2015-11-04 |
Merge pull request #423 from jcastillo-arm/jc/genfw/1211
...
Remove deprecated IO return definitions
Achin Gupta
committed
on 4 Nov 2015
|
2015-11-02 |
Remove deprecated IO return definitions
...
Patch 7e26fe1f deprecates IO specific return definitions in favour
of standard errno codes. This patch removes those definitions
and its usage from the IO framework, IO drivers and IO platform
layer. Following this patch, standard errno codes must be used
when checking the return value of an IO function.
Change-Id: Id6e0e9d0a7daf15a81ec598cf74de83d5768650f
Juan Castillo
committed
on 2 Nov 2015
|
Introduce print_entry_point_info() function
...
This patch introduces a new function called 'print_entry_point_info'
that prints an entry_point_t structure for debugging purposes.
As such, it can be used to display the entry point address, SPSR and
arguments passed from a firmware image to the next one.
This function is now called in the following images transitions:
- BL1 to BL2
- BL1 to BL31
- BL31 to the next image (typically BL32 or BL33)
The following changes have been introduced:
- Fix the output format of the SPSR value : SPSR is a 32-bit value,
not a 64-bit one.
- Print all arguments values.
The entry_point_info_t structure allows to pass up to 8 arguments.
In most cases, only the first 2 arguments were printed.
print_entry_point_info() now prints all of them as 'VERBOSE'
traces.
Change-Id: Ieb384bffaa7849e6cb95a01a47c0b7fc2308653a
Sandrine Bailleux
committed
on 2 Nov 2015
|
2015-10-23 |
Use standard errno definitions in load_auth_image()
...
This patch replaces custom definitions used as return values for
the load_auth_image() function with standard error codes defined
in errno.h. The custom definitions have been removed.
It also replaces the usage of IO framework error custom definitions,
which have been deprecated. Standard errno definitions are used
instead.
Change-Id: I1228477346d3876151c05b470d9669c37fd231be
Juan Castillo
authored
on 1 Oct 2015
Juan Castillo
committed
on 23 Oct 2015
|
2015-09-02 |
Ensure BL2 security state is secure
...
BL2 loads secure runtime code(BL3-1, BL3-2) and hence it has to
run in secure world otherwise BL3-1/BL3-2 have to execute from
non-secure memory. Hence, This patch removes the change_security_state()
call in bl1_run_bl2() and replaces it with an assert to confirm
the BL2 as secure.
Fixes ARM-software/tf-issues#314
Change-Id: I611b83f5c4090e58a76a2e950b0d797b46df3c29
Vikram Kanigiri
committed
on 2 Sep 2015
|
2015-08-20 |
TBB: abort boot if BL3-2 cannot be authenticated
...
BL3-2 image (Secure Payload) is optional. If the image cannot be
loaded a warning message is printed and the boot process continues.
According to the TBBR document, this behaviour should not apply in
case of an authentication error, where the boot process should be
aborted.
This patch modifies the load_auth_image() function to distinguish
between a load error and an authentication error. The caller uses
the return value to abort the boot process or continue.
In case of authentication error, the memory region used to store
the image is wiped clean.
Change-Id: I534391d526d514b2a85981c3dda00de67e0e7992
Juan Castillo
committed
on 20 Aug 2015
|
2015-06-25 |
TBB: delete deprecated PolarSSL authentication module
...
After updating the main authentication module to use the transport
and crypto modules and the CoT description, the PolarSSL
authentication module is no longer required. This patch deletes it.
Change-Id: I8ba1e13fc1cc7b2fa9df14ff59eb798f0460b878
Juan Castillo
committed
on 25 Jun 2015
|
TBB: switch to the new authentication framework
...
This patch modifies the Trusted Board Boot implementation to use
the new authentication framework, making use of the authentication
module, the cryto module and the image parser module to
authenticate the images in the Chain of Trust.
A new function 'load_auth_image()' has been implemented. When TBB
is enabled, this function will call the authentication module to
authenticate parent images following the CoT up to the root of
trust to finally load and authenticate the requested image.
The platform is responsible for picking up the right makefiles to
build the corresponding cryptographic and image parser libraries.
ARM platforms use the mbedTLS based libraries.
The platform may also specify what key algorithm should be used
to sign the certificates. This is done by declaring the 'KEY_ALG'
variable in the platform makefile. FVP and Juno use ECDSA keys.
On ARM platforms, BL2 and BL1-RW regions have been increased 4KB
each to accommodate the ECDSA code.
REMOVED BUILD OPTIONS:
* 'AUTH_MOD'
Change-Id: I47d436589fc213a39edf5f5297bbd955f15ae867
Juan Castillo
committed
on 25 Jun 2015
|
Use numbers to identify images instead of names
...
The Trusted firmware code identifies BL images by name. The platform
port defines a name for each image e.g. the IO framework uses this
mechanism in the platform function plat_get_image_source(). For
a given image name, it returns the handle to the image file which
involves comparing images names. In addition, if the image is
packaged in a FIP, a name comparison is required to find the UUID
for the image. This method is not optimal.
This patch changes the interface between the generic and platform
code with regard to identifying images. The platform port must now
allocate a unique number (ID) for every image. The generic code will
use the image ID instead of the name to access its attributes.
As a result, the plat_get_image_source() function now takes an image
ID as an input parameter. The organisation of data structures within
the IO framework has been rationalised to use an image ID as an index
into an array which contains attributes of the image such as UUID and
name. This prevents the name comparisons.
A new type 'io_uuid_spec_t' has been introduced in the IO framework
to specify images identified by UUID (i.e. when the image is contained
in a FIP file). There is no longer need to maintain a look-up table
[iname_name --> uuid] in the io_fip driver code.
Because image names are no longer mandatory in the platform port, the
debug messages in the generic code will show the image identifier
instead of the file name. The platforms that support semihosting to
load images (i.e. FVP) must provide the file names as definitions
private to the platform.
The ARM platform ports and documentation have been updated accordingly.
All ARM platforms reuse the image IDs defined in the platform common
code. These IDs will be used to access other attributes of an image in
subsequent patches.
IMPORTANT: applying this patch breaks compatibility for platforms that
use TF BL1 or BL2 images or the image loading code. The platform port
must be updated to match the new interface.
Change-Id: I9c1b04cb1a0684c6ee65dee66146dd6731751ea5
Juan Castillo
committed
on 25 Jun 2015
|
TBB: replace assert() with runtime checks in PolarSSL module
...
Using assert() to check the length of keys and hashes included in
a certificate is not a safe approach because assert() only applies
to debug builds. A malformed certificate could exploit security
flaws in release binaries due to buffer overflows.
This patch replaces assert() with runtime checkings in the PolarSSL
authentication module, so malformed certificates can not cause a
memory overflow.
Change-Id: I42ba912020595752c806cbd242fe3c74077d993b
Juan Castillo
committed
on 25 Jun 2015
|
TBB: use ASN.1 type DigestInfo to represent hashes
...
The cert_create tool calculates the hash of each BL image and includes
it as an ASN.1 OCTET STRING in the corresponding certificate extension.
Without additional information, the firmware running on the platform
has to know in advance the algorithm used to generate the hash.
This patch modifies the cert_create tool so the certificate extensions
that include an image hash are generated according to the following
ASN.1 structure:
DigestInfo ::= SEQUENCE {
digestAlgorithm AlgorithmIdentifier,
digest OCTET STRING
}
AlgorithmIdentifier ::= SEQUENCE {
algorithm OBJECT IDENTIFIER,
parameters ANY DEFINED BY algorithm OPTIONAL
}
The PolarSSL module has been updated to extract the image hash
from the certificate extension according to this structure.
Change-Id: I6d83430f12a8a0eea8447bec7c936e903f644c85
Juan Castillo
committed
on 25 Jun 2015
|
2015-04-27 |
Fix type mismatches in verbose logging
...
Commit dad2504 adds support for type checking in printf-like
functions. Some of the VERBOSE logging statements were not updated
at that time.
Fix the type mismatches in the verbose logging statements.
Change-Id: Idd9a49e41cc0dc31f7698e220819d934e3d2d10e
Dan Handley
committed
on 27 Apr 2015
|
2015-04-08 |
Add support to indicate size and end of assembly functions
...
In order for the symbol table in the ELF file to contain the size of
functions written in assembly, it is necessary to report it to the
assembler using the .size directive.
To fulfil the above requirements, this patch introduces an 'endfunc'
macro which contains the .endfunc and .size directives. It also adds
a .func directive to the 'func' assembler macro.
The .func/.endfunc have been used so the assembler can fail if
endfunc is omitted.
Fixes ARM-Software/tf-issues#295
Change-Id: If8cb331b03d7f38fe7e3694d4de26f1075b278fc
Signed-off-by: Kévin Petit <kevin.petit@arm.com>
Kévin Petit
committed
on 8 Apr 2015
|
2015-03-11 |
TBB: remove PolarSSL SHA1 functions from the binary
...
Commit ea4ec3aad5e1 ("TBB: use SHA256 to generate the certificate
signatures") updated the cert_create tool to generate the
signatures using SHA256 instead of SHA1. Therefore, SHA1 is no
longer required.
This patch removes the SHA1 option from the PolarSSL configuration
file. The source file sha1.c is no longer needed and has been
excluded from the build. The SHA1 functions are no longer included
in the binary, reducing the memory footprint of BL1 and BL2 by
approximately 6 KB.
Change-Id: I72ea2cff03c0964c3eaadce148ec2ad2c6dde2e3
Juan Castillo
committed
on 11 Mar 2015
|
2015-03-05 |
Fix violations to the coding style
...
All coding style violations have been fixed in a previous patch and
since then, each individual patch has been checked in this regard.
However, the latest version of the checkpatch.pl script from the Linux
kernel is more advanced and it is able to flag new errors in the
Trusted Firmware codebase. This patch fixes them.
Change-Id: I1f332f2440984be85d36b231bb83260368987077
Sandrine Bailleux
committed
on 5 Mar 2015
|
2015-01-28 |
TBB: add authentication module interface
...
This patch provides an API to access the authentication module that
will be used to verify the authenticity of the images loaded into
memory as part of the Trusted Board Boot process.
To include the authentication module as part of the build, set the
boolean build option TRUSTED_BOARD_BOOT. One single authentication
module must be registered at build time by setting the build option
AUTH_MOD=<mod_name>. All authentication modules will be located in
'common/auth/<mod_name>' and must present the <mod_name>.mk file that
will be included by the build system to compile the module sources.
To create an authentication module, an instance of auth_mod_t called
'auth_mod' must be declared in the module sources. The initialization
and verification functions provided by the module will be exported
through the function pointers specified when declaring this instance.
If an authentication module includes third party sources that do not
adhere to the C99 standard, the -pedantic option may be removed from
the build options by setting the flag DISABLE_PEDANTIC in the module
file <mod_name>.mk.
Change-Id: I080bb04bd421029bcdf22ec2c63807afbf061dcd
Juan Castillo
authored
on 13 Jan 2015
Dan Handley
committed
on 28 Jan 2015
|
TBB: add PolarSSL based authentication module
...
This patch implements an authentication module based on the
PolarSSL library (v1.3.9) to verify the Chain of Trust when
Trusted Boot is enabled.
PolarSSL sources must be fetched separately. The POLARSSL_DIR
build option may be used to indicate the path to the PolarSSL
main directory (this directory must contain the 'include' and
'library' subdirectories).
To be able to build PolarSSL sources as a part of the Trusted
Firmware build process, the DISABLE_PEDANTIC flag in polarssl.mk
will tell the build system to remove the -pedantic option from
the CFLAGS.
Inclusion of PolarSSL increases the memory requirements of the BL1
and BL2 images. The following are the changes made to the FVP and
Juno platforms to cater for this when TRUSTED_BOARD_BOOT is
defined:
Changes on FVP:
- BL1 and BL2 stacks have been increased to 4 KB
- BL1(rw) section has been increased to 32 KB.
- BL2 memory region has been increased to 112 KB
Changes on Juno:
- BL1 and BL2 stacks have been increased to 4 KB
- BL1(rw) section has been increased to 32 KB.
- Trusted ROM region in Flash has been increased to 128 KB.
- BL2 memory region has been increased to 116 KB
Change-Id: Ie87d80d43408eb6239c4acd0ec5ab2120e4e9e80
Juan Castillo
authored
on 13 Jan 2015
Dan Handley
committed
on 28 Jan 2015
|
Skip reserving memory for non-executable and BL3-0 images
...
This patch adds support to not reserve the memory where an image is
loaded if the image is:
1. A non-executable image e.g. a certificate
2. An executable image which is not meant to run on the
application CPU (e.g. BL3-0)
Both types of images are characterized by a NULL entrypoint argument
to the load_image() function. It is used to distinguish them from
other type of images.
Important: Use this feature carefully. The caller is responsible for
providing a valid entrypoint while loading images which will execute
on the application CPU to prevent a potential overwrite of the
corresponding memory region.
Change-Id: Ied482280d9db714c529ec12c33a6c1d918d77a4e
Juan Castillo
authored
on 19 Jan 2015
Dan Handley
committed
on 28 Jan 2015
|
2014-08-19 |
Rework use of labels in assembly macros.
...
This patch provides a workaround for the ASM_ASSERT label issue
and also reworks the use of labels in assembly macros.
If the caller of the ASM_ASSERT macro happened to use the
label '1' to jump past the ASM_ASSERT macro, it would not have
worked since the ASM_ASSERT macro internally used the same label.
Hence, as a workaround, this patch makes the label a high
number in the expectation that the caller will never use it.
Also updated the other assembly macros using numerical labels to
named lables.
Change-Id: Iec892359db84f2391ad2a83a92141c4d7049776a
Soby Mathew
committed
on 19 Aug 2014
|
2014-08-12 |
Rationalize console log output
...
Fix the following issues with the console log output:
* Make sure the welcome string is the first thing in the log output
(during normal boot).
* Prefix each message with the BL image name so it's clear which
BL the output is coming from.
* Ensure all output is wrapped in one of the log output macros so it can
be easily compiled out if necessary. Change some of the INFO() messages
to VERBOSE(), especially in the TSP.
* Create some extra NOTICE() and INFO() messages during cold boot.
* Remove all usage of \r in log output.
Fixes ARM-software/tf-issues#231
Change-Id: Ib24f7acb36ce64bbba549f204b9cde2dbb46c8a3
Dan Handley
committed
on 12 Aug 2014
|
2014-07-28 |
Merge pull request #177 from jcastillo-arm/jc/tf-issues/096
...
Rework incorrect use of assert() and panic() in codebase
danh-arm
committed
on 28 Jul 2014
|
Rework incorrect use of assert() and panic() in codebase
...
Assert a valid security state using the macro sec_state_is_valid().
Replace assert() with panic() in those cases that might arise
because of runtime errors and not programming errors.
Replace panic() with assert() in those cases that might arise
because of programming errors.
Fixes ARM-software/tf-issues#96
Change-Id: I51e9ef0439fd5ff5e0edfef49050b69804bf14d5
Juan Castillo
committed
on 28 Jul 2014
|
Rework the crash reporting in BL3-1 to use less stack
...
This patch reworks the crash reporting mechanism to further
optimise the stack and code size. The reporting makes use
of assembly console functions to avoid calling C Runtime
to report the CPU state. The crash buffer requirement is
reduced to 64 bytes with this implementation. The crash
buffer is now part of per-cpu data which makes retrieving
the crash buffer trivial.
Also now panic() will use crash reporting if
invoked from BL3-1.
Fixes ARM-software/tf-issues#199
Change-Id: I79d27a4524583d723483165dc40801f45e627da5
Soby Mathew
committed
on 28 Jul 2014
|
Implement an assert() callable from assembly code
...
The patch implements a macro ASM_ASSERT() which can
be invoked from assembly code. When assertion happens,
file name and line number of the check is written
to the crash console.
Fixes ARM-software/tf-issues#95
Change-Id: I6f905a068e1c0fa4f746d723f18df60daaa00a86
Soby Mathew
committed
on 28 Jul 2014
|
2014-07-25 |
Implement a leaner printf for Trusted Firmware
...
This patch implements a "tf_printf" which supports only the commonly
used format specifiers in Trusted Firmware, which uses a lot less
stack space than the stdlib printf function.
Fixes ARM-software/tf-issues#116
Change-Id: I7dfa1944f4c1e634b3e2d571f49afe02d109a351
Soby Mathew
committed
on 25 Jul 2014
|
2014-07-01 |
Remove concept of top/bottom image loading
...
This concept is no longer required since we now support loading of
images at fixed addresses only.
The image loader now automatically detects the position of the image
inside the current memory layout and updates the layout such that
memory fragmentation is minimised.
The 'attr' field of the meminfo data structure, which used to hold
the bottom/top loading information, has been removed. Also the 'next'
field has been removed as it wasn't used anywhere.
The 'init_bl2_mem_layout()' function has been moved out of common
code and put in BL1-specific code. It has also been renamed into
'bl1_init_bl2_mem_layout'.
Fixes ARM-software/tf-issues#109
Change-Id: I3f54642ce7b763d5ee3b047ad0ab59eabbcf916d
Sandrine Bailleux
committed
on 1 Jul 2014
|
2014-06-05 |
Make the entry point argument optional in load_image()
...
There are cases where the entry point information is useless to the
caller, e.g. when an image just needs to be loaded in memory but won't
ever be executed.
This patch allows load_image() function to take a NULL pointer as the
entry point argument. In this case, it won't be populated.
Change-Id: Ie9394b054457706c6699926c5e0206e0c3851c56
Sandrine Bailleux
committed
on 5 Jun 2014
|
2014-05-23 |
Move BL porting functions into platform.h
...
Some platform porting functions were in BL specific header files.
These have been moved to platform.h so that all porting functions
are in the same place. The functions are now grouped by BL.
Obsolete BL headers files have been removed.
Also, the weak declaration of the init_bl2_mem_layout() function
has been moved out the header file and into the source file
(bl_common.c) using the more succinct #pragma syntax. This
mitigates the risk of 2 weak definitions being created and the
wrong one being picked up by the compiler.
Change-Id: Ib19934939fd755f3e5a5a5bceec88da684308a83
Dan Handley
authored
on 15 May 2014
Achin Gupta
committed
on 23 May 2014
|
2014-05-22 |
Rework memory information passing to BL3-x images
...
The issues addressed in this patch are:
1. Remove meminfo_t from the common interfaces in BL3-x,
expecting that platform code will find a suitable mechanism
to determine the memory extents in these images and provide
it to the BL3-x images.
2. Remove meminfo_t and bl31_plat_params_t from all FVP BL3-x
code as the images use link-time information to determine
memory extents.
meminfo_t is still used by common interface in BL1/BL2 for
loading images
Change-Id: I4e825ebf6f515b59d84dc2bdddf6edbf15e2d60f
Vikram Kanigiri
committed
on 22 May 2014
|
Populate BL31 input parameters as per new spec
...
This patch is based on spec published at
https://github.com/ARM-software/tf-issues/issues/133
It rearranges the bl31_args struct into
bl31_params and bl31_plat_params which provide the
information needed for Trusted firmware and platform
specific data via x0 and x1
On the FVP platform BL3-1 params and BL3-1 plat params
and its constituents are stored at the start of TZDRAM.
The information about memory availability and size for
BL3-1, BL3-2 and BL3-3 is moved into platform specific data.
Change-Id: I8b32057a3d0dd3968ea26c2541a0714177820da9
Vikram Kanigiri
committed
on 22 May 2014
|