From 0a6e7e3b76fa0e6aea6a40c69ad7d4ea8be720d8 Mon Sep 17 00:00:00 2001 From: Louis Mayencourt Date: Thu, 24 Oct 2019 15:18:46 +0100 Subject: fconf: Move platform io policies into fconf Use the firmware configuration framework to store the io_policies information inside the configuration device tree instead of the static structure in the code base. The io_policies required by BL1 can't be inside the dtb, as this one is loaded by BL1, and only available at BL2. This change currently only applies to FVP platform. Change-Id: Ic9c1ac3931a4a136aa36f7f58f66d3764c1bfca1 Signed-off-by: Louis Mayencourt --- make_helpers/defaults.mk | 3 +++ 1 file changed, 3 insertions(+) (limited to 'make_helpers/defaults.mk') diff --git a/make_helpers/defaults.mk b/make_helpers/defaults.mk index fff336cd2..e8e990d45 100644 --- a/make_helpers/defaults.mk +++ b/make_helpers/defaults.mk @@ -201,6 +201,9 @@ USE_COHERENT_MEM := 1 # Build option to add debugfs support USE_DEBUGFS := 0 +# Build option to fconf based io +USE_FCONF_BASED_IO := 0 + # Build option to choose whether Trusted Firmware uses library at ROM USE_ROMLIB := 0 -- cgit v1.2.3 From 60e8f3cfd5910c59c9a573ce05bd61091336b09a Mon Sep 17 00:00:00 2001 From: Petre-Ionut Tudor Date: Thu, 7 Nov 2019 15:18:03 +0000 Subject: Read-only xlat tables for BL31 memory This patch introduces a build flag which allows the xlat tables to be mapped in a read-only region within BL31 memory. It makes it much harder for someone who has acquired the ability to write to arbitrary secure memory addresses to gain control of the translation tables. The memory attributes of the descriptors describing the tables themselves are changed to read-only secure data. This change happens at the end of BL31 runtime setup. Until this point, the tables have read-write permissions. This gives a window of opportunity for changes to be made to the tables with the MMU on (e.g. reclaiming init code). No changes can be made to the tables with the MMU turned on from this point onwards. This change is also enabled for sp_min and tspd. To make all this possible, the base table was moved to .rodata. The penalty we pay is that now .rodata must be aligned to the size of the base table (512B alignment). Still, this is better than putting the base table with the higher level tables in the xlat_table section, as that would cost us a full 4KB page. Changing the tables from read-write to read-only cannot be done with the MMU on, as the break-before-make sequence would invalidate the descriptor which resolves the level 3 page table where that very descriptor is located. This would make the translation required for writing the changes impossible, generating an MMU fault. The caches are also flushed. Signed-off-by: Petre-Ionut Tudor Change-Id: Ibe5de307e6dc94c67d6186139ac3973516430466 --- make_helpers/defaults.mk | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'make_helpers/defaults.mk') diff --git a/make_helpers/defaults.mk b/make_helpers/defaults.mk index e8e990d45..60958a1d1 100644 --- a/make_helpers/defaults.mk +++ b/make_helpers/defaults.mk @@ -207,6 +207,13 @@ USE_FCONF_BASED_IO := 0 # Build option to choose whether Trusted Firmware uses library at ROM USE_ROMLIB := 0 +# Build option to choose whether the xlat tables of BL images can be read-only. +# Note that this only serves as a higher level option to PLAT_RO_XLAT_TABLES, +# which is the per BL-image option that actually enables the read-only tables +# API. The reason for having this additional option is to have a common high +# level makefile where we can check for incompatible features/build options. +ALLOW_RO_XLAT_TABLES := 0 + # Chain of trust. COT := tbbr -- cgit v1.2.3 From 28f39f02ade1bd3ae86c8a472d01873ba0cdacb7 Mon Sep 17 00:00:00 2001 From: Max Shvetsov Date: Tue, 25 Feb 2020 13:56:19 +0000 Subject: SPMD: save/restore EL2 system registers. NOTE: Not all EL-2 system registers are saved/restored. This subset includes registers recognized by ARMv8.0 Change-Id: I9993c7d78d8f5f8e72d1c6c8d6fd871283aa3ce0 Signed-off-by: Jose Marinho Signed-off-by: Olivier Deprez Signed-off-by: Artsem Artsemenka Signed-off-by: Max Shvetsov --- make_helpers/defaults.mk | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'make_helpers/defaults.mk') diff --git a/make_helpers/defaults.mk b/make_helpers/defaults.mk index 60958a1d1..8e1f273a3 100644 --- a/make_helpers/defaults.mk +++ b/make_helpers/defaults.mk @@ -262,3 +262,8 @@ USE_SPINLOCK_CAS := 0 # Enable Link Time Optimization ENABLE_LTO := 0 + +# Build flag to include EL2 registers in cpu context save and restore during +# S-EL2 firmware entry/exit. This flag is to be used with SPD=spmd option. +# Default is 0. +CTX_INCLUDE_EL2_REGS := 0 -- cgit v1.2.3 From 033039f8e5ad0ff231261e316f27bf22bc5713a2 Mon Sep 17 00:00:00 2001 From: Max Shvetsov Date: Tue, 25 Feb 2020 13:55:00 +0000 Subject: SPMD: add command line parameter to run SPM at S-EL2 or S-EL1 Added SPMD_SPM_AT_SEL2 build command line parameter. Set to 1 to run SPM at S-EL2. Set to 0 to run SPM at S-EL1 (pre-v8.4 or S-EL2 is disabled). Removed runtime EL from SPM core manifest. Change-Id: Icb4f5ea4c800f266880db1d410d63fe27a1171c0 Signed-off-by: Artsem Artsemenka Signed-off-by: Max Shvetsov --- make_helpers/defaults.mk | 3 +++ 1 file changed, 3 insertions(+) (limited to 'make_helpers/defaults.mk') diff --git a/make_helpers/defaults.mk b/make_helpers/defaults.mk index 8e1f273a3..9273469e2 100644 --- a/make_helpers/defaults.mk +++ b/make_helpers/defaults.mk @@ -188,6 +188,9 @@ SPD := none # Enable the Management Mode (MM)-based Secure Partition Manager implementation SPM_MM := 0 +# Use SPM at S-EL2 as a default config for SPMD +SPMD_SPM_AT_SEL2 := 1 + # Flag to introduce an infinite loop in BL1 just before it exits into the next # image. This is meant to help debugging the post-BL2 phase. SPIN_ON_BL1_EXIT := 0 -- cgit v1.2.3 From 7cda17bb0f92db39d123a4f2a1732c9978556453 Mon Sep 17 00:00:00 2001 From: Sumit Garg Date: Fri, 15 Nov 2019 10:43:00 +0530 Subject: drivers: crypto: Add authenticated decryption framework Add framework for autheticated decryption of data. Currently this patch optionally imports mbedtls library as a backend if build option "DECRYPTION_SUPPORT = aes_gcm" is set to perform authenticated decryption using AES-GCM algorithm. Signed-off-by: Sumit Garg Change-Id: I2966f0e79033151012bf4ffc66f484cd949e7271 --- make_helpers/defaults.mk | 3 +++ 1 file changed, 3 insertions(+) (limited to 'make_helpers/defaults.mk') diff --git a/make_helpers/defaults.mk b/make_helpers/defaults.mk index 9273469e2..012760733 100644 --- a/make_helpers/defaults.mk +++ b/make_helpers/defaults.mk @@ -65,6 +65,9 @@ CTX_INCLUDE_PAUTH_REGS := 0 # Debug build DEBUG := 0 +# By default disable authenticated decryption support. +DECRYPTION_SUPPORT := none + # Build platform DEFAULT_PLAT := fvp -- cgit v1.2.3 From c6ba9b4547b58d16b5e0f4ec331ff4422b1f1d66 Mon Sep 17 00:00:00 2001 From: Sumit Garg Date: Thu, 14 Nov 2019 16:33:45 +0530 Subject: Makefile: Add support to optionally encrypt BL31 and BL32 Following build flags have been added to support optional firmware encryption: - FW_ENC_STATUS: Top level firmware's encryption numeric flag, values: 0: Encryption is done with Secret Symmetric Key (SSK) which is common for a class of devices. 1: Encryption is done with Binding Secret Symmetric Key (BSSK) which is unique per device. - ENC_KEY: A 32-byte (256-bit) symmetric key in hex string format. It could be SSK or BSSK depending on FW_ENC_STATUS flag. - ENC_NONCE: A 12-byte (96-bit) encryption nonce or Initialization Vector (IV) in hex string format. - ENCRYPT_BL31: Binary flag to enable encryption of BL31 firmware. - ENCRYPT_BL32: Binary flag to enable encryption of Secure BL32 payload. Similar flags can be added to encrypt other firmwares as well depending on use-cases. Signed-off-by: Sumit Garg Change-Id: I94374d6830ad5908df557f63823e58383d8ad670 --- make_helpers/defaults.mk | 15 +++++++++++++++ 1 file changed, 15 insertions(+) (limited to 'make_helpers/defaults.mk') diff --git a/make_helpers/defaults.mk b/make_helpers/defaults.mk index 012760733..03322db19 100644 --- a/make_helpers/defaults.mk +++ b/make_helpers/defaults.mk @@ -109,6 +109,18 @@ ENABLE_BTI := 0 # Use BRANCH_PROTECTION to enable PAUTH. ENABLE_PAUTH := 0 +# By default BL31 encryption disabled +ENCRYPT_BL31 := 0 + +# By default BL32 encryption disabled +ENCRYPT_BL32 := 0 + +# Default dummy firmware encryption key +ENC_KEY := 1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef + +# Default dummy nonce for firmware encryption +ENC_NONCE := 1234567890abcdef12345678 + # Build flag to treat usage of deprecated platform and framework APIs as error. ERROR_DEPRECATED := 0 @@ -124,6 +136,9 @@ FIP_NAME := fip.bin # Default FWU_FIP file name FWU_FIP_NAME := fwu_fip.bin +# By default firmware encryption with SSK +FW_ENC_STATUS := 0 + # For Chain of Trust GENERATE_COT := 0 -- cgit v1.2.3 From a6de824f7e3352ba6507bca37dbf671a16a3ec93 Mon Sep 17 00:00:00 2001 From: Louis Mayencourt Date: Fri, 28 Feb 2020 16:57:30 +0000 Subject: fconf: Clean Arm IO Merge the previously introduced arm_fconf_io_storage into arm_io_storage. This removes the duplicate io_policies and functions definition. This patch: - replace arm_io_storage.c with the content of arm_fconf_io_storage.c - rename the USE_FCONF_BASED_IO option into ARM_IO_IN_DTB. - use the ARM_IO_IN_DTB option to compile out io_policies moved in dtb. - propagate DEFINES when parsing dts. - use ARM_IO_IN_DTB to include or not uuid nodes in fw_config dtb. - set the ARM_IO_IN_DTB to 0 by default for fvp. This ensure that the behavior of fvp stays the same as it was before the introduction of fconf. Change-Id: Ia774a96d1d3a2bccad29f7ce2e2b4c21b26c080e Signed-off-by: Louis Mayencourt --- make_helpers/defaults.mk | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'make_helpers/defaults.mk') diff --git a/make_helpers/defaults.mk b/make_helpers/defaults.mk index 03322db19..4e968e2d3 100644 --- a/make_helpers/defaults.mk +++ b/make_helpers/defaults.mk @@ -223,7 +223,7 @@ USE_COHERENT_MEM := 1 USE_DEBUGFS := 0 # Build option to fconf based io -USE_FCONF_BASED_IO := 0 +ARM_IO_IN_DTB := 0 # Build option to choose whether Trusted Firmware uses library at ROM USE_ROMLIB := 0 -- cgit v1.2.3 From 7ff088d1f0d17e6afed236f979ffc5adf005d8b0 Mon Sep 17 00:00:00 2001 From: Manish V Badarkhe Date: Sun, 22 Mar 2020 05:06:38 +0000 Subject: Enable MTE support Enable MTE support by adding memory tag option in Makefile This option is available only when ARMv8.5-MemTag is implemented MTE options are added in latest clang and armclang compiler which support below options: for clang 1. -march=arm8.5-a+memtag 2. -fsanitize=memtag for armclang 1. -march=arm8.5-a+memtag 2. -mmemtag-stack Set the option SUPPORT_STACK_MEMTAG=yes to enable memory stack tagging. Signed-off-by: Manish V Badarkhe Change-Id: I4e0bbde4e9769ce03ead6f550158e22f32c1c413 --- make_helpers/defaults.mk | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'make_helpers/defaults.mk') diff --git a/make_helpers/defaults.mk b/make_helpers/defaults.mk index 4e968e2d3..590a800a6 100644 --- a/make_helpers/defaults.mk +++ b/make_helpers/defaults.mk @@ -288,3 +288,8 @@ ENABLE_LTO := 0 # S-EL2 firmware entry/exit. This flag is to be used with SPD=spmd option. # Default is 0. CTX_INCLUDE_EL2_REGS := 0 + +# Enable Memory tag extension which is supported for architecture greater +# than Armv8.5-A +# By default it is set to "no" +SUPPORT_STACK_MEMTAG := no -- cgit v1.2.3 From 45aecff003e7055b3990076ef774dd78ce86e6d1 Mon Sep 17 00:00:00 2001 From: Manish V Badarkhe Date: Tue, 28 Apr 2020 04:53:32 +0100 Subject: Implement workaround for AT speculative behaviour During context switching from higher EL (EL2 or higher) to lower EL can cause incorrect translation in TLB due to speculative execution of AT instruction using out-of-context translation regime. Workaround is implemented as below during EL's (EL1 or EL2) "context_restore" operation: 1. Disable page table walk using SCTLR.M and TCR.EPD0 & EPD1 bits for EL1 or EL2 (stage1 and stage2 disabled) 2. Save all system registers except TCR and SCTLR (for EL1 and EL2) 3. Do memory barrier operation (isb) to ensure all system register writes are done. 4. Restore TCR and SCTLR registers (for EL1 and EL2) Errata details are available for various CPUs as below: Cortex-A76: 1165522 Cortex-A72: 1319367 Cortex-A57: 1319537 Cortex-A55: 1530923 Cortex-A53: 1530924 More details can be found in mail-chain: https://lists.trustedfirmware.org/pipermail/tf-a/2020-April/000445.html Currently, Workaround is implemented as build option which is default disabled. Signed-off-by: Manish V Badarkhe Change-Id: If8545e61f782cb0c2dda7ffbaf50681c825bd2f0 --- make_helpers/defaults.mk | 3 +++ 1 file changed, 3 insertions(+) (limited to 'make_helpers/defaults.mk') diff --git a/make_helpers/defaults.mk b/make_helpers/defaults.mk index 590a800a6..608e96349 100644 --- a/make_helpers/defaults.mk +++ b/make_helpers/defaults.mk @@ -293,3 +293,6 @@ CTX_INCLUDE_EL2_REGS := 0 # than Armv8.5-A # By default it is set to "no" SUPPORT_STACK_MEMTAG := no + +# Select workaround for AT speculative behaviour. +ERRATA_SPECULATIVE_AT := 0 -- cgit v1.2.3 From cbf9e84a193883f11a99b2f61417710a69e36e0d Mon Sep 17 00:00:00 2001 From: Balint Dobszay Date: Wed, 18 Dec 2019 15:28:00 +0100 Subject: plat/arm/fvp: Support performing SDEI platform setup in runtime This patch introduces dynamic configuration for SDEI setup and is supported when the new build flag SDEI_IN_FCONF is enabled. Instead of using C arrays and processing the configuration at compile time, the config is moved to dts files. It will be retrieved at runtime during SDEI init, using the fconf layer. Change-Id: If5c35a7517ba00a9f258d7f3e7c8c20cee169a31 Signed-off-by: Balint Dobszay Co-authored-by: Madhukar Pappireddy --- make_helpers/defaults.mk | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) (limited to 'make_helpers/defaults.mk') diff --git a/make_helpers/defaults.mk b/make_helpers/defaults.mk index 608e96349..e5880d206 100644 --- a/make_helpers/defaults.mk +++ b/make_helpers/defaults.mk @@ -223,7 +223,10 @@ USE_COHERENT_MEM := 1 USE_DEBUGFS := 0 # Build option to fconf based io -ARM_IO_IN_DTB := 0 +ARM_IO_IN_DTB := 0 + +# Build option to support SDEI through fconf +SDEI_IN_FCONF :=0 # Build option to choose whether Trusted Firmware uses library at ROM USE_ROMLIB := 0 -- cgit v1.2.3 From 452d5e5ef11271df6ef8480eed900252fd330f10 Mon Sep 17 00:00:00 2001 From: Madhukar Pappireddy Date: Tue, 2 Jun 2020 09:26:30 -0500 Subject: plat/fvp: Add support for dynamic description of secure interrupts Using the fconf framework, the Group 0 and Group 1 secure interrupt descriptors are moved to device tree and retrieved in runtime. This feature is enabled by the build flag SEC_INT_DESC_IN_FCONF. Change-Id: I360c63a83286c7ecc2426cd1ff1b4746d61e633c Signed-off-by: Madhukar Pappireddy --- make_helpers/defaults.mk | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) (limited to 'make_helpers/defaults.mk') diff --git a/make_helpers/defaults.mk b/make_helpers/defaults.mk index e5880d206..585f06fcc 100644 --- a/make_helpers/defaults.mk +++ b/make_helpers/defaults.mk @@ -226,7 +226,10 @@ USE_DEBUGFS := 0 ARM_IO_IN_DTB := 0 # Build option to support SDEI through fconf -SDEI_IN_FCONF :=0 +SDEI_IN_FCONF := 0 + +# Build option to support Secure Interrupt descriptors through fconf +SEC_INT_DESC_IN_FCONF := 0 # Build option to choose whether Trusted Firmware uses library at ROM USE_ROMLIB := 0 -- cgit v1.2.3 From fbc44bd1bbbafe01848afd009d507b595b264b5f Mon Sep 17 00:00:00 2001 From: Varun Wadekar Date: Fri, 12 Jun 2020 10:11:28 -0700 Subject: Prevent RAS register access from lower ELs This patch adds a build config 'RAS_TRAP_LOWER_EL_ERR_ACCESS' to set SCR_EL3.TERR during CPU boot. This bit enables trapping RAS register accesses from EL1 or EL2 to EL3. RAS_TRAP_LOWER_EL_ERR_ACCESS is disabled by default. Signed-off-by: Varun Wadekar Change-Id: Ifb0fb0afedea7dd2a29a0b0491a1161ecd241438 --- make_helpers/defaults.mk | 3 +++ 1 file changed, 3 insertions(+) (limited to 'make_helpers/defaults.mk') diff --git a/make_helpers/defaults.mk b/make_helpers/defaults.mk index 585f06fcc..6db228f2d 100644 --- a/make_helpers/defaults.mk +++ b/make_helpers/defaults.mk @@ -302,3 +302,6 @@ SUPPORT_STACK_MEMTAG := no # Select workaround for AT speculative behaviour. ERRATA_SPECULATIVE_AT := 0 + +# Trap RAS error record access from lower EL +RAS_TRAP_LOWER_EL_ERR_ACCESS := 0 -- cgit v1.2.3 From 84ef9cd812faba6c52f7dc78544c0b5f45781759 Mon Sep 17 00:00:00 2001 From: Manish V Badarkhe Date: Mon, 29 Jun 2020 10:32:53 +0100 Subject: make, doc: Add build option to create chain of trust at runtime Added a build option 'COT_DESC_IN_DTB' to create chain of trust at runtime using fconf. Signed-off-by: Manish V Badarkhe Change-Id: I92b257ac4ece8bbf56f05a41d1e4056e2422ab89 --- make_helpers/defaults.mk | 3 +++ 1 file changed, 3 insertions(+) (limited to 'make_helpers/defaults.mk') diff --git a/make_helpers/defaults.mk b/make_helpers/defaults.mk index 6db228f2d..9a6fd58fb 100644 --- a/make_helpers/defaults.mk +++ b/make_helpers/defaults.mk @@ -305,3 +305,6 @@ ERRATA_SPECULATIVE_AT := 0 # Trap RAS error record access from lower EL RAS_TRAP_LOWER_EL_ERR_ACCESS := 0 + +# Build option to create cot descriptors using fconf +COT_DESC_IN_DTB := 0 -- cgit v1.2.3 From 582e4e7b2852ae31f1a7f55bd45c412508b952a6 Mon Sep 17 00:00:00 2001 From: Manish V Badarkhe Date: Wed, 29 Jul 2020 10:58:44 +0100 Subject: Makefile, doc: Make OPENSSL_DIR variable as build option for tools Openssl directory path is hardcoded to '/usr' in the makefile of certificate generation and firmware encryption tool using 'OPENSSL_DIR' variable. Hence changes are done to make 'OPENSSL_DIR' variable as a build option so that user can provide openssl directory path while building the certificate generation and firmware encryption tool. Also, updated the document for this newly created build option Change-Id: Ib1538370d2c59263417f5db3746d1087ee1c1339 Signed-off-by: Manish V Badarkhe --- make_helpers/defaults.mk | 3 +++ 1 file changed, 3 insertions(+) (limited to 'make_helpers/defaults.mk') diff --git a/make_helpers/defaults.mk b/make_helpers/defaults.mk index 9a6fd58fb..caf5990f2 100644 --- a/make_helpers/defaults.mk +++ b/make_helpers/defaults.mk @@ -308,3 +308,6 @@ RAS_TRAP_LOWER_EL_ERR_ACCESS := 0 # Build option to create cot descriptors using fconf COT_DESC_IN_DTB := 0 + +# Build option to provide openssl directory path +OPENSSL_DIR := /usr -- cgit v1.2.3 From fddfb3baf7c9e6e5e6d3462e71df6ba9d292f142 Mon Sep 17 00:00:00 2001 From: Madhukar Pappireddy Date: Wed, 12 Aug 2020 13:18:19 -0500 Subject: plat/arm: Use common build flag for using generic sp804 driver SP804 TIMER is not platform specific, and current code base adds multiple defines to use this driver. Like FVP_USE_SP804_TIMER and FVP_VE_USE_SP804_TIMER. This patch removes platform specific build flag and adds generic flag `USE_SP804_TIMER` to be set to 1 by platform if needed. Change-Id: I5ab792c189885fd1b98ddd187f3a38ebdd0baba2 Signed-off-by: Madhukar Pappireddy --- make_helpers/defaults.mk | 3 +++ 1 file changed, 3 insertions(+) (limited to 'make_helpers/defaults.mk') diff --git a/make_helpers/defaults.mk b/make_helpers/defaults.mk index caf5990f2..27f8f2a51 100644 --- a/make_helpers/defaults.mk +++ b/make_helpers/defaults.mk @@ -311,3 +311,6 @@ COT_DESC_IN_DTB := 0 # Build option to provide openssl directory path OPENSSL_DIR := /usr + +# Build option to use the SP804 timer instead of the generic one +USE_SP804_TIMER := 0 -- cgit v1.2.3 From ee15a17272abec0b969545dada4258a9e2a3721f Mon Sep 17 00:00:00 2001 From: Leonardo Sandoval Date: Thu, 18 Jun 2020 17:32:55 -0500 Subject: defaults.mk: default KEY_SIZE to 2048 in case of RSA algorithm According to the documentation [1], KEY_SIZE defaults to 2048 when RSA algorithm is chosen, so set this value on the make's defaults file. [1] https://trustedfirmware-a.readthedocs.io/en/latest/getting_started/build-options.html Change-Id: I030f98363198a752bc0dd03528f748de527d48d8 Signed-off-by: Leonardo Sandoval --- make_helpers/defaults.mk | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'make_helpers/defaults.mk') diff --git a/make_helpers/defaults.mk b/make_helpers/defaults.mk index 27f8f2a51..7220a5d76 100644 --- a/make_helpers/defaults.mk +++ b/make_helpers/defaults.mk @@ -157,6 +157,11 @@ HW_ASSISTED_COHERENCY := 0 # Set the default algorithm for the generation of Trusted Board Boot keys KEY_ALG := rsa +# Set the default key size in case KEY_ALG is rsa +ifeq ($(KEY_ALG),rsa) +KEY_SIZE := 2048 +endif + # Option to build TF with Measured Boot support MEASURED_BOOT := 0 -- cgit v1.2.3 From ae3cf1ff31024d0ea200d7ec9a7d0412042cbdc5 Mon Sep 17 00:00:00 2001 From: Alexei Fedorov Date: Tue, 6 Oct 2020 15:54:12 +0100 Subject: TF-A: Add HASH_ALG default value to defaults.mk This patch adds default value of 'sha256' for HASH_ALG build flag to 'make_helpers\defaults.mk', according to 'docs\getting_started\build-options.rst'. This fixes Measured Boot driver error when TF-A uses default HASH_ALG value and TPM_HASH_ALG is set to sha384 or sha512. Change-Id: Id0aa34b54807de0adaf88e5f7d7032577c22f365 Signed-off-by: Alexei Fedorov --- make_helpers/defaults.mk | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) (limited to 'make_helpers/defaults.mk') diff --git a/make_helpers/defaults.mk b/make_helpers/defaults.mk index 7220a5d76..bc4982d64 100644 --- a/make_helpers/defaults.mk +++ b/make_helpers/defaults.mk @@ -1,5 +1,5 @@ # -# Copyright (c) 2016-2020, ARM Limited and Contributors. All rights reserved. +# Copyright (c) 2016-2020, ARM Limited. All rights reserved. # # SPDX-License-Identifier: BSD-3-Clause # @@ -150,6 +150,10 @@ GICV2_G0_FOR_EL3 := 0 # by lower ELs. HANDLE_EA_EL3_FIRST := 0 +# Secure hash algorithm flag, accepts 3 values: sha256, sha384 and sha512. +# The default value is sha256. +HASH_ALG := sha256 + # Whether system coherency is managed in hardware, without explicit software # operations. HW_ASSISTED_COHERENCY := 0 -- cgit v1.2.3 From 062f8aaf8a415497191f991a744fc7901362ba3c Mon Sep 17 00:00:00 2001 From: Arunachalam Ganapathy Date: Thu, 28 May 2020 11:57:09 +0100 Subject: lib: el3_runtime: Conditionally save/restore EL2 NEVE registers Include EL2 registers related to Nested Virtualization in EL2 context save/restore routines if architecture supports it and platform wants to use these features in Secure world. Change-Id: If006ab83bbc2576488686f5ffdff88b91adced5c Signed-off-by: Arunachalam Ganapathy --- make_helpers/defaults.mk | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'make_helpers/defaults.mk') diff --git a/make_helpers/defaults.mk b/make_helpers/defaults.mk index bc4982d64..578bd5987 100644 --- a/make_helpers/defaults.mk +++ b/make_helpers/defaults.mk @@ -62,6 +62,11 @@ CTX_INCLUDE_FPREGS := 0 # world. It is not needed to use it in the Non-secure world. CTX_INCLUDE_PAUTH_REGS := 0 +# Include Nested virtualization control (Armv8.4-NV) registers in cpu context. +# This must be set to 1 if architecture implements Nested Virtualization +# Extension and platform wants to use this feature in the Secure world +CTX_INCLUDE_NEVE_REGS := 0 + # Debug build DEBUG := 0 -- cgit v1.2.3 From f18217902a4c84c2cb6695164ffa1db540a0146b Mon Sep 17 00:00:00 2001 From: Alexei Fedorov Date: Mon, 7 Dec 2020 16:38:53 +0000 Subject: TF-A: Add build option for Arm Feature Modifiers This patch adds a new ARM_ARCH_FEATURE build option to add support for compiler's feature modifiers. It has the form '[no]feature+...' and defaults to 'none'. This option translates into compiler option '-march=armvX[.Y]-a+[no]feature+...'. Change-Id: I37742f270a898f5d6968e146cbcc04cbf53ef2ad Signed-off-by: Alexei Fedorov --- make_helpers/defaults.mk | 3 +++ 1 file changed, 3 insertions(+) (limited to 'make_helpers/defaults.mk') diff --git a/make_helpers/defaults.mk b/make_helpers/defaults.mk index 578bd5987..9e5fe8557 100644 --- a/make_helpers/defaults.mk +++ b/make_helpers/defaults.mk @@ -19,6 +19,9 @@ AARCH32_SP := none # The Target build architecture. Supported values are: aarch64, aarch32. ARCH := aarch64 +# ARM Architecture feature modifiers: none by default +ARM_ARCH_FEATURE := none + # ARM Architecture major and minor versions: 8.0 by default. ARM_ARCH_MAJOR := 8 ARM_ARCH_MINOR := 0 -- cgit v1.2.3 From 0063dd1708e67e5d36168caaf2a0df383bbe1455 Mon Sep 17 00:00:00 2001 From: Javier Almansa Sobrino Date: Mon, 23 Nov 2020 18:38:15 +0000 Subject: Add support for FEAT_MTPMU for Armv8.6 If FEAT_PMUv3 is implemented and PMEVTYPER(_EL0).MT bit is implemented as well, it is possible to control whether PMU counters take into account events happening on other threads. If FEAT_MTPMU is implemented, EL3 (or EL2) can override the MT bit leaving it to effective state of 0 regardless of any write to it. This patch introduces the DISABLE_MTPMU flag, which allows to diable multithread event count from EL3 (or EL2). The flag is disabled by default so the behavior is consistent with those architectures that do not implement FEAT_MTPMU. Signed-off-by: Javier Almansa Sobrino Change-Id: Iee3a8470ae8ba13316af1bd40c8d4aa86e0cb85e --- make_helpers/defaults.mk | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'make_helpers/defaults.mk') diff --git a/make_helpers/defaults.mk b/make_helpers/defaults.mk index 578bd5987..f69a73ea6 100644 --- a/make_helpers/defaults.mk +++ b/make_helpers/defaults.mk @@ -79,6 +79,10 @@ DEFAULT_PLAT := fvp # Disable the generation of the binary image (ELF only). DISABLE_BIN_GENERATION := 0 +# Disable MTPMU if FEAT_MTPMU is supported. Default is 0 to keep backwards +# compatibility. +DISABLE_MTPMU := 0 + # Enable capability to disable authentication dynamically. Only meant for # development platforms. DYN_DISABLE_AUTH := 0 -- cgit v1.2.3 From 7dfb99118e89c41e4f2e9efb451dc7608326892c Mon Sep 17 00:00:00 2001 From: Jimmy Brisson Date: Mon, 22 Jun 2020 14:18:42 -0500 Subject: Add TRNG Firmware Interface service This adds the TRNG Firmware Interface Service to the standard service dispatcher. This includes a method for dispatching entropy requests to platforms and includes an entropy pool implementation to avoid dropping any entropy requested from the platform. Change-Id: I71cadb3cb377a507652eca9e0d68714c973026e9 Signed-off-by: Jimmy Brisson Signed-off-by: Andre Przywara --- make_helpers/defaults.mk | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) (limited to 'make_helpers/defaults.mk') diff --git a/make_helpers/defaults.mk b/make_helpers/defaults.mk index 5217a8514..e94f3c31a 100644 --- a/make_helpers/defaults.mk +++ b/make_helpers/defaults.mk @@ -1,5 +1,5 @@ # -# Copyright (c) 2016-2020, ARM Limited. All rights reserved. +# Copyright (c) 2016-2021, ARM Limited. All rights reserved. # # SPDX-License-Identifier: BSD-3-Clause # @@ -209,6 +209,9 @@ SAVE_KEYS := 0 # Software Delegated Exception support SDEI_SUPPORT := 0 +# True Random Number firmware Interface +TRNG_SUPPORT := 0 + # Whether code and read-only data should be put on separate memory pages. The # platform Makefile is free to override this value. SEPARATE_CODE_AND_RODATA := 0 -- cgit v1.2.3