1
0
mirror of https://git.yoctoproject.org/meta-arm synced 2026-07-18 16:37:08 +00:00

Compare commits

..

26 Commits

Author SHA1 Message Date
Jon Mason 150169d01f arm/linux-yocto: backport patch to fix 6.5.13 networking issues
Linux kernel commit 9aea191c29e18f7c044a2f95a2da7f7b7fdd0449 (backported
to 6.5.13 as part of the stable process) introduces an bug, which is
preventing networking from functioning (and logging lots of errors in
dmesg).  Linux kernel commit 45b3fae4675dc1d4ee2d7aefa19d85ee4f891377
resolves the issue.

It is need for everything, but only applying for aarch64 to keep the
CI tooling happy.

Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-03-12 14:00:59 -04:00
Emekcan Aras 9a4ae38e84 arm-bsp/optee: Improve PIN counter handling robustness
This patches a security issue discovered lately in OP-TEE version
earlier than v4.1. The detailed report can be found here:

https://github.com/OP-TEE/optee_os/security/advisories/GHSA-2f5m-q4w3-865p

Signed-off-by: Emekcan Aras <emekcan.aras@arm.com>
2024-02-21 09:54:41 +00:00
Ross Burton 12e80bade1 CI: use https: to fetch meta-virtualization
Some firewalls may reject git: traffic, so use https.

Signed-off-by: Ross Burton <ross.burton@arm.com>
2024-02-15 12:24:04 +00:00
Harsimran Singh Tungal 6bfd024269 arm-bsp/tf-a-tests: fix corstone1000
The tftf tests are getting stuck on nanbield for corstone1000
due to incompatible optee version. The optee version on nanbield
needs to be upgraded to fix the tftf tests. To avoid that upgrade
on the release branch, some tftf tests are skipped for corstone1000
platform to make the tftf tests work.

Signed-off-by: Harsimran Singh Tungal <harsimransingh.tungal@arm.com>
2024-02-08 14:11:47 +00:00
Ross Burton 7915779267 arm-bsp/documentation: upgrade Sphinx slightly
Many Sphinx plugins now require Sphinx 5+ ([1], [2], and more), so
sphinx 4.5 isn't usable as the requirements in sphinx itself are not
pinned so you end up with a broken setup with errors such as:

sphinx.errors.VersionRequirementError: The sphinxcontrib.serializinghtml
extension used by this project needs at least Sphinx v5.0; it therefore
cannot be built with this version.

There's a sufficient number of plugins that manually pinning them all is
tedious, so upgrade the documentation to Sphinx 5 (and the corresponding
RTD theme).

Also remove sphinx-copybutton, as this extension is unused.

[1] https://github.com/sphinx-doc/sphinxcontrib-applehelp/commit/ccc77c814a92ef21c300e5ef725b76c40b7ce653
[2] https://github.com/sphinx-doc/sphinxcontrib-devhelp/commit/b2dc14bd8bdd7994c565d254772a0ba3ddecfe51

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-01-18 10:53:16 -05:00
Harsimran Singh Tungal 987d685ed0 corstone1000:arm-bsp/tftf: Fix tftf tests on mps3
The tftf tests were getting crashed on the MPS3 and two issues were found
during investigation. This change set provide fix for those issues:
1. The tftf tests were getting crashed on the MPS3 when compiled with
LOG_LEVEL=50. So, reducing the log level and aligning it with the TF-A
allows us to get rid of the crash.

2. Once the above crash got resolved, it has been found that tftf tests
were getting asserted while reading the value of the register
GICD_ITARGETSR. The reason for the crash is that the value of this register
is zero. As per the GIC documentation, this register is RAZ/WI for uniprocessor
implementation and corstone1000 is uniprocessor implementation for FPGA.
So, this change compiles the tftf tests in release mode which allows us
to compile out the assert definitions.

Signed-off-by: Harsimran Singh Tungal <harsimransingh.tungal@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-01-18 09:34:00 -05:00
Debbie Martin 79c52afe74 ci: Add Arm SystemReady firmware and IR ACS builds
Add CI builds for Arm SystemReady Firmware within the fvp-base CI job and a new
Arm SystemReady IR ACS build job. Add the CI kas config for each of these
builds.

The ACS build can be controlled by the ACS_TEST GitLab variable to specify
whether or not to run the testimage. If this variable is not set, the
testimage step will not run. The job tag can be controlled by the ACS_TAG GitLab
variable.

Signed-off-by: Debbie Martin <Debbie.Martin@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-01-08 09:09:36 -05:00
Debbie Martin 5afb0ce40e arm-systemready: Add parted dependency and inherit testimage
Add the parted-native dependency explicitly which is needed to
use wic commands.

Also explicitly inherit testimage. This means that the kas config
is no longer required to include it in IMAGE_CLASSES.

Signed-off-by: Debbie Martin <Debbie.Martin@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-01-08 09:09:36 -05:00
Harsimran Singh Tungal ae11c9d473 arm-bsp/documentation: corstone1000: fix the steps in the user guide and instructions
Provide updates and fixes in the user guide identified during testing.

Signed-off-by: Harsimran Singh Tungal <harsimransingh.tungal@arm.com>
Signed-off-by: Emekcan Aras <Emekcan.Aras@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2023-12-06 09:11:22 -05:00
Emekcan Aras 0bd7fece41 arm-bsp/documentation: corstone1000: fix the requirements.txt and conf.py path
Readthedocs server requires an absolute path from project's root
directory to find correct requirements.txt and conf.py.

Signed-off-by: Emekcan Aras <Emekcan.Aras@arm.com>
Signed-off-by: Abdellatif El Khlifi <abdellatif.elkhlifi@arm.com>
Signed-off-by: Ross Burton <ross.burton@arm.com>
2023-11-24 19:49:49 +00:00
Emekcan Aras 507eb6c01c arm-bsp/documentation: corstone1000: add readthedocs.yaml file
Migrate Corstone-1000 documentation to .readthedocs.yaml configuration file v2.

Signed-off-by: Emekcan Aras <Emekcan.Aras@arm.com>
Signed-off-by: Abdellatif El Khlifi <abdellatif.elkhlifi@arm.com>
Signed-off-by: Ross Burton <ross.burton@arm.com>
2023-11-24 16:32:38 +00:00
Abdellatif El Khlifi 118c376ab2 kas: corstone1000: pin the SHAs
Upgrade the Corstone-1000 YMLs as follows:

- Set the layers SHAs
- Align with Kas v4
- Update the layers list

Signed-off-by: Abdellatif El Khlifi <abdellatif.elkhlifi@arm.com>
Signed-off-by: Ross Burton <ross.burton@arm.com>
2023-11-24 15:12:13 +00:00
Emekcan Aras af84b2c79d arm-bsp/documentation: corstone1000: add a note and fix instructions
Add a note for Capsule update negative test scenario and fixes instructions
regarding distro-boot in Corstone-1000 user guide.

Signed-off-by: Emekcan Aras <Emekcan.Aras@arm.com>
Signed-off-by: Delane Brandy <delane.brandy@arm.com>
Signed-off-by: Ross Burton <ross.burton@arm.com>
2023-11-24 15:12:13 +00:00
Emekcan Aras 4cb225ae8f arm-bsp/documentation: corstone1000: Add EFI system partition section
Adds creating an EFI System Partition for Corstone-1000.

Signed-off-by: Emekcan Aras <Emekcan.Aras@arm.com>
Signed-off-by: Ross Burton <ross.burton@arm.com>
2023-11-24 15:12:13 +00:00
Abdellatif El Khlifi e0f91d02ab arm-bsp/documentation: corstone1000: update the user guide
align the user guide with the upcoming CORSTONE1000-2023.11 release

Signed-off-by: Abdellatif El Khlifi <abdellatif.elkhlifi@arm.com>
Signed-off-by: Ross Burton <ross.burton@arm.com>
2023-11-24 13:40:39 +00:00
Emekcan Aras 7d04734458 arm-bsp/documentation: corstone1000: update the architecture document
align the architecture document with the upcoming CORSTONE1000-2023.11 release

Signed-off-by: Emekcan Aras <emekcan.aras@arm.com>
Signed-off-by: Abdellatif El Khlifi <abdellatif.elkhlifi@arm.com>
Signed-off-by: Ross Burton <ross.burton@arm.com>
2023-11-24 13:40:39 +00:00
Abdellatif El Khlifi b7d14693f4 arm-bsp/documentation: corstone1000: update the change log
align the change log with the upcoming CORSTONE1000-2023.11 release

Signed-off-by: Abdellatif El Khlifi <abdellatif.elkhlifi@arm.com>
Signed-off-by: Ross Burton <ross.burton@arm.com>
2023-11-24 13:40:39 +00:00
Abdellatif El Khlifi 3ead3b9ecd arm-bsp/documentation: corstone1000: update the release note
align the release note with the upcoming CORSTONE1000-2023.11 release

Signed-off-by: Abdellatif El Khlifi <abdellatif.elkhlifi@arm.com>
Signed-off-by: Ross Burton <ross.burton@arm.com>
2023-11-24 13:40:39 +00:00
Emekcan Aras 8e0757c6cf arm-bsp/u-boot: corstone1000: enable virtio-net support for FVP
Use Ethernet over VirtIO on FVP due to lan91c111 Ethernet driver support dropped from U-Boot.
This patch enables virtio-net device in u-boot to pass ACS tests related to
NIC and PXE. The current ethernet device still works in linux kernel and
corstone1000-mps3 Ethernet device is supported by u-boot, so no change is
required regarding existing Ethernet device.

Signed-off-by: Emekcan Aras <emekcan.aras@arm.com>
Signed-off-by: Ross Burton <ross.burton@arm.com>
2023-11-24 13:40:39 +00:00
Emekcan Aras 1cc64ee62f arm-bsp/corstone1000-fvp: Disable Time Annotation
Timing Annotation is a feature of the model that enables high-level
performance estimations to be made [1]. This currently doesn't work
properly with the new models and it's recommended to unset FASTSIM_DISABLE_TA.

[1] https://developer.arm.com/documentation/100965/1119/Timing-Annotation

Signed-off-by: Emekcan Aras <emekcan.aras@arm.com>
Signed-off-by: Ross Burton <ross.burton@arm.com>
2023-11-24 13:40:39 +00:00
Emekcan Aras 326013b877 arm-bsp/corstone1000-fvp: add unpadded image support for MMC card config
Enables unpadded image support for MMC cards.

Signed-off-by: Emekcan Aras <emekcan.aras@arm.com>
Signed-off-by: Ross Burton <ross.burton@arm.com>
2023-11-24 13:40:39 +00:00
Emekcan Aras 070c349a85 arm-bsp/corstone1000-fvp: Add virtio-net configuration
Adds virtio-net configuration to use virtio-net in corstone1000-fvp.

Signed-off-by: Emekcan Aras <emekcan.aras@arm.com>
Signed-off-by: Ross Burton <ross.burton@arm.com>
2023-11-24 13:40:39 +00:00
Emekcan Aras 472df5300f arm/fvp-corstone1000: upgrade to 11.23_25
Upgrade to the 11.23_25 release of the FVP.

Signed-off-by: Emekcan Aras <emekcan.aras@arm.com>
Signed-off-by: Ross Burton <ross.burton@arm.com>
2023-11-24 13:40:39 +00:00
Delane Brandy 238dc94e2b arm-bsp/documentation: corstone1000: Update the user guide
Update the user guide to include Linux distro installation on fvp

Signed-off-by: Delane Brandy <delane.brandy@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2023-11-24 13:40:39 +00:00
Emekcan Aras 6bdf52fb09 arm-bsp/corstone1000: fix synchronization issue on openamp notification
This fixes a race that is observed rarely in the FVP. It occurs in FVP
when tfm sends the notication ack in openamp, and then reset the access
request which resets the mhu registers before received by the host
processor. It implements the fix both in SE and the host processor openamp
wrapper. This solution enables polling on the status register of mhu until
the notificaiton is read by the host processor. (Inspired by
signal_and_wait_for_signal function in mhu_wrapper_v2_x.c in trusted-firmware-m
https://git.trustedfirmware.org/TF-M/trusted-firmware-m.git/tree/platform/ext/target/arm/rss/common/native_drivers/mhu_wrapper_v2_x.c#n61)

Signed-off-by: Emekcan Aras <emekcan.aras@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2023-11-24 13:40:39 +00:00
Ross Burton 81b3db6673 arm-bsp/optee-os: update Upstream-Status tags
Fix some formatting, and switch Accepted to Backport.

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2023-11-24 12:26:42 +00:00
401 changed files with 6848 additions and 11269 deletions
+168 -206
View File
@@ -1,26 +1,16 @@
image: ${MIRROR_GHCR}/siemens/kas/kas:4.3.2
image: ${MIRROR_GHCR}/siemens/kas/kas:4.0
variables:
# These are needed as the k8s executor doesn't respect the container
# entrypoint by default
CPU_REQUEST: ""
DEFAULT_TAG: ""
CACHE_DIR: $CI_BUILDS_DIR/persist
MIRROR_GHCR: ghcr.io
# These are needed as the k8s executor doesn't respect the container entrypoint
# by default
FF_KUBERNETES_HONOR_ENTRYPOINT: 1
FF_USE_LEGACY_KUBERNETES_EXECUTION_STRATEGY: 0
# The default value for KUBERNETES_CPU_REQUEST
CPU_REQUEST: ""
# The default machine tag for the build jobs
DEFAULT_TAG: ""
# The machine tag for the ACS test jobs
ACS_TAG: ""
# The directory to use as the persistent cache (the root for DL_DIR, SSTATE_DIR, etc)
CACHE_DIR: $CI_BUILDS_DIR/persist
# The container mirror to use
MIRROR_GHCR: ghcr.io
# Whether to run the SystemReady ACS tests
ACS_TEST: 0
# The list of extra Kas fragments to be used when building
EXTRA_KAS_FILES: ""
# The NVD API key to use when fetching CVEs
NVDCVE_API_KEY: ""
ACS_TAG: ""
stages:
- prep
@@ -71,8 +61,7 @@ stages:
# Catch all for everything else
- if: '$KERNEL != "linux-yocto-dev"'
script:
- KASFILES=$(./ci/jobs-to-kas "$CI_JOB_NAME" $EXTRA_KAS_FILES):lockfile.yml
- echo KASFILES=$KASFILES
- KASFILES=$(./ci/jobs-to-kas "$CI_JOB_NAME"):lockfile.yml
- kas dump --update --force-checkout --resolve-refs --resolve-env $KASFILES
- kas build $KASFILES
- ./ci/check-warnings $KAS_WORK_DIR/build/warnings.log
@@ -120,6 +109,27 @@ update-repos:
# VIRT: [none, xen]
# TESTING: testimage
corstone1000-fvp:
extends: .build
parallel:
matrix:
- TESTING: [testimage, tftf]
corstone1000-mps3:
extends: .build
parallel:
matrix:
- TESTING: [none, tftf]
fvp-base:
extends: .build
parallel:
matrix:
- TESTING: testimage
- FIRMWARE: edk2
- SYSTEMREADY_FIRMWARE: arm-systemready-firmware
arm-systemready-ir-acs:
extends: .build
timeout: 12h
@@ -133,6 +143,116 @@ arm-systemready-ir-acs:
tags:
- ${ACS_TAG}
fvps:
extends: .build
generic-arm64:
extends: .build
juno:
extends: .build
parallel:
matrix:
- TOOLCHAINS: [gcc, clang]
FIRMWARE: [u-boot, edk2]
musca-b1:
extends: .build
musca-s1:
extends: .build
n1sdp:
extends: .build
parallel:
matrix:
- TESTING: [none, n1sdp-ts, n1sdp-optee, tftf]
qemu-generic-arm64:
extends: .build
parallel:
matrix:
- KERNEL: [linux-yocto, linux-yocto-dev, linux-yocto-rt]
TOOLCHAINS: [gcc, clang]
TESTING: testimage
qemuarm64-secureboot:
extends: .build
parallel:
matrix:
- KERNEL: [linux-yocto, linux-yocto-dev, linux-yocto-rt]
TOOLCHAINS: [gcc, clang]
TCLIBC: [glibc, musl]
TS: [none, qemuarm64-secureboot-ts]
TESTING: testimage
qemuarm64:
extends: .build
parallel:
matrix:
- DISTRO: poky
KERNEL: [linux-yocto, linux-yocto-dev, linux-yocto-rt]
TOOLCHAINS: [gcc, clang]
FIRMWARE: [u-boot, edk2]
TESTING: testimage
- DISTRO: poky-tiny
TESTING: testimage
- VIRT: xen
qemuarm-secureboot:
extends: .build
parallel:
matrix:
- KERNEL: [linux-yocto, linux-yocto-dev, linux-yocto-rt]
TOOLCHAINS: [gcc, clang]
TCLIBC: [glibc, musl]
TESTING: testimage
- TOOLCHAINS: external-gccarm
TESTING: testimage
qemuarm:
extends: .build
parallel:
matrix:
- DISTRO: poky
KERNEL: [linux-yocto, linux-yocto-dev, linux-yocto-rt]
TOOLCHAINS: [gcc, clang]
FIRMWARE: [u-boot, edk2]
TESTING: testimage
- DISTRO: poky-tiny
TESTING: testimage
- VIRT: xen
qemuarmv5:
extends: .build
parallel:
matrix:
- DISTRO: poky
KERNEL: [linux-yocto, linux-yocto-dev, linux-yocto-rt]
TESTING: testimage
- DISTRO: poky-tiny
TESTING: testimage
sgi575:
extends: .build
tc1:
extends: .build
parallel:
matrix:
- TESTING: testimage
tags:
- x86_64
toolchains:
extends: .build
selftest:
extends: .setup
script:
- KASFILES=./ci/qemuarm64.yml:./ci/selftest.yml:lockfile.yml
- kas shell --update --force-checkout $KASFILES -c 'oe-selftest --num-processes 2 --select-tag meta-arm --run-all-tests'
# Validate layers are Yocto Project Compatible
check-layers:
extends: .setup
@@ -143,23 +263,35 @@ check-layers:
matrix:
- LAYER: [meta-arm, meta-arm-bsp, meta-arm-toolchain]
corstone1000-fvp:
extends: .build
parallel:
matrix:
- FIRMWARE: corstone1000-firmware-only
TESTING: [testimage, tftf]
- FIRMWARE: none
TESTING: testimage
- SYSTEMREADY_FIRMWARE: arm-systemready-firmware
pending-updates:
extends: .setup
artifacts:
paths:
- update-report
script:
- rm -fr update-report
# This configuration has all of the layers we need enabled
- kas shell --update --force-checkout ci/qemuarm64.yml:ci/meta-openembedded.yml:ci/meta-secure-core.yml:lockfile.yml --command \
"$CI_PROJECT_DIR/scripts/machine-summary.py -t report -o $CI_PROJECT_DIR/update-report $($CI_PROJECT_DIR/ci/listmachines.py meta-arm meta-arm-bsp)"
# Do this on x86 whilst the compilers are x86-only
tags:
- x86_64
corstone1000-mps3:
extends: .build
parallel:
matrix:
- FIRMWARE: corstone1000-firmware-only
TESTING: [none, tftf]
- FIRMWARE: none
# What percentage of machines in the layer do we build
machine-coverage:
extends: .setup
script:
- ./ci/check-machine-coverage
coverage: '/Coverage: \d+/'
metrics:
extends: .setup
artifacts:
reports:
metrics: metrics.txt
script:
- kas shell --update --force-checkout ci/base.yml --command \
"$CI_PROJECT_DIR/ci/patchreview $CI_PROJECT_DIR/meta-* --verbose --metrics $CI_PROJECT_DIR/metrics.txt"
documentation:
extends: .setup
@@ -183,173 +315,3 @@ documentation:
artifacts:
paths:
- build-docs/
fvp-base:
extends: .build
parallel:
matrix:
- TS: [none, fvp-base-ts]
TESTING: testimage
- FIRMWARE: edk2
- SYSTEMREADY_FIRMWARE: arm-systemready-firmware
arm-systemready-ir-acs:
extends: .build
timeout: 12h
parallel:
matrix:
# arm-systemready-ir-acs must be specified after fvp-base for ordering
# purposes for the jobs-to-kas output. It is not enough to just have it
# in the job name because fvp-base.yml overwrites the target.
- PLATFORM: [fvp-base, corstone1000-fvp]
ARM_SYSTEMREADY_IR_ACS: arm-systemready-ir-acs
tags:
- ${ACS_TAG}
fvps:
extends: .build
genericarm64:
extends: .build
parallel:
matrix:
- TOOLCHAINS: [gcc, clang]
TESTING: testimage
- KERNEL: linux-yocto-dev
TESTING: testimage
juno:
extends: .build
parallel:
matrix:
- TOOLCHAINS: [gcc, clang]
FIRMWARE: [u-boot, edk2]
# What percentage of machines in the layer do we build
machine-coverage:
extends: .setup
script:
- ./ci/check-machine-coverage
coverage: '/Coverage: \d+/'
metrics:
extends: .setup
artifacts:
reports:
metrics: metrics.txt
script:
- kas shell --update --force-checkout ci/base.yml --command \
"$CI_PROJECT_DIR/ci/patchreview $CI_PROJECT_DIR/meta-* --verbose --metrics $CI_PROJECT_DIR/metrics.txt"
musca-b1:
extends: .build
musca-s1:
extends: .build
n1sdp:
extends: .build
parallel:
matrix:
- TESTING: [none, n1sdp-ts, n1sdp-optee, tftf]
pending-updates:
extends: .setup
artifacts:
paths:
- update-report
script:
- rm -fr update-report
# This configuration has all of the layers we need enabled
- kas shell --update --force-checkout ci/qemuarm64.yml:ci/meta-openembedded.yml:ci/meta-secure-core.yml:lockfile.yml --command \
"$CI_PROJECT_DIR/scripts/machine-summary.py -t report -o $CI_PROJECT_DIR/update-report $($CI_PROJECT_DIR/ci/listmachines.py meta-arm meta-arm-bsp)"
# Do this on x86 whilst the compilers are x86-only
tags:
- x86_64
qemuarm64-secureboot:
extends: .build
parallel:
matrix:
- KERNEL: [linux-yocto, linux-yocto-rt]
TOOLCHAINS: [gcc, clang]
TCLIBC: [glibc, musl]
TS: [none, qemuarm64-secureboot-ts]
TESTING: testimage
- KERNEL: linux-yocto-dev
TESTING: testimage
qemuarm64:
extends: .build
parallel:
matrix:
- DISTRO: poky
KERNEL: [linux-yocto, linux-yocto-rt]
TOOLCHAINS: [gcc, clang]
FIRMWARE: [u-boot, edk2]
TESTING: testimage
- DISTRO: poky-tiny
TESTING: testimage
- VIRT: xen
- KERNEL: linux-yocto-dev
TESTING: testimage
qemuarm-secureboot:
extends: .build
parallel:
matrix:
- KERNEL: [linux-yocto, linux-yocto-rt]
TOOLCHAINS: [gcc, clang]
TCLIBC: [glibc, musl]
TESTING: testimage
- TOOLCHAINS: external-gccarm
TESTING: testimage
- KERNEL: linux-yocto-dev
TESTING: testimage
qemuarm:
extends: .build
parallel:
matrix:
- DISTRO: poky
KERNEL: [linux-yocto, linux-yocto-rt]
TOOLCHAINS: [gcc, clang]
FIRMWARE: [u-boot, edk2]
TESTING: testimage
- DISTRO: poky-tiny
TESTING: testimage
- VIRT: xen
- KERNEL: linux-yocto-dev
TESTING: testimage
qemuarmv5:
extends: .build
parallel:
matrix:
- DISTRO: poky
KERNEL: [linux-yocto, linux-yocto-dev, linux-yocto-rt]
TESTING: testimage
- DISTRO: poky-tiny
TESTING: testimage
sbsa-ref:
extends: .build
parallel:
matrix:
- KERNEL: [linux-yocto, linux-yocto-rt]
TOOLCHAINS: [gcc, clang]
TESTING: testimage
- KERNEL: linux-yocto-dev
TESTING: testimage
selftest:
extends: .setup
script:
- KASFILES=./ci/qemuarm64.yml:./ci/selftest.yml:lockfile.yml
- kas shell --update --force-checkout $KASFILES -c 'oe-selftest --num-processes 2 --select-tag meta-arm --run-all-tests'
sgi575:
extends: .build
toolchains:
extends: .build
@@ -1,79 +0,0 @@
From 42358d889ed652a8c386862f8c65e5fbe7484de2 Mon Sep 17 00:00:00 2001
From: Ross Burton <ross.burton@arm.com>
Date: Fri, 26 Apr 2024 10:38:28 +0000
Subject: [PATCH] procps: fix build with new glibc but old kernel headers
If you're building procps with a newer glibc (with pidfd_open()) but
older kernel headers (say 4.x, before __NR_pidfd_open) then procps will
fail to build because of a typo in configure.ac.
Signed-off-by: Ross Burton <ross.burton@arm.com>
---
.../procps/procps/pidfd.patch | 42 +++++++++++++++++++
meta/recipes-extended/procps/procps_4.0.4.bb | 1 +
2 files changed, 43 insertions(+)
create mode 100644 meta/recipes-extended/procps/procps/pidfd.patch
diff --git a/meta/recipes-extended/procps/procps/pidfd.patch b/meta/recipes-extended/procps/procps/pidfd.patch
new file mode 100644
index 00000000000..f5e8183e547
--- /dev/null
+++ b/meta/recipes-extended/procps/procps/pidfd.patch
@@ -0,0 +1,42 @@
+From c8f625e085b8249cc009e8b19c3a19100217eb35 Mon Sep 17 00:00:00 2001
+From: Ross Burton <ross.burton@arm.com>
+Date: Thu, 25 Apr 2024 13:33:15 +0000
+Subject: [PATCH] Fix pidfd_open detection
+
+This check for pidfd_open uses AC_CHECK_FUNC which just runs the specified code, but
+src/pgrep.c checks HAVE_PIDFD_OPEN which will only be defined by AC_CHECK_FUNCS.
+
+Also pidfd_open is defined in sys/pidfd.h so that needs including.
+
+Upstream-Status: Pending
+Signed-off-by: Ross Burton <ross.burton@arm.com>
+---
+
+diff --git a/configure.ac b/configure.ac
+index fec27e3f..024731c7 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -170,7 +170,7 @@ AC_TRY_COMPILE([#include <errno.h>],
+ AC_MSG_RESULT(yes),
+ AC_MSG_RESULT(no))
+
+-AC_CHECK_FUNC([pidfd_open], [enable_pidwait=yes], [
++AC_CHECK_FUNCS([pidfd_open], [enable_pidwait=yes], [
+ AC_MSG_CHECKING([for __NR_pidfd_open])
+ AC_COMPILE_IFELSE([AC_LANG_SOURCE([
+ #include <sys/syscall.h>
+diff --git a/src/pgrep.c b/src/pgrep.c
+index d8e57dff..c5211aec 100644
+--- a/src/pgrep.c
++++ b/src/pgrep.c
+@@ -44,7 +44,9 @@
+
+ #ifdef ENABLE_PIDWAIT
+ #include <sys/epoll.h>
+-#ifndef HAVE_PIDFD_OPEN
++#ifdef HAVE_PIDFD_OPEN
++#include <sys/pidfd.h>
++#else
+ #include <sys/syscall.h>
+ #endif /* !HAVE_PIDFD_OPEN */
+ #endif
diff --git a/meta/recipes-extended/procps/procps_4.0.4.bb b/meta/recipes-extended/procps/procps_4.0.4.bb
index 800384f22f7..ec8c4b0261b 100644
--- a/meta/recipes-extended/procps/procps_4.0.4.bb
+++ b/meta/recipes-extended/procps/procps_4.0.4.bb
@@ -14,6 +14,7 @@ inherit autotools gettext pkgconfig update-alternatives
SRC_URI = "git://gitlab.com/procps-ng/procps.git;protocol=https;branch=master \
file://sysctl.conf \
+ file://pidfd.patch \
"
SRCREV = "4ddcef2fd843170c8e2d59a83042978f41037a2b"
--
2.34.1
-14
View File
@@ -29,13 +29,6 @@ Other Directories
This directory contains scripts used in running the CI tests
Mailing List
------------
To interact with the meta-arm developer community, please email the meta-arm mailing list at meta-arm@lists.yoctoproject.org
Currently, it is configured to only allow emails to members from those subscribed.
To subscribe to the meta-arm mailing list, please go to
https://lists.yoctoproject.org/g/meta-arm
Contributing
------------
Currently, we only accept patches from the meta-arm mailing list. For general
@@ -56,13 +49,6 @@ The component being changed in the shortlog should be prefixed with the layer na
arm-toolchain/gcc: enable foobar v2
Releases and Release Schedule
--------------
We follow the Yocto Project release methodology, schedule, and stable/LTS support timelines. For more information on these, please reference:
https://docs.yoctoproject.org/ref-manual/release-process.html
https://wiki.yoctoproject.org/wiki/Releases
https://wiki.yoctoproject.org/wiki/Stable_Release_and_LTS
Reporting bugs
--------------
E-mail meta-arm@lists.yoctoproject.org with the error encountered and the steps
-37
View File
@@ -1,37 +0,0 @@
# Reporting vulnerabilities
Arm takes security issues seriously and welcomes feedback from researchers and
the security community in order to improve the security of its products and
services. We operate a coordinated disclosure policy for disclosing
vulnerabilities and other security issues.
Security issues can be complex and one single timescale doesn't fit all
circumstances. We will make best endeavours to inform you when we expect
security notifications and fixes to be available and facilitate coordinated
disclosure when notifications and patches/mitigations are available.
## How to Report a Potential Vulnerability?
If you would like to report a public issue (for example, one with a released CVE
number), please contact the meta-arm mailing list at
meta-arm@lists.yoctoproject.org and arm-security@arm.com.
If you are dealing with a not-yet released or urgent issue, please send a mail
to the maintainers (see README.md) and arm-security@arm.com, including as much
detail as possible. Encrypted emails using PGP are welcome.
For more information, please visit https://developer.arm.com/support/arm-security-updates/report-security-vulnerabilities.
## Branches maintained with security fixes
meta-arm follows the Yocto release model, so see
[https://wiki.yoctoproject.org/wiki/Stable_Release_and_LTS Stable release and
LTS] for detailed info regarding the policies and maintenance of stable
branches.
The [https://wiki.yoctoproject.org/wiki/Releases Release page] contains a list of all
releases of the Yocto Project. Versions in grey are no longer actively maintained with
security patches, but well-tested patches may still be accepted for them for
significant issues.
-2
View File
@@ -1,5 +1,3 @@
# yaml-language-server: $schema=https://raw.githubusercontent.com/siemens/kas/master/kas/schema-kas.json
header:
version: 11
includes:
-4
View File
@@ -1,5 +1,3 @@
# yaml-language-server: $schema=https://raw.githubusercontent.com/siemens/kas/master/kas/schema-kas.json
header:
version: 11
includes:
@@ -14,5 +12,3 @@ local_conf_header:
target:
- arm-systemready-ir-acs
- arm-systemready-linux-distros-debian
- arm-systemready-linux-distros-opensuse
+2 -7
View File
@@ -1,5 +1,3 @@
# yaml-language-server: $schema=https://raw.githubusercontent.com/siemens/kas/master/kas/schema-kas.json
header:
version: 14
@@ -7,7 +5,7 @@ distro: poky
defaults:
repos:
branch: scarthgap
branch: nanbield
repos:
meta-arm:
@@ -21,10 +19,6 @@ repos:
layers:
meta:
meta-poky:
patches:
procps:
path: 0001-procps-fix-build-with-new-glibc-but-old-kernel-heade.patch
repo: meta-arm
env:
BB_LOGCONFIG: ""
@@ -38,6 +32,7 @@ local_conf_header:
PACKAGECONFIG:remove:pn-qemu-system-native = "gtk+ sdl"
PACKAGECONFIG:append:pn-perf = " coresight"
INHERIT += "rm_work"
DISTRO_FEATURES:remove = "ptest"
extrapackages: |
CORE_IMAGE_EXTRA_INSTALL += "perf opencsd"
CORE_IMAGE_EXTRA_INSTALL:append:aarch64 = " gator-daemon"
-2
View File
@@ -1,5 +1,3 @@
# yaml-language-server: $schema=https://raw.githubusercontent.com/siemens/kas/master/kas/schema-kas.json
header:
version: 14
+6 -4
View File
@@ -1,13 +1,15 @@
# yaml-language-server: $schema=https://raw.githubusercontent.com/siemens/kas/master/kas/schema-kas.json
header:
version: 14
includes:
- ci/base.yml
- ci/meta-openembedded.yml
- ci/poky-tiny.yml
- ci/meta-secure-core.yml
- kas/corstone1000-image-configuration.yml
local_conf_header:
extrapackages: |
# Intentionally blank to prevent perf from being added to the image in base.yml
target:
- core-image-minimal
- corstone1000-image
- perf
-10
View File
@@ -1,10 +0,0 @@
# yaml-language-server: $schema=https://raw.githubusercontent.com/siemens/kas/master/kas/schema-kas.json
header:
version: 14
includes:
- kas/corstone1000-firmware-only.yml
target:
- corstone1000-flash-firmware-image
- perf
+5 -2
View File
@@ -1,9 +1,12 @@
# yaml-language-server: $schema=https://raw.githubusercontent.com/siemens/kas/master/kas/schema-kas.json
header:
version: 14
includes:
- ci/corstone1000-common.yml
- ci/fvp.yml
local_conf_header:
fvp-config: |
# Remove Dropbear SSH as it will not fit into the corstone1000 image.
IMAGE_FEATURES:remove = " ssh-server-dropbear"
machine: corstone1000-fvp
-2
View File
@@ -1,5 +1,3 @@
# yaml-language-server: $schema=https://raw.githubusercontent.com/siemens/kas/master/kas/schema-kas.json
header:
version: 14
includes:
-21
View File
@@ -1,21 +0,0 @@
# yaml-language-server: $schema=https://raw.githubusercontent.com/siemens/kas/master/kas/schema-kas.json
header:
version: 14
local_conf_header:
cve: |
INHERIT += "cve-check"
# Allow the runner environment to provide an API key
NVDCVE_API_KEY = "${@d.getVar('BB_ORIGENV').getVar('NVDCVE_API_KEY') or ''}"
# Just show the warnings for our layers
CVE_CHECK_SHOW_WARNINGS = "0"
CVE_CHECK_SHOW_WARNINGS:layer-arm-toolchain = "1"
CVE_CHECK_SHOW_WARNINGS:layer-meta-arm = "1"
CVE_CHECK_SHOW_WARNINGS:layer-meta-arm-bsp = "1"
CVE_CHECK_SHOW_WARNINGS:layer-meta-arm-systemready = "1"
# Ignore the kernel, we sometime carry kernels in meta-arm
CVE_CHECK_SHOW_WARNINGS:pn-linux-yocto = "0"
-2
View File
@@ -1,5 +1,3 @@
# yaml-language-server: $schema=https://raw.githubusercontent.com/siemens/kas/master/kas/schema-kas.json
header:
version: 14
-2
View File
@@ -1,5 +1,3 @@
# yaml-language-server: $schema=https://raw.githubusercontent.com/siemens/kas/master/kas/schema-kas.json
header:
version: 14
+3 -5
View File
@@ -1,5 +1,3 @@
# yaml-language-server: $schema=https://raw.githubusercontent.com/siemens/kas/master/kas/schema-kas.json
header:
version: 14
@@ -8,6 +6,6 @@ local_conf_header:
SKIP_RECIPE[gcc-cross-arm] = "Using external toolchain"
TCMODE = "external-arm"
EXTERNAL_TOOLCHAIN = "${TOPDIR}/toolchains/${TARGET_ARCH}"
# Disable ptest as this pulls target compilers, which don't
# work with external toolchain currently
DISTRO_FEATURES:remove = "ptest"
# Temporary workaround for a number binaries in the toolchains that are using 32bit timer API
# This must be done here instead of the recipe because of all the libraries in the toolchain have the issue
INSANE_SKIP:append = " 32bit-time"
-34
View File
@@ -1,34 +0,0 @@
# yaml-language-server: $schema=https://raw.githubusercontent.com/siemens/kas/master/kas/schema-kas.json
header:
version: 14
includes:
- ci/fvp-base.yml
- ci/meta-openembedded.yml
- ci/testimage.yml
local_conf_header:
trusted_services: |
# Enable the needed test suites
TEST_SUITES = " ping ssh trusted_services"
# Include all Secure Partitions into the image
MACHINE_FEATURES:append = " arm-ffa ts-crypto ts-storage ts-its"
MACHINE_FEATURES:append = " ts-attestation ts-smm-gateway optee-spmc-test"
MACHINE_FEATURES:append = " ts-block-storage ts-fwu"
# Include TS demo/test tools into image
IMAGE_INSTALL:append = " packagegroup-ts-tests"
# Include TS PSA Arch tests into image
IMAGE_INSTALL:append = " packagegroup-ts-tests-psa"
CORE_IMAGE_EXTRA_INSTALL += "optee-test"
# Set the TS environment
TS_ENV="sp"
# Enable and configure semihosting
FVP_CONFIG[cluster0.cpu0.semihosting-cwd] = "${DEPLOY_DIR_IMAGE}"
FVP_CONFIG[cluster0.cpu1.semihosting-cwd] = "${DEPLOY_DIR_IMAGE}"
FVP_CONFIG[cluster0.cpu2.semihosting-cwd] = "${DEPLOY_DIR_IMAGE}"
FVP_CONFIG[cluster0.cpu3.semihosting-cwd] = "${DEPLOY_DIR_IMAGE}"
FVP_CONFIG[cluster1.cpu0.semihosting-cwd] = "${DEPLOY_DIR_IMAGE}"
FVP_CONFIG[cluster1.cpu1.semihosting-cwd] = "${DEPLOY_DIR_IMAGE}"
FVP_CONFIG[cluster1.cpu2.semihosting-cwd] = "${DEPLOY_DIR_IMAGE}"
FVP_CONFIG[cluster1.cpu3.semihosting-cwd] = "${DEPLOY_DIR_IMAGE}"
FVP_CONFIG[semihosting-enable] = "True"
-6
View File
@@ -1,5 +1,3 @@
# yaml-language-server: $schema=https://raw.githubusercontent.com/siemens/kas/master/kas/schema-kas.json
header:
version: 14
includes:
@@ -7,7 +5,3 @@ header:
- ci/fvp.yml
machine: fvp-base
target:
- core-image-sato
- boot-wrapper-aarch64
-2
View File
@@ -1,5 +1,3 @@
# yaml-language-server: $schema=https://raw.githubusercontent.com/siemens/kas/master/kas/schema-kas.json
header:
version: 14
+1 -2
View File
@@ -1,5 +1,3 @@
# yaml-language-server: $schema=https://raw.githubusercontent.com/siemens/kas/master/kas/schema-kas.json
# Simple target to build the FVPs that are publically available
header:
@@ -24,3 +22,4 @@ target:
- nativesdk-fvp-corstone1000
- nativesdk-fvp-n1-edge
- nativesdk-fvp-sgi575
- nativesdk-fvp-tc1
-2
View File
@@ -1,5 +1,3 @@
# yaml-language-server: $schema=https://raw.githubusercontent.com/siemens/kas/master/kas/schema-kas.json
header:
version: 14
+6
View File
@@ -0,0 +1,6 @@
header:
version: 14
includes:
- ci/base.yml
machine: generic-arm64
-18
View File
@@ -1,18 +0,0 @@
# yaml-language-server: $schema=https://raw.githubusercontent.com/siemens/kas/master/kas/schema-kas.json
header:
version: 14
includes:
- ci/base.yml
repos:
poky:
layers:
meta-yocto-bsp:
local_conf_header:
bootloader: |
# If running genericarm64 in a qemu we need to manually build the bootloader
EXTRA_IMAGEDEPENDS += "virtual/bootloader"
machine: genericarm64
+1 -1
View File
@@ -2,7 +2,7 @@
set -u -e
BASENAME=arm-gnu-toolchain
VER=${VER:-13.2.Rel1}
VER=${VER:-12.2.rel1}
HOST_ARCH=${HOST_ARCH:-$(uname -m)}
# Use the standard kas container locations if nothing is passed into the script
-2
View File
@@ -1,5 +1,3 @@
# yaml-language-server: $schema=https://raw.githubusercontent.com/siemens/kas/master/kas/schema-kas.json
header:
version: 14
+5 -21
View File
@@ -3,28 +3,17 @@
# This script is expecting an input of machine name, optionally followed by a
# colon and a list of one or more parameters separated by commas between
# brackets. For example, the following are acceptable:
# corstone1000-mps3
# fvp-base: [testimage]
# qemuarm64-secureboot: [clang, glibc, testimage]
# This argument should be quoted to avoid expansion and to be handled
# as a single value.
#
# Any further arguments will be handled as further yml file basenames.
# corstone1000-mps3
# fvp-base: [testimage]
# qemuarm64-secureboot: [clang, glibc, testimage]
#
# Turn this list into a series of yml files separated by colons to pass to kas
set -e -u
# First, parse the GitLab CI job name (CI_JOB_NAME via $1) and accumulate a list
# of Kas files.
JOBNAME="$1"
shift
FILES="ci/$(echo $1 | cut -d ':' -f 1).yml"
# The base name of the job
FILES="ci/$(echo $JOBNAME | cut -d ':' -f 1).yml"
# The list of matrix variations
for i in $(echo $JOBNAME | cut -s -d ':' -f 2 | sed 's/[][,]//g'); do
for i in $(echo $1 | cut -s -d ':' -f 2 | sed 's/[][,]//g'); do
# Given that there are no yml files for gcc or glibc, as those are the
# defaults, we can simply ignore those parameters. They are necessary
# to pass in so that matrix can correctly setup all of the permutations
@@ -35,9 +24,4 @@ for i in $(echo $JOBNAME | cut -s -d ':' -f 2 | sed 's/[][,]//g'); do
FILES+=":ci/$i.yml"
done
# Now pick up any further names
for i in $*; do
FILES+=":ci/$i.yml"
done
echo $FILES
-2
View File
@@ -1,5 +1,3 @@
# yaml-language-server: $schema=https://raw.githubusercontent.com/siemens/kas/master/kas/schema-kas.json
header:
version: 14
includes:
-2
View File
@@ -1,5 +1,3 @@
# yaml-language-server: $schema=https://raw.githubusercontent.com/siemens/kas/master/kas/schema-kas.json
header:
version: 14
-2
View File
@@ -1,5 +1,3 @@
# yaml-language-server: $schema=https://raw.githubusercontent.com/siemens/kas/master/kas/schema-kas.json
header:
version: 14
-2
View File
@@ -1,5 +1,3 @@
# yaml-language-server: $schema=https://raw.githubusercontent.com/siemens/kas/master/kas/schema-kas.json
header:
version: 14
-2
View File
@@ -1,5 +1,3 @@
# yaml-language-server: $schema=https://raw.githubusercontent.com/siemens/kas/master/kas/schema-kas.json
header:
version: 14
+1 -3
View File
@@ -1,5 +1,3 @@
# yaml-language-server: $schema=https://raw.githubusercontent.com/siemens/kas/master/kas/schema-kas.json
header:
version: 14
@@ -7,7 +5,7 @@ repos:
meta-secure-core:
url: https://github.com/Wind-River/meta-secure-core.git
layers:
meta-secure-core-common:
meta:
meta-signing-key:
meta-efi-secure-boot:
-2
View File
@@ -1,5 +1,3 @@
# yaml-language-server: $schema=https://raw.githubusercontent.com/siemens/kas/master/kas/schema-kas.json
header:
version: 14
includes:
-2
View File
@@ -1,5 +1,3 @@
# yaml-language-server: $schema=https://raw.githubusercontent.com/siemens/kas/master/kas/schema-kas.json
header:
version: 14
includes:
-2
View File
@@ -1,5 +1,3 @@
# yaml-language-server: $schema=https://raw.githubusercontent.com/siemens/kas/master/kas/schema-kas.json
header:
version: 14
includes:
-2
View File
@@ -1,5 +1,3 @@
# yaml-language-server: $schema=https://raw.githubusercontent.com/siemens/kas/master/kas/schema-kas.json
header:
version: 14
-2
View File
@@ -1,5 +1,3 @@
# yaml-language-server: $schema=https://raw.githubusercontent.com/siemens/kas/master/kas/schema-kas.json
header:
version: 14
-2
View File
@@ -1,5 +1,3 @@
# yaml-language-server: $schema=https://raw.githubusercontent.com/siemens/kas/master/kas/schema-kas.json
header:
version: 14
includes:
-2
View File
@@ -1,5 +1,3 @@
# yaml-language-server: $schema=https://raw.githubusercontent.com/siemens/kas/master/kas/schema-kas.json
header:
version: 14
includes:
-2
View File
@@ -1,5 +1,3 @@
# yaml-language-server: $schema=https://raw.githubusercontent.com/siemens/kas/master/kas/schema-kas.json
header:
version: 14
-2
View File
@@ -1,5 +1,3 @@
# yaml-language-server: $schema=https://raw.githubusercontent.com/siemens/kas/master/kas/schema-kas.json
header:
version: 14
+14
View File
@@ -0,0 +1,14 @@
header:
version: 14
includes:
- ci/generic-arm64.yml
local_conf_header:
failing_tests: |
DEFAULT_TEST_SUITES:remove = "parselogs"
machine: qemu-generic-arm64
target:
- core-image-sato
- sbsa-acs
+3 -7
View File
@@ -1,5 +1,3 @@
# yaml-language-server: $schema=https://raw.githubusercontent.com/siemens/kas/master/kas/schema-kas.json
header:
version: 14
includes:
@@ -9,8 +7,6 @@ machine: qemuarm-secureboot
target:
- core-image-base
local_conf_header:
optee: |
IMAGE_INSTALL:append = " optee-test optee-client optee-os-ta"
TEST_SUITES:append = " optee ftpm"
- optee-examples
- optee-test
- optee-os-tadevkit
-2
View File
@@ -1,5 +1,3 @@
# yaml-language-server: $schema=https://raw.githubusercontent.com/siemens/kas/master/kas/schema-kas.json
header:
version: 14
includes:
-2
View File
@@ -1,5 +1,3 @@
# yaml-language-server: $schema=https://raw.githubusercontent.com/siemens/kas/master/kas/schema-kas.json
header:
version: 14
includes:
+3 -7
View File
@@ -1,5 +1,3 @@
# yaml-language-server: $schema=https://raw.githubusercontent.com/siemens/kas/master/kas/schema-kas.json
header:
version: 14
includes:
@@ -9,8 +7,6 @@ machine: qemuarm64-secureboot
target:
- core-image-base
local_conf_header:
optee: |
IMAGE_INSTALL:append = " optee-test optee-client optee-os-ta"
TEST_SUITES:append = " optee ftpm"
- optee-examples
- optee-test
- optee-os-tadevkit
-2
View File
@@ -1,5 +1,3 @@
# yaml-language-server: $schema=https://raw.githubusercontent.com/siemens/kas/master/kas/schema-kas.json
header:
version: 14
includes:
-2
View File
@@ -1,5 +1,3 @@
# yaml-language-server: $schema=https://raw.githubusercontent.com/siemens/kas/master/kas/schema-kas.json
header:
version: 14
includes:
-12
View File
@@ -1,12 +0,0 @@
# yaml-language-server: $schema=https://raw.githubusercontent.com/siemens/kas/master/kas/schema-kas.json
header:
version: 14
includes:
- ci/base.yml
machine: sbsa-ref
target:
- core-image-sato
- sbsa-acs
-2
View File
@@ -1,5 +1,3 @@
# yaml-language-server: $schema=https://raw.githubusercontent.com/siemens/kas/master/kas/schema-kas.json
header:
version: 14
-2
View File
@@ -1,5 +1,3 @@
# yaml-language-server: $schema=https://raw.githubusercontent.com/siemens/kas/master/kas/schema-kas.json
header:
version: 14
includes:
-11
View File
@@ -1,11 +0,0 @@
# yaml-language-server: $schema=https://raw.githubusercontent.com/siemens/kas/master/kas/schema-kas.json
header:
version: 14
local_conf_header:
sstate_mirror: |
BB_HASHSERVE_UPSTREAM = "wss://hashserv.yoctoproject.org/ws"
SSTATE_MIRRORS = "file://.* http://cdn.jsdelivr.net/yocto/sstate/all/PATH;downloadfilename=PATH"
BB_HASHSERVE = "auto"
BB_SIGNATURE_HANDLER = "OEEquivHash"
+11
View File
@@ -0,0 +1,11 @@
header:
version: 14
includes:
- ci/base.yml
- ci/fvp.yml
- ci/meta-openembedded.yml
machine: tc1
target:
- core-image-minimal
+1 -3
View File
@@ -1,5 +1,3 @@
# yaml-language-server: $schema=https://raw.githubusercontent.com/siemens/kas/master/kas/schema-kas.json
header:
version: 14
includes:
@@ -14,7 +12,7 @@ local_conf_header:
slirp: |
TEST_RUNQEMUPARAMS = "slirp"
sshd: |
IMAGE_FEATURES += "ssh-server-dropbear"
IMAGE_FEATURES:append = " ssh-server-dropbear"
sshkeys: |
CORE_IMAGE_EXTRA_INSTALL += "ssh-pregen-hostkeys"
universally_failing_tests: |
-2
View File
@@ -1,5 +1,3 @@
# yaml-language-server: $schema=https://raw.githubusercontent.com/siemens/kas/master/kas/schema-kas.json
header:
version: 14
+2 -2
View File
@@ -1,5 +1,3 @@
# yaml-language-server: $schema=https://raw.githubusercontent.com/siemens/kas/master/kas/schema-kas.json
header:
version: 14
includes:
@@ -18,3 +16,5 @@ target:
- nativesdk-gcc-aarch64-none-elf
- gcc-arm-none-eabi
- nativesdk-gcc-arm-none-eabi
- gcc-arm-none-eabi-11.2
- nativesdk-gcc-arm-none-eabi-11.2
-2
View File
@@ -1,5 +1,3 @@
# yaml-language-server: $schema=https://raw.githubusercontent.com/siemens/kas/master/kas/schema-kas.json
header:
version: 14
-2
View File
@@ -1,5 +1,3 @@
# yaml-language-server: $schema=https://raw.githubusercontent.com/siemens/kas/master/kas/schema-kas.json
header:
version: 14
includes:
+4 -9
View File
@@ -18,18 +18,17 @@ features for each [Secure Partition][^2] you would like to include:
| ----------------- | --------------- |
| Attestation | ts-attesation |
| Crypto | ts-crypto |
| Firmware Update | ts-fwu
| Internal Storage | ts-its |
| Protected Storage | ts-storage |
| se-proxy | ts-se-proxy |
| smm-gateway | ts-smm-gateway |
| spm-test[1-4] | optee-spmc-test |
| spm-test[1-3] | optee-spmc-test |
Other steps depend on your machine/platform definition:
1. For communications between Secure and Normal Words Linux kernel option `CONFIG_ARM_FFA_TRANSPORT=y`
is required. If your platform doesn't include it already you can add `arm-ffa` into MACHINE_FEATURES.
(Please see ` meta-arm/recipes-kernel/arm-tstee`.)
(Please see ` meta-arm/recipes-kernel/arm-ffa-tee`.)
For running the `uefi-test` or the `xtest -t ffa_spmc` tests under Linux the `arm-ffa-user` drivel is required. This is
enabled if the `ts-smm-gateway` and/or the `optee-spmc-test` machine features are enabled.
@@ -45,13 +44,9 @@ Other steps depend on your machine/platform definition:
and in `meta-arm-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a-n1sdp.inc` and
`meta-arm-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a-corstone1000.inc` for N1SDP and Corstone1000 platforms.
4. Trusted Services supports an SPMC agonistic binary format. To build SPs to this format the `TS_ENV` variable is to be
set to `sp`. The resulting SP binaries should be able to boot under any FF-A v1.1 compliant SPMC implementation.
## Normal World applications
Optionally for testing purposes you can add `packagegroup-ts-tests` into your image. It includes
Optionally for testing purposes you can add `packagegroup-ts-tests` into your image. It includes
[Trusted Services test and demo tools][^3] and [xtest][^4] configured to include the `ffa_spmc` tests.
## OEQA Trusted Services tests
@@ -67,4 +62,4 @@ See `ci/trusted-services.yml` for an example how to include them into an image.
[^3]: https://trusted-services.readthedocs.io/en/integration/deployments/test-executables.html
[^4]: https://optee.readthedocs.io/en/latest/building/gits/optee_test.html
[^4]: https://optee.readthedocs.io/en/latest/building/gits/optee_test.html
+10 -9
View File
@@ -1,11 +1,14 @@
header:
version: 14
distro: poky
env:
DISPLAY: ""
distro: poky-tiny
defaults:
repos:
branch: scarthgap
branch: nanbield
repos:
meta-arm:
@@ -16,14 +19,14 @@ repos:
poky:
url: https://git.yoctoproject.org/git/poky
commit: c5df9c829a549ca002c36afd6bdf23639831502e
commit: 2e9c2a2381105f1306bcbcb54816cbc5d8110eff
layers:
meta:
meta-poky:
meta-openembedded:
url: https://git.openembedded.org/meta-openembedded
commit: 6de0ab744341ad61b0661aa28d78dc6767ce0786
commit: 1750c66ae8e4268c472c0b2b94748a59d6ef866d
layers:
meta-oe:
meta-python:
@@ -31,17 +34,15 @@ repos:
meta-secure-core:
url: https://github.com/wind-river/meta-secure-core.git
commit: 13cb4867fb1245581c80da3b94b72c4b4f15d67e
commit: e29165a1031dcf601edbed1733cedd64826672a5
layers:
meta-secure-core-common:
meta:
meta-signing-key:
meta-efi-secure-boot:
local_conf_header:
base: |
CONF_VERSION = "2"
setup: |
PACKAGE_CLASSES = "package_ipk"
BB_NUMBER_THREADS ?= "16"
PARALLEL_MAKE ?= "-j16"
@@ -50,4 +51,4 @@ local_conf_header:
machine: unset
target:
- corstone1000-flash-firmware-image
- corstone1000-image
-23
View File
@@ -1,23 +0,0 @@
---
header:
version: 14
local_conf_header:
firmwarebuild: |
BBMULTICONFIG:remove = "firmware"
# Need to ensure the rescue linux options are selected
OVERRIDES .= ":firmware"
# Need to ensure we build with a small libc
TCLIBC="musl"
mass-storage: |
# Ensure the Mass Storage device is absent
FVP_CONFIG[board.msd_mmc.p_mmc_file] = "invalid.dat"
test-configuration: |
TEST_SUITES = "_qemutiny ping"
# Remove Dropbear SSH as it will not fit into the corstone1000 image.
IMAGE_FEATURES:remove = "ssh-server-dropbear"
CORE_IMAGE_EXTRA_INSTALL:remove = "ssh-pregen-hostkeys"
+7 -13
View File
@@ -2,21 +2,15 @@ header:
version: 14
includes:
- kas/corstone1000-base.yml
- kas/corstone1000-image-configuration.yml
- kas/corstone1000-firmware-only.yml
- kas/fvp-eula.yml
env:
DISPLAY:
WAYLAND_DISPLAY:
XAUTHORITY:
machine: corstone1000-fvp
local_conf_header:
testimagefvp: |
IMAGE_CLASSES += "fvpboot"
fvp-config: |
# Remove Dropbear SSH as it will not fit into the corstone1000 image.
IMAGE_FEATURES:remove = " ssh-server-dropbear"
INHERIT += "fvpboot"
mass-storage: |
# Ensure the Mass Storage device is absent
FVP_CONFIG[board.msd_mmc.p_mmc_file] = "invalid.dat"
machine: corstone1000-fvp
target:
- corstone1000-image
-49
View File
@@ -1,49 +0,0 @@
header:
version: 14
local_conf_header:
extrapackages: |
# Intentionally blank to prevent perf from being added to the image in base.yml
firmwarebuild: |
# Only needed as kas doesn't add it automatically unless you have 2 targets in seperate configs
BBMULTICONFIG ?= "firmware"
distrosetup: |
DISTRO_FEATURES = "usbhost ipv4"
initramfsetup: |
# Telling the build system which image is responsible of the generation of the initramfs rootfs
INITRAMFS_IMAGE_BUNDLE:firmware = "1"
INITRAMFS_IMAGE:firmware ?= "corstone1000-recovery-image"
IMAGE_FSTYPES:firmware:pn-corstone1000-recovery-image = "${INITRAMFS_FSTYPES}"
IMAGE_NAME_SUFFIX:firmware = ""
# enable mdev/busybox for init
INIT_MANAGER:firmware = "mdev-busybox"
VIRTUAL-RUNTIME_init_manager:firmware = "busybox"
# prevent the kernel image from being included in the intramfs rootfs
PACKAGE_EXCLUDE:firmware += "kernel-image-*"
# Disable openssl in kmod to shrink the initramfs size
PACKAGECONFIG:remove:firmware:pn-kmod = "openssl"
imageextras: |
# Don't include kernel binary in rootfs /boot path
RRECOMMENDS:${KERNEL_PACKAGE_NAME}-base = ""
# all optee packages
CORE_IMAGE_EXTRA_INSTALL += "optee-client"
# TS PSA API tests commands for crypto, its, ps and iat
CORE_IMAGE_EXTRA_INSTALL += "packagegroup-ts-tests-psa"
CORE_IMAGE_EXTRA_INSTALL:firmware += "packagegroup-ts-tests-psa"
# external system firmware
CORE_IMAGE_EXTRA_INSTALL:firmware += "external-system-elf"
capsule: |
CAPSULE_EXTENSION = "uefi.capsule"
CAPSULE_FW_VERSION = "6"
CAPSULE_NAME = "${MACHINE}-v${CAPSULE_FW_VERSION}"
-2
View File
@@ -2,7 +2,5 @@ header:
version: 14
includes:
- kas/corstone1000-base.yml
- kas/corstone1000-image-configuration.yml
- kas/corstone1000-firmware-only.yml
machine: corstone1000-mps3
+1 -5
View File
@@ -9,7 +9,7 @@ BBFILE_COLLECTIONS += "meta-arm-bsp"
BBFILE_PATTERN_meta-arm-bsp = "^${LAYERDIR}/"
BBFILE_PRIORITY_meta-arm-bsp = "5"
LAYERSERIES_COMPAT_meta-arm-bsp = "nanbield scarthgap"
LAYERSERIES_COMPAT_meta-arm-bsp = "nanbield"
LAYERDEPENDS_meta-arm-bsp = "core meta-arm"
# This won't be used by layerindex-fetch, but works everywhere else
@@ -24,7 +24,3 @@ BBFILES_DYNAMIC += " \
meta-arm-systemready:${LAYERDIR}/dynamic-layers/meta-arm-systemready/*/*/*.bb \
meta-arm-systemready:${LAYERDIR}/dynamic-layers/meta-arm-systemready/*/*/*.bbappend \
"
WARN_QA:append:layer-meta-arm-bsp = " patch-status"
addpylib ${LAYERDIR}/lib oeqa
@@ -14,10 +14,7 @@ TEST_SUITES = "fvp_boot"
# FVP Config
FVP_PROVIDER ?= "fvp-corstone1000-native"
FVP_EXE ?= "FVP_Corstone-1000"
FVP_CONSOLES[default] = "host_terminal_0"
FVP_CONSOLES[tf-a] = "host_terminal_1"
FVP_CONSOLES[se] = "secenc_terminal"
FVP_CONSOLES[extsys] = "extsys_terminal"
FVP_CONSOLE ?= "host_terminal_0"
#Disable Time Annotation
FASTSIM_DISABLE_TA = "0"
@@ -38,7 +35,7 @@ FVP_CONFIG[se.nvm.update_raw_image] ?= "0"
FVP_CONFIG[se.cryptocell.USER_OTP_FILTERING_DISABLE] ?= "1"
# Boot image
FVP_DATA ?= "board.flash0=corstone1000-flash-firmware-image-${MACHINE}.wic@0x68000000"
FVP_DATA ?= "board.flash0=${IMAGE_NAME}.wic@0x68000000"
# External system (cortex-M3)
FVP_CONFIG[extsys_harness0.extsys_flashloader.fname] ?= "es_flashfw.bin"
@@ -52,20 +49,18 @@ FVP_TERMINALS[extsys0.extsys_terminal] ?= "Cortex M3"
# MMC card configuration
FVP_CONFIG[board.msd_mmc.card_type] ?= "SDHC"
FVP_CONFIG[board.msd_mmc.p_fast_access] ?= "0"
FVP_CONFIG[board.msd_mmc.diagnostics] ?= "0"
FVP_CONFIG[board.msd_mmc.diagnostics] ?= "2"
FVP_CONFIG[board.msd_mmc.p_max_block_count] ?= "0xFFFF"
FVP_CONFIG[board.msd_config.pl180_fifo_depth] ?= "16"
FVP_CONFIG[board.msd_mmc.support_unpadded_images] ?= "true"
FVP_CONFIG[board.msd_mmc.p_mmc_file] ?= "${IMAGE_NAME}.wic"
# MMC2 card configuration
FVP_CONFIG[board.msd_mmc_2.card_type] ?= "SDHC"
FVP_CONFIG[board.msd_mmc_2.p_fast_access] ?= "0"
FVP_CONFIG[board.msd_mmc_2.diagnostics] ?= "0"
FVP_CONFIG[board.msd_mmc_2.diagnostics] ?= "2"
FVP_CONFIG[board.msd_mmc_2.p_max_block_count] ?= "0xFFFF"
FVP_CONFIG[board.msd_config_2.pl180_fifo_depth] ?= "16"
FVP_CONFIG[board.msd_mmc_2.support_unpadded_images] ?= "true"
FVP_CONFIG[board.msd_mmc_2.p_mmc_file] ?= "corstone1000-esp-image-${MACHINE}.wic"
# Virtio-Net configuration
FVP_CONFIG[board.virtio_net.enabled] ?= "1"
+3 -6
View File
@@ -4,7 +4,9 @@
#@NAME: Armv8-A Base Platform FVP machine
#@DESCRIPTION: Machine configuration for Armv8-A Base Platform FVP model
require conf/machine/include/arm/arch-armv8-4a.inc
require conf/machine/include/arm/arch-armv8a.inc
TUNE_FEATURES = "aarch64"
ARM_SYSTEMREADY_FIRMWARE = "trusted-firmware-a:do_deploy"
ARM_SYSTEMREADY_ACS_CONSOLE = "default"
@@ -47,10 +49,6 @@ FVP_CONFIG[bp.virtio_net.hostbridge.userNetworking] ?= "1"
FVP_CONFIG[bp.virtio_net.hostbridge.userNetPorts] = "2222=22"
FVP_CONFIG[bp.virtio_rng.enabled] ?= "1"
FVP_CONFIG[cache_state_modelled] ?= "0"
FVP_CONFIG[cluster0.check_memory_attributes] ?= "0"
FVP_CONFIG[cluster1.check_memory_attributes] ?= "0"
FVP_CONFIG[cluster0.stage12_tlb_size] ?= "1024"
FVP_CONFIG[cluster1.stage12_tlb_size] ?= "1024"
FVP_CONFIG[bp.secureflashloader.fname] ?= "bl1-fvp.bin"
FVP_CONFIG[bp.flashloader0.fname] ?= "fip-fvp.bin"
FVP_CONFIG[bp.virtioblockdevice.image_path] ?= "${IMAGE_NAME}.wic"
@@ -62,4 +60,3 @@ FVP_TERMINALS[bp.terminal_0] ?= "Console"
FVP_TERMINALS[bp.terminal_1] ?= ""
FVP_TERMINALS[bp.terminal_2] ?= ""
FVP_TERMINALS[bp.terminal_3] ?= ""
FVP_CONFIG[bp.secure_memory] ?= "1"
@@ -2,64 +2,81 @@ require conf/machine/include/arm/armv8a/tune-cortexa35.inc
MACHINEOVERRIDES =. "corstone1000:"
# TF-M
PREFERRED_VERSION_trusted-firmware-m ?= "2.0.%"
# TF-A
TFA_PLATFORM = "corstone1000"
PREFERRED_VERSION_trusted-firmware-a ?= "2.10.%"
PREFERRED_VERSION_tf-a-tests ?= "2.10.%"
EXTRA_IMAGEDEPENDS += "trusted-firmware-a"
PREFERRED_VERSION_trusted-firmware-a ?= "2.9.%"
PREFERRED_VERSION_tf-a-tests ?= "2.8.%"
TFA_BL2_BINARY = "bl2-corstone1000.bin"
TFA_FIP_BINARY = "fip-corstone1000.bin"
# optee
PREFERRED_VERSION_optee-os ?= "4.1.%"
# TF-M
EXTRA_IMAGEDEPENDS += "virtual/trusted-firmware-m"
# Trusted Services
TS_PLATFORM = "arm/corstone1000"
TS_SP_SE_PROXY_CONFIG = "corstone1000"
# Include smm-gateway and se-proxy SPs into optee-os binary
MACHINE_FEATURES += "ts-smm-gateway ts-se-proxy"
# TF-M settings for signing host images
TFA_BL2_RE_IMAGE_LOAD_ADDRESS = "0x62353000"
TFA_BL2_RE_SIGN_BIN_SIZE = "0x2d000"
TFA_FIP_RE_IMAGE_LOAD_ADDRESS = "0x68130000"
TFA_FIP_RE_SIGN_BIN_SIZE = "0x00200000"
RE_LAYOUT_WRAPPER_VERSION = "0.0.7"
TFM_SIGN_PRIVATE_KEY = "${libdir}/tfm-scripts/root-RSA-3072_1.pem"
RE_IMAGE_OFFSET = "0x1000"
# u-boot
PREFERRED_VERSION_u-boot ?= "2023.07%"
MACHINE_FEATURES += "efi"
EFI_PROVIDER ?= "grub-efi"
EXTRA_IMAGEDEPENDS += "u-boot"
# Grub
LINUX_KERNEL_ARGS ?= "earlycon=pl011,0x1a510000 console=ttyAMA0,115200"
GRUB_LINUX_APPEND ?= "${LINUX_KERNEL_ARGS}"
IMAGE_CMD:wic[vardeps] += "GRUB_LINUX_APPEND"
UBOOT_CONFIG ??= "EFI"
UBOOT_CONFIG[EFI] = "corstone1000_defconfig"
UBOOT_ENTRYPOINT = "0x80000000"
UBOOT_LOADADDRESS = "0x80000000"
UBOOT_BOOTARGS = "earlycon=pl011,0x1a510000 console=ttyAMA0 loglevel=9"
UBOOT_ARCH = "arm"
UBOOT_EXTLINUX = "0"
#optee
PREFERRED_VERSION_optee-os ?= "3.22%"
PREFERRED_VERSION_optee-client ?= "3.22%"
EXTRA_IMAGEDEPENDS += "optee-os"
OPTEE_ARCH = "arm64"
OPTEE_BINARY = "tee-pager_v2.bin"
# Include smm-gateway and se-proxy SPs into optee-os binary
MACHINE_FEATURES += "ts-smm-gateway ts-se-proxy"
TS_PLATFORM = "arm/corstone1000"
TS_SP_SE_PROXY_CONFIG = "corstone1000"
# External System(Cortex-M3)
EXTRA_IMAGEDEPENDS += "external-system"
# Linux kernel
PREFERRED_PROVIDER_virtual/kernel ?= "linux-yocto"
PREFERRED_VERSION_linux-yocto ?= "6.6.%"
KERNEL_IMAGETYPE = "Image"
KERNEL_IMAGETYPE:firmware = "Image.gz"
PREFERRED_PROVIDER_virtual/kernel:forcevariable = "linux-yocto"
PREFERRED_VERSION_linux-yocto = "6.5%"
KERNEL_IMAGETYPE = "Image.gz"
INITRAMFS_IMAGE_BUNDLE ?= "1"
#telling the build system which image is responsible of the generation of the initramfs rootfs
INITRAMFS_IMAGE = "corstone1000-initramfs-image"
IMAGE_NAME_SUFFIX = ""
# add FF-A support in the kernel
MACHINE_FEATURES += "arm-ffa"
# prevent the kernel image from being included in the intramfs rootfs
PACKAGE_EXCLUDE = "kernel-image-*"
# enable this feature for kernel debugging
# MACHINE_FEATURES += "corstone1000_kernel_debug"
# login terminal serial port settings
SERIAL_CONSOLES ?= "115200;ttyAMA0"
IMAGE_FSTYPES += "wic"
# Need to clear the suffix so TESTIMAGE_AUTO works
IMAGE_NAME_SUFFIX = ""
WKS_FILE ?= "efi-disk-no-swap.wks.in"
WKS_FILE:firmware ?= "corstone1000-flash-firmware.wks.in"
# making sure EXTRA_IMAGEDEPENDS will be used while creating the image
WKS_FILE_DEPENDS:append = " ${EXTRA_IMAGEDEPENDS}"
# If not building under the firmware multiconf we need to build the actual firmware
FIRMWARE_DEPLOYMENT ?= "firmware-deploy-image"
FIRMWARE_DEPLOYMENT:firmware ?= ""
EXTRA_IMAGEDEPENDS += "${FIRMWARE_DEPLOYMENT}"
WKS_FILE ?= "corstone1000-image.corstone1000.wks"
ARM_SYSTEMREADY_FIRMWARE = "${FIRMWARE_DEPLOYMENT}:do_deploy \
corstone1000-esp-image:do_image_complete \
"
ARM_SYSTEMREADY_ACS_CONSOLE ?= "default"
# Disable openssl in kmod to shink the initramfs size
PACKAGECONFIG:remove:pn-kmod = "openssl"
+36
View File
@@ -0,0 +1,36 @@
TUNE_FEATURES = "aarch64"
require conf/machine/include/arm/arch-armv8a.inc
MACHINEOVERRIDES =. "tc:"
# Das U-boot
UBOOT_MACHINE ?= "total_compute_defconfig"
UBOOT_RD_LOADADDRESS = "0x88000000"
UBOOT_RD_ENTRYPOINT = "0x88000000"
UBOOT_LOADADDRESS = "0x80080000"
UBOOT_ENTRYPOINT = "0x80080000"
PREFERRED_PROVIDER_virtual/kernel ?= "linux-yocto"
# OP-TEE
PREFERRED_VERSION_optee-os ?= "3.20%"
PREFERRED_VERSION_optee-client ?= "3.20%"
PREFERRED_VERSION_optee-test ?= "3.20%"
# Cannot use the default zImage on arm64
KERNEL_IMAGETYPE = "Image"
KERNEL_IMAGETYPES += "fitImage"
KERNEL_CLASSES = " kernel-fitimage "
IMAGE_FSTYPES += "cpio.gz"
INITRAMFS_IMAGE ?= "core-image-minimal"
IMAGE_NAME_SUFFIX = ""
SERIAL_CONSOLES = "115200;ttyAMA0"
EXTRA_IMAGEDEPENDS += "trusted-firmware-a optee-os"
PREFERRED_VERSION_trusted-firmware-a ?= "2.8.%"
# FIXME - there is signed image dependency/race with testimage.
# This should be fixed in oe-core
TESTIMAGEDEPENDS:append = " virtual/kernel:do_deploy"
+3 -8
View File
@@ -19,7 +19,7 @@ WKS_FILE_DEPENDS:append = " ${EXTRA_IMAGEDEPENDS}"
# Use kernel provided by yocto
PREFERRED_PROVIDER_virtual/kernel ?= "linux-yocto"
PREFERRED_VERSION_linux-yocto ?= "6.6%"
PREFERRED_VERSION_linux-yocto ?= "6.5%"
# RTL8168E Gigabit Ethernet Controller is attached to the PCIe interface
MACHINE_ESSENTIAL_EXTRA_RDEPENDS += "linux-firmware-rtl8168"
@@ -27,21 +27,16 @@ MACHINE_ESSENTIAL_EXTRA_RDEPENDS += "linux-firmware-rtl8168"
# TF-A
EXTRA_IMAGEDEPENDS += "trusted-firmware-a"
TFA_PLATFORM = "n1sdp"
PREFERRED_VERSION_trusted-firmware-a ?= "2.10.%"
PREFERRED_VERSION_tf-a-tests ?= "2.10.%"
# SCP
EXTRA_IMAGEDEPENDS += "virtual/control-processor-firmware"
#UEFI EDK2 firmware
EXTRA_IMAGEDEPENDS += "edk2-firmware"
PREFERRED_VERSION_edk2-firmware ?= "202311"
PREFERRED_VERSION_edk2-firmware ?= "202305"
#optee
PREFERRED_VERSION_optee-os ?= "4.1.%"
PREFERRED_VERSION_optee-os-tadevkit ?= "4.1.%"
PREFERRED_VERSION_optee-test ?= "4.1.%"
PREFERRED_VERSION_optee-client ?= "4.1.%"
PREFERRED_VERSION_optee-os ?= "3.22.%"
#grub-efi
EFI_PROVIDER ?= "grub-efi"
+31
View File
@@ -0,0 +1,31 @@
# Configuration for TC1
#@TYPE: Machine
#@NAME: TC1
#@DESCRIPTION: Machine configuration for TC1
require conf/machine/include/tc.inc
TEST_TARGET = "OEFVPTarget"
TEST_SUITES = "fvp_boot"
# FVP Config
FVP_PROVIDER ?= "fvp-tc1-native"
FVP_EXE ?= "FVP_TC1"
# FVP Parameters
FVP_CONFIG[css.scp.ROMloader.fname] ?= "scp_romfw.bin"
FVP_CONFIG[css.trustedBootROMloader.fname] ?= "bl1-tc.bin"
FVP_CONFIG[board.flashloader0.fname] ?= "fip_gpt-tc.bin"
#FVP_CONFIG[board.hostbridge.userNetworking] ?= "true"
#FVP_CONFIG[board.hostbridge.userNetPorts] ?= "2222=22"
#smsc ethernet takes a very long time to come up. disable now to prevent testimage timeout
#FVP_CONFIG[board.smsc_91c111.enabled] ?= "1"
FVP_CONSOLE = "terminal_s1"
FVP_TERMINALS[soc.terminal_s0] ?= "Secure Console"
FVP_TERMINALS[soc.terminal_s1] ?= "Console"
# Boot image
FVP_DATA ?= "board.dram=fitImage-core-image-minimal-tc1-tc1@0x20000000"
@@ -1,5 +1,5 @@
..
# Copyright (c) 2022-2024, Arm Limited.
# Copyright (c) 2022-2023, Arm Limited.
#
# SPDX-License-Identifier: MIT
@@ -10,78 +10,6 @@ Change Log
This document contains a summary of the new features, changes and
fixes in each release of Corstone-1000 software stack.
***************
Version 2024.06
***************
Changes
=======
- Re-enabling support for the External System using linux remoteproc (only supporting switching on and off the External System)
- UEFI Secure Boot and Authenticated Variable support
- RSE Comms replaces OpenAMP
- The EFI System partition image is now created by the meta-arm build system.
This image is mounted on the second MMC card by default in the FVP.
- The capsule generation script is now part of the meta-arm build system.
Corstone1000-flash-firmware-image recipe generates a capsule binary using the U-Boot capsule generation tool that includes
all the firmware binaries and recovery kernel image.
- SW components upgrades
- Bug fixes
Corstone-1000 components versions
=================================
+-------------------------------------------+-----------------------------------------------------+
| arm-tstee | 2.0.0 |
+-------------------------------------------+-----------------------------------------------------+
| linux-yocto | 6.6.23 |
+-------------------------------------------+-----------------------------------------------------+
| u-boot | 2023.07.02 |
+-------------------------------------------+-----------------------------------------------------+
| external-system | 0.1.0 |
+-------------------------------------------+-----------------------------------------------------+
| optee-client | 4.1.0 |
+-------------------------------------------+-----------------------------------------------------+
| optee-os | 4.1.0 |
+-------------------------------------------+-----------------------------------------------------+
| trusted-firmware-a | 2.10.4 |
+-------------------------------------------+-----------------------------------------------------+
| trusted-firmware-m | 2.0.0 |
+-------------------------------------------+-----------------------------------------------------+
| libts | 602be60719 |
+-------------------------------------------+-----------------------------------------------------+
| ts-newlib | 4.1.0 |
+-------------------------------------------+-----------------------------------------------------+
| ts-psa-{crypto, iat, its. ps}-api-test | 602be60719 |
+-------------------------------------------+-----------------------------------------------------+
| ts-sp-{se-proxy, smm-gateway} | 602be60719 |
+-------------------------------------------+-----------------------------------------------------+
Yocto distribution components versions
======================================
+-------------------------------------------+------------------------------+
| meta-arm | scarthgap |
+-------------------------------------------+------------------------------+
| poky | scarthgap |
+-------------------------------------------+------------------------------+
| meta-openembedded | scarthgap |
+-------------------------------------------+------------------------------+
| meta-secure-core | scarthgap |
+-------------------------------------------+------------------------------+
| busybox | 1.36.1 |
+-------------------------------------------+------------------------------+
| musl | 1.2.4 |
+-------------------------------------------+------------------------------+
| gcc-arm-none-eabi | 13.2.Rel1 |
+-------------------------------------------+------------------------------+
| gcc-cross-aarch64 | 13.2.0 |
+-------------------------------------------+------------------------------+
| openssl | 3.2.1 |
+-------------------------------------------+------------------------------+
***************
Version 2023.11
***************
@@ -370,4 +298,4 @@ Changes
--------------
*Copyright (c) 2022-2024, Arm Limited. All rights reserved.*
*Copyright (c) 2022-2023, Arm Limited. All rights reserved.*
Binary file not shown.

Before

Width:  |  Height:  |  Size: 54 KiB

After

Width:  |  Height:  |  Size: 40 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 86 KiB

After

Width:  |  Height:  |  Size: 93 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 69 KiB

After

Width:  |  Height:  |  Size: 57 KiB

@@ -1,21 +1,11 @@
..
# Copyright (c) 2022, 2024, Arm Limited.
# Copyright (c) 2022, Arm Limited.
#
# SPDX-License-Identifier: MIT
#################
Arm Corstone-1000
#################
*************************
Disclaimer
*************************
Arm reference solutions are Arm public example software projects that track and
pull upstream components, incorporating their respective security fixes
published over time. Arm partners are responsible for ensuring that the
components they use contain all the required security fixes, if and when they
deploy a product derived from Arm reference solutions.
################
ARM Corstone1000
################
.. toctree::
:maxdepth: 1
@@ -1,5 +1,5 @@
..
# Copyright (c) 2022-2024, Arm Limited.
# Copyright (c) 2022-2023, Arm Limited.
#
# SPDX-License-Identifier: MIT
@@ -19,25 +19,6 @@ intended for safety-critical applications. Should Your Software or Your Hardware
prove defective, you assume the entire cost of all necessary servicing, repair
or correction.
***********************
Release notes - 2024.06
***********************
Known Issues or Limitations
---------------------------
- Use Ethernet over VirtIO due to lan91c111 Ethernet driver support dropped from U-Boot.
- Due to the performance uplimit of MPS3 FPGA and FVP, some Linux distros like Fedora Rawhide can not boot on Corstone-1000 (i.e. user may experience timeouts or boot hang).
- Corstone-1000 SoC on FVP doesn't have a secure debug peripheral. It does on the MPS3.
- See previous release notes for the known limitations regarding ACS tests.
Platform Support
-----------------
- This software release is tested on Corstone-1000 FPGA version AN550_v2
https://developer.arm.com/downloads/-/download-fpga-images
- This software release is tested on Corstone-1000 Fast Model platform (FVP) version 11.23_25
https://developer.arm.com/tools-and-software/open-source-software/arm-platforms-software/arm-ecosystem-fvps
***********************
Release notes - 2023.11
***********************
@@ -232,7 +213,7 @@ Support
-------
For technical support email: support-subsystem-iot@arm.com
For all security issues, contact Arm by email at psirt@arm.com.
For all security issues, contact Arm by email at arm-security@arm.com.
--------------
@@ -1,5 +1,5 @@
..
# Copyright (c) 2022-2024, Arm Limited.
# Copyright (c) 2022-2023, Arm Limited.
#
# SPDX-License-Identifier: MIT
@@ -52,8 +52,8 @@ secure flash. Software running on the Secure Enclave is isolated via
hardware for enhanced security. Communication with the Secure Encalve
is achieved using Message Handling Units (MHUs) and shared memory.
On system power on, the Secure Enclave boots first. Its software
comprises of a ROM code (TF-M BL1), MCUboot BL2, and
TrustedFirmware-M(`TF-M`_) as runtime software. The software design on
comprises of a ROM code (TF-M BL1), Mcuboot BL2, and
TrustedFirmware-M(`TF-M`_) as runtime software. The software design on
Secure Enclave follows Firmware Framework for M class
processor (`FF-M`_) specification.
@@ -61,7 +61,7 @@ The Host System is based on ARM Cotex-A35 processor with standardized
peripherals to allow for the booting of a Linux OS. The Cortex-A35 has
the TrustZone technology that allows secure and non-secure security
states in the processor. The software design in the Host System follows
Firmware Framework for A class processor (`FF-A`_) specification.
Firmware Framework for A class procseeor (`FF-A`_) specification.
The boot process follows Trusted Boot Base Requirement (`TBBR`_).
The Host Subsystem is taken out of reset by the Secure Enclave system
during its final stages of the initialization. The Host subsystem runs
@@ -70,12 +70,12 @@ FF-A Secure Partitions(based on `Trusted Services`_) and OPTEE-OS
linux (`linux repo`_) in the non-secure world. The communication between
non-secure and the secure world is performed via FF-A messages.
An external system is intended to implement use-case specific functionality.
The system is based on Cortex-M3 and run RTX RTOS. Communication between the
external system and Host (Cortex-A35) can be performed using MHU as transport
mechanism. The current software release supports switching on and off the
external system. Support for OpenAMP-based communication is under
development.
An external system is intended to implement use-case specific
functionality. The system is based on Cortex-M3 and run RTX RTOS.
Communication between the external system and Host (Cortex-A35) is performed
using MHU as transport mechanism and rpmsg messaging system (the external system
support in Linux is disabled in this release. More info about this change can be found in the
release-notes).
Overall, the Corstone-1000 architecture is designed to cover a range
of Power, Performance, and Area (PPA) applications, and enable extension
@@ -93,64 +93,30 @@ and loads the following software in the chain. For the boot chain
process to work, the start of the chain should be trusted, forming the
Root of Trust (RoT) of the device. The RoT of the device is immutable in
nature and encoded into the device by the device owner before it
is deployed into the field. In Corstone-1000, the content of the ROM
and CC312 OTP (One Time Programmable) memory forms the RoT.
Verification of an image can happen either by comparing the computed and
stored hashes, or by checking the signature of the image if the image
is signed.
is deployed into the field. In Corstone-1000, the BL1 image of the secure
enclave and content of the CC312 OTP (One Time Programmable) memory
forms the RoT. The BL1 image exists in ROM (Read Only Memory).
.. image:: images/SecureBootChain.png
:width: 870
:alt: SecureBootChain
It is a lengthy chain to boot the software on Corstone-1000. On power on,
the Secure Enclave starts executing BL1_1 code from the ROM which is the RoT
of the device. The BL1_1 is the immutable bootloader of the system, it handles
the provisioning on the first boot, hardware initialization and verification
of the next stage.
the secure enclave starts executing BL1 code from the ROM which is the RoT
of the device. Authentication of an image involves the steps listed below:
The BL1_2 code, hashes and keys are written into the OTP during the provisioning.
The next bootstage is the BL1_2 which is copied from the OTP into the RAM. The
BL1_1 also compares the BL1_2 hash with the hash saved to the OTP. The BL1_2
verifies and transfers control to the next bootstage which is the BL2. During the
verification, the BL1_2 compares the BL2 image's computed hash with the BL2 hash in
the OTP. The BL2 is MCUBoot in the system. BL2 can provision additional keys on the
first boot and it authenticates the initial bootloader of the host (Host TF-A BL2)
and TF-M by checking the signatures of the images.
The MCUBoot handles the image verification the following way:
- Load image from a non-volatile memory to dynamic RAM.
- Load image from flash to dynamic RAM.
- The public key present in the image header is validated by comparing with the hash.
Depending on the image, the hash of the public key is either stored in the OTP or part
of the software which is being already verified in the previous stages.
- The image is validated using the public key.
The execution control is passed to TF-M after the verification. TF-M being
the runtime executable of the Secure Enclave which initializes itself and, at the end,
brings the host CPU out of rest.
The TF-M BL1 design details and reasoning can be found in the `TF-M design documents
<https://tf-m-user-guide.trustedfirmware.org/design_docs/booting/bl1.html>`_.
The Corstone-1000 has some differences compared to this design due to memory (OTP/ROM)
limitations:
- The provisioning bundle that contains the BL1_2 code is located in the ROM.
This means the BL1_2 cannot be updated during provisioning time.
- The BL1_1 handles most of the hardware initialization instead of the BL1_2. This
results in a bigger BL1_1 code size than needed.
- The BL1_2 does not use the post-quantum LMS verification. The BL2 is verified by
comparing the computed hash to the hash which is stored in the OTP. This means the
BL2 is not updatable.
The host follows the boot standard defined in the `TBBR`_ to authenticate the
secure and non-secure software.
For UEFI Secure Boot, authenticated variables can be accessed from the secure flash.
The feature has been integrated in U-Boot, which authenticates the images as per the UEFI
specification before executing them.
In the secure enclave, BL1 authenticates the BL2 and passes the execution
control. BL2 authenticates the initial boot loader of the host (Host TF-A BL2)
and TF-M. The execution control is now passed to TF-M. TF-M being the run
time executable of secure enclave which initializes itself and, at the end,
brings the host CPU out of rest. The host follows the boot standard defined
in the `TBBR`_ to authenticate the secure and non-secure software.
***************
Secure Services
@@ -158,11 +124,11 @@ Secure Services
Corstone-1000 is unique in providing a secure environment to run a secure
workload. The platform has TrustZone technology in the Host subsystem but
it also has hardware isolated Secure Enclave environment to run such secure
it also has hardware isolated secure enclave environment to run such secure
workloads. In Corstone-1000, known Secure Services such as Crypto, Protected
Storage, Internal Trusted Storage and Attestation are available via PSA
Functional APIs in TF-M. There is no difference for a user communicating to
these services which are running on a Secure Enclave instead of the
these services which are running on a secure enclave instead of the
secure world of the host subsystem. The below diagram presents the data
flow path for such calls.
@@ -173,18 +139,15 @@ flow path for such calls.
The SE Proxy SP (Secure Enclave Proxy Secure Partition) is a proxy partition
managed by OPTEE which forwards such calls to the Secure Enclave. The
solution relies on the `RSE communication protocol
<https://tf-m-user-guide.trustedfirmware.org/platform/arm/rse/rse_comms.html>`_
which is a lightweight serialization of the psa_call() API. It can use shared
memory and MHU interrupts as a doorbell for communication between two cores
but currently the whole message is forwarded through the MHU channels in Corstone-1000.
Corstone-1000 implements isolation level 2. Cortex-M0+ MPU (Memory Protection
Unit) is used to implement isolation level 2.
managed by OPTEE which forwards such calls to the secure enclave. The
solution relies on OpenAMP which uses shared memory and MHU interrupts as
a doorbell for communication between two cores. Corstone-1000 implements
isolation level 2. Cortex-M0+ MPU (Memory Protection Unit) is used to implement
isolation level 2.
For a user to define its own secure service, both the options of the host
secure world or secure encalve are available. It's a trade-off between
lower latency vs higher security. Services running on a Secure Enclave are
lower latency vs higher security. Services running on a secure enclave are
secure by real hardware isolation but have a higher latency path. In the
second scenario, the services running on the secure world of the host
subsystem have lower latency but virtual hardware isolation created by
@@ -211,7 +174,7 @@ Image (the initramfs bundle). The new images are accepted in the form of a UEFI
:width: 690
:alt: ExternalFlash
When Firmware update is triggered, U-Boot verifies the capsule by checking the
When Firmware update is triggered, u-boot verifies the capsule by checking the
capsule signature, version number and size. Then it signals the Secure Enclave
that can start writing UEFI capsule into the flash. Once this operation finishes
,Secure Enclave resets the entire system.
@@ -247,7 +210,7 @@ service. The below diagram presents the data flow to store UEFI variables.
The U-Boot implementation of the UEFI subsystem uses the U-Boot FF-A driver to
communicate with the SMM Service in the secure world. The backend of the
SMM service uses the proxy PS from the SE Proxy SP. From there on, the PS
calls are forwarded to the Secure Enclave as explained above.
calls are forwarded to the secure enclave as explained above.
.. image:: images/UEFISupport.png
File diff suppressed because it is too large Load Diff
+32
View File
@@ -0,0 +1,32 @@
# TC1 Platform Support in meta-arm-bsp
## Overview
The Total Compute platform provides an envelope for all of Arm's latest IP and
software solutions, optimised to work together. Further information can be
found on the Total Compute community page:
https://community.arm.com/developer/tools-software/oss-platforms/w/docs/606/total-compute
The user guide for TC1 platform with detailed instructions for
syncing and building the source code and running on TC1 Fixed Virtual Platform
for poky and android distributions is available at:
https://git.linaro.org/landing-teams/working/arm/arm-reference-platforms.git/tree/docs/tc1/user-guide.rst
## Building
In the local.conf file, MACHINE should be set as follows:
MACHINE = "tc1"
To build the required binaries for tc1, run the commmand:
```bash$ bitbake tc-artifacts-image```
Trusted-firmware-a is the final component to be built with the rest of the
components dependent of it, therefore building tc-artifacts-image which depends
on trusted-firmware-a will build all the required binaries.
## Running
To run the produced binaries in a TC1 Fixed Virtual Platform please get
the run scripts at:
https://git.linaro.org/landing-teams/working/arm/model-scripts.git/
and follow the instructions in the user-guide.rst available in:
https://git.linaro.org/landing-teams/working/arm/arm-reference-platforms.git/tree/docs/tc1/user-guide.rst
@@ -1,5 +0,0 @@
# The release of EDK2 after 202402 should fix this
NUMA: Failed to initialise from firmware
# TODO: we should be using bochsdrm over efifb?
efifb: cannot reserve video memory at 0x80000000
@@ -1 +0,0 @@
COMPATIBLE_MACHINE:fvp-base = "fvp-base"
@@ -38,20 +38,15 @@ do_compile() {
do_compile[cleandirs] = "${B}"
do_install() {
install -D -p -m 0644 ${B}/product/${PRODUCT}/firmware/release/bin/firmware.bin ${D}${nonarch_base_libdir}/firmware/es_flashfw.bin
install -D -p -m 0644 ${B}/product/${PRODUCT}/firmware/release/bin/firmware.elf ${D}${nonarch_base_libdir}/firmware/es_flashfw.elf
install -D -p -m 0644 ${B}/product/${PRODUCT}/firmware/release/bin/firmware.bin ${D}/firmware/es_flashfw.bin
}
FILES:${PN} = "${nonarch_base_libdir}/firmware/es_flashfw.bin"
FILES:${PN}-elf = "${nonarch_base_libdir}/firmware/es_flashfw.elf"
PACKAGES += "${PN}-elf"
INSANE_SKIP:${PN}-elf += "arch"
SYSROOT_DIRS += "${nonarch_base_libdir}/firmware"
FILES:${PN} = "/firmware"
SYSROOT_DIRS += "/firmware"
inherit deploy
do_deploy() {
cp -rf ${D}${nonarch_base_libdir}/firmware/* ${DEPLOYDIR}/
cp -rf ${D}/firmware/* ${DEPLOYDIR}/
}
addtask deploy after do_install
@@ -0,0 +1,8 @@
# TC specific configuration
COMPATIBLE_MACHINE = "(tc?)"
HAFNIUM_PLATFORM = "secure_tc"
do_compile() {
PATH="${S}/prebuilts/linux-x64/clang/bin:$PATH" oe_runmake -C ${S}
}
@@ -1,25 +0,0 @@
SUMMARY = "Corstone1000 platform esp Image"
DESCRIPTION = "This builds a simple image file that only contains an esp \
partition for use when running the SystemReady IR ACS tests."
LICENSE = "MIT"
COMPATIBLE_MACHINE = "corstone1000"
# IMAGE_FSTYPES must be set before 'inherit image'
# https://docs.yoctoproject.org/ref-manual/variables.html#term-IMAGE_FSTYPES
IMAGE_FSTYPES = "wic"
inherit image
IMAGE_FEATURES = ""
IMAGE_LINGUAS = ""
PACKAGE_INSTALL = ""
# This builds a very specific image so we can ignore any customization
WKS_FILE = "efi-disk-esp-only.wks.in"
WKS_FILE:firmware = "efi-disk-esp-only.wks.in"
EXTRA_IMAGEDEPENDS = ""
# Don't write an fvp configuration file for this image as it can't run
IMAGE_POSTPROCESS_COMMAND:remove = "do_write_fvpboot_conf;"
@@ -1,11 +0,0 @@
COMPATIBLE_MACHINE = "corstone1000"
FIRMWARE_BINARIES = "corstone1000-flash-firmware-image-${MACHINE}.wic \
bl1.bin \
es_flashfw.bin \
${CAPSULE_NAME}.${CAPSULE_EXTENSION} \
corstone1000_capsule_cert.crt \
corstone1000_capsule_key.key \
"
do_deploy[mcdepends] = "mc::firmware:corstone1000-flash-firmware-image:do_image_complete"
@@ -1,96 +0,0 @@
SUMMARY = "Corstone1000 platform Image"
DESCRIPTION = "This is the main image which is the container of all the binaries \
generated for the Corstone1000 platform."
LICENSE = "MIT"
COMPATIBLE_MACHINE = "corstone1000"
# IMAGE_FSTYPES must be set before 'inherit image'
# https://docs.yoctoproject.org/ref-manual/variables.html#term-IMAGE_FSTYPES
IMAGE_FSTYPES = "wic uefi_capsule"
inherit image
inherit tfm_sign_image
inherit uefi_capsule
inherit deploy
DEPENDS += "external-system \
trusted-firmware-a \
trusted-firmware-m \
u-boot \
"
IMAGE_FEATURES = ""
IMAGE_LINGUAS = ""
PACKAGE_INSTALL = ""
# The generated ${MACHINE}_image.nopt is used instead of the default wic image
# for the capsule generation. The uefi.capsule image type doesn't have to
# depend on the wic because of this.
#
# The corstone1000_capsule_cert.crt and corstone1000_capsule_key.key are installed
# by the U-Boot recipe so this recipe has to depend on that.
CAPSULE_IMGTYPE = ""
CAPSULE_CERTIFICATE_PATH = "${DEPLOY_DIR_IMAGE}/corstone1000_capsule_cert.crt"
CAPSULE_GUID:corstone1000-fvp ?= "989f3a4e-46e0-4cd0-9877-a25c70c01329"
CAPSULE_GUID:corstone1000-mps3 ?= "df1865d1-90fb-4d59-9c38-c9f2c1bba8cc"
CAPSULE_IMGLOCATION = "${DEPLOY_DIR_IMAGE}"
CAPSULE_INDEX = "1"
CAPSULE_MONOTONIC_COUNT = "1"
CAPSULE_PRIVATE_KEY_PATH = "${DEPLOY_DIR_IMAGE}/corstone1000_capsule_key.key"
UEFI_FIRMWARE_BINARY = "${B}/${MACHINE}_image.nopt"
# TF-A settings for signing host images
TFA_BL2_BINARY = "bl2-corstone1000.bin"
TFA_FIP_BINARY = "fip-corstone1000.bin"
TFA_BL2_RE_IMAGE_LOAD_ADDRESS = "0x62353000"
TFA_BL2_RE_SIGN_BIN_SIZE = "0x2d000"
TFA_FIP_RE_IMAGE_LOAD_ADDRESS = "0x68130000"
TFA_FIP_RE_SIGN_BIN_SIZE = "0x00200000"
RE_LAYOUT_WRAPPER_VERSION = "0.0.7"
TFM_SIGN_PRIVATE_KEY = "${libdir}/tfm-scripts/root-RSA-3072_1.pem"
RE_IMAGE_OFFSET = "0x1000"
# Offsets for the .nopt image generation
TFM_OFFSET = "102400"
FIP_OFFSET = "479232"
KERNEL_OFFSET = "2576384"
do_sign_images() {
# Sign TF-A BL2
sign_host_image ${RECIPE_SYSROOT}/firmware/${TFA_BL2_BINARY} \
${TFA_BL2_RE_IMAGE_LOAD_ADDRESS} ${TFA_BL2_RE_SIGN_BIN_SIZE}
# Update BL2 in the FIP image
cp ${RECIPE_SYSROOT}/firmware/${TFA_FIP_BINARY} .
fiptool update --tb-fw \
${TFM_IMAGE_SIGN_DEPLOY_DIR}/signed_${TFA_BL2_BINARY} \
${TFM_IMAGE_SIGN_DIR}/${TFA_FIP_BINARY}
# Sign the FIP image
sign_host_image ${TFM_IMAGE_SIGN_DIR}/${TFA_FIP_BINARY} \
${TFA_FIP_RE_IMAGE_LOAD_ADDRESS} ${TFA_FIP_RE_SIGN_BIN_SIZE}
}
do_sign_images[depends] = "\
fiptool-native:do_populate_sysroot \
"
# This .nopt image is not the same as the one which is generated by meta-arm/meta-arm/classes/wic_nopt.bbclass.
# The meta-arm/meta-arm/classes/wic_nopt.bbclass removes the partition table from the wic image, but keeps the
# second bank. This function creates a no-partition image with only the first bank.
create_nopt_image() {
dd conv=notrunc bs=1 if=${DEPLOY_DIR_IMAGE}/bl2_signed.bin of=${B}/${MACHINE}_image.nopt
dd conv=notrunc bs=1 if=${DEPLOY_DIR_IMAGE}/tfm_s_signed.bin of=${B}/${MACHINE}_image.nopt seek=${TFM_OFFSET}
dd conv=notrunc bs=1 if=${DEPLOY_DIR_IMAGE}/signed_fip-corstone1000.bin of=${B}/${MACHINE}_image.nopt seek=${FIP_OFFSET}
dd conv=notrunc bs=1 if=${DEPLOY_DIR_IMAGE}/Image.gz-initramfs-${MACHINE}.bin of=${B}/${MACHINE}_image.nopt seek=${KERNEL_OFFSET}
}
do_image_uefi_capsule[depends] += " linux-yocto:do_deploy"
do_image_uefi_capsule[mcdepends] += " ${@bb.utils.contains('BBMULTICONFIG', 'firmware', 'mc::firmware:linux-yocto:do_deploy', '', d)}"
do_image_uefi_capsule[prefuncs] += "create_nopt_image"
do_deploy() {
install -m 0755 ${B}/${MACHINE}_image.nopt ${DEPLOYDIR}
}
addtask deploy after do_image_uefi_capsule
@@ -0,0 +1,38 @@
SUMARY = "Corstone1000 platform Image"
DESCRIPTION = "This is the main image which is the container of all the binaries \
generated for the Corstone1000 platform."
LICENSE = "MIT"
COMPATIBLE_MACHINE = "corstone1000"
inherit image
inherit tfm_sign_image
inherit uefi_capsule
PACKAGE_INSTALL = ""
IMAGE_FSTYPES += "wic uefi_capsule"
UEFI_FIRMWARE_BINARY = "${PN}-${MACHINE}.${CAPSULE_IMGTYPE}"
UEFI_CAPSULE_CONFIG = "${THISDIR}/files/${PN}-capsule-update-image.json"
CAPSULE_IMGTYPE = "wic"
do_sign_images() {
# Sign TF-A BL2
sign_host_image ${RECIPE_SYSROOT}/firmware/${TFA_BL2_BINARY} \
${TFA_BL2_RE_IMAGE_LOAD_ADDRESS} ${TFA_BL2_RE_SIGN_BIN_SIZE}
# Update BL2 in the FIP image
cp ${RECIPE_SYSROOT}/firmware/${TFA_FIP_BINARY} .
fiptool update --tb-fw \
${TFM_IMAGE_SIGN_DEPLOY_DIR}/signed_${TFA_BL2_BINARY} \
${TFM_IMAGE_SIGN_DIR}/${TFA_FIP_BINARY}
# Sign the FIP image
sign_host_image ${TFM_IMAGE_SIGN_DIR}/${TFA_FIP_BINARY} \
${TFA_FIP_RE_IMAGE_LOAD_ADDRESS} ${TFA_FIP_RE_SIGN_BIN_SIZE}
}
do_sign_images[depends] = "\
trusted-firmware-a:do_populate_sysroot \
fiptool-native:do_populate_sysroot \
"
@@ -0,0 +1,25 @@
SUMARY = "Corstone1000 platform Initramfs Image"
DESCRIPTION = "This is the main Linux image which includes an initramfs kernel/rootfs bundle."
LICENSE = "MIT"
COMPATIBLE_MACHINE = "corstone1000"
IMAGE_FSTYPES = "${INITRAMFS_FSTYPES}"
inherit core-image
# By default all basic packages required for a bootable system are installed
# by core-image . These packages are: packagegroup-core-boot and
# packagegroup-base-extended
inherit image-buildinfo
#package management is not supported in corstone1000
IMAGE_FEATURES:remove = "package-management"
# all optee packages
IMAGE_INSTALL += "optee-client"
# TS PSA API tests commands for crypto, its, ps and iat
IMAGE_INSTALL += "packagegroup-ts-tests-psa"
@@ -1,7 +0,0 @@
require recipes-core/images/core-image-minimal.bb
# The core-image-minimal is used for the initramfs bundle for the
# Corstone1000 but the testimage task caused hanging errors. This is
# why the core-image-minimal is forked here so the testimage task can
# be disabled as it is not relevant for the Corstone1000.
IMAGE_CLASSES:remove = "testimage"
@@ -0,0 +1,11 @@
{
"Payloads": [
{
"FwVersion": "5",
"Guid": "e2bb9c06-70e9-4b14-97a3-5a7913176e3f",
"LowestSupportedVersion": "1",
"Payload": "$UEFI_FIRMWARE_BINARY",
"UpdateImageIndex": "0"
}
]
}
@@ -1,4 +0,0 @@
MACHINE_DEPLOY_FIRMWARE_REQUIRE ?= ""
MACHINE_DEPLOY_FIRMWARE_REQUIRE:corstone1000 = "corstone1000-firmware-deploy-image.inc"
require ${MACHINE_DEPLOY_FIRMWARE_REQUIRE}
@@ -13,6 +13,9 @@ DEPENDS += "n1sdp-board-firmware"
EXTRA_OECMAKE:append = " \
-DSCP_N1SDP_SENSOR_LIB_PATH=${RECIPE_SYSROOT}/n1sdp-board-firmware_source/LIB/sensor.a \
"
# scp-firmware version aligning to Arm Reference Solutions N1SDP-2023.06.22 Release
SRCREV = "543ae8ca3c9e38da3058311118fa3ceef1da47f7"
PV .= "+git"
do_install:append() {
fiptool \
@@ -1,6 +1,5 @@
# SGI575 specific SCP configurations and build instructions
COMPATIBLE_MACHINE:sgi575 = "sgi575"
SCP_PRODUCT_GROUP = "neoverse-rd"
SCP_LOG_LEVEL = "INFO"
@@ -0,0 +1,5 @@
# TC specific SCP configuration
COMPATIBLE_MACHINE = "(tc1)"
FW_TARGETS = "scp"
@@ -0,0 +1,33 @@
From 27300daa2397c89e13aa648db30aa5c6acb06bcc Mon Sep 17 00:00:00 2001
From: Harsimran Singh Tungal <harsimransingh.tungal@arm.com>
Date: Fri, 2 Feb 2024 11:58:33 +0000
Subject: [PATCH] corstone1000: skip tftf tests
Skip some tests for platform corstone1000 which make the tftf tests
hanged when use with optee v3.22
Upstream-Status: Pending
Signed-off-by: Harsimran Singh Tungal <harsimransingh.tungal@arm.com>
---
plat/arm/corstone1000/tests_to_skip.txt | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/plat/arm/corstone1000/tests_to_skip.txt b/plat/arm/corstone1000/tests_to_skip.txt
index fdab230..c5eaac0 100644
--- a/plat/arm/corstone1000/tests_to_skip.txt
+++ b/plat/arm/corstone1000/tests_to_skip.txt
@@ -13,3 +13,11 @@ Timer framework Validation/Verify the timer interrupt generation
CPU Hotplug/CPU hotplug
PSCI CPU Suspend
PSCI STAT/for valid composite state CPU suspend
+FF-A Direct messaging/FF-A Request SP-to-SP direct messaging
+FF-A Direct messaging/FF-A Request SP-to-SP direct messaging deadlock
+FF-A Memory Sharing/Share Memory with Secure World
+FF-A Memory Sharing/Request Donate Memory SP-to-SP
+FF-A Memory Sharing/Request Share Memory SP-to-VM
+SIMD,SVE Registers context/Check that SIMD registers context is preserved
+FF-A Interrupt/Test NS interrupts
+SMMUv3 tests
--
2.34.1
@@ -0,0 +1,162 @@
From fa7ab9b40babee29d2aadb267dfce7a96f8989d4 Mon Sep 17 00:00:00 2001
From: Mohamed Omar Asaker <mohamed.omarasaker@arm.com>
Date: Mon, 9 Jan 2023 13:59:06 +0000
Subject: [PATCH] feat(corstone1000): bl2 loads fip based on metadata
Previously bl2 was reading the boot_index directly with a hard coded
address and then set the fip image spec with fip offsets base based on
the boot_index value.
This commit removes this logic and rely on PSA_FWU_SUPPORT
which reads the fip partition based on the active firmware bank written in
metadata.
Note: fip partition contains signature area at the begining. Hence, the fip
image starts at fip partition + fip signature area size.
Upstream-Status: Pending
Signed-off-by: Mohamed Omar Asaker <mohamed.omarasaker@arm.com>
---
bl2/bl2_main.c | 4 +++
.../corstone1000/common/corstone1000_plat.c | 32 ++++++-------------
.../common/include/platform_def.h | 12 +++----
tools/cert_create/Makefile | 4 +--
tools/fiptool/Makefile | 4 +--
5 files changed, 24 insertions(+), 32 deletions(-)
diff --git a/bl2/bl2_main.c b/bl2/bl2_main.c
index ce83692e0ebc..1a9febc007b2 100644
--- a/bl2/bl2_main.c
+++ b/bl2/bl2_main.c
@@ -87,6 +87,10 @@ void bl2_main(void)
/* Perform remaining generic architectural setup in S-EL1 */
bl2_arch_setup();
+#if ARM_GPT_SUPPORT
+ partition_init(GPT_IMAGE_ID);
+#endif
+
#if PSA_FWU_SUPPORT
fwu_init();
#endif /* PSA_FWU_SUPPORT */
diff --git a/plat/arm/board/corstone1000/common/corstone1000_plat.c b/plat/arm/board/corstone1000/common/corstone1000_plat.c
index 0235f8b8474c..7f9708a82489 100644
--- a/plat/arm/board/corstone1000/common/corstone1000_plat.c
+++ b/plat/arm/board/corstone1000/common/corstone1000_plat.c
@@ -33,36 +33,17 @@ const mmap_region_t plat_arm_mmap[] = {
static void set_fip_image_source(void)
{
const struct plat_io_policy *policy;
- /*
- * metadata for firmware update is written at 0x0000 offset of the flash.
- * PLAT_ARM_BOOT_BANK_FLAG contains the boot bank that TF-M is booted.
- * As per firmware update spec, at a given point of time, only one bank
- * is active. This means, TF-A should boot from the same bank as TF-M.
- */
- volatile uint32_t *boot_bank_flag = (uint32_t *)(PLAT_ARM_BOOT_BANK_FLAG);
-
- if (*boot_bank_flag > 1) {
- VERBOSE("Boot_bank is set higher than possible values");
- }
-
- VERBOSE("Boot bank flag = %u.\n\r", *boot_bank_flag);
policy = FCONF_GET_PROPERTY(arm, io_policies, FIP_IMAGE_ID);
assert(policy != NULL);
assert(policy->image_spec != 0UL);
+ /* FIP Partition contains Signature area at the begining which TF-A doesn't expect */
io_block_spec_t *spec = (io_block_spec_t *)policy->image_spec;
+ spec->offset += FIP_SIGNATURE_AREA_SIZE;
+ spec->length -= FIP_SIGNATURE_AREA_SIZE;
- if ((*boot_bank_flag) == 0) {
- VERBOSE("Booting from bank 0: fip offset = 0x%lx\n\r",
- PLAT_ARM_FIP_BASE_BANK0);
- spec->offset = PLAT_ARM_FIP_BASE_BANK0;
- } else {
- VERBOSE("Booting from bank 1: fip offset = 0x%lx\n\r",
- PLAT_ARM_FIP_BASE_BANK1);
- spec->offset = PLAT_ARM_FIP_BASE_BANK1;
- }
}
void bl2_platform_setup(void)
@@ -75,6 +56,13 @@ void bl2_platform_setup(void)
set_fip_image_source();
}
+void bl2_early_platform_setup2(u_register_t arg0, u_register_t arg1,
+ u_register_t arg2, u_register_t arg3)
+{
+ arm_bl2_early_platform_setup((uintptr_t)arg0, (meminfo_t *)arg1);
+ NOTICE("CS1k: early at bl2_platform_setup\n");
+}
+
/* corstone1000 only has one always-on power domain and there
* is no power control present
*/
diff --git a/plat/arm/board/corstone1000/common/include/platform_def.h b/plat/arm/board/corstone1000/common/include/platform_def.h
index 584d485f3ea7..0bfab05a482b 100644
--- a/plat/arm/board/corstone1000/common/include/platform_def.h
+++ b/plat/arm/board/corstone1000/common/include/platform_def.h
@@ -173,16 +173,16 @@
/* NOR Flash */
-#define PLAT_ARM_BOOT_BANK_FLAG UL(0x08002000)
-#define PLAT_ARM_FIP_BASE_BANK0 UL(0x081EF000)
-#define PLAT_ARM_FIP_BASE_BANK1 UL(0x0916F000)
-#define PLAT_ARM_FIP_MAX_SIZE UL(0x1ff000) /* 1.996 MB */
-
#define PLAT_ARM_NVM_BASE V2M_FLASH0_BASE
#define PLAT_ARM_NVM_SIZE (SZ_32M) /* 32 MB */
+#define PLAT_ARM_FIP_MAX_SIZE UL(0x1ff000) /* 1.996 MB */
-#define PLAT_ARM_FLASH_IMAGE_BASE PLAT_ARM_FIP_BASE_BANK0
+#define PLAT_ARM_FLASH_IMAGE_BASE UL(0x08000000)
#define PLAT_ARM_FLASH_IMAGE_MAX_SIZE PLAT_ARM_FIP_MAX_SIZE
+#define PLAT_ARM_FIP_OFFSET_IN_GPT (0x86000)
+
+/* FIP Information */
+#define FIP_SIGNATURE_AREA_SIZE (0x1000) /* 4 KB */
/*
* Some data must be aligned on the biggest cache line size in the platform.
diff --git a/tools/cert_create/Makefile b/tools/cert_create/Makefile
index 042e844626bd..45b76a022f91 100644
--- a/tools/cert_create/Makefile
+++ b/tools/cert_create/Makefile
@@ -78,8 +78,8 @@ INC_DIR += -I ./include -I ${PLAT_INCLUDE} -I ${OPENSSL_DIR}/include
# directory. However, for a local build of OpenSSL, the built binaries are
# located under the main project directory (i.e.: ${OPENSSL_DIR}, not
# ${OPENSSL_DIR}/lib/).
-LIB_DIR := -L ${OPENSSL_DIR}/lib -L ${OPENSSL_DIR}
-LIB := -lssl -lcrypto
+LIB_DIR := -L ${OPENSSL_DIR}/lib -L ${OPENSSL_DIR} ${BUILD_LDFLAGS} ${BUILD_LDFLAGS} ${BUILD_LDFLAGS} ${BUILD_LDFLAGS} ${BUILD_LDFLAGS} ${BUILD_LDFLAGS}
+LIB := -lssl -lcrypto ${BUILD_LDFLAGS} ${BUILD_LDFLAGS} ${BUILD_LDFLAGS} ${BUILD_LDFLAGS} ${BUILD_LDFLAGS} ${BUILD_LDFLAGS}
HOSTCC ?= gcc
diff --git a/tools/fiptool/Makefile b/tools/fiptool/Makefile
index 2ebee33931ba..dcfd314bee89 100644
--- a/tools/fiptool/Makefile
+++ b/tools/fiptool/Makefile
@@ -39,7 +39,7 @@ HOSTCCFLAGS += -DUSING_OPENSSL3=$(USING_OPENSSL3)
# directory. However, for a local build of OpenSSL, the built binaries are
# located under the main project directory (i.e.: ${OPENSSL_DIR}, not
# ${OPENSSL_DIR}/lib/).
-LDLIBS := -L${OPENSSL_DIR}/lib -L${OPENSSL_DIR} -lcrypto
+LDLIBS := -L${OPENSSL_DIR}/lib -L${OPENSSL_DIR} -lcrypto ${BUILD_LDFLAGS} ${BUILD_LDFLAGS} ${BUILD_LDFLAGS} ${BUILD_LDFLAGS} ${BUILD_LDFLAGS} ${BUILD_LDFLAGS}
ifeq (${V},0)
Q := @
@@ -47,7 +47,7 @@ else
Q :=
endif
-INCLUDE_PATHS := -I../../include/tools_share -I${OPENSSL_DIR}/include
+INCLUDE_PATHS := -I../../include/tools_share -I${OPENSSL_DIR}/include ${BUILD_CFLAGS} ${BUILD_CFLAGS} ${BUILD_CFLAGS} ${BUILD_CFLAGS} ${BUILD_CFLAGS} ${BUILD_CFLAGS}
HOSTCC ?= gcc
@@ -1,32 +0,0 @@
From d70a07562d3b0a7b4441922fd3ce136565927d04 Mon Sep 17 00:00:00 2001
From: Emekcan Aras <Emekcan.Aras@arm.com>
Date: Wed, 21 Feb 2024 07:57:36 +0000
Subject: [PATCH] fix(corstone1000): pass spsr value explicitly
Passes spsr value for BL32 (OPTEE) explicitly between different boot
stages.
Upstream-Status: Pending
Signed-off-by: Emekcan Aras <Emekcan.Aras@arm.com>
---
.../corstone1000/common/corstone1000_bl2_mem_params_desc.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/plat/arm/board/corstone1000/common/corstone1000_bl2_mem_params_desc.c b/plat/arm/board/corstone1000/common/corstone1000_bl2_mem_params_desc.c
index fe521a9fa..2cc096f38 100644
--- a/plat/arm/board/corstone1000/common/corstone1000_bl2_mem_params_desc.c
+++ b/plat/arm/board/corstone1000/common/corstone1000_bl2_mem_params_desc.c
@@ -72,7 +72,8 @@ static bl_mem_params_node_t bl2_mem_params_descs[] = {
SET_STATIC_PARAM_HEAD(ep_info, PARAM_EP,
VERSION_2, entry_point_info_t, NON_SECURE | EXECUTABLE),
.ep_info.pc = BL33_BASE,
-
+ .ep_info.spsr = SPSR_64(MODE_EL2, MODE_SP_ELX,
+ DISABLE_ALL_EXCEPTIONS),
SET_STATIC_PARAM_HEAD(image_info, PARAM_EP,
VERSION_2, image_info_t, 0),
.image_info.image_base = BL33_BASE,
--
2.25.1
@@ -1,54 +0,0 @@
From 684b8f88238f522b52eb102485762e02e6b1671a Mon Sep 17 00:00:00 2001
From: Emekcan Aras <Emekcan.Aras@arm.com>
Date: Fri, 23 Feb 2024 13:17:59 +0000
Subject: [PATCH] fix(spmd): remove EL3 interrupt registration
This configuration should not be done for corstone1000 and similar
platforms. GICv2 systems only support EL3 interrupts and can have SEL1 component
as SPMC.
Signed-off-by: Emekcan Aras <Emekcan.Aras@arm.com>
Upstream-Status: Inappropriate [Discussions of fixing this in a better way is ongoing in upstream]
---
services/std_svc/spmd/spmd_main.c | 24 ------------------------
1 file changed, 24 deletions(-)
diff --git a/services/std_svc/spmd/spmd_main.c b/services/std_svc/spmd/spmd_main.c
index 066571e9b..313f05bf3 100644
--- a/services/std_svc/spmd/spmd_main.c
+++ b/services/std_svc/spmd/spmd_main.c
@@ -580,30 +580,6 @@ static int spmd_spmc_init(void *pm_addr)
panic();
}
- /*
- * Permit configurations where the SPM resides at S-EL1/2 and upon a
- * Group0 interrupt triggering while the normal world runs, the
- * interrupt is routed either through the EHF or directly to the SPMD:
- *
- * EL3_EXCEPTION_HANDLING=0: the Group0 interrupt is routed to the SPMD
- * for handling by spmd_group0_interrupt_handler_nwd.
- *
- * EL3_EXCEPTION_HANDLING=1: the Group0 interrupt is routed to the EHF.
- *
- */
-#if (EL3_EXCEPTION_HANDLING == 0)
- /*
- * Register an interrupt handler routing Group0 interrupts to SPMD
- * while the NWd is running.
- */
- rc = register_interrupt_type_handler(INTR_TYPE_EL3,
- spmd_group0_interrupt_handler_nwd,
- flags);
- if (rc != 0) {
- panic();
- }
-#endif
-
return 0;
}
--
2.25.1
@@ -0,0 +1,29 @@
From 16937460429d6bcd502b21c20d16222541ed8d48 Mon Sep 17 00:00:00 2001
From: Abdellatif El Khlifi <abdellatif.elkhlifi@arm.com>
Date: Mon, 6 Mar 2023 15:57:59 +0000
Subject: [PATCH] psci: SMCCC_ARCH_FEATURES discovery through PSCI_FEATURES
allow normal world use PSCI_FEATURES to discover SMCCC_ARCH_FEATURES
Signed-off-by: Abdellatif El Khlifi <abdellatif.elkhlifi@arm.com>
Upstream-Status: Inappropriate [A U-Boot patch will be released to fix an issue in the PSCI driver]
---
lib/psci/psci_main.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/psci/psci_main.c b/lib/psci/psci_main.c
index a631f3ffbf..cc8904b006 100644
--- a/lib/psci/psci_main.c
+++ b/lib/psci/psci_main.c
@@ -337,7 +337,7 @@ int psci_features(unsigned int psci_fid)
{
unsigned int local_caps = psci_caps;
- if (psci_fid == SMCCC_VERSION)
+ if (psci_fid == SMCCC_VERSION || psci_fid == SMCCC_ARCH_FEATURES)
return PSCI_E_SUCCESS;
/* Check if it is a 64 bit function */
--
2.25.1

Some files were not shown because too many files have changed in this diff Show More