The same tee-supplicant is available in the meta-arm layer
along with the recipe.
| meta-arm/recipes-security/optee/optee-client
| meta-arm/recipes-security/optee/optee-client/tee-supplicant.sh
| meta-arm/recipes-security/optee/optee-client/tee-supplicant@.service
| meta-arm/recipes-security/optee/optee-client.inc
| meta-arm/recipes-security/optee/optee-client_4.1.0.bb
Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io>
Signed-off-by: Jon Mason <jon.mason@arm.com>
oe-core master now has 6.6.54 which incorporates this patch, so we don't
need to carry it anymore.
This reverts commit 60fd47edd0.
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
The Application Root of Trust and the PSA Root of Trust was not
isolated in TF-M Isolation Level 2 beacuse of the misconfiguration of
the MPU. The added patch fixes this issue.
Fixes: a8f47e9 (arm-bsp/trusted-firmware-m: corstone1000: update to 2.0)
Signed-off-by: Bence Balogh <bence.balogh@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
Create new yml file "corstone1000-extsys.yml" which adds "corstone1000-extsys" as
new MACHINE_FEATURE.
Based on this, external system components can be enabled or disabled from the
Linux Kernel and U-Boot.
Reason for change:
DT-schema test is failing for the SystemReady-IR v2.0 certification because
device tree binding for remoteproc dts node corresponds to external system has
not been upstreamed in the Linux Kernel yet.
So, it has been decided to make enablement of external system configurable in
order to make Corstone1000 FVP SystemReady-IR v2.0 certifiable.
Signed-off-by: Harsimran Singh Tungal <harsimransingh.tungal@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
Improve the documentation in the user guide of the following tests:
- SystemReady-IR tests
- Manual capsule update and ESRT checks
- Linux distros tests
- UEFI Secureboot (SB) test
- PSA API tests
In addition, we moved the tests in one section for better readability.
Signed-off-by: Delane Brandy <delane.brandy@arm.com>
Signed-off-by: Harsimran Singh Tungal <harsimransingh.tungal@arm.com>
Signed-off-by: Bence Balogh <bence.balogh@arm.com>
Signed-off-by: Abdellatif El Khlifi <abdellatif.elkhlifi@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
The reset has to be removed from the TF-M side after capsule update
because it caused data abort exceptions on the host side.
Signed-off-by: Bence Balogh <bence.balogh@arm.com>
The buffer size has to be increased to fit the EFI variables which got
increased metadata sizes.
Signed-off-by: Bence Balogh <bence.balogh@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
The increased EFI variable metadata need bigger buffer so it can
be transfered to the Secure Enclave without memory overflow
issues. The heap and buffer sizes had to be aligned with the.
Signed-off-by: Bence Balogh <bence.balogh@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
The private authenticated variable changes increased the variables
metadata. The PS max asset size and related buffer sizes have to be
increased because of this.
Signed-off-by: Bence Balogh <bence.balogh@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
This changeset updates the user guide to test the secureboot for both the
FVP and FPGA.
Signed-off-by: Harsimran Singh Tungal <harsimransingh.tungal@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
The psa-iat-api-test was failing because the PLATFORM_HAS_ATTEST_PK
flag was added to the build for Corstone1000.
Signed-off-by: Bence Balogh <bence.balogh@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
Crypto-AEAD-APIs tests fails on mps3. Configures CC312 mps3 model
same as predefined cc312 FVP configuration while keeping debug
ports closed.
Signed-off-by: Ali Can Ozaslan <ali.oezaslan@arm.com>
Signed-off-by: Bence Balogh <bence.balogh@arm.com>
Signed-off-by: Emekcan Aras <emekcan.aras@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
Corstone1000 does not properly clean the cache and disable gic interrupts
before the reset. This causes a race condition especially in FVP after reset.
This adds proper sequence before resetting the platform.
Signed-off-by: Emekcan Aras <Emekcan.Aras@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
Add corstone1000-recovery-image image based on core-image-minimal
while disabling the testimage task which is irrelevant in case of
an initramfs bundle.
Signed-off-by: Abdellatif El Khlifi <abdellatif.elkhlifi@arm.com>
Signed-off-by: Bence Balogh <bence.balogh@arm.com>
Signed-off-by: Ross Burton <ross.burton@arm.com>
Corstone-1000 no longer uses OpenAMP, and it was the only platform
which needed this library.
Signed-off-by: Bence Balogh <bence.balogh@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
The OpenAMP is replaced by the RSE Communication Protocol and
the documentation had to by updated to reflect this change.
Signed-off-by: Bence Balogh <bence.balogh@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
Update the Corstone-1000 user guide with the new instructions on how to
build/use an ESP image and how to use the meta-arm-systemready layer to
run the ACS tests.
Signed-off-by: Drew Reed <Drew.Reed@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
The SystemReady IR ACS test suite require that there is a valid ESP
partition available to the system. This change creates a new image that
only contains a ESP partition and ensures it's mounted on the second MMC
card so it's available when the SystemReady tests run.
The diagnostic level of the 2 MMC cards have also been lowered to
improve the ACS test duration.
Corrected a spelling mistake in the corstone1000-flash-firmware-image.bb
file.
Signed-off-by: Drew Reed <Drew.Reed@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
Added the missing meta-arm-systemready required variable to enable its
use with the corstone1000-fvp machine. Also explicitly set all the
consoles.
Signed-off-by: Drew Reed <Drew.Reed@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
After enabling additional features in Trusted Services, the size of BL32
image (OP-TEE + Trusted Services SPs) is larger now. To create more space
in secure RAM for BL32 image, this patch removes NS_SHARED_RAM region which
is not currently used by corstone1000 platform.
Signed-off-by: Emekcan Aras <emekcan.aras@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
This change enables the UEFI secure boot and its related configurations
for corstone1000
Signed-off-by: Harsimran Singh Tungal <harsimransingh.tungal@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
The .nopt and capsule are generated during the yocto build. Sync the
documentation with the changes.
Signed-off-by: Bence Balogh <bence.balogh@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
Currently, only the Corstone-1000 platform uses the capsule generation
class. Corstone-1000 uses U-Boot instead of EDK2. With this change,
the dependency on EDK2 was removed.
Signed-off-by: Bence Balogh <bence.balogh@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
The .nopt image is used during the UEFI Update Capsule generation.
This .nopt image was generated manually when it was needed.
Signed-off-by: Bence Balogh <bence.balogh@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
Add a recipe to enable building and deploying the FWU service
implemented in the Trusted Services Project. The FWU service can
help vendors to meet PSA certification requirements.
Signed-off-by: Gyorgy Szing <gyorgy.szing@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
Due to how the timer in u-boot is implemented, it's quite possible for
a two second timeout in the u-boot login to actually take over 15s to
expire.
Take a patch from the mailing list to implement this differently so the
timer runs in an accurate amount of time.
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
add support for the remoteproc control feature for the external system
With this feature we can switch on/off the external system on demand:
echo stop > /sys/class/remoteproc/remoteproc0/state
echo start > /sys/class/remoteproc/remoteproc0/state
During Linux boot the remoteproc subsystem automatically start
the external system. The user can use the commands above to
stop then start the remote core.
Signed-off-by: Abdellatif El Khlifi <abdellatif.elkhlifi@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
describe the external system as a remoteproc node in the device tree
Signed-off-by: Abdellatif El Khlifi <abdellatif.elkhlifi@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
install the external system binaries under /lib/firmware
The kernel's remoteproc subsystem expects the firmware file to be under /lib/firmware
Signed-off-by: Abdellatif El Khlifi <abdellatif.elkhlifi@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
This is mostly based on the existing qemu-generic-arm64 machine, but by
not being based on the genericarm64 and instead being specifically a
machine to run on the qemu sbsa-ref machine we get to tune differently.
Specifically, this configures sbsa-ref to be a Neoverse N2 (v9), and the
tune is set to match. Another notable difference to qemu-generic-arm64
is that the kernel configuration is at present defconfig. We may wish
to change this in the future to be the same fragmented configuration as
genericarm64.
We have to ignore two testimage parselogs failures: one from NUMA which
will be fixed in a future EDK2 release, and one from efifb where we
should be using the bochsdrm driver instead (further investigation is
needed)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
Every platform should have the chance to try the -rt patches.
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
- The Secure Enclave Proxy Secure Partition fails at psa_call()
because wrong parameter was passed.
- The SMM Gateway initialization failed because a malloc()
returned a NULL pointer. The SMM_GATEWAY_MAX_UEFI_VARIABLES
had to be decreased to avoid this.
- Increase shared memory buffer size and add buildtime check
- Use __packed for the variable_metadata struct
Signed-off-by: Bence Balogh <bence.balogh@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
The Trusted Services v1.0 uses new RPC protocol and the message
fields in u-boot had to be synchronized.
Signed-off-by: Bence Balogh <bence.balogh@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
Add configuration settings to TF-A, OP-TEE and TS SPs needed to get TS
built and run on the fvp-base machine.
Signed-off-by: Gyorgy Szing <gyorgy.szing@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
- Update driver version to v2.0.0
- Follow up the name change. The driver has been renamed from
arm_ffa_tee to arm_tstee.
Signed-off-by: Gyorgy Szing <Gyorgy.Szing@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
