooth.scc
diff --git a/meta-arm/meta-arm/recipes-kernel/linux/linux-yocto%.bbappend b/meta-arm/meta-arm/recipes-kernel/linux/linux-yocto%.bbappend
index c4e351bb39..a287d0e181 100644
--- a/meta-arm/meta-arm/recipes-kernel/linux/linux-yocto%.bbappend
+++ b/meta-arm/meta-arm/recipes-kernel/linux/linux-yocto%.bbappend
@@ -1,11 +1,5 @@
ARMFILESPATHS := "${THISDIR}/files:"
-COMPATIBLE_MACHINE:generic-arm64 = "generic-arm64"
-FILESEXTRAPATHS:prepend:generic-arm64 = "${ARMFILESPATHS}"
-SRC_URI:append:generic-arm64 = " \
- file://generic-arm64-kmeta;type=kmeta;destsuffix=generic-arm64-kmeta \
- "
-
FILESEXTRAPATHS:prepend:qemuarm64-secureboot = "${ARMFILESPATHS}"
SRC_URI:append:qemuarm64-secureboot = " \
file://tee.cfg \
diff --git a/meta-arm/meta-arm/recipes-security/optee-ftpm/optee-ftpm_git.bb b/meta-arm/meta-arm/recipes-security/optee-ftpm/optee-ftpm_git.bb
index 1bb76819b0..d5f6e01db3 100644
--- a/meta-arm/meta-arm/recipes-security/optee-ftpm/optee-ftpm_git.bb
+++ b/meta-arm/meta-arm/recipes-security/optee-ftpm/optee-ftpm_git.bb
@@ -5,7 +5,6 @@ HOMEPAGE = "https://github.com/microsoft/ms-tpm-20-ref/"
COMPATIBLE_MACHINE ?= "invalid"
COMPATIBLE_MACHINE:qemuarm64 = "qemuarm64"
COMPATIBLE_MACHINE:qemuarm64-secureboot = "qemuarm64"
-COMPATIBLE_MACHINE:qemu-generic-arm64 = "qemu-generic-arm64"
COMPATIBLE_MACHINE:qemuarm-secureboot = "qemuarm"
#FIXME - doesn't currently work with clang
diff --git a/meta-arm/meta-arm/recipes-security/optee-ftpm/optee-os_%.bbappend b/meta-arm/meta-arm/recipes-security/optee-ftpm/optee-os_%.bbappend
index 4829bc107f..31be0e8f97 100644
--- a/meta-arm/meta-arm/recipes-security/optee-ftpm/optee-os_%.bbappend
+++ b/meta-arm/meta-arm/recipes-security/optee-ftpm/optee-os_%.bbappend
@@ -1,15 +1,11 @@
FTPM_UUID="bc50d971-d4c9-42c4-82cb-343fb7f37896"
DEPENDS:append = "\
- ${@bb.utils.contains('MACHINE_FEATURES', \
- 'optee-ftpm', \
- 'optee-ftpm', \
- '' , \
- d)}"
+ ${@bb.utils.contains('MACHINE_FEATURES', 'optee-ftpm', 'optee-ftpm', '' , d)} \
+"
EXTRA_OEMAKE:append = "\
- ${@bb.utils.contains('MACHINE_FEATURES', \
- 'optee-ftpm', \
- 'CFG_EARLY_TA=y EARLY_TA_PATHS="${STAGING_DIR_TARGET}/${base_libdir}/optee_armtz/${FTPM_UUID}.stripped.elf"', \
- '', \
- d)} "
+ ${@bb.utils.contains('MACHINE_FEATURES', 'optee-ftpm', \
+ 'CFG_CORE_HEAP_SIZE=131072 CFG_EARLY_TA=y EARLY_TA_PATHS="${STAGING_DIR_TARGET}/${base_libdir}/optee_armtz/${FTPM_UUID}.stripped.elf"', \
+ '', d)} \
+"
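Review bot: The `CFG_CORE_HEAP_SIZE=131072` added to the EXTRA_OEMAKE append is a functional change buried in what otherwise reads as a line-wrapping cleanup, and nothing in the hunk says why the fTPM build needs a 128 KiB core heap. I would put a one-line comment above the `EXTRA_OEMAKE:append`, e.g. `# fTPM early TA needs a larger OP-TEE core heap (128 KiB): <observed failure without it>`, and call the change out in the commit message. The stray space in `'' , d)` on the DEPENDS line is pre-existing, but this reflow would have been the moment to drop it.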
diff --git a/meta-arm/meta-arm/recipes-security/optee/optee-os-ts.inc b/meta-arm/meta-arm/recipes-security/optee/optee-os-ts.inc
index ce5b8b86ca..d30e8ea7f3 100644
--- a/meta-arm/meta-arm/recipes-security/optee/optee-os-ts.inc
+++ b/meta-arm/meta-arm/recipes-security/optee/optee-os-ts.inc
@@ -6,64 +6,80 @@
# TS SPs UUIDs definitions
require recipes-security/trusted-services/ts-uuid.inc
-TS_ENV = "opteesp"
+TS_ENV ?= "opteesp"
TS_BIN = "${RECIPE_SYSROOT}/usr/${TS_ENV}/bin"
+TS_BIN_SPM_TEST= "${RECIPE_SYSROOT}/usr/opteesp/bin"
+
+SP_EXT = "${@oe.utils.conditional('TS_ENV','opteesp','.stripped.elf','.bin',d)}"
# ITS SP
DEPENDS:append = "${@bb.utils.contains('MACHINE_FEATURES', 'ts-its', \
' ts-sp-its', '' , d)}"
SP_PATHS:append = "${@bb.utils.contains('MACHINE_FEATURES', 'ts-its', \
- ' ${TS_BIN}/${ITS_UUID}.stripped.elf', '', d)}"
+ ' ${TS_BIN}/${ITS_UUID}${SP_EXT}', '', d)}"
# Storage SP
DEPENDS:append = "${@bb.utils.contains('MACHINE_FEATURES', 'ts-storage', \
' ts-sp-storage', '' , d)}"
SP_PATHS:append = "${@bb.utils.contains('MACHINE_FEATURES', 'ts-storage', \
- ' ${TS_BIN}/${STORAGE_UUID}.stripped.elf', '', d)}"
+ ' ${TS_BIN}/${STORAGE_UUID}${SP_EXT}', '', d)}"
# Crypto SP.
DEPENDS:append = "${@bb.utils.contains('MACHINE_FEATURES', 'ts-crypto', \
' ts-sp-crypto', '' , d)}"
SP_PATHS:append = "${@bb.utils.contains('MACHINE_FEATURES', 'ts-crypto', \
- ' ${TS_BIN}/${CRYPTO_UUID}.stripped.elf', '', d)}"
+ ' ${TS_BIN}/${CRYPTO_UUID}${SP_EXT}', '', d)}"
# Attestation SP
DEPENDS:append = "${@bb.utils.contains('MACHINE_FEATURES', 'ts-attestation', \
' ts-sp-attestation', '' , d)}"
SP_PATHS:append = "${@bb.utils.contains('MACHINE_FEATURES', 'ts-attestation', \
- ' ${TS_BIN}/${ATTESTATION_UUID}.stripped.elf', '', d)}"
+ ' ${TS_BIN}/${ATTESTATION_UUID}${SP_EXT}', '', d)}"
# Env-test SP
DEPENDS:append = "${@bb.utils.contains('MACHINE_FEATURES', 'ts-env-test', \
' ts-sp-env-test', '' , d)}"
SP_PATHS:append = "${@bb.utils.contains('MACHINE_FEATURES', 'ts-env-test', \
- ' ${TS_BIN}/${ENV_TEST_UUID}.stripped.elf', '', d)}"
+ ' ${TS_BIN}/${ENV_TEST_UUID}${SP_EXT}', '', d)}"
# SE-Proxy SP
DEPENDS:append = "${@bb.utils.contains('MACHINE_FEATURES', 'ts-se-proxy', \
' ts-sp-se-proxy', '' , d)}"
SP_PATHS:append = "${@bb.utils.contains('MACHINE_FEATURES', 'ts-se-proxy', \
- ' ${TS_BIN}/${SE_PROXY_UUID}.stripped.elf', '', d)}"
+ ' ${TS_BIN}/${SE_PROXY_UUID}${SP_EXT}', '', d)}"
# SMM Gateway
DEPENDS:append = "${@bb.utils.contains('MACHINE_FEATURES', 'ts-smm-gateway', \
' ts-sp-smm-gateway', '' , d)}"
SP_PATHS:append = "${@bb.utils.contains('MACHINE_FEATURES', 'ts-smm-gateway', \
- ' ${TS_BIN}/${SMM_GATEWAY_UUID}.stripped.elf', '', d)}"
+ ' ${TS_BIN}/${SMM_GATEWAY_UUID}${SP_EXT}', '', d)}"
# SPM test SPs
DEPENDS:append = "${@bb.utils.contains('MACHINE_FEATURES', 'optee-spmc-test', \
- ' ts-sp-spm-test1 ts-sp-spm-test2 ts-sp-spm-test3', '' , d)}"
+ ' ts-sp-spm-test1 ts-sp-spm-test2 \
+ ts-sp-spm-test3 ts-sp-spm-test4', '' , d)}"
SP_PATHS:append = "${@bb.utils.contains('MACHINE_FEATURES', 'optee-spmc-test', \
- ' ${TS_BIN}/${SPM_TEST1_UUID}.stripped.elf ${TS_BIN}/${SPM_TEST2_UUID}.stripped.elf ${TS_BIN}/${SPM_TEST3_UUID}.stripped.elf', '', d)}"
+ ' ${TS_BIN_SPM_TEST}/${SPM_TEST1_UUID}.stripped.elf \
+ ${TS_BIN_SPM_TEST}/${SPM_TEST2_UUID}.stripped.elf \
+ ${TS_BIN_SPM_TEST}/${SPM_TEST3_UUID}.stripped.elf \
+ ${TS_BIN_SPM_TEST}/${SPM_TEST4_UUID}.stripped.elf', \
+ '', d)}"
EXTRA_OEMAKE:append = "${@bb.utils.contains('MACHINE_FEATURES', 'optee-spmc-test', \
' CFG_SPMC_TESTS=y', '' , d)}"
+# Firmware Update SP
+DEPENDS:append = "${@bb.utils.contains('MACHINE_FEATURES', 'ts-fwu', \
+ ' ts-sp-fwu', '' , d)}"
+SP_PATHS:append = "${@bb.utils.contains('MACHINE_FEATURES', 'ts-fwu', \
+ ' ${TS_BIN}/${FWU_UUID}${SP_EXT}', '', d)}"
+
# Block Storage SP
DEPENDS:append = "${@bb.utils.contains('MACHINE_FEATURES', 'ts-block-storage', \
' ts-sp-block-storage', '' , d)}"
SP_PATHS:append = "${@bb.utils.contains('MACHINE_FEATURES', 'ts-block-storage', \
- ' ${TS_BIN}/${BLOCK_STORAGE_UUID}.stripped.elf', '', d)}"
+ ' ${TS_BIN}/${BLOCK_STORAGE_UUID}${SP_EXT}', '', d)}"
-EXTRA_OEMAKE:append = "${@oe.utils.conditional('SP_PATHS', '', '', ' CFG_MAP_EXT_DT_SECURE=y CFG_SECURE_PARTITION=y SP_PATHS="${SP_PATHS}" ', d)}"
+EXTRA_OEMAKE:append = "${@oe.utils.conditional('SP_PATHS', '', '', \
+ ' CFG_MAP_EXT_DT_SECURE=y CFG_SECURE_PARTITION=y \
+ SP_PATHS="${SP_PATHS}" ', d)}"
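Review bot: `TS_BIN_SPM_TEST= "${RECIPE_SYSROOT}/usr/opteesp/bin"` is missing the space before `=` that every other assignment in this file uses; it should read `TS_BIN_SPM_TEST = "${RECIPE_SYSROOT}/usr/opteesp/bin"`. The SPM test SPs also keep a hard-coded `.stripped.elf` under a fixed `/usr/opteesp/bin` while every other SP in the hunk switched to `${TS_BIN}/...${SP_EXT}`; if that is deliberate, a comment above `# SPM test SPs` such as `# SPM test SPs are only built for the opteesp environment, so they do not follow TS_ENV/SP_EXT` would stop the next reader from "fixing" it. `${FWU_UUID}` in the new Firmware Update SP block presumably comes from ts-uuid.inc, which is not in this diff; worth confirming it is defined there for the new SRCREV.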
diff --git a/meta-arm/meta-arm/recipes-security/optee/optee.inc b/meta-arm/meta-arm/recipes-security/optee/optee.inc
index 1569a9df3b..37676f1496 100644
--- a/meta-arm/meta-arm/recipes-security/optee/optee.inc
+++ b/meta-arm/meta-arm/recipes-security/optee/optee.inc
@@ -2,7 +2,6 @@ UPSTREAM_CHECK_GITTAGREGEX = "^(?P<pver>\d+(\.\d+)+)$"
COMPATIBLE_MACHINE ?= "invalid"
COMPATIBLE_MACHINE:qemuarm64 ?= "qemuarm64"
-COMPATIBLE_MACHINE:qemu-generic-arm64 ?= "qemu-generic-arm64"
COMPATIBLE_MACHINE:qemuarm ?= "qemuarm"
# Please add supported machines below or set it in .bbappend or .conf
diff --git a/meta-arm/meta-arm/recipes-security/trusted-services/files/0001-Allow-configuring-flash-image-files-compile-time.patch b/meta-arm/meta-arm/recipes-security/trusted-services/files/0001-Allow-configuring-flash-image-files-compile-time.patch
new file mode 100644
index 0000000000..bcffa4b86f
--- /dev/null
+++ b/meta-arm/meta-arm/recipes-security/trusted-services/files/0001-Allow-configuring-flash-image-files-compile-time.patch
@@ -0,0 +1,100 @@
+From 9fbeb9dd8c4f2c842248541b73e4cff9c6f8d26e Mon Sep 17 00:00:00 2001
+From: Gyorgy Szing <gyorgy.szing@arm.com>
+Date: Wed, 27 Mar 2024 21:53:51 +0000
+Subject: [PATCH 1/1] Allow configuring flash image files compile time
+
+Allow configuring image file PATH name for file and semihosted
+block_store using CMake build options.
+
+Upstream-Status: Pending
+
+Signed-off-by: Gyorgy Szing <gyorgy.szing@arm.com>
+---
+ .../block_storage/factory/file/block_store_factory.c | 6 +++++-
+ .../service/block_storage/factory/file/component.cmake | 6 +++++-
+ .../block_storage/factory/semihosting/block_store_factory.c | 6 +++++-
+ .../block_storage/factory/semihosting/component.cmake | 6 +++++-
+ 4 files changed, 20 insertions(+), 4 deletions(-)
+
+diff --git a/components/service/block_storage/factory/file/block_store_factory.c b/components/service/block_storage/factory/file/block_store_factory.c
+index c6915107b..ef05ee791 100644
+--- a/components/service/block_storage/factory/file/block_store_factory.c
++++ b/components/service/block_storage/factory/file/block_store_factory.c
+@@ -25,6 +25,10 @@
+ #define FILE_BLOCK_SIZE (512)
+ #endif
+
++#ifndef FILE_BLK_FILE_NAME
++#define FILE_BLK_FILE_NAME "secure-flash.img"
++#endif
++
+ static char disk_img_filename[256];
+
+ struct block_store_assembly {
+@@ -60,7 +64,7 @@ struct block_store *file_block_store_factory_create(void)
+
+ /* Ensure disk image filename is set */
+ if (disk_img_filename[0] == '\0')
+- file_block_store_factory_set_filename("secure-flash.img");
++ file_block_store_factory_set_filename(FILE_BLK_FILE_NAME);
+
+ /* Initialise a file_block_store to provide underlying storage */
+ struct block_store *secure_flash = file_block_store_init(
+diff --git a/components/service/block_storage/factory/file/component.cmake b/components/service/block_storage/factory/file/component.cmake
+index 644f03972..fa15d1399 100644
+--- a/components/service/block_storage/factory/file/component.cmake
++++ b/components/service/block_storage/factory/file/component.cmake
+@@ -17,4 +17,8 @@ if (NOT DEFINED TS_BLOCK_STORE_FACTORY)
+ set(TS_BLOCK_STORE_FACTORY "file_block_store_factory")
+ target_compile_definitions(${TGT} PRIVATE
+ CONCRETE_BLOCK_STORE_FACTORY=${TS_BLOCK_STORE_FACTORY})
+-endif()
+\ No newline at end of file
++endif()
++
++set(FILE_BLK_FILE_NAME "secure-flash.img" CACHE PATH "PATH to block storage flash image file.")
++set_property(SOURCE "${CMAKE_CURRENT_LIST_DIR}/block_store_factory.c" APPEND PROPERTY COMPILE_DEFINITIONS FILE_BLK_FILE_NAME="${FILE_BLK_FILE_NAME}")
++message(status "Block storage image file PATH is ${FILE_BLK_FILE_NAME}")
+diff --git a/components/service/block_storage/factory/semihosting/block_store_factory.c b/components/service/block_storage/factory/semihosting/block_store_factory.c
+index 8e58e3638..09bdb74eb 100644
+--- a/components/service/block_storage/factory/semihosting/block_store_factory.c
++++ b/components/service/block_storage/factory/semihosting/block_store_factory.c
+@@ -21,6 +21,10 @@
+ /* Most common block size for UEFI volumes */
+ #define SEMIHOSTING_BLOCK_SIZE (512)
+
++#ifndef SEMIHOSTING_BLK_FILE_NAME
++#define SEMIHOSTING_BLK_FILE_NAME "secure-flash.img"
++#endif
++
+ struct block_store_assembly
+ {
+ struct semihosting_block_store semihosting_block_store;
+@@ -55,7 +59,7 @@ struct block_store *semihosting_block_store_factory_create(void)
+ /* Initialise a semihosting_block_store to provide underlying storage */
+ struct block_store *secure_flash = semihosting_block_store_init(
+ &assembly->semihosting_block_store,
+- "secure-flash.img",
++ SEMIHOSTING_BLK_FILE_NAME,
+ SEMIHOSTING_BLOCK_SIZE);
+
+ if (secure_flash) {
+diff --git a/components/service/block_storage/factory/semihosting/component.cmake b/components/service/block_storage/factory/semihosting/component.cmake
+index 97affaf49..98d6dcdcb 100644
+--- a/components/service/block_storage/factory/semihosting/component.cmake
++++ b/components/service/block_storage/factory/semihosting/component.cmake
+@@ -17,4 +17,8 @@ if (NOT DEFINED TS_BLOCK_STORE_FACTORY)
+ set(TS_BLOCK_STORE_FACTORY "semihosting_block_store_factory")
+ target_compile_definitions(${TGT} PRIVATE
+ CONCRETE_BLOCK_STORE_FACTORY=${TS_BLOCK_STORE_FACTORY})
+-endif()
+\ No newline at end of file
++endif()
++
++set(SEMIHOSTING_BLK_FILE_NAME "secure-flash.img" CACHE PATH "PATH to block storage flash image file.")
++set_property(SOURCE "${CMAKE_CURRENT_LIST_DIR}/block_store_factory.c" APPEND PROPERTY COMPILE_DEFINITIONS SEMIHOSTING_BLK_FILE_NAME="${SEMIHOSTING_BLK_FILE_NAME}")
++message(status "Block storage semihosting image file PATH is ${SEMIHOSTING_BLK_FILE_NAME}")
+\ No newline at end of file
+--
+2.34.1
+
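Review bot: `message(status "...")` in both new component.cmake hunks (file and semihosting) uses a lowercase mode keyword, which CMake does not recognise as a mode, so the word becomes part of the text and the line prints as a plain notice like `statusBlock storage image file PATH is ...`. It should be `message(STATUS "Block storage image file PATH is ${FILE_BLK_FILE_NAME}")` and likewise `message(STATUS ...)` for the semihosting variant. Also, the cache entry holds a file name, so `CACHE FILEPATH` is the more accurate type than `CACHE PATH`, and the semihosting component.cmake still ends without a trailing newline (`\ No newline at end of file`) while the file variant was fixed. The patch is marked Upstream-Status: Pending, so these are worth fixing before it is submitted.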
diff --git a/meta-arm/meta-arm/recipes-security/trusted-services/files/0001-LazyFetch-allow-setting-the-cmake-generator.patch b/meta-arm/meta-arm/recipes-security/trusted-services/files/0001-LazyFetch-allow-setting-the-cmake-generator.patch
deleted file mode 100644
index 6664fd0519..0000000000
--- a/meta-arm/meta-arm/recipes-security/trusted-services/files/0001-LazyFetch-allow-setting-the-cmake-generator.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-From e62709f8e6f586ace7975b58b8a1c726d120759f Mon Sep 17 00:00:00 2001
-From: Gyorgy Szing <Gyorgy.Szing@arm.com>
-Date: Thu, 31 Aug 2023 18:24:50 +0200
-Subject: [PATCH] LazyFetch: allow setting the cmake generator
-
-Allow configuring the CMake generator used for external components. By
-default use the generator the main project is using.
-For details see the documentation in tools/cmake/common/LazyFetch.cmake.
-
-Change-Id: Ie01ea1ae533cf7a40c1f09808de2ad2e83a09db3
-Signed-off-by: Gyorgy Szing <Gyorgy.Szing@arm.com>
-
-Upstream-Status: Backport
-Signed-off-by: Ross Burton <ross.burton@arm.com>
----
- tools/cmake/common/LazyFetch.cmake | 9 +++++++++
- 1 file changed, 9 insertions(+)
-
-diff --git a/tools/cmake/common/LazyFetch.cmake b/tools/cmake/common/LazyFetch.cmake
-index 68e790e..7676201 100644
---- a/tools/cmake/common/LazyFetch.cmake
-+++ b/tools/cmake/common/LazyFetch.cmake
-@@ -87,11 +87,20 @@ function(LazyFetch_ConfigAndBuild)
- "component specific. Pleas refer to the upstream documentation for more information.")
- endif()
-
-+ if(NOT DEFINED ${UC_DEP_NAME}_GENERATOR)
-+ if(DEFINED ENV{${UC_DEP_NAME}_GENERATOR})
-+ set(${UC_DEP_NAME}_GENERATOR ENV{${UC_DEP_NAME}_GENERATOR} CACHE STRING "CMake generator used for ${UC_DEP_NAME}.")
-+ else()
-+ set(${UC_DEP_NAME}_GENERATOR ${CMAKE_GENERATOR} CACHE STRING "CMake generator used for ${UC_DEP_NAME}.")
-+ endif()
-+ endif()
-+
- execute_process(COMMAND
- ${CMAKE_COMMAND} -E env "CROSS_COMPILE=${CROSS_COMPILE}"
- ${CMAKE_COMMAND}
- "-C${CONFIGURED_CACHE_FILE}"
- -DCMAKE_BUILD_TYPE=${${UC_DEP_NAME}_BUILD_TYPE}
-+ -G${${UC_DEP_NAME}_GENERATOR}
- -S ${BUILD_SRC_DIR}
- -B ${BUILD_BIN_DIR}
- RESULT_VARIABLE
---
-2.34.1
-
diff --git a/meta-arm/meta-arm/recipes-security/trusted-services/files/0001-Limit-nanopb-build-to-single-process.patch b/meta-arm/meta-arm/recipes-security/trusted-services/files/0001-Limit-nanopb-build-to-single-process.patch
deleted file mode 100644
index 28e041bce6..0000000000
--- a/meta-arm/meta-arm/recipes-security/trusted-services/files/0001-Limit-nanopb-build-to-single-process.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-From aca9f9ae26235e9da2bc9adef49f9f5578f3e1e7 Mon Sep 17 00:00:00 2001
-From: Gyorgy Szing <Gyorgy.Szing@arm.com>
-Date: Tue, 25 Apr 2023 15:03:46 +0000
-Subject: [PATCH 1/1] Limit nanopb build to single process
-
-Sometimes in yocto the nanopb build step fails. The reason seems
-to be a race condition. This fix disables parallel build as
-a workaround.
-
-Upstream-Status: Inappropriate [yocto specific]
-
-Signed-off-by: Gyorgy Szing <Gyorgy.Szing@arm.com>
----
- external/nanopb/nanopb.cmake | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/external/nanopb/nanopb.cmake b/external/nanopb/nanopb.cmake
-index 36465f61..94f8048c 100644
---- a/external/nanopb/nanopb.cmake
-+++ b/external/nanopb/nanopb.cmake
-@@ -65,6 +65,8 @@ if(TARGET stdlib::c)
- unset_saved_properties(LIBC)
- endif()
-
-+set(_PROCESSOR_COUNT ${PROCESSOR_COUNT})
-+set(PROCESSOR_COUNT 1)
- include(${TS_ROOT}/tools/cmake/common/LazyFetch.cmake REQUIRED)
- LazyFetch_MakeAvailable(DEP_NAME nanopb
- FETCH_OPTIONS ${GIT_OPTIONS}
-@@ -73,6 +75,8 @@ LazyFetch_MakeAvailable(DEP_NAME nanopb
- CACHE_FILE "${TS_ROOT}/external/nanopb/nanopb-init-cache.cmake.in"
- SOURCE_DIR "${NANOPB_SOURCE_DIR}"
- )
-+set(PROCESSOR_COUNT ${_PROCESSOR_COUNT})
-+
- unset(_cmake_fragment)
-
- if(TARGET stdlib::c)
---
-2.34.1
-
diff --git a/meta-arm/meta-arm/recipes-security/trusted-services/files/nanopb-upgrade.patch b/meta-arm/meta-arm/recipes-security/trusted-services/files/nanopb-upgrade.patch
deleted file mode 100644
index 9ae4c6f2b8..0000000000
--- a/meta-arm/meta-arm/recipes-security/trusted-services/files/nanopb-upgrade.patch
+++ /dev/null
@@ -1,123 +0,0 @@
-From 35d16cdfd51aeca5df70732accc89e250af86b69 Mon Sep 17 00:00:00 2001
-From: Ross Burton <ross.burton@arm.com>
-Date: Fri, 29 Sep 2023 16:21:26 +0100
-Subject: [PATCH] Upgrade nanopb
-
-Upgrade the nanopb checkout to 0.4.7 plus some important build fixes, and
-change the build/install process to be more reliable.
-
-This should be upstreamed, but some pieces of this are not upstreamable in their
-current state.
-
-Upstream-Status: Pending
-Signed-off-by: Ross Burton <ross.burton@arm.com>
----
- external/nanopb/fix-pyhon-name.patch | 41 ----------------------
- external/nanopb/nanopb-init-cache.cmake.in | 6 +++-
- external/nanopb/nanopb.cmake | 7 ++--
- 3 files changed, 8 insertions(+), 46 deletions(-)
- delete mode 100644 external/nanopb/fix-pyhon-name.patch
-
-diff --git a/external/nanopb/fix-pyhon-name.patch b/external/nanopb/fix-pyhon-name.patch
-deleted file mode 100644
-index ab0e84c550f4..000000000000
---- a/external/nanopb/fix-pyhon-name.patch
-+++ /dev/null
-@@ -1,41 +0,0 @@
--This patch fixes two issues:
--
--1. On windows the python3 executable is not allways called "python3". As a result
-- "protoc" execution can fail due to the shebang in the file. This patch fixes
-- this by running protoc with the intepreter.
--
--2. In addition when not running from a virtualenv, the install path for python file
-- is set to the "user site-packages" to avoid needing elevated access rights.
--
--diff --git a/CMakeLists.txt b/CMakeLists.txt
--index 31c86e7..e827015 100644
----- a/CMakeLists.txt
--+++ b/CMakeLists.txt
--@@ -54,13 +54,25 @@ if(nanopb_BUILD_GENERATOR)
-- string(REGEX REPLACE "([^;]+)" "\\1_pb2.py" generator_proto_py_file "${generator_proto}")
-- add_custom_command(
-- OUTPUT ${generator_proto_py_file}
--- COMMAND ${nanopb_PROTOC_PATH} --python_out=${PROJECT_BINARY_DIR} -I${PROJECT_SOURCE_DIR}/generator/proto ${generator_proto_file}
--+ COMMAND ${Python_EXECUTABLE} ${nanopb_PROTOC_PATH} --python_out=${PROJECT_BINARY_DIR} -I${PROJECT_SOURCE_DIR}/generator/proto ${generator_proto_file}
-- DEPENDS ${generator_proto_file}
-- )
-- add_custom_target("generate_${generator_proto_py_file}" ALL DEPENDS ${generator_proto_py_file})
--+
--+ if (DEFINED ENV{VIRTUAL_ENV})
--+ set(PYTHON_INSTALL_DIR ${Python_SITELIB} CACHE PATH "Install location for generated python modules.")
--+ else()
--+ execute_process(
--+ COMMAND ${Python_EXECUTABLE} -m site --user-site
--+ OUTPUT_VARIABLE PYTHON_USER_SITE
--+ OUTPUT_STRIP_TRAILING_WHITESPACE
--+ )
--+ set(PYTHON_INSTALL_DIR ${PYTHON_USER_SITE} CACHE PATH "Install location for generated python modules.")
--+ endif()
--+
-- install(
-- FILES ${PROJECT_BINARY_DIR}/${generator_proto_py_file}
--- DESTINATION ${Python_SITELIB}
--+ DESTINATION ${PYTHON_INSTALL_DIR}
-- )
-- endforeach()
-- endif()
-diff --git a/external/nanopb/nanopb-init-cache.cmake.in b/external/nanopb/nanopb-init-cache.cmake.in
-index fb8104d64b26..8df41ddcb5eb 100644
---- a/external/nanopb/nanopb-init-cache.cmake.in
-+++ b/external/nanopb/nanopb-init-cache.cmake.in
-@@ -12,11 +12,15 @@ set(BUILD_STATIC_LIBS On CACHE BOOL "")
- set(nanopb_BUILD_RUNTIME On CACHE BOOL "")
- set(nanopb_BUILD_GENERATOR On CACHE BOOL "")
- set(nanopb_MSVC_STATIC_RUNTIME Off BOOL "")
--set(nanopb_PROTOC_PATH ${CMAKE_SOURCE_DIR}/generator/protoc CACHE STRING "")
-+
-+set(Python_EXECUTABLE "@Python_EXECUTABLE@" CACHE PATH "Location of python3 executable")
-
- string(TOUPPER @CMAKE_CROSSCOMPILING@ CMAKE_CROSSCOMPILING) # CMake expects TRUE
- if (CMAKE_CROSSCOMPILING)
- set(CMAKE_TRY_COMPILE_TARGET_TYPE STATIC_LIBRARY CACHE STRING "")
- endif()
-
-+set(nanopb_PYTHON_INSTDIR_OVERRIDE "@BUILD_INSTALL_DIR@/lib/python" CACHE PATH "")
-+set(NANOPB_GENERATOR_DIR "@BUILD_INSTALL_DIR@/lib/python" CACHE PATH "")
-+
- @_cmake_fragment@
-diff --git a/external/nanopb/nanopb.cmake b/external/nanopb/nanopb.cmake
-index 36465f612d5d..57cf3d697fdd 100644
---- a/external/nanopb/nanopb.cmake
-+++ b/external/nanopb/nanopb.cmake
-@@ -28,7 +28,7 @@ running this module.
-
- set(NANOPB_URL "https://github.com/nanopb/nanopb.git"
- CACHE STRING "nanopb repository URL")
--set(NANOPB_REFSPEC "nanopb-0.4.2"
-+set(NANOPB_REFSPEC "nanopb-0.4.7"
- CACHE STRING "nanopb git refspec")
- set(NANOPB_SOURCE_DIR "${CMAKE_CURRENT_BINARY_DIR}/_deps/nanopb-src"
- CACHE PATH "nanopb source-code")
-@@ -85,7 +85,7 @@ find_package(Python3 REQUIRED COMPONENTS Interpreter)
-
- find_file(NANOPB_GENERATOR_PATH
- NAMES nanopb_generator.py
-- PATHS ${nanopb_SOURCE_DIR}/generator
-+ PATHS ${NANOPB_INSTALL_DIR}/bin
- DOC "nanopb protobuf compiler"
- NO_DEFAULT_PATH
- )
-@@ -186,11 +186,10 @@ function(protobuf_generate)
- target_include_directories(${PARAMS_TGT} PRIVATE ${_OUT_DIR_BASE})
- endif()
-
-- get_filename_component(NANOPB_GENERATOR_DIR "${NANOPB_GENERATOR_PATH}" DIRECTORY CACHE "Location of nanopb generator.")
- #Append a protobuf generator command to the nanopb_generate target.
- add_custom_command(OUTPUT "${_OUT_C}" "${_OUT_H}"
- COMMAND
-- ${CMAKE_COMMAND} -E env PYTHONPATH=${NANOPB_GENERATOR_DIR}
-+ ${CMAKE_COMMAND} -E env PYTHONPATH=${NANOPB_INSTALL_DIR}/lib/python
- ${Python3_EXECUTABLE} ${NANOPB_GENERATOR_PATH}
- -I ${PARAMS_BASE_DIR}
- -D ${_OUT_DIR_BASE}
diff --git a/meta-arm/meta-arm/recipes-security/trusted-services/libts_git.bb b/meta-arm/meta-arm/recipes-security/trusted-services/libts_git.bb
index aafe85160c..789bde7cb2 100644
--- a/meta-arm/meta-arm/recipes-security/trusted-services/libts_git.bb
+++ b/meta-arm/meta-arm/recipes-security/trusted-services/libts_git.bb
@@ -10,8 +10,8 @@ SRC_URI += "file://tee-udev.rules \
OECMAKE_SOURCEPATH="${S}/deployments/libts/${TS_ENV}"
-DEPENDS += "arm-ffa-tee arm-ffa-user"
-RRECOMMENDS:${PN} += "arm-ffa-tee"
+DEPENDS += "arm-tstee arm-ffa-user"
+RRECOMMENDS:${PN} += "arm-tstee"
# Unix group name for dev/tee* ownership.
TEE_GROUP_NAME ?= "teeclnt"
diff --git a/meta-arm/meta-arm/recipes-security/trusted-services/trusted-services-src.inc b/meta-arm/meta-arm/recipes-security/trusted-services/trusted-services-src.inc
index 20a462199e..e05aadd77c 100644
--- a/meta-arm/meta-arm/recipes-security/trusted-services/trusted-services-src.inc
+++ b/meta-arm/meta-arm/recipes-security/trusted-services/trusted-services-src.inc
@@ -2,19 +2,17 @@
LICENSE = "Apache-2.0 & BSD-3-Clause & BSD-2-Clause & Zlib"
-SRC_URI = "git://git.trustedfirmware.org/TS/trusted-services.git;protocol=https;branch=integration;name=trusted-services;destsuffix=git/trusted-services \
+SRC_URI = "git://git.trustedfirmware.org/TS/trusted-services.git;protocol=https;branch=main;name=trusted-services;destsuffix=git/trusted-services \
"
FILESEXTRAPATHS:prepend := "${THISDIR}/files:"
SRC_URI:append = "\
- file://0001-Limit-nanopb-build-to-single-process.patch \
- file://0001-LazyFetch-allow-setting-the-cmake-generator.patch \
- file://nanopb-upgrade.patch \
+ file://0001-Allow-configuring-flash-image-files-compile-time.patch \
"
-#Latest on 2023 April 28
-SRCREV_trusted-services = "08b3d39471f4914186bd23793dc920e83b0e3197"
+# Trusted Services; aka. 2024 April 19
+SRCREV_trusted-services = "602be607198ea784bc5ab1c0c9d3ac4e2c67f1d9"
LIC_FILES_CHKSUM = "file://${S}/license.rst;md5=ea160bac7f690a069c608516b17997f4"
S = "${WORKDIR}/git/trusted-services"
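Review bot: The new comment `# Trusted Services; aka. 2024 April 19` does not say what the hash is — a tag, or the head of `main` on that date — while the old `#Latest on 2023 April 28` at least implied the latter. If it is the branch head, `# Trusted Services: head of main on 2024 April 19` says so; if it corresponds to a tag, name the tag the way the MbedTLS and newlib comments in this recipe do. The hunk also moves the fetch from the `integration` branch to `main`; that deserves a sentence in the commit message, since the fetcher will reject the SRCREV if it is not reachable from the named branch.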
@@ -25,10 +23,10 @@ SRC_URI += "git://github.com/dgibson/dtc;name=dtc;protocol=https;branch=main;des
SRCREV_dtc = "b6910bec11614980a21e46fbccc35934b671bd81"
LIC_FILES_CHKSUM += "file://../dtc/README.license;md5=a1eb22e37f09df5b5511b8a278992d0e"
-# MbedTLS, tag "mbedtls-3.3.0"
+# MbedTLS, tag "v3.5.1"
SRC_URI += "git://github.com/ARMmbed/mbedtls.git;name=mbedtls;protocol=https;branch=master;destsuffix=git/mbedtls"
-SRCREV_mbedtls = "8c89224991adff88d53cd380f42a2baa36f91454"
-LIC_FILES_CHKSUM += "file://../mbedtls/LICENSE;md5=3b83ef96387f14655fc854ddc3c6bd57"
+SRCREV_mbedtls = "15254759342494c7e969766d5424d78d7deb9bfa"
+LIC_FILES_CHKSUM += "file://../mbedtls/LICENSE;md5=379d5819937a6c2f1ef1630d341e026d"
# Nanopb, tag "nanopb-0.4.7" plus some further fixes
SRC_URI += "git://github.com/nanopb/nanopb.git;name=nanopb;protocol=https;branch=master;destsuffix=git/nanopb"
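Review bot: The MbedTLS `LIC_FILES_CHKSUM` changes along with the SRCREV, which means the LICENSE file text itself changed between the old tag and v3.5.1, yet the recipe's `LICENSE` line (context at the top of the first hunk in this file) is untouched. If I recall correctly, Mbed TLS 3.5 moved to dual `Apache-2.0 OR GPL-2.0-or-later` licensing, so the LICENSE field and the checksum should be reviewed together rather than the checksum simply re-recorded. A comment such as `# LICENSE checksum updated: v3.5.1 ships a dual Apache-2.0 / GPL-2.0-or-later LICENSE file` would record that this was checked. The SRC_URI still points at `github.com/ARMmbed/mbedtls`, which I believe now redirects to the Mbed-TLS organisation; harmless today, but worth updating while touching this block.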
@@ -50,17 +48,7 @@ SRC_URI += "git://github.com/cpputest/cpputest.git;name=cpputest;protocol=https;
SRCREV_cpputest = "e25097614e1c4856036366877a02346c4b36bb5b"
LIC_FILES_CHKSUM += "file://../cpputest/COPYING;md5=ce5d5f1fe02bcd1343ced64a06fd4177"
-# Libmetal
-SRC_URI += "git://github.com/OpenAMP/libmetal.git;name=libmetal;protocol=https;branch=main;destsuffix=git/libmetal"
-SRCREV_libmetal = "f252f0e007fbfb8b3a52b1d5901250ddac96baad"
-LIC_FILES_CHKSUM += "file://../libmetal/LICENSE.md;md5=fe0b8a4beea8f0813b606d15a3df3d3c"
-
-# Openamp
-SRC_URI += "git://github.com/OpenAMP/open-amp.git;name=openamp;protocol=https;branch=main;destsuffix=git/openamp"
-SRCREV_openamp = "347397decaa43372fc4d00f965640ebde042966d"
-LIC_FILES_CHKSUM += "file://../openamp/LICENSE.md;md5=a8d8cf662ef6bf9936a1e1413585ecbf"
-
-SRCREV_FORMAT = "trusted-services_dtc_mbedtls_nanopb_qcbor_tcose_cpputest_libmetal_openamp"
+SRCREV_FORMAT = "trusted-services_dtc_mbedtls_nanopb_qcbor_tcose_cpputest"
inherit apply_local_src_patches
LOCAL_SRC_PATCHES_INPUT_DIR = "N/A"
@@ -74,6 +62,11 @@ do_apply_local_src_patches() {
apply_local_src_patches ${S}/external/nanopb ${WORKDIR}/git/nanopb
}
+do_config:append:() {
+ # Fine tune MbedTLS configuration for crypto only operation.
+ sh -c "cd ${WORKDIR}/git/mbedtls; python3 scripts/config.py crypto"
+}
+
# Paths to dependencies required by some TS SPs/tools
EXTRA_OECMAKE += "-DDTC_SOURCE_DIR=${WORKDIR}/git/dtc \
-DCPPUTEST_SOURCE_DIR=${WORKDIR}/git/cpputest \
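Review bot: `do_config:append:() {` does not look like a task that will ever run: the cmake class task is `do_configure`, not `do_config`, and the trailing `:` leaves an empty override suffix, so as far as I can tell this defines an orphan function and the MbedTLS crypto-only configuration is silently skipped. Since it edits the checked-out source before the TS build configures its external MbedTLS, `do_configure:prepend() {` is what I would expect here (confirm against when the external mbedtls build is driven). The body should also not carry on after a failed `cd`: `cd ${WORKDIR}/git/mbedtls && python3 scripts/config.py crypto` with no `sh -c` wrapper makes a wrong path fail the task at the `cd` instead of with a misleading error from `scripts/config.py`.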
@@ -81,6 +74,4 @@ EXTRA_OECMAKE += "-DDTC_SOURCE_DIR=${WORKDIR}/git/dtc \
-DT_COSE_SOURCE_DIR=${WORKDIR}/git/tcose \
-DQCBOR_SOURCE_DIR=${WORKDIR}/git/qcbor \
-DMBEDTLS_SOURCE_DIR=${WORKDIR}/git/mbedtls \
- -DOPENAMP_SOURCE_DIR=${WORKDIR}/git/openamp \
- -DLIBMETAL_SOURCE_DIR=${WORKDIR}/git/libmetal \
"
diff --git a/meta-arm/meta-arm/recipes-security/trusted-services/trusted-services.inc b/meta-arm/meta-arm/recipes-security/trusted-services/trusted-services.inc
index b46cd49897..272e9106cd 100644
--- a/meta-arm/meta-arm/recipes-security/trusted-services/trusted-services.inc
+++ b/meta-arm/meta-arm/recipes-security/trusted-services/trusted-services.inc
@@ -23,7 +23,7 @@ TS_PLATFORM ?= "ts/mock"
# FIP packaging is not supported yet
SP_PACKAGING_METHOD ?= "embedded"
-SYSROOT_DIRS += "/usr/opteesp /usr/arm-linux"
+SYSROOT_DIRS += "/usr/${TS_ENV} /usr/opteesp /usr/arm-linux"
# TS cmake files use find_file() to search through source code and build dirs.
# Yocto cmake class limits CMAKE_FIND_ROOT_PATH and find_file() fails.
@@ -32,7 +32,6 @@ OECMAKE_EXTRA_ROOT_PATH = "${WORKDIR}/git/ ${WORKDIR}/build/"
EXTRA_OECMAKE += '-DLIBGCC_LOCATE_CFLAGS="--sysroot=${STAGING_DIR_HOST}" \
-DCROSS_COMPILE="${TARGET_PREFIX}" \
- -DSP_PACKAGING_METHOD="${SP_PACKAGING_METHOD}" \
-DTS_PLATFORM="${TS_PLATFORM}" \
'
export CROSS_COMPILE="${TARGET_PREFIX}"
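Review bot: Dropping `-DSP_PACKAGING_METHOD="${SP_PACKAGING_METHOD}"` from EXTRA_OECMAKE leaves `SP_PACKAGING_METHOD ?= "embedded"` (visible as context in the previous hunk) defined but, as far as this file shows, no longer consumed. If the TS build at the new SRCREV no longer takes that option, the variable and its `# FIP packaging is not supported yet` comment should go too; if something else in the layer reads it, a comment above the variable saying where would help. Either way the commit message should state why the option was removed.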
@@ -40,15 +39,20 @@ export CROSS_COMPILE="${TARGET_PREFIX}"
# Default TS installation path
TS_INSTALL = "/usr/${TS_ENV}"
-# Use the Yocto cmake toolchain for arm-linux TS deployments and
-# the TS opteesp toolchain for opteesp TS deployments
-EXTRA_OECMAKE += "${@oe.utils.conditional('TS_ENV', 'opteesp', \
- '-DCMAKE_TOOLCHAIN_FILE=${S}/environments/${TS_ENV}/default_toolchain_file.cmake', \
- '-DTS_EXTERNAL_LIB_TOOLCHAIN_FILE=${WORKDIR}/toolchain.cmake', \
- d)} \
- "
+# Use the Yocto cmake toolchain for external components of the arm-linux TS deployments,
+# and the TS toolchain for opteesp and sp deployments
+def get_ts_toolchain_option(d):
+ ts_env=d.getVar('TS_ENV')
+ if ts_env == 'opteesp' or ts_env == 'sp':
+ return '-DCMAKE_TOOLCHAIN_FILE=${S}/environments/'+ts_env+'/default_toolchain_file.cmake'
+ if ts_env == 'arm-linux':
+ return '-DTS_EXTERNAL_LIB_TOOLCHAIN_FILE=${WORKDIR}/toolchain.cmake'
+ bb.error("Unkown value \"%s\" for TS_ENV." % (ts_env))
+ return ''
+
+EXTRA_OECMAKE += "${@get_ts_toolchain_option(d)}"
# Paths to pre-built dependencies required by some TS SPs/tools
EXTRA_OECMAKE += "-Dlibts_ROOT=${STAGING_DIR_HOST}${TS_INSTALL}/lib/cmake/libts/ \
- -DNEWLIB_INSTALL_DIR=${STAGING_DIR_HOST}${TS_INSTALL}/newlib \
+ -DNEWLIB_INSTALL_DIR=${STAGING_DIR_HOST}/usr/opteesp/newlib \
"
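Review bot: In `get_ts_toolchain_option`, an unexpected TS_ENV is reported with `bb.error` and the function then returns `''`, so parsing continues and EXTRA_OECMAKE silently gets no toolchain option; since there is no sensible fallback, `bb.fatal("Unknown value \"%s\" for TS_ENV." % ts_env)` (which also fixes the `Unkown` typo) is what the recipe should do. `ts_env=d.getVar('TS_ENV')` and the two `if`s would read more like the rest of the layer with spaces around `=` and `if ts_env in ('opteesp', 'sp'):`. The `-DNEWLIB_INSTALL_DIR` path is now hard-coded to `/usr/opteesp/newlib` regardless of TS_ENV; a short comment such as `# newlib is only built for the opteesp environment, so it is not relative to TS_INSTALL` would explain the asymmetry with `TS_INSTALL` two lines above.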
diff --git a/meta-arm/meta-arm/recipes-security/trusted-services/ts-demo_git.bb b/meta-arm/meta-arm/recipes-security/trusted-services/ts-demo_git.bb
index 668bde568f..a17c1720e2 100644
--- a/meta-arm/meta-arm/recipes-security/trusted-services/ts-demo_git.bb
+++ b/meta-arm/meta-arm/recipes-security/trusted-services/ts-demo_git.bb
@@ -18,6 +18,10 @@ TOOLCHAIN = "gcc"
FILES:${PN} = "${bindir}/ts-demo"
+# TODO: remove FORTIFY_SOURCE as MbedTLS fails to build in yocto if this
+# compilation flag is used.
+lcl_maybe_fortify = "${@oe.utils.conditional('OPTLEVEL','-O0','','${OPTLEVEL}',d)}"
+
do_install:append () {
install -d ${D}${bindir}
mv ${D}${TS_INSTALL}/bin/ts-demo ${D}${bindir}
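Review bot: Setting `lcl_maybe_fortify` to `${OPTLEVEL}` alone drops `-D_FORTIFY_SOURCE=2` from the hardening flags for the whole ts-demo package (assuming this shadows the default from security_flags.inc), not just for the MbedTLS objects that fail to build, so the shipped binary loses a userspace hardening mitigation; the same block is added in ts-psa-iat-api-test_git.bb later in this diff. The TODO should record what actually fails and point at a tracking item, e.g. `# TODO(<issue placeholder>): MbedTLS does not build with -D_FORTIFY_SOURCE=2 under Yocto (<error summary>); FORTIFY dropped recipe-wide until fixed upstream`. It is also worth checking whether the flag can be removed only for the external MbedTLS sub-build through the TS cmake options, keeping it for the rest of the binary.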
diff --git a/meta-arm/meta-arm/recipes-security/trusted-services/ts-newlib_4.1.0.bb b/meta-arm/meta-arm/recipes-security/trusted-services/ts-newlib_4.1.0.bb
index 24a724a4fd..669e87aed1 100644
--- a/meta-arm/meta-arm/recipes-security/trusted-services/ts-newlib_4.1.0.bb
+++ b/meta-arm/meta-arm/recipes-security/trusted-services/ts-newlib_4.1.0.bb
@@ -7,7 +7,7 @@ require trusted-services.inc
SRC_URI += "git://sourceware.org/git/newlib-cygwin.git;name=newlib;protocol=https;branch=master;destsuffix=git/newlib \
"
-# tag "newlib-0.4.1"
+# tag "newlib-4.1.0"
SRCREV_newlib = "415fdd4279b85eeec9d54775ce13c5c412451e08"
LIC_FILES_CHKSUM += "file://../newlib/COPYING.NEWLIB;md5=b8dda70da54e0efb49b1074f349d7749"
diff --git a/meta-arm/meta-arm/recipes-security/trusted-services/ts-psa-api-test-common_git.inc b/meta-arm/meta-arm/recipes-security/trusted-services/ts-psa-api-test-common_git.inc
index c8b4e99244..93051bf38a 100644
--- a/meta-arm/meta-arm/recipes-security/trusted-services/ts-psa-api-test-common_git.inc
+++ b/meta-arm/meta-arm/recipes-security/trusted-services/ts-psa-api-test-common_git.inc
@@ -13,7 +13,7 @@ SRC_URI += "git://github.com/ARM-software/psa-arch-tests.git;name=psatest;protoc
file://0001-Pass-Yocto-build-settings-to-psa-arch-tests-native.patch;patchdir=../psatest \
"
-SRCREV_psatest = "38cb53a4d9e292435ddf7899960b15af62decfbe"
+SRCREV_psatest = "74dc6646ff594e131a726a5305aba77bac30eceb"
LIC_FILES_CHKSUM += "file://../psatest/LICENSE.md;md5=2a944942e1496af1886903d274dedb13"
EXTRA_OECMAKE += "-DPSA_ARCH_TESTS_SOURCE_DIR=${WORKDIR}/git/psatest"
diff --git a/meta-arm/meta-arm/recipes-security/trusted-services/ts-psa-iat-api-test_git.bb b/meta-arm/meta-arm/recipes-security/trusted-services/ts-psa-iat-api-test_git.bb
index e5c662e4d0..c39554a69b 100644
--- a/meta-arm/meta-arm/recipes-security/trusted-services/ts-psa-iat-api-test_git.bb
+++ b/meta-arm/meta-arm/recipes-security/trusted-services/ts-psa-iat-api-test_git.bb
@@ -16,6 +16,9 @@ SRCREV_psaqcbor = "42272e466a8472948bf8fca076d113b81b99f0e0"
EXTRA_OECMAKE += "-DPSA_TARGET_QCBOR=${WORKDIR}/git/psaqcbor \
"
+# TODO: remove FORTIFY_SOURCE as MbedTLS fails to build in yocto if this
+# compilation flag is used.
+lcl_maybe_fortify = "${@oe.utils.conditional('OPTLEVEL','-O0','','${OPTLEVEL}',d)}"
# Mbedtls 3.1.0 does not compile with clang.
# This can be removed after TS updated required mbedtls version
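Review bot: The `lcl_maybe_fortify` definition on L13800 duplicates, byte for byte, the one added to ts-demo_git.bb in this commit, and its TODO comment runs straight into the unrelated MbedTLS/clang comment on L13801 with no blank line between them, so a reader cannot tell where one workaround ends and the next begins. Both comments are about the same MbedTLS version constraint; a single block such as `# Workarounds for the MbedTLS version currently required by TS:` followed by the two items, with a blank line before `TOOLCHAIN`, would be clearer. If the duplicated variable is kept here rather than moved to a shared include, the comment should at least name the other recipe so both are updated together.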
diff --git a/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-common.inc b/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-common.inc
index 3d756015a0..c8b1409c50 100644
--- a/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-common.inc
+++ b/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-common.inc
@@ -1,11 +1,12 @@
# Common part of all Trusted Services SPs recipes
-TS_ENV = "opteesp"
+TS_ENV ?= "opteesp"
require trusted-services.inc
require ts-uuid.inc
DEPENDS += "dtc-native ts-newlib"
+DEPENDS += "${@oe.utils.conditional('TS_ENV','sp','python3-pyelftools-native','', d)}"
FILES:${PN}-dev = "${TS_INSTALL}"
@@ -30,3 +31,13 @@ INSANE_SKIP:${PN}-dev += "ldflags"
# Trusted Services SPs do not compile with clang
TOOLCHAIN = "gcc"
+
+# FORTIFY_SOURCE is a glibc feature. Disable it for all SPs as these do not use glibc.
+TARGET_CFLAGS:remove = "-D_FORTIFY_SOURCE=2"
+OECMAKE_C_FLAGS:remove = "-D_FORTIFY_SOURCE=2"
+OECMAKE_CXX_FLAGS:remove = "-D_FORTIFY_SOURCE=2"
+
+# Override yoctos default linux specific toolchain file. trusted-services.inc
+# will add a proper tooclhain option.
+OECMAKE_ARGS:remove="-DCMAKE_TOOLCHAIN_FILE:FILEPATH=${WORKDIR}/toolchain.cmake"
+
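Review bot: The three `:remove` lines at L13821–L13823 strip only the literal token `-D_FORTIFY_SOURCE=2`, so they silently stop doing anything if the distro ever emits a different fortify level or spelling, whereas the other recipes touched by this commit (ts-demo, ts-psa-iat-api-test) disable fortification through the `lcl_maybe_fortify` knob; if that variable is the path by which the define reaches TARGET_CFLAGS, as those recipes assume, using it here as well (`lcl_maybe_fortify = "${@oe.utils.conditional('OPTLEVEL','-O0','','${OPTLEVEL}',d)}"`) would give all TS recipes one mechanism and one place to fix. The comment on L13825–L13826 has two typos; suggest `# Override Yocto's default Linux-specific toolchain file. trusted-services.inc` / `# will add the proper toolchain option.` The `OECMAKE_ARGS:remove` on L13827 also depends on cmake.bbclass passing exactly `-DCMAKE_TOOLCHAIN_FILE:FILEPATH=${WORKDIR}/toolchain.cmake`; a one-line comment naming that coupling would help whoever bumps poky next.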
diff --git a/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-fwu_git.bb b/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-fwu_git.bb
new file mode 100644
index 0000000000..02f58fb42e
--- /dev/null
+++ b/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-fwu_git.bb
@@ -0,0 +1,32 @@
+# SPDX-FileCopyrightText: <text>Copyright 2024 Arm Limited and/or its
+# affiliates <open-source-office@arm.com></text>
+#
+# SPDX-License-Identifier: MIT
+
+DESCRIPTION = "Trusted Services Firmware Update Service provider"
+
+require ts-sp-common.inc
+inherit deploy
+
+SP_UUID = "${FWU_UUID}"
+TS_SP_FWU_CONFIG ?= "default"
+
+OECMAKE_SOURCEPATH="${S}/deployments/fwu/config/${TS_SP_FWU_CONFIG}-${TS_ENV}"
+
+# The GPT parser component is needed from TF-A
+SRC_URI += "git://git.trustedfirmware.org/TF-A/trusted-firmware-a.git;name=tfa;protocol=https;branch=master;destsuffix=git/tf-a"
+SRCREV_tfa = "v2.7.0"
+LIC_FILES_CHKSUM = "file://../tf-a/docs/license.rst;md5=b2c740efedc159745b9b31f88ff03dde"
+do_apply_local_src_patches:append() {
+ apply_local_src_patches ${S}/external/tf_a ${WORKDIR}/git/tf-a
+}
+
+EXTRA_OECMAKE:append = "-DTFA_SOURCE_DIR=${WORKDIR}/git/tf-a"
+
+# Deploy the secure flash image.
+do_deploy() {
+ cp -v ${S}/components/media/disk/disk_images/multi_location_fw.img ${DEPLOYDIR}/secure-flash.img
+}
+addtask deploy after do_compile
+
+EXTRA_OECMAKE:append:qemuall = " -DSEMIHOSTING_BLK_FILE_NAME:STRING=${@oe.path.relative('${TMPDIR}', '${DEPLOY_DIR_IMAGE}')}/secure-flash.img"
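Review bot: `SRCREV_tfa = "v2.7.0"` on L13852 pins the TF-A checkout to a tag rather than a commit hash; a tag can be moved on the remote and must be resolved over the network, so the build input is not actually fixed. Pin the full 40-character commit and keep the tag as a comment, following the convention this diff already uses in ts-newlib_4.1.0.bb (`# tag "v2.7.0"` above `SRCREV_tfa = "<full sha>"`). Two smaller points: `LIC_FILES_CHKSUM =` on L13853 replaces rather than extends the list, unlike the `+=` used by the other recipes in this diff, so any checksum set by the included .inc files is presumably dropped and no longer verified; and `EXTRA_OECMAKE:append` on L13858 has no leading space, unlike the `:append:qemuall` on L13866, so unless the preceding value happens to end in whitespace the option is glued onto the previous one — `EXTRA_OECMAKE:append = " -DTFA_SOURCE_DIR=${WORKDIR}/git/tf-a"`.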
diff --git a/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-spm-test-common.inc b/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-spm-test-common.inc
index e357629b0f..5c0d686571 100644
--- a/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-spm-test-common.inc
+++ b/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-spm-test-common.inc
@@ -1,5 +1,8 @@
DESCRIPTION = "Trusted Services SPMC test SPs"
+# spm test SP only supports opteesp.
+TS_ENV = 'opteesp'
+
require ts-sp-common.inc
SP_UUID = "${SPM_TEST${SP_INDEX}_UUID}"
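Review bot: `TS_ENV = 'opteesp'` on L13874 uses single quotes while every other assignment in this diff, including the `TS_ENV ?= "opteesp"` default it overrides in ts-sp-common.inc, uses double quotes; for consistency write `TS_ENV = "opteesp"`. The comment above it could also say why the hard assignment is needed, e.g. `# The SPM test SPs only support the opteesp environment; force it so a TS_ENV set by the distro or another layer cannot change it.` Placing it before the `require` is correct since ts-sp-common.inc uses a weak default.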
diff --git a/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-spm-test4_git.bb b/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-spm-test4_git.bb
new file mode 100644
index 0000000000..2ee69c1f0c
--- /dev/null
+++ b/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-spm-test4_git.bb
@@ -0,0 +1,6 @@
+DESCRIPTION = "Trusted Services SPMC test SP4"
+
+SP_INDEX="4"
+
+require ts-sp-spm-test-common.inc
+
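Review bot: This new recipe lacks the SPDX copyright and `SPDX-License-Identifier` header that the other new file in this commit, ts-sp-fwu_git.bb, carries on L13835–L13838; new files in the same series should follow the same convention. `SP_INDEX="4"` on L13886 also drops the spaces around `=` that the surrounding recipes use (`SP_INDEX = "4"`), and the file ends with an extra blank line at L13889.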
diff --git a/meta-arm/meta-arm/recipes-security/trusted-services/ts-uuid.inc b/meta-arm/meta-arm/recipes-security/trusted-services/ts-uuid.inc
index 1eb05d8b5c..810ffa5e59 100644
--- a/meta-arm/meta-arm/recipes-security/trusted-services/ts-uuid.inc
+++ b/meta-arm/meta-arm/recipes-security/trusted-services/ts-uuid.inc
@@ -10,4 +10,6 @@ STORAGE_UUID = "751bf801-3dde-4768-a514-0f10aeed1790"
SPM_TEST1_UUID = "5c9edbc3-7b3a-4367-9f83-7c191ae86a37"
SPM_TEST2_UUID = "7817164c-c40c-4d1a-867a-9bb2278cf41a"
SPM_TEST3_UUID = "23eb0100-e32a-4497-9052-2f11e584afa6"
+SPM_TEST4_UUID = "423762ed-7772-406f-99d8-0c27da0abbf8"
+FWU_UUID = "6823a838-1b06-470e-9774-0cce8bfb53fd"
BLOCK_STORAGE_UUID = "63646e80-eb52-462f-ac4f-8cdf3987519c"