- Cite crash reports as an example of sensitive
information. Previously, it might have sounded like this was the
focus of the threat.
- Warn about logging high-precision timing information, as well as
conditionally logging (potentially nonsensitive) information
depending on sensitive information.
Change-Id: I33232dcb1e4b5c81efd4cd621b24ab5ac7b58685
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
For each threat, we now separate:
- how to mitigate against it;
- whether TF-A currently implements these mitigations.
A new "Mitigations implemented?" box is added to each threat to
provide the implementation status. For threats that are partially
mitigated from platform code, the original text is improved to make
these expectations clearer. The hope is that platform integrators will
have an easier time identifying what they need to carefully implement
in order to follow the security recommendations from the threat model.
Change-Id: I8473d75946daf6c91a0e15e61758c183603e195b
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
Updated following sections to document implementation of the FF-A boot
information protocol:
- Describing secure partitions.
- Secure Partition Packages.
- Passing boot data to the SP.
Also updated description of the manifest field 'gp-register-num'.
Signed-off-by: J-Alves <joao.alves@arm.com>
Change-Id: I5c856437b60cdf05566dd636a01207c9b9f42e61
This patch fixes the following encodings in the System register
encoding space for the MPAM registers. The encodings now match
with the Arm® Architecture Reference Manual Supplement for MPAM.
* MPAMVPM0_EL2
* MPAMVPM1_EL2
* MPAMVPM2_EL2
* MPAMVPM3_EL2
* MPAMVPM4_EL2
* MPAMVPM5_EL2
* MPAMVPM6_EL2
* MPAMVPM7_EL2
* MPAMVPMV_EL2
Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>
Change-Id: Ib339412de6a9c945a3307f3f347fe7b2efabdc18
Add SP entries to event_log_metadata if SPD_spmd is enabled. Otherwise
the platform cannot boot with measured boot enabled.
Signed-off-by: Imre Kis <imre.kis@arm.com>
Change-Id: I525eb50e7bb60796b63a8c7f81962983017bbf87
MISRA Violation: MISRA-C:2012 R.15.6
- The body of an iteration-statement or a selection-statement shall be
a compound statement.
Signed-off-by: Venkatesh Yadav Abbarapu <venkatesh.abbarapu@xilinx.com>
Change-Id: Ia1d6fcabd36d18ff2dab6c22579ffafd5211fc1f
After the SRC bit clear, we must wait for a while to make sure
the operation is finished. And don't enable all the PU domains
by default.
for USB OTG, the limitations are:
1. before system clock configuration. ipg clock runs at 12.5MHz.
delay time should longer than 82us.
2. after system clock configuration. ipg clock runs at 66.5MHz.
delay time should longer than 15.3us.
so add udelay 100 to safely clear the SRC bit 0.
Signed-off-by: Jacky Bai <ping.bai@nxp.com>
Change-Id: I52e8e7739fdaaf86442bcd148e768b6af38bcdb7
Denver CPUs use the same workaround for CVE-2017-5715 and CVE-2022-23960
vulnerabilities. The workaround for CVE-2017-5715 is always enabled, so
all Denver variants use CPU_NO_EXTRA3_FUNC as a placeholder for the
mitigation for CVE-2022-23960. This patch implements the approach.
Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>
Change-Id: I0863541ce19b6b3b6d1b2f901d3fb6a77f315189
MISRA Violation: MISRA-C:2012 R.8.13
- The pointer variable points to a non-constant type
but does not modify the object it points to. Consider
adding const qualifier to the points-to type.
Signed-off-by: Venkatesh Yadav Abbarapu <venkatesh.abbarapu@xilinx.com>
Change-Id: Ifd06c789cfd3babe1f5c0a17aff1ce8e70c87b05
MISRA Violation: MISRA-C:2012 R.8.13
- The pointer variable points to a non-constant type
but does not modify the object it points to. Consider
adding const qualifier to the points-to type.
Signed-off-by: Venkatesh Yadav Abbarapu <venkatesh.abbarapu@xilinx.com>
Change-Id: I74e1b69290e081645bec8bb380128936190b5e24
MISRA Violation: MISRA-C:2012 R.4.6
- Using basic numerical type int rather than a typedef
that includes size and signedness information.
Signed-off-by: Venkatesh Yadav Abbarapu <venkatesh.abbarapu@xilinx.com>
Change-Id: I4eccce7e238f283348a5013e2e45c91435b4ae4e
Different from other i.MX SoCs, which typically use a 24MHz reference clock,
the i.MX8MQ uses a 25MHz reference clock. As the architected timer clock
frequency is directly sourced from the reference clock via a /3 divider this
SoC runs the timers at 8.33MHz.
Signed-off-by: Lucas Stach <l.stach@pengutronix.de>
Change-Id: Ief36af9ffebce7cb75a200124134828d3963e744
Optimizing the pinctrl_functions structure. Remove the pointer to
array of u16 type which consumes a lot of memory (64bits pointer to
array + 16B for END_OF_GROUPS + almost useless 8bits on every entry
which is the same for every group) and add two new members of type
u16 and u8 with the name called group_base and group_size
respectively.
The group_base member contains the base value of pinctrl group whereas
the group_size member contains the total number of groups requested
from the pinctrl function.
Overall, it saves around ~2KB of RAM and ~0.7KB of code memory.
Signed-off-by: Michal Simek <michal.simek@amd.com>
Signed-off-by: Ronak Jain <ronak.jain@xilinx.com>
Change-Id: I79b761b45df350d390fa344d411b340d9b2f13ac
Fixing possible Null pointer dereference error, found
by Coverity scan.
Change-Id: If60b7f7e13ecbc3c01e3a9c5005c480260bbabdd
Signed-off-by: David Vincze <david.vincze@arm.com>
Fix the wrong FF-A version being used for retrieving existing memory
descriptors for v1.0 clients. Internally these should always be stored
using the latest version rather than client version.
Signed-off-by: Marc Bonnici <marc.bonnici@arm.com>
Change-Id: Ibee1b2452c8d6ebd23bbd9d703c96ca185444093
Fix an incorrect bound check for overlapping memory regions which can
give false positives if the two regions are consecutive to each other.
Signed-off-by: Marc Bonnici <marc.bonnici@arm.com>
Change-Id: I997dc4d1ef2014660cc964aff0a73e348c44eff0
GCC 11 and Clang 14 now use the DWARF 5 standard by default however
Arm-DS currently only supports up to version 4. Therefore, for debug
builds, ensure the DWARF 4 standard is used.
Also update references for Arm DS-5 to it's successor Arm-DS (Arm
Development Studio).
Change-Id: Ica59588de3d121c1b795b3699f42c31f032cee49
Signed-off-by: Daniel Boulby <daniel.boulby@arm.com>
* changes:
feat(fvp): add plat hook for memory transactions
feat(spmc): enable handling of the NS bit
feat(spmc): add support for v1.1 FF-A memory data structures
feat(spmc/mem): prevent duplicated sharing of memory regions
feat(spmc/mem): support multiple endpoints in memory transactions
feat(spmc): add support for v1.1 FF-A boot protocol
feat(plat/fvp): introduce accessor function to obtain datastore
feat(spmc/mem): add FF-A memory management code
Add call to platform hooks upon successful transmission of a
memory transaction request and as part of a memory reclaim request.
This allows for platform specific functionality to be performed
accordingly.
Note the hooks must be placed in the initial share request and final
reclaim to prevent order dependencies with operations that may take
place in the normal world without visibility of the SPMC.
Add a dummy implementation to the FVP platform.
Signed-off-by: Marc Bonnici <marc.bonnici@arm.com>
Change-Id: I0c7441a9fdf953c4db0651512e5e2cdbc6656c79
In FF-A v1.1 the NS bit is used by the SPMC to specify the
security state of a memory region retrieved by a SP.
Enable the SPMC to set the bit for v1.1 callers or v1.0
callers that explicitly request the usage via FFA_FEATURES.
In this implementation the sender of the memory region must
reside in the normal world and the SPMC does not support
changing the security state of memory regions therefore
always set the NS bit if required by the caller.
Signed-off-by: Marc Bonnici <marc.bonnici@arm.com>
Change-Id: I215756b28e2382082933ba1dcc7584e7faf4b36b
Add support for the FF-A v1.1 data structures to the EL3 SPMC
and enable the ability to convert between v1.0 and the v1.1
forwards compatible data structures.
The SPMC now uses the v1.1 data structures internally and will
convert descriptors as required depending on the FF-A version
supported by the calling partition.
Signed-off-by: Marc Bonnici <marc.bonnici@arm.com>
Change-Id: Ic14a95ea2e49c989aecf19b927a6b21ac50f863e
Allow the SPMC to reject incoming memory sharing/lending requests
that contain memory regions which overlap with an existing
request.
To enable this functionality the SPMC compares each requested
memory region to those in ongoing memory transactions and rejects
the request if the ranges overlap.
Signed-off-by: Marc Bonnici <marc.bonnici@arm.com>
Change-Id: I7588846f272ec2add2a341d9f24836c73a046e2f
Enable FFA_MEM_LEND and FFA_MEM_SHARE transactions to support multiple
borrowers and add the appropriate validation. Since we currently
only support a single S-EL1 partition, this functionality is to
support the use case where a VM shares or lends memory to one or
more VMs in the normal world as part of the same transaction to
the SP.
Signed-off-by: Marc Bonnici <marc.bonnici@arm.com>
Change-Id: Ia12c4357e9d015cb5f9b38e518b7a25b1ea2e30e
* changes:
build(changelog): add new scope for Arm SMMU driver
feat(smmu): add SMMU abort transaction function
docs(build): add build option for DRTM support
build(drtm): add DRTM support build option
* changes:
docs(threat-model): remove some redundant text in threat #08
docs(threat-model): make experimental features out of scope
docs(threat-model): cosmetic changes
A partition can request the use of the FF-A boot protocol via
an entry in its manifest along with the register (0-3)
that should be populated with a pointer to a data structure
containing boot related information. Currently the boot
information consists of an allocated memory region
containing the SP's manifest, allowing it to map and parse
any extra information as required.
This implementation only supports the v1.1 data structures
and will return an error if a v1.0 client requests the usage
of the protocol.
Signed-off-by: Achin Gupta <achin.gupta@arm.com>
Signed-off-by: Marc Bonnici <marc.bonnici@arm.com>
Change-Id: I67692553a90a7e7d94c64fe275edd247b512efca
In order to provide the EL3 SPMC a sufficient datastore to
record memory descriptors, a accessor function is used.
This allows for the backing memory to be allocated in a
platform defined manner, to accommodate memory constraints
and desired use cases.
Provide an implementation for the Arm FVP platform to
use a default value of 512KB memory allocated in the
TZC RAM section.
Signed-off-by: Marc Bonnici <marc.bonnici@arm.com>
Change-Id: I92bc55ba6e04bdad429eb52f0d2960ceda682804
Originally taken from the downstream Trusty SPD [1]
implementation and modified to integrate with
the EL3 SPMC internals.
Add support to the EL3 SPMC for a subset of the FF-A
memory management ABIs:
- FFA_MEM_SHARE
- FFA_MEM_LEND
- FFA_MEM_RETRIEVE_REQ
- FFA_MEM_RETRIEVE_RESP
- FFA_MEM_RELINQUISH
- FFA_MEM_RECLAIM
- FFA_MEM_FRAG_RX
- FFA_MEM_FRAG_TX
This implementation relies on a datastore allocated in
platform specific code in order to store memory descriptors
about ongoing memory transactions. This mechanism
will be implemented in the following commit.
[1] https://android.googlesource.com/trusty/external/trusted-firmware-a/+/refs/heads/master/services/spd/trusty/
Signed-off-by: Marc Bonnici <marc.bonnici@arm.com>
Change-Id: Ib042f73c8a6e0f0aed00f6762be175cb9dedc042
Add an explicit note that measured boot is out of scope of the threat
model. For example, we have no threat related to the secure
management of measurements, nor do we list its security benefits
(e.g. in terms of repudiation).
This might be a future improvement to the threat model but for now
just acknowledge it is not considered.
Change-Id: I2fb799a2ef0951aa681a755a948bd2b67415d156
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
Created a function to abort all pending NS DMA transactions to
engage complete DMA protection. This call will be used by the
subsequent DRTM implementation changes.
Signed-off-by: Manish V Badarkhe <manish.badarkhe@arm.com>
Signed-off-by: Lucian Paul-Trifu <lucian.paultrifu@gmail.com>
Change-Id: I94992b54c570327d6746295073822a9c0ebdc85d
Added DRTM support build option in the makefiles.
This build option will be used by the DRTM implementation
in the subsequent patches.
Signed-off-by: Manish V Badarkhe <manish.badarkhe@arm.com>
Signed-off-by: Lucian Paul-Trifu <lucian.paultrifu@gmail.com>
Change-Id: I15366f86b3ebd6ab2ebcb192753015d547cdddee
When SPMC is present at S-EL2, EL1 context registers don't need to be
initialized for Secure state. This patch makes sure that EL1 context
registers are initialized only for Non-secure state, and when SPMC is
not present at S-EL2
Signed-off-by: Zelalem Aweke <zelalem.aweke@arm.com>
Change-Id: I4a60b258c31ce5f6472a243e2687159cc495259b
This change makes use of 32-bit crc for calculating gpt header crc
and compares it with the given value.
Signed-off-by: Rohit Ner <rohitner@google.com>
Change-Id: I49bca7aab2c3884881c4b7d90d31786a895290e6
This change makes the necessary additions to makefile of
platforms using partition driver.
Signed-off-by: Rohit Ner <rohitner@google.com>
Change-Id: I0d524760bf52e1d9b4a103f556231f20146bd78e
