1
0
mirror of https://git.yoctoproject.org/meta-arm synced 2026-07-18 04:27:08 +00:00

Compare commits

..

489 Commits

Author SHA1 Message Date
Ross Burton b68089f264 CI: only run pending-updates on master
This job takes a few minutes and isn't useful unless it's being ran for
master, or is being actively worked on.

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-11-04 09:33:19 -05:00
Peter Hoyes 21894cc2ea arm/classes: Fix IMAGE_POSTPROCESS_COMMAND in fvpboot
Since OE-core 6fd8af0d, the semicolon delimeter in bb.build_exec_func
variables is not needed. The commit silently removes any stray ';' but
failed to handle ';' when assigning to vardeps.

In meta-arm, this has the effect of changes to FVP_* variables not being
picked up when rebuilding the image recipe since mickledore.

This is ancient history now, so just remove the semicolon to fix the
variable dependency issue when using fvpboot in meta-arm.

Signed-off-by: Peter Hoyes <peter.hoyes@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-08-13 05:00:22 -04:00
Hongxu Jia 2de04c3d31 optee-os_4.4.0: fix CVE-2025-46733
Backport a patch from upstream [1] to fix CVE-2025-46733

[1] https://github.com/OP-TEE/optee_os/commit/941a58d78c99c4754fbd4ec3079ec9e1d596af8f

Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-07-30 05:01:19 -04:00
Hamideh Izadyar f87642b6ca arm/trusted-firmware-m: apply TF-M downstream patches
Apply TF-M downstream patches in the main TF-M recipe, rather than doing
it in corstone1000 recipe.

Signed-off-by: Hamideh Izadyar <hamideh.izadyar@arm.com>
Signed-off-by: Ross Burton <ross.burton@arm.com>
2025-07-29 17:57:58 +01:00
Ross Burton 8e2c715fab CI: use walnascar branch of meta-virtualization
This layer has a walnascar branch now, so use it as master is no longer
compatible with walnascar.

Signed-off-by: Ross Burton <ross.burton@arm.com>
2025-07-14 11:41:23 +01:00
Jon Mason ed9d996aa9 arm-systemready/ir-acs: Update URL
The github URL where the image was located has gone away on the master
branch.  Update the URL to point to the legacy branch, which should stay
around (according to the documentation).

Fixes: aebe535aa8 ("arm-systemready: Introduce the Arm SystemReady layer")
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-07-08 11:34:06 -04:00
Abdellatif El Khlifi c63ce2117e kas: corstone-1000: pin Yocto layer dependencies for CORSTONE1000-2025-05 release
Set the tested SHAs of the dependent community layers from
the Walnascar branch of each layer.

Signed-off-by: Abdellatif El Khlifi <abdellatif.elkhlifi@arm.com>
Signed-off-by: Hugues KAMBA MPIANA <hugues.kambampiana@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-06-16 02:00:23 -04:00
Hugues KAMBA MPIANA 0acaf26833 arm-bsp/documentation: corstone1000: Amend for CORSTONE1000-2025.05
* Update software component recipe references
* Update Yocto Project release name
* Update Corstone-1000 release name
* Update release note
* Various other improvements

Signed-off-by: Hugues KAMBA MPIANA <hugues.kambampiana@arm.com>
Signed-off-by: Harsimran Singh Tungal <harsimransingh.tungal@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-06-16 02:00:23 -04:00
Ali Can Ozaslan 4f8d2f4b2f arm-bsp/trusted-services: corstone1000: Align PSA crypto structs with TF-M
The TF-M was upgraded to v2.1.1 for the Corstone-1000. The TS had to be
aligned with it, to keep the Secure Enclave Proxy Secure Partition
compatible with TF-M.

Signed-off-by: Ali Can Ozaslan <ali.oezaslan@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-05-07 14:00:17 -04:00
Ross Burton 42928dcc17 CI: use walnascar branches
Signed-off-by: Ross Burton <ross.burton@arm.com>
2025-04-15 16:46:23 +01:00
Jon Mason ca5c51e25c arm/edk2-firmware: remove qemuarm64-secureboot
edk2 isn't booting on qemuarm64-secureboot, and hasn't for some time.
Also, it's not being tested as part of CI.  Remove until it is working
again.

Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-04-11 09:37:38 -04:00
Jon Mason 69121ff4e5 arm/edk2-firmware: update to 202502
Update to the latest tagged version of edk2-firmware.  This requires
rebasing the sbsa-acs patches.  Also, sgi575 works with the latest
version but requires a patch to compile cleanly.

There is an issue with qemuarm/qemuarm64 where the boot device is not
found in edk2 if 'RELEASE' is set as the build mode.  Temporarily
changing that to DEBUG while the issue is being worked on (in
https://github.com/tianocore/edk2/issues/10942).

Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-04-11 09:37:38 -04:00
Jon Mason ce4c7f6661 arm/edk2-firmware: add version to be printed out
Currently, the version number is not being specified, which is causing
the version to be printed as an empty string.  Such as:
    UEFI firmware (version  built at 00:50:36 on Feb 21 2025)
and
    Tianocore/EDK2 firmware version

Add the package version as the version to be printed out, which results
in:
    UEFI firmware (version 202502 built at 00:50:36 on Feb 21 2025)
and
    Tianocore/EDK2 firmware version 202502

An intermediate variable was used instead of PV to allow for the
variable to be overridden if necessary.

Also, minor white space clean-up to match the style in the rest of the
file.

Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-04-11 09:37:38 -04:00
Richard Purdie ca97d0fcec classes/tfm_sign_image: Fix assignment whitespace
Fix whitespace to avoid a warning with newer bitbake.

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-04-11 06:00:04 -04:00
Yogesh Wani 385450558e arm-bsp/documentation: corstone1000: Fix typos in the documentation
The Corstone-1000 read the docs had some small typos in the
Design Overview section. Commit addresses these.

Copyright information now updated.

Signed-off-by: Yogesh Wani <yogesh.wani@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-04-09 05:00:04 -04:00
Gergely Kovacs 79eb13dd05 arm/trusted-firmware-a: remove optee-os dependency from tests
The TF-A tests should not depend on OPTEE-OS

Signed-off-by: Gergely Kovacs <Gergely.Kovacs2@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-04-08 06:00:05 -04:00
Ross Burton 1d119f24f9 arm/fvp-base-a-aem: remove spurious executable stack from one library
There are some objects in the FVP binary that are assembler source and
fail to declare what permissions the stack needs to have, so GCC falls
back to assuming that the final binary needs an executable stack.

glibc 2.41 (as now used in uninative) introduces changes here[1]: whether
to have an executable stack or not when the binary doesn't specify a
need (defaults to executable, but this is a tunable), and any binaries
that are dlopen()ed that require an executable stack will fail.

Thus, some FVPs on some platforms (notable, fvp-base-a-aem on x86-64)
now fail on startup:

  libarmctmodel.so: cannot enable executable stack as shared object requires: Invalid argument

Luckily the solution here is to simply clear the executable bit, as
an executable stack is not actually needed.  Until a new release of the
FVP is made we can fix the binary in our package using execstack.

[1] https://lists.gnu.org/archive/html/info-gnu/2025-01/msg00014.html

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-04-04 13:55:24 -04:00
Ross Burton b19f24bd0a arm/execstack-native: add new recipe
Add a recipe for the execstack binary from prelink-cross. This tool is
used to manipulate the GNU_STACK segment in ELF binaries, specifically
to control whether the binary requests an executable stack or not.

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-04-04 13:55:24 -04:00
Martin Jansa 5a55c4aaf9 metadata: add whitespace around assignments
With:
https://lists.openembedded.org/g/bitbake-devel/message/17508
there are WARNINGs like:

WARNING: meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-spm-test1_git.bb: meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-spm-test1_git.bb:3 has a lack of whitespace around the assignment: 'SP_INDEX="1"'
WARNING: meta-arm/meta-arm-toolchain/recipes-devtools/external-arm-toolchain/gcc-aarch64-none-elf_13.3.rel1.bb: meta-arm/meta-arm-toolchain/recipes-devtools/external-arm-toolchain/arm-binary-toolchain.inc:31 has a lack of whitespace around the assignment: 'SKIP_FILEDEPS="1"'
WARNING: meta-arm/meta-arm-toolchain/recipes-devtools/external-arm-toolchain/gcc-arm-none-eabi_13.3.rel1.bb: meta-arm/meta-arm-toolchain/recipes-devtools/external-arm-toolchain/arm-binary-toolchain.inc:31 has a lack of whitespace around the assignment: 'SKIP_FILEDEPS="1"'
WARNING: meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/tf-a-tests_2.10.3.bb: meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/tf-a-tests_2.10.3.bb:37 has a lack of whitespace around the assignment: 'export CROSS_COMPILE="${TARGET_PREFIX}"'
WARNING: meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/tf-a-tests_2.12.0.bb: meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/tf-a-tests_2.12.0.bb:38 has a lack of whitespace around the assignment: 'export CROSS_COMPILE="${TARGET_PREFIX}"'
WARNING: meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_2.10.12.bb: meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a.inc:80 has a lack of whitespace around the assignment: 'export CROSS_COMPILE="${TARGET_PREFIX}"'
WARNING: meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_2.12.1.bb: meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a.inc:80 has a lack of whitespace around the assignment: 'export CROSS_COMPILE="${TARGET_PREFIX}"'
WARNING: meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_git.bb: meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a.inc:80 has a lack of whitespace around the assignment: 'export CROSS_COMPILE="${TARGET_PREFIX}"'
WARNING: meta-arm/meta-arm/recipes-bsp/trusted-firmware-m/trusted-firmware-m_2.1.1.bb: meta-arm/meta-arm/recipes-bsp/trusted-firmware-m/trusted-firmware-m.inc:89 has a lack of whitespace around the assignment: 'export OPENSSL_MODULES="${STAGING_LIBDIR_NATIVE}/ossl-modules"'
WARNING: meta-arm/meta-arm/recipes-bsp/trusted-firmware-rmm/trusted-firmware-rmm_0.6.0.bb: meta-arm/meta-arm/recipes-bsp/trusted-firmware-rmm/trusted-firmware-rmm_0.6.0.bb:34 has a lack of whitespace around the assignment: 'export CROSS_COMPILE="${TARGET_PREFIX}"'
WARNING: meta-arm/meta-arm/recipes-devtools/fvp/fvp-base-a-aem_11.28.23.bb: meta-arm/meta-arm/recipes-devtools/fvp/fvp-common.inc:42 has a lack of whitespace around the assignment: 'PV_URL_SHORT="${@get_fm_short_pv_url(d)}"'
WARNING: meta-arm/meta-arm/recipes-devtools/fvp/fvp-corstone1000.bb: meta-arm/meta-arm/recipes-devtools/fvp/fvp-common.inc:42 has a lack of whitespace around the assignment: 'PV_URL_SHORT="${@get_fm_short_pv_url(d)}"'
WARNING: meta-arm/meta-arm/recipes-devtools/fvp/fvp-library.bb: meta-arm/meta-arm/recipes-devtools/fvp/fvp-common.inc:42 has a lack of whitespace around the assignment: 'PV_URL_SHORT="${@get_fm_short_pv_url(d)}"'
WARNING: meta-arm/meta-arm/recipes-devtools/fvp/fvp-n1-edge.bb: meta-arm/meta-arm/recipes-devtools/fvp/fvp-common.inc:42 has a lack of whitespace around the assignment: 'PV_URL_SHORT="${@get_fm_short_pv_url(d)}"'
WARNING: meta-arm/meta-arm/recipes-devtools/fvp/fvp-sgi575.bb: meta-arm/meta-arm/recipes-devtools/fvp/fvp-common.inc:42 has a lack of whitespace around the assignment: 'PV_URL_SHORT="${@get_fm_short_pv_url(d)}"'
WARNING: meta-arm/meta-arm/recipes-security/optee-ftpm/optee-ftpm_git.bb: meta-arm/meta-arm/recipes-security/optee-ftpm/optee-ftpm_git.bb:21 has a lack of whitespace around the assignment: 'FTPM_UUID="bc50d971-d4c9-42c4-82cb-343fb7f37896"'
WARNING: meta-arm/meta-arm/recipes-security/optee-ftpm/optee-ftpm_git.bb: meta-arm/meta-arm/recipes-security/optee-ftpm/optee-ftpm_git.bb:53 has a lack of whitespace around the assignment: 'export OPENSSL_MODULES="${STAGING_LIBDIR_NATIVE}/ossl-modules"'
WARNING: meta-arm/meta-arm/recipes-security/optee/optee-examples_4.3.0.bb: meta-arm/meta-arm/recipes-security/optee/optee.inc:34 has a lack of whitespace around the assignment: 'export OPENSSL_MODULES="${STAGING_LIBDIR_NATIVE}/ossl-modules"'
WARNING: meta-arm/meta-arm/recipes-security/optee/optee-os-tadevkit_4.3.0.bb: meta-arm/meta-arm/recipes-security/optee/optee.inc:34 has a lack of whitespace around the assignment: 'export OPENSSL_MODULES="${STAGING_LIBDIR_NATIVE}/ossl-modules"'
WARNING: meta-arm/meta-arm/recipes-security/optee/optee-os_4.3.0.bb: meta-arm/meta-arm/recipes-security/optee-ftpm/optee-os_%.bbappend:1 has a lack of whitespace around the assignment: 'FTPM_UUID="bc50d971-d4c9-42c4-82cb-343fb7f37896"'
WARNING: meta-arm/meta-arm/recipes-security/optee/optee-os_4.3.0.bb: meta-arm/meta-arm/recipes-security/optee/optee-os-ts.inc:11 has a lack of whitespace around the assignment: 'TS_BIN_SPM_TEST= "${RECIPE_SYSROOT}/usr/opteesp/bin"'
WARNING: meta-arm/meta-arm/recipes-security/optee/optee-os_4.3.0.bb: meta-arm/meta-arm/recipes-security/optee/optee.inc:34 has a lack of whitespace around the assignment: 'export OPENSSL_MODULES="${STAGING_LIBDIR_NATIVE}/ossl-modules"'
WARNING: meta-arm/meta-arm/recipes-security/optee/optee-test_4.3.0.bb: meta-arm/meta-arm/recipes-security/optee/optee.inc:34 has a lack of whitespace around the assignment: 'export OPENSSL_MODULES="${STAGING_LIBDIR_NATIVE}/ossl-modules"'
WARNING: meta-arm/meta-arm/recipes-security/trusted-services/libts_git.bb: meta-arm/meta-arm/recipes-security/trusted-services/libts_git.bb:12 has a lack of whitespace around the assignment: 'OECMAKE_SOURCEPATH="${S}/deployments/libts/${TS_ENV}"'
WARNING: meta-arm/meta-arm/recipes-security/trusted-services/libts_git.bb: meta-arm/meta-arm/recipes-security/trusted-services/trusted-services.inc:37 has a lack of whitespace around the assignment: 'export CROSS_COMPILE="${TARGET_PREFIX}"'
WARNING: meta-arm/meta-arm/recipes-security/trusted-services/ts-demo_git.bb: meta-arm/meta-arm/recipes-security/trusted-services/trusted-services.inc:37 has a lack of whitespace around the assignment: 'export CROSS_COMPILE="${TARGET_PREFIX}"'
WARNING: meta-arm/meta-arm/recipes-security/trusted-services/ts-demo_git.bb: meta-arm/meta-arm/recipes-security/trusted-services/ts-demo_git.bb:13 has a lack of whitespace around the assignment: 'OECMAKE_SOURCEPATH="${S}/deployments/ts-demo/${TS_ENV}"'
WARNING: meta-arm/meta-arm/recipes-security/trusted-services/ts-psa-crypto-api-test_git.bb: meta-arm/meta-arm/recipes-security/trusted-services/trusted-services.inc:37 has a lack of whitespace around the assignment: 'export CROSS_COMPILE="${TARGET_PREFIX}"'
WARNING: meta-arm/meta-arm/recipes-security/trusted-services/ts-psa-iat-api-test_git.bb: meta-arm/meta-arm/recipes-security/trusted-services/trusted-services.inc:37 has a lack of whitespace around the assignment: 'export CROSS_COMPILE="${TARGET_PREFIX}"'
WARNING: meta-arm/meta-arm/recipes-security/trusted-services/ts-psa-its-api-test_git.bb: meta-arm/meta-arm/recipes-security/trusted-services/trusted-services.inc:37 has a lack of whitespace around the assignment: 'export CROSS_COMPILE="${TARGET_PREFIX}"'
WARNING: meta-arm/meta-arm/recipes-security/trusted-services/ts-psa-ps-api-test_git.bb: meta-arm/meta-arm/recipes-security/trusted-services/trusted-services.inc:37 has a lack of whitespace around the assignment: 'export CROSS_COMPILE="${TARGET_PREFIX}"'
WARNING: meta-arm/meta-arm/recipes-security/trusted-services/ts-remote-test_git.bb: meta-arm/meta-arm/recipes-security/trusted-services/trusted-services.inc:37 has a lack of whitespace around the assignment: 'export CROSS_COMPILE="${TARGET_PREFIX}"'
WARNING: meta-arm/meta-arm/recipes-security/trusted-services/ts-service-test_git.bb: meta-arm/meta-arm/recipes-security/trusted-services/trusted-services.inc:37 has a lack of whitespace around the assignment: 'export CROSS_COMPILE="${TARGET_PREFIX}"'
WARNING: meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-attestation_git.bb: meta-arm/meta-arm/recipes-security/trusted-services/trusted-services.inc:37 has a lack of whitespace around the assignment: 'export CROSS_COMPILE="${TARGET_PREFIX}"'
WARNING: meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-attestation_git.bb: meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-attestation_git.bb:8 has a lack of whitespace around the assignment: 'OECMAKE_SOURCEPATH="${S}/deployments/attestation/config/${TS_SP_IAT_CONFIG}-${TS_ENV}"'
WARNING: meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-attestation_git.bb: meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-common.inc:42 has a lack of whitespace around the assignment: 'OECMAKE_ARGS:remove="-DCMAKE_TOOLCHAIN_FILE:FILEPATH=${WORKDIR}/toolchain.cmake"'
WARNING: meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-block-storage_git.bb: meta-arm/meta-arm/recipes-security/trusted-services/trusted-services.inc:37 has a lack of whitespace around the assignment: 'export CROSS_COMPILE="${TARGET_PREFIX}"'
WARNING: meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-block-storage_git.bb: meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-block-storage_git.bb:13 has a lack of whitespace around the assignment: 'OECMAKE_SOURCEPATH="${S}/deployments/block-storage/config/${TS_SP_BLOCK_STORAGE_CONFIG}-${TS_ENV}"'
WARNING: meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-block-storage_git.bb: meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-common.inc:42 has a lack of whitespace around the assignment: 'OECMAKE_ARGS:remove="-DCMAKE_TOOLCHAIN_FILE:FILEPATH=${WORKDIR}/toolchain.cmake"'
WARNING: meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-crypto_git.bb: meta-arm/meta-arm/recipes-security/trusted-services/trusted-services.inc:37 has a lack of whitespace around the assignment: 'export CROSS_COMPILE="${TARGET_PREFIX}"'
WARNING: meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-crypto_git.bb: meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-common.inc:42 has a lack of whitespace around the assignment: 'OECMAKE_ARGS:remove="-DCMAKE_TOOLCHAIN_FILE:FILEPATH=${WORKDIR}/toolchain.cmake"'
WARNING: meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-crypto_git.bb: meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-crypto_git.bb:10 has a lack of whitespace around the assignment: 'OECMAKE_SOURCEPATH="${S}/deployments/crypto/config/${TS_SP_CRYPTO_CONFIG}-${TS_ENV}"'
WARNING: meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-fwu_git.bb: meta-arm/meta-arm/recipes-security/trusted-services/trusted-services.inc:37 has a lack of whitespace around the assignment: 'export CROSS_COMPILE="${TARGET_PREFIX}"'
WARNING: meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-fwu_git.bb: meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-common.inc:42 has a lack of whitespace around the assignment: 'OECMAKE_ARGS:remove="-DCMAKE_TOOLCHAIN_FILE:FILEPATH=${WORKDIR}/toolchain.cmake"'
WARNING: meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-fwu_git.bb: meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-fwu_git.bb:14 has a lack of whitespace around the assignment: 'OECMAKE_SOURCEPATH="${S}/deployments/fwu/config/${TS_SP_FWU_CONFIG}-${TS_ENV}"'
WARNING: meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-its_git.bb: meta-arm/meta-arm/recipes-security/trusted-services/trusted-services.inc:37 has a lack of whitespace around the assignment: 'export CROSS_COMPILE="${TARGET_PREFIX}"'
WARNING: meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-its_git.bb: meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-common.inc:42 has a lack of whitespace around the assignment: 'OECMAKE_ARGS:remove="-DCMAKE_TOOLCHAIN_FILE:FILEPATH=${WORKDIR}/toolchain.cmake"'
WARNING: meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-its_git.bb: meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-its_git.bb:8 has a lack of whitespace around the assignment: 'OECMAKE_SOURCEPATH="${S}/deployments/internal-trusted-storage/config/${TS_SP_ITS_CONFIG}-${TS_ENV}"'
WARNING: meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-se-proxy_git.bb: meta-arm/meta-arm/recipes-security/trusted-services/trusted-services.inc:37 has a lack of whitespace around the assignment: 'export CROSS_COMPILE="${TARGET_PREFIX}"'
WARNING: meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-se-proxy_git.bb: meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-common.inc:42 has a lack of whitespace around the assignment: 'OECMAKE_ARGS:remove="-DCMAKE_TOOLCHAIN_FILE:FILEPATH=${WORKDIR}/toolchain.cmake"'
WARNING: meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-se-proxy_git.bb: meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-se-proxy_git.bb:10 has a lack of whitespace around the assignment: 'OECMAKE_SOURCEPATH="${S}/deployments/se-proxy/config/${TS_SP_SE_PROXY_CONFIG}-${TS_ENV}"'
WARNING: meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-smm-gateway_git.bb: meta-arm/meta-arm/recipes-security/trusted-services/trusted-services.inc:37 has a lack of whitespace around the assignment: 'export CROSS_COMPILE="${TARGET_PREFIX}"'
WARNING: meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-smm-gateway_git.bb: meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-common.inc:42 has a lack of whitespace around the assignment: 'OECMAKE_ARGS:remove="-DCMAKE_TOOLCHAIN_FILE:FILEPATH=${WORKDIR}/toolchain.cmake"'
WARNING: meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-smm-gateway_git.bb: meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-smm-gateway_git.bb:8 has a lack of whitespace around the assignment: 'OECMAKE_SOURCEPATH="${S}/deployments/smm-gateway/config/${TS_SP_SMM_GATEWAY_CONFIG}-${TS_ENV}"'
WARNING: meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-spm-test1_git.bb: meta-arm/meta-arm/recipes-security/trusted-services/trusted-services.inc:37 has a lack of whitespace around the assignment: 'export CROSS_COMPILE="${TARGET_PREFIX}"'
WARNING: meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-spm-test1_git.bb: meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-common.inc:42 has a lack of whitespace around the assignment: 'OECMAKE_ARGS:remove="-DCMAKE_TOOLCHAIN_FILE:FILEPATH=${WORKDIR}/toolchain.cmake"'
WARNING: meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-spm-test1_git.bb: meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-spm-test-common.inc:10 has a lack of whitespace around the assignment: 'OECMAKE_SOURCEPATH="${S}/deployments/spm-test${SP_INDEX}/${TS_ENV}"'
WARNING: meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-spm-test1_git.bb: meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-spm-test1_git.bb:3 has a lack of whitespace around the assignment: 'SP_INDEX="1"'
WARNING: meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-spm-test2_git.bb: meta-arm/meta-arm/recipes-security/trusted-services/trusted-services.inc:37 has a lack of whitespace around the assignment: 'export CROSS_COMPILE="${TARGET_PREFIX}"'
WARNING: meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-spm-test2_git.bb: meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-common.inc:42 has a lack of whitespace around the assignment: 'OECMAKE_ARGS:remove="-DCMAKE_TOOLCHAIN_FILE:FILEPATH=${WORKDIR}/toolchain.cmake"'
WARNING: meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-spm-test2_git.bb: meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-spm-test-common.inc:10 has a lack of whitespace around the assignment: 'OECMAKE_SOURCEPATH="${S}/deployments/spm-test${SP_INDEX}/${TS_ENV}"'
WARNING: meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-spm-test2_git.bb: meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-spm-test2_git.bb:3 has a lack of whitespace around the assignment: 'SP_INDEX="2"'
WARNING: meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-spm-test3_git.bb: meta-arm/meta-arm/recipes-security/trusted-services/trusted-services.inc:37 has a lack of whitespace around the assignment: 'export CROSS_COMPILE="${TARGET_PREFIX}"'
WARNING: meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-spm-test3_git.bb: meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-common.inc:42 has a lack of whitespace around the assignment: 'OECMAKE_ARGS:remove="-DCMAKE_TOOLCHAIN_FILE:FILEPATH=${WORKDIR}/toolchain.cmake"'
WARNING: meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-spm-test3_git.bb: meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-spm-test-common.inc:10 has a lack of whitespace around the assignment: 'OECMAKE_SOURCEPATH="${S}/deployments/spm-test${SP_INDEX}/${TS_ENV}"'
WARNING: meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-spm-test3_git.bb: meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-spm-test3_git.bb:3 has a lack of whitespace around the assignment: 'SP_INDEX="3"'
WARNING: meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-spm-test4_git.bb: meta-arm/meta-arm/recipes-security/trusted-services/trusted-services.inc:37 has a lack of whitespace around the assignment: 'export CROSS_COMPILE="${TARGET_PREFIX}"'
WARNING: meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-spm-test4_git.bb: meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-common.inc:42 has a lack of whitespace around the assignment: 'OECMAKE_ARGS:remove="-DCMAKE_TOOLCHAIN_FILE:FILEPATH=${WORKDIR}/toolchain.cmake"'
WARNING: meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-spm-test4_git.bb: meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-spm-test-common.inc:10 has a lack of whitespace around the assignment: 'OECMAKE_SOURCEPATH="${S}/deployments/spm-test${SP_INDEX}/${TS_ENV}"'
WARNING: meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-spm-test4_git.bb: meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-spm-test4_git.bb:3 has a lack of whitespace around the assignment: 'SP_INDEX="4"'
WARNING: meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-storage_git.bb: meta-arm/meta-arm/recipes-security/trusted-services/trusted-services.inc:37 has a lack of whitespace around the assignment: 'export CROSS_COMPILE="${TARGET_PREFIX}"'
WARNING: meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-storage_git.bb: meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-common.inc:42 has a lack of whitespace around the assignment: 'OECMAKE_ARGS:remove="-DCMAKE_TOOLCHAIN_FILE:FILEPATH=${WORKDIR}/toolchain.cmake"'
WARNING: meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-storage_git.bb: meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-storage_git.bb:8 has a lack of whitespace around the assignment: 'OECMAKE_SOURCEPATH="${S}/deployments/protected-storage/config/${TS_SP_PS_CONFIG}-${TS_ENV}"'
WARNING: meta-arm/meta-arm/recipes-security/trusted-services/ts-uefi-test_git.bb: meta-arm/meta-arm/recipes-security/trusted-services/trusted-services.inc:37 has a lack of whitespace around the assignment: 'export CROSS_COMPILE="${TARGET_PREFIX}"'

Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-04-04 06:00:04 -04:00
Mikko Rapeli 7fca237eab trusted-firmware-a: set mbedtls git branch with SRCBRANCH_MBEDTLS
Enables building latest bleeding edge tf-a and mbedtls with
local.conf setup:

INHERIT += "poky-bleeding"
POKY_AUTOREV_RECIPES += "trusted-firmware-a"

SRCREV_mbedtls:pn-trusted-firmware-a = "AUTOINC"
SRCREV_tfa:pn-trusted-firmware-a = "AUTOINC"
SRCBRANCH:pn-trusted-firmware-a = "master"
SRCBRANCH_MBEDTLS:pn-trusted-firmware-a = "master"
LIC_FILES_CHKSUM:pn-trusted-firmware-a = "file://docs/license.rst;md5=1118e32884721c0be33267bd7ae11130"
BBMASK += "meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_2.10.12.bb"
BBMASK += "meta-arm-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a_2.11.0.bb"

This includes workarounds for poky-bleeding.bbclass which doesn't
work with multiple SRCREV variables, masking away
tf-a 2.10 and 2.11 recipes which cause recipe parsing problems
and only one recipe needed to build latest upstream master
branch to avoid 503 error codes from remote git server.

Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-04-04 05:00:04 -04:00
Gyorgy Szing 595cb0f1a0 arm/trusted-services: fix udev management in libts
- Change libts to stop making udev related configuration if optee-client
  is deployed to the target to avoid conflicts.
- Remove the executable permission from installed tee-udev.rules file.
- Remove teepriv device from udev file as this device is op-tee specific.

Signed-off-by: Gyorgy Szing <gyorgy.szing@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-04-02 11:00:04 -04:00
Gyorgy Szing 158ce8e566 optee-client: use the same tee group as libts
Change optee-client to use the same bitbake variable to configure the
group name used for controlling access to /dev/tee* devices on the
target. The aim is to simplify system configuration by aligning the
two recipes.

Signed-off-by: Gyorgy Szing <gyorgy.szing@arm.com>
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-04-02 11:00:04 -04:00
Gyorgy Szing 516eb0672f optee-client: drop privileges of tee-supplicant
Stop the tee-supplicant being run with root privileges when the system
is not using systemd.

Signed-off-by: Gyorgy Szing <gyorgy.szing@arm.com>
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-04-02 11:00:04 -04:00
Gyorgy Szing 91cacb6332 optee-client: fix udev and systemd handling
Eliminate the systemd specific install content fix-up commands appended
to do_install.
  - patch optee-client to allow controlling installation of systemd and
    udev specific configuration files.
  - pass driver group names to optee-client build

Signed-off-by: Gyorgy Szing <gyorgy.szing@arm.com>
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-04-02 11:00:04 -04:00
Gyorgy Szing 2ec60ece8d optee-os: add v4.4
Add recipes to allow building OP-TEE v4.4. This is the first version
carrying an SPMC implementation which supports branch protection.

Update corstone1000:
  - to use the new op-tee version
  - `CFG_TZDRAM_SIZE` is increased further from `0x340000` to `0x360000`
     as version 4.4.0 of OP-TEE OS requires more memory

Signed-off-by: Gyorgy Szing <gyorgy.szing@arm.com>
Signed-off-by: Bence Balogh <bence.balogh@arm.com>
Signed-off-by: Ross Burton <ross.burton@arm.com>

optee-os: corestone1000: udpate to op-tee v4.4

Update OP-TEE version and add a patch to increase TZDRAM size to add
more memory to OP-TEE.

Signed-off-by: Gyorgy Szing <gyorgy.szing@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-04-02 11:00:04 -04:00
Mikko Rapeli 94596e0fae optee-client: use udev rule and systemd service from upstream
Use backported upstream patch for udev rule and systemd service file.
sysvinit script is still used from meta-arm. Don't install systemd
service without systemd distro feature, other way round for
sysvinit script.

tee-supplicant started by systemd service runs as non-root teesuppl
user with teepriv group. sysvinit still runs as root since busybox
start-stop-daemon doesn't support -g group parameter and -u teesuppl
doesn't seem to change the effective user.

udev rules allow non-root /dev/tee* access from tee and
/dev/teepriv* access from teepriv groups.

Tested sysvinit changes with:

$ kas build ci/qemuarm64-secureboot.yml:ci/poky.yml:ci/testimage.yml

and systemd changes with:

$ kas build ci/qemuarm64-secureboot.yml:ci/poky.yml:ci/testimage.yml:ci/uefi-secureboot.yml

Cc: tom.hochstein@nxp.com
Cc: sahil.malhotra@nxp.com
Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-04-02 11:00:04 -04:00
Mikko Rapeli 9f19b9b9a3 trusted-firmare-a: update qemu patch status
Submitted to upstream and worked through review
comments and CI issues:

https://review.trustedfirmware.org/c/TF-A/trusted-firmware-a/+/36514

Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-04-01 10:42:55 -04:00
Mikko Rapeli 629fc54290 edk2-firmware: fix SOURCE_DATE_EPOCH
edk2-firmware build scripts use printenv to print SOURCE_DATE_EPOCH
but that is not in HOSTTOOLS and thus fails with configurations
which use VirtualRealTimeClockLib. Change to using SOURCE_DATE_EPOCH
environment variable directly to fix builds. I think this is OE
specific build config change but filed a bug report upstream
https://github.com/tianocore/edk2/issues/10910
since the fallback mechanism is not working.

Applying patch in 202411 recipe and not .inc since 202408 recipe
from meta-arm-bsp does not find the patch file from meta-arm
side.

[Jon Mason: corrected issues with email patch mangling for edk2]

Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-04-01 10:41:22 -04:00
Ross Burton 2cc1cd16ab CI: dump all environment variables in update-repos
Print all of the environment variables in the update-repos task for
introspection, instead of a subset.

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-04-01 09:25:23 -04:00
Ross Burton 9b92d080b1 CI: disable KAS_REPO_REF_DIR by default
Having local repo caches is a little fiddly to manage, and by definition
we're running CI inside GitLab which supports mirroring repositories
automatically.

As these mirrors are always available and update automatically, make
Kas reference directories opt-in and instead expect that the site is
either fine with full fetches, or is using KAS_PREMIRRORS.

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-04-01 09:25:23 -04:00
Ross Burton c8da42d7bd CI: always save the lockfile.yml in update-repos
The update-repos job can "fail with warnings" if the reference repository
fetch fails. This is intentionally a warning as the CI may have set
KAS_PREMIRRORS and a stale cache is fine.

However, by default artifacts are only saved on successful jobs, so if
this happens the lockfile.yml isn't saved. Ensure the artifacts are
always saved so the rest of the pipeline is successful.

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-04-01 09:25:23 -04:00
Jon Mason f94c002d1d arm-bsp/sgi575: add FVP support
Add FVP support to sgi575 and run a boot test as part of CI.  Networking
is not currently working and seems to require an older version of edk2
to boot the kernel.  Also, the unique files for grub and wks do not seem
to be necessary.

Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-03-28 10:00:08 -04:00
Jon Mason 3bf8bf5d4d arm/fvp: add TC3 and Neoverse v3, remove n1 edge
Add Total Compute 2023, Neoverse V3 R1, and Reference Design-1 AE FVPs.
Also, remove Neoverse N1 Edge.

Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-03-28 10:00:08 -04:00
Jon Mason 957fcca083 arm/edk2-firmware: Fix branch name variables
In the SRC_URI, the branch name variables are switched for edk2 and
edk2-platforms.  Switch them as appropriate.

Fixes: bf204866e8 ("arm: Use SRC* variables consistently")
Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-03-28 10:00:08 -04:00
Ross Burton 49cad31d10 ci/update-repos: always pass the latest URL
Instead of assuming that the repository was created with the latest URL,
fetch the repository explicitly when fetching.

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-03-26 15:00:07 -04:00
Ross Burton 95e4041c19 ci: show KAS_PREMIRRORS in preamble
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-03-26 15:00:07 -04:00
Ross Burton 69f9b2da14 ci: forward the exit code from update-repos
If update-repos fails with status 128 then that means it failed to fetch
the remote repositories.  This should result in a warning not a failure
but flock was just returning status 1.

Save the exit code and if it returns 128 continue but exit with it
later, so the lockfile generation still occurs but the job doesn't fail.

Also, only call the update-repos script if KAS_REPO_REF_DIR has been set.

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-03-26 15:00:07 -04:00
Ross Burton 5d0fcd503b CI: use canonical git.yoctoproject.org URLs
The canonical repository URLs don't use /git/.

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-03-26 15:00:07 -04:00
Mikko Rapeli 56c13c3648 trusted-firmware-a: move qemu patch
qemuarm64-secureboot directory in path to 0001-Add-spmc_manifest-for-qemu.patch
hides the patch from machines with different names and thus break builds
unless overrides are set to include "qemuarm64-secureboot".
Move patch to plain "files" directory to avoid build failures
and this cumbersome workaround.

Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-03-25 14:05:52 -04:00
Ross Burton 34c8608d87 arm-system-ready/arm-systemready-ir-acs: add version to download filename
The download filename wasn't versioned so multiple versions would write
to the same file on disk and conflict, causing repeated downloads and
fetch failures.

Add the PV to the filename on disk to resolve this.

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-03-25 14:05:32 -04:00
Ross Burton c9fa84d0f7 CI: use DEFAULT_TAG as the default ACS_TAG
This stops the job being stuck if the runners will only take jobs that
have been tagged.

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-03-25 14:05:32 -04:00
Jon Mason f78c6c0e4f arm/trusted-firmware-a: update 2.12.0 recipe to 2.12.1
Update to the lts-v2.12.1 tag.  Changes include a number of CVE fixes
and mbedtls minor version bump:
	8cf9edba5cc3 docs(changelog): changelog for lts-v2.12.1 release
	f5d048108bf3 Merge changes from topic "for-lts-v2.12.1" into lts-v2.12
	56472775f96d docs(maintainers): update LTS maintainers
	baab55315c7f docs: updates to LTS
	f00f71efc410 docs: add inital lts doc
	1a8ee82c6d77 Merge changes from topic "for-lts-v2.12.1" into lts-v2.12
	b19ce90a908c fix(rd1ae): fix rd1-ae device tree
	34f10e7d9fc7 feat(rd1ae): add Generic Timer in device tree
	551dc4c09f57 docs(rd1ae): update documentation to include BL32
	8e4240779867 feat(rd1ae): add support for OP-TEE SPMC
	8e4bb69c747e feat(mbedtls): mbedtls config update for v3.6.2
	a46d6a1320d7 docs(prerequisites): update mbedtls to version 3.6.2
	2ffe181a3982 refactor(mbedtls): rename default mbedtls confs
	3809359e2124 fix(cpus): workaround for Neoverse-V3 erratum 3701767
	4a9ff092c9b4 fix(cpus): workaround for Neoverse-N3 erratum 3699563
	7e41b706e97c fix(cpus): workaround for Neoverse-N2 erratum 3701773
	15300ac30c55 fix(cpus): workaround for Cortex-X925 erratum 3701747
	6e0efc7fe739 fix(cpus): workaround for Cortex-X4 erratum 3701758
	8299c1274617 fix(cpus): workaround for Cortex-X3 erratum 3701769
	fa6c9874485b fix(cpus): workaround for Cortex-X2 erratum 3701772
	4e78288fd2bc fix(cpus): workaround for Cortex-A725 erratum 3699564
	ae6edfd5b543 fix(cpus): workaround for Cortex-A720-AE erratum 3699562
	24526273fc50 fix(cpus): workaround for Cortex-A720 erratum 3699561
	a7b322706435 fix(cpus): workaround for Cortex-A715 erratum 3699560
	d4826882210b fix(cpus): workaround for Cortex-A710 erratum 3701772
	9d6143ec8ffb fix(cpus): workaround for accessing ICH_VMCR_EL2
	7e4bf042a0dd chore(cpus): fix incorrect header macro
	9427c061eb8d fix(security): apply SMCCC_ARCH_WORKAROUND_4 to affected cpus
	bea64fd5272d fix(security): add support in cpu_ops for CVE-2024-7881
	16b87247ed03 fix(security): add CVE-2024-7881 mitigation to Cortex-X3
	427c33bc0c0b fix(security): add CVE-2024-7881 mitigation to Neoverse-V3
	192a152448ae fix(security): add CVE-2024-7881 mitigation to Neoverse-V2
	3e4d94c43b64 fix(security): add CVE-2024-7881 mitigation to Cortex-X925
	41a52efd6f38 fix(security): add CVE-2024-7881 mitigation to Cortex-X4
	2f09b9f3c2af fix(security): enable WORKAROUND_CVE_2024_7881 build option
	70a7d3f2d030 fix(cpus): workaround for CVE-2024-5660 for Cortex-X925
	41b64fe36f42 fix(cpus): workaround for CVE-2024-5660 for Cortex-X2
	0b2d22097c96 fix(cpus): workaround for CVE-2024-5660 for Cortex-A77
	193370e1c6a2 fix(cpus): workaround for CVE-2024-5660 for Neoverse-V1
	d52c52a5fa8c fix(cpus): workaround for CVE-2024-5660 for Cortex-A78_AE
	3bd6531a55a4 fix(cpus): workaround for CVE-2024-5660 for Cortex-A78C
	eda09acd1b22 fix(cpus): workaround for CVE-2024-5660 for Cortex-A78
	b9766da96365 fix(cpus): workaround for CVE-2024-5660 for Cortex-X1
	6324220805b1 fix(cpus): workaround for CVE-2024-5660 for Neoverse-N2
	6041f0723994 fix(cpus): workaround for CVE-2024-5660 for Cortex-A710
	b23f5da614e6 fix(cpus): workaround for CVE-2024-5660 for Neoverse-V2
	ef378713fa4b fix(cpus): workaround for CVE-2024-5660 for Cortex-X3
	2898088f8ba6 fix(cpus): workaround for CVE-2024-5660 for Neoverse-V3
	b8e111c72619 fix(cpus): workaround for CVE-2024-5660 for Cortex-X4
	a6f6396313ea fix(cpus): workaround for Cortex-X4 erratum 2923985
	d1c3a5d8b9d8 fix(build): do not force PLAT in plat_helpers.mk
	ea1b816b1763 chore(deps): update pytest for cot-dt2c
	65762d7b4cfc chore(deps): bump jinja2
	87f3125a0e45 chore(deps): bump jinja2 in the pip group across 1 directory
	b4530565c030 chore(deps): bump the pip group across 2 directories with 1 update
	11e5f92d3d43 build(deps): bump setuptools in the pip group across 1 directory
	850389f4acfe chore(deps): bump micromatch

Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-03-20 12:49:21 -04:00
Jon Mason 27a88dd7bd arm/opencsd: update to v1.5.6
Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-03-20 12:49:21 -04:00
Jon Mason b4e61d8c10 arm/edk2-firmware: update to edk2-stable202411
Update to the latest version of edk2.  Unfortunately, sbsa-ref has a
kernel warning due to the CPU topology that was added.  So, hold this
platform back to 202408 and move those recipes to meta-arm-bsp.

Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-03-20 12:49:21 -04:00
Mikko Rapeli 45daeba052 oeqa parselogs-ignores-sbsa-ref.txt: ignore screen error
It's not clear why this happens but this error is visible
in CI builds too often. Root cause needs analysis but
ignore the error for now.

https://autobuilder.yoctoproject.org/valkyrie/#/builders/75/builds/1190/steps/23/logs/stdio

Traceback (most recent call last):
  File "/srv/pokybuild/yocto-worker/meta-arm/build/meta/lib/oeqa/core/decorator/__init__.py", line 35, in wrapped_f
    return func(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^
  File "/srv/pokybuild/yocto-worker/meta-arm/build/meta/lib/oeqa/runtime/cases/parselogs.py", line 185, in test_parselogs
    self.assertEqual(errcount, 0, msg=self.msg)
AssertionError: 1 != 0 : Log: /srv/pokybuild/yocto-worker/meta-arm/build/build/tmp/work/sbsa_ref-poky-linux/core-image-sato/1.0/target_logs/Xorg.0.log
-----------------------
Central error: [   103.173] failed to find screen to remove
***********************
[   101.955] (**) QEMU QEMU USB Tablet: (accel) selected scheme none/0
[   101.955] (**) QEMU QEMU USB Tablet: (accel) acceleration factor: 2.000
[   101.958] (**) QEMU QEMU USB Tablet: (accel) acceleration threshold: 4
[   102.144] (II) event0  - QEMU QEMU USB Tablet: is tagged by udev as: Mouse
[   102.169] (II) event0  - QEMU QEMU USB Tablet: device is a pointer
[   102.228] (II) config/udev: Adding input device QEMU QEMU USB Keyboard (/dev/input/event1)
[   102.228] (**) QEMU QEMU USB Keyboard: Applying InputClass "libinput keyboard catchall"
[   102.229] (II) Using input driver 'libinput' for 'QEMU QEMU USB Keyboard'
[   102.229] (**) QEMU QEMU USB Keyboard: always reports core events
[   102.229] (**) Option "Device" "/dev/input/event1"
[   102.318] (II) event1  - QEMU QEMU USB Keyboard: is tagged by udev as: Keyboard
[   102.326] (II) event1  - QEMU QEMU USB Keyboard: device is a keyboard
[   102.345] (II) event1  - QEMU QEMU USB Keyboard: device removed
[   102.385] (**) Option "config_info" "udev:/sys/devices/platform/PNP0D10:00/usb1/1-2/1-2:1.0/0003:0627:0001.0002/input/input1/event1"
[   102.386] (II) XINPUT: Adding extended input device "QEMU QEMU USB Keyboard" (type: KEYBOARD, id 7)
[   102.519] (II) event1  - QEMU QEMU USB Keyboard: is tagged by udev as: Keyboard
[   102.527] (II) event1  - QEMU QEMU USB Keyboard: device is a keyboard
[   103.105] (II) modeset(0): Disabling kernel dirty updates, not required.
[   103.165] (II) config/udev: removing GPU device /sys/devices/pci0000:00/0000:00:01.0/drm/card0 /dev/dri/card0
[   103.173] xf86: remove device 0 /sys/devices/pci0000:00/0000:00:01.0/drm/card0
[   103.173] failed to find screen to remove
***********************
1 errors found in logs.

Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-03-20 11:00:04 -04:00
Ross Burton 00fa95aec1 CI: fix duplicate variables
I accidentally created two variables sections, resulting in our build
jobs running on very limited containers.

Signed-off-by: Ross Burton <ross.burton@arm.com>
2025-03-20 11:50:21 +00:00
Ross Burton f20bd9ff62 CI: move CPU_REQUEST from .build to .setup
We were only setting the k8s CPU request in .build jobs not .setup. This
was intentional initially so that only the build jobs get more resources,
but some of the non-.build jobs are resource-heavy. For example, the
pending-updates job has to parse the entire metadata from scratch, and
that sometimes takes longer than usual when we only have two cores to
use.

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-03-11 11:00:07 -04:00
Mikko Rapeli 53bfba8c5b optee-ftpm: support genericarm64
genericarm64 machines may have firmware with optee support
and thus also optee-ftpm may be compiled and used there.
tee-supplicant will load TAs at runtime if support is
detected.

Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-03-11 07:00:04 -04:00
Mikko Rapeli 11d3f0ad34 optee: support genericarm64
optee-client/tee-supplicant, optee-os-tadevkit and optee-test can be
compiled for genericarm64 and these detect firmware optee support at
runtime. Using qemuarm64 compatible config for them.
optee-os itself may need HW specific config for different boards
and SoCs but these components work with same config on multiple boards.
Tested on qemu and AMD kv260 with Linaro Trusted Substrate firmware
(https://gitlab.com/Linaro/trustedsubstrate/meta-ts).

Note: optee-test version in userspace and optee-os version in firmware
must match for tests to pass.

Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-03-11 07:00:04 -04:00
Ross Burton e02a77c055 CI: there's no need to run pending-updates on x86 machines
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-03-10 09:00:05 -04:00
Ross Burton af9375798f arm/arm-bsp/trusted-firmware-a: use main branch when fetching mbedtls
mbedtls pushes to both master and main, but main is preferred.

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-03-10 09:00:05 -04:00
Ross Burton b6227e2962 arm-bsp/fvp-base: bump cores to to v8.5
The Pointer Authentication (PAC) instructions are part of v8.3, and BTI
(Branch Target Indentification) instructions are mandatory in v8.5.

As we want to use PAC/BTI everywhere in this BSP, bump the cores to
v8.5.

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-03-06 10:40:44 -05:00
Andrew Jeffery f9f47ec15a arm/trusted-services: ts-sp-fw: Replace v2.7.0 tag with commit ID
Do so for the usual reason of avoiding network access during recipe
parsing. Occasionally parsing will stall for me as it seems connectivity
to trustedfirmware.org can be flaky.

Signed-off-by: Andrew Jeffery <andrew@codeconstruct.com.au>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-02-28 01:00:06 -05:00
Jon Mason 07fcd92a68 arm/boot-wrapper-aarch64: update to the latest
Update to the latest commit.
Changes in gn between 5e3760073454c72f3458805a1b7a89ecf80353cb and ac6742520ded1da30d500f74e8affe86e27cabd5
	ac6742520ded aarch64: Start Xen on Armv8-R at EL2
	ba899d1d7227 aarch64: Implement PSCI for Armv8-R
	476a0b6451d7 aarch64: Enable Armv8-R EL2 boot
	0f00cf4cb8b2 Introduce --with-bw-arch for boot-wrapper compile arch
	aafb5958eb9d Boot CPUs sequentially
	d62de19c8661 Add printing functions
	1ab497ed6c38 Simplify spin logic
	1e576e54d0a4 Unify assembly setup paths
	19ffbec99cf5 aarch32: Always enter kernel via exception return
	e8e6f797bafa aarch32: Implement cpu_init_arch()
	8745a2cd8e0a aarch32: Refactor inital entry
	77c3316737fc aarch64: Always enter kernel via exception return
	308d25f908a8 aarch64: Implement cpu_init_arch()
	4dcb17f55300 aarch64: Remove redundant EL1 entry logic
	400f0a86dcc8 Revert "configure: allow the use of bare-metal toolchains"
	1fea854771f9 configure: allow the use of bare-metal toolchains
	784feb9b0753 Makefile: suppress RWX segment warnings
	e1d7651f3c2f Makefile: rework test-dtc-option
	cd7fe8a88e82 aarch64: Enable access into RCW[S]MASK_EL1 registers from EL2 and below
	1ac203146003 aarch64: Enable access into 128 bit system registers from EL2 and below
	b13b3bdcb2a1 aarch64: Enable access into SCTLR2_ELx registers from EL2 and below
	61b84b4a1c02 aarch64: Remove TSCXT bit set from SCTLR_EL2_RESET
	3bac221638c4 configure: make --with-kernel-dir optional

Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-02-25 11:00:05 -05:00
Jon Mason 9da0a47d07 arm/trusted-firmware-rmm: update to 0.6.0
Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-02-25 11:00:05 -05:00
Jon Mason b31af92555 arm/trusted-firmware-m: update to v2.1.1
Update trusted-firmware-m to the latest LTS (TF-Mv2.1.1)
Changes between 0c4c99ba33b3e66deea070e149279278dc7647f4 and 02bf279913439a07082dd581df033f370a8fbb92
	02bf27991343 docs: Release notes for v2.1.1
	7264a32e84a0 docs: rp2350: Minor docs & script improvements
	4bad159af017 Docs: Release dates update
	a5e02ec0c6a2 Align .gitignore contents to main branch
	8fe944a652f5 Platform: RP2350: Fix NV counters in ITS
	66bc1fa8eed9 Build: Fix patch formatting for 0001-iar-Add-missing-v8.1m-check.patch
	895d44a4eb52 Platform: RP2350: Add NV counters to ITS
	e81b741aa6cc tf-m-tests: Step version for rp2350 psa-arch-tests
	2be65a027c86 Platform: rp2350: Add rwx linker flag conditionally for GNUARM
	a85425417696 Platform: RP2350: Add RP2350 porting
	9ed2e7c7f52b Platform/TFM/ITS/Config: Commits required for new platform porting
	f12db7c872d5 cc3xx/low-level/pka: SRAM size depends on CC3XX version
	c7e0192fab6f cc3xx/low-level/hash: wait for hash engine to be idle
	42a4041bdff4 Crypto: Update to Mbed TLS 3.6.2
	471c127e7755 Crypto: Add option to enforce ABI compatibility
	7da71fd05445 tfm_spe_mailbox: Fix NULL pointer checks
	974bc101e0b2 cc3xx/low-level/pka: wait for sw reset to be done before proceeding
	89b9c4889c60 Crypto: Enforce MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS on Mbed TLS config
	62b1300557c5 Crypto: Additional checks for writes to avoid out-of-bound access
	a2cead6a9ef4 tfm_spe_mailbox: Use local vars for local_copy_vects
	15afe61d1194 TFMV-8: Fix unchecked user-supplied pointer via mailbox message
	22e8e89c8f56 tfm_spe_mailbox: Do not write-back on input vectors checks failure
	12a4c5342965 tfm_spe_mailbox: Validate vectors from NSPE
	75bbe3fc0240 CC3XX: Relax assert condition in aead_crypt for input
	0db7ebf32ba3 Crypto: Protect writes to avoid out-of-bound access
	2ecea430fbb4 Crypto: Prevent the scratch allocator from overflowing
	fbcdc69b794d SPM: mailbox_agent_api: Free connection if params association fails
	2a59580b5809 Crypto: Update to Mbed TLS 3.6.1
	6a54ec89f22f Platform: STM32: script all_stm_platfrom
	66596b4dae57 Platform: corstone1000: Fix isolation L2 memory protection
	7045675209ca stm : fix error on b_u585i_iot02a with TF-Mv2.1.0

Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-02-25 11:00:05 -05:00
Jon Mason 55b41af673 arm/trusted-firmware-a: update the LTS to v2.10.12
Update trusted-firmware-a to lts-v2.10.12
Changes between 7e63213601425c7a6d83e47dc936b264deb9df2b and 408ba4ddfe9a8d55e3e2488bea89c39adef07981
	408ba4ddfe9a docs(changelog): changelog for lts-v2.10.12 release
	7bdf51628eab Merge "docs(maintainers): update LTS maintainers" into lts-v2.10
	8355ef7728ec docs(maintainers): update LTS maintainers
	faceedf4e5c2 Merge changes from topic "for-lts-v2.10.12" into lts-v2.10
	9007a3344e12 Merge changes from topic "gr/lts-doc-2.10" into lts-v2.10
	924c7f42ce4a chore(deps): bump cross-spawn
	7c8c034e5fed chore(deps): bump jinja2 in the pip group across 1 directory
	3d85a19f2f54 docs: updates to LTS
	13657a3f3f2a docs: add inital lts doc
	a4c57c122407 Merge changes from topic "lts-v2.10.12" into lts-v2.10
	564922601397 feat(mbedtls): mbedtls config update for v3.6.2
	44161dcb10ab docs(prerequisites): update mbedtls to version 3.6.2
	0ac65e7aa5ec refactor(mbedtls): rename default mbedtls confs
	8b2c885739dd fix(arm): add extra hash config to validate ROTPK
	832b92b7f615 docs(changelog): changelog for lts-v2.10.11 release
	a3fc7c18c461 Merge changes from topic "for-lts-2.10.11" into lts-v2.10
	196984e65da0 fix(cpus): workaround for Cortex-X4 erratum 2923985
	0eed05ee70aa chore(cpus): optimise runtime errata applications
	34e6d7cb8ce1 Merge changes from topic "sm/fix_erratum" into lts-v2.10
	ad9dfdc5800c fix(cpus): workaround for CVE-2024-5660 for Cortex-X2
	5673d345aaa3 fix(cpus): workaround for CVE-2024-5660 for Cortex-A77
	4fd2a6702dd1 fix(cpus): workaround for CVE-2024-5660 for Neoverse-V1
	a02a863d3156 fix(cpus): workaround for CVE-2024-5660 for Cortex-A78_AE
	87250d2bb1ea fix(cpus): workaround for CVE-2024-5660 for Cortex-A78C
	30c57c58abe3 fix(cpus): workaround for CVE-2024-5660 for Cortex-A78
	c7d3c9eb2d81 fix(cpus): workaround for CVE-2024-5660 for Cortex-X1
	282e63544d26 fix(cpus): workaround for CVE-2024-5660 for Neoverse-N2
	f7ae819f03ae fix(cpus): workaround for CVE-2024-5660 for Cortex-A710
	3efc9e13011d fix(cpus): workaround for CVE-2024-5660 for Neoverse-V2
	17e17ed3f1e6 fix(cpus): workaround for CVE-2024-5660 for Cortex-X3
	a6375e1feb42 fix(cpus): workaround for CVE-2024-5660 for Neoverse-V3
	e42abf298321 fix(cpus): workaround for CVE-2024-5660 for Cortex-X4
	698e68fe1fe9 fix(cpus): workaround for CVE-2024-5660 for Cortex-X925
	b229b47bd86c chore: rename Blackhawk to Cortex-X925
	96498991d1ce chore: rename Chaberton to Cortex-A725
	b28aa38e28cf docs(changelog): changelog for lts-v2.10.10 release
	8e74814ce52f Merge changes from topic "for-lts-v2.10.10" into lts-v2.10
	c9f3fb5822dc build(deps): bump setuptools in the pip group across 1 directory
	395ef3534cf1 chore(deps): bump micromatch
	6c6e986bffb3 build(npm): update Node.js and all packages
	c5d2a030a35f build(deps): bump braces
	ebf6430a01c5 build(deps): bump idna from 3.4 to 3.7
	93ad43e79ef7 build(deps): bump jinja2 from 3.1.2 to 3.1.4
	f8a06a0f82ce build(deps): bump urllib3 from 2.0.2 to 2.2.2
	3ea256c36a4b build(deps): bump pip from 23.1.2 to 23.3

Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-02-25 11:00:05 -05:00
Jon Mason 74bd36ec63 arm/gn: update to latest commit
Update to the latest gn commit.
Changes in gn between 95b0f8fe31a992a33c040bbe3867901335c12762 and ab638bd7cbb9ac8468bf2fbe60c74ed4706a14a7
	ab638bd7cbb9 Revert "Speed-up GN with custom OutputStream interface."
	2dd9331a7041 Speed-up GN with custom OutputStream interface.
	ed1abc107815 Add `exec_script_allowlist` to replace `exec_script_whitelist`.
	c97a86a72105 Retry ReplaceFile in case of failure
	7296b601ea80 Fix crash when NinjaBuildWriter::RunAndWriteFile fails
	468c6128db7f fix include for escape.h
	5a47a93b9426 fix exit code for gn gen failure
	24e92acb8472 misc: Use html.escape instead of cgi.escape
	feafd1012a32 Do not copy parent build_dependency_files_ in Scope constructors.

Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-02-25 11:00:05 -05:00
Jon Mason 543adf67d2 arm/opencsd: update to 1.5.5
Update to the latest stable version (1.5.5), comprised of the following
commits:
	742d60ed7dc7 opencsd: Update version info and README for 1.5.5
	7ca491c516b8 build: Update docs for MacOS support
	cac83e59666e build: Add MacOS development makefile
	e56eff270ca2 build: Use .dylib shared library suffix for MacOS
	35f957d2a97a build: Create initial MacOS makefile
	44dff5b22a26 build: Restore Linux build support
	a0e13010e1d6 build: Rename build folders as 'unix_common' for upcoming MacOS support
	ecdde9f69307 tests: Add option to suppress elapsed processing time in test program.
	821632be920c tests: update mem_buff_demo test to add options.
	70e472c9387f opencsd: Memacc object cleanup fix

Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-02-25 11:00:05 -05:00
Jon Mason f1fc5c53a1 arm/hafnium: update to v2.12.0
Update to the latest version of halfnium

Changes between 2bef7ab3895c48d39b84ab58179b2d0de5156b8b and 2cf2ca7c4b81ab18e9cd363d9a5c8288e2a94fda
	2cf2ca7c4b81 docs: the change log for the v2.12 release
	69e18eb52d63 docs: update the threat model for IPI threats
	c9866ab33c7a docs: add description of single service IPI support
	b17856caec30 test: interrupt targeting blocked vcpu is queued
	0ee13d9cc510 test: add helpers to share page for coordination btw endpoints
	eda971da9f4c fix: queue interrupt targeting blocked vcpu
	0a69718c6298 fix(docs): fixes to the docs to fix build errors
	4b3d26803b56 test(ipi): IPI to invalid vCPU fails
	2f579f93c1d9 test: multiple SPs periodic deadlines on multiple cores
	8157b6897a8f test: multiple SPs with periodic deadline
	b390a0d12967 test(ipi): set target vCPU in VCPU_STATE_BLOCKED
	2affbc7a7bbb test(ipi): target vCPU set in VCPU_STATE_PREEMPTED
	180a65a7be5f feat(ipi): handle in VCPU_STATE_BLOCKED/PREEMPTED
	84d49b67d2d9 fix(ipi): small fixes to the ipi implementation
	0136b2bf3f35 test: migrate blocked vcpu with pending timer
	da42b544504b test: timer expired while vcpu is in PREEMPTED state
	7c9702280c62 chore: reduce verbosity of console messages for SPs
	9243e772b209 docs: support for arch timer in secure world
	c0110997e1f8 chore: add doc comment on Pauth fault tests
	a067dc1d77f8 test: add unit tests for timer management
	872742eec217 test: use watchdog timer as source of non secure interrupt
	febcb625856e test: add driver for normal world watchdog timer
	b9dd51451e46 test: introduce driver for sp805 peripheral
	65827d703535 test: migrate vCPU of SP with pending timer deadline
	593b8addcbdc test: multiple SPs programmed with timer deadlines
	fe10878b1e1c test: SP reprograms the arch timer deadline
	b2429b49c524 test: SP handles timer with short deadline
	34c050a04357 test: commands for SP services to configure timer
	64ae5a8d6a18 test: add SP helper utilities for arch timer
	6b8cf4f361f6 feat(arch timer): handle spurious host timer interrupt
	106bfc364d64 feat(arch timer): migrate vCPU with pending timer to another CPU
	cf069a65988e feat(arch timer): resume SP if deadline expires in NWd
	2efb3e103382 feat(arch timer): handle host timer interrupt tracking live deadline
	32424db1d5d6 feat(arch timer): inject timer virtual interrupt before resuming vCPU
	a3787c91a96c feat(arch timer): track pending timer configured by SP vCPU
	28e988f3bb56 chore: exclude physical timer source file from static checks
	f684d196422b feat(arch timer): trap and emulate physical timer access from SPs
	d3ac7383c10f feat(arch timer): helpers to configure EL1 physical timer
	f658f5e1a6e1 feat(arch timer): initialize timer list and host physical timer
	def48d0365b3 feat(arch timer): introduce host timer driver
	c31708afa85c feat(arch timer): helper utilities to add and remove from timer list
	eed861e514ba feat(arch timer): data structure to track pending timers
	08200fe0f2e2 test: physical interrupt preempts virtual interrupt handling
	75331b3ee028 test: SPMC call chain not preemptible
	179f567f17fe test: helpers commands to mimic secure interrupt scenarios
	94946a1451e3 fix(interrupts): SPMC scheduled call chain shall not be preempted
	025a451a9275 fix: simplify secure interrupt handling
	c3fd9756a53e feat(memory share): handle GPF in FFA_MEM_FRAG_RX
	e06384d55458 docs: document VM availability messages
	50ef91174b38 refactor: api_ffa_msg_send_direct_resp
	13f09815b474 refactor: don't pass sender/receiver ID
	79504ff11a86 refactor: remove unused functions
	a1a0235181b3 test: VM availability messaging tests
	06e8b732abc2 feat: forward VM availability messages from SPMC to SP
	d0356f85a2a2 refactor: `spmd_handler` refactorings
	520bcc86451b test: VM created/destroyed partition properties
	a603e0842531 feat: VM created/destroyed partition properties
	18694027d10d feat: parse `vm-availability-messages`
	1308a63f4851 test(ipi): FFA_NOTIFICATION_INFO_GET reports pending IPI
	d270b869c989 test(ipi): target waiting vCPU whilst in SWd
	537165559733 test(ipi): target waiting vCPU whilst in NWd
	3a9510e81960 test(ipi): handling SRI in the NWd
	377defd58730 test(ipi): send IPI to running vCPU
	d2efb134495d test(ipi): state machine to help testing IPI
	8be2651ff463 test(ipi): add unit tests for fetching pending IPIs
	1f2babf02fd8 feat(ipi): report IPIs in FFA_NOTIFICATION_INFO_GET
	960be20fecdc feat(ipi): handle IPI for waiting case
	f3cf28cf7d4b feat(ipi): introduce IPI paravirtualised interface
	18485946304c refactor: use bitfields for interrupt_descriptor struct
	e44e18e5702b fix: increase stack size in primary VM
	cc9d11383413 ci: increase timeout for long running tests
	b8f9a899f0be test: if SPs wake up with eret FFA_RUN
	4dbf4d95c63f fix: only normal world VMs need FFA_RUN
	478faac95b69 refactor: always eret FFA_RUN to the caller
	8ddb0e2d11e6 chore: drop the FFA_RUN tests
	3190f5401e09 chore: specify updated submodule commit hash
	baaf9e5bd0c5 docs: update FFA_PARTITION_INFO_GET(_REGS)
	0ffce75f8244 refactor(notifications): verbose validity check
	3e55c4d8e3de fix: check ff-a version for functionality support
	d96c931b233d test(ff-a): report features in partition info get
	7fb0fdb7ab97 fix: report indirect message and direct message 2
	11f50e5ff10b chore: drop linux/driver project checks
	d5d6c381e69c chore: drop the driver/linux submodule
	8018929656f3 doc: refer the checkpatch.pl setup
	d8e61447a1b5 ci: add script download checkpatch.pl
	94b0fa111104 chore: drop rule to update linux binary
	ddeedafa09d0 chore: drop the third_party/linux submodule
	6b756a10770a ci: drop the setup with the hafnium driver
	15e302616540 chore: drop hf_interrupt_inject
	da6b099e5dfb chore: drop mailbox waiting list
	9a9ed227a137 test(ff-a): FFA_MSG_WAIT called with pending message
	ccbf26c078c7 docs: add FFA_MSG_WAIT description
	ea8ccfe752cb refactor(notifications): drop the SRI state
	ac0cb263714c chore: drop legacy timer support in hypervisor
	9acc62973951 chore: remove legacy timer support tests
	a74c97c4c184 test: interrupt targets blocked SP
	23a7e58b6494 fix(interrupts): resume blocked vCPU and pend vIRQ line
	3e749afb2d9b test(pauth): test PAuth usage from S-EL0
	70c6ca0e0cb9 fix(pauth): use prng to generate S-EL0 pauth keys
	9478e32bb811 refactor: UUID packing/unpacking
	cca64d765bf0 refactor: `get_ffa_partition_info`
	fb9c2a27a319 refactor: `api_ffa_fill_partition_info`
	45abeebfd2b4 feat: report error if too many UUIDs in manifest
	6053297ef775 refactor(manifest): UUID parsing
	8c5de22b6b6a test: fork 'preempted_by_secure_interrupt'
	bd32c97bdb07 refactor: simplify interception of FF-A calls
	67f5ba3d10d3 refactor: boot order list to use list.h
	8e02186908e0 refactor: rename list functions
	3bfc36eab652 test(ff-a): cannot send indirect message when RX buffer full
	3d5a9609bf43 test(ff-a): add RX retention tests to S-EL0 setup
	a2103eb08381 feat(code-coverage): check elf files for folder include/exclude
	c7270b752e5f fix(memory share): hypervisor retrieve request check
	7640451f68fc fix(build): fix out of tree build specifying $OUT
	36fcf881497b fix: detect pauth algorithm in cpu
	483686441714 refactor: `memcpy` refactors
	5d5f27972dbb fix: use correct load-address while adding offset
	3bb825946fed fix(indirect message): set framework notifications
	8ccd2d0f0552 fix: rename load address relative offset node name
	67196c7ad3bc docs: document new `FFA_VERSION` behaviour
	c4d9ae80b40b fix(ff-a): don't report ME interrupt to EL0
	41c5da385103 fix(notifications): delay SRI flag use from NWd
	d9e7c8fd3cf9 fix: in case the mailbox is FULL return FFA_RUN
	77b4eef0071d fix(hftest): clear NPI when polling for notifications
	486ffdce7223 test(ff-a): FFA_MSG_WAIT multicore RX buffer test
	337dbdfa04ee test(ff-a): test FFA_MSG_WAIT with retain RX buffer flag
	7253bd5c43fc feat(ff-a): add retain RX buffer flag to ffa_msg_wait
	bc854180a4bb test(ff-a): verify FFA_MSG_WAIT releases RX buffer
	be1a0b7a4d43 fix(ffa): add RX buffer release to FFA_MSG_WAIT
	b8730e9f7263 refactor: moved api_interrupt_clear_decrement to vcpu
	cfc8174a3a22 refactor: added ffa_msg_wait_complete
	472f66a344c9 refactor: use vm_id_is_current_world
	ac9407556eca refactor: rename implicit_completion_signal
	3b31f09c4e80 refactor: create vcpu_secure_interrupt_complete
	9a4b9c0b9592 fix(notifications): per-vCPU for MP only
	318e90a733de feat: queue interrupt targeting blocked vcpu
	c023e39839c0 test: new setup with S-EL1 UP SP as Service2
	538b688a0865 test: register secondary entrypoint only for MP S-EL1
	ec3bf2223df0 test: queue interrupt targeting a migrated vcpu in blocked state
	97fa216c6ae9 test: queue interrupt targeting a migrated vcpu in running state
	ce6baae61eee test: queue interrupt targeting a migrated vcpu in waiting state
	4fff340ea012 test: queue multiple pending virtual interrupts
	e1bec84e69f1 test: handle secure interrupt triggered by Generic Timer
	95bb8fe60145 test: leverage build define to identify an S-EL0 SP
	75a1ab7b9c3c test: update manifests to accommodate AP REFCLK timer device region
	76fe642c630f test: add SP helper commands to manage generic timer
	ad3fb6698931 test: add driver for AP REFCLK Generic timer
	92b404ecffd6 test: driver for generic memory mapped system timer
	ae519e184f12 test: map MMIO regions from device region nodes
	7945bb578a0f refactor: reduce fields tracking interrupt handling for vcpus
	93d3d7015108 feat(interrupts): target migratable S-EL1 UP vCPU
	42e56c11d90e feat(interrupts): target migratable S-EL0 UP vCPU
	48dc41c3890c feat(interrupts): queue if unable to signal virtual interrupt
	c64d0645a4c4 feat(interrupts): prioritize servicing queued virtual interrupts
	32913cb081cf feat(interrupts): data structures, helpers for queueing
	b7c2558e1bbd fix(interrupts): drop the running priority before resuming vcpu
	6acc53703857 fix(hftest): logs from different setups would override
	ff651e335032 feat: hftest to disable_visualisation
	6f6bf8a117f9 refactor: simplify functions to pend VI
	33172403a44a fix: moved unsupported function log
	3e9f605eba42 test: interrupt to be pended before boot
	cc542042dbbd feat(interrupts): physical interrupt enabled
	d533859d7826 chore: add venv to gitignore
	1c56a252a966 fix(hftest): service set-up functions in core 0
	65deaa433730 refactor: drop hypervisor-specific tests
	6045881f4fe2 fix(notifications): vCPU ID check in get ABI
	a2c79226b56b docs: redirect to a common ff-a binding document in TF-A
	296ee70c7af7 refactor(memory share): split check of hyp retrieve request
	058ddee34d02 fix: remove memory region's device attribute
	71704804400a secure_tc: enable branch protection
	9c5b1d3708f8 refactor: split `api_ffa_features`
	650cb148d610 refactor: report FFA_YIELD
	1a8c0cdb812c refactor: report secondary EP register supported
	5a222641c137 refactor: permission get/set supported at S-EL0 partitions
	4271ff9734fe refactor: remove arch/platform specific ffa_features
	4e8e479805bb refactor: reduce log level of some log statements
	be12343e0ceb fix(hftest): interrupt enable/disable
	94f9a7303d06 fix(docs): refactor poetry dependency group
	734981e83008 fix(memory share): dont change the PAS for device memory
	9a444adfee0b refactor(hftest): update iris options
	fd374b8c9227 fix(memory share): v1.1 emad reserved field check
	5ebf4bf2c364 feat: parallelize `clang-tidy`
	2ad6b66ef5f6 chore: fix `clang-tidy` warnings
	a4d4a2b00cf2 fix: check `.h` files with `clang-tidy`
	20acb0118db9 refactor: remove `make check`
	ca9234c8510c refactor: reformat `.clang-tidy`
	67a7926ce341 fix: first vCPU runs in the VCPU_STATE_RUNNING
	77f39c21e52a fix(docs): point poetry readthedocs virtual env
	bd43209c3d7f refactor: console log verbosity
	052fa62be451 fix(docs): design doc typo fails the build
	a33eca997600 fix(qemu): memory barriers to operate DMA
	66a38bd5184d fix: fix build with clang-18
	a5ea909bfc61 fix: fix build with clang-17
	74ee3ab8bb56 fix: fix build with clang-16
	6f1f1210152d feat: print vCPU ID
	920362870c0d test: tests for printing sequentially and concurrently
	31e5c95fd1c7 fix(hftest): define stacks for all secondary cores
	7cdb36d7dfa8 test(mem share): RO mem cannot be zeroed during send
	72d53a15d7b7 fix(boot): remove limit all partition memory is RW
	c7a3848c7cc0 refactor: improve hftest error message
	133ae6e2e48b feat(dlog): adopt FF-A in `stdout_putchar`
	c5cebbc0e8d0 refactor: move log buffer from VM to vCPU
	99fe2434f9d9 refactor: add documentation for interrupt controller in DT
	1c26ae7ec65a fix(gic): add support for passing GIC data from DT in boot flow
	99c5eff25b84 test: add unit tests to validate dma properties
	718afa9ca629 refactor: create a helper function to obtain common fields
	9c764b3e5437 refactor: use dma device properties struct within device node
	7de26958d155 refactor: extract VM's log buffer into separate struct
	6027b4f0bd7a fix: fix signature of `memcpy`
	8f046e4873ea refactor: remove `CHECK_OR_ZERO` macro from `std.h`
	2b56fc163c19 refactor: replace some uses of `uintptr_t` with `cpu_id_t`
	b4ef4320e1d0 refactor: use typedef for CPU entry point functions
	71d887b7cad0 refactor(memory share): improve naming of sender_orig_mode
	c8e6e85d7f72 test(memory share): device as normal through descritor mem types
	3b65a25f2642 test(memory share): lend device memory as normal
	6e2613628196 fix(memory share): add precedence check for memory type
	2268412d6968 test(memory share): normal memory lent as device
	91052c3eb749 fix(memory share): log for invalid instruction access
	3f295b18c75c feat(manifest): add overlap checks for SPMC memory
	889cbf1e6e82 refactor: use enums for PSCI constants
	5e99699970bc refactor: add helper function to check if VM is primary
	8204182ee3d2 refactor: add helper functions for checking if VM is UP/MP
	0a824e972474 chore: fix log strings
	bd060340445e fix(memory share): relinquish from VM
	9bbcb87d8873 fix(memory share): assert pointer before dereferencing
	a39a84497eda feat(memory share): relinquish use `memcpy_trapped`
	3f6527cd56f9 feat(memory share): revert memory retrieve
	69cdfd9531f8 feat(memory share): avoid updating PTs
	7b9cc432ce38 feat(memory share): memcpy_trapped to copy retrieve resp
	8f2150d1d4c6 feat(memory share): `memcpy_trapped` to read from tx
	f220d57a4102 fix(memory share): retrieve request validation
	c9227c849e62 fix(memory share): multiple borrower with NWd VM
	540cddfcb118 feat: introduce gicd_set_ctrl helper utility
	cde596402559 test(ff-a): add tests for changing version through `FFA_VERSION`
	64d930ee6c33 fix: check that calls to FFA_VERSION actually succeed
	e9921275a326 fix: memory sharing tests
	08befddc43c0 refactor: move `update_mm_security_state` to `common/ffa.c`
	2909e54cf230 refactor: port tests due to new restrictions
	d319fbbb5b9b fix: remove log statement that caused `FFA_VERSION` to fail
	6eeec8e85a5f feat: restrict `FFA_VERSION` calls
	0e617d9d2245 refactor(ff-a): `FFA_VERSION` related refactorings
	4b846eb871c0 fix(mem share): zeroing RO memory during memory send
	8fc1b5054cb2 fix: error codes need to be uint32_t
	6fd6c1d6ecad fix: fix input validation in FFA_FEATURES
	49ec1e42e218 refactor: refactor `api_ffa_features`
	88851f90b88e feat: add macros to check bits
	d1c34b5edee1 feat(mte): add error log for sync tag fault in EL2
	95fbb31760eb feat(memory share): add memory share 64-bit ABIs
	b9ae416a7d55 refactor: use `GET_ESR_EC` macro
	5a13355b0802 refactor: add `GET_ESR_FNV`
	9f7ce018c967 test(dlog): unit tests for `dlog` with binary format specifier
	7efc8377234e feat(dlog): support binary unsigned integer format specifiers
	e8937d9c2a05 chore(dlog): fix uses of `dlog` to use new format strings
	544549064bb2 feat(dlog): check arguments to `dlog` at compile-time
	50af30574657 test(dlog): unit tests for `dlog` with length modifiers
	70894da99ab1 feat(dlog): handle length modifiers
	e980e611ed8a refactor(dlog): miscellaneous changes related to logging
	705b56e94b38 refactor(dlog): move `dlog_flush_buffer` to `api.c`
	e8fdaed4c376 refactor(dlog): replace macros with enums
	93157d09e78f test(dlog): unit tests for `dlog`
	c9df08b45438 feat(hftest): assertion macros for strings
	d2ef618a680c refactor(dlog): return number of characters written
	222d9fbb3dee fix: enable `-Wsign-compare` in `ASSERT_EQ`
	1064a9c8d3c3 refactor: use `enum ffa_error` for errors
	824b63d9b256 feat: enable `-Wsign-compare`
	b090762d1c4d fix: disable `-Wsign-compare` for dtc
	4a88b9625897 feat: enable `-Wextra` flag
	df099becb672 refactor(init): use memory pool for boot params
	dc759f53ddbe refactor: use an enum for FF-A error codes
	d38270c14fe8 refactor: use enum for SP commands
	6a7c95926233 feat(hftest): rewrite error messages for failed assertions
	76766e61e230 refactor: use `typeof` in `HFTEST_ASSERT_OP`
	871b41e33565 refactor: always expand `assert` macro
	3a3e08dbd653 fix: check for illegal values of gic related build flags
	346a09cfce7f fix: check for illegal branch protection feature
	0549849def41 fix: propagate enable_mte build flag to cflags
	00d3b632aeda fix: incorrect calculation for number of boot info desc
	b886d4930571 fix(memory share): drop check to instruction access

Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-02-25 11:00:05 -05:00
Jon Mason 1adc206509 arm/fvp-base-a-aem: update to 11.28.23
Update to the latest version.

License SHA changed due to the addition of "Artistic License 2.0" and
was missing entries for a few others that were there previously.

Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-02-24 11:06:06 -05:00
Jose Quaresma a55e4445f2 bsp: optee-client: cleanup old tee-supplicant
The same tee-supplicant is available in the meta-arm layer
along with the recipe.

| meta-arm/recipes-security/optee/optee-client
| meta-arm/recipes-security/optee/optee-client/tee-supplicant.sh
| meta-arm/recipes-security/optee/optee-client/tee-supplicant@.service
| meta-arm/recipes-security/optee/optee-client.inc
| meta-arm/recipes-security/optee/optee-client_4.1.0.bb

Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-02-21 09:07:49 -05:00
Jon Mason 25ca4ecb32 arm/trusted-firmware-a: update git recipe
Update the TF-A git recipe to the latest commit (as it was older than
the 2.12 release previously).  Also, update mbedtls to 3.6.2 (per the
tf-a docs in the master branch).

Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-02-20 09:00:07 -05:00
Jon Mason 48708ed3cc arm/trusted-firmware-a: re-add patches
TF-A Patches were erroneously moved to meta-arm-bsp, despite still being
needed by the recipes in meta-arm.  Copy them back and make copious
apologies.

Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-02-20 09:00:07 -05:00
Jon Mason 7c2df809e0 arm/trusted-firmware-a: move qemuarm64-secureboot file to the correct location
Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-02-13 11:00:04 -05:00
Jon Mason 5773030601 CI/machine-summary: remove binary toolchains and sort entries alphabetically
Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-02-13 11:00:04 -05:00
Jon Mason 8a457932df arm/trusted-firmware-a: Move 2.11 to meta-arm-bsp
Move v2.11 to meta-arm-bsp so that corstone1000 can still use it (though
2.12 does appear to work).  Move all the other platforms in meta-arm-bsp
to use 2.12.

Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-02-11 10:24:07 -05:00
Jon Mason f0f0be29a3 arm/trusted-firmware-a: Add cot-dt2c
Platforms with GENERATE_COT need to either have COT_DESC_IN_DTB set or
use cot-dt2c to generate it.  Add cot-dt2c from trusted-firmware-a
sources and its python dependencies to enable this for those that need
it.

Also, move all the relevant platforms in meta-arm-bsp to use 2.12

Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-02-10 14:49:31 -05:00
Philip Puk d656275855 arm-bsp/u-boot: corstone1000: Reserve memory for RSS comm pointer access protocol
This memory was used by OpenAMP to establish communication between
the Secure Enclave and Trusted Services. After transitioning from
OpenAMP to RSE_COMMS, this shared memory is now configured for the
pointer access protocol in RSE_COMMS.

Since this memory may be still used by a user-space application
in linux as U-Boot is passing an EFI memory map starting from
0x80000000, this memory range should be reserved as the
pointer access protocol may be enabled on corstone1000 in the future.

Signed-off-by: Philip Puk <philip.puk@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-02-10 09:22:21 -05:00
Mikko Rapeli 34d326f107 systemd-boot: update systemd-bootaarch64.efi path
poky updated systemd from 256 to 257 which changed
the build time path.

Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
Signed-off-by: Ross Burton <ross.burton@arm.com>
2025-02-10 14:04:58 +00:00
Ross Burton 03af0c72f1 arm-toolchain: remove external-arm-toolchain
Integrating the binary Arm GCC toolchain into OE is quite complicated
because the binary release and oe-core's toolchain are arranged slightly
differently, which makes it quite fragile.

As it's obviously a binary release we cannot patch it to fix issues.

Also it has some fairly sizable limitations: for example the kernel
headers are old (from linux 4.19) and the locale packaging is different
so locale package dependencies don't work.

The main historic users of the external toolchain no longer use it, so
remove it.  The recipes will remain in the LTS branches for users who
are using it currently, but will not be part of the next release.

Signed-off-by: Ross Burton <ross.burton@arm.com>
Acked-by: Romain Naour <romain.naour@smile.fr>
Acked-by: Sumit Garg <sumit.garg@linaro.org>
Acked-by: Denys Dmytriyenko <denys@konsulko.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-01-30 07:26:31 -05:00
Ross Burton 78f7c988e2 arm-toolchain/external-arm-toolchain: update for toolchain provider changes
The oe-core commit "classes/recipes: Switch virtual/XXX-gcc to
virtual/cross-cc (and c++/binutils)"[1] changes the virtual names that
the toolchain components use, so external-arm-toolchain needs updating
to use these new names.

[1] 4ccc3bc8266c327bcc18c9a3faf7536210dfb9f0

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-01-30 07:26:31 -05:00
Musa Antike b56ab3175d kas: Include unattended Debian test
Add unattended installation yml to Debian  target

Signed-off-by: Musa Antike <musa.antike@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-01-29 11:41:59 -05:00
Musa Antike f1769d5640 arm-systemready/oeqa: Add unattended installation testcase
Add test for Debian unattended installation verification

Signed-off-by: Musa Antike <musa.antike@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-01-29 11:41:52 -05:00
Musa Antike f0978b3067 arm-systemready/linux-distros: Implement unattended Debian
- Implement unattended installation for Debian
- Upgrade Debian version to 12.8.0

Signed-off-by: Musa Antike <musa.antike@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-01-29 08:46:03 -05:00
Musa Antike 6e913cf30d arm-systemready/linux-distros: Move openSUSE unattended conf to SRC_URI
- Replace THISDIR with UNPACKDIR by adding unattended conf to SRC_URI

Signed-off-by: Musa Antike <musa.antike@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-01-29 08:46:03 -05:00
Musa Antike 0702fbbcfa arm-systemready/linux-distros: Move Fedora unattended conf to SRC_URI
- Replace THISDIR with UNPACKDIR by adding unattended conf to SRC_URI

Signed-off-by: Musa Antike <musa.antike@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-01-29 08:46:03 -05:00
Mikko Rapeli db933d55b4 trusted-firmware-a: fix mbedtls license checksum
tf-a 2.10.9 uses mbedtls 3.6.1 from 3.6 branch which
has the same checksum as in tf-a 2.11 recipe. Found when
downgrading tf-a from 2.12 to 2.10 to debug hangs on zcu102
board:

ERROR: trusted-firmware-a-2.10.9-r0 do_populate_lic: QA Issue: trusted-firmware-a: The LIC_FILES_CHKSUM does not match for file://mbedtls/LICENSE;
md5=3b83ef96387f14655fc854ddc3c6bd57
trusted-firmware-a: The new md5 checksum is 379d5819937a6c2f1ef1630d341e026d
trusted-firmware-a: Here is the selected license text:
vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv
Mbed TLS files are provided under a dual [Apache-2.0](https://spdx.org/licenses/Apache-2.0.html)
OR [GPL-2.0-or-later](https://spdx.org/licenses/GPL-2.0-or-later.html) license.
This means that users may choose which of these licenses they take the code
under.

The full text of each of these licenses is given below.

                                 Apache License
                           Version 2.0, January 2004
...
  `Gnomovision' (which makes passes at compilers) written by James Hacker.

  <signature of Ty Coon>, 1 April 1989
  Ty Coon, President of Vice

This General Public License does not permit incorporating your program into
proprietary programs.  If your program is a subroutine library, you may
consider it more useful to permit linking proprietary applications with the
library.  If this is what you want to do, use the GNU Lesser General
Public License instead of this License.
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
trusted-firmware-a: Check if the license information has changed in /home/builder/src/base/repo/build/tmp_zynqmp-zcu102/work/zynqmp_zcu102-poky-linux/trusted-firmware-a/2.10.9/git/mbedtls/LICENSE to verify that the LICENSE value "BSD-2-Clause & BSD-3-Clause & MIT & Apache-2.0 & Apache-2.0" r
emains valid [license-checksum]
ERROR: trusted-firmware-a-2.10.9-r0 do_populate_lic: Fatal QA errors were found, failing task.
ERROR: Logfile of failure stored in: /home/builder/src/base/repo/build/tmp_zynqmp-zcu102/work/zynqmp_zcu102-poky-linux/trusted-firmware-a/2.10.9/temp/log.do_populate_lic.4070974
NOTE: recipe trusted-firmware-a-2.10.9-r0: task do_populate_lic: Failed
ERROR: Task (/home/builder/src/base/repo/build/../meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_2.10.9.bb:do_populate_lic) f
ailed with exit code '1'

Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-01-17 09:30:29 -05:00
Mikko Rapeli eb9a1ec43b edk2-firmware: fix PlatformStandaloneMmRpmb.dsc build
With backported patch from upstream. Error was:

| build.py...
| /home/builder/src/base/repo/build/tmp_rockpi4b/work/rockpi4b-poky-linux/edk2-firmware/202408/edk2/edk2-platforms/Platform/StandaloneMm/PlatformS
tandaloneMmPkg/PlatformStandaloneMmRpmb.dsc(...): error 4000: Instance of library class [HobPrintLib] is not found
|       in [/home/builder/src/base/repo/build/tmp_rockpi4b/work/rockpi4b-poky-linux/edk2-firmware/202408/edk2/StandaloneMmPkg/Core/StandaloneMmCor
e.inf] [AARCH64]
|       consumed by module [/home/builder/src/base/repo/build/tmp_rockpi4b/work/rockpi4b-poky-linux/edk2-firmware/202408/edk2/StandaloneMmPkg/Core
/StandaloneMmCore.inf]

Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
2025-01-17 09:30:29 -05:00
Philip Puk 90123a287f arm-bsp/recipes-security: Add protobuf interface to crypto-sp in corstone1000
Adds protobuf interface to se-proxy-sp as the main crypto-sp uses it and
parsec service 1.4 also switch using protobuf interface.

Signed-off-by: Philip Puk <philip.puk@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-01-13 12:00:03 -05:00
Jon Mason 0905953af4 arm/trusted-firmware-a: bump fip and tests to 2.12
Bump fip and tf-a tests to use the 2.12 sources

Note: change to license is for CoT device tree python application (which
is Apache licensed).

Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-01-10 11:00:05 -05:00
Quentin Schulz 280018a5db arm/trusted-firmware-a: add support for 2.12.0
Add support for TF-A version v2.12.0 and mbedtls 3.6.1.

GCC-compiled boot tested on RK3588 Tiger, RK3399 Puma and PX30 Ringneck.

0001-fix-zynqmp-handle-secure-SGI-at-EL1-for-OP-TEE.patch is merged in
2.12.0 so no need to have it in SRC_URI as for 2.11.0 and earlier
recipes.

Signed-off-by: Quentin Schulz <quentin.schulz@cherry.de>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-01-10 11:00:05 -05:00
Jon Mason f52fb00f10 arm/trusted-firmware-a: update 2.10 LTS to the latest versions
Update TF-A LTS to 2.10.9 (which includes an mbedtls bump to 3.6.1, per
docs).  Also, bump the TF-A tests to the latest version.

Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-01-10 11:00:05 -05:00
Ali Can Ozaslan bc5967ad87 arm-bsp/linux-yocto: corstone1000: Update to version 6.12
* Set Linux kernel preferred version for Corstone-1000 to 6.12.
* Update version listed in Corstone-1000 user guide documentation.
* Remove Linux kernel version 6.10 recipe as was only used by Corstone-1000.

Signed-off-by: Ali Can Ozaslan <ali.oezaslan@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-01-07 09:00:04 -05:00
Bence Balogh 6c34f1e425 arm-bsp/documentation: corstone1000: describe host level authentication
A new section was added for the host level authentication which
explains how the FIP content is verified at TF-A level.

Signed-off-by: Abdellatif El Khlifi abdellatif.elkhlifi@arm.com
Signed-off-by: Bence Balogh bence.balogh@arm.com
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-12-30 11:00:04 -05:00
Hugues KAMBA MPIANA cc4399ad9a arm-bsp/documentation: corstone1000: Show flyout menu in sidebar
Use flyout menu enabled via the `flyout_display`
parameter to show the flyout in the bottom of the sidebar.

The default Read the Docs (RtD) flyout needs to be disabled in order
to not have 2 flyouts showing. It is done by disabling it in the
RtD project settings.

Additionally, the Sphinx theme needs to be upgraded from version
2.0.0 to version 3.0.0. The sphinx and docutils modules also need
to be update for compatibility reason.

Signed-off-by: Hugues KAMBA MPIANA <hugues.kambampiana@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-12-21 08:22:38 -05:00
Peter Hoyes 5adb315517 arm/lib: Relax "Listening for serial connection" regex
Newer versions of the FVP now contain a full log entry for the
"Listening for serial connection on port" regex of the form:

INFO: FVP_NAME: terminal_uart: Listening for serial connection...

Relax the regex to support this new logging format and change from
re.match to re.search as the regex may not appear at the start of the
line.

This change is backwards-compatible with older versions of the FVP.

Signed-off-by: Peter Hoyes <peter.hoyes@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-12-16 10:00:05 -05:00
Ross Burton 83d9575a38 arm-bsp/linux-yocto: add temporary 6.10 recipe
oe-core has removed 6.10, so until corstone1000 has upgraded to 6.12 add
it temporarily to meta-arm-bsp.

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-12-13 11:00:03 -05:00
Ross Burton fd2ba2d290 arm-bsp/linux-yocto: fix Juno build with linux 6.12
The DesignWare platform driver is hidden behind a DesignWare Core option
now, so enable that too.

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-12-13 11:00:03 -05:00
Adam Johnston 3df279b56a arm-bsp/corstone-1000: IMAGE_ROOTFS_EXTRA_SPACE workaround
When images are repacked IMAGE_ROOTFS_EXTRA_SPACE is ignored.
This is not necessarily a bug but an undocumented quirk of how wic
works.

Evaluate IMAGE_ROOTFS_EXTRA_SPACE and use the value with the
 --extra-space option. Note that, since IMAGE_ROOTFS_EXTRA_SPACE is in
Kb, the value for `--extra-space` requires the explicit 'K' suffix (the
default is 'M')

Signed-off-by: Adam Johnston <adam.johnston@linaro.org>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-12-13 10:00:05 -05:00
Abdellatif El Khlifi 258277bab5 arm-bsp/linux-yocto: corstone1000: Update the Upstream-Status of the remoteproc patches
Set the Upstream-Status to Denied because the community suggests a different design

The external system implementation in Corstone-1000 is user-defined.
In the implementation provided by he FPGA board and by the FVP, the
Cortex-A35 (Linux) can not access the memory of the external system (Cortex-M3).
So, Linux can not load the external system firmware and can not communicate
with the external system using Rpmsg over remoteproc subsystem. The reason is Rpmsg
needs vrings memory buffers to be shared between both cores.
The community prefers that the HW is updated with memory sharing before they
consider merging the remoteproc driver.

We reached the agreement that we will split the work in two parts:

Part 1: Writing an SSE-710 reset controller driver
Part 2: Corstone-1000 remoteproc driver

Part 1 is doable and we will be working on it.
Part 2 is waiting for the FPGA upgrade with the memory sharing feature.

For more details [1].

[1]: https://lore.kernel.org/all/20241009094635.GA14639@e130802.arm.com/

Signed-off-by: Abdellatif El Khlifi <abdellatif.elkhlifi@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-12-12 06:00:04 -05:00
Jamin Lin 22de236233 arm: remove python3-pyhsslms recipe
I upstreamed this recipe in meta-openembedded/meta-python,
so removes this recipe from meta-arm meta layer.

https://github.com/openembedded/meta-openembedded/blob/master/meta-python/recipes-devtools/python/python3-pyhsslms_2.0.0.bb

Signed-off-by: Jamin Lin <jamin_lin@aspeedtech.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-12-11 22:00:04 -05:00
Gabor Abonyi b2c43dbf9b lib/fvp: add name to terminal title in FVP runner
Currently, terminal title is %title, which is populated with the
component name by the FVP. This commit prepends it with {name},
which is already a mandatory parameter for terminals to be launched.
E.g. FVP_TERMINALS[terminal_uart] ?= "My Name" will launch a terminal
with a title "My Name - terminal_uart".

Signed-off-by: Gabor Abonyi <gabor.abonyi@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-12-09 09:00:03 -05:00
Hugues KAMBA MPIANA 8af2f218d4 kas: corstone-1000: Update the SHA of the Yocto layer dependencies for the CORSTONE1000-2024.11 release.
The SHA of the dependent community layers are commented out and set to
the tested SHA from the `styhead` branch of each layer.

The set SHAs are to be uncommented in the `styhead` branch which is
to be used to create the `CORSTONE1000-2024.11` tag.

Signed-off-by: Hugues KAMBA MPIANA <hugues.kambampiana@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-12-05 10:30:39 -05:00
Hugues KAMBA MPIANA 5c40c5f7f7 arm-bsp/documentation: corstone1000: Amend documentation for CORSTONE1000-2024.11 release
* Fix typographical error in documentation.
* Add missing instructions.
* Create paragraphs where necessary to improve readability.
* Change `note` box to `important` box

* Remove verification of arm_tstee driver presence:
arm-tstee driver has been integrated in Linux v6.10.14 which is
the one used in the software stack. It is built as part of Linux and
is no longer a loadable module.
The steps to verify the driver presence are no longer applicable.

* Standardise naming of the target platform:
Consistently use the name `Corstone-1000` to refer to the target platform.

* Update Debian OS version from 12.4 to 12.7
Debian version 12.4 has a bug in Shim 15.7.
This bug causes a fatal error when attempting to boot media installer
for Debian,and resets the platform before installation starts.
A patch to skip the Shim was applied to Corstone-1000 to avoid
the error.
Debian version 12.7 no longer has the bug in the Shim thus making
the usage of the patch redundant.
Bump Debian installer to version 12.7 and remove usage of the patch
for the Debian installation test.

* Replace xterm with tmux:
Update the user guide to specify tmux instead of xterm.
Using tmux as opposed to xterm provides a better user experience
when running the commands listed on the user guide.

* Use ACS image for FVP SystemReady test:
Due to fixed timeout values in the meta-arm-systemready the ACS time
test do not complete successfully.
Instead, specify commands to use the pre-built ACS image.

* List Trusted Services as a host component:
Add Trusted Services to the list of components used on the Host processor
of the Corstone-1000. The various BitBake recipes and append files used to
build Trusted Services are listed for the component.

* Update release version to CORSTONE1000-2024.11:
All references to the version of the Corstone-1000 software reference
stack have been updated from CORSTONE1000-2024.06 to CORSTONE1000-2024.11.
Add to the changelog the 2024.11 release information.
Add the 2024.11 release notes.

Signed-off-by: Hugues KAMBA MPIANA <hugues.kambampiana@arm.com>
Signed-off-by: Abdellatif El Khlifi <abdellatif.elkhlifi@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-12-05 10:30:39 -05:00
Ross Burton 82bb1d2190 arm/fvp-base-a-aem: upgrade to 11.27.19
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-12-03 10:00:04 -05:00
Bence Balogh 30519676ab arm-bsp/trusted-firmware-m: corstone1000: Fix Secure Debug connection due to token version mismatch
Due to a mismatch between the ADAC dummy token major version and the version
in the secure-debug-manager repository [1]'s submodule [2], the secure debug connection was denied.
Update the ADAC token major and minor versions in TF-M to align with the expected
dummy token.

[1] https://github.com/ARM-software/secure-debug-manager/
[2] https://git.trustedfirmware.org/plugins/gitiles/shared/psa-adac.git/+/refs/heads/master/psa-adac/core/include/psa_adac.h

Fixes: 7e9466 ("arm-bsp/trusted-firmware-m: corstone1000: add Secure Debug")
Signed-off-by: Bence Balogh <bence.balogh@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-12-02 05:00:04 -05:00
Mikko Rapeli 737bfd0e63 linux-yocto: remove signing
Remove secure boot signature from kernel image.
It's signed as part of uki image now which signs
kernel, initramfs etc.

Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-11-25 12:10:17 -05:00
Mikko Rapeli 682fb426ee uefi-secureboot.yml: switch to Unified Kernel Image (UKI)
Unified Kernel Image includes kernel and initrd which
both are signed with UEFI secure boot. This brings secure
boot closer to userspace.

Use core-image-initramfs-boot to find the real
rootfs and boot systemd init there. No need to hard code
rootfs via qemuboot/runqemu variables.

Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-11-25 12:10:17 -05:00
Mikko Rapeli a3523586e5 uefi-secureboot.yml: remove duplicate distro features
Setting INIT_MANAGER to "systemd" already sets needed
feature flags. Appending to them only causes sstate
cache invalidation and recompilations.

Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-11-25 12:10:17 -05:00
Mikko Rapeli d0fd3e961a qemuarm64-secureboot.conf: append to WKS_FILE_DEPENDS
Various classes add dependencies so don't overwrite them.

Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-11-25 12:10:17 -05:00
Jon Mason 853fde2b24 CI: add poky-altcfg in xen.yml for systemd image requirement
xen-image-minimal now requires systemd.  Add poky-altcfg (which has
systemd amongst other things) as an includes in the xen.yml file to work
around this.  Also, xen requires openssh instead of dropbear.  So,
override that entry.

Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-11-21 11:00:04 -05:00
Romain Naour 9d9c2fb93e CI: test external-arm-toolchain with usrmerge enabled
We want to test meta-arm-toolchain layer with usrmerge enabled [1]
since it produce some breakage with current external ARM toolchains [2].

Instead of using a custom setting (poky + usrmerge enabled), use the
existing poky-altcfg provided by Yocto. poky-altcfg uses systemd as
init system and imply usermerge being enabled (new systemd v255
requirement) [3].

Note: It must be a 32bit machine, since there are currently no aarch64
host toolchains for aarch64 (some gitlab runner used by meta-arm are
aarch64 host) [4].

[1] https://docs.yoctoproject.org/scarthgap/ref-manual/features.html?highlight=usrmerge#distro-features
[2] https://lists.yoctoproject.org/g/meta-arm/message/5557
[3] https://git.openembedded.org/openembedded-core/commit/?id=802e853eeddf16d73db1900546cc5f045d1fb7ed
[4] 4bfa191ada

Signed-off-by: Romain Naour <romain.naour@smile.fr>
Acked-by: Denys Dmytriyenko <denys@konsulko.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-11-14 16:15:39 -05:00
Romain Naour de47f836e2 external-arm-toolchain: rebuild libmvec.so symlink if any
On some architectures (namely Aarch64), glibc may provide a libmvec
library since glibc 2.22, which programs built with gcc OpenMP
support might get linked to.

In order for these programs to work on the target, we need to copy this
library to the target filesystem.

Make sure that libmvec.so symlink is correct with or without usermerge
enabled otherwise libmvec.so symlink is broken.

For more details on libmvec, see
https://sourceware.org/glibc/wiki/libmvec.

Signed-off-by: Romain Naour <romain.naour@smile.fr>
Acked-by: Denys Dmytriyenko <denys@konsulko.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-11-14 16:15:33 -05:00
Romain Naour cb4c0c9a93 external-arm-toolchain: override dynamic loader path with usrmerge enabled
usrmerge nowaday required by systemd [1] but it broke
external-arm-toolchain in several ways...

When usrmerge is enabled, /lib is no longer part of SYSROOT_DIRS list
while the prebuilt toolchain expect the dynamic loader to be placed in
/lib not /usr/lib.

There is no /lib directory in the per-package sysroot directory
generated to build each package:

  [...]/build/tmp/sysroots-components/<target>/<package>/
  sysroot-providers/ usr/

But the cross-compiler still generate binaries with dynamic loarder
path set to "/lib/ld-linux-<target>.so*"

  strings sanitycheckc_cross.exe | grep ld
  /lib/ld-linux-aarch64.so.1

A symlink /lib -> /usr/lib is crated in the final rootfs image.

But this broke the meson-qemuwrapper used when "qemu-usermode"
(MACHINE_FEATURES) is available:

See [2]:
  do_write_config:append:class-target() {
       # Write out a qemu wrapper that will be used as exe_wrapper so that meson
       # can run target helper binaries through that.
       qemu_binary="${@qemu_wrapper_cmdline(d, '$STAGING_DIR_HOST', ['$STAGING_DIR_HOST/${libdir}','$STAGING_DIR_HOST/${base_libdir}'])}"

It produce a runtime issue while running a meson sanity check:

  meson-qemuwrapper [...]/build/meson-private/sanitycheckc_cross.exe

  qemu-aarch64: Could not open '/lib/ld-linux-aarch64.so.1': No such file or directory

Note: The binaries build by the Yocto internal toolchain seems be "patched" [3]
to look at /usr/lib instead of /lib.

We use -Wl,--dynamic-linker to make sure that the cross-compiler
generate binaries using the dynamic loader path defined by usrmerge
for all packages build by Yocto.

[1] https://git.openembedded.org/openembedded-core/commit/?id=802e853eeddf16d73db1900546cc5f045d1fb7ed
[2] https://git.openembedded.org/openembedded-core/tree/meta/classes-recipe/meson.bbclass?h=2024-04.3-scarthgap#n130
[3] https://github.com/openembedded/openembedded-core/blob/scarthgap/meta/recipes-devtools/gcc/gcc/0007-Define-GLIBC_DYNAMIC_LINKER-and-UCLIBC_DYNAMIC_LINKE.patch

Signed-off-by: Romain Naour <romain.naour@smile.fr>
Acked-by: Denys Dmytriyenko <denys@konsulko.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-11-14 16:15:23 -05:00
Vasyl Vavrychuk 8634bdc2f2 external-arm-toolchain: remove ${base_libdir}/libpthread*.so from FILES:${PN}
When `usrmerge` distro feature is not enabled, then `${base_libdir}`
resolves to `/lib` and `/lib/libpthread*.so` does not match any files.
But, with `usrmerge` distro feature, `${base_libdir}` is `/usr/lib`, so
removed line leads to `/usr/lib/libpthread.so` symlink included in
`${PN}` which causes QA check failure.

Signed-off-by: Vasyl Vavrychuk <vvavrychuk@gmail.com>
Acked-by: Denys Dmytriyenko <denys@konsulko.com>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-11-14 16:15:19 -05:00
Vasyl Vavrychuk 4b2cef379f external-arm-toolchain: in libc.so GNU ld script use base_libdir
`base_libdir` gets replaced with `/lib` or `/usr/lib` depending on
`usrmerge` distro feature.

Signed-off-by: Vasyl Vavrychuk <vvavrychuk@gmail.com>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Acked-by: Denys Dmytriyenko <denys@konsulko.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-11-14 16:15:13 -05:00
Romain Naour a6f44bbb80 external-arm-toolchain: wrap symlink handling under usrmerge check
Rework the symlink handling when usermerge is enabled.
Indeed, "ln -sf ../../lib/librt.so.1 ${D}${libdir}/librt.so" create a
dead link with usermerge...

Based on: https://lists.yoctoproject.org/g/meta-arm/message/5765

Signed-off-by: Romain Naour <romain.naour@smile.fr>
Cc: "Parthiban" <parthiban@linumiz.com>
Acked-by: Denys Dmytriyenko <denys@konsulko.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-11-14 16:15:00 -05:00
Vasyl Vavrychuk 98eea62962 external-arm-toolchain: wrap base_libdir vs libdir manipulations under usrmerge check
With `usrmerge` disto feature `base_libdir` and `libdir` are the same,
so it does not make sense to:

* removing "duplicates" between them
* move files from `base_libdir` to `libdir`

This fixes build error

| mv: '.../tmp/work/cortexa15t2hf-neon-poky-linux-gnueabi/external-arm-toolchain/12.2.Rel1/image/usr/lib/libasan.a' and '.../tmp/work/cortexa15t2hf-neon-poky-linux-gnueabi/external-arm-toolchain/12.2.Rel1/image/usr/lib/libasan.a' are the same file

in case of `usrmerge` feature enabled.

Signed-off-by: Vasyl Vavrychuk <vvavrychuk@gmail.com>
Acked-by: Denys Dmytriyenko <denys@konsulko.com>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-11-14 16:14:53 -05:00
Romain Naour 9a0451a959 external-arm-toolchain: remove old sed fixup for libc.so
As reported by Vasyl Vavrychuk [1], /${EAT_LIBDIR}/${EAT_TARGET_SYS}
is not present in libc.so in the latest prebuilt toolchains:

ARM32:
  $ cat ./gcc-arm-8.3-2019.03-x86_64-arm-linux-gnueabihf/arm-linux-gnueabihf/libc/usr/lib/libc.so
  OUTPUT_FORMAT(elf32-littlearm)
  GROUP ( /lib/libc.so.6 /usr/lib/libc_nonshared.a  AS_NEEDED ( /lib/ld-linux-armhf.so.3 ) )

  $ cat ./gcc-arm-9.2-2019.12-x86_64-arm-none-linux-gnueabihf/arm-none-linux-gnueabihf/libc/usr/lib/libc.so
  OUTPUT_FORMAT(elf32-littlearm)
  GROUP ( /lib/libc.so.6 /usr/lib/libc_nonshared.a  AS_NEEDED ( /lib/ld-linux-armhf.so.3 ) )

  $ cat ./arm-gnu-toolchain-12.3.rel1-x86_64-arm-none-linux-gnueabihf/arm-none-linux-gnueabihf/libc/usr/lib/libc.so
  OUTPUT_FORMAT(elf32-littlearm)
  GROUP ( /lib/libc.so.6 /usr/lib/libc_nonshared.a  AS_NEEDED ( /lib/ld-linux-armhf.so.3 ) )

  $ cat ./arm-gnu-toolchain-13.3.rel1-x86_64-arm-none-linux-gnueabihf/arm-none-linux-gnueabihf/libc/usr/lib/libc.so
  OUTPUT_FORMAT(elf32-littlearm)
  GROUP ( /lib/libc.so.6 /usr/lib/libc_nonshared.a  AS_NEEDED ( /lib/ld-linux-armhf.so.3 ) )

Aarch64:
  $ cat ./gcc-linaro-7.3.1-2018.05-x86_64_aarch64-linux-gnu/aarch64-linux-gnu/libc/usr/lib/libc.so
  OUTPUT_FORMAT(elf64-littleaarch64)
  GROUP ( /lib/libc.so.6 /usr/lib/libc_nonshared.a  AS_NEEDED ( /lib/ld-linux-aarch64.so.1 ) )

  $ cat ./gcc-arm-9.2-2019.12-x86_64-aarch64-none-linux-gnu/aarch64-none-linux-gnu/libc/usr/lib64/libc.so
  OUTPUT_FORMAT(elf64-littleaarch64)
  GROUP ( /lib64/libc.so.6 /usr/lib64/libc_nonshared.a  AS_NEEDED ( /lib/ld-linux-aarch64.so.1 ) )

  $ cat ./arm-gnu-toolchain-12.3.rel1-x86_64-aarch64-none-linux-gnu/aarch64-none-linux-gnu/libc/usr/lib64/libc.so
  OUTPUT_FORMAT(elf64-littleaarch64)
  GROUP ( /lib64/libc.so.6 /usr/lib64/libc_nonshared.a  AS_NEEDED ( /lib/ld-linux-aarch64.so.1 ) )

  $ cat ./arm-gnu-toolchain-13.3.rel1-x86_64-aarch64-none-linux-gnu/aarch64-none-linux-gnu/libc/usr/lib64/libc.so
  OUTPUT_FORMAT(elf64-littleaarch64)
  GROUP ( /lib64/libc.so.6 /usr/lib64/libc_nonshared.a  AS_NEEDED ( /lib/ld-linux-aarch64.so.1 ) )

We can safely remove old sed fixup for libc.so.

[1] https://lists.yoctoproject.org/g/meta-arm/message/5565

Signed-off-by: Romain Naour <romain.naour@smile.fr>
Acked-by: Denys Dmytriyenko <denys@konsulko.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-11-14 16:12:08 -05:00
Ross Burton e7898787bb CI: don't use debug-tweaks
As of the following commit in oe-core[1]:

  classes-recipe/core-image: drop debug-tweaks IMAGE_FEATURE

The debug-tweaks feature is no longer valid. Replace it with the options
that we need to perform login over testimage.

[1] https://git.openembedded.org/openembedded-core/commit/?id=2c229f9542c6ba608912e14c9c3f783c3fa89349

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-11-08 09:00:03 -05:00
Hugues KAMBA MPIANA bf9010c684 arm-bsp/documentation: corstone1000: Add SystemReady IR v2.0 certification
- Add details on SystemReady IR v2.0 certification achievement
- Document additional patch added
- Update release notes with new milestone tag `CORSTONE1000-2024.06-systemready-ir-v2.0`

Signed-off-by: Hugues KAMBA MPIANA <hugues.kambampiana@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-11-05 18:18:25 -05:00
Ziad Elhanafy ac05154c51 arm-systemready/linux-distros: Follow WORKDIR -> UNPACKDIR transition
This adapts to the oe-core rework to enforce a separate directory
for unpacking local sources (UNPACKDIR) instead of polluting WORKDIR
directly.

Follows the guidelines from:
https://lists.openembedded.org/g/openembedded-architecture/message/2007

Signed-off-by: Ziad Elhanafy <ziad.elhanafy@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-11-05 18:18:25 -05:00
Jon Mason 2fdc139084 arm-bsp/tc: remove all references to total compute
The tc files were removed some time ago, but there are still entries
in the bbappends trying to reference those files.  Remove them.

Fixes: 0af53c6453 ("arm-bsp: Remove tc1")
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-10-23 17:00:03 -04:00
Jon Mason 6165b9e7a1 arm-bsp/fvp-base: remove backported u-boot patches
With the recent update of u-boot to 2024.10, these patches are no longer
needed (as they are in this release).  Remove them and everything is
happy again.

Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-10-23 17:00:03 -04:00
Jon Mason e161d8aefb arm/scp-firmware: update to v2.15.0
Update SCP to the latest tagged version, and update the related patch to
the new location of the relevant files.

For a comparison of the changes, please go to
https://git.gitlab.arm.com/firmware/SCP-firmware/-/compare/v2.14.0...v2.15.0

Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-10-14 13:00:03 -04:00
Jon Mason 8a03ee5fdf arm/edk2: update to 202408
Update edk2 to the latest stable release tag, and update edk2-platforms
to the last SHA that seems to work.

Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-10-14 13:00:03 -04:00
Ben 33fa7e75ed kas: Include unattended openSUSE test
Add unattended installation class to openSUSE target

Signed-off-by: Ben Cownley <ben.cownley@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-10-08 10:00:09 -04:00
Ben 0e0b9e608c arm-systemready/oeqa: Add unattended installation testcase
Add test for openSUSE unattended installation

Signed-off-by: Ben Cownley <ben.cownley@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-10-08 10:00:09 -04:00
Ben 02ba927dfc arm-systemready/linux-distros: Implement unattended openSUSE
Implement unattended installation for openSUSE

Signed-off-by: Ben Cownley <ben.cownley@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-10-08 10:00:09 -04:00
Javier Tia d315a5dec9 arm/uefi-secureboot: Add uefi capsule update support
UEFI capsule update is a mechanism that allows firmware updates to be
delivered and applied in a standardized way. It is part of the UEFI
specification and provides a way to update system firmware components
like the BIOS, UEFI drivers, or other platform firmware.

Signed-off-by: Javier Tia <javier.tia@linaro.org>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-10-07 21:00:04 -04:00
Jon Mason 40cc644285 CI: Rework qemuarm64-secureboot matrix
qemuarm64-secureboot is using systemd for uefi-secureboot, which has
warnings with musl (and fails to compile with clang and musl).  So,
modify the matrix to keep the coverage of everything else but musl.

Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-10-07 10:16:20 -04:00
Javier Tia a93bdc8e4e arm/uefi-secureboot: Add uefi http boot support
Enable network boot via HTTP protocol. Many embedded and server-class
systems use network boot for booting. Enabling network boot on devices
allows:

- Shipping devices without OS images. When we power up the device, the
  firmware can connect to the Internet and download and install suitable
  boot images for this specific device. Administrators can centrally
  manage the boot images and configuration files on a network server.
  This centralization streamlines the management of boot options and
  ensures consistency across all devices.

- This is particularly useful in enterprise environments. On mass
  deployments, there is a need to install the operating system on
  multiple devices simultaneously.

- Ability to maintain a completely diskless system if needed 

The plain HTTP protocol lacks encryption. It's intended to be used on
local networks. Secure http protocol support is under review. 

Signed-off-by: Javier Tia <javier.tia@linaro.org>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-10-07 00:00:04 -04:00
Khem Raj 72546aff89 layer.conf: Update to walnascar (5.2) layer/release series
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-10-04 23:00:03 -04:00
Javier Tia 847fd39b25 arm/qemuarm64-secureboot: Enable UEFI Secure Boot
Encapsulate all UEFI Secure Boot required settings in one Kas
configuration file.

Introduce SBSIGN_KEYS_DIR variable where UEFI keys will be generated
to sign UEFI binaries. 

Introduce uefi-secureboot machine feature, which is being used to
conditionally set the proper UEFI settings in recipes.

Replace Grub bootloader with systemd-boot, which it makes easier to
enable Secure Boot.

Advantages using systemd as Init Manager:

- Extending secure boot to userspace is a lot easier with systemd than
with sysvinit where custom scripts will need to be written for all use
cases.

- systemd supports dm-verity and TPM devices for encryption usecases out
of the box. Enabling them is a lot easier than writing custom scripts
for sysvinit.

- systemd also supports EUFI signing the UKI binaries which merge kernel,
command line and initrd which helps in bringing secure boot towards
rootfs.

- systemd offers a modular structure with unit files that are more
predictable and easier to manage than the complex and varied scripts
used by SysVinit. This modularity allows for better control and
customization of the boot process, which is beneficial in Secure Boot
environments.

- Add CI settings to build and test UEFI Secure Boot.

Add one test to verify Secure Boot using OE Testing infraestructure:

$ kas build ci/qemuarm64-secureboot.yml:ci/meta-secure-core.yml:ci/uefi-secureboot.yml:ci/testimage.yml
...
RESULTS - uefi_secureboot.UEFI_SB_TestSuite.test_uefi_secureboot: PASSED (0.62s)
...
SUMMARY:
core-image-base () - Ran 73 tests in 28.281s
core-image-base - OK - All required tests passed (successes=19, skipped=54, failures=0, errors=0)

Signed-off-by: Javier Tia <javier.tia@linaro.org>
Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org> [yml file include fix]
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-10-04 10:27:35 -04:00
Javier Tia fc08510f22 arm: Enable Secure Boot in all required recipes
In the target, Secure Boot starts from the firmware (u-boot), adds the
signing keys, and verifies the bootloader (systemd-boot) and kernel
(Linux).

sbsign bbclass is used to sign the binaries. sbsign is the name of the
tool used to sign these binaries. Hence the name of this class to sbsign
and variables with SBSIGN prefix.

Signed-off-by: Javier Tia <javier.tia@linaro.org>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-10-03 18:00:04 -04:00
Mikko Rapeli 5720b1044f optee-client: switch systemd service to notify type
optee-client 4.3 supports systemd sd-notify to inform
systemd and other services that it has started.

Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-10-02 08:55:14 -04:00
Mikko Rapeli 210f5f7dcc arm/oeqa/optee.py: increase timeout value from 22 to 45 minutes
Tests are taking more time now and several devices are
timing out:

https://gitlab.com/jonmason00/meta-arm/-/pipelines/1467809227

qemuarm64-secureboot runs the test in 10 and
qemuarm-secureboot in 13 minutes.

Upstream optee CI shows xtest runs taking around 30 minutes on
slowest qemu machines:

https://github.com/OP-TEE/optee_os/actions/runs/10997530234?pr=7052

Guestimate limit to 45 minutes so that slowest and most loaded
machines could fit there too. optee xtest has internal test
specific timeouts so if something hangs it should be detected
earlier.

If these limits still cause issues, then we could disable some of
the longer running tests with "xtest -l" option. Default for
testing level is 1 but maybe 2 or 3 could be enough.

Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
Cc: Jérôme Forissier <jerome@forissier.org>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-10-01 15:00:15 -04:00
Jon Mason 5c1407e904 arm/gn: update to latest commit
Update to the latest gn commit.
Changes in gn between b2afae122eeb6ce09c52d63f67dc53fc517dbdc8 and 95b0f8fe31a992a33c040bbe3867901335c12762
95b0f8fe31a9 Improve error message for duplicated items
e30a1fe26e5e [rust-project] Always use forward slashes in sysroot paths
20806f79c6b4 Update all_dependent_configs docs.
f792b9756418 set 'no_stamp_files' by default
60a28b636057 fix a typo
b5ff50936a72 Stop using transitional LFS64 APIs
a737c2849f13 do not use tool prefix for phony rule
e080b4d340c2 [rust] Add sysroot_src to rust-project.json
50ecf4c84d08 Implement and enable 'no_stamp_files'
4e4b8d989499 Add Target::dependency_output_alias()
225e90c5025b Add "outputs" to generated_file documentation.
9e0c7b7cefb2 Update bug database link.
d010e218ca70 remove a trailing space after variable bindings
32f63e70484f fix tool name in error
f190770a69a3 remove unused includes
54f5b539df8c Markdown optimization (follow-up)
e3d088c4b6ac Support link_output, depend_output in Rust linked tools.
fc8172f4a107 Properly verify runtime_outputs in rust tool definitions.
fdb90141934a BugFix: Syntax error in gen.py file
93550dc1701d generated_file: add output to input deps of stamp
449f3e4dfb45 Markdown optimization:
05eed8f6252e Revert "Rust: link_output, depend_output and runtime_outputs for dylibs"
8f2193f70793 hint using nogncheck on disallowed includes
0ee833e823f2 Rust: link_output, depend_output and runtime_outputs for dylibs
1b41f0502f87 Add missing reference section to function_toolchain.cc

Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-10-01 15:00:15 -04:00
Jon Mason 453a531158 arm/arm-ffa-user: update to 5.0.2
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-10-01 15:00:15 -04:00
Jon Mason 5ead59d370 arm/opencsd: update to 1.5.4
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-10-01 15:00:15 -04:00
Jon Mason 6abc3b7daa arm/optee: update to 4.3.0
Update OP-TEE to version 4.3.0
NOTE: the license file in optee-test changed, but the license is the
same (commit a748f5fcd9ec8a574dc86a5aa56d05bc6ac174e7).  They chose to
change the URL of the licenses in question to be "LICENSE-GPL" and
"LICENSE-BSD".

Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-10-01 15:00:15 -04:00
Jon Mason 7cce43e632 Revert "CI: switch to building against styhead branches where possible"
This reverts commit 2b1348d74f.

Revert to allow the meta-arm master branch to use the master branch of
other layers.
2024-10-01 11:08:47 -04:00
Ross Burton 00f4bd027c arm-base/linux-yocto: revert interim 6.10 patch for fvp-base
oe-core master now has 6.10.11 which incorporates this patch, so we don't
need to carry it anymore.

This reverts commit 60fd47edd0.

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-10-01 07:01:16 -04:00
Bence Balogh 8abb62ccb7 arm-bsp/trusted-firmware-m: corstone1000: Update patches
Some of the existing patches were submitted and merged to the
upstream TF-M repository.
In this commit, the upstream statuses are updated, and the patches are
reordered so the submitted patches are applied first.

Signed-off-by: Bence Balogh <bence.balogh@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-09-30 13:24:50 -04:00
Mikko Rapeli 890cbb9841 trusted-firmware-a: fix panic on kv260/zynqmp
kv260 with optee and secure-boot panics without this fix:

https://ledge.validation.linaro.org/scheduler/job/93620

Xilinx Zynq MP First Stage Boot Loader

Release 2022.2   Oct  7 2022  -  04:56:16
MultiBootOffset: 0x40
Reset Mode	:	System Reset
Platform: Silicon (4.0), Running on A53-0 (64-bit) Processor, Device
Name: XCZUUNKNEG

QSPI 32 bit Boot Mode

FlashID=0x20 0xBB 0x20

PMU Firmware 2022.2	Oct  7 2022   04:56:16
PMU_ROM Version: xpbr-v8.1.0-0
�I/TC:
I/TC: OP-TEE version: 4.2.0-dev (gcc version 14.1.0 (GCC)) #1 Fri Apr 12
09:51:21 UTC 2024 aarch64
I/TC: WARNING: This OP-TEE configuration might be insecure!
I/TC: WARNING: Please check
https://optee.readthedocs.io/en/latest/architecture/porting_guidelines.html
I/TC: Primary CPU initializing
I/TC: Primary CPU switching to normal world boot
PANIC at PC : 0x00000000fffed94c

Fix proposed by MaheedharSai.Bollapalli@amd.com

Cc: MaheedharSai.Bollapalli@amd.com
Cc: michal.simek@amd.com
Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-09-30 10:00:17 -04:00
Jon Mason eefb6a12ba arm-bsp/fvp-base: use trusted-firmware-a v2.11
Update to use the latest version of tf-a.  The patch for virtio was
upstreamed and already in v2.11.

Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-09-27 14:00:07 -04:00
Jon Mason 0d0b8ffac2 arm/optee-os: Backport the clang fixes
The Clang bug in OP-TEE OS has been resolved (see
https://github.com/OP-TEE/optee_os/issues/6754).  Backport those patches
and remove the forcing of GCC in the recipe.

Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-09-27 14:00:05 -04:00
Ali Can Ozaslan 94c54c4f57 arm-bsp/optee: corstone1000: Update upstream status
The patch with pending status was submitted to the upstream OP-TEE
repo.

Signed-off-by: Ali Can Ozaslan <ali.oezaslan@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-09-27 12:00:12 -04:00
Ross Burton f22852b353 CI: transform testimage reports into JUnit XML reports
Using resulttool we can transform the oeqa JSON reports into JUnit XML,
which GitLab can display in pipelines and merge requests.

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-09-27 12:00:05 -04:00
Ross Burton 8696545747 CI: remove duplicate arm-systemready-ir-acs
We had two instances of the same job, so consolidate them into one.

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-09-27 12:00:05 -04:00
Ross Burton d96bebfded CI: add KAS_BUILD_DIR variable
Instead of always using KAS_WORK_DIR/build to refer to the build tree,
on the assumption that is where the build tree is, export KAS_BUILD_DIR
and use that variable instead.

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-09-27 12:00:05 -04:00
Quentin Schulz 7eac705805 arm/trusted-firmware-a: add recipe for more-recent-but-not-yet-released source code
The point of this recipe is to allow people to quickly test more recent
commits that aren't yet part of any release just yet.

One should really not use it in any product, but it's nice for CI and
development purposes.

Signed-off-by: Quentin Schulz <quentin.schulz@cherry.de>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-09-27 11:25:37 -04:00
Bence Balogh 3db8bc67b4 arm-bsp/trusted-firmware-m: corstone1000: Update metadata handling
The added TF-M patches:
- Remove unused files from TF-M's BL1
- Remove unecessary duplications in metadata write functions
- Fix compiler switches in metadata handling functions: the runtime TF-M
  uses the GPT to get the offsets for the metadata.
- Validate both metadata replica in the beginning by checking the crc32
  checksum. If one of the replicas is corrupted then update it using the
  other replica.

Signed-off-by: Bence Balogh <bence.balogh@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-09-27 11:25:37 -04:00
Ross Burton 2b1348d74f CI: switch to building against styhead branches where possible
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-09-27 11:25:37 -04:00
Quentin Schulz a754b2beac add basic b4 config file
b4[1] is a very nice tool for mail-based contribution. A config[2] file
exists to set up a few defaults. We can use it to set the To recipients
to always add, in our case the mailing list.

This shouldn't be necessary if we had a script that b4 prep --auto-to-cc
could call to find the mail address(es) to send to. Let's start without
it for now.

[1] https://pypi.org/project/b4/
[2] https://b4.docs.kernel.org/en/latest/config.html

Signed-off-by: Quentin Schulz <quentin.schulz@cherry.de>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-09-27 11:25:37 -04:00
Mikko Rapeli 6def088acd arm/optee-client: fix systemd service dependencies
udev starts tee-supplicant once optee has been found.
Fix dependencies in systemd service so that starting it in
initrd is possible. Stopping requires that ftpm
kernel module is disabled or any TPM related actions will fail until
the next reboot so working around these in the service file. These
are limitations of current kernel optee and ftpm drivers.

tpm2.target requires systemd 256 or newer. With older system version
there is no simple way to queue in service before TPM device is
available.

https://www.freedesktop.org/software/systemd/man/devel/systemd.special.html#tpm2.target

Note that
https://www.freedesktop.org/software/systemd/man/devel/systemd-tpm2-generator.html
detects TPM support from either existing kernel driver (built in or
loaded really early in initrd and rootfs boot) or ACPI table entry for
TPM device. If firmware used a TPM device but doesn't provide ACPI table
entry for it, then a kernel patch has been proposed to expose this to
userspace:

https://lore.kernel.org/lkml/20240422112711.362779-1-mikko.rapeli@linaro.org/

and matching change proposal for systemd:

https://github.com/systemd/systemd/pull/32400

Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-09-26 12:00:04 -04:00
Javier Tia 2d28195634 arm/optee: Add optee udev rules
If a /dev/teepriv[0-9]* device is detected, start an instance of
tee-supplicant.service with the device name as parameter.

Signed-off-by: Javier Tia <javier.tia@linaro.org>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-09-26 12:00:04 -04:00
Luca Fancellu 139e87e119 arm/lib: Handle timeout for spawn object on stop()
The current code is waiting 5 seconds to get an EOF on the
console pexpect spawn object, on a particularly slow machine
this timeout was not enough ending up into a TIMEOUT exception.

To solve this, increase the timeout and handle the TIMEOUT exception
by printing an error on the debug console instead of letting the
exception raise up to the stack, force the spawn object close() call
as well, since at this stage we would like the process to terminate
anyway.

Signed-off-by: Luca Fancellu <luca.fancellu@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-09-23 13:00:04 -04:00
Harsimran Singh Tungal f7ea72db24 arm-bsp/trusted-services: corstone1000: Update Trusted-Services patches
Modify the upstream status and commit descriptions of Trusted-Services patches.
Few patches have been been upstreamed to external Trusted-Services gerrit repository
for review. So, update upstream status of those patches accordingly.

Signed-off-by: Harsimran Singh Tungal <harsimransingh.tungal@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-09-20 12:00:04 -04:00
Jon Mason ea2c1ab5db arm-bsp/fvp: Re-enable parselogs
Re-enable parselogs testing for fvp-base and corstone1000-fvp, and add
an ignore file for the relevant entries.  Also, increase the testing
being done on corstone1000-fvp.

Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-09-20 09:00:04 -04:00
Jon Mason 60fd47edd0 arm-bsp/fvp-base: Get 6.10 kernel working
Apply upstream patch to get virtio networking functioning again and
switch to the 6.10 kernel.

Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-09-20 09:00:04 -04:00
Jon Mason a6e74d3926 arm-bsp/fvp-base: support poky-altcfg
Add the bits to enable poky-altcfg to boot to prompt on fvp-base.
Unfortunately, ssh takes a very long time to come up, which causes the
ssh test to timeout.  So, don't enable this by default in CI.
Also, switch to building full-cmdline instead of sato, since we're never
actually testing the graphics on this platform.

Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-09-20 09:00:04 -04:00
Jon Mason 45a2b44284 arm-toolchain: remove libmount-mountfd-support when using binary toolchain
util-linux is failing when compiling with:
| configure: error: libmount_mountfd_support selected, but required mount FDs based API not available
Remove this feature when building with the binary toolchain to avoid
this issue.

Acked-by: Denys Dmytriyenko <denys@konsulko.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-09-19 12:00:04 -04:00
Bence Balogh d75cf2dd53 arm-bsp/trusted-firmware-m: corstone1000: Fix MPU configuration
The Application Root of Trust and the PSA Root of Trust was not
isolated in TF-M Isolation Level 2 beacuse of the misconfiguration of
the MPU. The added patch fixes this issue.

Signed-off-by: Bence Balogh <bence.balogh@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-09-17 17:00:05 -04:00
Jon Mason 5eb457b526 arm-bsp/documentation: corstone1000: Improve user guide
Includes:
* Sentence clarifications
* Usage of list numbering where steps are given
* Usage of code syntax where appropriate
* Usage of RST syntax for notes
* Appropriate capitalization of component names
* Consistently use the term MPS3 to refer to the physical hardware
* Present tests in a clear and consistent manner
* Wrap commands to reduce horizontal scrolling
* Creating paragraphs to improve readability
* Usage of shell variables for placeholders so user can
  create their shell variables and use the provided commands
  as in the user guide.

Signed-off-by: Hugues KAMBA MPIANA <hugues.kambampiana@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-09-17 08:59:23 -04:00
Bence Balogh 6ce3f43792 arm-bsp/documentation: corstone1000: remove TEE driver load
The arm-tstee driver was upstreamed to the v6.10 kernel so it doesn't
have to be loaded manually. Updated the related parts in the
Corstone-1000 user guide.

Signed-off-by: Bence Balogh <bence.balogh@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-09-17 08:55:25 -04:00
Bence Balogh bd1e228d4a arm-bsp/linux-yocto: corstone1000: bump to v6.10
This commit updates the linux-yocto version to the latest availabe one.
No additional work was needed to make it work in Corstone-1000.

Signed-off-by: Bence Balogh <bence.balogh@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-09-17 08:55:13 -04:00
Jon Mason 5c12aab797 arm/libts: Patch to fix 6.10 kernel builds breaks
The ts-tee driver was upstreamed into the v6.10 kernel.  Remove
arm-tstee driver package, since the upstream one should be used.

optee and arm ffa driver are logging non-fatal errors in dmesg, which is
causing the parselogs test to fail.  This is due to arm ffa needing
givc3.

Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-09-17 08:55:13 -04:00
Jon Mason 60361945cf arm/musl: work around trusted services error
CI test for Trusted Services is failing with the recent musl update.
The issue was bisected to an update in musl modifying the behavior of
PAGE_SIZE.  Revert this change in musl while using trusted-services
until a proper solution can be found.

Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-09-11 10:00:03 -04:00
Martin Jansa f3d1c0293e layer.conf: Update to styhead release name series
oe-core switched to styhead only in:
https://git.openembedded.org/openembedded-core/commit/?h=styhead&id=b4cf6d5236a3eacaf56ca2f805b006efac65b26c

Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-09-06 15:31:04 -04:00
Hugues KAMBA MPIANA f975faf4c3 arm-bsp/documentation: corstone1000: Mention PMOD module as prerequisite
Add a warning in the Corstone-1000 documentation to indicate to the
end user that a 32 MB QSPI flash PMOD module is required to run
the Corstone-1000 software stack on MPS3-FPGA with the AN550 Application
note programmed.

Signed-off-by: Hugues KAMBA MPIANA <hugues.kambampiana@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-09-04 05:00:03 -04:00
Harsimran Singh Tungal 9d00aa03f6 arm-bsp,documentation: corstone1000: update user documentation
Add new usage details for running the secure boot testing
script located in the `systemready-patch` repository.

This script is used to create UEFI authenticated variables and sign the
Linux kernel image for the MPS3-FPGA and FVP secure boot tests.
Reflect the latest modifications to the script usage in the Corstone-1000 user guide.

Signed-off-by: Harsimran Singh Tungal <harsimransingh.tungal@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-09-03 11:31:32 -04:00
Harsimran Singh Tungal 0f87b7c46a arm-bsp,kas: corstone1000: enable External System based on new yml file
Create new yml file "corstone1000-extsys.yml" which adds "corstone1000-extsys" as
new MACHINE_FEATURE.
Based on this, external system components can be enabled or disabled from the
Linux Kernel and U-Boot.

Reason for change:
DT-schema test is failing for the SystemReady-IR v2.0 certification because
device tree binding for remoteproc dts node corresponds to external system has
not been upstreamed in the Linux Kernel yet.
So, it has been decided to make enablement of external system configurable in
order to make Corstone1000 FVP SystemReady-IR v2.0 certifiable.

Signed-off-by: Harsimran Singh Tungal <harsimransingh.tungal@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-09-03 11:31:32 -04:00
Jon Mason f741b4d8b9 arm/trusted-firmware-a: update LICENSE entry
As pointed out by Denys Dmytriyenko, the LICENSE entry in
trusted-firmware-a is not accurate.  docs/license.rst specifies the
licenses to be BSD 3 Clause for the project, with code from other
projects imported as:
libc BSD-3-Clause
libfdt BSD-2-Clause
LLVM BSD-3-Clause
zlib BSD-3-Clause
STMicroelectronics platform source code BSD-3-Clause
Linux source  MIT
DICE Apache 2.0

Note: these are the license the code is imported with (according to
license.rst), not a listing of the license(s) of those sources.

Signed-off-by: Jon Mason <jon.mason@arm.com>
Acked-by: Denys Dmytriyenko <denys@konsulko.com>
2024-09-03 11:31:21 -04:00
Bence Balogh 36e8641cc9 CI: Add secure debug build for Corstone-1000
Signed-off-by: Bence Balogh <bence.balogh@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-08-29 08:36:35 -04:00
Bence Balogh db2b46a464 arm-bsp/documentation: corstone1000: add Secure Debug test
The new section writes down the steps that are needed for reproducing
the Secure Debug authentication.

Signed-off-by: Bence Balogh <bence.balogh@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-08-29 08:36:35 -04:00
Bence Balogh 7e94669f60 arm-bsp/trusted-firmware-m: corstone1000: add Secure Debug
The Secure Debug functionality can be enabled on MPS3 by using the new
corstone1000-mps3-secure-debug.yml kas file. The kas file adds the new
secure-debug machine feature. The TF-M recipe adds the needed TF-M
build flags and patches in order to make the Secure Debug work.

This way, the Corstone-1000 will only boot fully if a debugger is
connected and a debug authentication is initiated.

Signed-off-by: Bence Balogh <bence.balogh@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-08-29 08:36:35 -04:00
Jon Mason 11d6e24167 arm/arm-tstee: pin kernel to 6.6 to workaround issue
arm-tstee doesn't compile on 6.8 or newer kernels.  Temporarily pin the
kernels of machines using this package back to 6.6 while developing a
fix.

Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-08-20 10:00:05 -04:00
Jon Mason 5a3ca1e23f arm/qemu-efi-disk: add rootwait to bootargs
Adding "rootwait" to bootargs for uniformity with the other wic files,
and this _could_ resolve Yocto Bugzilla Bug 15562 (as the intermittent
inability to find the root disk could be because of a race between
needing the disk and it not being mounted yet).

Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-08-20 10:00:05 -04:00
Mikko Rapeli 3a850ee377 ts-newlib: setup git with check_git_config
ts-newlib has a custom do_patch function which is not setting
up git like poky do_patch. Build without working git config
may fail:

| *** Please tell me who you are.
|
| Run
|
|   git config --global user.email "you@example.com"
|   git config --global user.name "Your Name"
|
| to set your account's default identity.
| Omit --global to set the identity only in this repository.
|
| fatal: unable to auto-detect email address (got 'tuxbake@81d82e1ac791.(none)')

Fix this by calling check_git_config from poky utils
to setup git correctly.

Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-08-13 11:00:05 -04:00
Hugues Kamba-Mpiana 74e7bcfcdf arm-bsp/documentation: corstone1000: Install Sphinx theme as recommended
Read the Docs recommends installing the Sphinx theme by listing
it as an enabled extensions prior to setting it as the active theme.

This commit adds it to the enabled extensions list as it was already
set as the active theme.

Signed-off-by: Hugues Kamba-Mpiana <hugues.kambampiana@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-08-12 12:00:06 -04:00
Hugues Kamba-Mpiana 7d2e8681e4 arm-bsp/documentation: corstone1000: Deprecation of Sphinx context injection
Read the Docs will stop defining `html_baseurl` Sphinx configuration,
which means that projects will need to define it by themselves to keep the
canonical custom domain properly configured.

The `READTHEDOCS_CANONICAL_URL` environment variable is used to define
`html_baseurl` to keep the previous behavior.

Also inject the `READTHEDOCS` variable into the `html_context`.

Code fragment taken from the blog post here:
https://about.readthedocs.com/blog/2024/07/addons-by-default/

Signed-off-by: Hugues Kamba-Mpiana <hugues.kambampiana@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-08-12 12:00:06 -04:00
Bence Balogh aea2c9b003 arm-bsp/trusted-firmware-m: corstone1000: fix bank offset
A patch was added to fix the address of the bank erasing and flashing
during the capsule update procedure. Previously the BL2 partition was
not erased properly.

The offset in the corstone1000-flash-firmware.wks.in was updated to
be aligned with the changes.

Signed-off-by: Bence Balogh <bence.balogh@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-08-12 05:00:06 -04:00
Bence Balogh c965cf722f arm-bsp/trusted-firmware-m: Remove TF-M v2.0 recipe
There no longer is a platform in meta-arm that uses this version of
TF-M. The last platform that did use it (Corstone-1000) now uses
a later version.
See meta-arm-bsp/conf/machine/include/corstone1000.inc for more info.

Signed-off-by: Bence Balogh <bence.balogh@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-08-09 11:52:37 -04:00
Bence Balogh 50b4d9cca9 arm-bsp/trusted-services: corstone1000: align PSA crypto structs with TF-M
The TF-M was upgraded to v2.1.0 for the Corstone-1000. The TS had to be
aligned with it, to keep the Secure Enclave Proxy Secure Partition
compatible with TF-M.

Signed-off-by: Bence Balogh <bence.balogh@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-08-09 11:52:37 -04:00
Bence Balogh d362e3a7ee arm-bsp/trusted-firmware-m: corstone1000: upgrade to TF-M v2.1.x
Update the preferred version of TrustedFirmware-M for Cortsone-1000
from 2.0.x to 2.1.x to benefit from the latest fixes and improvements
as well as to reduce the number of out-of-tree patches.

As a result of updating the version:
* Remove no longer required out-of-tree patches
* Rebase and update the numbering of the remaining out-of-tree patches

Signed-off-by: Bence Balogh <bence.balogh@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-08-09 11:52:37 -04:00
Ross Burton 8a3b84ac38 arm-bsp/linux-yocto: update for linux 6.10
CONFIG_FB_ARMCLCD is long obsolete, has been replaced with a DRM driver
enabled by CONFIG_DRM_PL111, and was removed in 6.8.

CONFIG_THERMAL_WRITABLE_TRIPS was removed in 6.9.

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-08-08 11:00:06 -04:00
Mariam Elshakfy 5e27594771 arm/trusted-services: Move ts-newlib compilation fix to meta-arm
This change moves ts-newlib compilation fix from
meta-arm-bsp to meta-arm, as this compilation failure
is not specific to meta-arm-bsp platforms.

Signed-off-by: Mariam Elshakfy <mariam.elshakfy@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-08-07 17:00:05 -04:00
Ross Burton 1d21bf1577 arm/edk2-firmware: set CVE_PRODUCT to the correct CPE
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-08-06 10:00:07 -04:00
Bence Balogh 3f78e99e0f arm-bsp/trusted-firmware-a: corstone1000: update upstream statuses
The patches with Pending status were submitted to the upstream TF-A
repo.

Signed-off-by: Bence Balogh <bence.balogh@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-08-03 09:00:05 -04:00
Jon Mason bf85e4a9a1 arm/trusted-firmware-a: remove workaround patch for qemuarm64-secureboot
bl31 interrupt type regression has been fixed in v2.11 of trusted
firmware a.  Since qemuarm64-secureboot is using that version, this
patch can be removed.

Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-08-02 15:25:27 -04:00
Jon Mason e687068e5a arm-bsp: remove unreferenced patches and configs
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-08-02 15:25:27 -04:00
Jon Mason 6657b15b31 arm: use devtool to clean-up patches
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-08-02 15:25:27 -04:00
Jon Mason 3880bc18bc arm-bsp/fvp-base: u-boot patch clean-up
Move the fvp-base unique u-boot patches to the proper nested directory
and rename them to match convention (devtool style).

Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-08-02 15:25:27 -04:00
Mikko Rapeli 1e7cac70cc optee-os: fix buildpaths QA failure on corstone1000
Patches applied upstream:

https://github.com/OP-TEE/optee_os/pull/6974

Fixes:

https://gitlab.com/jonmason00/meta-arm/-/jobs/7472950159

ERROR: mc:firmware:optee-os-4.2.0-r0 do_package_qa: QA Issue: File /lib/firmware/tee.elf in package optee-os contains reference to TMPDIR [buildpaths]

Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-08-02 09:42:31 -04:00
Mikko Rapeli b1db172d51 optee-os: remove buildpaths INSANE_SKIP
Embedded build paths are now removed and test passes.

Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-07-30 23:08:43 -04:00
Mikko Rapeli 9a6a118924 optee-os-tadevkit: remove buildpaths INSANE_SKIP
Embedded build paths are now removed and test passes.

Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-07-30 23:08:43 -04:00
Mikko Rapeli 677d9937f2 optee-os: remove absolute paths
Change optee-os build scripts to not use absolute
build time paths in generated header files and scripts.

Two patches are backports from master/4.3.

Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-07-30 23:08:43 -04:00
Mikko Rapeli 96da3de1ea optee-os: asm debug prefix fixes
The .S files compiled by optee-os were including
absolute path of the recipe git tree. Fix this by
applying CFLAGS with correct debug prefix maps to AFLAGS
used by optee makefiles. Fixes optee-os and optee-os-tadevkit
buildpaths QA errors.

Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-07-30 23:08:43 -04:00
Luca Fancellu f3b60ee389 arm/oeqa: Introduce retry mechanism for fvp_devices run_cmd
Currently the run_cmd, which is a wrapper for self.target.run()
that uses SSH to spawn commands on the target, can fail spuriously
with error 255 and cause the test to fail on slow systems.

In order to address that, introduce a retry mechanism for the call,
that is able to wait some time for the system to settle and retry
the command when the error code from SSH is 255.

Signed-off-by: Luca Fancellu <luca.fancellu@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-07-30 10:05:46 -04:00
Amr Mohamed 88a47b37f7 kas: Add new yml file for Distros unattended installation
Define “DISTRO_UNATTENDED_INST_TESTS” variable in meta-arm-systemready
independently from meta-arm-auto-solutions. This will allow running
the unattended installation without meta-arm-auto-solutions.

Signed-off-by: Amr Mohamed <amr.mohamed@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-07-30 10:02:47 -04:00
Amr Mohamed 9c95daa244 arm-systemready/oeqa: Add new test for Fedora unattended installation
The oeqa test responds to the boot loader prompt error message and
waits till the distro installation is finished.

Signed-off-by: Amr Mohamed <amr.mohamed@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-07-30 10:02:47 -04:00
Amr Mohamed c014f118a1 arm-systemready/linux-distros: Add kickstart file for Fedora unattended
Add the Fedora kickstart configuration file and define a function to
modify the unpacked ISO image to add the kickstart file inside and
modify the grub.cfg file.

Signed-off-by: Amr Mohamed <amr.mohamed@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-07-30 10:02:47 -04:00
Amr Mohamed bd95810d77 arm-systemready/linux-distros: new inc file for unattended installation
Add a new inc file to unpack and repack the distro ISO image after
adding the kickstart configuration file inside.

Signed-off-by: Amr Mohamed <amr.mohamed@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-07-30 10:02:47 -04:00
Ross Burton c850a8624c arm-systemready: explicitly disable SPDX in the fake image classes
If SPDX 3.0 has been enabled then it :appends to IMAGE_CLASSES and then
breaks at build time because there are several classes and recipes that
look like but are not images.

Explicitly :remove the relevant class, but this really needs a better
solution in the long term.

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-07-26 08:44:08 -04:00
Ali Can Ozaslan e8b60718a8 arm-bsp/trusted-firmware-m: corstone1000: Increase PS size
Increase the size of PS storage in Secure Flash.

The SecureBoot and Security Interface Extension (SIE) tests for MPS3
are failing when the Secure Flash runs out of memory. The frequency
of the errors is at least 50-60%. The aim of this is to increase
the size of PS storage in Secure Flash, so as to minimize
the possibilities of it to run out of memory.

FLASH_PS_AREA_SIZE is increased.

Signed-off-by: Ali Can Ozaslan <ali.oezaslan@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-07-26 08:44:08 -04:00
Jon Mason 14d24b5526 arm-bsp/fvp-base: add edk2 testimage support
Add the changes necessary to get edk2 booting and testimage passing on
fvp-base.  All that is really necessary is adding the dtb to the too
partition.

Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-07-12 11:16:57 -04:00
Jon Mason 105338c069 CI: remove xorg test removal from edk2
The edk file removed xorg from being tested, which is currently working
on qemuarm and qemuarm64.  Also, the section name collies with one in
fvp.yml, which has other things that are removed.  Remove this removal
to get things working as expected.

Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-07-12 11:16:57 -04:00
Jon Mason 6e383417d7 arm/gn: update to the latest commit
Update to the latest gn commit.  The previous commit was from 23 April 2024.
The commits since that commit are:
    Do not cleanup args.gn imports located in the output directory.
    Fix expectations in NinjaRustBinaryTargetWriterTest.SwiftModule
    Do not add native dependencies to the library search path
    Support linking frameworks and swiftmodules in Rust targets
    [desc] Silence print() statements when outputing json
    infra: Move CI/try builds to Ubuntu-22.04
    [MinGW] Fix mingw building issues
    [gn] Fix "link" in the //examples/simple_build/build/toolchain/BUILD.gn
    [template] Fix "rule alink_thin" in the //build/build_linux.ninja.template
    Allow multiple --ide switches

Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-07-12 11:00:05 -04:00
Jon Mason 091f102ea5 arm/boot-wrapper-aarch64: update with latest patch
Update to the latest commit.  The previous top commit was from 27 July 2021.
The commits since that commit are:
    aarch64: Enable access to MDSELR_EL1 from EL2 and below
    aarch64: enable Permission Indirection Extension
    aarch64: enable access to TCR2_ELx
    model.lds.S: Quote file paths
    Makefile: Change COUNTER_FREQ to 100 MHz
    sme: Fix sign-extension bug in SMCR_EL3 write
    fix array boundary check in find_logical_id
    aarch64: enable access to HCRX_EL2
    aarch64: Enable use of SME by EL2 and below
    aarch64: Document what we're doing when setting ZCR_EL3.LEN
    aarch64: Recognize PAuth QARMA3
    Makefile: avoid dtc warnings on re-compiling DTB
    Unify start_el3 & start_no_el3
    Rework bootmethod initialization
    Announce locations of memory objects
    aarch32: move the bulk of Secure PL1 initialization to C
    aarch64: move the bulk of EL3 initialization to C
    Announce boot-wrapper mode / exception level
    Rework common init C code
    aarch64: initialize SCTLR_ELx for the boot-wrapper
    aarch64: add mov_64 macro
    aarch32: add coprocessor accessors
    aarch64: add system register accessors

Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-07-12 11:00:05 -04:00
Jon Mason e9f00ab335 arm/opencsd: update to 1.5.3
Update to the latest opencsd commit.  The previous commit was from 28 March 2024.
The commits since that commit are:
    opencsd: Update Version info and README for v1.5.3
    build: Minor adjustments to improve clang compatibility
    build: vs2022: Fix minor git tracking issues.
    opencsd: test: update tests for memacc cache api
    opencsd: Add external memacc cache interface.
    opencsd: memory accessor - update caching.
    opencsd: docs: Update man files
    opencsd: etm4: Fix packet print typo.
    opencsd: Fix error handling in snapshot loader
    opencsd: Fix error string ordering.
    opencsd: memacc: Add logging for cache pages and size.
    opencsd: Add timing to trc_packet_lister
    docs: Minor document corrections.

Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-07-12 11:00:05 -04:00
Jon Mason a1b240fa55 CI: add poky-altcfg
Add poky-altcfg to give us coverage for systemd (and the other things
that it exercises).

Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-07-10 12:11:37 -04:00
Amr Mohamed b2f6758fde arm-systemready/README.md: add ARM_FVP_EULA_ACCEPT
Update README.md file to add "ARM_FVP_EULA_ACCEPT=1"
with kas build commands.

Signed-off-by: Amr Mohamed <amr.mohamed@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-07-10 09:00:05 -04:00
Jon Mason 4cddc5f600 CI: remove unnecessary clang settings
With the resolution of meta-clang issue 766 and
OE-Core 15d09b02b2632ab1cabc3b1bd9f521e6d3d3b83f
many of the settings are no longer necessary to be set as part of our
CI.  Remove them, as it is causing other issues with CI.

Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-07-09 14:40:05 -04:00
Jon Mason f646ee4507 arm-toolchain: update to 13.3
Update the Arm Binary toolchain to version 13.3-rel1.  The upper to
lowercase 'r' in rel was intentional, as the exact match is needed for
devtool to properly determine the correct version.

Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-07-09 14:35:23 -04:00
Bence Balogh af0b47160e arm-bsp/u-boot: corstone1000: use mdata v2
The mdata structure was modified to use the v2 and did the minimal
necessarry changes to make it build without errors. This way the
U-Boot metadata is aligned with the TF-A and TF-M structs.

Signed-off-by: Bence Balogh <bence.balogh@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-07-08 14:49:10 -04:00
Emekcan Aras f219bed333 arm-bsp/trusted-firmware-m: corstone1000: Switch to metadata v2
Upgrades metadata structs in secure-enclave from v1 to v2 as described
in psa-fwu spec: https://developer.arm.com/documentation/den0118/latest/

The TrustedFirmware-A v2.11 release supports only the metadata v2. The
structs in TF-M side had to be aligned to keep the compatibility.

Signed-off-by: Emekcan Aras <Emekcan.Aras@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-07-08 14:49:10 -04:00
Bence Balogh 45cc1d2e2c arm-bsp/trusted-firmware-a: Upgrade Corstone1000 to TF-A v2.11
Update the preferred version of TrustedFirmware-A for Cortsone-1000
from 2.10.x to 2.11.x to benefit from the latest fixes and improvements
as well as to reduce the number of out-of-tree patches.

As a result of updating the version:
* Remove no longer required out-of-tree patches
* Update the numbering of the remaining out-of-tree patches

Additionally remove unnecessary white spaces in modified BitBake files.

Signed-off-by: Bence Balogh <bence.balogh@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-07-08 14:49:10 -04:00
Bence Balogh 0ec9dedc00 arm-bsp/optee: Remove OP-TEE OS v4.1 recipe
There no longer is a platform in meta-arm that uses this version of
OP-TEE OS. The last platform that did use it (Corstone-1000) now uses
a later version.
See `meta-arm-bsp/conf/machine/include/corstone1000.inc` for more info.

Signed-off-by: Bence Balogh <bence.balogh@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-07-08 08:00:06 -04:00
Bence Balogh 9532dca1a6 arm-bsp/optee:corstone1000: Update optee to v4.2
Update the preferred version of OP-TEE OS for Cortsone-1000 from
4.1.x to 4.2.x to benefit from the latest fixes and improvements.

Signed-off-by: Bence Balogh <bence.balogh@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-07-08 08:00:06 -04:00
Delane Brandy 61f5a0b1b6 arm-bsp/corstone1000: Update Corstone-1000 user guide
Update the Corstone-1000 user guide with the new instructions on how to
rebuild the platform to enable multicore support and run a test to
verify this.

Signed-off-by: Delane Brandy <delane.brandy@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-07-04 06:00:05 -04:00
Jon Mason 390b9824dd CI: remove ts-smm-gateway for qemuarm64-secureboot-ts
uefi-test is failing on qemuarm64-secureboot with TS enabled with a "Bus
Error".  This regression is caused by the update of QEMU from v8.2.1 to
v9.0.0.  Temporarily disable this test (via disabling ts-smm-gateway) to
get CI green until it can be root caused.

Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-07-02 16:28:33 -04:00
Harsimran Singh Tungal b5903ce6ea arm-bsp/trusted-firmware-a: corstone1000: fix compilation issue for FVP multicore
Include platform header file in order to remove compiler warnings.
Due to GCC upgrades to 14.1, some warnings are being treated as errors.
This change resolves TF-A compilation issue when FVP multicore
is enabled.

Signed-off-by: Harsimran Singh Tungal <harsimransingh.tungal@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-07-02 12:00:05 -04:00
Jon Mason 1d65894556 arm-systemready: WORKDIR to UNPACKDIR changes
Recent upstream changes to what is acceptable use of WORKDIR have broken
where the meta-arm-systemready recipes are expecting things to be.  Fix
them to point to the correct location.

Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-07-01 20:38:32 -04:00
Peter Hoyes 1a2004428d arm/fvpboot: Revert "Disable timing annotation by default"
Fast Models 11.26 now print the following warning if the env var
FASTSIM_DISABLE_TA is set:

  Warning: /ARM/FastModels/deprecated: the use of FASTSIM_DISABLE_TA
  environment variable is deprecated and will beremoved in a future
  release.

Remove the env var from the default env passthrough vars in the fvpboot
bbclass.

This reverts commit 735f560aeb.

Signed-off-by: Peter Hoyes <peter.hoyes@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-07-01 08:24:26 -04:00
Harsimran Singh Tungal b13a35906a arm-bsp/trusted-services: fix compilation issues for ts-newlib
Fix compilation issues with newer GCC version 14.1 for ts-newlib package
by disabling GCC flags for now.
This is just to unblock meta-arm master compilation issues.

Signed-off-by: Harsimran Singh Tungal <harsimransingh.tungal@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-06-28 10:15:26 -04:00
Harsimran Singh Tungal 0e5be70176 arm-bsp/trusted-services: corstone1000: fix compilation issues
Fix compilation issues with newer GCC version 14.1 for Trusted-Services
patches by disabling some GCC flags for now.
This is just to unblock the meta-arm master compilation issues.

Signed-off-by: Harsimran Singh Tungal <harsimransingh.tungal@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-06-28 10:15:26 -04:00
Harsimran Singh Tungal 6db296637b arm-bsp/u-boot: corstone1000: fix U-Boot patch
Fix compilation issues with newer GCC version 14.1 in U-Boot patch

Signed-off-by: Harsimran Singh Tungal <harsimransingh.tungal@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-06-28 10:15:26 -04:00
Ziad Elhanafy 5f64790152 arm/oeqa: Enable pexpect profiling for testcase debugging
This patch enables logging with timestamps for individual pexpect
assertions to ease the debugging of failed tests and the tuning of
timeouts. It measures the execution time of all pexpect calls and logs
the actual duration for each.

Only "callable" pexpect calls are timed (e.g. expect, sendline, but not
before or after).

Signed-off-by: Divin Raj <divin.raj@arm.com>
Signed-off-by: Ziad Elhanafy <ziad.elhanafy@arm.com>
Signed-off-by: Peter Hoyes <peter.hoyes@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-06-28 10:15:03 -04:00
Ross Burton c4c562c179 CI: update to Kas 4.4 image
The Kas 4.4 image includes the websocket module, needed to use the
public hashserv/sstate.

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-06-26 12:00:06 -04:00
Jon Mason 751e4817c9 arm-toolchain: fix for WORKDIR changes
Fallout from the upstream WORKDIR changes.  do_copy_locale expects
SUPPORTED to be in WORKDIR, but recent changes have made it so that the
source/unpack location is no  longer WORKDIR and cannot be pointed to
be such.  So, do this copy manually here.

Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-06-24 11:00:05 -04:00
Jon Mason 8024166d6c arm/qemuarm64-secureboot: fix qemu parameter
QEMU has deprecated the no-acpi parameter, in favor of "acpi=off" machine
setting.  Modify the machine conf to use the new method.

Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-06-20 15:48:11 -04:00
Jon Mason 794262c783 arm-bsp/fvp-base: update version to 11.26.11
Update to the latest version of fvp-base-a-aem.  The licence files
changed with an addition of language to add 'Arm License Management
Utilities', but still is licensed under the Arm Proprietary license (and
still requires the EULA to be acknowledged).

Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-06-19 17:00:05 -04:00
Ross Burton 981425c54e arm/libts: use UNPACKDIR
Single files in SRC_URI are now in UNPACKDIR not WORKDIR.

Signed-off-by: Ross Burton <ross.burton@arm.com>
2024-06-18 13:59:47 -04:00
Ross Burton 80be96437e arm-bsp/firmware-image-juno: use UNPACKDIR
Update the source/fetching for the new S/UNPACKDIR behaviour. This patch
is complicated by the recipe using UNPACK_DIR already, so I changed that
to avoid confusion.

Signed-off-by: Ross Burton <ross.burton@arm.com>
2024-06-18 13:59:47 -04:00
Ross Burton 1985604beb arm/optee-ftpm: silence new compiler errors from GCC 14.1
GCC 14.1 is stricter with code validation and the build now fails.
However as upstream appear to be about to remove this source entirely from
upstream[1] I didn't want to spend long investigating this if upstream
changes will obsolete it, so just silence the errors for now.

[1] https://github.com/microsoft/ms-tpm-20-ref/pull/108

Signed-off-by: Ross Burton <ross.burton@arm.com>
2024-06-18 13:59:47 -04:00
Harsimran Singh Tungal bd9fc4bbfc ci,arm-bsp: corstone1000: New MACHINE_FEATURES for Corstone-1000 FVP multicore
Introduce `corstone1000_fvp_smp` as a value of the `MACHINE_FEATURES`
variable to support Corstone-1000 FVP Symmetric Multiprocessing.

A new YAML file is created to add this new machine only for the FVP
variant of the target platform.

The multicore feature is enabled in TrustedFirmware-A,
TrustedFirmware-M, and OP-TEE based on this machine feature.

Signed-off-by: Harsimran Singh Tungal <harsimransingh.tungal@arm.com>
2024-06-18 13:59:28 -04:00
Harsimran Singh Tungal e437bc8f7d arm-bsp/trusted-firmware-m: corstone1000: Multicore support for Corstone-1000 FVP
This changeset introduces the multicore support for the Corstone-1000
FVP.

Signed-off-by: Harsimran Singh Tungal <harsimransingh.tungal@arm.com>
2024-06-18 13:59:28 -04:00
Harsimran Singh Tungal 3eaa5c632c arm-bsp/trusted-firmware-a: corstone1000: Multicore support for Corstone-1000 FVP
This changeset adds the multicore support in trusted-firmware-a for the Corstone-1000
FVP.

Signed-off-by: Harsimran Singh Tungal <harsimransingh.tungal@arm.com>
2024-06-18 13:59:28 -04:00
Harsimran Singh Tungal c42a7ffd3e arm-bsp/u-boot: corstone1000: Enable secondary cores for Corstone-1000 FVP
This changeset adds secondary cpu nodes for Corstone-1000 FVP dts.

Signed-off-by: Harsimran Singh Tungal <harsimransingh.tungal@arm.com>
2024-06-18 13:59:28 -04:00
Harsimran Singh Tungal 3e13dfa18a arm-bsp/optee: corstone1000: Remove MMCOMM buffer address
Remove MMCOMM buffer address and its mapping, as it is not being used anymore

Signed-off-by: Harsimran Singh Tungal <harsimransingh.tungal@arm.com>
2024-06-18 13:59:28 -04:00
Ross Burton 156141c014 documentation/runfvp: use IMAGE_CLASSES instead of INHERIT
The fvpboot class specifically hooks into the image creation, so it
should use IMAGE_CLASSES instead of INHERIT (which is global in scope).

Signed-off-by: Ross Burton <ross.burton@arm.com>
2024-06-18 13:59:05 -04:00
Jon Mason 150cd18d15 Docs: add ci/kas, quick start, and release information
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-06-18 13:58:39 -04:00
Ross Burton e6796bf18a arm-bsp/edk2-firmware: work around alignment problem with EDK/qemu
Since switching to master, EDK2 is doing an unaligned access to memory
when drawing the boot logo which causes qemu 9.0.0 (since 728b923f54) to
raise an exception.

There is upstream discussion about where and what the underling bug here
actually is, but until that is resolved we can simply align the logo.

Signed-off-by: Ross Burton <ross.burton@arm.com>
2024-06-18 08:52:21 -04:00
Amr Mohamed 88b78f5558 arm-systemready/linux-distros: Add a third Linux distribution installation
Add Fedora distribution version 39.1.5 installation to fulfill
the SystemReady IR.

Signed-off-by: Amr Mohamed <amr.mohamed@arm.com>
2024-06-18 08:51:59 -04:00
Bence Balogh 71d36251eb arm-bsp/documentation: corstone1000: improve tests documentation
Improve the documentation in the user guide of the following tests:

- SystemReady-IR tests
- Manual capsule update and ESRT checks
- Linux distros tests
- UEFI Secureboot (SB) test
- PSA API tests

In addition, we moved the tests in one section for better readability.

Signed-off-by: Delane Brandy <delane.brandy@arm.com>
Signed-off-by: Harsimran Singh Tungal <harsimransingh.tungal@arm.com>
Signed-off-by: Bence Balogh <bence.balogh@arm.com>
Signed-off-by: Abdellatif El Khlifi <abdellatif.elkhlifi@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-06-13 13:00:06 -04:00
Bence Balogh 841b88fdc2 arm-bsp/documentation: corstone1000: update the boot chain
The Secure Boot chain section is updated in the architecture document
to reflect the TF-M BL1 design.

Signed-off-by: Bence Balogh <bence.balogh@arm.com>
Signed-off-by: Harsimran Singh Tungal <harsimransingh.tungal@arm.com>
Signed-off-by: Delane Brandy <delane.brandy@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-06-13 13:00:06 -04:00
Andrey Zhizhikin 30872ba12a optee-client: Switch away from S = WORKDIR
Since OE-Core commit 32cba1cc916a ("insane: Error for S == WORKDIR")
usage of WORKDIR in tasks is fatal, and shall be replaced with UNPACKDIR.
Similar change is introduced in OE-Core commit d9328e3b0b06 ("recipes:
Switch away from S = WORKDIR"), follow the same pattern for OP-TEE client.

Signed-off-by: Andrey Zhizhikin <andrey.z@gmail.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-06-12 09:29:29 -04:00
Jon Mason f8338c3af2 Revert "CI: temporarily backport the procps fix"
This reverts commit fef5eafc08.
2024-06-11 12:39:50 -04:00
Ryan Eatmon b08bf096a0 arm/test-pacbti: Use UNPACKDIR
Fix parsing recipes error:

  Parsing recipes...
  ERROR: meta-arm/recipes-test/pacbti/test-pacbti.bb: Using S = ${WORKDIR} is no longer supported
  ERROR: Parsing halted due to errors, see error messages above

There was a change in oe-core [1] and was further discussed here [2].

[1]  https://git.openembedded.org/openembedded-core/commit/?h=master&id=32cba1cc916ad530c5e6630a927e74ca6f06289b
[2] https://lists.openembedded.org/g/openembedded-architecture/message/2007

Signed-off-by: Ryan Eatmon <reatmon@ti.com>
2024-06-11 11:37:58 -04:00
Ross Burton 8ce0dc290f arm-bsp/ssh-pregen-hostkeys: fix corstone1000 typo
Signed-off-by: Ross Burton <ross.burton@arm.com>
2024-06-11 11:37:58 -04:00
Ross Burton 8769c92fc1 arm-bsp/u-boot: update tick.patch to merged patches
These patches have been merged, so refresh the patches.

Signed-off-by: Ross Burton <ross.burton@arm.com>
2024-06-11 11:37:58 -04:00
Ross Burton d7f8e985ba arm/u-boot: remove obsolete qemuarm patch
This has been obsoleted by "arm: enable support for QEMU firmware tables"
upstream, in v2024.04.

Signed-off-by: Ross Burton <ross.burton@arm.com>
2024-06-11 11:37:58 -04:00
Ross Burton 680e121bb2 CI: use pregenerated SSH keys in genericarm64
We boot genericarm64 inside a qemu, so add the pregenerated keys to speed
up testing.  This isn't a risk because we don't publish the images.

Signed-off-by: Ross Burton <ross.burton@arm.com>
2024-06-11 11:37:58 -04:00
Ross Burton 419736b6ad CI: back to master
Move meta-arm's CI for master branch back to master of the upstream layers.

Signed-off-by: Ross Burton <ross.burton@arm.com>
2024-06-11 11:37:58 -04:00
Thomas Perrot 43e4afbd7a optee-os: remove NOWERROR from EXTRA_OEMAKE
NOWERROR=1 has been made obsolete by commit beb065df6ee5 ("Do not set
-Werror by default"). Remove it.

Signed-off-by: Thomas Perrot <thomas.perrot@bootlin.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-06-11 04:00:05 -04:00
Jon Mason 8d2a45af05 arm/arm-tstee: add UPSTREAM_CHECK
Add UPSTREAM_CHECK_GITTAGREGEX to allow devtool to check for the latest
version

Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-06-04 15:00:08 -04:00
Jon Mason a4761c2edc arm/trusted-firmware-rmm: update to 0.5.0
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-06-04 15:00:08 -04:00
Jon Mason 9010839803 arm/trusted-firmware-rmm: add UPSTREAM_CHECK and tweak recipe version
Adding UPSTREAM_CHECK_GITTAGREGEX to properly check the upstream
version, and modify the recipe name to follow the version in the git
tree.

Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-06-04 15:00:08 -04:00
Jon Mason 1bcc820850 arm/edk2: update to edk2-stable202405
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-06-04 15:00:08 -04:00
Jon Mason 3cf4301fb9 arm/hafnium: update to v2.11
Update hafnium to the latest version

Changes in hafnium between 946fde92bedc95e1320684b0bc2dc752bc1e1bc7 and 2bef7ab3895c48d39b84ab58179b2d0de5156b8b
2bef7ab3895c docs: the change log for the v2.11 release
2aea748eb344 docs: add SIMD support section
dac0ae1bf74a docs: threat model GPF with memory share
9dbe17a3fc60 docs: threat model to NWd rxtx buffer
0b45a2e28f65 docs: fix FFA_CONSOLE_LOG description
c28ee3eda25d docs: device regions in SPMC manifest
d547d6df4228 docs(memory management): rme integration
963a5d73abb5 docs: document `FFA_FEATURES`
d40979fd9974 docs: document `FFA_CONSOLE_LOG` ABI
dfc312e2a965 docs: add description of device memory lending
ce8526ecac0f docs: update threat model for static dma isolation
17c9ad327bfa fix(ff-a): report NPI and MEI unsupported to normal world
27a4df506d83 refactor(simd): cosmetic rename sm local variable
4695ce892967 fix(simd): fix SME-only save/restore conditions
4fd8f364ff43 fix(simd): omit setting SVE VL in SIMD restore
034a31970f4e fix(simd): cosmetic comments
79dbd6f9ab99 fix(simd): mask out SMCCC SVE hint bit
96ffeee3175b fix(simd): use SMCCC SVE hint bit mask
ca92fb0d303a refactor(simd): FPU save/restore convert to C
42a5262ebd4a fix: SVE/SME unsupported in processor feature regs
731f40b91e39 fix(test): reorder log before sync call in echo_mp
9b579d365a2d chore: remove extra lines from echo_mp test log
8a5fd9d9163a feat(indirect message): use 'memcpy_trapped'
0a21db13d12d feat(ff-a): use memcpy that is trapped GPF
a2d1c3b9c94a feat: add implementation of `memcpy_trapped`
7388c18ef222 refactor: exception handling macros for reuse at EL2
568f2a7b8fb9 feat(aarch64): define macros to process GPF
462ad8d90796 chore(hftest): use common secondary stack definition
491ff30f1ac4 test(dir_msg): demo MP test with direct message
0c029c2719cd feat: prepare for MP tests
b186fecfdf78 feat: added macro SERVICE_SELECT_MP
592ede3c7b95 test(memory share): NWd to SWd device memory sharing
63af1fab1656 feat(memory share): enable NWd to SWd device memory lending
4339edcf0bb0 feat(memory share): validate sp device mem ranges
6dff8271fbdc test(memory share): check limits on device mem sharing
a4de8a56b211 test(memory share): device lend SP to SP
a56ec8eff0f5 refactor(memory share): attributes in test helpers
9764ff6bd861 feat(memory share): allow device memory lend SP to SP
941ef34e5741 test(manifest): device memory for overlaps
4d16572b89ac feat(manifest): check device memory region for overlap
163e1a95a253 fix: ensure device regions are mapped as nGnRnE
899c4f28ab00 docs: drop unnecessary build option
03ba75fe13c3 refactor: set vcpu of the NWd in preempted state
0247fe68743e refactor: use `vcpu_set_running` function
874737a43d64 docs: mte build option in TF-A integration
2d570d1ef339 ci: increasing timeout
6976541fcc9e fix: update docs to use correct MTE build flag
b1dbca99bae7 docs: update docs with new RXTX_MAP/UNMAP behavior
738bee137e1d feat(ff-a): validate FFA_RXTX_MAP/UNMAP against NWd page tables
41e8d5b1f805 refactor: set vcpu in preempted state
e143080baf9b feat: add `vm_lock_both_in_order`
587cd29b5d3a test: FFA_CONSOLE_LOG with extended registers
740f74fc95c6 feat: support extended register set for `FFA_CONSOLE_LOG`
b9705e2bd383 fix(ff-a): check that hypervisor's TX buffer is set-up
95f0e6033ad9 fix: fix typo in static_assert
f98b2aa1d407 feat: add helpers for names of various enums
84710f315ae7 refactor(ff-a): use bitfields for memory access bitmaps
2fc6dcfa97e0 feat: update BL31 binary to optimize NS context management
5386559b386a feat: save and restore non-secure peripheral registers
80a7b7fe9abe feat: save and restore non-secure MTE context
0ec38247a973 feat: save and restore non-secure system reg context
c70bacdd5054 refactor: create helpers to save and restore sys reg context
3956b2e6074a fix(direct message): tests to look for FFA_BUSY
7ea3f7ec8cb9 fix(direct message): reorder checks for FFA_BUSY
e5262378c5d7 fix(memory share): missing flag if permissions RO
c972cc6de311 fix(memory share): data access permissions
7de61af932d1 fix(memory share): sender and receiver are the same
f779fb7ed4eb fix: ffa_msg_wait shall not change the mailbox state
dc8cf3b899e6 test(ff-a): NPI not supported on EL0 partition
f1ed5f16cd59 fix(ff-a): report NPI unsupported on EL0 partition
76f1c8f03c27 test(ff-a): SRI is unsupported on secure world
cb6642c1cd6a fix(ff-a): report SRI unsupported to secure partitions
f7861301c512 test(ff-a): FFA_FEATURES returns max RXTX buffer size
0fd672906e61 feat(ff-a): report RXTX buffer size in FFA_FEATURES
f2b6fd1e8e7d test(ff-a): fix counts for ffa_info_get with multiple uuids
a1de3c5f69f6 feat(ff-a): add multiple uuids to partition info desc
3bbed8f554d2 fix: allow code coverage tests to run despite fails
6e3abcff0f1b docs: add FFA_MSG_SEND_DIRECT_REQ2/RESP2 support
364400e8d91b refactor: linux driver statically allocate vms
e0ca9a07de7b refactor(memory share): introduce ffa_memory_access_impdef_init
f1dd1e1375a8 fix: partition message total size check
37b75119ed18 fix: partition message offset check
0abd88768e9a test: FFA_MSG_SEND_DIRECT_RESP2 intercepted
4847e3bdd837 test(dir_msg): cyclic dependency with two ABIs
9375a292b992 test(smccc): test register integrity across FF-A versions
bed1dae8b4c1 test(dir_msg): extend multiple uuids test
f06b52366f40 fix(mem sharing): return error if receiver count is 0
5e425040abf4 test(memory share): multiple borrowers from v1.1 SP
a76fd9165b4b fix(memory share): broken assert in send from SP to multiple
d50411214cb8 docs: update memory sharing to reflect recent changes
607c724cbda3 chore: increase timeout for sp_route_interrupt_to_secondary_vcpu
106c8cec1662 fix: reduce verbosity on passing tf-a-tests
9ae48e998450 test: intercept direct response between two SPs
ca2f92d3adf1 test: enable specifying options for sp_fwd_sleep command
0a704e559d7e fix: unwind call chain after intercepting direct response
5a0991746afa fix: error return in FFA_MEM_PERM_GET/SET
f06ee9df186d fix(memory share): drop assertion sender ID
89c221317513 fix: per-vCPU/global bind/set mismatch
30ac91dc9c78 fix: global notifications shall use vCPU ID 0
6b754a188dca fix: flags that mbz are checked
f020814b4105 chore: improve log message in notification set
7333dcfaf21a fix: notification set error code
1512acc0a69c chore: print bitmap on FFA_NOTIFICATION_BIND
7ccaccf2ab18 fix: invalid ID in bitmap create/destroy
2a500071f224 fix: spmc test script didn't capture failures
37e559da0f07 refactor(tc): remap console logs
a3905006b590 test(dir_msg): add FF-A version based tests
382e0c622a79 test(ff-a): registers preserved after dir_resp
352388760d18 feat(ff-a): preserve extended registers in dir_resp
81237694db4d test: exercise interrupt handling while processing indirect message
8922671489d9 test: support for services to parse device regions
93978b038e4d test: add twdog helpers to primary_with_secondaries
9a1b9c0bff6b test: make sp805 driver common across test setups
ba2488560be8 fix(interrupts): intercept ffa_msg_wait to signal virtual interrupt
ba22a72b8866 refactor: add helpers to intercept and resume ffa calls
7182163a2245 docs: update ff-a bindings for static dma isolation
555f8882f437 docs: add support for static dma isolation
7c7b1a7764ef feat: demonstrate specifying dma device count per partition
0715f32ba515 feat(smmuv3): restrict access of streams to limited memory regions
0e57d3d35892 feat(iommu): map memory regions into dma page tables
070f49ebfb4a feat: initialize page tables for enforcing dma isolation
8a3644777dc1 feat: allow platforms to specify dma device count per partition
e032af5e6a37 feat: track dma devices and map to stream ids
3c2b7911e6ee feat: retrieve dma properties for each memory region node
1ced4cb719ff feat(sme): add NS SME save/restore operations
ffdeb23a067b feat(sme): introduce an SME module
52bbdee7487c feat(sme): add SME related definitions
5b5883351c94 feat(simd): SIMD NS save/restore convert to C
dc112d50c258 refactor: make is_arch_feat_sve_supported inlined
d71c83aa8f44 feat(sve): introduce an SVE module
b0faf45a6c4a fix: ensure SVE traps are enabled when running SPs
063ad835b5bd feat(memory share): revert protect action
fd2060536fee feat(memory share): unprotect memory on reclaim
460d36c1fc58 feat(memory share): protect on memory lend/donate
cf6253e3abec feat(memory share): protect/unprotect memory
a2ff04126675 feat(rme): add protect/unprotect memory functions
0a83dc2bf94c feat(memory share): define ffa_map_actions
dad6003e1fcd feat: add build options for memory protect
cb4dc90811b6 feat: arch helpers to check RME support
2e14ebe8b6e3 fix(memory share): fix behaviour of relinquish clear flag
3d0a462034c0 ci: separate static checks in a script
674e4de6bb3a refactor: mailbox doesn't need size and sender
44e9b3b7bebb fix(memory share): hypervisor retrieve request
7b6ab6195d84 fix(memory share): set size of access descriptor
4f0d9c1843cf refactor(memory share): split memory retrieve req
d61246b6c5e1 fix(ff-a): do not report FFA_EL3_INTR_HANDLE to VM
40d09d2ce60c docs: added section for building a single platform
f90f1f12de0a feat(build): check platforms exist before building
41ef8baba363 refactor(memory share): use receiver_offsets to find receiver array
39bc21b07309 test(dir_msg): test direct message abi pairs
e468c1168124 fix(dir_msg): enforce direct message ABI pairs
cf7cc68012d3 test(ff-a): add FF-A v1.2 ffa_features test
58fe07d70fea test(dir_msg): end-to-end direct msg test with multiple uuids
422b10bc6991 feat(uuids): add support for multiple UUIDs per partition
036cc592731b test(ff-a v1.2): ffa_run to zero extended registers
434bea9652a1 test(dir_msg): add tests for FFA_MSG_SEND_DIRECT_REQ2
de0b0da535a1 test(dir_msg): extend registers in dir_msg tests
087e50241881 feat(dir_msg): add FFA_MSG_SEND_DIRECT_RESP2
db6a08b7cc6c feat(dir_msg) extend FFA_MSG_SEND_DIRECT_REQ2 registers
734ddc4e7cfb test(dir_msg) test FFA_MSG_SEND_DIRECT_REQ2
41fea93fe85b feat(dir msg): add FFA_MSG_SEND_DIRECT_REQ2
86d9fa741b86 feat(prebuilts): add SPMD support for ff-a v1.2 dir msg
c0e7dc20f2a9 docs: update messaging method ff-a binding
f71dee4c7bab feat(manifest): support FF-A v1.2 direct messages
9681574575c0 test(memory share): add test for FF-A v1.1 endpoints
63130e572dbe refactor(memory share): correct names of versioned share tests
909d3bbeca84 test(memory share): check memory access invalid values
59ffee9ba6bd test(memory share): introduce impdef value check
de974ca9b936 feat(memory share): add impdef field to ffa_memory_access
c7dc932e9a15 feat(memory share): check memory region desc values
d5ae44bed0c1 refactor(memory share): add helper for accessing receivers
36e0bdbf58e6 refactor(memory share): make ffa_memory_region update common
64400234fe31 refactor: make is_arch_feat_bti_supported inlined
109c6d4c0e5b fix: restrict HF_INTERRUPT_INJECT to Hypervisor
0926addea321 feat(amu): enable traps
0a1a9f861e6d feat(ff-a): update el0 services to v1.2
78788f863ca5 fix: ignore spurious interrupt and resume preempted vcpu
c5b20e7e0d6b chore: remove clang toolchain from prebuilts
6b351bc82c92 feat: build multiple targets at once
fdd59f75403f refactor: remove plat_ffa_other_world_mem_retrive function
ed7dee80b329 test: exercise interrupt handling with interrupts masked
3aafcb620cf4 test: add helpers and extend command args to mask interrupts
151c2e7f0bf3 fix(interrupts): intercept direct response to signal virtual interrupt
09e086a7dbcf fix(interrupts): reset implicit completion signal
e1562a1488c3 feat(rd): secure hafnium build for rdfremontcfg1 platform
e4fe29698285 feat(ff-a): update FF-A version to v1.2
ad7451b1faee feat(prebuilts): update TF-A prebuilt binary to FF-A v1.2
ed508c80a039 chore: make function private to ffa_memory
b56aac880e08 fix: explicit boolean for `share_state` pointer
639ddfc0193e fix(memory share): read-only memory can't clear memory
41d4fef0f044 fix(memory share): error code in retrieve request
03f08d3dc4b8 feat(gicv3): ensure implementation supports two security states

Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-06-04 15:00:08 -04:00
Jon Mason 8cbc545e99 arm/trusted-firmware-a: add support for 2.11.0
Add support for tf-a version v2.11.0 and mbedtls 3.6.0.  Modifications
to the license checksum were necessary due to the addition to that file
for DICE (which is Apache 2.0 licensed) for TF-A and the dual license of
mbedtls (Apache 2.0 and addition of GPLv2).

NOTE: FVP base is having (more of) an issue with CI on the newest TF-A,
with SSH tests timing out.  Holding that back to the LTS version until
it cane be resolved.

Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-06-04 15:00:08 -04:00
Jon Mason 3a0081cba8 arm/trusted-firmware-m: update to 2.1.0
Adding CMSIS support, as it is now required.  Also, the SHA being
referenced by tf-m for cmsis is an intermediate SHA (between the v6.0.0
and v6.1.0 release tags).  Finally, mbedtls is now using git submodules.

Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-06-04 15:00:06 -04:00
Bence Balogh f609884595 kas: corstone1000: remove Arm-FVP-EULA flag
This flag should not be set here and the ARM_FVP_EULA_ACCEPT
should be set to True manually before building for the FVP, as it is
mentioned in the Corstone-1000 User guide:
export ARM_FVP_EULA_ACCEPT="True"

Fixes: 6e2a54748 ("kas: Corstone-1000 kas files updated")
Signed-off-by: Bence Balogh <bence.balogh@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-06-04 05:00:05 -04:00
Bence Balogh f5ebb36c59 arm-bsp/trusted-firmware-m: corstone1000: remove capsule update reset
The reset has to be removed from the TF-M side after capsule update
because it caused data abort exceptions on the host side.

Signed-off-by: Bence Balogh <bence.balogh@arm.com>
2024-05-29 14:05:46 -04:00
Delane Brandy 6207240ff4 arm-bsp/corstone1000: update the documentation
Update the Corstone-1000 Documentation for the
2024.06 release.

Signed-off-by: Delane Brandy <delane.brandy@arm.com>
Signed-off-by: Bence Balogh <bence.balogh@arm.com>
Signed-off-by: Harsimran Singh Tungal <harsimransingh.tungal@arm.com>
Signed-off-by: Emekcan Aras <Emekcan.Aras@arm.com>
Signed-off-by: Abdellatif El Khlifi <abdellatif.elkhlifi@arm.com>
2024-05-29 14:04:28 -04:00
Bence Balogh 1de50f4075 arm-bsp/trusted-firmware-m: corstone1000: increase RSE_COMMS buff size
The buffer size has to be increased to fit the EFI variables which got
increased metadata sizes.

Signed-off-by: Bence Balogh <bence.balogh@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-05-22 13:00:06 -04:00
Bence Balogh 407471cf21 arm-bsp/trusted-services: corstone1000: increase comm buffer size
The increased EFI variable metadata need bigger buffer so it can
be transfered to the Secure Enclave without memory overflow
issues. The heap and buffer sizes had to be aligned with the.

Signed-off-by: Bence Balogh <bence.balogh@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-05-22 13:00:06 -04:00
Bence Balogh b4d7112b14 arm-bsp/trusted-firmware-m: corstone1000: increase PS sizes
The private authenticated variable changes increased the variables
metadata. The PS max asset size and related buffer sizes have to be
increased because of this.

Signed-off-by: Bence Balogh <bence.balogh@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-05-22 13:00:06 -04:00
Bence Balogh 676d580a5c arm-bsp/trusted-services: corstone1000: add fixes for private auth vars
Signed-off-by: Bence Balogh <bence.balogh@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-05-22 13:00:06 -04:00
Bence Balogh 3aa25c916c arm-bsp/trusted-services: corstone1000: add EFI var handling fixes
Signed-off-by: Bence Balogh <bence.balogh@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-05-22 13:00:06 -04:00
Ross Burton 1f0a39b837 arm-bsp/linux-yocto: fvp-base: remove fvp-timer.cfg
The fvp-timer.cfg enables two modules for the SP804 and SP810 devices.
These are older pieces of hardware that predate the architectural timer
in modern systems, so even if the drivers are built they will not be used
by the kernel.

Whilst this is a good reason to remove them, another reason is that the
SP804 driver is incorrectly defined in the Kconfig so it can only be
built if a machine selects it explicitly (for arm64, only ARCH_BCM2835
and ARCH_HISI do this) or if COMPILE_TEST is enabled.

This led to COMPILE_TEST being enabled so that this driver can be built.
However, COMPILE_TEST does more, notably it turns on COMPILE_WERROR which
then makes any compile warnings fatal.  This is inconvenient, especially
when compiler upgrades happen.

Remove the timer configuration entirely: the architectural timer is used
so this is entirely redundant.

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-05-22 10:00:05 -04:00
Jon Mason 20966db076 CI: correct BB_HASHSERVE_UPSTREAM
The BB_HASHSERVE_UPSTREAM has issues which cause significantly less of a
match than expected.  Update with the correct values to get the expected
behavior.

Fixes: 6e9525115b ("CI: add Yocto Project SSTATE Mirror")
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-05-21 15:00:05 -04:00
Jon Mason b8965bb95b arm/oeqa: increase optee and ftpm test timeouts
OPTEE and ftpm tests are failing in CI on slower systems due to timing
out, but actually finish when given enough time to complete.  Increase
the timeout value to be roughly 100 seconds longer than the time it is
currently taking to finish on the slower systems.

Fixes: d450786667 ("oeqa runtime: add optee.py test")
Fixes: ba315f7242 ("oeqa runtime: add ftpm.py test")
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-05-17 14:00:05 -04:00
Harsimran Singh Tungal d02467366d arm-bsp/documentation: corstone1000: Update user guide for secureboot test
This changeset updates the user guide to test the secureboot for both the
FVP and FPGA.

Signed-off-by: Harsimran Singh Tungal <harsimransingh.tungal@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-05-17 07:00:05 -04:00
Amr Mohamed 6877a1c2bd arm-systemready/linux-distros: Upgrade the Debian license
Debian Licenses updated to reflect update from 11.7 to 12.4
License now includes: AFL-2.0, AFL-2.1,
GPL-2.0-with-autoconf-exception,
GPL-2.0-with-OpenSSL-exception,
GPL-3.0-with-autoconf-exception,
GPL-3-with-bison-exception, SMAIL_GPL,
BSD-2-Clause, BSD-3-Clause-Clear,
BSD-4-Clause-UC, TCP-wrappers, OLDAP-2.8,
PSF-2.0, BSL-1.0, bzip2-1.0.6, CC0-1.0,
Libpng, Latex2e, Unicode-TOU, Unicode-DFS-2016,
CC-BY-3.0, CC-BY-SA-3.0, CC-BY-SA-4.0, curl,
MS-PL, NTP, FSFAP, FSFUL, FSFULLR, FSF-Unlimited,
EDL-1.0, Vim, FTL, TCL, MPL-1.1, MPL-2.0,
GFDL-1.1-or-later, GFDL-1.2-or-later,
GFDL-1.3-no-invariants-or-later,
GFDL-1.3-no-invariants-only, Artistic-1.0,
Artistic-2.0, Apache-2.0,
Apache-2.0-with-LLVM-exception, Spencer-86,
MIT, MIT-CMU, MIT-advertising, Beerware,
Intel, X11, ISC, IPL-1.0, SSH-OpenSSH, SSH-short,
RSA-MD, OPL-1.0, PD

Licenses removed: Apache-1.0, Apache-1.1, Ruby, PHP-3.01,
W3C-20150513

Signed-off-by: Amr Mohamed <amr.mohamed@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-05-16 11:44:34 -04:00
Bence Balogh 679218cd84 arm-bsp/trusted-services: corstone1000: fix IAT test
The psa-iat-api-test was failing because the PLATFORM_HAS_ATTEST_PK
flag was added to the build for Corstone1000.

Signed-off-by: Bence Balogh <bence.balogh@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-05-16 11:44:27 -04:00
Ali Can Ozaslan 611909cd6d arm-bsp/trusted-firmware-m: corstone1000: fix crypto failure on mps3
Crypto-AEAD-APIs tests fails on mps3. Configures CC312 mps3 model
same as predefined cc312 FVP configuration while keeping debug
ports closed.

Signed-off-by: Ali Can Ozaslan <ali.oezaslan@arm.com>
Signed-off-by: Bence Balogh <bence.balogh@arm.com>
Signed-off-by: Emekcan Aras <emekcan.aras@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-05-16 11:44:27 -04:00
Emekcan Aras 7bae90d708 arm-bsp/trusted-firmware-a: corstone1000: fix reset sequence
Corstone1000 does not properly clean the cache and disable gic interrupts
before the reset. This causes a race condition especially in FVP after reset.
This adds proper sequence before resetting the platform.

Signed-off-by: Emekcan Aras <Emekcan.Aras@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-05-16 11:00:14 -04:00
Ben Cownley 8097a792db arm-systemready/linux-distros: Upgrade the openSUSE version to 15.5
openSUSE upgraded to 15.5
openSUSE Licenses updated to reflect update from 15.4 to 15.5
License now includes: Apache-1.1, BSL-1.0, IPL-1.0, Sleepycat, Zlib

Signed-off-by: Ben Cownley <ben.cownley@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-05-16 07:00:05 -04:00
Ross Burton 200786d3a8 arm/oeqa/runtime/fvp_boot: move pexpect import into test method
Move the pexpect import inside the test method so that on machines without
pexpect installed we can still parse the test cases, even if this one
won't be pass.

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-05-15 10:00:25 -04:00
Ross Burton f37a6b32ec arm-bsp/ssh-pregen-hostkeys: enable on virtual machines
As of oe-core b040597, the ssh-pregen-hostkeys recipe is limited to the
qemu* machines only, so that it can only be used in development or
emulation and not in production.

We have some virtual machines in meta-arm-bsp which don't match the
COMPATIBLE_MACHINE in the recipe but still benefit from this recipe, so
add a bbappend to enable it.

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-05-14 07:00:05 -04:00
Ross Burton a6a4952e8c arm/trusted-firmware-a: use correct git URL
As per the documentation[1] the correct git server to use is
review.trustedfirmware.org. We occasionally see failures connecting to
git.trustedfirmware.org so hopefully the documented URLs are more stable.

[1] https://trustedfirmware-a.readthedocs.io/en/latest/getting_started/prerequisites.html

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-05-13 12:00:05 -04:00
Jon Mason 6d6fa14744 arm/optee: update to 4.2.0
Update to the latest version of OP-TEE and move the 4.1 recipes still
being used to meta-arm-bsp

Changes in optee_client between f7e4ced15d1fefd073bbfc484fe0e1f74afe96c2 and 3eac340a781c00ccd61b151b0e9c22a8c6e9f9f0
3eac340a781c libteec: Move OP-TEE defined fields into an imp struct
7749688eb18d libteeacl: add pkgconfig file: teeacl.pc
07d2dfab2ecb libteec: pkgconfig: remove duplicate flags in teec.pc
6f992c52a8df libteec: pkgconfig: rename libteec.pc as teec.pc
cef6c7eca494 tee-supplicant: fix potential crash when TA isn't found
c5b3920f5808 libckteec: one shot encryption/decryption may have no input data
afbd31d9592e android: convert .mk files to .bp
bfe37714c20c libteec: drop benchmark framework support

Changes in optee_os between 18b424c23aa5a798dfe2e4d20b4bde3919dc4e99 and 12d7c4ee4642d2d761e39fbcf21a06fb77141dea
12d7c4ee4642 Update CHANGELOG for 4.2.0
fc57019cb35c plat-sam: add support for Microchip sama7g54-ek board
d10f2b2505b1 plat-sam: rename filename for sama5d2 functions to 'platform_sama5d2.c'
a557f87762b1 plat-sam: optimize the macro and makefile for building sama5d2 clocks
3b616eeadd7a drivers: atmel_wdt: update "#include" list of the header files
d8af06119772 drivers: atmel_wdt: remove the unused variable from "struct atmel_wdt"
ea9329ec8928 drivers: atmel_wdt: upgrade to support sama7g5 watchdog
a471cdecfb1c core: reset cancellation mask on TA exit
021a43d32b23 ci: add QEMUv7 job
46fdfeea761f vexpress-qemu_armv8a: increase CFG_CORE_HEAP_SIZE to 131072
bdde1c9927e8 drivers: stm32_i2c: protect bus access with a mutex
cbb0a9fc4309 drivers: firewall: stm32_rifsc: remove use of CFG_PM
cc707b8570d3 drivers: stm32_rng: remove use of CFG_PM
299f9bc19fce drivers: crypto: stm32_cryp: add pm to CRYP driver
14d68630950a drivers: crypto: stm32_cryp: add delay when resetting CRYP peripheral.
1d8b1184c370 drivers: crypto: stm32_cryp: remove reset binding requirements
a8cfcdf2387c ci.yml: add a make command to build HPRE code
9e25528294eb drivers: crypto: hisilicon: init HPRE hardware block
ee726ae9537e ci: remame WD to OPTEE_OS_TO_TEST
4f00b5beb8db ci: update QEMUv8 jobs to use newer Docker image
344ef8a4deda core: kernel: Fix typo in __do_panic()
c80790fe23c5 drivers: regulator: use mutex_pm_aware
9a3248fc031e drivers: clk: replace clock main spinlock with a mutex
3a20c6612811 core: kernel: mutex compliant with PM sequences
f6412fbd119a core: kernel: thread spin locking
19ad526cb139 core: spmc, sp: cleanup FF-A ID handling
4c4387dc246e core: riscv: Prepare SATP for each hart
fe9a26822286 core: riscv: Allocate root page table for each hart
6d7d9de348ec ci: qemuv8: add test case with CFG_WITH_PAGER=y
23f867d38149 core: arm64: increase STACK_ABT_SIZE from 1024 to 3072 when log level is 0
1cf7e98d072c core: replace REGISTER_TIME_SOURCE()
63bfec5e264b core: riscv: Apply SM-based boot flow for secondary harts
058cf7120c26 core: riscv: Do not restrict primary hart to hart ID 0 only
1706a2840a9a core: riscv: Change the condition of communication with untrusted domain
83abc78438b4 riscv: plat-virt: Set CFG_RISCV_WITH_M_MODE_SM as 'y'
a30b4486180b core: riscv: Add CFG_RISCV_WITH_M_MODE_SM and dependency checking
ea11f51262ac core: riscv: Apply mask/unmask exceptions when operating page table
d1d1ca2347e7 core: riscv: Apply STATUS helper for RPC resume
de45f2fb6384 core: riscv: Apply exception return to handle_user_mode_panic()
4fe3a3f7bf3c core: riscv: Refine thread trap handler
b5bb30b389ae core: riscv: Refine thread enter/exit user mode
09653bca94ae core: riscv: Apply exception return to resume thread
b2f99d2027f6 core: boot: fix memtag init sequence
5d2d37cd756d ta: pkcs11: Clarify context reference in step_symm_operation()
3844bc9816af core: introduce CFG_NOTIF_TEST_WD
82631bd42041 core: add CFG_CALLOUT
fc59f3d86e9f core: notif: assert callback is unpaged
c5b5aca0eaef core: callout: assert callback is unpaged
fd3f2d693456 core: add missing DECLARE_KEEP_PAGER()
7c9a7b0c779e plat-synquacer: use cpu_spin_lock_xsave() and friend
21773c96f4c2 core: arm: mm: use thread_unmask_exceptions() where applicable
54df46b5c06c core: arm: use cpu_spin_lock_xsave() in generic timer implementation
ad50321f47fd ta: remoteproc: allow remoteproc_load_fw re-entrance
47bcc886c285 core: notif_send_async(): remove debug print
1c3c4a5ffb52 core: tests: add a notification test watchdog
d378a547e848 plat-vexpress: qemu_armv8: define IT_SEC_PHY_TIMER
b008cf009961 plat-vexpress: initialize callout service
5b7afacfba96 core: arm64: implement timer_init_callout_service()
c41db53b5f25 core: define generic callout service initializer
cf707bd0d695 core: add callout service
2d8644ee993a core: arm64: add {read,write}_cntps_cval()
a355270852c7 drivers: clk: clk-stm32mp13: fix memory corruption on oscillator parent
622eef2d5511 plat-synquacer: add initialization value to local variables
b4d1c08a65d6 drivers: regulator: do not cache voltage level value
c4cdfb70e19b core: add __must_check attribute to cpu_spin_lock_xsave()
ccd64a523ab3 core: kernel: add timeout_elapsed_us()
fab37ad7dc71 core: kernel: factorize delay and timeout implementation
51b745fab86c core: riscv: force enable of CFG_CORE_HAS_GENERIC_TIMER
6b0ac81dbe5f core: kernel: describe udelay()/mdelay()
f5305d4dd98c plat-vexpress: disable PL011-specific code when CFG_SEMIHOSTING_CONSOLE=y
a9a3bf985e5d core: arm64: implement __do_semihosting() for Aarch64
31bb491f8e7c core: imx: enable TZC380 driver for all i.mx8m socs
d1c9f59a15c8 riscv: sbi_console: prefer SBI v2.0 DBCN ecall over legacy sbi_console_putchar()
76a2df57b630 riscv: sbi_console: remove unused sbi_console_flush()
db96d03011d3 riscv: sbi_console: remove global spinlock
4d36f99e02cb riscv: sbi_console: remove unneeded #ifdef CFG_RISCV_SBI_CONSOLE
2b31189c4c08 riscv: sbi_console: split FID 0 from SBI_EXT_0_1_CONSOLE_PUTCHAR
286e0fd9f01a riscv: sbi: minor cleanup for SBI HSM related definitions
d6a0fc9bb910 dts: at91: add device trees for sama7g54_ek
74fbd2732948 drivers: clk: sam: skip the NULL clocks when getting the clock by name
943d822aac00 drivers: clk: sam: add sama7g5 clock description
8bd542fcb2ae dts: sama5d2: add huk node for the NVMEM hardware unique key
6c6c4d9eb45d dts: sama5d2: add NVMEM die_id node
f673afe436c9 plat-sam: enable NVMEM unique hardware key and die id support
fc7169686724 drivers: nvmem: add nvmem-huk driver
31a85db883c5 drivers: nvmem: add nvmem-die-id driver
458ef4426c2d drivers: Implement semihosting based console driver for log
55ab8f06a831 core: Refactor console_init() and introduce plat_console_init()
6d716a4b4588 core: riscv: Add semihosting.S for semihosting instructions
7e2a10389c25 core: kernel: Add semihosting functions
f459d3c7d2e1 libutils: Import part of sys/fcntl.h
c6a18428f9e3 plat-sam: implement plat_get_freq() for sama7g5
eb3951bffd95 plat-sam: register additional sama7g5 clocks for SCMI usage
609ba8e3128d plat-sam: register sama7g5 clocks for SCMI usage
f8c1dacbeef9 drivers: clk: make API function description more consistent
821cb656cbb2 drivers: clk: get stm32mp13 PLL output clock duty cycle
1bc6d1bc0945 drivers: clk: set stm32mp13 clock flags
8baaac1ce3ac drivers: clk: pre-enable new parent on clock re-parent
8fbc005673cd drivers: clk: get linear rates description
20f97d9841ac drivers: clk: enable clock on rate change
0ba7ae74a1ff drivers: clk: change parent clock rate if needed
05771552b189 drivers: clk: Get duty cycle from parent clock
59db7f68c4d8 drivers: clk: Add clock duty cycle
0d98c255fb4d plat-stm32mp2: add pm support on stm32mp25
9a4ec17240c1 core: pm: add macro for PM_HINT_STATE access
b8514c1376b1 plat-sam: fix static shared memory address and size
58dbe3dff530 plat-mediatek: add support for MT7988 SoC
4318c69fa77d drivers: clk: sam: add PLL clock driver for sama7g5
9aab6fb2f263 drivers: clk: sam: update to support generic clock for sama7g5
5110b3e7ade5 drivers: clk: sam: update to support main system bus clock for sama7g5
40944c5ccf0b .gitignore: Ignore all dot files and folders except the standard ones
5b4a782ebccf .gitignore: Change entries to only ignore in the source root folder
7f124eb8587b core: arm: kernel: add runtime check for CE
f73f678ca5c6 core: arm: add helper functions for checking CE support
a0635f174d2f core: arm: add check in aarch32 for feat_crc32_implemented()
8a4a051b3a76 core: arm64: remove ID_AA64ISAR0_EL1 macros
443b5e0186c0 core: arm: rewrite feat_crc32_implemented()
f9aaf11e8928 core: arm64: add masks for ID_AA64ISAR0_EL1 fields
85c99f3965f6 core: arm: add masks for ID_ISAR5_EL1 fields
4078bcde942c core: virt, ffa: keep guest partition until resources are reclaimed
3e0b361ef4fd core: ffa: store shm_bits in partition for SPMC at S-EL1
070d197fa568 core: ffa: add SPMC_CORE_SEL1_MAX_SHM_COUNT
05c6a7631891 core: thread_spmc.c: add set_simple_ret_val()
27acbe2b64fc ci: add RISC-V build (rv64, PLATFORM=virt)
2825530b3637 mk/lib.mk: add library to link line only when it does contain objects
339a78c2743f libunw: riscv: simplify architecture test
9fed4516d1f0 libunw: arm: unwind_arm32.c should be compiled only for Arm
209c34dc0356 ldelf: riscv: e64_relocate(): tag sym_idx as __maybe_unused
31bcbe52258e riscv: set default cross-compilers
6c2d2e8a2300 core: gic: wait for writes to propagate
9e935234082a core: gic: support to configure PPI interrupts
49d0c90dd69a core: call init_multi_core_panic_handler() earlier
d5dc9152c8ef core: riscv: Fix PTE creation when freeing PTE
e6a66e30cd41 core: riscv: Rename mattr_to_perms() to mattr_to_pte_bits()
da1a293e65b5 drivers: clk: clk-stm32mp13: round up VCO to the nearest frequency
95f2142bf848 drivers: clk: clk-stm32mp13: don't gate/ungate oscillators not wired
e84c299885a7 drivers: clk: clk-stm32mp13: add ADC and SPI clocks
571857c05c40 ta: pkcs11: factorize second operation handle
63778faac4b7 ta: pkcs11: implement AES GCM operations
5fee6cc9826f ta: pkcs11: pkcs11_ta.h: define PKCS11_CKM_AES_GCM
a2c1c8e408d3 core: mmu: add MEM_AREA_ROM_SEC in check_mem_map()
3b3dff5f5652 MAINTAINERS: update NXP i.MX platforms and Crypto Driver Interface
35a9139e779f drivers: caam: add CAAM key support for DH
8993bfd8dbab drivers: caam: add CAAM key support for ECC
014494479f9d drivers: caam: add CAAM key support for DSA
ccbcceeb73c1 drivers: caam: add CAAM key support for RSA
1495f6c4a82a drivers: caam: add CAAM key driver
9d38cd9151e9 drivers: caam: fix DSA_DUMPDESC macro
a5b52f5092a0 drivers: caam: add missing header
2d53e979f05a drivers: caam: add class field to FIFO_ST macro
f8388fdc2f3e core: move CFG_CORE_BIGNUM_MAX_BITS default definition
9e35f116f9bd dts: stm32: add RIFSC compatible to RIFSC node in stm32mp251.dtsi
d6a8ef58da15 dts: stm32: Add RIFSC configuration support for stm32mp257f-ev1
82e290753e45 plat-stm32mp2: conf: enable RIFSC driver
196cb5a09923 dt-bindings: add RIFSC to default bindings config for STM32MP25
066c3a39a4ac dt-bindings: add RIFSC bindings
cd187630b280 drivers: add stm32 RIFSC support
203147e2b737 plat-stm32mp2: conf: support RIF driver
0179d5f8d520 dt-bindings: add RIF to default bindings config for stm32mp25
e1767b3b5dc4 dt-bindings: firewall: add RIF bindings
1506f47af917 drivers: firewall: add stm32_rif driver for common RIF features
98d105a565ce core: io: fix IO_READ32_POLL_TIMEOUT() when delay is 0us
cf2c8f0959af libutils: Implement speculation barrier for RISC-V
407023cade6b plat-stm32mp1: default enable SAES software fallback
03de2c7bb316 drivers: crypto: stm32_saes: fallback to software on 192bit AES keys
99205375555b drivers: crypto: stm32: cleanup cipher operation structure
496497dc1a00 drivers: crypto: stm32: move context allocation/free functions
061e13f64e84 drivers: crypto: stm32: clean function references
57ad00904006 plat-hikey: Replace register_dynamic_shm() with register_ddr()
eee73fd09042 plat-hikey: make DRAM1_BASE configurable
4c2665755e26 drivers: clk: sam: update to support slow clock for sama7g5
afb609395def drivers: clk: sam: add PMC definitions for sama7g5
29f0ec7152e4 drivers: clk: sam: add UTMI clocks for sama7g5 USB PHY
417a10d1fa23 drivers: clk: sam: update UTMI clock for sama7g5
09c44b0d8b97 driver: crypto: hisilicon: fix error handling
4199b52fe3b8 core: notif_register_driver() assert ndrv is nexus memory
7037ff8aaede core: move _time_source into __nex_bss
dcad180014e0 core: add nex_*init-calls
3d52f27cdb77 core: move multi_core_panic_handler into __nex_data
ba4f5940f45a core: add is_nexus() and refactor is_unpaged()
897aaf117e39 ta: pkcs11: fix build warning on unused arguments
d99b271aed2f drivers: se050: fix default configuration for the SE applet
974529332ded core: kernel: fix typo in huk_subkey.h inline comment
a7400fcded79 core: arm: fix lock in virt_add_cookie_to_current_guest()
89853006a609 core: crypto: fix crypto_asym_get_ecc_keypair_ops() stub
fa1950059f41 ci: qemuv8: preventively avoid "no space left on device" errors
ad194957b670 core: pta: widevine: Add the init implementation
64086346d6bc core: dts: lx2160a: add memory region
439c5ecbb68b core: arm: fix integer overflow in generic_timer_{handler,start}()
c847c2c9c62f ci: update actions/checkout@v3 to v4
c83a542f3734 drivers: crypto: stm32: fix SAES key selection
b8f45155eac7 ci: xen: fix "no space left in device" error"
b066e82535aa plat-vexpress: use serial callbacks rx_intr_{en,dis}able()
6d9ff02ee1f3 core: pl011: implement rx_intr_{enable,disable}() callbacks
e934bfa424d2 core: serial: add rx_intr_{enable,disable}() callbacks
fcabe15c7783 core: crypto: fix internal AES-GCM counter implementation
b4d33ca3ff42 core: ltc: add missing string_ext.h include
64a52f9dc228 drivers: clk: fix indentation in stm32mp13 clock driver
f4dba32508be drivers: clk: fix some stm32mp13 clock controls
a32213b8169c drivers: clk: fix stm32mp13 RNG1 parent clock
d615a7e62095 drivers: regulator: list voltages controlled by a GPIO
bbc33e2ad79c core: ls: correct CFG_CORE_ARM64_PA_BITS for LX2160A-RDB/QDS
5a982d0e96be core: dt: provide stubbed dt_getprop_as_number()
55cd94d198a5 core: ffa: add notifications with SPMC at S-EL2 or EL3
4965507859bb core: hfic: fix HF_INTERRUPT HVC calls
e37b526d7289 core: move hafnium.h into hfic.c
6959d59f0966 core: ffa: exit with native interrupts unmasked
55a80fa9b542 core: arm64.h: add DAIFBIT_{NATIVE,FOREIGN}_INTR
012cdca49db3 plat-k3: drivers: sec_proxy: increment while reading trail bytes
cb30e9d11a16 plat-stm32mp2: default enable embedded test
14c31b4fae40 plat-stm32mp2: allow up to 8GB of external RAM
774dc8aa526b ci: do not add $HOME/.cargo/bin to $PATH
d557d174c2d6 drivers: atmel_rstc: add the function to control sama7g5's USB reset
024af21c74ff drivers: atmel_tcb: update to compatible with sama7g5
7a6bbd59ef0b drivers: atmel_pio: update to compatible with sama7g5
f527a3b76ed8 drivers: atmel_shdwc: update to compatible with sama7g5
e5dba60318b1 driver: crypto: hisilicon: update qm init configs
851d05e65f9c core: riscv: Add .sbss and .sdata sections to linker script
e07f9212d5ad plat-stm32mp1: shared_resource: disable MCKPROT if not needed
6f3fc05370ef drivers: caam: sm2 operation fallback
963a90d842b5 drivers: caam: add caam_hal_rng_pr_enabled() for 8QX, 8DX platforms
54d90e3f0b47 plat-stm32mp2: conf: default enable RNG and RNG PTA
b82b7e73f63e drivers: stm32_rng: print RNG version at driver probe time
aa12f203f239 drivers: stm32_rng: put max noise freq in compatible data
5959d83f6f58 drivers: stm32_rng: move RNG configuration to compat data
45da6509d925 drivers: stm32_rng: add stm32mp25 support
59fea6838b20 core: pta: drop benchmark
a6f60e0f08a7 arm: plat: rcar: gen4: adjust memory map
e7dd9fbb056e arm: virtualization: don't allow hypervisor to issue std calls
6370f75d6fcc drivers: sam: use header file "platform_config.h" instead of "sama5d2.h"
fd286f75cf55 drivers: atmel_rtc: update to compatible with sama7g5
379dc2ae943d drivers: atmel_rstc: update to compatible with sama7g5
cc105e35cbdc drivers: atmel_trng: update to compatible with sama7g5
4b17205bb971 drivers: atmel_piobu: update compatible with sama7g5
c37489baeb29 core: msg_param: remove recursion in included headers
4584d00c9f44 ldelf: check val for NULL dereference
239fae350391 core: tee: initialize dirfile|tadb_entry objects
a2431e9f66cb ta: pkcs11: check returned value of mbedtls_pk_rsa()
fa21a1fb4c6c core: check if string to uuid conversion succeed
2cc2a44c9fce core: check if binary to bignum conversion succeed
8f3afe0e6e8f core: mmu: assert pointer to manifest device tree
a039ffc675d3 core: kernel: dt: check return values from snprintf()
b51aaa628c7c core: arm: fix dead code when ARM32 is not defined
e33c3ff5e9f0 core: kernel: check device tree property pointer
49286073c91e ldelf: remove unnecessary includes
4bc2a199d122 ta: remove unnecessary includes
5ca2c36555d1 core: remove unnecessary includes
34d6dc2ba938 plat-vexpress: remove unnecessary includes
c344db981197 riscv: mm: Set A/D bits of PTE(page table entry) by default
472c70be1569 core: riscv: Rename thread_return_to_ree() to thread_return_to_udomain()
655625e01f36 core: ffa: Read FF-A version from the SP manifest
602ff4f69104 pta: scmi: remove noisy info level message on message process
3f7122d9c558 drivers: scmi_msg: fix size_t trace format
37fbce01492d drivers: stm32_i2c: fix header file inclusion order
5395fe8961bc drivers: i2c: add missing __unused in stubbed function
8a6ca1480ddc core: arm: get DDR range from embedded DTB
c425380f2021 driver: i2c: stm32_i2c: fix call to stm32_i2c_init()
2b9d76616422 drivers: stm32_i2c: apply pinctrl config at init
87aead6ffab3 drivers: stm32_i2c: analog filter config cannot fail

Changes in optee_test between 2e1e7a9c9d659585566a75fc8802f4758c42bcb2 and 526d5bac1b65f907f67c05cd07beca72fbab88dd
526d5bac1b65 gp: update API files to use the imp field in TEEC_Session
a79e6ee457b6 regression_1025: use the imp field in TEEC_Context
dda3212f244f xtest: add SM4 perf test
3feb4fbbb19d ta: os_test: Unmask cancellation from invoke command handler
a641f180d847 xtest: pkcs11_1030: Test AES GCM processing
ea18800d10ce xtest: pkcs11_1006: Test AES GCM mode flag
96f6dd7db7b9 xtest: pkcs11_1005: Test AES GCM support flag
ac200fe2ae40 xtest: asym_perf: fix indentation issues
79ba734b5ff5 ta: crypto_perf: correct coding style issue in symm tests
babafcabdc2b ta: crypto_perf: fix coding style issues in asymm tests
bad11a957a6d ta: crypto_perf: fix build error on type mismatch
cb5136a47bb3 ta: crypto_perf: fix build warning on unused resources
967368b3c7bf regression_4000: check if the generated DH private key is a CAAM black key
4b4caf762cc2 ci: avoid "No space left on device" error
bcd55831e1f7 xtest: add asymmetric cipher perf test
14a2b2ac3db4 ta: crypto_perf: add asymmetric crypto perf tests
99d5c298ff03 xtest: pkcs11_1001: Test CK_UNAVAILABLE_INFORMATION output value
9d566212b3ce regression 4005: Add GCM counter overflow test vectors

Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-05-07 13:48:05 -04:00
Jon Mason ac517cbaa3 CI: increase bitbake server timeout
On some CI systems, the bitbake server is timing out at 1 mins.
Increase to 5 mins, which hopefully should give enough time without
letting it run forever.

Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-05-07 13:48:05 -04:00
Jon Mason c366c322a7 arm-bsp: remove unused recipes
No references can be found for these recipes in meta-arm-bsp, so
removing them.

Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-05-07 13:48:05 -04:00
Jon Mason 6db139e1fd arm-bsp: remove support for n1sdp
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-05-07 13:48:05 -04:00
Jon Mason e623cc3b0d arm/gn: update to latest commit
Update to the latest gn commit and remove unnecessary patches and build
parameters

Changes in gn between 4bd1a77e67958fb7f6739bd4542641646f264e5d and f284b6b47039a2d7edfcbfc51f52664f82b5a789
f284b6b47039 [src] Add "#include <limits>" in the //src/base/files/file_enumerator_win.cc
155c53952ec2 Get updates to infra/recipes.py from upstream
d823fd85da3f Revert "Teach gn to handle systems with > 64 processors"
f07499aebcf5 [apple] Rename the code-signing properties of create_bundle
415b3b19e094 Fix a typo in "gn help refs" output
93ee9b91423c Revert "[bundle] Use "phony" builtin tool for create_bundle targets"
cfddfffb7913 [bundle] Use "phony" builtin tool for create_bundle targets
06cdcc8e1fa8 [ios] Simplify handling of assets catalog
22581fb46c0c [swift] List all outputs as deps of "source_set" stamp file
59c4bb920542 [swift] Update `gn check ...` to consider the generated header
dd0927eb34bb [swift] Set `restat = 1` to swift build rules
88e8054aff7b Fix build with gcc12
e05c0aa00938 [label_matches] Add new functions label_matches(), filter_labels_include() and filter_labels_exclude()
f19d5817e7ba [swift] Remove problematic use of "stamp" tool
6253a39dbc43 Implement new --ninja-outputs-file option.
5787e994aa4c Add NinjaOutputsWriter class
03d10f1657b4 Move InvokePython() function to its own source file.
0cdb7dd27f5c zos: build with -DZOSLIB_OVERRIDE_CLIB to override creat
d4f94f9a6c25 Enable C++ runtime assertions in debug mode.
0a2b8eac80f1 Fix regression in MakeRelativePath()
8b973aa51d02 fix: Fix Windows MakeRelativePath.
a3dcd7a7ad86 Add long path support for windows
a2e2717ea670 Ensure read_file() files are considered by "gn analyze"
fc722252439e apply 2to3 to for some Python scripts
5110a7f03e86 Add rustflags to desc and help output
f99e015ac35f strings: support case insensitive check only in StartsWith/EndsWith
b5adfe5f574d add .git-blame-ignore-revs
d6085ac6a95b use std::{string,string_view}::{starts_with,ends_with}
8bd36a27c076 apply clang-format to all C++ sources
5d76868385b8 add forward declaration in rust_values.h
b8562a4abd95 Add `root_patterns` list to build configuration.
5fd939de8a66 Use c++20 in GN build
d4be45bb28fb update windows sdk to 2024-01-11
71305b07d708 update windows sdk
85944ebc24a9 Add linux-riscv64.
7367b0df0a0a Update OWNERS list.
92e63272dc04 remove unused function
c7b223bfb225 Ignore build warning -Werror=redundant-move
bc5744174d9e Fix --as=buildfile `gn desc deps` output.
9a45b6123831 Update recipe engine to 9dea1246.
85bd0a62938b treewide: Fix spelling mistakes
e4702d740906 Optimize base::EscapeJSONString for ASCII inputs.
5d8727f3fbf4 [docs]: Mention implicit names in style guide
182a6eb05d15 Use magenta for warnings
991530ce394e Avoid unnecessary "Regenerating ninja files" step after running "gn gen"
c1fc04434c8e Fix variable use tracking for scope subscript accesses.
cc56a0f98bb3 [infra] Link to jemalloc instead of rpmalloc
811d332bd905 Move WriteSourceSetStamp to NinjaCBinaryTargetWriter
3fccef9033b9 [action][data deps] Make data-deps order-only deps of the action outputs
62ac86a938c3 [action] Add test for data_deps of an action target
1029a3b50873 Ninja: Always pass linker flags to rlib-generating command.
fae280eabe5d [serenity] Add SerenityOS port
11e12b0ef870 Remove obsolete comment
1de45d1a11cc Generate a StaticLibrary for rlibs and DynamicLibrary for proc macros
2a92efd396d3 Include library search paths when compiling rlibs
da5fe01bce4a Avoid unused and incorrect linker args in {{rustdeps}}

Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-05-07 13:48:05 -04:00
Jon Mason 4ddf285c55 README: add backporting process information
Add entry for how to get patches backported.  Also, do some syntax
cleanups to make the README visualize better.

Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-05-03 14:00:04 -04:00
Jon Mason 1cd6c26bcf arm/trusted-firmware-a: add comment about location of deps
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-05-03 14:00:04 -04:00
Ross Burton c9c93da0dd arm/boot-wrapper-aarch64: use https to fetch git source
Some networks limit outgoing git: traffic, so use https:.

Fixes: 0cec3e5 ("arm/gem5/boot-wrapper-aarch64: Move main recipe to meta-arm")
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-05-03 10:00:06 -04:00
Mathieu Poirier e043bc4884 arm/trusted-firmware-rmm: Add bitbake, include and patch file for RMM
Initial checking providing support for RMM on QEMU's "virt" machine.

Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-05-02 11:57:43 -04:00
Emekcan Aras 8aa8a1f17f kas: corstone1000: include TS and PSA dependency for firmware image build
Includes TS and PSA dependency for firmware image build.

Signed-off-by: Emekcan Aras <emekcan.aras@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-05-02 06:00:05 -04:00
Jon Mason 3574ae46d7 arm/trusted-firmware-a: update to lts-2.10.4
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-05-01 09:00:21 -04:00
Jon Mason 7889ce0206 arm/fvp-base-a-aem: disable version checking
Recent changes to the FVP Base homepage have caused it to no longer be
searchable with the current Yocto tooling.  Disable it to prevent issues
with `devtool check-upgrade-status`.

Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-05-01 09:00:14 -04:00
Jon Mason f9025699f7 arm/fvp-corstone1000: tweak the versioning
Modify the versioning to get it to play nice with `devtool check-upgrade-status`

Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-05-01 09:00:14 -04:00
Jon Mason 950e191d7b arm/boot-wrapper-aarch64: add to fvp-base CI
Add boot-wrapper-aarch64 to fvp-base CI so that it can be
covered by CI and added to the update-report

Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-05-01 09:00:14 -04:00
Jon Mason 54b5c5d1da arm/edk2-basetools: add UPSTREAM_CHECK logic
Currently, 'devtool check-upgrade-status' returns UNKNOWN_BROKEN.  Add
regex to return the correct value.

Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-05-01 09:00:14 -04:00
Abdellatif El Khlifi 53b3781a59 arm-bsp/corstone1000-recovery-image: replace core-image-minimal
Add corstone1000-recovery-image image based on core-image-minimal
while disabling the testimage task which is irrelevant in case of
an initramfs bundle.

Signed-off-by: Abdellatif El Khlifi <abdellatif.elkhlifi@arm.com>
Signed-off-by: Bence Balogh <bence.balogh@arm.com>
Signed-off-by: Ross Burton <ross.burton@arm.com>
2024-05-01 09:51:03 +00:00
Bence Balogh db28829ff8 arm/trusted-services: remove OpenAMP and Libmetal
Corstone-1000 no longer uses OpenAMP, and it was the only platform
which needed this library.

Signed-off-by: Bence Balogh <bence.balogh@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-04-30 13:00:22 -04:00
Bence Balogh 1d122b18f2 arm-bsp/trusted-firmware-m: remove OpenAMP and Libmetal
Corstone-1000 no longer uses OpenAMP, and it was the only platform
which needed this library.

Signed-off-by: Bence Balogh <bence.balogh@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-04-30 13:00:22 -04:00
Bence Balogh 013dded5a4 arm-bsp/doc: corstone1000: update A+M communication
The OpenAMP is replaced by the RSE Communication Protocol and
the documentation had to by updated to reflect this change.

Signed-off-by: Bence Balogh <bence.balogh@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-04-30 13:00:22 -04:00
Drew Reed 0e3fc3d87b ci: Add Corstone-1000 to the SystemReady ACS build
Added the Corstone-1000 FVP platform to the ACS test build as well as
adding the arm-systemready-firmware variant to the Corstone-1000 FVP
build.

Signed-off-by: Drew Reed <Drew.Reed@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-04-30 13:00:07 -04:00
Drew Reed 3b97565103 arm-bsp/corstone1000: Update Corstone-1000 user guide
Update the Corstone-1000 user guide with the new instructions on how to
build/use an ESP image and how to use the meta-arm-systemready layer to
run the ACS tests.

Signed-off-by: Drew Reed <Drew.Reed@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-04-30 13:00:07 -04:00
Drew Reed eed6bc24d1 arm-bsp: corstone1000: Make ESP partition available to Corstone-1000
The SystemReady IR ACS test suite require that there is a valid ESP
partition available to the system.  This change creates a new image that
only contains a ESP partition and ensures it's mounted on the second MMC
card so it's available when the SystemReady tests run.
The diagnostic level of the 2 MMC cards have also been lowered to
improve the ACS test duration.
Corrected a spelling mistake in the corstone1000-flash-firmware-image.bb
file.

Signed-off-by: Drew Reed <Drew.Reed@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-04-30 13:00:07 -04:00
Drew Reed 1fd614e545 arm-bsp: corstone1000: Configure Corstone-1000 to use the meta-arm-systemready layer
Added the missing meta-arm-systemready required variable to enable its
use with the corstone1000-fvp machine.  Also explicitly set all the
consoles.

Signed-off-by: Drew Reed <Drew.Reed@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-04-30 13:00:07 -04:00
Drew Reed 67f9756fa0 arm: Handle nodistro in firmware deployment
The nodistro settings in poky set the TMPDIR variable to include the
TCLIBC value so we need to spot that and swap the TCLIBC for the musl
one used in the firmware multiconfig.

Signed-off-by: Drew Reed <Drew.Reed@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-04-30 13:00:07 -04:00
Drew Reed 97e0c91f79 arm-systemready: Fix regex in arm-systemready-ir-acs recipe
The regex used to validate compatible machines is incorrect as it's only
checking the machine name starts with "fvp" not "fvp-" as intended.
It's also been modified to allow FVPs called xxx-fvp to be compatible
with Corstone-1000.

Signed-off-by: Drew Reed <Drew.Reed@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-04-30 13:00:07 -04:00
Emekcan Aras e20aac1b6b arm-bsp/trusted-firmware-a: corstone1000: Remove unused NS_SHARED_RAM region
After enabling additional features in Trusted Services, the size of BL32
image (OP-TEE + Trusted Services SPs) is larger now. To create more space
in secure RAM for BL32 image, this patch removes NS_SHARED_RAM region which
is not currently used by corstone1000 platform.

Signed-off-by: Emekcan Aras <emekcan.aras@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-04-30 12:00:19 -04:00
Harsimran Singh Tungal 25eec5ced2 arm-bsp/u-boot: corstone1000: Enable UEFI secure boot
This change enables the UEFI secure boot and its related configurations
for corstone1000

Signed-off-by: Harsimran Singh Tungal <harsimransingh.tungal@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-04-30 12:00:19 -04:00
Harsimran Singh Tungal 12711d5734 arm-bsp: corstone1000: Enable SMM gateway authenticated variables
This change enables the SMM gateway authenticated variables feature
implementation for Corstone1000

Signed-off-by: Harsimran Singh Tungal <harsimransingh.tungal@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-04-30 12:00:19 -04:00
Bence Balogh 5d9e53af10 arm-bsp/corstone1000-flash-firmware-image: fix capsule dependency issue
Signed-off-by: Bence Balogh <bence.balogh@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-04-30 12:00:07 -04:00
Bence Balogh aeade01bb7 arm-bsp/documentation: corstone1000: update capsule generation steps
The .nopt and capsule are generated during the yocto build. Sync the
documentation with the changes.

Signed-off-by: Bence Balogh <bence.balogh@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-04-30 12:00:07 -04:00
Bence Balogh b5b7b8e523 arm/uefi_capsule: use U-Boot for capsule generation
Currently, only the Corstone-1000 platform uses the capsule generation
class. Corstone-1000 uses U-Boot instead of EDK2. With this change,
the dependency on EDK2 was removed.

Signed-off-by: Bence Balogh <bence.balogh@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-04-30 12:00:07 -04:00
Bence Balogh 3b74bb36fd arm-bsp/corstone1000-flash-firmware-image: add nopt generation
The .nopt image is used during the UEFI Update Capsule generation.
This .nopt image was generated manually when it was needed.

Signed-off-by: Bence Balogh <bence.balogh@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-04-30 12:00:07 -04:00
Mikko Rapeli c43f173276 ci/qemuarm-secureboot.yml: install optee and test both optee and ftpm
optee-os test xtest needs additional test trusted applications (TA) from
optee-os-ta package to pass. Execution time for ftpm test is around 21
seconds and 596 seconds for optee-test/xtest on an x86_64 build machine.

Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-04-30 09:00:08 -04:00
Mikko Rapeli 70e7f64af6 ci/qemuarm64-secureboot.yml: install optee and test both optee and ftpm
optee-os test xtest needs additional test trusted applications (TA) from
optee-os-ta package to pass. Execution time for ftpm test is around 18
seconds and 430 seconds for optee-test/xtest on an x86_64 build machine.

Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-04-30 09:00:08 -04:00
Mikko Rapeli ba315f7242 oeqa runtime: add ftpm.py test
Test checks that ftpm kernel driver interfaces are available.
If fTPM optee TA is missing or crashes, the kernel driver does not
show the interfaces. A more functional tests would be to use tpm2-tools
from meta-security/meta-tpm but those require additional layer
dependencies which are maybe too much for now. tpm2-tools also depend
on starting tpm2-abrmd before the tools work. The ftpm kernel driver
depends on fully running tee-supplicant in userspace and the optee
side ftpm TA which takes some time. When manually running the tests
some of them failed since ftpm was not yet initialized. The boot
was not complete in those cases so added a workaround for that.
Better would be for all of the tests to start only once boot is
complete, not when ssh is available. Also, the qemuarm64-secureboot
machine includes optee and ftpm TA but does u-boot is not configured
to use the TPM device so boot is not measured.

Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-04-30 09:00:08 -04:00
Mikko Rapeli d450786667 oeqa runtime: add optee.py test
The test runs xtest test suite from optee-tests package.

Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-04-30 09:00:08 -04:00
Mikko Rapeli 1dad884ac0 optee-os: inrease heap size with fTPM
If firmware TPM TA is compiled into optee, it needs a bit more
heap to pass optee-test/xtest suite.

Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-04-30 09:00:08 -04:00
Mikko Rapeli 0923cc8a20 trusted-firmware-a: continue if TPM device is missing
All other firmware boot components also continue booting
if TPM is not found. It is up to subsequent SW components
to e.g. fail if rootfs can't be decrypted. Enables policies
like fall back to unencrypted rootfs if TPM device is
not found with qemu and swtpm.

Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-04-30 09:00:08 -04:00
Ross Burton 8399d913a9 CI: build arm-systemready distro images
There are two recipes in meta-arm-systemready that download ISOs for
testing purposes.  Build them in CI to verify that the fetch is
successful.

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-04-30 09:00:04 -04:00
Ross Burton d89d05d9aa arm-systemready/arm-systemready-linux-distros: disable buildhistory
These recipes look like images but are not constructed the same way,
specifically there is no WORKDIR/rootfs/ directory. If buildhistory is
enabled this will cause it to abort, so disable image data collection in
buildhistory.

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-04-30 09:00:04 -04:00
Ross Burton 9649cdcf77 CI: disable ptest in external-gccarm builds
We recently switched the CI to not disable ptest, but this breaks builds
that use the GCC binaries built by Arm (external-arm-toolchain). This is
because the external-arm-toolchain recipe can't build packages for the
target, and the standard oe-core gcc recipes assume that they're being
built with themselves and make assumptions, specifically that libunwind
was enabled and headers can be copied directly from the sysroot.

This is a bigger problem that should be solved somehow, but for now we
can just remove ptest in the external-gccarm CI jobs which removes gcc
from the builds (it comes in via elfutils-ptest RDEPENDS).

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-04-29 17:00:18 -04:00
Ross Burton e89cd1fe41 CI: remove 32-bit time_t workaround
This is now in the recipe itself, so remove it from CI.

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-04-29 17:00:18 -04:00
Ross Burton b6a47cd180 external-arm-toolchain: ignore warnings about 32-bit time types
Functions that take 32-bit time_t types are unavoidable in the libc, so
ignore the warnings.

Signed-off-by: Ross Burton <ross.burton@arm.com>
Reviewed-by: Denys Dmytriyenko <denis@denix.org>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-04-29 17:00:18 -04:00
Ross Burton fef5eafc08 CI: temporarily backport the procps fix
This patch will be merged upstream soon, apply it locally to unblock CI.

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-04-29 17:00:18 -04:00
Ross Burton 68fe673cc9 CI: add Kas schema comments
Add YAML language server comments so that IDEs know what schema to use
for the Kas files.

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-04-29 17:00:18 -04:00
Bence Balogh f63c043ba7 arm-bsp/trusted-firmware-m: replace OpenAMP with RSE Comms
Signed-off-by: Bence Balogh <bence.balogh@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-04-29 17:00:11 -04:00
Bence Balogh db2284fc01 arm-bsp/trusted-services: rebase corstone1000 patches
Signed-off-by: Bence Balogh <bence.balogh@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-04-29 17:00:11 -04:00
Gyorgy Szing 798c0a8257 arm/trusted-services: fix oeqa script
trusted_services.py:test_15_crypto_service runs ts-service test with
an incorrect argument list. The -g argument does not accept two group
names. This resulted in a silent failure.
Fix this by relying the pattern matching capability of the argument.

Additionaly remove references to OP-TEE from test messages as TS tests
are SPMC agonistic.

Signed-off-by: Gyorgy Szing <gyorgy.szing@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-04-29 17:00:11 -04:00
Gyorgy Szing 2d46f21731 arm/trusted-services: update to 2024 April 19
Update TS and dependencies to latest version of the integration branch.
Remove patches merged upstream.

Signed-off-by: Gyorgy Szing <Gyorgy.Szing@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-04-29 17:00:11 -04:00
Gyorgy Szing fa05df1611 Add support for the TS Firmware Update service
Add a recipe to enable building and deploying the FWU service
implemented in the Trusted Services Project. The FWU service can
help vendors to meet PSA certification requirements.

Signed-off-by: Gyorgy Szing <gyorgy.szing@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-04-29 17:00:11 -04:00
Jon Mason b972dabc1b CI: use scarthgap branch for meta-clang
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-04-29 17:00:11 -04:00
Ross Burton 0f955984ec arm-bsp/u-boot: add optimised timer implementation for fvp-base
Due to how the timer in u-boot is implemented, it's quite possible for
a two second timeout in the u-boot login to actually take over 15s to
expire.

Take a patch from the mailing list to implement this differently so the
timer runs in an accurate amount of time.

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-04-29 17:00:11 -04:00
Abdellatif El Khlifi 31de2fada2 arm-bsp/linux-yocto: corstone1000: add external system control support
add support for the remoteproc control feature for the external system

With this feature we can switch on/off the external system on demand:

echo stop > /sys/class/remoteproc/remoteproc0/state
echo start > /sys/class/remoteproc/remoteproc0/state

During Linux boot the remoteproc subsystem automatically start
the external system. The user can use the commands above to
stop then start the remote core.

Signed-off-by: Abdellatif El Khlifi <abdellatif.elkhlifi@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-04-29 17:00:11 -04:00
Abdellatif El Khlifi 41a848cc93 arm-bsp/u-boot: corstone1000: add external system DTS node
describe the external system as a remoteproc node in the device tree

Signed-off-by: Abdellatif El Khlifi <abdellatif.elkhlifi@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-04-29 17:00:11 -04:00
Abdellatif El Khlifi 26d48f7322 arm-bsp/external-system: costone1000: install the firmware in the filesystem
install the external system binaries under /lib/firmware

The kernel's remoteproc subsystem expects the firmware file to be under /lib/firmware

Signed-off-by: Abdellatif El Khlifi <abdellatif.elkhlifi@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-04-29 17:00:10 -04:00
Ross Burton 0bc288f0f2 CI: show the evaluated KASFILES
When trying to replicate a build locally, having the exact list of Kas
files that was used is very useful.

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-04-29 17:00:10 -04:00
Jon Mason 6e9525115b CI: add Yocto Project SSTATE Mirror
Add the Yocto Project public SSTATE mirror to its own unique yml file.
This allows for developers to use this to speed up builds, while not
adding in the default case.  This "off by default" is because it can add
10s of minutes to each build, which might not be beneficial to those who
are using SSTATE dir locally.

Also, removing the removal ptest distro feature, as this change prevents
an optimal usage of the YP SSTATE mirror (~30% match to ~90% match for
qemuarm64).

Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-04-23 14:08:41 -04:00
Ross Burton 0fabb8c3dd CI: sort jobs alphabetically
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-04-23 14:08:31 -04:00
Ross Burton 10e23fe1df arm: remove generic-arm64 and qemu-generic-arm64
These BSPs are now obsolete.

Users of generic-arm64 should use genericarm64 from meta-yocto-bsp.

Users of qemu-generic-arm64 should use sbsa-ref from meta-arm-bsp.

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-04-23 14:08:19 -04:00
Ross Burton a86f62f144 arm-bsp: add new sbsa-ref machine
This is mostly based on the existing qemu-generic-arm64 machine, but by
not being based on the genericarm64 and instead being specifically a
machine to run on the qemu sbsa-ref machine we get to tune differently.

Specifically, this configures sbsa-ref to be a Neoverse N2 (v9), and the
tune is set to match.  Another notable difference to qemu-generic-arm64
is that the kernel configuration is at present defconfig.  We may wish
to change this in the future to be the same fragmented configuration as
genericarm64.

We have to ignore two testimage parselogs failures: one from NUMA which
will be fixed in a future EDK2 release, and one from efifb where we
should be using the bochsdrm driver instead (further investigation is
needed)

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-04-23 14:07:56 -04:00
Ross Burton 9c6330a0b1 CI: add genericarm64
Add the new genericarm64 in meta-yocto-bsp to the CI.

This new BSP is heavily based on the meta-arm generic-arm64 machine, but
with an all-new fragmented kernel configuration.

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-04-23 14:04:25 -04:00
Ross Burton 77ebe8b8cc ci/testimage: don't :append to IMAGE_FEATURES
Some BSPs use a proper initramfs and putting a SSH server into them
via this :append isn't ideal.  Adding using += should be sufficient.

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-04-23 14:04:13 -04:00
Ross Burton 196caca51b arm-bsp/linux-yocto-rt: include linux-arm-platforms unconditionally
Every platform should have the chance to try the -rt patches.

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-04-23 14:04:13 -04:00
Ross Burton 11b8298439 arm/classes/wic_nopt: remove unused class
This class is no longer used by any machines, so remove it.

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-04-23 14:04:13 -04:00
Bence Balogh a1b5347b39 arm-bsp/trusted-services:cs1000: fix deployments
- The Secure Enclave Proxy Secure Partition fails at psa_call()
because wrong parameter was passed.
- The SMM Gateway initialization failed because a malloc()
returned a NULL pointer. The SMM_GATEWAY_MAX_UEFI_VARIABLES
had to be decreased to avoid this.
- Increase shared memory buffer size and add buildtime check
- Use __packed for the variable_metadata struct

Signed-off-by: Bence Balogh <bence.balogh@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-04-23 14:01:59 -04:00
Gyorgy Szing 75d6fc1916 arm-bsp/trusted-services: rebase corstone1000 patches
Signed-off-by: Gyorgy Szing <Gyorgy.Szing@arm.com>
Signed-off-by: Bence Balogh <bence.balogh@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-04-23 14:01:59 -04:00
Bence Balogh ecb0b05148 arm-bsp/u-boot: corstone1000: update TS RPC protocol
The Trusted Services v1.0 uses new RPC protocol and the message
fields in u-boot had to be synchronized.

Signed-off-by: Bence Balogh <bence.balogh@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-04-23 14:01:59 -04:00
Gyorgy Szing eeb6441ac6 arm-bsp: enable Trusted Services on the fvp-base platform
Add configuration settings to TF-A, OP-TEE and TS SPs needed to get TS
built and run on the fvp-base machine.

Signed-off-by: Gyorgy Szing <gyorgy.szing@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-04-23 14:01:59 -04:00
Gyorgy Szing a130541e92 arm/devtools/fvp-base-a-aem: update the AEM FVP to 11.25.15
Version v11.25 was released and it fixes measured boot. Update the
recipe and integrate the new version.

The pattern of the download URL has changed. Add functionality to
calculate a new URL fragment from the package version.

Signed-off-by: Gyorgy Szing <gyorgy.szing@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-04-23 14:01:59 -04:00
Gyorgy Szing 34f1c74092 arm/trusted-services: fix environment handling
The current version of the TS recipes fails to build if the TS
environment is not set to opteesp. Change the recipes to allow building
the sp environment.

This environment targets "generic" secure partitions and produces SPMC
agnostic SP binaries which should be able to boot under any FF-A v1.0
compliant SPMC implementation.

Signed-off-by: Gyorgy Szing <gyorgy.szing@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-04-23 14:01:59 -04:00
Gyorgy Szing 7f30d19df1 arm/trusted-services: fix MbedTLS build issue
MbedTLS fails to build when FORTIFY_SOURCE is enabled and the NWd
configuration is used. Disable the compilation option temporary till
the root cause can be fund and a proper fix be made.

The build only fails when building from yocto. The OP-TEE integration
works fine with gcc v13.2_rel1.

Signed-off-by: Gyorgy Szing <Gyorgy.Szing@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-04-23 14:01:59 -04:00
Gyorgy Szing 954975813a arm/trusted-services: Update TS to v1.0.0
- Update Trusted Services to v1.0.0.
- Update TS "external components" references to fetch the version
  dictated by the TS repo.
- Remove patches merged up-stream.
- Update the TS nanopb integration fix (see 210a6ace83)
- Update TS test integration.

Signed-off-by: Gyorgy Szing <Gyorgy.Szing@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-04-23 14:01:59 -04:00
Gyorgy Szing 97be7e3fa3 arm/trusted-services: Update FFA TEE driver to v2.0.0
- Update driver version to v2.0.0
- Follow up the name change. The driver has been renamed from
  arm_ffa_tee to arm_tstee.

Signed-off-by: Gyorgy Szing <Gyorgy.Szing@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-04-23 14:01:59 -04:00
Jon Mason 6b64cd3704 Revert "arm-bsp/corstone1000-flash-firmware-image: add nopt generation"
This reverts commit e6ff022d6d.
2024-04-23 13:56:29 -04:00
Jon Mason 39d31fff7f Revert "arm/uefi_capsule: use U-Boot for capsule generation"
This reverts commit d0d1b96b0a.
2024-04-23 13:56:26 -04:00
Jon Mason 08474f5ce4 Revert "arm-bsp/documentation: corstone1000: update capsule generation steps"
This reverts commit 527475c354.
2024-04-23 13:56:18 -04:00
Bence Balogh 527475c354 arm-bsp/documentation: corstone1000: update capsule generation steps
The .nopt and capsule are generated during the yocto build. Sync the
documentation with the changes.

Signed-off-by: Bence Balogh <bence.balogh@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-04-20 09:41:47 -04:00
Bence Balogh d0d1b96b0a arm/uefi_capsule: use U-Boot for capsule generation
Currently, only the Corstone-1000 platform uses the capsule generation
class. Corstone-1000 uses U-Boot instead of EDK2. With this change,
the dependency on EDK2 was removed.

Signed-off-by: Bence Balogh <bence.balogh@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-04-20 09:41:47 -04:00
Bence Balogh e6ff022d6d arm-bsp/corstone1000-flash-firmware-image: add nopt generation
The .nopt image is used during the UEFI Update Capsule generation.
This .nopt image was generated manually when it was needed.

Signed-off-by: Bence Balogh <bence.balogh@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-04-20 09:41:47 -04:00
Jon Mason 2a579f5f54 arm-bsp/linux: remove kmeta SRCREV SHA
A SRCREV for arm-platforms-kmeta was added years ago to get
yocto-check-layer working at the time, but was never removed (and never
updated).  Removing now, since it is not necessary.

Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-04-20 09:40:28 -04:00
Adam Johnston 115196939f arm-bsp/corstone1000: Fix RSA key generation issue
A patch was dropped when trusted-firmware-m was updated to 2.0 but it
had not yet been merged upstream (2.0 or master).

Restore the patch to fix regression on Corstone-1000

Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-04-20 09:40:28 -04:00
Amr Mohamed 463aa8fe14 arm-systemready/linux-distros: Upgrade the Debian version to 12.4
Upgrade the Debian distribution from version 11.7 to version 12.4 in the distribution installation.

Signed-off-by: Amr Mohamed <amr.mohamed@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-04-20 09:36:14 -04:00
Ross Burton 80f3b85bbd CI: use scarthgap branches
Upstream master and scarthgap have now diverged, so use scarthgap whilst
we prepare for release.  At the time of writing there is no scarthgap
branch for meta-clang, so leave that on master.

Signed-off-by: Ross Burton <ross.burton@arm.com>
2024-04-17 13:36:19 +00:00
Ross Burton 04187be11d arm-bsp/fvp-base: improve FVP performance
Increase the number of TLB entries from 0x80 to 0x400 and disable the
checking of memory attributes.  In our CI, this makes testimage run in
576s instead of 803s.

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-04-15 12:00:16 -04:00
Bence Balogh b6843e30d3 kas: corstone1000: disable multiconfig for firmware builds
Multiconfig is only needed when recovery and the mass storage images
are built together. It is not needed when firmware-only build is used.

Signed-off-by: Bence Balogh <bence.balogh@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-04-15 06:00:15 -04:00
Ross Burton 888a527676 arm-bsp/linux-yocto-dev: add bbappend to enable this kernel for our BSPs
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-04-12 10:00:15 -04:00
Emekcan Aras 3715c698ec arm-bsp/trusted-firmware-m: corstone1000: Enable host firewall in FVP
Enables host firewall and mpu setup for FVP. It also fixes secure-ram
configuration and disable access rights to secure ram from both normal world
for both mps3 and fvp.

Signed-off-by: Emekcan Aras <emekcan.aras@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-04-12 07:00:16 -04:00
Emekcan Aras 14f32eef69 arm-bsp/trusted-services: corstone1000: Change MM comm buffer location
MM Communicate buffer is accessed by normal world but at the moment so it
should be located in DDR instead of secure-ram. This moves mm communicate
buffer to the DDR for trusted-service components.

Signed-off-by: Emekcan Aras <emekcan.aras@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-04-12 07:00:16 -04:00
Emekcan Aras 1370190ac5 arm-bsp/u-boot: corstone1000: Change MMCOMM buffer location
MM Communicate buffer is accessed by normal world but at the moment
it's allocated in the secure ram. This moves mm communicate buffer
to the DDR and also fixes the capsule buffer size since it cannot be
more than the bank size.

Signed-off-by: Emekcan Aras <emekcan.aras@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-04-12 07:00:16 -04:00
Ross Burton b26148e9de arm-bsp/trusted-firmware-a: remove now-unused 2.9.0 recipe
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-04-11 18:00:16 -04:00
Ross Burton faea66de04 arm-bsp/sgi575: upgrade trusted-firmware-a to 2.10
Remove the preferred version so that we track the latest release.

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-04-11 18:00:16 -04:00
Jon Mason 17df9c4ebc arm-bsp/corstone1000: reformat u-boot patches
Some of the corstone u-boot patches are not properly formatted, causing
scripting issues.  Regenerate them via:
    devtool modify u-boot
    git format-patch -N --no-signature devtool-base..HEAD
    mv *.patch ~/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot/corstone1000/

Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-04-11 10:01:59 -04:00
Jon Mason ee8933dff1 arm/opencsd: update to 1.5.2
Update to the latest stable version (1.5.2), comprised of the following
commits:
	5d86f27a8c0a opencsd: Update version info and README for 1.5.2
	71c50dda716f build: win: Fix name for ocsd-perr utility in windows build
	599551d3ea09 opencsd: docs: Update docs for test programs
	769faaa6368a opencsd: docs: Update trc_pkt_lister man file
	b957577e71bf tests: Fix typo in trc_pkt_lister help output
	dca84a74a0d5 build: Fix clean of mem_acc_test
	85fd025eed35 opencsd: stm: Fix build warning in 64 bit build of STM
	2145b81b4b61 opencsd: etmv4: Fix build warning on decoder
	169cc07d3625 docs: Fix formatting in README.md

Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-04-11 10:01:59 -04:00
Jon Mason 46ee22faeb arm/trusted-firmware-a: update to 2.10.3 release
Update to the latest stable version (2.10.3), comprised of the following
commits:
	fc93d0edfc52 docs(changelog): changelog for lts-v2.10.3 release
	4a10950a8538 docs(changelog): display all sections
	bafc27c8d7cf chore: rename Poseidon to Neoverse V3
	a6256d7a2638 feat(cpu): add support for Poseidon V CPU
	ef393a3f9fa2 fix(cpu): correct variant name for default Poseidon CPU
	81931a13a835 fix(cpus): workaround for Cortex-A715 erratum 2413290
	baf14745f117 fix(cpus): workaround for Cortex-A720 erratum 2926083
	635c83eb456a chore: update status of Cortex-X3 erratum 2615812
	03636f2c3d60 fix(cpus): workaround for Cortex-A720 erratum 2940794
	e86990d0911d fix(cpus): fix a defect in Cortex-A715 erratum 2561034
	b59307ef8efd fix(cpus): workaround for Cortex-A715 erratum 2413290
	44f36c48f280 docs(sdei): provide security guidelines when using SDEI
	11cb0962f7ac docs(threat_model): mark power analysis threats out-of-scope
	3e3ff298a614 fix(cpus): workaround for Cortex-A715 erratum 2344187
	d466c5d4d27b fix(cpus): workaround for Cortex-X4 erratum 2701112
	940ebbe2d1d0 fix(cpus): workaround for Cortex-A715 erratum 2331818
	04c60d5ef31c fix(cpus): workaround for Cortex-A715 erratum 2420947
	b7ed781eea74 fix(gic600): workaround for Part 1 of GIC600 erratum 2384374
	58646309aedf chore: rearrange the fvp_cpu_errata.mk file
	a234f540b727 fix(cpus): add erratum 2701951 to Cortex-X3's list
	a24c8006ea39 refactor(errata-abi): workaround platforms non-arm interconnect
	9fe65073d442 refactor(errata-abi): optimize errata ABI using errata framework
	301698e15bc8 fix(cpus): workaround for Cortex-A715 erratum 2429384
	5f8f745c7e99 fix(cpus): workaround for Cortex-X3 erratum 2372204

Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-04-11 10:01:59 -04:00
Jon Mason 7df4fb66ab arm/optee-ftpm: update to the latest SHA
Update to the latest SHA.  Rebase of patch needed.

Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-04-11 10:01:59 -04:00
Jon Mason ab4bf2700f CI: update to kas 4.3.2
The new kas version has fixed the netrc issue.  Update to it and remove
the workaround

Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-04-11 10:01:59 -04:00
Jon Mason 0af53c6453 arm-bsp: Remove tc1
Remove tc1 and related recipes that are unique to it (and generally
unused ones).

Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-04-11 10:01:59 -04:00
Jon Mason 2021b81dc5 arm-bsp: remove unused recipes
These recipes users went away but didn't clean up after themselves.
Doing so now.

Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-04-11 10:01:59 -04:00
Debbie Martin 603d9dbfe4 arm-systemready: Change get_json_result_dir helper
The get_testimage_json_result_dir helper in OE core was deleted in
commit 01b1a6a5a4e7cede4d23a981b5144ae9c8306274 in preference for a
common utility. Change the reference within the Arm SystemReady ACS
log handler utlity.

Signed-off-by: Debbie Martin <Debbie.Martin@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-04-11 10:01:59 -04:00
Anusmita Dutta Mazumder 9a479aed90 arm-bsp/tf-m:corstone1000: add unique guid for fvp and mps3
This patch in TF-M sets unique GUID for Corstone1000 FVP and MPS3

Signed-off-by: Anusmita Dutta Mazumder <anusmita.duttamazumder@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-04-11 10:01:59 -04:00
Anusmita Dutta Mazumder 5cd5f3442a arm-bsp/u-boot:corstone1000: add unique guid for fvp and mps3
This patch in U-boot sets unique GUID for Corstone1000 FVP and MPS3

Signed-off-by: Anusmita Dutta Mazumder <anusmita.duttamazumder@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-04-11 10:01:59 -04:00
Harsimran Singh Tungal 2007767dd5 corstone1000:arm-bsp/tftf: upgrade tftf version to v2.10
This change upgrades the tftf version to v2.10 for the Corstone-1000.

Signed-off-by: Harsimran Singh Tungal <harsimransingh.tungal@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-04-11 10:01:59 -04:00
Abdellatif El Khlifi d9e18ce792 arm-bsp/corstone1000: add documentation disclaimer
add Security Vulnerability Disclaimer in Corstone-1000 documentation

Signed-off-by: Abdellatif El Khlifi <abdellatif.elkhlifi@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-04-02 11:00:15 -04:00
Jon Mason 8d308aac02 arm: use UPSTREAM_CHECK_COMMITS for git versioned recipes
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-03-28 17:00:14 -04:00
Jon Mason 7163b472ab arm/sbsa-acs: use UPSTREAM_CHECK_URI for version checking
Since sbsa-acs requires edk2-firmware, it bases its SRC_URI on that.
The first entry of SRC_URI is what is used to determine the latest
version.  So, specify an alternative URI to determine the correct
version.

Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-03-28 17:00:14 -04:00
Ali Can Ozaslan b5f2a793ea arm-bsp/trusted-firmware-a: n1sdp: update to 2.10
This change upgrades the trusted-firmware-m version to 2.10
for n1sdp.

Signed-off-by: Ali Can Ozaslan <ali.oezaslan@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-03-28 08:00:14 -04:00
Ross Burton 2271e33766 CI: ignore netrc warnings caused by Kas
As of oe-core ba391d3, hashserv lookups will use authentication from the
.netrc file.  However, Kas will write invalid netrc files with comments,
which causes bitbake to emit warnings.

This has been fixed in Kas in e700729 but until Kas 4.3.2 is released we
can ignore this warning specifically when checking the logs.

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-03-27 09:32:43 -04:00
Jon Mason c652a09b32 Revert "arm/rmm: Add bitbake, include and patch file for RMM firmware"
This reverts commit 3877284730.
Overzealous script usage pushed patch still under review.  Reverting
until all issues can be resolved.
2024-03-23 10:58:18 -04:00
Jon Mason f9bc290fc9 arm-toolchain: correct UPSTREAM_CHECK
When the URL and names of the toolchain tarballs changed, the
UPSTREAM_CHECKs were not modified with the proper values.  This causes
the tooling to not show when new versions are available.  Modify to get
it working again.

Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-03-22 15:00:24 -04:00
Jon Mason d36afba0ca arm/sbsa-acs: remove unreferenced patch
A patch was not removed when sbsa-acs was updated.  Remove and everyone
is now happy.

Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-03-22 15:00:24 -04:00
Mathieu Poirier 3877284730 arm/rmm: Add bitbake, include and patch file for RMM firmware
Initial checking providing support for RMM on QEMU's "virt" machine.

Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-03-22 13:00:23 -04:00
Jon Mason 0aeec5472c CI: reduce coverage of dev kernel
To reduce build and test times in CI, move the dev kernel outside the
standard matrix.  This results in it still being built and tested for
the platform, but only with gcc/glibc (and not against clang and musl).
This greatly reduces the number of permutations that need to be
verified.

Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-03-21 11:01:14 -04:00
Jon Mason 81e3864bee arm-toolchain/gcc-arm-none-eabi: remove 11.2
gcc-arm-none-eabi v11.2 is no longer needed by tf-m.  Remove this
version, as there is a newer one available.

Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-03-21 11:01:14 -04:00
Jon Mason 5705ede03d arm/scp-firmware: update to v2.14.0
Update to the latest version of SCP.  In this release, some of the
platforms were grouped into common family directories, which
necessitated adding a variable to specify which one.

Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-03-21 11:01:14 -04:00
Jon Mason 362e7d6f05 arm/sbsa-acs: update to 7.1.4
Update to the latest version.  Also, remove the gcc12 workaround, as
that was added in edk2 commit 206168e83f090, which has been included
since the 202305 release.

Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-03-20 10:52:12 -04:00
Jon Mason 6bc5f4ff2d arm/trusted-firmware-a: update to 2.10.2
Update the TF-A recipe to the latest stable version (2.10.2).
NOTE: tf-a-tests did not have a corresponding stable release.  So,
keeping back at 2.10.0.

Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-03-20 10:52:12 -04:00
Jon Mason a77c2859d1 arm/edk2: update to 202402
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-03-20 10:52:12 -04:00
Jon Mason da97414dfb CI: update kas to 4.3.1
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-03-20 10:51:49 -04:00
Jon Mason 59b79d5e92 arm-bsp/tfa-tests: move n1sdp patch to platform directory
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-03-19 11:00:21 -04:00
Jon Mason a19c7d7b76 arm-bsp/tf-a-tests: remove corstone1000 intermediate SHA
Things are now building for corstone1000.  Remove the intermediate SHA
and let it run the latest code.

Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-03-19 11:00:21 -04:00
Emekcan Aras 6cd998d411 arm/trusted-services: Add recipe for block storage service
Adds a recipe (ts-sp-block-storage) to build the Block Storage
secure partition to enable feature development for downstream users.

Signed-off-by: Emekcan Aras <Emekcan.Aras@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-03-19 09:22:35 -04:00
Ross Burton c93a1459da Add SECURITY.md 2024-03-18 09:41:57 -04:00
Anusmita Dutta Mazumder 299003f7fc arm-bsp/n1sdp: Update EDK2 version
Update N1SDP EDK2 version to 2023-11 and rebase existing out of tree patches.

Signed-off-by: Anusmita Dutta Mazumder <anusmita.duttamazumder@arm.com>
2024-03-18 09:41:57 -04:00
Anusmita Dutta Mazumder 1c35b69b6e arm-bsp/n1sdp: Update scp-firmware version
Remove scp-firmware sha for intermediate version
to update to v2.13 according to the Arm Reference solutions
Feb-2024 manifest.

Signed-off-by: Anusmita Dutta Mazumder <anusmita.duttamazumder@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-03-18 08:00:32 -04:00
Jon Mason 67901eb5cb arm/optee: disable clang due to breakage
With clang 18, optee-os no longer compiles cleanly.  It is now seeing:

| In file included from core/arch/arm/kernel/vfp.c:6:
| In file included from core/arch/arm/include/arm.h:131:
| core/arch/arm/include/arm64.h:436:1: error: expected readable system
register
|   436 | DEFINE_U32_REG_READWRITE_FUNCS(fpcr)
|       | ^
| core/arch/arm/include/arm64.h:417:3: note: expanded from macro
'DEFINE_U32_REG_READWRITE_FUNCS'
|   417 |                 DEFINE_U32_REG_READ_FUNC(reg)   \
|       |                 ^
| core/arch/arm/include/arm64.h:411:3: note: expanded from macro
'DEFINE_U32_REG_READ_FUNC'
|   411 |                 DEFINE_REG_READ_FUNC_(reg, uint32_t, reg)
|       |                 ^
| core/arch/arm/include/arm64.h:398:15: note: expanded from macro
'DEFINE_REG_READ_FUNC_'
|   398 |         asm volatile("mrs %0, " #asmreg : "=r" (val64));
\
|       |                      ^
| <inline asm>:1:10: note: instantiated into assembly here
|     1 |         mrs x8, fpcr
|       |                 ^

Issues are also seen on optee-examples and optee-test.
Forcing GCC for all optee recipes until this issue can be resolved.

Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-03-17 23:00:16 -04:00
Bence Balogh 0792a314f6 arm-bsp/trusted-firmware-a: corstone1000: remove SMCCC_ARCH_FEATURES discovery workaround
The workaround is no longer needed because with the
0043-firmware-psci-Fix-bind_smccc_features-psci-check.patch file the
u-boot PSCI driver is compliant with the PSCI specifications.

Signed-off-by: Bence Balogh <bence.balogh@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-03-14 08:00:51 -04:00
Bence Balogh fb1a85a43c arm-bsp/u-boot: corstone1000: fix SMCCC_ARCH_FEATURES detection in the PSCI driver
The u-boot PSCI driver was not compliant with the PSCI specifications so
this patch had to be added.

Signed-off-by: Bence Balogh <bence.balogh@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-03-14 08:00:51 -04:00
Ali Can Ozaslan ab6e5f4788 arm/trusted-firmware-m: Change GNU Arm compiler version for TF-M 2.0
GNU Arm compiler version greater and equal than *11.3.Rel1*
has a linker issue in syscall for TF-M 1.8.0. Let's bump to
TF-M 2.0 which contains the fix for the issue.

Signed-off-by: Emekcan Aras <emekcan.aras@arm.com>
Signed-off-by: Ali Can Ozaslan <ali.oezaslan@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-03-14 06:07:56 -04:00
Ali Can Ozaslan de57703654 arm-bsp/trusted-services: corstone1000: Client Id adjustments after TF-M 2.0
Corstone-1000 uses trusted-firmware-m as secure enclave software
component. Due to the changes in TF-M 2.0, psa services requires
a seperate client_id now. This commit adds smm-gateway-sp client id to
the FMP services since FMP structure accessed by u-boot via
smm-gateway-sp.

Signed-off-by: Ali Can Ozaslan <ali.oezaslan@arm.com>
Signed-off-by: Emekcan Aras <emekcan.aras@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-03-14 06:07:56 -04:00
Ali Can Ozaslan a8f47e9504 arm-bsp/trusted-firmware-m: corstone1000: update to 2.0
This change upgrades the trusted-firmware-m version to 2.0
for Corstone-1000.

Emekcan Aras <emekcan.aras@arm.com>

Signed-off-by: Ali Can Ozaslan <ali.oezaslan@arm.com>
Signed-off-by: Bence Balogh <bence.balogh@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-03-14 06:07:56 -04:00
Jon Mason 74ac722826 arm/linux-yocto: remove unreferenced patch
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-03-13 15:00:22 -04:00
Jon Mason 2bfbb33518 README: Add information about release process and mailing list
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-03-13 15:00:22 -04:00
Ross Burton e867b0aa6a arm arm-bsp: enable patch-status warnings
Enable the patch-status warning for meta-arm and meta-arm-bsp.

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-03-13 08:56:18 -04:00
Drew Reed 9ea97cf4f5 bsp: Corstone-1000 userguide updates
The user guide document for Corstone-1000 has been updated to reflect
the changes required following the multiconfig changes as well as now
running the fvp within the kas shell to ensure all environment variables
are picked up correctly.

Signed-off-by: Drew Reed <Drew.Reed@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-03-13 08:52:27 -04:00
Drew Reed 6e2a547482 kas: Corstone-1000 kas files updated
The 2 Corstone-1000 kas files files are updated following the
multiconfig changes. The pinned commits have been commented out and
the default branch changed to master to allow the file to build valid
images.

Signed-off-by: Drew Reed <Drew.Reed@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-03-13 08:52:27 -04:00
Emekcan Aras f6f616c38d arm-bsp/trusted-firmware-a: Upgrade Corstone1000 to TF-A v2.10
Upgrades trusted-firmware-a and align with changes in v2.10 for Corstone-1000.

Signed-off-by: Emekcan Aras <emekcan.aras@arm.com>
Signed-off-by: Delane Brandy <delane.brandy@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-03-12 15:34:58 -04:00
Delane Brandy 697fcf4394 arm/trusted-firmware-a: fix mbedTLS version
Update mbedTLS version as TF-A 2.10 supports mbedTLS 3.4.1, as seen:
https://trustedfirmware-a.readthedocs.io/en/v2.10/change-log.html#new-features

Signed-off-by: Delane Brandy <delane.brandy@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-03-07 11:33:04 -05:00
Alexander Sverdlin a01f272149 optee-ftpm: fix EARLY_TA_PATHS passed to optee-os
Fix the build with DISTRO_FEATURES containing "usrmerge":
make: *** No rule to make target '/.../optee-os/4.1.0/recipe-sysroot/lib/optee_armtz/bc50d971-d4c9-42c4-82cb-343fb7f37896.stripped.elf', needed by '/.../optee-os/4.1.0/build/core/early_ta_bc50d971-d4c9-42c4-82cb-343fb7f37896.c'.  Stop.

Fixes: 6a105f47b9 ("optee-ftpm: Install artifacts into nonarch_base_libdir")
Signed-off-by: Alexander Sverdlin <alexander.sverdlin@siemens.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-03-07 11:33:04 -05:00
Drew Reed aba9250494 ci: Ensure tests are in the Corstone-1000 flash image
To ensure the psa and optee tests are included in the initramsfs based
rootfs included within the flash image so the tests can be run.

Signed-off-by: Drew Reed <Drew.Reed@arm.com>
2024-02-28 17:17:41 +00:00
Drew Reed 1231e54ae8 ci: Add back testing of firmware only builds
Signed-off-by: Drew Reed <Drew.Reed@arm.com>
2024-02-23 11:32:12 +00:00
Drew Reed 1e972c5637 bsp: Restore the ability to build firmware only
To allow us to continue to ship Corstone-1000 releases that only include
the firmware with the built in Linux image we need a way to build it
outside of the multiconfig builds.

Signed-off-by: Drew Reed <Drew.Reed@arm.com>
2024-02-23 11:32:12 +00:00
Drew Reed 02a7283944 bsp,ci: Build Corstone-1000 firmware under multiconfig
By building the Corstone-1000 firmware under the firmware multiconfig we
can also build a minimal standard core image to be mounted in the fvp as
a mass storage device.
To do this we had to enable the MMC card interface in the Corstone-1000
kernel configuration.

Signed-off-by: Drew Reed <Drew.Reed@arm.com>
2024-02-23 11:32:12 +00:00
Drew Reed a45dc44ab7 meta-arm: Support firmware building under a multiconfig
To enable building rescue or bootstrap images that can be included into
firmware a "firmware" multiconfig option is required to allow the
building with different options to any mass storage image they may also
be built.

As this multiconfig build will occur under a different TMPDIR, we also
provide a deployment image to allow easy copying of the firmware into
another deploy dir.

Signed-off-by: Drew Reed <Drew.Reed@arm.com>
2024-02-23 11:32:12 +00:00
Bence Balogh c156893334 arm-bsp/trusted-firmware-m: disable libmetal doc generation
The TF-M configuration step can fail if the doxygen executable is found.
This commit disables the doc generation until this is fixed in the
upstream repos.

Signed-off-by: Bence Balogh <bence.balogh@arm.com>
2024-02-23 11:31:57 +00:00
Anusmita Dutta Mazumder 1560fbe0c9 arm-bsp/n1sdp: update to linux yocto kernel 6.6
Bumped kernel version to v6.6 and rebased N1SDP kernel PCIe quirk patches on top of this new version.

Signed-off-by: Anusmita Dutta Mazumder <anusmita.duttamazumder@arm.com>
2024-02-21 09:52:03 +00:00
Anusmita Dutta Mazumder 5fb0044f03 arm-bsp/linux-yocto: Remove EOL Linux yocto kernel 6.1
Since there are no platforms using this version, the related files can
be removed.

Signed-off-by: Anusmita Dutta Mazumder <anusmita.duttamazumder@arm.com>
2024-02-21 09:52:03 +00:00
Drew Reed 025f76a14f bsp: Rename corstone1000-image
As we intend to build 2 Corstone-1000 disk images, one for the firmware
in flash and an external mass storage image the existing
corstone1000-image.bb file has been renamed to
corstone1000-flash-firmware-image.bb to make it clear what it's for.
The wks file for specifing the image layout has also been renamed to
make its purpose clearer.

Signed-off-by: Drew Reed <Drew.Reed@arm.com>
2024-02-15 12:21:56 +00:00
Drew Reed 036274b3fb bsp,ci: Switch to poky distro
We can now use the standard poky distro configured to be small by
switching distrobution and using the standard minimal image
from poky.
To do this we also remove and image configuration options from the
machine config and apply them in the kas files.

Signed-off-by: Drew Reed <Drew.Reed@arm.com>
2024-02-15 12:21:56 +00:00
Drew Reed 79c809ab57 bsp: Move machine settings
Moves a number of setting from the machine definition to the actual
recipes they apply too.
Added image configuration and dependancies to the flash image definition
file.
Reordered the settings in the machine definition to group them by
component that are related to.

Signed-off-by: Drew Reed <Drew.Reed@arm.com>
2024-02-15 12:21:56 +00:00
Drew Reed 39ceb87324 bsp: Move Corstone-1000 U-Boot configuration entries
Moved the U-Boot configuration items from the machine definition to the
Corstone-1000 specific U-Boot append file as it makes it easier to the
U-Boot configuration for a machine in one place and to make it more
consistant with other platforms.

Signed-off-by: Drew Reed <Drew.Reed@arm.com>
2024-02-15 12:21:56 +00:00
Khem Raj 9975a3b3d9 layer.conf: Update for the scarthgap release series
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2024-02-15 12:21:42 +00:00
Ross Burton 238a6f1ebf CI: use https: to fetch meta-virtualization
Some firewalls may reject git: traffic, so use https.

Signed-off-by: Ross Burton <ross.burton@arm.com>
2024-02-15 12:20:52 +00:00
Harsimran Singh Tungal 73dae39ad2 arm-bsp/optee: upgrade optee to 4.1.0 for N1SDP
This change upgrades the optee version to v4.1.0

Signed-off-by: Harsimran Singh Tungal <harsimransingh.tungal@arm.com>
2024-02-14 12:02:05 +00:00
Vincent Stehlé 12e3e2b9c6 arm-bsp/documentation: corstone1000: fix typo
Add a couple of missing `bitbake' commands.

Signed-off-by: Vincent Stehlé <vincent.stehle@arm.com>
2024-02-08 14:10:47 +00:00
Ali Can Ozaslan 145bb34865 arm-bsp/u-boot:corstone1000: Fix deployment of capsule files
The capsule_cert and capsule_key file generated by u-boot for
corstone1000 do not get deployed correctly since writingh the output directly
to ${DEPLOY_DIR_IMAGE} causes the sstate mechanism to malfunction
especially in the CI builds. This patch fixes the issue and deploy the
generated files correctly.

Signed-off-by: Ali Can Ozaslan <ali.oezaslan@arm.com>
Signed-off-by: Emekcan Aras <Emekcan.Aras@arm.com>
2024-02-08 14:10:15 +00:00
Ross Burton 60202ad84d CI: allow the runner to set a NVD API key
Setting an API key means we get higher rate limits. Because keys are
private, the key must be set in the environment of the runner.

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-01-29 14:00:23 -05:00
Ross Burton 8b94fee205 CI: add explanatory comments to variables
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-01-29 14:00:23 -05:00
Harsimran Singh Tungal c5e288d1bb n1sdp:arm arm-bsp: fix tftf tests for n1sdp
This changeset fix the tftf tests issue on n1sdp. Before this change, the tftf tests were getting stuck on n1sdp.
The following changes have been done:

1. There were some tftf tests based on multicore which involve powering up the other cores. These tests were creating
issues and the same thing has already been mentioned in the tests-to-skip.txt file for n1sdp platform in tftf source.
Those tests are skipped while executing tftf and patch has been created.

2. The TFTF_MODE variable added for tftf v2.10 recipe file, as did earlier for tftf v2.9. With the help of this, we can
enable debug or relase mode. The configuration based on this has been added for n1sdp in the corresponding bbappend file.

3. Add PREFERRED_VERSION_tf-a-tests for v2.10.

Signed-off-by: Harsimran Singh Tungal <harsimransingh.tungal@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-01-26 22:10:57 -05:00
Ross Burton a91ddf4869 CI/cve.yml: add a CVE-checking Kas fragment
Add a Kas fragment to enable the CVE checker.  Disable warnings by
default but show them for the layers in meta-arm, because we only care
about meta-arm issues in this CI.

Explicitly hide kernel warnings as the kernel typically has tens of open
CVEs, and if we're carrying a kernel explicitly then it's typically an
interim kernel between releases.

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-01-26 12:00:23 -05:00
Ross Burton 827129b05b CI: support extra kas files from environment
Extend jobs-to-kas so the first argument is still the GitLab job name,
but allow further arguments to specify extra Kas files to use in
addition.

Then add a variable EXTRA_KAS_FILES to the CI configuration that
defaults to the empty string and pass this to jobs-to-kas.

This lets specific pipeline runs add extra Kas files, for example to use
experimental branches or enable extra features without touching the CI
directly.

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-01-26 12:00:23 -05:00
Jon Mason d1f0597822 arm-bsp/optee: remove unused v3.22.0 recipes
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-01-26 11:00:27 -05:00
Jon Mason 5a78c75f35 arm/optee: update to 4.1
Add 4.1.0 recipes and move 4.0.0 to meta-arm-bsp for n1sdp

Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-01-26 11:00:27 -05:00
Jon Mason b422688735 arm/opencsd: update to v1.5.1
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-01-26 11:00:27 -05:00
Harsimran Singh Tungal 6bb1fc8d8c n1sdp:arm-bsp/optee: Update optee to v4.0
This change updates the optee version to v4.0

Signed-off-by: Harsimran Singh Tungal <harsimransingh.tungal@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-01-24 10:00:22 -05:00
Ross Burton 1ef1b0ab25 arm-bsp/linux-yocto: add 6.1 recipe
Linux 6.1 will be removed from oe-core master shortly, so whilst we
still have BSPs that use it (specifically, n1sdp) carry a 6.1 recipe in
meta-arm-bsp.

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-01-23 20:17:32 -05:00
Vikas Katariya 1cad3c3813 arm-bsp/linux-yocto: Remove EOL Linux yocto kernel 6.5
Since there are no platforms using this version, this reciepe can
be removed.

Signed-off-by: Vikas Katariya <vikas.katariya@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-01-18 13:00:28 -05:00
Vikas Katariya 1c21b457db arm-bsp/n1sdp: Downgrade to 6.1 linux yocto kernel
Since linux yocto kernel 6.5 is EOL and other layers like
meta-virtualization dropping support for it, it would be
sensible to downgrade the kernel to 6.1 which is a LTS.

This is a temporary change and later we would move to 6.6 when its
officially supported on N1SDP.

This revert the following commits:
* 1fe76c893c
* 21df60b921

Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-01-18 13:00:28 -05:00
Jon Mason 4ada485283 arm/opencsd: update to 1.4.2
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-01-18 10:00:22 -05:00
Ross Burton 3d3cf56dc9 arm/fvp-base-a-aem: upgrade to 11.24.11
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-01-18 10:00:21 -05:00
Jon Mason c538ae49ee arm/trusted-firmware-m: update to 2.0.0
Updated to the latest version.  Corstone1000 doesn't seem to boot.  So,
pull back the old version to meta-arm-bsp for it to use temporarily.

Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-01-15 19:00:22 -05:00
Jon Mason 8127e49f6b arm/pyhsslms: update to 2.0.0
Changes were needed due to the 2.0.0 version not being available for
download at pypi (though listed as the latest version there).

Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-01-15 19:00:22 -05:00
Ross Burton 83df70e181 arm-bsp/documentation: upgrade Sphinx slightly
Many Sphinx plugins now require Sphinx 5+ ([1], [2], and more), so
sphinx 4.5 isn't usable as the requirements in sphinx itself are not
pinned so you end up with a broken setup with errors such as:

sphinx.errors.VersionRequirementError: The sphinxcontrib.serializinghtml
extension used by this project needs at least Sphinx v5.0; it therefore
cannot be built with this version.

There's a sufficient number of plugins that manually pinning them all is
tedious, so upgrade the documentation to Sphinx 5 (and the corresponding
RTD theme).

Also remove sphinx-copybutton, as this extension is unused.

[1] https://github.com/sphinx-doc/sphinxcontrib-applehelp/commit/ccc77c814a92ef21c300e5ef725b76c40b7ce653
[2] https://github.com/sphinx-doc/sphinxcontrib-devhelp/commit/b2dc14bd8bdd7994c565d254772a0ba3ddecfe51

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-01-15 16:00:19 -05:00
Jon Mason 5712422011 arm-bsp/u-boot: rebase patches for v2024.01
Rebase the fvp-base and juno patches for v2024.01.  One patch was
upstreamed and thus dropped.

Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-01-11 11:00:26 -05:00
Jon Mason 98cf1495db arm/scp-firmware: update git repository to new location
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-01-09 12:00:34 -05:00
Jon Mason 2f9112a8fd arm/optee-os: remove unneeded clang patches
These patches don't appear to be needed anymore.  Removing them.

Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-01-09 12:00:33 -05:00
Jon Mason bcabc921f6 arm/optee-os: use sysroot in CFLAGS
Per the comment in https://github.com/OP-TEE/optee_os/issues/4188
use sysroot in CFLAGS instead of the patch

Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-01-09 12:00:33 -05:00
Jon Mason 0d71ca11c6 arm-bsp/optee-os: remove unused 3.18 files
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-01-09 12:00:33 -05:00
Emekcan Aras 450e42e7c2 arm-bsp/linux-yocto: corstone1000: bump to v6.6%
Upgrade the kernel to v6.6%

Signed-off-by: Emekcan Aras <emekcan.aras@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-01-05 12:00:21 -05:00
Jon Mason 6de882ae93 arm: modify patches to have email headers and correct date fields
Scripts processing data for the patch ages need correct information in
the relevant fields to determine the age.  Create/correct this
information where missing/incorrect.

Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-01-05 11:08:41 -05:00
Jon Mason 2cc6f05f3e arm-bsp/trusted-firmware-m: update libmetal and open-amp to 2023.04.0
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-01-05 11:00:35 -05:00
Jon Mason 01e60aa0e3 arm-bsp/trusted-firmware-m: update libmetal and open-amp to a release
The SHAs for both libmetal and open-amp are intermediate SHAs, which are
only a few patches behind the v2021.04.0 tags.  Update to those tags and make
the necessary changes to get them working.

Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-01-05 11:00:35 -05:00
Ross Burton ad9eadb70e arm-bsp/linux-yocto: add linux-yocto 6.5 temporarily
oe-core master has upgraded from 6.5 to 6.6, but as we have BSPs that
still use 6.5 (corstone1000, n1sdp) we need to carry the recipe. This
should be a short-term measure as 6.5 was EOL in December 2023.

Also, drop the unused 6.4 linux-yocto which was no longer needed since
N1SDP moved to 6.5 with 21df60b.

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-01-05 10:00:16 -05:00
Harsimran Singh Tungal 4d22f982bc corstone1000:arm-bsp/tftf: Fix tftf tests on mps3
The tftf tests were getting crashed on the MPS3 and two issues were found
during investigation. This change set provide fix for those issues:
1. The tftf tests were getting crashed on the MPS3 when compiled with
LOG_LEVEL=50. So, reducing the log level and aligning it with the TF-A
allows us to get rid of the crash.

2. Once the above crash got resolved, it has been found that tftf tests
were getting asserted while reading the value of the register
GICD_ITARGETSR. The reason for the crash is that the value of this register
is zero. As per the GIC documentation, this register is RAZ/WI for uniprocessor
implementation and corstone1000 is uniprocessor implementation for FPGA.
So, this change compiles the tftf tests in release mode which allows us
to compile out the assert definitions.

Signed-off-by: Harsimran Singh Tungal <harsimransingh.tungal@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2023-12-13 07:00:22 -05:00
Debbie Martin aec92016d2 ci: Add Arm SystemReady firmware and IR ACS builds
Add CI builds for Arm SystemReady Firmware within the fvp-base CI job and a new
Arm SystemReady IR ACS build job. Add the CI kas config for each of these
builds.

The ACS build can be controlled by the ACS_TEST GitLab variable to specify
whether or not to run the testimage. If this variable is not set, the
testimage step will not run. The job tag can be controlled by the ACS_TAG GitLab
variable.

Signed-off-by: Debbie Martin <Debbie.Martin@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2023-12-12 05:00:21 -05:00
Debbie Martin b59c60c03a arm-systemready: Add parted dependency and inherit testimage
Add the parted-native dependency explicitly which is needed to
use wic commands.

Also explicitly inherit testimage. This means that the kas config
is no longer required to include it in IMAGE_CLASSES.

Signed-off-by: Debbie Martin <Debbie.Martin@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2023-12-12 05:00:21 -05:00
Jon Mason 65460e5310 arm/edk2: update to 202311
Signed-off-by: Jon Mason <jon.mason@arm.com>
2023-12-09 10:39:50 -05:00
Jon Mason e6e7ac4d99 CI: rename meta-secure-core directory
meta-secure-core meta was renamed to meta-secure-core-common.  Update
the name to unbreak CI.

Signed-off-by: Jon Mason <jon.mason@arm.com>
2023-12-09 00:05:27 -05:00
Harsimran Singh Tungal 553cadc720 corstone1000:arm-bsp/optee: Update optee to v4.0
This change updates the optee version to v4.0

Signed-off-by: Harsimran Singh Tungal <harsimransingh.tungal@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2023-12-06 09:21:21 -05:00
Harsimran Singh Tungal 32dfb759cd arm-bsp/documentation: corstone1000: fix the steps in the user guide and instructions
Provide updates and fixes in the user guide identified during testing.

Signed-off-by: Harsimran Singh Tungal <harsimransingh.tungal@arm.com>
Signed-off-by: Emekcan Aras <Emekcan.Aras@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2023-12-05 12:02:11 -05:00
Jon Mason 560075f050 arm/hafnium: update to v2.10
Signed-off-by: Jon Mason <jon.mason@arm.com>
2023-12-05 10:00:28 -05:00
Jon Mason 3835b78f03 arm/trusted-firmware-a: update to 2.10
Update tf-a and mbedtls to the latest versions.  Also, migrate the
previous version to meta-arm-bsp for corstone1000.

NOTE: in v2.10, the fiptool makefile was changed to reference LDOPTS
instead of LDLIBS.

NOTE: commit 408cde8a59080ac2caa11c4d99474b2ef09f90df in tf-a modifies
the qemu_sbsa starting offset, and per the commit comment, it requires
the edk2 same change.  This is why the edk-platforms SHA has been
changed.  There are only 19 patches between the previous SHA and this
one (most of which are adding a single platform).  So, it shouldn't be
too impactful to bump the SHA (instead of making it a patch to apply
on top of the existing SHA).

NOTE: tf-a-tests added LDFLAGS to the makefile, causing the need for it
to be removed in the recipe.

Signed-off-by: Jon Mason <jon.mason@arm.com>
2023-12-05 10:00:28 -05:00
Jon Mason f0d7b9db31 arm/trusted-firmware-a: move patch file to bbappend
TF-A is being patched in the recipe for qemuarm64-secureboot.  This
should be done in the bbappend.

Signed-off-by: Jon Mason <jon.mason@arm.com>
2023-12-05 10:00:28 -05:00
Ross Burton 310cd898ba CI: switch back to master
Now that we've released 4.3 and branched, we can switch master CI back
to master.

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2023-11-30 08:48:31 -05:00
Ross Burton 0b61cc659a meta-arm/selftest: add test that PAC/BTI instructions are used
We enable PAC/BTI out of the box, but all of the pieces (such as gcc and
glibc) need to support it for the final binary to be protected.

Add a minimal test recipe to verify that the "Hello, World" binary is
using PAC/BTI, and add it to oe-selftest.

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2023-11-28 11:00:16 -05:00
Emekcan Aras 1dff3300fb arm-bsp/documentation: corstone1000: fix the requirements.txt and conf.py path
Readthedocs server requires an absolute path from project's root
directory to find correct requirements.txt and conf.py.

Signed-off-by: Emekcan Aras <Emekcan.Aras@arm.com>
Signed-off-by: Abdellatif El Khlifi <abdellatif.elkhlifi@arm.com>
Signed-off-by: Ross Burton <ross.burton@arm.com>
2023-11-24 19:49:42 +00:00
Emekcan Aras db658a77af arm-bsp/documentation: corstone1000: add readthedocs.yaml file
Migrate Corstone-1000 documentation to .readthedocs.yaml configuration file v2.

Signed-off-by: Emekcan Aras <Emekcan.Aras@arm.com>
Signed-off-by: Abdellatif El Khlifi <abdellatif.elkhlifi@arm.com>
Signed-off-by: Ross Burton <ross.burton@arm.com>
2023-11-24 16:31:49 +00:00
Abdellatif El Khlifi 5f8b6a2d26 kas: corstone1000: pin the SHAs
Upgrade the Corstone-1000 YMLs as follows:

- Set the layers SHAs
- Align with Kas v4
- Update the layers list

Signed-off-by: Abdellatif El Khlifi <abdellatif.elkhlifi@arm.com>
Signed-off-by: Ross Burton <ross.burton@arm.com>
2023-11-24 15:12:06 +00:00
Emekcan Aras 222544ae97 arm-bsp/documentation: corstone1000: add a note and fix instructions
Add a note for Capsule update negative test scenario and fixes instructions
regarding distro-boot in Corstone-1000 user guide.

Signed-off-by: Emekcan Aras <Emekcan.Aras@arm.com>
Signed-off-by: Delane Brandy <delane.brandy@arm.com>
Signed-off-by: Ross Burton <ross.burton@arm.com>
2023-11-24 15:12:06 +00:00
Emekcan Aras 9033f88bb0 arm-bsp/documentation: corstone1000: Add EFI system partition section
Adds creating an EFI System Partition for Corstone-1000.

Signed-off-by: Emekcan Aras <Emekcan.Aras@arm.com>
Signed-off-by: Ross Burton <ross.burton@arm.com>
2023-11-24 15:12:06 +00:00
Abdellatif El Khlifi 938572f5fc arm-bsp/documentation: corstone1000: update the user guide
align the user guide with the upcoming CORSTONE1000-2023.11 release

Signed-off-by: Abdellatif El Khlifi <abdellatif.elkhlifi@arm.com>
Signed-off-by: Ross Burton <ross.burton@arm.com>
2023-11-24 12:57:26 +00:00
Emekcan Aras e1424f8ac6 arm-bsp/documentation: corstone1000: update the architecture document
align the architecture document with the upcoming CORSTONE1000-2023.11 release

Signed-off-by: Emekcan Aras <emekcan.aras@arm.com>
Signed-off-by: Abdellatif El Khlifi <abdellatif.elkhlifi@arm.com>
Signed-off-by: Ross Burton <ross.burton@arm.com>
2023-11-24 12:57:26 +00:00
Abdellatif El Khlifi 86e2984459 arm-bsp/documentation: corstone1000: update the change log
align the change log with the upcoming CORSTONE1000-2023.11 release

Signed-off-by: Abdellatif El Khlifi <abdellatif.elkhlifi@arm.com>
Signed-off-by: Ross Burton <ross.burton@arm.com>
2023-11-24 12:57:26 +00:00
Abdellatif El Khlifi 166551f05f arm-bsp/documentation: corstone1000: update the release note
align the release note with the upcoming CORSTONE1000-2023.11 release

Signed-off-by: Abdellatif El Khlifi <abdellatif.elkhlifi@arm.com>
Signed-off-by: Ross Burton <ross.burton@arm.com>
2023-11-24 12:57:26 +00:00
Emekcan Aras a6348c814d arm-bsp/u-boot: corstone1000: enable virtio-net support for FVP
Use Ethernet over VirtIO on FVP due to lan91c111 Ethernet driver support dropped from U-Boot.
This patch enables virtio-net device in u-boot to pass ACS tests related to
NIC and PXE. The current ethernet device still works in linux kernel and
corstone1000-mps3 Ethernet device is supported by u-boot, so no change is
required regarding existing Ethernet device.

Signed-off-by: Emekcan Aras <emekcan.aras@arm.com>
Signed-off-by: Ross Burton <ross.burton@arm.com>
2023-11-24 12:20:52 +00:00
Emekcan Aras b7cda5d084 arm-bsp/corstone1000-fvp: Disable Time Annotation
Timing Annotation is a feature of the model that enables high-level
performance estimations to be made [1]. This currently doesn't work
properly with the new models and it's recommended to unset FASTSIM_DISABLE_TA.

[1] https://developer.arm.com/documentation/100965/1119/Timing-Annotation

Signed-off-by: Emekcan Aras <emekcan.aras@arm.com>
Signed-off-by: Ross Burton <ross.burton@arm.com>
2023-11-24 12:20:52 +00:00
Emekcan Aras 560f2c1de5 arm-bsp/corstone1000-fvp: add unpadded image support for MMC card config
Enables unpadded image support for MMC cards.

Signed-off-by: Emekcan Aras <emekcan.aras@arm.com>
Signed-off-by: Ross Burton <ross.burton@arm.com>
2023-11-24 12:20:52 +00:00
Emekcan Aras d5dc432df0 arm-bsp/corstone1000-fvp: Add virtio-net configuration
Adds virtio-net configuration to use virtio-net in corstone1000-fvp.

Signed-off-by: Emekcan Aras <emekcan.aras@arm.com>
Signed-off-by: Ross Burton <ross.burton@arm.com>
2023-11-24 12:20:52 +00:00
Emekcan Aras 5720e02f11 arm/fvp-corstone1000: upgrade to 11.23_25
Upgrade to the 11.23_25 release of the FVP.

Signed-off-by: Emekcan Aras <emekcan.aras@arm.com>
Signed-off-by: Ross Burton <ross.burton@arm.com>
2023-11-24 12:20:52 +00:00
Delane Brandy da41dd43f4 arm-bsp/documentation: corstone1000: Update the user guide
Update the user guide to include Linux distro installation on fvp

Signed-off-by: Delane Brandy <delane.brandy@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2023-11-22 09:39:31 -05:00
Emekcan Aras 63bb9a306e arm-bsp/corstone1000: fix synchronization issue on openamp notification
This fixes a race that is observed rarely in the FVP. It occurs in FVP
when tfm sends the notication ack in openamp, and then reset the access
request which resets the mhu registers before received by the host
processor. It implements the fix both in SE and the host processor openamp
wrapper. This solution enables polling on the status register of mhu until
the notificaiton is read by the host processor. (Inspired by
signal_and_wait_for_signal function in mhu_wrapper_v2_x.c in trusted-firmware-m
https://git.trustedfirmware.org/TF-M/trusted-firmware-m.git/tree/platform/ext/target/arm/rss/common/native_drivers/mhu_wrapper_v2_x.c#n61)

Signed-off-by: Emekcan Aras <emekcan.aras@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2023-11-22 09:39:31 -05:00
Ross Burton b99e5f3c1b arm-bsp/optee-os: update Upstream-Status tags
Fix some formatting, and switch Accepted to Backport.

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2023-11-14 08:00:22 -05:00
Jon Mason 17f6cf33ba arm/toolchains: update to 13.2.Rel1
Upgrade the Arm binary toolchains to the latest version.  Of note, the
untarred directory has camelcased the "R" in Rel (which was "rel" in the
previous versions).

Signed-off-by: Jon Mason <jon.mason@arm.com>
2023-11-13 10:12:13 -06:00
Ross Burton 8ea0a61add arm-bsp/trusted-firmware-a: use v8.4 instructions on fvp-base
The fvp-base machine uses a v8.4 tune and the FVP itself is configured
to be v8.4, so also tell TF-A to use v8.4.

This is normally done in the TF-A board configuration, but the fvp board
is configurable.

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2023-11-13 11:08:25 -05:00
Ross Burton 63f98dc2e8 arm-bsp/fvp-base: upgrade tune to v8.4
We already tell the FVP to be v8.4 cores, so tell the compiler to
tune for that instruction set too.

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2023-11-13 11:08:25 -05:00
Ross Burton d868eea7af arm/fvp-base-a-aem: upgrade to 11.23.9
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2023-11-13 11:08:25 -05:00
596 changed files with 15206 additions and 14996 deletions
+2
View File
@@ -0,0 +1,2 @@
[b4]
send-series-to = meta-arm@lists.yoctoproject.org
+236 -187
View File
@@ -1,16 +1,26 @@
image: ${MIRROR_GHCR}/siemens/kas/kas:4.0
image: ${MIRROR_GHCR}/siemens/kas/kas:4.4
variables:
CPU_REQUEST: ""
DEFAULT_TAG: ""
CACHE_DIR: $CI_BUILDS_DIR/persist
MIRROR_GHCR: ghcr.io
# These are needed as the k8s executor doesn't respect the container entrypoint
# by default
# These are needed as the k8s executor doesn't respect the container
# entrypoint by default
FF_KUBERNETES_HONOR_ENTRYPOINT: 1
FF_USE_LEGACY_KUBERNETES_EXECUTION_STRATEGY: 0
# The default value for KUBERNETES_CPU_REQUEST
CPU_REQUEST: ""
# The default machine tag for the build jobs
DEFAULT_TAG: ""
# The machine tag for the ACS test jobs
ACS_TAG: "$DEFAULT_TAG"
# The directory to use as the persistent cache (the root for DL_DIR, SSTATE_DIR, etc)
CACHE_DIR: $CI_BUILDS_DIR/persist
# The container mirror to use
MIRROR_GHCR: ghcr.io
# Whether to run the SystemReady ACS tests
ACS_TEST: 0
ACS_TAG: ""
# The list of extra Kas fragments to be used when building
EXTRA_KAS_FILES: ""
# The NVD API key to use when fetching CVEs
NVDCVE_API_KEY: ""
stages:
- prep
@@ -23,28 +33,24 @@ stages:
stage: build
interruptible: true
variables:
KUBERNETES_CPU_REQUEST: $CPU_REQUEST
KAS_WORK_DIR: $CI_PROJECT_DIR/work
KAS_REPO_REF_DIR: $CACHE_DIR/repos
KAS_BUILD_DIR: $KAS_WORK_DIR/build
# Set this in the environment to enable local repository caches
KAS_REPO_REF_DIR: ""
SSTATE_DIR: $CACHE_DIR/sstate
DL_DIR: $CACHE_DIR/downloads
BB_LOGCONFIG: $CI_PROJECT_DIR/ci/logging.yml
TOOLCHAIN_DIR: $CACHE_DIR/toolchains
IMAGE_DIR: $CI_PROJECT_DIR/work/build/tmp/deploy/images
TOOLCHAIN_LINK_DIR: $CI_PROJECT_DIR/work/build/toolchains
IMAGE_DIR: $KAS_BUILD_DIR/tmp/deploy/images
TOOLCHAIN_LINK_DIR: $KAS_BUILD_DIR/toolchains
before_script:
- echo KAS_WORK_DIR = $KAS_WORK_DIR
- echo SSTATE_DIR = $SSTATE_DIR
- echo DL_DIR = $DL_DIR
- rm -rf $KAS_WORK_DIR
- mkdir --verbose --parents $KAS_WORK_DIR $KAS_REPO_REF_DIR $SSTATE_DIR $DL_DIR $TOOLCHAIN_DIR $TOOLCHAIN_LINK_DIR
# Must do this here, as it's the only way to make sure the toolchain is installed on the same builder
- ./ci/get-binary-toolchains $DL_DIR $TOOLCHAIN_DIR $TOOLCHAIN_LINK_DIR
# Generalised fragment to do a Kas build
.build:
extends: .setup
variables:
KUBERNETES_CPU_REQUEST: $CPU_REQUEST
rules:
# Don't run MR pipelines
- if: $CI_PIPELINE_SOURCE == "merge_request_event"
@@ -61,16 +67,21 @@ stages:
# Catch all for everything else
- if: '$KERNEL != "linux-yocto-dev"'
script:
- KASFILES=$(./ci/jobs-to-kas "$CI_JOB_NAME"):lockfile.yml
- KASFILES=$(./ci/jobs-to-kas "$CI_JOB_NAME" $EXTRA_KAS_FILES):lockfile.yml
- echo KASFILES=$KASFILES
- kas dump --update --force-checkout --resolve-refs --resolve-env $KASFILES
- kas build $KASFILES
- ./ci/check-warnings $KAS_WORK_DIR/build/warnings.log
- ./ci/check-warnings $KAS_BUILD_DIR/warnings.log
- kas shell ci/base.yml:lockfile.yml --command "$CI_PROJECT_DIR/ci/junit.sh $KAS_WORK_DIR/build"
artifacts:
name: "logs"
when: always
paths:
- $CI_PROJECT_DIR/work/build/tmp*/work*/**/temp/log.do_*.*
- $CI_PROJECT_DIR/work/build/tmp*/work*/**/testimage/*
- $KAS_BUILD_DIR/tmp*/work*/**/temp/log.do_*.*
- $KAS_BUILD_DIR/tmp*/work*/**/testimage/*
reports:
junit: $KAS_BUILD_DIR/tmp/log/oeqa/junit.xml
#
# Prep stage, update repositories once.
@@ -83,7 +94,18 @@ update-repos:
exit_codes: 128
script:
- |
flock --verbose --timeout 60 $KAS_REPO_REF_DIR ./ci/update-repos
exit_code=0
# Dump the environment for reference
printenv
# Update the reference repositories if needed
if [ -n "$KAS_REPO_REF_DIR" ]; then
flock --verbose --timeout 60 $KAS_REPO_REF_DIR --command ./ci/update-repos || exit_code=$?
# Exit now if that failed, unless the status was 128 (fetch failed)
test $exit_code != 0 -a $exit_code != 128 && exit 1
fi
# Only generate if doesn't already exist, to allow feature branches to drop one in.
if test -f lockfile.yml; then
echo Using existing lockfile.yml
@@ -91,44 +113,26 @@ update-repos:
# Be sure that this is the complete list of layers being fetched
kas dump --lock --update ci/qemuarm64.yml:ci/meta-openembedded.yml:ci/clang.yml:ci/meta-virtualization.yml | tee lockfile.yml
fi
exit $exit_code
artifacts:
name: "lockfile"
when: always
paths:
- lockfile.yml
#
# Build stage, the actual build jobs
#
# Available options for building are
# DISTRO: [poky, poky-tiny]
# Available options for building are (VIRT _must_ be last for ssh override)
# DISTRO: [poky, poky-altcfg, poky-tiny]
# KERNEL: [linux-yocto, linux-yocto-dev, linux-yocto-rt]
# TOOLCHAINS: [gcc, clang, external-gccarm]
# TOOLCHAINS: [gcc, clang]
# TCLIBC: [glibc, musl]
# FIRMWARE: [u-boot, edk2]
# TS: [none, trusted-services]
# VIRT: [none, xen]
# TESTING: testimage
corstone1000-fvp:
extends: .build
parallel:
matrix:
- TESTING: [testimage, tftf]
corstone1000-mps3:
extends: .build
parallel:
matrix:
- TESTING: [none, tftf]
fvp-base:
extends: .build
parallel:
matrix:
- TESTING: testimage
- FIRMWARE: edk2
- SYSTEMREADY_FIRMWARE: arm-systemready-firmware
# SECUREDEBUG: [none, secure-debug]
# VIRT: [none, xen]
arm-systemready-ir-acs:
extends: .build
@@ -138,121 +142,11 @@ arm-systemready-ir-acs:
# arm-systemready-ir-acs must be specified after fvp-base for ordering
# purposes for the jobs-to-kas output. It is not enough to just have it
# in the job name because fvp-base.yml overwrites the target.
- PLATFORM: fvp-base
- PLATFORM: [fvp-base, corstone1000-fvp]
ARM_SYSTEMREADY_IR_ACS: arm-systemready-ir-acs
tags:
- ${ACS_TAG}
fvps:
extends: .build
generic-arm64:
extends: .build
juno:
extends: .build
parallel:
matrix:
- TOOLCHAINS: [gcc, clang]
FIRMWARE: [u-boot, edk2]
musca-b1:
extends: .build
musca-s1:
extends: .build
n1sdp:
extends: .build
parallel:
matrix:
- TESTING: [none, n1sdp-ts, n1sdp-optee, tftf]
qemu-generic-arm64:
extends: .build
parallel:
matrix:
- KERNEL: [linux-yocto, linux-yocto-dev, linux-yocto-rt]
TOOLCHAINS: [gcc, clang]
TESTING: testimage
qemuarm64-secureboot:
extends: .build
parallel:
matrix:
- KERNEL: [linux-yocto, linux-yocto-dev, linux-yocto-rt]
TOOLCHAINS: [gcc, clang]
TCLIBC: [glibc, musl]
TS: [none, qemuarm64-secureboot-ts]
TESTING: testimage
qemuarm64:
extends: .build
parallel:
matrix:
- DISTRO: poky
KERNEL: [linux-yocto, linux-yocto-dev, linux-yocto-rt]
TOOLCHAINS: [gcc, clang]
FIRMWARE: [u-boot, edk2]
TESTING: testimage
- DISTRO: poky-tiny
TESTING: testimage
- VIRT: xen
qemuarm-secureboot:
extends: .build
parallel:
matrix:
- KERNEL: [linux-yocto, linux-yocto-dev, linux-yocto-rt]
TOOLCHAINS: [gcc, clang]
TCLIBC: [glibc, musl]
TESTING: testimage
- TOOLCHAINS: external-gccarm
TESTING: testimage
qemuarm:
extends: .build
parallel:
matrix:
- DISTRO: poky
KERNEL: [linux-yocto, linux-yocto-dev, linux-yocto-rt]
TOOLCHAINS: [gcc, clang]
FIRMWARE: [u-boot, edk2]
TESTING: testimage
- DISTRO: poky-tiny
TESTING: testimage
- VIRT: xen
qemuarmv5:
extends: .build
parallel:
matrix:
- DISTRO: poky
KERNEL: [linux-yocto, linux-yocto-dev, linux-yocto-rt]
TESTING: testimage
- DISTRO: poky-tiny
TESTING: testimage
sgi575:
extends: .build
tc1:
extends: .build
parallel:
matrix:
- TESTING: testimage
tags:
- x86_64
toolchains:
extends: .build
selftest:
extends: .setup
script:
- KASFILES=./ci/qemuarm64.yml:./ci/selftest.yml:lockfile.yml
- kas shell --update --force-checkout $KASFILES -c 'oe-selftest --num-processes 2 --select-tag meta-arm --run-all-tests'
# Validate layers are Yocto Project Compatible
check-layers:
extends: .setup
@@ -263,35 +157,24 @@ check-layers:
matrix:
- LAYER: [meta-arm, meta-arm-bsp, meta-arm-toolchain]
pending-updates:
extends: .setup
artifacts:
paths:
- update-report
script:
- rm -fr update-report
# This configuration has all of the layers we need enabled
- kas shell --update --force-checkout ci/qemuarm64.yml:ci/meta-openembedded.yml:ci/meta-secure-core.yml:lockfile.yml --command \
"$CI_PROJECT_DIR/scripts/machine-summary.py -t report -o $CI_PROJECT_DIR/update-report $($CI_PROJECT_DIR/ci/listmachines.py meta-arm meta-arm-bsp)"
# Do this on x86 whilst the compilers are x86-only
tags:
- x86_64
corstone1000-fvp:
extends: .build
parallel:
matrix:
- FIRMWARE: corstone1000-firmware-only
TESTING: [testimage, tftf]
- FIRMWARE: none
TESTING: testimage
- SYSTEMREADY_FIRMWARE: arm-systemready-firmware
# What percentage of machines in the layer do we build
machine-coverage:
extends: .setup
script:
- ./ci/check-machine-coverage
coverage: '/Coverage: \d+/'
metrics:
extends: .setup
artifacts:
reports:
metrics: metrics.txt
script:
- kas shell --update --force-checkout ci/base.yml --command \
"$CI_PROJECT_DIR/ci/patchreview $CI_PROJECT_DIR/meta-* --verbose --metrics $CI_PROJECT_DIR/metrics.txt"
corstone1000-mps3:
extends: .build
parallel:
matrix:
- FIRMWARE: corstone1000-firmware-only
TESTING: [none, tftf]
- FIRMWARE: none
SECUREDEBUG: [none, secure-debug]
documentation:
extends: .setup
@@ -315,3 +198,169 @@ documentation:
artifacts:
paths:
- build-docs/
fvp-base:
extends: .build
parallel:
matrix:
- TS: [none, fvp-base-ts]
TESTING: testimage
- FIRMWARE: [u-boot, edk2]
TESTING: testimage
- SYSTEMREADY_FIRMWARE: arm-systemready-firmware
fvps:
extends: .build
genericarm64:
extends: .build
parallel:
matrix:
- TOOLCHAINS: [gcc, clang]
TESTING: testimage
- KERNEL: linux-yocto-dev
TESTING: testimage
juno:
extends: .build
parallel:
matrix:
- TOOLCHAINS: [gcc, clang]
FIRMWARE: [u-boot, edk2]
# What percentage of machines in the layer do we build
machine-coverage:
extends: .setup
script:
- ./ci/check-machine-coverage
coverage: '/Coverage: \d+/'
metrics:
extends: .setup
artifacts:
reports:
metrics: metrics.txt
script:
- kas shell --update --force-checkout ci/base.yml --command \
"$CI_PROJECT_DIR/ci/patchreview $CI_PROJECT_DIR/meta-* --verbose --metrics $CI_PROJECT_DIR/metrics.txt"
musca-b1:
extends: .build
musca-s1:
extends: .build
pending-updates:
extends: .setup
# Only run this job for the default branch (master), or if forced with
# BUILD_FORCE_PENDING_UPDATES.
rules:
- if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
- if: $BUILD_FORCE_PENDING_UPDATES != null
artifacts:
paths:
- update-report
script:
- rm -fr update-report
# This configuration has all of the layers we need enabled
- kas shell --update --force-checkout ci/qemuarm64.yml:ci/meta-openembedded.yml:ci/meta-secure-core.yml:lockfile.yml --command \
"$CI_PROJECT_DIR/scripts/machine-summary.py -t report -o $CI_PROJECT_DIR/update-report $($CI_PROJECT_DIR/ci/listmachines.py meta-arm meta-arm-bsp)"
qemuarm64-secureboot:
extends: .build
parallel:
matrix:
- KERNEL: [linux-yocto, linux-yocto-rt]
TOOLCHAINS: [gcc, clang]
TCLIBC: [glibc, musl]
TS: [none, qemuarm64-secureboot-ts]
TESTING: testimage
- TOOLCHAINS: [gcc, clang]
TS: [none, qemuarm64-secureboot-ts]
UEFISB: [none, uefi-secureboot]
TESTING: testimage
- KERNEL: linux-yocto-dev
TESTING: testimage
qemuarm64:
extends: .build
parallel:
matrix:
- DISTRO: poky
KERNEL: [linux-yocto, linux-yocto-rt]
TOOLCHAINS: [gcc, clang]
FIRMWARE: [u-boot, edk2]
TESTING: testimage
- DISTRO: poky-tiny
TESTING: testimage
- VIRT: xen
- KERNEL: linux-yocto-dev
TESTING: testimage
qemuarm-secureboot:
extends: .build
parallel:
matrix:
- KERNEL: [linux-yocto, linux-yocto-rt]
TOOLCHAINS: [gcc, clang]
TCLIBC: [glibc, musl]
TESTING: testimage
- DISTRO: [poky, poky-altcfg]
TESTING: testimage
- KERNEL: linux-yocto-dev
TESTING: testimage
qemuarm:
extends: .build
parallel:
matrix:
- DISTRO: poky
KERNEL: [linux-yocto, linux-yocto-rt]
TOOLCHAINS: [gcc, clang]
FIRMWARE: [u-boot, edk2]
TESTING: testimage
- DISTRO: poky-tiny
TESTING: testimage
- VIRT: xen
- KERNEL: linux-yocto-dev
TESTING: testimage
qemuarmv5:
extends: .build
parallel:
matrix:
- DISTRO: poky
KERNEL: [linux-yocto, linux-yocto-dev, linux-yocto-rt]
TESTING: testimage
- DISTRO: poky-tiny
TESTING: testimage
sbsa-ref:
extends: .build
parallel:
matrix:
- KERNEL: [linux-yocto, linux-yocto-rt]
TOOLCHAINS: [gcc, clang]
TESTING: testimage
- DISTRO: poky-altcfg
TESTING: testimage
- KERNEL: linux-yocto-dev
TESTING: testimage
selftest:
extends: .setup
script:
- KASFILES=./ci/qemuarm64.yml:./ci/selftest.yml:lockfile.yml
- kas shell --update --force-checkout $KASFILES -c 'oe-selftest --num-processes 2 --select-tag meta-arm --run-all-tests'
sgi575:
extends: .build
parallel:
matrix:
- TESTING: testimage
# FVP binary is x86-only
tags:
- x86_64
toolchains:
extends: .build
+46 -9
View File
@@ -8,7 +8,7 @@ This repository contains the Arm layers for OpenEmbedded.
* meta-arm-bsp
This layer contains machines for Arm reference platforms, for example FVP Base, N1SDP, and Juno.
This layer contains machines for Arm reference platforms, for example FVP Base, Corstone1000, and Juno.
* meta-arm-toolchain
@@ -19,15 +19,26 @@ Other Directories
* ci
This directory contains gitlab continuous integration configuration files (KAS yaml files) as well as scripts needed for this
This directory contains gitlab continuous integration configuration files (KAS yaml files) as well as scripts needed for this.
* documentation
This directory contains information on the files in this repository, building, and other relevant documents.
* kas
This directory contains KAS yaml files to describe builds for systems not used in CI
This directory contains KAS yaml files to describe builds for systems not used in CI.
* scripts
This directory contains scripts used in running the CI tests
This directory contains scripts used in running the CI tests.
Mailing List
------------
To interact with the meta-arm developer community, please email the meta-arm mailing list at <meta-arm@lists.yoctoproject.org>.
Currently, it is configured to only allow emails to members from those subscribed.
To subscribe to the meta-arm mailing list, please go to
https://lists.yoctoproject.org/g/meta-arm
Contributing
------------
@@ -35,25 +46,51 @@ Currently, we only accept patches from the meta-arm mailing list. For general
information on how to submit a patch, please read
https://www.openembedded.org/wiki/How_to_submit_a_patch_to_OpenEmbedded
E-mail meta-arm@lists.yoctoproject.org with patches created using this process. You can configure git-send-email to automatically use this address for the meta-arm repository with the following git command:
E-mail <meta-arm@lists.yoctoproject.org> with patches created using this process. You can configure git-send-email to automatically use this address for the meta-arm repository with the following git command:
$ git config --local --add sendemail.to meta-arm@lists.yoctoproject.org
`$ git config --local --add sendemail.to meta-arm@lists.yoctoproject.org`
Commits and patches added should follow the OpenEmbedded patch guidelines:
https://www.openembedded.org/wiki/Commit_Patch_Message_Guidelines
The component being changed in the shortlog should be prefixed with the layer name (without the meta- prefix), for example:
> arm-bsp/trusted-firmware-a: decrease frobbing level
arm-bsp/trusted-firmware-a: decrease frobbing level
> arm-toolchain/gcc: enable foobar v2
arm-toolchain/gcc: enable foobar v2
All contributions are under the [MIT License](/COPYING.MIT).
For a quick start guide on how to build and use meta-arm, go to [quick-start.md](/documentation/quick-start.md).
For information on the continuous integration done on meta-arm and how to use it, go to [continuous-integration-and-kas.md](/documentation/continuous-integration-and-kas.md).
Backporting
--------------
Backporting patches to older releases may be done upon request, but only after a version of the patch has been accepted into the master branch. This is done by adding the branch name to email subject line. This should be between the square brackets (e.g., "[" and "]"), and before or after the "PATCH". For example,
> [nanbield PATCH] arm/linux-yocto: backport patch to fix 6.5.13 networking issues
Automatic backporting will be done to all branches if the "Fixes: <SHA>" wording is added to the patch commit message. This is similar to how the Linux kernel community does their LTS kernel backporting. For more information see the "Fixes" portion of
https://www.kernel.org/doc/html/latest/process/submitting-patches.html#submittingpatches
Releases and Release Schedule
--------------
We follow the Yocto Project release methodology, schedule, and stable/LTS support timelines. For more information on these, please reference:
* https://docs.yoctoproject.org/ref-manual/release-process.html
* https://wiki.yoctoproject.org/wiki/Releases
* https://wiki.yoctoproject.org/wiki/Stable_Release_and_LTS
For more in-depth information on the meta-arm release and branch methodology, go to </documentation/releases.md>.
Reporting bugs
--------------
E-mail meta-arm@lists.yoctoproject.org with the error encountered and the steps
E-mail <meta-arm@lists.yoctoproject.org> with the error encountered and the steps
to reproduce the issue.
Security and Reporting Security Issues
--------------
For information on the security of meta-arm and how to report issues, please consult [SECURITY.md](/SECURITY.md).
Maintainer(s)
-------------
* Jon Mason <jon.mason@arm.com>
+46
View File
@@ -0,0 +1,46 @@
# Reporting vulnerabilities
Arm takes security issues seriously and welcomes feedback from researchers and
the security community in order to improve the security of its products and
services. We operate a coordinated disclosure policy for disclosing
vulnerabilities and other security issues.
Security issues can be complex and one single timescale doesn't fit all
circumstances. We will make best endeavours to inform you when we expect
security notifications and fixes to be available and facilitate coordinated
disclosure when notifications and patches/mitigations are available.
## How to Report a Potential Vulnerability?
If you would like to report a public issue (for example, one with a released CVE
number), please contact the meta-arm mailing list at
meta-arm@lists.yoctoproject.org and arm-security@arm.com.
If you are dealing with a not-yet released or urgent issue, please send a mail
to the maintainers \(see [README.md](/README.md)\) and arm-security@arm.com, including as much
detail as possible. Encrypted emails using PGP are welcome.
For more information, please visit https://developer.arm.com/support/arm-security-updates/report-security-vulnerabilities.
## Branches maintained with security fixes
meta-arm follows the Yocto release model, so see
[Stable release and LTS](https://wiki.yoctoproject.org/wiki/Stable_Release_and_LTS)
for detailed info regarding the policies and maintenance of stable
branches.
The [Release page](https://wiki.yoctoproject.org/wiki/Releases) contains a list of all
releases of the Yocto Project. Versions in grey are no longer actively maintained with
security patches, but well-tested patches may still be accepted for them for
significant issues.
# Disclaimer
Arm reference solutions are Arm public example software projects that track and
pull upstream components, incorporating their respective security fixes
published over time. Arm partners are responsible for ensuring that the
components they use contain all the required security fixes, if and when they
deploy a product derived from Arm reference solutions.
+2
View File
@@ -1,3 +1,5 @@
# yaml-language-server: $schema=https://raw.githubusercontent.com/siemens/kas/master/kas/schema-kas.json
header:
version: 11
includes:
+5
View File
@@ -1,3 +1,5 @@
# yaml-language-server: $schema=https://raw.githubusercontent.com/siemens/kas/master/kas/schema-kas.json
header:
version: 11
includes:
@@ -12,3 +14,6 @@ local_conf_header:
target:
- arm-systemready-ir-acs
- arm-systemready-linux-distros-debian
- arm-systemready-linux-distros-opensuse
- arm-systemready-linux-distros-fedora
+5 -3
View File
@@ -1,3 +1,5 @@
# yaml-language-server: $schema=https://raw.githubusercontent.com/siemens/kas/master/kas/schema-kas.json
header:
version: 14
@@ -5,7 +7,7 @@ distro: poky
defaults:
repos:
branch: nanbield
branch: walnascar
repos:
meta-arm:
@@ -15,7 +17,7 @@ repos:
meta-arm-toolchain:
poky:
url: https://git.yoctoproject.org/git/poky
url: https://git.yoctoproject.org/poky
layers:
meta:
meta-poky:
@@ -27,12 +29,12 @@ env:
local_conf_header:
base: |
CONF_VERSION = "2"
BB_SERVER_TIMEOUT = "300"
setup: |
PACKAGE_CLASSES = "package_ipk"
PACKAGECONFIG:remove:pn-qemu-system-native = "gtk+ sdl"
PACKAGECONFIG:append:pn-perf = " coresight"
INHERIT += "rm_work"
DISTRO_FEATURES:remove = "ptest"
extrapackages: |
CORE_IMAGE_EXTRA_INSTALL += "perf opencsd"
CORE_IMAGE_EXTRA_INSTALL:append:aarch64 = " gator-daemon"
+2 -9
View File
@@ -1,3 +1,5 @@
# yaml-language-server: $schema=https://raw.githubusercontent.com/siemens/kas/master/kas/schema-kas.json
header:
version: 14
@@ -8,12 +10,3 @@ repos:
local_conf_header:
toolchain: |
TOOLCHAIN = "clang"
PREFERRED_PROVIDER_llvm = "clang"
PREFERRED_PROVIDER_llvm-native = "clang-native"
PREFERRED_PROVIDER_nativesdk-llvm = "nativesdk-clang"
PROVIDES:pn-clang = "llvm"
PROVIDES:pn-clang-native = "llvm-native"
PROVIDES:pn-nativesdk-clang = "nativesdk-llvm"
# This is needed to stop bitbake getting confused about what clang/llvm is
# being used, see https://github.com/kraj/meta-clang/pull/766
BBMASK += "/meta/recipes-devtools/llvm/llvm.*\.bb"
+4 -6
View File
@@ -1,15 +1,13 @@
# yaml-language-server: $schema=https://raw.githubusercontent.com/siemens/kas/master/kas/schema-kas.json
header:
version: 14
includes:
- ci/base.yml
- ci/meta-openembedded.yml
- ci/poky-tiny.yml
- ci/meta-secure-core.yml
local_conf_header:
extrapackages: |
# Intentionally blank to prevent perf from being added to the image in base.yml
- kas/corstone1000-image-configuration.yml
target:
- corstone1000-image
- core-image-minimal
- perf
+10
View File
@@ -0,0 +1,10 @@
# yaml-language-server: $schema=https://raw.githubusercontent.com/siemens/kas/master/kas/schema-kas.json
header:
version: 14
includes:
- kas/corstone1000-firmware-only.yml
target:
- corstone1000-flash-firmware-image
- perf
+2 -5
View File
@@ -1,12 +1,9 @@
# yaml-language-server: $schema=https://raw.githubusercontent.com/siemens/kas/master/kas/schema-kas.json
header:
version: 14
includes:
- ci/corstone1000-common.yml
- ci/fvp.yml
local_conf_header:
fvp-config: |
# Remove Dropbear SSH as it will not fit into the corstone1000 image.
IMAGE_FEATURES:remove = " ssh-server-dropbear"
machine: corstone1000-fvp
+2
View File
@@ -1,3 +1,5 @@
# yaml-language-server: $schema=https://raw.githubusercontent.com/siemens/kas/master/kas/schema-kas.json
header:
version: 14
includes:
+21
View File
@@ -0,0 +1,21 @@
# yaml-language-server: $schema=https://raw.githubusercontent.com/siemens/kas/master/kas/schema-kas.json
header:
version: 14
local_conf_header:
cve: |
INHERIT += "cve-check"
# Allow the runner environment to provide an API key
NVDCVE_API_KEY = "${@d.getVar('BB_ORIGENV').getVar('NVDCVE_API_KEY') or ''}"
# Just show the warnings for our layers
CVE_CHECK_SHOW_WARNINGS = "0"
CVE_CHECK_SHOW_WARNINGS:layer-arm-toolchain = "1"
CVE_CHECK_SHOW_WARNINGS:layer-meta-arm = "1"
CVE_CHECK_SHOW_WARNINGS:layer-meta-arm-bsp = "1"
CVE_CHECK_SHOW_WARNINGS:layer-meta-arm-systemready = "1"
# Ignore the kernel, we sometime carry kernels in meta-arm
CVE_CHECK_SHOW_WARNINGS:pn-linux-yocto = "0"
+4 -2
View File
@@ -1,7 +1,9 @@
# yaml-language-server: $schema=https://raw.githubusercontent.com/siemens/kas/master/kas/schema-kas.json
header:
version: 14
# Add universally helpful features when testing boards
local_conf_header:
debug: |
EXTRA_IMAGE_FEATURES:append = " debug-tweaks"
rootlogin: |
EXTRA_IMAGE_FEATURES:append = " allow-empty-password empty-root-password allow-root-login"
+2 -2
View File
@@ -1,3 +1,5 @@
# yaml-language-server: $schema=https://raw.githubusercontent.com/siemens/kas/master/kas/schema-kas.json
header:
version: 14
@@ -13,5 +15,3 @@ local_conf_header:
QB_DEFAULT_BIOS = "QEMU_EFI.fd"
WKS_FILE ?= "efi-disk.wks.in"
failing_tests: |
TEST_SUITES:remove = "xorg"
-11
View File
@@ -1,11 +0,0 @@
header:
version: 14
local_conf_header:
cc: |
SKIP_RECIPE[gcc-cross-arm] = "Using external toolchain"
TCMODE = "external-arm"
EXTERNAL_TOOLCHAIN = "${TOPDIR}/toolchains/${TARGET_ARCH}"
# Temporary workaround for a number binaries in the toolchains that are using 32bit timer API
# This must be done here instead of the recipe because of all the libraries in the toolchain have the issue
INSANE_SKIP:append = " 32bit-time"
+34
View File
@@ -0,0 +1,34 @@
# yaml-language-server: $schema=https://raw.githubusercontent.com/siemens/kas/master/kas/schema-kas.json
header:
version: 14
includes:
- ci/fvp-base.yml
- ci/meta-openembedded.yml
- ci/testimage.yml
local_conf_header:
trusted_services: |
# Enable the needed test suites
TEST_SUITES = " ping ssh trusted_services"
# Include all Secure Partitions into the image
MACHINE_FEATURES:append = " arm-ffa ts-crypto ts-storage ts-its"
MACHINE_FEATURES:append = " ts-attestation ts-smm-gateway optee-spmc-test"
MACHINE_FEATURES:append = " ts-block-storage ts-fwu"
# Include TS demo/test tools into image
IMAGE_INSTALL:append = " packagegroup-ts-tests"
# Include TS PSA Arch tests into image
IMAGE_INSTALL:append = " packagegroup-ts-tests-psa"
CORE_IMAGE_EXTRA_INSTALL += "optee-test"
# Set the TS environment
TS_ENV="sp"
# Enable and configure semihosting
FVP_CONFIG[cluster0.cpu0.semihosting-cwd] = "${DEPLOY_DIR_IMAGE}"
FVP_CONFIG[cluster0.cpu1.semihosting-cwd] = "${DEPLOY_DIR_IMAGE}"
FVP_CONFIG[cluster0.cpu2.semihosting-cwd] = "${DEPLOY_DIR_IMAGE}"
FVP_CONFIG[cluster0.cpu3.semihosting-cwd] = "${DEPLOY_DIR_IMAGE}"
FVP_CONFIG[cluster1.cpu0.semihosting-cwd] = "${DEPLOY_DIR_IMAGE}"
FVP_CONFIG[cluster1.cpu1.semihosting-cwd] = "${DEPLOY_DIR_IMAGE}"
FVP_CONFIG[cluster1.cpu2.semihosting-cwd] = "${DEPLOY_DIR_IMAGE}"
FVP_CONFIG[cluster1.cpu3.semihosting-cwd] = "${DEPLOY_DIR_IMAGE}"
FVP_CONFIG[semihosting-enable] = "True"
+6
View File
@@ -1,3 +1,5 @@
# yaml-language-server: $schema=https://raw.githubusercontent.com/siemens/kas/master/kas/schema-kas.json
header:
version: 14
includes:
@@ -5,3 +7,7 @@ header:
- ci/fvp.yml
machine: fvp-base
target:
- core-image-full-cmdline
- boot-wrapper-aarch64
+2 -5
View File
@@ -1,3 +1,5 @@
# yaml-language-server: $schema=https://raw.githubusercontent.com/siemens/kas/master/kas/schema-kas.json
header:
version: 14
@@ -5,8 +7,3 @@ local_conf_header:
testimagefvp: |
LICENSE_FLAGS_ACCEPTED += "Arm-FVP-EULA"
IMAGE_CLASSES += "fvpboot"
failing_tests: |
# This fails but we can't add to the ignorelist from meta-arm yet
# https://bugzilla.yoctoproject.org/show_bug.cgi?id=14604
TEST_SUITES:remove = "parselogs"
TEST_SUITES:remove = "xorg"
+8 -2
View File
@@ -1,3 +1,5 @@
# yaml-language-server: $schema=https://raw.githubusercontent.com/siemens/kas/master/kas/schema-kas.json
# Simple target to build the FVPs that are publically available
header:
@@ -17,9 +19,13 @@ target:
# Target packages to test aarch64
- fvp-base-a-aem
- fvp-corstone1000
- fvp-rd1-ae
- fvp-v3-r1
# Nativesdk to test x86-64
- nativesdk-fvp-base-a-aem
- nativesdk-fvp-corstone1000
- nativesdk-fvp-n1-edge
- nativesdk-fvp-rd1-ae
- nativesdk-fvp-v3-r1
# These are x86 only... :(
- nativesdk-fvp-sgi575
- nativesdk-fvp-tc1
- nativesdk-fvp-tc3
+2
View File
@@ -1,3 +1,5 @@
# yaml-language-server: $schema=https://raw.githubusercontent.com/siemens/kas/master/kas/schema-kas.json
header:
version: 14
-6
View File
@@ -1,6 +0,0 @@
header:
version: 14
includes:
- ci/base.yml
machine: generic-arm64
+21
View File
@@ -0,0 +1,21 @@
# yaml-language-server: $schema=https://raw.githubusercontent.com/siemens/kas/master/kas/schema-kas.json
header:
version: 14
includes:
- ci/base.yml
repos:
poky:
layers:
meta-yocto-bsp:
local_conf_header:
bootloader: |
# If running genericarm64 in a qemu we need to manually build the bootloader
EXTRA_IMAGEDEPENDS += "virtual/bootloader"
sshpregen: |
# Allow the use of the pregen keys as this is CI so safe
COMPATIBLE_MACHINE:pn-ssh-pregen-hostkeys:genericarm64 = "genericarm64"
machine: genericarm64
-51
View File
@@ -1,51 +0,0 @@
#!/bin/bash
set -u -e
BASENAME=arm-gnu-toolchain
VER=${VER:-12.2.rel1}
HOST_ARCH=${HOST_ARCH:-$(uname -m)}
# Use the standard kas container locations if nothing is passed into the script
DOWNLOAD_DIR="${1:-/builds/persist/downloads/}"
TOOLCHAIN_DIR="${2:-/builds/persist//toolchains/}"
TOOLCHAIN_LINK_DIR="${3:-build/toolchains/}"
# These should be already created by .gitlab-ci.yml, but do here if run outside of that env
mkdir -p $DOWNLOAD_DIR $TOOLCHAIN_DIR $TOOLCHAIN_LINK_DIR
download() {
TRIPLE=$1
URL=https://developer.arm.com/-/media/Files/downloads/gnu/$VER/binrel/$BASENAME-$VER-$HOST_ARCH-$TRIPLE.tar.xz
wget -P $DOWNLOAD_DIR -nc $URL
}
if [ $HOST_ARCH = "aarch64" ]; then
# AArch64 Linux hosted cross compilers
# AArch32 target with hard float
download arm-none-linux-gnueabihf
elif [ $HOST_ARCH = "x86_64" ]; then
# x86_64 Linux hosted cross compilers
# AArch32 target with hard float
download arm-none-linux-gnueabihf
# AArch64 GNU/Linux target
download aarch64-none-linux-gnu
else
echo "ERROR - Unknown build arch of $HOST_ARCH"
exit 1
fi
for i in arm aarch64; do
if [ ! -d $TOOLCHAIN_DIR/$BASENAME-$VER-$HOST_ARCH-$i-none-linux-gnu*/ ]; then
if [ ! -f $DOWNLOAD_DIR/$BASENAME-$VER-$HOST_ARCH-$i-none-linux-gnu*.tar.xz ]; then
continue
fi
tar -C $TOOLCHAIN_DIR -axvf $DOWNLOAD_DIR/$BASENAME-$VER-$HOST_ARCH-$i-none-linux-gnu*.tar.xz
fi
# Setup a link for the toolchain to use local to the building machine (e.g., not in a shared location)
ln -s $TOOLCHAIN_DIR/$BASENAME-$VER-$HOST_ARCH-$i-none-linux-gnu* $TOOLCHAIN_LINK_DIR/$i
done
+2
View File
@@ -1,3 +1,5 @@
# yaml-language-server: $schema=https://raw.githubusercontent.com/siemens/kas/master/kas/schema-kas.json
header:
version: 14
+21 -5
View File
@@ -3,17 +3,28 @@
# This script is expecting an input of machine name, optionally followed by a
# colon and a list of one or more parameters separated by commas between
# brackets. For example, the following are acceptable:
# corstone1000-mps3
# fvp-base: [testimage]
# qemuarm64-secureboot: [clang, glibc, testimage]
# corstone1000-mps3
# fvp-base: [testimage]
# qemuarm64-secureboot: [clang, glibc, testimage]
# This argument should be quoted to avoid expansion and to be handled
# as a single value.
#
# Any further arguments will be handled as further yml file basenames.
#
# Turn this list into a series of yml files separated by colons to pass to kas
set -e -u
FILES="ci/$(echo $1 | cut -d ':' -f 1).yml"
# First, parse the GitLab CI job name (CI_JOB_NAME via $1) and accumulate a list
# of Kas files.
JOBNAME="$1"
shift
for i in $(echo $1 | cut -s -d ':' -f 2 | sed 's/[][,]//g'); do
# The base name of the job
FILES="ci/$(echo $JOBNAME | cut -d ':' -f 1).yml"
# The list of matrix variations
for i in $(echo $JOBNAME | cut -s -d ':' -f 2 | sed 's/[][,]//g'); do
# Given that there are no yml files for gcc or glibc, as those are the
# defaults, we can simply ignore those parameters. They are necessary
# to pass in so that matrix can correctly setup all of the permutations
@@ -24,4 +35,9 @@ for i in $(echo $1 | cut -s -d ':' -f 2 | sed 's/[][,]//g'); do
FILES+=":ci/$i.yml"
done
# Now pick up any further names
for i in $*; do
FILES+=":ci/$i.yml"
done
echo $FILES
Executable
+15
View File
@@ -0,0 +1,15 @@
#! /bin/bash
# $ ci/junit.sh <build directory>
#
# If there is a OEQA test report in JSON format present in the build directory,
# transform it to JUnit XML using resulttool.
set -e -u
BUILDDIR=$1
JSON=$BUILDDIR/tmp/log/oeqa/testresults.json
if test -f $JSON; then
resulttool junit $JSON
fi
+2
View File
@@ -1,3 +1,5 @@
# yaml-language-server: $schema=https://raw.githubusercontent.com/siemens/kas/master/kas/schema-kas.json
header:
version: 14
includes:
+2
View File
@@ -1,3 +1,5 @@
# yaml-language-server: $schema=https://raw.githubusercontent.com/siemens/kas/master/kas/schema-kas.json
header:
version: 14
+2
View File
@@ -1,3 +1,5 @@
# yaml-language-server: $schema=https://raw.githubusercontent.com/siemens/kas/master/kas/schema-kas.json
header:
version: 14
+2
View File
@@ -1,3 +1,5 @@
# yaml-language-server: $schema=https://raw.githubusercontent.com/siemens/kas/master/kas/schema-kas.json
header:
version: 14
+2
View File
@@ -1,3 +1,5 @@
# yaml-language-server: $schema=https://raw.githubusercontent.com/siemens/kas/master/kas/schema-kas.json
header:
version: 14
+3 -1
View File
@@ -1,3 +1,5 @@
# yaml-language-server: $schema=https://raw.githubusercontent.com/siemens/kas/master/kas/schema-kas.json
header:
version: 14
@@ -5,7 +7,7 @@ repos:
meta-secure-core:
url: https://github.com/Wind-River/meta-secure-core.git
layers:
meta:
meta-secure-core-common:
meta-signing-key:
meta-efi-secure-boot:
+2
View File
@@ -1,3 +1,5 @@
# yaml-language-server: $schema=https://raw.githubusercontent.com/siemens/kas/master/kas/schema-kas.json
header:
version: 14
includes:
+2
View File
@@ -1,3 +1,5 @@
# yaml-language-server: $schema=https://raw.githubusercontent.com/siemens/kas/master/kas/schema-kas.json
header:
version: 14
includes:
+2
View File
@@ -1,3 +1,5 @@
# yaml-language-server: $schema=https://raw.githubusercontent.com/siemens/kas/master/kas/schema-kas.json
header:
version: 14
includes:
+2
View File
@@ -1,3 +1,5 @@
# yaml-language-server: $schema=https://raw.githubusercontent.com/siemens/kas/master/kas/schema-kas.json
header:
version: 14
-12
View File
@@ -1,12 +0,0 @@
header:
version: 14
# Config specific for the optee-xtests
local_conf_header:
optee-test: |
# Include ARM FFA
MACHINE_FEATURES:append = " arm-ffa"
# Include trusted services
TEST_SUITES:append = " trusted_services"
# Include Optee xtests
IMAGE_INSTALL:append = " optee-test"
-14
View File
@@ -1,14 +0,0 @@
header:
version: 14
includes:
- ci/meta-openembedded.yml
local_conf_header:
trusted_services: |
TEST_SUITES:append = " trusted_services"
# Include TS Crypto, TS Protected Storage, TS Internal and Trusted Storage SPs into optee-os image
MACHINE_FEATURES:append = " arm-ffa ts-crypto ts-storage ts-its"
# Include TS demo/test tools into image
IMAGE_INSTALL:append = " packagegroup-ts-tests"
# Include TS PSA Arch tests into image
IMAGE_INSTALL:append = " packagegroup-ts-tests-psa"
-10
View File
@@ -1,10 +0,0 @@
header:
version: 14
includes:
- ci/base.yml
machine: n1sdp
local_conf_header:
unsupported_trusted_services: |
MACHINE_FEATURES:remove = "ts-smm-gateway"
+4
View File
@@ -0,0 +1,4 @@
header:
version: 14
distro: poky-altcfg
+2
View File
@@ -1,3 +1,5 @@
# yaml-language-server: $schema=https://raw.githubusercontent.com/siemens/kas/master/kas/schema-kas.json
header:
version: 14
+2
View File
@@ -1,3 +1,5 @@
# yaml-language-server: $schema=https://raw.githubusercontent.com/siemens/kas/master/kas/schema-kas.json
header:
version: 14
-14
View File
@@ -1,14 +0,0 @@
header:
version: 14
includes:
- ci/generic-arm64.yml
local_conf_header:
failing_tests: |
DEFAULT_TEST_SUITES:remove = "parselogs"
machine: qemu-generic-arm64
target:
- core-image-sato
- sbsa-acs
+7 -3
View File
@@ -1,3 +1,5 @@
# yaml-language-server: $schema=https://raw.githubusercontent.com/siemens/kas/master/kas/schema-kas.json
header:
version: 14
includes:
@@ -7,6 +9,8 @@ machine: qemuarm-secureboot
target:
- core-image-base
- optee-examples
- optee-test
- optee-os-tadevkit
local_conf_header:
optee: |
IMAGE_INSTALL:append = " optee-test optee-client optee-os-ta"
TEST_SUITES:append = " optee ftpm"
+2
View File
@@ -1,3 +1,5 @@
# yaml-language-server: $schema=https://raw.githubusercontent.com/siemens/kas/master/kas/schema-kas.json
header:
version: 14
includes:
+5 -2
View File
@@ -1,3 +1,5 @@
# yaml-language-server: $schema=https://raw.githubusercontent.com/siemens/kas/master/kas/schema-kas.json
header:
version: 14
includes:
@@ -6,8 +8,9 @@ header:
local_conf_header:
trusted_services: |
TEST_SUITES:append = " trusted_services"
# Include TS Crypto, TS Protected Storage, TS Internal Trusted Storage and SMM-Gateway SPs into optee-os image
MACHINE_FEATURES:append = " arm-ffa ts-crypto ts-storage ts-its ts-smm-gateway"
# Include TS Crypto, TS Protected Storage, and TS Internal Trusted Storage and SPs into optee-os image
# FIXME - remove TS SMM Gateway due to QEMU v9.0.0 test failures
MACHINE_FEATURES:append = " arm-ffa ts-crypto ts-storage ts-its"
# Include TS demo/test tools into image
IMAGE_INSTALL:append = " packagegroup-ts-tests"
# Include TS PSA Arch tests into image
+7 -3
View File
@@ -1,3 +1,5 @@
# yaml-language-server: $schema=https://raw.githubusercontent.com/siemens/kas/master/kas/schema-kas.json
header:
version: 14
includes:
@@ -7,6 +9,8 @@ machine: qemuarm64-secureboot
target:
- core-image-base
- optee-examples
- optee-test
- optee-os-tadevkit
local_conf_header:
optee: |
IMAGE_INSTALL:append = " optee-test optee-client optee-os-ta"
TEST_SUITES:append = " optee ftpm"
+2
View File
@@ -1,3 +1,5 @@
# yaml-language-server: $schema=https://raw.githubusercontent.com/siemens/kas/master/kas/schema-kas.json
header:
version: 14
includes:
+2
View File
@@ -1,3 +1,5 @@
# yaml-language-server: $schema=https://raw.githubusercontent.com/siemens/kas/master/kas/schema-kas.json
header:
version: 14
includes:
+12
View File
@@ -0,0 +1,12 @@
# yaml-language-server: $schema=https://raw.githubusercontent.com/siemens/kas/master/kas/schema-kas.json
header:
version: 14
includes:
- ci/base.yml
machine: sbsa-ref
target:
- core-image-sato
- sbsa-acs
+8
View File
@@ -0,0 +1,8 @@
# yaml-language-server: $schema=https://raw.githubusercontent.com/siemens/kas/master/kas/schema-kas.json
header:
version: 14
local_conf_header:
secure-debug: |
MACHINE_FEATURES += "secure-debug"
+2
View File
@@ -1,3 +1,5 @@
# yaml-language-server: $schema=https://raw.githubusercontent.com/siemens/kas/master/kas/schema-kas.json
header:
version: 14
+8
View File
@@ -1,6 +1,14 @@
# yaml-language-server: $schema=https://raw.githubusercontent.com/siemens/kas/master/kas/schema-kas.json
header:
version: 14
includes:
- ci/base.yml
- ci/fvp.yml
local_conf_header:
sshpregen: |
# Allow the use of the pregen keys as this is CI so safe
COMPATIBLE_MACHINE:pn-ssh-pregen-hostkeys:sgi575 = "sgi575"
machine: sgi575
+11
View File
@@ -0,0 +1,11 @@
# yaml-language-server: $schema=https://raw.githubusercontent.com/siemens/kas/master/kas/schema-kas.json
header:
version: 14
local_conf_header:
sstate_mirror: |
BB_HASHSERVE_UPSTREAM = "wss://hashserv.yoctoproject.org/ws"
SSTATE_MIRRORS = "file://.* http://cdn.jsdelivr.net/yocto/sstate/all/PATH;downloadfilename=PATH"
BB_HASHSERVE = "auto"
BB_SIGNATURE_HANDLER = "OEEquivHash"
-11
View File
@@ -1,11 +0,0 @@
header:
version: 14
includes:
- ci/base.yml
- ci/fvp.yml
- ci/meta-openembedded.yml
machine: tc1
target:
- core-image-minimal
+3 -1
View File
@@ -1,3 +1,5 @@
# yaml-language-server: $schema=https://raw.githubusercontent.com/siemens/kas/master/kas/schema-kas.json
header:
version: 14
includes:
@@ -12,7 +14,7 @@ local_conf_header:
slirp: |
TEST_RUNQEMUPARAMS = "slirp"
sshd: |
IMAGE_FEATURES:append = " ssh-server-dropbear"
IMAGE_FEATURES += "ssh-server-dropbear"
sshkeys: |
CORE_IMAGE_EXTRA_INSTALL += "ssh-pregen-hostkeys"
universally_failing_tests: |
+2
View File
@@ -1,3 +1,5 @@
# yaml-language-server: $schema=https://raw.githubusercontent.com/siemens/kas/master/kas/schema-kas.json
header:
version: 14
+2 -2
View File
@@ -1,3 +1,5 @@
# yaml-language-server: $schema=https://raw.githubusercontent.com/siemens/kas/master/kas/schema-kas.json
header:
version: 14
includes:
@@ -16,5 +18,3 @@ target:
- nativesdk-gcc-aarch64-none-elf
- gcc-arm-none-eabi
- nativesdk-gcc-arm-none-eabi
- gcc-arm-none-eabi-11.2
- nativesdk-gcc-arm-none-eabi-11.2
+2
View File
@@ -1,3 +1,5 @@
# yaml-language-server: $schema=https://raw.githubusercontent.com/siemens/kas/master/kas/schema-kas.json
header:
version: 14
+51
View File
@@ -0,0 +1,51 @@
# yaml-language-server: $schema=https://raw.githubusercontent.com/siemens/kas/master/kas/schema-kas.json
# UEFI Secure Boot: A mechanism to ensure that only trusted software is executed
# during the boot process.
header:
version: 14
includes:
- ci/meta-openembedded.yml
- ci/meta-secure-core.yml
local_conf_header:
uefi_secureboot: |
SBSIGN_KEYS_DIR = "${TOPDIR}/sbkeys"
BB_ENV_PASSTHROUGH_ADDITIONS = "SBSIGN_KEYS_DIR"
# Detected by passing kernel parameter
QB_KERNEL_ROOT = ""
# kernel is in the image, should not be loaded separately
QB_DEFAULT_KERNEL = "none"
WKS_FILE = "efi-disk.wks.in"
KERNEL_IMAGETYPE = "Image"
MACHINE_FEATURES:append = " efi uefi-secureboot uefi-http-boot uefi-capsule-updates"
EFI_PROVIDER = "systemd-boot"
# Use systemd as the init system
INIT_MANAGER = "systemd"
IMAGE_INSTALL:append = " systemd systemd-boot util-linux coreutils"
TEST_SUITES:append = " uefi_secureboot uki"
IMAGE_CLASSES += "uki"
IMAGE_CLASSES += "sbsign"
UKI_SB_KEY = "${SBSIGN_KEY}"
UKI_SB_CERT = "${SBSIGN_CERT}"
QB_KERNEL_ROOT = ""
IMAGE_BOOT_FILES:remove = "Image"
INITRAMFS_IMAGE = "core-image-initramfs-boot"
# not for initramfs image recipe
IMAGE_CLASSES:remove:pn-core-image-initramfs-boot = "uki"
IMAGE_CLASSES:remove:pn-core-image-initramfs-boot = "sbsign"
IMAGE_CLASSES:remove:pn-core-image-initramfs-boot = "testimage"
IMAGE_FEATURES:remove:pn-core-image-initramfs-boot = "ssh-server-dropbear"
CORE_IMAGE_EXTRA_INSTALL:remove:pn-core-image-initramfs-boot = "ssh-pregen-hostkeys"
+3 -3
View File
@@ -20,9 +20,9 @@ def repo_shortname(url):
.replace('*', '.'))
repositories = (
"https://git.yoctoproject.org/git/poky",
"https://git.yoctoproject.org/poky",
"https://git.openembedded.org/meta-openembedded",
"https://git.yoctoproject.org/git/meta-virtualization",
"https://git.yoctoproject.org/meta-virtualization",
"https://github.com/kraj/meta-clang",
)
@@ -44,7 +44,7 @@ if __name__ == "__main__":
if repodir.exists():
try:
print("Updating %s..." % repo)
subprocess.run(["git", "-C", repodir, "-c", "gc.autoDetach=false", "fetch"], check=True)
subprocess.run(["git", "-C", repodir, "-c", "gc.autoDetach=false", "fetch", repo], check=True)
except subprocess.CalledProcessError as e:
print(e)
failed = True
+5
View File
@@ -1,11 +1,16 @@
# yaml-language-server: $schema=https://raw.githubusercontent.com/siemens/kas/master/kas/schema-kas.json
header:
version: 14
includes:
- ci/meta-virtualization.yml
- ci/poky-altcfg.yml
local_conf_header:
meta-virt: |
DISTRO_FEATURES:append = " virtualization xen"
sshd: |
IMAGE_FEATURES:append = " ssh-server-openssh"
target:
- xen-image-minimal
@@ -0,0 +1,67 @@
# **CI for Yocto Project and meta-arm**
# **CI for Yocto Project**
The Yocto Project has an autobuilder that performs nightly builds and image tests on all of the defined QEMU machines, including qemuarm and qemuarm64 Also, it currently runs builds on the hardware reference platforms including genericarm64 and meta-arm mahines fvp-base and sbsa-ref. More information on the autobuilder can be found at <https://autobuilder.yoctoproject.org/>.
More information on the image tests can be found at <https://wiki.yoctoproject.org/wiki/Image_tests>.
The Yocto Project also has the ability to have individual package tests, ptests.  For more information on those, go to <https://wiki.yoctoproject.org/wiki/Ptest>.
# **CI for meta-arm**
meta-arm is using the Gitlab CI infrastructure.  This is currently being done internal to Arm, but an external version can be seen at <https://gitlab.com/jonmason00/meta-arm/-/pipelines>.
This CI is constantly being expanded to provide increased coverage of the software and hardware supported in meta-arm. All platforms are required to add a kas file and `.gitlab-ci.yml` entry as part of the initial patch series. More information on kas can be found at <https://github.com/siemens/kas>.
To this end, it would be wise to run kas locally to verify everything works prior to pushing to the CI build system.
## **Running kas locally**
### **Install kas**
kas can be installed with pip, for example:
```
$ pip3 install --user kas
```
See <https://kas.readthedocs.io/en/latest/userguide/getting-started.html> for information on the dependencies and more.
This assumes that the kas path ($HOME/.local/bin) is in $PATH. If not, the user will need to manually add this or the kas command will not be found.
### **Run kas locally**
```
$ cd ~/meta-arm/
$ kas build kas/juno.yml
```
By default kas will create a build directory under meta-arm to contain the checked out layers, build directory, and downloads.  You can change this by setting environment variables. DL\_DIR and SSTATE\_DIR are respected so these can point at existing directories, and setting KAS\_WORK\_DIR to the directory where repositories are already cloned will save having to re-fetch. This can look something like:
```
$ SSTATE_DIR=/builds/persist/sstate DL_DIR=/builds/persist/downloads kas build ci/qemuarm64.yml:ci/testimage.yml
```
See the [quick start guide](/documentation/quick-start.md) for more information on how to set this up.
## **Locked Revisions in CI with lockfiles**
The CI in meta-arm will generate a kas "lock file" when it starts to ensure that all of the builds checkout the same revision of the various different layers that are used. If this isn't done then there's a chance that a layer will be modified upstream during the CI, which results in some builds failing and some builds passing.
This lock file is saved as an artefact of the update-repos job by the CI, and only generated if it doesn't already exist in the repository. This can be used to force specific revisions of layers to be used instead of HEAD, which can be useful if upstream changes are causing problems in development.
The lockfile.yml can be downloaded manually, but there's a script in meta-arm to fetch the lock file for the latest successful build of the specified branch:
```
$ ./ci/download-lockfile.py --help
usage: download-lockfile.py [-h] server project refspec
positional arguments:
server GitLab server name
project meta-arm project name
refspec Branch/commit
$ ./ci/download-lockfile.py https://gitlab.com/jonmason00/meta-arm master
Fetched lockfile.yml
Commit this lockfile.yml to the top-level of the meta-arm repository and the CI will use it automatically.
```
# **Relevant Links for kas, CI, and testing**
<https://github.com/siemens/kas.git>
<https://wiki.yoctoproject.org/wiki/Oe-selftest>
<https://wiki.yoctoproject.org/wiki/Image_tests>
<https://wiki.yoctoproject.org/wiki/Ptest>
<https://wiki.yoctoproject.org/wiki/BSP_Test_Plan>
+105
View File
@@ -0,0 +1,105 @@
# **Yocto Project quick start for Arm system software developers**
If you want to read the The Yocto Project official quick start documentation, go to <https://docs.yoctoproject.org/brief-yoctoprojectqs/index.html>
If that looks like too much reading, then here is how to do it even faster!
# **Step 0: Install build deps and kas**
```
$ sudo apt install gawk wget git diffstat unzip texinfo gcc build-essential chrpath socat cpio python3 python3-pip python3-pexpect xz-utils debianutils iputils-ping python3-git python3-jinja2 libegl1-mesa libsdl1.2-dev python3-subunit mesa-common-dev zstd liblz4-tool file locales libacl1
$ pip install kas
```
OR, if you prefer to use a docker will all that stuff already installed:
```
$ sudo docker run -it --name kas-test --volume /mnt/yocto/:/builds/persist ghcr.io/siemens/kas/kas /bin/bash
```
> **_NOTE:_**
> the “--volume” is the directory where your persistent stuff (like downloads and build artifacts) will go to help speed up your builds and can be sharable amongst your builds/containers.  If you want to go completely clean-room, feel free to remove it
# **Step 1: clone meta-arm and build meta-arm**
```
$ git clone https://git.yoctoproject.org/meta-arm
$ cd meta-arm/
$ SSTATE_DIR=/builds/persist/sstate DL_DIR=/builds/persist/downloads kas build ci/fvp-base.yml:ci/testimage.yml
```
> **_NOTE:_**
> “ci/testimage.yml” will cause the build to run some basic system tests.  If you dont care about verifying basic functionality, then remove it and it should be faster (a few less programs will be added to the system image and the 2-3mins that it takes to run the test will not happen).
> **_NOTE:_**
> You may wish to add the Yocto Project SSTATE Mirror (especially the first time) to speed up the build by downloading the build fragments (built by the Yocto Project autobuilder) from the internet. This can be done by adding "ci/sstate-mirror.yml" in kas or adding the relevant lines to your local.conf. Using the above example:
```
$ SSTATE_DIR=/builds/persist/sstate DL_DIR=/builds/persist/downloads kas build ci/fvp-base.yml:ci/sstate-mirror.yml
```
> **_NOTE:_**
> This only fetches the parts necessary for your build and may take several minutes depending on your internet connection speed. Also, it only fetches what is available. There may still be a need to build things depending on your configuration.
For more information on kas and various commands, please reference <https://kas.readthedocs.io/en/latest/>.
Depending on what software you are building, fvp-base might not be the machine you want to build for.
The following website provides an EXTREMELY rough way to tell what software is in what machines, and what versions are being run:
<https://gitlab.com/jonmason00/meta-arm/-/jobs/artifacts/master/file/update-report/index.html?job=pending-updates>
If, as an example, were wanting to develop trusted-firmware-a; then fvp-base will work for us. 
### **Okay, you are done!  VICTORY!**
### **Oh, you actually wanted to mess around with the system software source code?**
# **Step 2: use devtool to get your source**
Setup your environment via the (non-kas) Yocto Project tools
```
$ source poky/oe-init-build-env
```
Use devtool to checkout the version of software being used on the machine above (in the above example, this will be trusted-firmware-a for fvp-base).
```
$ devtool modify trusted-firmware-a
```
This will download the source, hopefully in git (depending on how the Yocto Project recipe was written), and should print a path at the end where the source code was checked out.  In the trusted-firmware-a example, I got:
> /builder/meta-arm/build/workspace/sources/trusted-firmware-a
Inside of that directory, you should see the relevant source code.  In this example, it is a standard git tree.  So, you can add remotes, checkout different SHAs, etc
Ok, so you are set with your changes and want to build them.
```
$ devtool build trusted-firmware-a
```
This should build the software in question, but it is not yet integrated into a system image.  To do that, run:
```
$ devtool build-image core-image-sato
```
The image should match the image being used on your machine above.  Most of them in meta-arm are set to core-image-sato.  
Also, if you used testimage above, it will run testimage now
### **Okay, you are done!  VICTORY!**
# **Step 3.  Testing your patches outside of devtool**
At this point I will assume you have a patch and want to add it to the base recipe.  Using the above example, in the devtool directory:
```
$ git format-patch -1
0001-example.patch
$ mv 0001-example.patch ~/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/files/
$ cd ~/meta-arm
$ devtool reset trusted-firmware-a
$ echo SRC_URI:append = " file://0001-example.patch" >> meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_2.10.3.bb
```
> **_NOTE:_**
> there is a space before the “file” and yes it matters very much
At this point, you can go back using kas and verify that the patch works in a clean-ish tree.
```
$ SSTATE_DIR=/builds/persist/sstate DL_DIR=/builds/persist/downloads kas build ci/fvp-base.yml:ci/testimage.yml
```
There is obviously much more that can be done and other ways to do similar things.
## **If there are issues or questions then please ask them on the #meta-arm irc channel on libera.chat**
+43
View File
@@ -0,0 +1,43 @@
# **meta-arm Releases and Branching**
## **Release and Branching background**
The Yocto Project releases twice a year (April and October): "stable" releases are made every six months and have a lifetime of seven months to allow for migration, while "long term support" (LTS) releases are picked every two years starting from Dunfell in April 2020. The standard practice for all Yocto Compatible layers is to create a "named" branch consistent with the code name of that release. For example, the “dunfell” release of the Yocto Project will have a branch named “dunfell” in the official git repository, and layers compatible with dunfell will have a branch named “dunfell”. Thus, a customer can easily organize a collection of appropriate layers to make a product.
In the Yocto Project, these named branches are “stable”, and only take bug fixes or security-critical upgrades. Active development occurs on the master branch. However, this methodology can be problematic if mimicked with the compatible layers. Companies, like Arm, may not wish to release a snapshot of the relevant “master” branches under active development, due to the amount of testing, fixing, and hardening necessary to make a product from a non-stable release. Also, changes to keep the master branch of a layer working with the upstream master branch of the Yocto Project may result in that branch no longer being compatible with named branches (e.g., it might not be possible to mix and match master and dunfell). So, a decision must be made on the branching policy of meta-arm.
## **Adding new Hardware or Software features**
There are many different ways to resolve this issue. After some discussion, the best solution for us is to allow new hardware enablement (and relevant software features) to be included in LTS named branches (not just bug fixes). This will allow for a more stable software platform for software to be developed, tested, and released. Also, the single branch allows for focused testing (limiting the amount of resources needed for CI/CD), lessens/eliminates code diverging on various branches, and lessens confusion on which branch to use. The risk of making this choice is a potentially non-stable branch which will require more frequent testing to lessen the risk, and not following the “stable” methodology of the core Yocto Project layers (though it is not uncommon for BSP layers to behave this way).
## **Process**
The process for patches intended on being integrated into only the master branch is the normal internal process of pushing for code review and CI, approval and integration into upstream meta-arm master branch.
For patches intended on being included in an LTS named branch, the preferred process is to upstream via the master branch, rebase the patch (or series against the intended LTS branch) and send email with the release name in the subject line after the "PATCH" (e.g., "[PATCH dunfell] Add foo to bar").
If there is a time crunch and the preferred way above cannot be completed in time, upstreaming via the LTS branch can occur. This follows the normal process above but without the master integration step. However, any patches upstreamed in this manner must be pushed to master in a timely fashion (after the time crunch). Nagging emails will be sent and managers will be involved as the time grows.
## **Testing**
See [continuous-integration-and-kas.md](/documentation/continuous-integration-and-kas.md) for information how the layer is tested and what tests are run. It is presumed that all code will be compiled as part of the CI process of the gerrit code review. Also, testing on virtual platforms and code conformity checks will be run when enabled in the process.
## **Branching strategy and releases**
Named branches for meta-arm will be released as close as possible to the release of the YP LTS release. Meta-arm named branches will be created from the meta-arm master branch.
To minimize the additional work of maintaining multiple branches it is assumed that there will only be two active development branches at any given time: master and the most recent Long Term Stable (LTS) as the named branch. All previous named LTS branches will be EOLed when a new LTS has been released. Any branches that are EOLed will still exist in the meta-arm, but bug fix patches will be accepted. Limited to no testing will occur on EOLed branches. Exceptions to this can be made, but must be sized appropriately and agreed to by the relevant parties.
Named branch release will coincide with Yocto Project releases. These non-LTS branches will be bug fix only and will be EOLed on the next release (similar to the YP branching behavior).
### **Branch transitions**
When YP is approaching release, meta-arm will attempt to stabilize master so that the releases can coincide.
* T-6 weeks - Email is sent to meta-arm mailing list notifying of upcoming code freeze of features to meta-arm
* T-4 weeks - Code freeze to meta-arm. Only bug fixes are taken at this point.
* T-0 - Official upstream release occurs. With no outstanding critical bugs, a new named branch is created based on the current meta-arm master branch. Previous named branches are now frozen and will not accept new patches (but will continue to be present for reference and legacy usage).
## **Tagging**
### **Branch Tagging**
When each branch is released, a git tag with the Yocto Project version number will be added. For example, `4.3`. Also, this tag version number will be prepended with "yocto" in a duplicate tag (e.g., "yocto-4.3").
Conciding with the Yocto Project release schedule, every branch which has one or more changes added to it in the previous 6 months will get a minor versioned tag (e.g., "4.3.1" and "yocto-4.3.1").
### **BSP Release Tagging**
BSP releases for those boards supported in meta-arm-bsp maybe have an additional tag to denote their software releases. The tag will consist of the board name (in all capital letters), year, and month. For example, "CORSTONE1000-2023.11".
The release schedule for this is outside the standard Yocto Project release candence, but is generally encouraged to be as close to these releases as possible. Similarily, it is recommended the BSP releases be based on the latest LTS branch.
# **Relevant Links**
<https://wiki.yoctoproject.org/wiki/Releases>
+2 -2
View File
@@ -4,10 +4,10 @@ The `runfvp` tool in meta-arm makes it easy to run Yocto Project disk images ins
## Running images with `runfvp`
To build images with the FVP integration, the `fvpboot` class needs to be inherited. If the machine does not do this explicitly it can be done in `local.conf`:
To build images with the FVP integration, the `fvpboot` image class needs to be inherited. If the machine does not do this explicitly it can be done in `local.conf`:
```
INHERIT += "fvpboot"
IMAGE_CLASSES += "fvpboot"
```
The class will download the correct FVP and write a `.fvpconf` configuration file when an image is built.
+11 -8
View File
@@ -18,17 +18,18 @@ features for each [Secure Partition][^2] you would like to include:
| ----------------- | --------------- |
| Attestation | ts-attesation |
| Crypto | ts-crypto |
| Firmware Update | ts-fwu
| Internal Storage | ts-its |
| Protected Storage | ts-storage |
| se-proxy | ts-se-proxy |
| smm-gateway | ts-smm-gateway |
| spm-test[1-3] | optee-spmc-test |
| spm-test[1-4] | optee-spmc-test |
Other steps depend on your machine/platform definition:
1. For communications between Secure and Normal Words Linux kernel option `CONFIG_ARM_FFA_TRANSPORT=y`
is required. If your platform doesn't include it already you can add `arm-ffa` into MACHINE_FEATURES.
(Please see ` meta-arm/recipes-kernel/arm-ffa-tee`.)
(Please see ` meta-arm/recipes-kernel/arm-tstee`.)
For running the `uefi-test` or the `xtest -t ffa_spmc` tests under Linux the `arm-ffa-user` drivel is required. This is
enabled if the `ts-smm-gateway` and/or the `optee-spmc-test` machine features are enabled.
@@ -36,17 +37,19 @@ Other steps depend on your machine/platform definition:
2. optee-os might require platform specific OP-TEE build parameters (for example what SEL the SPM Core is implemented at).
You can find examples in `meta-arm/recipes-security/optee/optee-os_%.bbappend` for qemuarm64-secureboot machine
and in `meta-arm-bsp/recipes-security/optee/optee-os-n1sdp.inc` and `meta-arm-bsp/recipes-security/optee/optee-os-corstone1000-common.inc`
for N1SDP and Corstone1000 platforms accordingly.
and in `meta-arm-bsp/recipes-security/optee/optee-os-corstone1000-common.inc` for the Corstone1000 platform.
3. trusted-firmware-a might require platform specific TF-A build parameters (SPD and SPMC details on the platform).
See `meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_%.bbappend` for qemuarm64-secureboot machine
and in `meta-arm-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a-n1sdp.inc` and
`meta-arm-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a-corstone1000.inc` for N1SDP and Corstone1000 platforms.
and in `meta-arm-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a-corstone1000.inc` for theCorstone1000 platform.
4. Trusted Services supports an SPMC agonistic binary format. To build SPs to this format the `TS_ENV` variable is to be
set to `sp`. The resulting SP binaries should be able to boot under any FF-A v1.1 compliant SPMC implementation.
## Normal World applications
Optionally for testing purposes you can add `packagegroup-ts-tests` into your image. It includes
Optionally for testing purposes you can add `packagegroup-ts-tests` into your image. It includes
[Trusted Services test and demo tools][^3] and [xtest][^4] configured to include the `ffa_spmc` tests.
## OEQA Trusted Services tests
@@ -62,4 +65,4 @@ See `ci/trusted-services.yml` for an example how to include them into an image.
[^3]: https://trusted-services.readthedocs.io/en/integration/deployments/test-executables.html
[^4]: https://optee.readthedocs.io/en/latest/building/gits/optee_test.html
[^4]: https://optee.readthedocs.io/en/latest/building/gits/optee_test.html
@@ -2,6 +2,7 @@ header:
version: 13
includes:
- kas/arm-systemready-firmware.yml
- kas/arm-systemready-linux-distros-unattended-installation.yml
target:
- arm-systemready-linux-distros-debian
@@ -0,0 +1,8 @@
header:
version: 16
includes:
- kas/arm-systemready-firmware.yml
- kas/arm-systemready-linux-distros-unattended-installation.yml
target:
- arm-systemready-linux-distros-fedora
@@ -2,6 +2,7 @@ header:
version: 13
includes:
- kas/arm-systemready-firmware.yml
- kas/arm-systemready-linux-distros-unattended-installation.yml
target:
- arm-systemready-linux-distros-opensuse
@@ -0,0 +1,11 @@
header:
version: 16
env:
DISTRO_UNATTENDED_INST_TESTS:
# The full testimage run typically takes around 12-24h on fvp-base.
TEST_OVERALL_TIMEOUT: "${@ 24*60*60}"
local_conf_header:
systemready-unattended-inst: |
TESTIMAGE_AUTO = "${@oe.utils.vartrue("DISTRO_UNATTENDED_INST_TESTS", "1", "", d)}"
+9 -10
View File
@@ -1,14 +1,11 @@
header:
version: 14
env:
DISPLAY: ""
distro: poky-tiny
distro: poky
defaults:
repos:
branch: nanbield
branch: walnascar
repos:
meta-arm:
@@ -19,14 +16,14 @@ repos:
poky:
url: https://git.yoctoproject.org/git/poky
commit: 2e9c2a2381105f1306bcbcb54816cbc5d8110eff
commit: ee0d8d8a61d8e22a3dd00c32cde58ee6e8ec458f
layers:
meta:
meta-poky:
meta-openembedded:
url: https://git.openembedded.org/meta-openembedded
commit: 1750c66ae8e4268c472c0b2b94748a59d6ef866d
commit: 2169c9afcc0945045bea49f58011080942d4ddb4
layers:
meta-oe:
meta-python:
@@ -34,15 +31,17 @@ repos:
meta-secure-core:
url: https://github.com/wind-river/meta-secure-core.git
commit: e29165a1031dcf601edbed1733cedd64826672a5
commit: 423bc85b050594cc42fe3f2e0d0229960e70b94e
layers:
meta:
meta-secure-core-common:
meta-signing-key:
meta-efi-secure-boot:
local_conf_header:
base: |
CONF_VERSION = "2"
setup: |
PACKAGE_CLASSES = "package_ipk"
BB_NUMBER_THREADS ?= "16"
PARALLEL_MAKE ?= "-j16"
@@ -51,4 +50,4 @@ local_conf_header:
machine: unset
target:
- corstone1000-image
- corstone1000-flash-firmware-image
+6
View File
@@ -0,0 +1,6 @@
header:
version: 14
local_conf_header:
extsys: |
MACHINE_FEATURES += "corstone1000-extsys"
+23
View File
@@ -0,0 +1,23 @@
---
header:
version: 14
local_conf_header:
firmwarebuild: |
BBMULTICONFIG:remove = "firmware"
# Need to ensure the rescue linux options are selected
OVERRIDES .= ":firmware"
# Need to ensure we build with a small libc
TCLIBC="musl"
mass-storage: |
# Ensure the Mass Storage device is absent
FVP_CONFIG[board.msd_mmc.p_mmc_file] = "invalid.dat"
test-configuration: |
TEST_SUITES = "_qemutiny ping"
# Remove Dropbear SSH as it will not fit into the corstone1000 image.
IMAGE_FEATURES:remove = "ssh-server-dropbear"
CORE_IMAGE_EXTRA_INSTALL:remove = "ssh-pregen-hostkeys"
+8
View File
@@ -0,0 +1,8 @@
# yaml-language-server: $schema=https://raw.githubusercontent.com/siemens/kas/master/kas/schema-kas.json
header:
version: 14
local_conf_header:
fvp-multicore: |
MACHINE_FEATURES += "corstone1000_fvp_smp"
+13 -7
View File
@@ -2,15 +2,21 @@ header:
version: 14
includes:
- kas/corstone1000-base.yml
- kas/corstone1000-image-configuration.yml
- kas/corstone1000-firmware-only.yml
- kas/fvp-eula.yml
machine: corstone1000-fvp
env:
DISPLAY:
WAYLAND_DISPLAY:
XAUTHORITY:
local_conf_header:
fvp-config: |
# Remove Dropbear SSH as it will not fit into the corstone1000 image.
IMAGE_FEATURES:remove = " ssh-server-dropbear"
INHERIT += "fvpboot"
testimagefvp: |
IMAGE_CLASSES += "fvpboot"
target:
- corstone1000-image
mass-storage: |
# Ensure the Mass Storage device is absent
FVP_CONFIG[board.msd_mmc.p_mmc_file] = "invalid.dat"
machine: corstone1000-fvp
+49
View File
@@ -0,0 +1,49 @@
header:
version: 14
local_conf_header:
extrapackages: |
# Intentionally blank to prevent perf from being added to the image in base.yml
firmwarebuild: |
# Only needed as kas doesn't add it automatically unless you have 2 targets in seperate configs
BBMULTICONFIG ?= "firmware"
distrosetup: |
DISTRO_FEATURES = "usbhost ipv4"
initramfsetup: |
# Telling the build system which image is responsible of the generation of the initramfs rootfs
INITRAMFS_IMAGE_BUNDLE:firmware = "1"
INITRAMFS_IMAGE:firmware ?= "corstone1000-recovery-image"
IMAGE_FSTYPES:firmware:pn-corstone1000-recovery-image = "${INITRAMFS_FSTYPES}"
IMAGE_NAME_SUFFIX:firmware = ""
# enable mdev/busybox for init
INIT_MANAGER:firmware = "mdev-busybox"
VIRTUAL-RUNTIME_init_manager:firmware = "busybox"
# prevent the kernel image from being included in the intramfs rootfs
PACKAGE_EXCLUDE:firmware += "kernel-image-*"
# Disable openssl in kmod to shrink the initramfs size
PACKAGECONFIG:remove:firmware:pn-kmod = "openssl"
imageextras: |
# Don't include kernel binary in rootfs /boot path
RRECOMMENDS:${KERNEL_PACKAGE_NAME}-base = ""
# all optee packages
CORE_IMAGE_EXTRA_INSTALL += "optee-client"
# TS PSA API tests commands for crypto, its, ps and iat
CORE_IMAGE_EXTRA_INSTALL += "packagegroup-ts-tests-psa"
CORE_IMAGE_EXTRA_INSTALL:firmware += "packagegroup-ts-tests-psa"
# external system firmware
CORE_IMAGE_EXTRA_INSTALL:firmware += "external-system-elf"
capsule: |
CAPSULE_EXTENSION = "uefi.capsule"
CAPSULE_FW_VERSION = "6"
CAPSULE_NAME = "${MACHINE}-v${CAPSULE_FW_VERSION}"
+2
View File
@@ -2,5 +2,7 @@ header:
version: 14
includes:
- kas/corstone1000-base.yml
- kas/corstone1000-image-configuration.yml
- kas/corstone1000-firmware-only.yml
machine: corstone1000-mps3
+7 -1
View File
@@ -9,7 +9,7 @@ BBFILE_COLLECTIONS += "meta-arm-bsp"
BBFILE_PATTERN_meta-arm-bsp = "^${LAYERDIR}/"
BBFILE_PRIORITY_meta-arm-bsp = "5"
LAYERSERIES_COMPAT_meta-arm-bsp = "nanbield"
LAYERSERIES_COMPAT_meta-arm-bsp = "styhead walnascar"
LAYERDEPENDS_meta-arm-bsp = "core meta-arm"
# This won't be used by layerindex-fetch, but works everywhere else
@@ -24,3 +24,9 @@ BBFILES_DYNAMIC += " \
meta-arm-systemready:${LAYERDIR}/dynamic-layers/meta-arm-systemready/*/*/*.bb \
meta-arm-systemready:${LAYERDIR}/dynamic-layers/meta-arm-systemready/*/*/*.bbappend \
"
WARN_QA:append:layer-meta-arm-bsp = " patch-status"
addpylib ${LAYERDIR}/lib oeqa
IMAGE_ROOTFS_EXTRA_ARGS ?= ""
@@ -9,12 +9,16 @@ TFM_PLATFORM_IS_FVP = "TRUE"
# testimage config
TEST_TARGET = "OEFVPTarget"
TEST_SUITES = "fvp_boot"
TEST_TARGET_IP = "127.0.0.1:2222"
DEFAULT_TEST_SUITES:append = " fvp_boot fvp_devices"
# FVP Config
FVP_PROVIDER ?= "fvp-corstone1000-native"
FVP_EXE ?= "FVP_Corstone-1000"
FVP_CONSOLE ?= "host_terminal_0"
FVP_CONSOLES[default] = "host_terminal_0"
FVP_CONSOLES[tf-a] = "host_terminal_1"
FVP_CONSOLES[se] = "secenc_terminal"
FVP_CONSOLES[extsys] = "extsys_terminal"
#Disable Time Annotation
FASTSIM_DISABLE_TA = "0"
@@ -35,7 +39,7 @@ FVP_CONFIG[se.nvm.update_raw_image] ?= "0"
FVP_CONFIG[se.cryptocell.USER_OTP_FILTERING_DISABLE] ?= "1"
# Boot image
FVP_DATA ?= "board.flash0=${IMAGE_NAME}.wic@0x68000000"
FVP_DATA ?= "board.flash0=corstone1000-flash-firmware-image-${MACHINE}.wic@0x68000000"
# External system (cortex-M3)
FVP_CONFIG[extsys_harness0.extsys_flashloader.fname] ?= "es_flashfw.bin"
@@ -49,18 +53,20 @@ FVP_TERMINALS[extsys0.extsys_terminal] ?= "Cortex M3"
# MMC card configuration
FVP_CONFIG[board.msd_mmc.card_type] ?= "SDHC"
FVP_CONFIG[board.msd_mmc.p_fast_access] ?= "0"
FVP_CONFIG[board.msd_mmc.diagnostics] ?= "2"
FVP_CONFIG[board.msd_mmc.diagnostics] ?= "0"
FVP_CONFIG[board.msd_mmc.p_max_block_count] ?= "0xFFFF"
FVP_CONFIG[board.msd_config.pl180_fifo_depth] ?= "16"
FVP_CONFIG[board.msd_mmc.support_unpadded_images] ?= "true"
FVP_CONFIG[board.msd_mmc.p_mmc_file] ?= "${IMAGE_NAME}.wic"
# MMC2 card configuration
FVP_CONFIG[board.msd_mmc_2.card_type] ?= "SDHC"
FVP_CONFIG[board.msd_mmc_2.p_fast_access] ?= "0"
FVP_CONFIG[board.msd_mmc_2.diagnostics] ?= "2"
FVP_CONFIG[board.msd_mmc_2.diagnostics] ?= "0"
FVP_CONFIG[board.msd_mmc_2.p_max_block_count] ?= "0xFFFF"
FVP_CONFIG[board.msd_config_2.pl180_fifo_depth] ?= "16"
FVP_CONFIG[board.msd_mmc_2.support_unpadded_images] ?= "true"
FVP_CONFIG[board.msd_mmc_2.p_mmc_file] ?= "corstone1000-esp-image-${MACHINE}.wic"
# Virtio-Net configuration
FVP_CONFIG[board.virtio_net.enabled] ?= "1"
+15 -9
View File
@@ -4,24 +4,25 @@
#@NAME: Armv8-A Base Platform FVP machine
#@DESCRIPTION: Machine configuration for Armv8-A Base Platform FVP model
require conf/machine/include/arm/arch-armv8a.inc
TUNE_FEATURES = "aarch64"
require conf/machine/include/arm/arch-armv8-5a.inc
ARM_SYSTEMREADY_FIRMWARE = "trusted-firmware-a:do_deploy"
ARM_SYSTEMREADY_ACS_CONSOLE = "default"
EXTRA_IMAGEDEPENDS = "${ARM_SYSTEMREADY_FIRMWARE}"
MACHINE_FEATURES = "efi"
MACHINE_FEATURES = "efi vfat"
IMAGE_NAME_SUFFIX = ""
IMAGE_FSTYPES += "wic"
WKS_FILE ?= "efi-disk.wks.in"
SERIAL_CONSOLES = "115200;ttyAMA0"
# FIXME - This is being upstreamed. Remove once that has occurred.
KERNEL_CONSOLE ?= "${@','.join(d.getVar('SERIAL_CONSOLES').split(' ')[0].split(';')[::-1]) or 'ttyS0'}"
PREFERRED_PROVIDER_virtual/kernel ?= "linux-yocto"
KERNEL_DEVICETREE = "arm/fvp-base-revc.dtb"
KERNEL_DTB_NAME = "fvp-base-revc.dtb"
KERNEL_DEVICETREE = "arm/${KERNEL_DTB_NAME}"
KERNEL_IMAGETYPE = "Image"
EXTRA_IMAGEDEPENDS += "trusted-firmware-a"
@@ -29,7 +30,7 @@ EXTRA_IMAGEDEPENDS += "trusted-firmware-a"
# FVP u-boot configuration
UBOOT_MACHINE = "vexpress_fvp_defconfig"
EFI_PROVIDER ?= "grub-efi"
EFI_PROVIDER ?= "${@bb.utils.contains("DISTRO_FEATURES", "systemd", "systemd-boot", "grub-efi", d)}"
# As this is a virtual target that will not be used in the real world there is
# no need for real SSH keys.
@@ -49,14 +50,19 @@ FVP_CONFIG[bp.virtio_net.hostbridge.userNetworking] ?= "1"
FVP_CONFIG[bp.virtio_net.hostbridge.userNetPorts] = "2222=22"
FVP_CONFIG[bp.virtio_rng.enabled] ?= "1"
FVP_CONFIG[cache_state_modelled] ?= "0"
FVP_CONFIG[cluster0.check_memory_attributes] ?= "0"
FVP_CONFIG[cluster1.check_memory_attributes] ?= "0"
FVP_CONFIG[cluster0.stage12_tlb_size] ?= "1024"
FVP_CONFIG[cluster1.stage12_tlb_size] ?= "1024"
FVP_CONFIG[bp.secureflashloader.fname] ?= "bl1-fvp.bin"
FVP_CONFIG[bp.flashloader0.fname] ?= "fip-fvp.bin"
FVP_CONFIG[bp.virtioblockdevice.image_path] ?= "${IMAGE_NAME}.wic"
# Set the baseline to ARMv8.4, as the default is 8.0.
FVP_CONFIG[cluster0.has_arm_v8-4] = "1"
FVP_CONFIG[cluster1.has_arm_v8-4] = "1"
# Set the baseline to ARMv8.5, as the default is 8.0.
FVP_CONFIG[cluster0.has_arm_v8-5] = "1"
FVP_CONFIG[cluster1.has_arm_v8-5] = "1"
FVP_CONSOLES[default] = "terminal_0"
FVP_TERMINALS[bp.terminal_0] ?= "Console"
FVP_TERMINALS[bp.terminal_1] ?= ""
FVP_TERMINALS[bp.terminal_2] ?= ""
FVP_TERMINALS[bp.terminal_3] ?= ""
FVP_CONFIG[bp.secure_memory] ?= "1"
@@ -2,81 +2,68 @@ require conf/machine/include/arm/armv8a/tune-cortexa35.inc
MACHINEOVERRIDES =. "corstone1000:"
# TF-M
PREFERRED_VERSION_trusted-firmware-m ?= "2.1.%"
# TF-A
TFA_PLATFORM = "corstone1000"
EXTRA_IMAGEDEPENDS += "trusted-firmware-a"
PREFERRED_VERSION_trusted-firmware-a ?= "2.9.%"
PREFERRED_VERSION_tf-a-tests ?= "2.8.%"
PREFERRED_VERSION_trusted-firmware-a ?= "2.11.%"
PREFERRED_VERSION_tf-a-tests ?= "2.10.%"
TFA_BL2_BINARY = "bl2-corstone1000.bin"
TFA_FIP_BINARY = "fip-corstone1000.bin"
# TF-M
EXTRA_IMAGEDEPENDS += "virtual/trusted-firmware-m"
# optee
PREFERRED_VERSION_optee-os ?= "4.4.%"
PREFERRED_VERSION_optee-client ?= "4.4.%"
# TF-M settings for signing host images
TFA_BL2_RE_IMAGE_LOAD_ADDRESS = "0x62353000"
TFA_BL2_RE_SIGN_BIN_SIZE = "0x2d000"
TFA_FIP_RE_IMAGE_LOAD_ADDRESS = "0x68130000"
TFA_FIP_RE_SIGN_BIN_SIZE = "0x00200000"
RE_LAYOUT_WRAPPER_VERSION = "0.0.7"
TFM_SIGN_PRIVATE_KEY = "${libdir}/tfm-scripts/root-RSA-3072_1.pem"
RE_IMAGE_OFFSET = "0x1000"
# Trusted Services
TS_PLATFORM = "arm/corstone1000"
TS_SP_SE_PROXY_CONFIG = "corstone1000"
# Include smm-gateway and se-proxy SPs into optee-os binary
MACHINE_FEATURES += "ts-smm-gateway ts-se-proxy"
# u-boot
PREFERRED_VERSION_u-boot ?= "2023.07%"
EXTRA_IMAGEDEPENDS += "u-boot"
MACHINE_FEATURES += "efi"
EFI_PROVIDER ?= "grub-efi"
UBOOT_CONFIG ??= "EFI"
UBOOT_CONFIG[EFI] = "corstone1000_defconfig"
UBOOT_ENTRYPOINT = "0x80000000"
UBOOT_LOADADDRESS = "0x80000000"
UBOOT_BOOTARGS = "earlycon=pl011,0x1a510000 console=ttyAMA0 loglevel=9"
UBOOT_ARCH = "arm"
UBOOT_EXTLINUX = "0"
#optee
PREFERRED_VERSION_optee-os ?= "3.22%"
PREFERRED_VERSION_optee-client ?= "3.22%"
EXTRA_IMAGEDEPENDS += "optee-os"
OPTEE_ARCH = "arm64"
OPTEE_BINARY = "tee-pager_v2.bin"
# Include smm-gateway and se-proxy SPs into optee-os binary
MACHINE_FEATURES += "ts-smm-gateway ts-se-proxy"
TS_PLATFORM = "arm/corstone1000"
TS_SP_SE_PROXY_CONFIG = "corstone1000"
# External System(Cortex-M3)
EXTRA_IMAGEDEPENDS += "external-system"
# Grub
LINUX_KERNEL_ARGS ?= "earlycon=pl011,0x1a510000 console=ttyAMA0,115200"
GRUB_LINUX_APPEND ?= "${LINUX_KERNEL_ARGS}"
IMAGE_CMD:wic[vardeps] += "GRUB_LINUX_APPEND"
# Linux kernel
PREFERRED_PROVIDER_virtual/kernel:forcevariable = "linux-yocto"
PREFERRED_VERSION_linux-yocto = "6.5%"
KERNEL_IMAGETYPE = "Image.gz"
INITRAMFS_IMAGE_BUNDLE ?= "1"
#telling the build system which image is responsible of the generation of the initramfs rootfs
INITRAMFS_IMAGE = "corstone1000-initramfs-image"
IMAGE_NAME_SUFFIX = ""
PREFERRED_PROVIDER_virtual/kernel ?= "linux-yocto"
PREFERRED_VERSION_linux-yocto ?= "6.12.%"
KERNEL_IMAGETYPE = "Image"
KERNEL_IMAGETYPE:firmware = "Image.gz"
# add FF-A support in the kernel
MACHINE_FEATURES += "arm-ffa"
# prevent the kernel image from being included in the intramfs rootfs
PACKAGE_EXCLUDE = "kernel-image-*"
# enable this feature for kernel debugging
# MACHINE_FEATURES += "corstone1000_kernel_debug"
# login terminal serial port settings
SERIAL_CONSOLES ?= "115200;ttyAMA0"
IMAGE_FSTYPES += "wic"
# Need to clear the suffix so TESTIMAGE_AUTO works
IMAGE_NAME_SUFFIX = ""
WKS_FILE ?= "efi-disk-no-swap.wks.in"
WKS_FILE:firmware ?= "corstone1000-flash-firmware.wks.in"
# making sure EXTRA_IMAGEDEPENDS will be used while creating the image
WKS_FILE_DEPENDS:append = " ${EXTRA_IMAGEDEPENDS}"
WKS_FILE ?= "corstone1000-image.corstone1000.wks"
# If not building under the firmware multiconf we need to build the actual firmware
FIRMWARE_DEPLOYMENT ?= "firmware-deploy-image"
FIRMWARE_DEPLOYMENT:firmware ?= ""
EXTRA_IMAGEDEPENDS += "${FIRMWARE_DEPLOYMENT}"
# Disable openssl in kmod to shink the initramfs size
PACKAGECONFIG:remove:pn-kmod = "openssl"
ARM_SYSTEMREADY_FIRMWARE = "${FIRMWARE_DEPLOYMENT}:do_deploy \
corstone1000-esp-image:do_image_complete \
"
ARM_SYSTEMREADY_ACS_CONSOLE ?= "default"
# Workaround IMAGE_ROOTFS_EXTRA_SPACE being ignored when images are repacked
IMAGE_ROOTFS_EXTRA_ARGS += "--extra-space ${@${IMAGE_ROOTFS_EXTRA_SPACE}}K"
-36
View File
@@ -1,36 +0,0 @@
TUNE_FEATURES = "aarch64"
require conf/machine/include/arm/arch-armv8a.inc
MACHINEOVERRIDES =. "tc:"
# Das U-boot
UBOOT_MACHINE ?= "total_compute_defconfig"
UBOOT_RD_LOADADDRESS = "0x88000000"
UBOOT_RD_ENTRYPOINT = "0x88000000"
UBOOT_LOADADDRESS = "0x80080000"
UBOOT_ENTRYPOINT = "0x80080000"
PREFERRED_PROVIDER_virtual/kernel ?= "linux-yocto"
# OP-TEE
PREFERRED_VERSION_optee-os ?= "3.20%"
PREFERRED_VERSION_optee-client ?= "3.20%"
PREFERRED_VERSION_optee-test ?= "3.20%"
# Cannot use the default zImage on arm64
KERNEL_IMAGETYPE = "Image"
KERNEL_IMAGETYPES += "fitImage"
KERNEL_CLASSES = " kernel-fitimage "
IMAGE_FSTYPES += "cpio.gz"
INITRAMFS_IMAGE ?= "core-image-minimal"
IMAGE_NAME_SUFFIX = ""
SERIAL_CONSOLES = "115200;ttyAMA0"
EXTRA_IMAGEDEPENDS += "trusted-firmware-a optee-os"
PREFERRED_VERSION_trusted-firmware-a ?= "2.8.%"
# FIXME - there is signed image dependency/race with testimage.
# This should be fixed in oe-core
TESTIMAGEDEPENDS:append = " virtual/kernel:do_deploy"
-46
View File
@@ -1,46 +0,0 @@
# Configuration for Arm N1SDP development board
#@TYPE: Machine
#@NAME: N1SDP machine
#@DESCRIPTION: Machine configuration for N1SDP
require conf/machine/include/arm/armv8-2a/tune-neoversen1.inc
KERNEL_IMAGETYPE = "Image"
IMAGE_FSTYPES += "wic wic.gz wic.bmap tar.bz2 ext4"
SERIAL_CONSOLES = "115200;ttyAMA0"
# Set default WKS
WKS_FILE ?= "n1sdp-efidisk.wks"
IMAGE_EFI_BOOT_FILES ?= "n1sdp-multi-chip.dtb n1sdp-single-chip.dtb"
WKS_FILE_DEPENDS:append = " ${EXTRA_IMAGEDEPENDS}"
# Use kernel provided by yocto
PREFERRED_PROVIDER_virtual/kernel ?= "linux-yocto"
PREFERRED_VERSION_linux-yocto ?= "6.5%"
# RTL8168E Gigabit Ethernet Controller is attached to the PCIe interface
MACHINE_ESSENTIAL_EXTRA_RDEPENDS += "linux-firmware-rtl8168"
# TF-A
EXTRA_IMAGEDEPENDS += "trusted-firmware-a"
TFA_PLATFORM = "n1sdp"
# SCP
EXTRA_IMAGEDEPENDS += "virtual/control-processor-firmware"
#UEFI EDK2 firmware
EXTRA_IMAGEDEPENDS += "edk2-firmware"
PREFERRED_VERSION_edk2-firmware ?= "202305"
#optee
PREFERRED_VERSION_optee-os ?= "3.22.%"
#grub-efi
EFI_PROVIDER ?= "grub-efi"
MACHINE_FEATURES += "efi"
# SD-Card firmware
EXTRA_IMAGEDEPENDS += "sdcard-image-n1sdp"
@@ -1,14 +1,17 @@
#@TYPE: Machine
#@NAME: qemu-generic-arm64
#@DESCRIPTION: Generic Arm64 machine for typical SystemReady platforms, which
#have working firmware and boot via EFI.
#@NAME: sbsa-ref
#@DESCRIPTION: Reference SBSA machine in qemu-system-aarch64 on Neoverse N2
MACHINEOVERRIDES =. "generic-arm64:"
require conf/machine/generic-arm64.conf
require conf/machine/include/arm/armv9a/tune-neoversen2.inc
require conf/machine/include/qemu.inc
EXTRA_IMAGEDEPENDS += "edk2-firmware"
PREFERRED_PROVIDER_virtual/kernel ?= "linux-yocto"
KERNEL_IMAGETYPE = "Image"
MACHINE_EXTRA_RRECOMMENDS += "kernel-modules"
MACHINE_FEATURES = " alsa bluetooth efi qemu-usermode rtc screen usbhost vfat wifi"
IMAGE_FSTYPES += "wic.qcow2"
# This unique WIC file is necessary because kernel boot args cannot be passed
# because there is no default kernel (see below). There is no default kernel
@@ -17,17 +20,27 @@ EXTRA_IMAGEDEPENDS += "edk2-firmware"
# boot arg (which we need for testimage), we have to have a WIC file unique to
# this platform.
WKS_FILE = "qemu-efi-disk.wks.in"
IMAGE_FSTYPES += "wic.qcow2"
EFI_PROVIDER ?= "${@bb.utils.contains("DISTRO_FEATURES", "systemd", "systemd-boot", "grub-efi", d)}"
SERIAL_CONSOLES ?= "115200;ttyAMA0 115200;hvc0"
EXTRA_IMAGEDEPENDS += "edk2-firmware"
# FIXME - Currently seeing a kernel warning for the CPU topology when bumping
# the version past this. The issue is being tracked in
# https://github.com/tianocore/edk2-platforms/issues/752
PREFERRED_VERSION_edk2-firmware ?= "202408%"
QB_SYSTEM_NAME = "qemu-system-aarch64"
QB_MACHINE = "-machine sbsa-ref"
QB_CPU = "-cpu neoverse-n2"
QB_MEM = "-m 1024"
QB_DEFAULT_FSTYPE = "wic.qcow2"
QB_NETWORK_DEVICE = "-device virtio-net-pci,netdev=net0,mac=@MAC@"
QB_DRIVE_TYPE = "/dev/hd"
QB_ROOTFS_OPT = "-drive file=@ROOTFS@,if=ide,format=qcow2"
QB_DEFAULT_KERNEL = "none"
QB_OPT_APPEND = "-device qemu-xhci -device usb-tablet -device usb-kbd -pflash @DEPLOY_DIR_IMAGE@/SBSA_FLASH0.fd -pflash @DEPLOY_DIR_IMAGE@/SBSA_FLASH1.fd"
QB_OPT_APPEND = "-device usb-tablet -device usb-kbd -pflash @DEPLOY_DIR_IMAGE@/SBSA_FLASH0.fd -pflash @DEPLOY_DIR_IMAGE@/SBSA_FLASH1.fd"
QB_SERIAL_OPT = "-device virtio-serial-pci -chardev null,id=virtcon -device virtconsole,chardev=virtcon"
QB_TCPSERIAL_OPT = "-device virtio-serial-pci -chardev socket,id=virtcon,port=@PORT@,host=127.0.0.1 -device virtconsole,chardev=virtcon"
# sbsa-ref is a true virtual machine so can't use KVM
+42 -4
View File
@@ -7,18 +7,56 @@
require conf/machine/include/arm/armv8-2a/tune-cortexa75.inc
EXTRA_IMAGEDEPENDS += "virtual/control-processor-firmware"
EXTRA_IMAGEDEPENDS += "trusted-firmware-a"
KERNEL_IMAGETYPE ?= "Image"
PREFERRED_PROVIDER_virtual/kernel ?= "linux-yocto"
SERIAL_CONSOLES = "115200;ttyAMA0"
#grub-efi
EFI_PROVIDER ?= "grub-efi"
EFI_PROVIDER ?= "${@bb.utils.contains("DISTRO_FEATURES", "systemd", "systemd-boot", "grub-efi", d)}"
MACHINE_FEATURES += "efi"
IMAGE_FSTYPES += "cpio.gz wic"
IMAGE_NAME_SUFFIX = ""
IMAGE_CLASSES += "fvpboot"
WKS_FILE ?= "sgi575-efidisk.wks"
WKS_FILE ?= "efi-disk.wks.in"
WKS_FILE_DEPENDS:append = " ${EXTRA_IMAGEDEPENDS}"
# testimage config
TEST_TARGET = "OEFVPTarget"
#TEST_TARGET_IP = "127.0.0.1:222"
TEST_SUITES = "fvp_boot"
# FVP Config
FVP_PROVIDER ?= "fvp-sgi575-native"
FVP_EXE ?= "FVP_CSS_SGI-575"
# Virtio-Net configuration
FVP_CONFIG[board.virtio_net.enabled] ?= "1"
FVP_CONFIG[board.virtio_net.hostbridge.userNetworking] ?= "1"
FVP_CONFIG[board.virtio_net.hostbridge.userNetPorts] = "2222=22"
FVP_CONFIG[board.virtioblockdevice.image_path] ?= "${IMAGE_NAME}.wic"
#FVP_CONFIG[cache_state_modelled] ?= "0"
FVP_CONFIG[css.cmn600.mesh_config_file] = "SGI-575_cmn600.yml"
FVP_CONFIG[css.cmn600.force_rnsam_internal] ?= "false"
FVP_CONFIG[css.gic_distributor.ITS-device-bits] ?= "20"
FVP_DATA ?= "css.scp.armcortexm7ct=scp_ramfw.bin@0x0BD80000"
FVP_CONFIG[css.mcp.ROMloader.fname] ?= "mcp_romfw.bin"
FVP_CONFIG[css.scp.ROMloader.fname] ?= "scp_romfw.bin"
FVP_CONFIG[css.trustedBootROMloader.fname] ?= "bl1-sgi575.bin"
FVP_CONFIG[board.flashloader0.fname] ?= "fip-sgi575.bin"
FVP_CONSOLES[default] = "terminal_uart_ap"
FVP_TERMINALS[css.scp.terminal_uart_aon] ?= "SCP Console"
FVP_TERMINALS[css.mcp.terminal_uart0] ?= ""
FVP_TERMINALS[css.mcp.terminal_uart1] ?= ""
FVP_TERMINALS[css.terminal_uart_ap] ?= "Console"
FVP_TERMINALS[css.terminal_uart1_ap] ?= ""
FVP_TERMINALS[soc.terminal_s0] ?= ""
FVP_TERMINALS[soc.terminal_s1] ?= ""
FVP_TERMINALS[soc.terminal_mcp] ?= ""
FVP_TERMINALS[board.terminal_0] ?= ""
FVP_TERMINALS[board.terminal_1] ?= ""
-31
View File
@@ -1,31 +0,0 @@
# Configuration for TC1
#@TYPE: Machine
#@NAME: TC1
#@DESCRIPTION: Machine configuration for TC1
require conf/machine/include/tc.inc
TEST_TARGET = "OEFVPTarget"
TEST_SUITES = "fvp_boot"
# FVP Config
FVP_PROVIDER ?= "fvp-tc1-native"
FVP_EXE ?= "FVP_TC1"
# FVP Parameters
FVP_CONFIG[css.scp.ROMloader.fname] ?= "scp_romfw.bin"
FVP_CONFIG[css.trustedBootROMloader.fname] ?= "bl1-tc.bin"
FVP_CONFIG[board.flashloader0.fname] ?= "fip_gpt-tc.bin"
#FVP_CONFIG[board.hostbridge.userNetworking] ?= "true"
#FVP_CONFIG[board.hostbridge.userNetPorts] ?= "2222=22"
#smsc ethernet takes a very long time to come up. disable now to prevent testimage timeout
#FVP_CONFIG[board.smsc_91c111.enabled] ?= "1"
FVP_CONSOLE = "terminal_s1"
FVP_TERMINALS[soc.terminal_s0] ?= "Secure Console"
FVP_TERMINALS[soc.terminal_s1] ?= "Console"
# Boot image
FVP_DATA ?= "board.dram=fitImage-core-image-minimal-tc1-tc1@0x20000000"
@@ -1,5 +1,5 @@
..
# Copyright (c) 2022-2023, Arm Limited.
# Copyright (c) 2022-2025, Arm Limited.
#
# SPDX-License-Identifier: MIT
@@ -10,6 +10,205 @@ Change Log
This document contains a summary of the new features, changes and
fixes in each release of Corstone-1000 software stack.
***************
Version 2025.05
***************
Changes
=======
- OP-TEE OS: Added support for v4.4
- Trusted Services: PSA-Crypto structures aligned with TF-M, added protobuf interface to crypto-sp
- Documentation: fixed typos, added host-level authentication section, enabled fly-out sidebar menu
- Das U-Boot: Reserved memory for RSS communication-pointer access protocol
- Linux Kernel: Upgraded kernel to v6.12, updated Upstream-Status notes for remoteproc patches
- Corstone-1000 image: Implemented IMAGE_ROOTFS_EXTRA_SPACE workaround
Corstone-1000 components versions
=================================
+-------------------------------------------+-------------------+
| linux-yocto | 6.12.30 |
+-------------------------------------------+-------------------+
| u-boot | 2023.07.02 |
+-------------------------------------------+-------------------+
| external-system | 0.1.0 |
+-------------------------------------------+-------------------+
| optee-client | 4.4.0 |
+-------------------------------------------+-------------------+
| optee-os | 4.4.0 |
+-------------------------------------------+-------------------+
| trusted-firmware-a | 2.11.0 |
+-------------------------------------------+-------------------+
| trusted-firmware-m | 2.1.1 |
+-------------------------------------------+-------------------+
| libts | 602be60719 |
+-------------------------------------------+-------------------+
| ts-newlib | 4.1.0 |
+-------------------------------------------+-------------------+
| ts-psa-{crypto, iat, its. ps}-api-test | 74dc6646ff |
+-------------------------------------------+-------------------+
| ts-sp-{se-proxy, smm-gateway} | 602be60719 |
+-------------------------------------------+-------------------+
Yocto distribution components versions
======================================
+-------------------------------------------+----------------+
| meta-arm | walnascar |
+-------------------------------------------+----------------+
| poky | ee0d8d8a61 |
+-------------------------------------------+----------------+
| meta-openembedded | 2169c9afcc |
+-------------------------------------------+----------------+
| meta-secure-core | 423bc85b05 |
+-------------------------------------------+----------------+
| busybox | 1.37.0 |
+-------------------------------------------+----------------+
| musl | 1.2.5 |
+-------------------------------------------+----------------+
| gcc-arm-none-eabi | 13.3.rel1 |
+-------------------------------------------+----------------+
| gcc-cross-aarch64 | 14.2.0 |
+-------------------------------------------+----------------+
| openssl | 3.4.1 |
+-------------------------------------------+----------------+
***************
Version 2024.11
***************
Changes
=======
- Implementation of a replication strategy for FWU metadata in TF-M according to the FWU specification.
- Upgrade to metadata version 2 in TF-M.
- Increase the ITS and PS memory size in Secure Flash for TF-M.
- SW components upgrades.
- Bug fixes.
Corstone-1000 components versions
=================================
+-------------------------------------------+-----------------------------------------------------+
| linux-yocto | 6.10.14 |
+-------------------------------------------+-----------------------------------------------------+
| u-boot | 2023.07.02 |
+-------------------------------------------+-----------------------------------------------------+
| external-system | 0.1.0 |
+-------------------------------------------+-----------------------------------------------------+
| optee-client | 4.2.0 |
+-------------------------------------------+-----------------------------------------------------+
| optee-os | 4.2.0 |
+-------------------------------------------+-----------------------------------------------------+
| trusted-firmware-a | 2.11.0 |
+-------------------------------------------+-----------------------------------------------------+
| trusted-firmware-m | 2.1.0 |
+-------------------------------------------+-----------------------------------------------------+
| libts | 602be60719 |
+-------------------------------------------+-----------------------------------------------------+
| ts-newlib | 4.1.0 |
+-------------------------------------------+-----------------------------------------------------+
| ts-psa-{crypto, iat, its. ps}-api-test | 74dc6646ff |
+-------------------------------------------+-----------------------------------------------------+
| ts-sp-{se-proxy, smm-gateway} | 602be60719 |
+-------------------------------------------+-----------------------------------------------------+
Yocto distribution components versions
======================================
+-------------------------------------------+------------------------------+
| meta-arm | styhead |
+-------------------------------------------+------------------------------+
| poky | 5465094be9 |
+-------------------------------------------+------------------------------+
| meta-openembedded | 461d85a183 |
+-------------------------------------------+------------------------------+
| meta-secure-core | 59d7e90542 |
+-------------------------------------------+------------------------------+
| busybox | 1.36.1 |
+-------------------------------------------+------------------------------+
| musl | 1.2.5 |
+-------------------------------------------+------------------------------+
| gcc-arm-none-eabi | 13.3.rel1 |
+-------------------------------------------+------------------------------+
| gcc-cross-aarch64 | 14.2.0 |
+-------------------------------------------+------------------------------+
| openssl | 3.3.1 |
+-------------------------------------------+------------------------------+
***************
Version 2024.06
***************
Changes
=======
- Re-enabling support for the External System using linux remoteproc (only supporting switching on and off the External System)
- UEFI Secure Boot and Authenticated Variable support
- RSE Comms replaces OpenAMP
- The EFI System partition image is now created by the meta-arm build system.
This image is mounted on the second MMC card by default in the FVP.
- The capsule generation script is now part of the meta-arm build system.
Corstone1000-flash-firmware-image recipe generates a capsule binary using the U-Boot capsule generation tool that includes
all the firmware binaries and recovery kernel image.
- SW components upgrades
- Bug fixes
Corstone-1000 components versions
=================================
+-------------------------------------------+-----------------------------------------------------+
| arm-tstee | 2.0.0 |
+-------------------------------------------+-----------------------------------------------------+
| linux-yocto | 6.6.23 |
+-------------------------------------------+-----------------------------------------------------+
| u-boot | 2023.07.02 |
+-------------------------------------------+-----------------------------------------------------+
| external-system | 0.1.0 |
+-------------------------------------------+-----------------------------------------------------+
| optee-client | 4.1.0 |
+-------------------------------------------+-----------------------------------------------------+
| optee-os | 4.1.0 |
+-------------------------------------------+-----------------------------------------------------+
| trusted-firmware-a | 2.10.4 |
+-------------------------------------------+-----------------------------------------------------+
| trusted-firmware-m | 2.0.0 |
+-------------------------------------------+-----------------------------------------------------+
| libts | 602be60719 |
+-------------------------------------------+-----------------------------------------------------+
| ts-newlib | 4.1.0 |
+-------------------------------------------+-----------------------------------------------------+
| ts-psa-{crypto, iat, its. ps}-api-test | 602be60719 |
+-------------------------------------------+-----------------------------------------------------+
| ts-sp-{se-proxy, smm-gateway} | 602be60719 |
+-------------------------------------------+-----------------------------------------------------+
Yocto distribution components versions
======================================
+-------------------------------------------+------------------------------+
| meta-arm | scarthgap |
+-------------------------------------------+------------------------------+
| poky | scarthgap |
+-------------------------------------------+------------------------------+
| meta-openembedded | scarthgap |
+-------------------------------------------+------------------------------+
| meta-secure-core | scarthgap |
+-------------------------------------------+------------------------------+
| busybox | 1.36.1 |
+-------------------------------------------+------------------------------+
| musl | 1.2.4 |
+-------------------------------------------+------------------------------+
| gcc-arm-none-eabi | 13.2.Rel1 |
+-------------------------------------------+------------------------------+
| gcc-cross-aarch64 | 13.2.0 |
+-------------------------------------------+------------------------------+
| openssl | 3.2.1 |
+-------------------------------------------+------------------------------+
***************
Version 2023.11
***************
@@ -298,4 +497,4 @@ Changes
--------------
*Copyright (c) 2022-2023, Arm Limited. All rights reserved.*
*Copyright (c) 2022-2024, Arm Limited. All rights reserved.*
@@ -1,3 +1,8 @@
# SPDX-FileCopyrightText: <text>Copyright 2020-2024 Arm Limited and/or its
# affiliates <open-source-office@arm.com></text>
#
# SPDX-License-Identifier: MIT
# Configuration file for the Sphinx documentation builder.
#
# This file only contains a selection of the most common options. For a full
@@ -10,15 +15,19 @@
# add these directories to sys.path here. If the directory is relative to the
# documentation root, use os.path.abspath to make it absolute, like shown here.
#
# import os
# import sys
# sys.path.insert(0, os.path.abspath('.'))
import os
import sys
# Append the documentation directory to the path, so we can import variables
sys.path.append(os.path.dirname(__file__))
# -- Project information -----------------------------------------------------
project = 'corstone1000'
copyright = '2020-2022, Arm Limited'
copyright = '2020-2024, Arm Limited'
author = 'Arm Limited'
@@ -28,6 +37,7 @@ author = 'Arm Limited'
# extensions coming with Sphinx (named 'sphinx.ext.*') or your custom
# ones.
extensions = [
'sphinx_rtd_theme',
]
# Add any paths that contain templates here, relative to this directory.
@@ -45,6 +55,19 @@ exclude_patterns = ['_build', 'Thumbs.db', '.DS_Store', 'docs/infra']
# a list of builtin themes.
#
html_theme = 'sphinx_rtd_theme'
html_theme_options = {
'flyout_display': 'attached',
}
# Define the canonical URL if you are using a custom domain on Read the Docs
html_baseurl = os.environ.get("READTHEDOCS_CANONICAL_URL", "")
# Tell Jinja2 templates the build is running on Read the Docs
if os.environ.get("READTHEDOCS", "") == "True":
if "html_context" not in globals():
html_context = {}
html_context["READTHEDOCS"] = True
# Add any paths that contain custom static files (such as style sheets) here,
# relative to this directory. They are copied after the builtin static files,
Binary file not shown.

After

Width:  |  Height:  |  Size: 43 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 44 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 40 KiB

After

Width:  |  Height:  |  Size: 58 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 16 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 93 KiB

After

Width:  |  Height:  |  Size: 86 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 57 KiB

After

Width:  |  Height:  |  Size: 69 KiB

@@ -1,11 +1,21 @@
..
# Copyright (c) 2022, Arm Limited.
# Copyright (c) 2022, 2024, Arm Limited.
#
# SPDX-License-Identifier: MIT
################
ARM Corstone1000
################
#################
Arm Corstone-1000
#################
*************************
Disclaimer
*************************
Arm reference solutions are Arm public example software projects that track and
pull upstream components, incorporating their respective security fixes
published over time. Arm partners are responsible for ensuring that the
components they use contain all the required security fixes, if and when they
deploy a product derived from Arm reference solutions.
.. toctree::
:maxdepth: 1
@@ -1,5 +1,5 @@
..
# Copyright (c) 2022-2023, Arm Limited.
# Copyright (c) 2022-2025, Arm Limited.
#
# SPDX-License-Identifier: MIT
@@ -19,6 +19,57 @@ intended for safety-critical applications. Should Your Software or Your Hardware
prove defective, you assume the entire cost of all necessary servicing, repair
or correction.
***********************
Release notes - 2025.05
***********************
Known Issues or Limitations
---------------------------
- Crypto isolation is not supported in the Secure world of Corstone-1000. Additionally, clients in
the Normal world are not isolated from one another.Therefore, if an end user wants to add a new
Secure Partition (SP) (such as a software TPM) that accesses the Crypto service via the SE-Proxy,
they are responsible for implementing their own isolation mechanisms to ensure proper security boundaries.
- DSTREAM debug probe may experience unreliable USB connectivity when used with Arm DS for secure debug.
This issue is under active investigation, and we are working to identify and resolve compatibility issues in a future update.
As a more stable alternative, the ULINKpro debug probe is recommended for use with Corstone-1000 in secure debug scenarios.
***********************
Release notes - 2024.11
***********************
The same notes as the 2024.06 release still apply.
***********************
Release notes - 2024.06
***********************
Known Issues or Limitations
---------------------------
- Use Ethernet over VirtIO due to lan91c111 Ethernet driver support dropped from U-Boot.
- Due to the performance uplimit of MPS3 FPGA and FVP, some Linux distros like Fedora Rawhide can not boot on Corstone-1000 (i.e. user may experience timeouts or boot hang).
- Corstone-1000 SoC on FVP doesn't have a secure debug peripheral. It does on the MPS3.
- See previous release notes for the known limitations regarding ACS tests.
Platform Support
-----------------
- This software release is tested on Corstone-1000 FPGA version AN550_v2
https://developer.arm.com/downloads/-/download-fpga-images
- This software release is tested on Corstone-1000 Fast Model platform (FVP) version 11.23_25
https://developer.arm.com/tools-and-software/open-source-software/arm-platforms-software/arm-ecosystem-fvps
SystemReady IR v2.0 Certification Milestone
-------------------------------------------
As of this release, Corstone-1000 has achieved `SystemReady IR v2.0 certification <https://www.arm.com/architecture/system-architectures/systemready-certification-program/ve>`__.
This milestone confirms compliance with the SystemReady IR requirements, ensuring broader compatibility and reliability for deployment.
Applied patch `313ad2a0e600 <https://git.yoctoproject.org/meta-arm/commit/?h=scarthgap&id=313ad2a0e600655d9bfbe53646e356372ff02644>`__ to address compatibility requirements for SystemReady IR v2.0.
This update is included in tag `CORSTONE1000-2024.06-systemready-ir-v2.0 <https://git.yoctoproject.org/meta-arm/tag/?h=CORSTONE1000-2024.06-systemready-ir-v2.0>`__ and builds on the `CORSTONE1000-2024.06` release.
***********************
Release notes - 2023.11
***********************
@@ -213,7 +264,7 @@ Support
-------
For technical support email: support-subsystem-iot@arm.com
For all security issues, contact Arm by email at arm-security@arm.com.
For all security issues, contact Arm by email at psirt@arm.com.
--------------
@@ -1,10 +1,10 @@
..
# Copyright (c) 2022-2023, Arm Limited.
# Copyright (c) 2022-2025, Arm Limited.
#
# SPDX-License-Identifier: MIT
######################
Software architecture
Software Architecture
######################
@@ -16,182 +16,343 @@ Arm Corstone-1000 is a reference solution for IoT devices. It is part of
Total Solution for IoT which consists of hardware and software reference
implementation.
Corstone-1000 software plus hardware reference solution is PSA Level-2 ready
certified (`PSA L2 Ready`_) as well as System Ready IR certified(`SRIR cert`_).
More information on the Corstone-1000 subsystem product and design can be
found at:
`Arm corstone1000 Software`_ and `Arm corstone1000 Technical Overview`_.
The combination of Corstone-1000 software and hardware reference solution is `PSA Level-2 ready
certified <psa_l2-ready_>`__ as well as `Arm SystemReady Devicetree certified <systemready-ir-certification_>`__.
This readme explicitly focuses on the software part of the solution and
More information on the Corstone-1000 subsystems product and design can be
found on `Arm Developer <arm-developer-cs1000-website_>`__.
This document explicitly focuses on the software part of the solution and
provides internal details on the software components. The reference
software package of the platform can be retrieved following instructions
present in the user-guide document.
present in the user guide document.
***************
Design Overview
***************
The software architecture of Corstone-1000 platform is a reference
implementation of Platform Security Architecture (`PSA`_) which provides
implementation of `Platform Security Architecture <psa-certified-website_>`__ which provides
framework to build secure IoT devices.
The base system architecture of the platform is created from three
different types of systems: Secure Enclave, Host and External System.
Each subsystem provides different functionality to overall SoC.
The base system architecture of the platform is created from three different types of subsystems:
- Secure Enclave
- Host System
- External System
Each subsystem provides different functionality to the overall system on a chip (SoC).
.. image:: images/CorstoneSubsystems.png
:width: 720
:alt: CorstoneSubsystems
Secure Enclave
==============
The Secure Enclave System, provides PSA Root of Trust (RoT) and
cryptographic functions. It is based on an Cortex-M0+ processor,
CC312 Cryptographic Accelerator and peripherals, such as watchdog and
secure flash. Software running on the Secure Enclave is isolated via
hardware for enhanced security. Communication with the Secure Encalve
is achieved using Message Handling Units (MHUs) and shared memory.
On system power on, the Secure Enclave boots first. Its software
comprises of a ROM code (TF-M BL1), Mcuboot BL2, and
TrustedFirmware-M(`TF-M`_) as runtime software. The software design on
Secure Enclave follows Firmware Framework for M class
processor (`FF-M`_) specification.
The Secure Enclave boots first on system power on, it provides `PSA Root of Trust (RoT) <psa-certified-website_>`__ and
cryptographic functions. It is based on a Cortex-M0+ processor, CC312 Cryptographic Accelerator and
peripherals such as watchdog and secure flash.
The Host System is based on ARM Cotex-A35 processor with standardized
peripherals to allow for the booting of a Linux OS. The Cortex-A35 has
the TrustZone technology that allows secure and non-secure security
states in the processor. The software design in the Host System follows
Firmware Framework for A class procseeor (`FF-A`_) specification.
The boot process follows Trusted Boot Base Requirement (`TBBR`_).
The Host Subsystem is taken out of reset by the Secure Enclave system
during its final stages of the initialization. The Host subsystem runs
FF-A Secure Partitions(based on `Trusted Services`_) and OPTEE-OS
(`OPTEE-OS`_) in the secure world, and U-Boot(`U-Boot repo`_) and
linux (`linux repo`_) in the non-secure world. The communication between
non-secure and the secure world is performed via FF-A messages.
.. image:: images/Corstone1000SecureFlashMPS3.png
:width: 400
:alt: Corstone1000SecureFlashMPS3
An external system is intended to implement use-case specific
functionality. The system is based on Cortex-M3 and run RTX RTOS.
Communication between the external system and Host (Cortex-A35) is performed
using MHU as transport mechanism and rpmsg messaging system (the external system
support in Linux is disabled in this release. More info about this change can be found in the
release-notes).
.. image:: images/Corstone1000SecureFlashFVP.png
:width: 400
:alt: Corstone1000SecureFlashFVP
Overall, the Corstone-1000 architecture is designed to cover a range
of Power, Performance, and Area (PPA) applications, and enable extension
for use-case specific applications, for example, sensors, cloud
connectivitiy, and edge computing.
Software running on the Secure Enclave is isolated via hardware for enhanced security.
Communication with the Secure Enclave is achieved using `Message Handling Units (MHUs) <arm-developer-mhu-website_>`__
and shared memory.
Its software components comprises:
- `Trusted Firmware-M (TF-M) BL1 <trusted-firmware-m-bl1-website_>`__
- `MCUboot <mcuboot-website_>`__
- `TrustedFirmware-M <trusted-firmware-m-website_>`__
The software design on the Secure Enclave follows `Arm Firmware Framework for M-Profile
processor <arm-fmw-framework-m-profile-pdf_>`__ (FF-M) specification.
Host System
===========
The Host System is based on ARM Cortex-A35 processor with standardized
peripherals to allow booting a Linux-based operating system (OS). The Cortex-A35 has
the `TrustZone <arm-trustzone-for-cortex-a-website_>`__ technology that allows Secure and Non-secure security
states in the processor.
The boot process follows `Trusted Boot Base Requirements Client <trusted-board-boot-requirements-client-pdf_>`__.
The Host System is taken out of reset by the Secure Enclave system during its final stages of the
initialization.
In the Secure world, the Host System runs:
- FF-A Secure Partitions (based on `Trusted Services <trusted-services-website_>`__)
- `OP-TEE OS <op-tee-os-repository_>`__
In the Non-secure World, the Host System runs:
- `U-Boot <das-u-boot-repository_>`__
- `Linux kernel <linux-repository_>`__
The software design in the Host System follows `Arm Firmware Framework for Arm A-profile
<arm-fmw-framework-a-profile-pdf_>`__ (FF-A) specification.
The communication between Non-secure and the Secure world is performed via FF-A messages.
External System
===============
The External System is intended to implement use-case specific functionality.
The system is based on Cortex-M3 and runs `Keil RTX5 <keil-rtx5-website_>`__.
Communication between the external system and Host (Cortex-A35) can be performed using MHU as transport
mechanism. The current software release supports switching the External System ON and OFF.
The Corstone-1000 architecture is designed to cover a range of
`Power, Performance, and Area (PPA) <ppa-website_>`__ applications, and enable extension
for use-case specific applications, for example, sensors, cloud connectivity, and edge computing.
*****************
Secure Boot Chain
*****************
For the security of a device, it is essential that only authorized
software should run on the device. The Corstone-1000 boot uses a
Secure Boot Chain process where an already authenticated image verifies
and loads the following software in the chain. For the boot chain
process to work, the start of the chain should be trusted, forming the
software should run on the device.
The Corstone-1000 boot uses a `Secure boot <arm-developer-secureboot-website_>`__ chain process
where an already authenticated image verifies and loads the following software in the chain.
For the boot chain process to work, the start of the chain should be trusted, forming the
Root of Trust (RoT) of the device. The RoT of the device is immutable in
nature and encoded into the device by the device owner before it
is deployed into the field. In Corstone-1000, the BL1 image of the secure
enclave and content of the CC312 OTP (One Time Programmable) memory
forms the RoT. The BL1 image exists in ROM (Read Only Memory).
nature and encoded into the device by the device manufacturer before it
is deployed into the field.
In Corstone-1000, the content of the ROM and CC312 One Time Programmable (OTP) memory forms the RoT.
Verification of an image can happen either by comparing the computed and stored hashes, or by
checking the signature of the image if the image is signed.
.. image:: images/SecureBootChain.png
:width: 870
:alt: SecureBootChain
It is a lengthy chain to boot the software on Corstone-1000. On power on,
the secure enclave starts executing BL1 code from the ROM which is the RoT
of the device. Authentication of an image involves the steps listed below:
It is a lengthy chain to boot the software on Corstone-1000.
- Load image from flash to dynamic RAM.
- The public key present in the image header is validated by comparing with the hash.
Depending on the image, the hash of the public key is either stored in the OTP or part
of the software which is being already verified in the previous stages.
- The image is validated using the public key.
TF-M BL1_1
==========
In the secure enclave, BL1 authenticates the BL2 and passes the execution
control. BL2 authenticates the initial boot loader of the host (Host TF-A BL2)
and TF-M. The execution control is now passed to TF-M. TF-M being the run
time executable of secure enclave which initializes itself and, at the end,
brings the host CPU out of rest. The host follows the boot standard defined
in the `TBBR`_ to authenticate the secure and non-secure software.
On power-up, the Secure Enclave begins execution from TF-M BL1_1, which resides in ROM and serves as
the Root of Trust (RoT) for the device.
TF-M BL1_1 is the immutable bootloader and is responsible for:
- Provisioning the device during the first boot
- Performing hardware initialization
- Verifying the integrity and authenticity of the next stage in the boot chain
At boot time, TF-M BL1_1:
- Copies the TF-M BL1_2 image from OTP to RAM.
- Verifies the integrity of BL1_2 by comparing its computed hash with the hash stored in OTP.
TF-M BL1_2
==========
During provisioning, the TF-M BL1_2 binary, along with its hashes and cryptographic keys, is stored
in One-Time Programmable (OTP) memory.
Once verified, TF-M BL1_2:
- Takes control and verifies the next stage in the boot chain, which is TF-M BL2.
- Computes the hash of the BL2 image and compares it with the BL2 hash stored in OTP to ensure
integrity before transferring execution to BL2.
.. note::
The TF-M BL1 design details can be found in the `TF-M design documents <trusted-firmware-m-bl1-website_>`_.
.. important::
Corstone-1000 has some differences compared to this design due to memory (OTP/ROM)
limitations:
- BL1_1 code size is larger than needed because it handles most of the hardware initialization instead of the BL1_2.
- BL1_2 cannot be updated during provisioning time because the provisioning bundle that contains its code is located in the ROM.
- BL1_2 does not use the post-quantum LMS verification.
- BL2 cannot be updated because it is verified by comparing the computed hash to the hash stored in the OTP.
TF-M BL2
========
In this system, TF-M BL2 refers to MCUBoot.
On the first boot, MCUBoot can provision additional cryptographic keys. It is responsible for authenticating both:
- TF-M (Trusted Firmware-M), and
- The initial bootloader of the Host system, `Trusted Firmware-A (TF-A) BL2 <trusted-firmware-a-bl2-website_>`__
This authentication is done by verifying the digital signatures of the respective images.
MCUBoot performs image verification in the following steps:
#. Load the image from non-volatile memory into RAM.
#. Validate the image's signature using the corresponding public key.
.. note::
The public key present in the image header is validated by comparing with the hash.
Depending on the image, the hash of the public key is either stored in the OTP or part
of the software which is being already verified in the previous stages.
The execution control is passed to TF-M after the verification.
As the runtime executable of the Secure Enclave, TF-M initializes itself before
bringing the Host system out of reset.
Host System Authentication
==========================
The Host system follows the boot standard defined in the `Trusted Board Boot Requirements Client <trusted-board-boot-requirements-client-pdf_>`__
to authenticate the Secure and Non-secure software.
The `Firmware Image Package (FIP) <trusted-firmware-a-fip-guide_>`__ packs bootloader images and
other payloads into a single archive.
.. image:: images/FIPDiagram.png
:alt: FIPDiagram
The FIP for Corstone-1000 contains:
- Trusted firmware-A BL2
- AP EL3 Runtime firmware, BL31 image
- AP Secure Payload, BL32 image
- AP Normal world firmware -U-boot, BL33 image
- Trusted OS Firmware configuration file used by Trusted OS (BL32), TOS_FW_CONFIG
- Key certificates
- Content certificates
To load and validate TF-A BL2, TF-M BL2 first parses the GUID Partition Table (GPT)
to locate the FIP. It then determines the offset of TF-A BL2 within the FIP.
.. note::
TF-M does not check the FIP signature, it only checks the TF-A BL2's signature in the FIP.
.. important::
The implicitly trusted components are:
- A SHA-256 hash of the Root of Trust Public Key (ROTPK) -
For development purposes, a development ROTPK is used and its hash embedded into the TF-A BL2 image.
This public key is provided by the TF-A source code.
- TF-A BL2 image - it can be trusted because it has been verified by TF-M BL2 before starting TF-A.
The remaining components in the Chain of Trust (CoT) are either certificates or bootloader images.
Bootloader Authentication
-------------------------
The FIP contains two types of certificates:
- **Content Certificates** - used to store the hash of a bootloader image.
- **Key Certificates** - used to verify public keys used to sign Content Certificates.
The Host system bootloader images are authenticated by computing their hash and comparing it to the corresponding hash found in the Content Certificate.
Certificates Verification
-------------------------
The public keys defined in the Trusted Key Certificate are used to verify the later certificates in
the CoT process. The Trusted Key Certificate is verified with the Root of Trust Public Key.
UEFI Authenticated Variables
----------------------------
For UEFI Secure Boot, authenticated variables can be accessed from the secure flash.
The feature has been integrated in U-Boot, which authenticates the images as per the UEFI
specification before executing them.
***************
Secure Services
***************
Corstone-1000 is unique in providing a secure environment to run a secure
workload. The platform has TrustZone technology in the Host subsystem but
it also has hardware isolated secure enclave environment to run such secure
workloads. In Corstone-1000, known Secure Services such as Crypto, Protected
Storage, Internal Trusted Storage and Attestation are available via PSA
Functional APIs in TF-M. There is no difference for a user communicating to
these services which are running on a secure enclave instead of the
secure world of the host subsystem. The below diagram presents the data
flow path for such calls.
Corstone-1000 is unique in offering a secure environment for running trusted workloads.
While the Host system includes TrustZone technology, the platform also features a hardware-isolated
Secure Enclave, specifically designed to execute these secure workloads.
In Corstone-1000, essential Secure Services—such as Cryptography, Protected Storage,
Internal Trusted Storage, and Attestation—are provided through PSA Functional APIs implemented in TF-M.
From the user's perspective, there is no difference when communicating with these services,
whether they run in the Secure Enclave or in the Secure world of the Host system.
The diagram below illustrates the data flow for such calls.
.. image:: images/SecureServices.png
:width: 930
:alt: SecureServices
The Secure Enclave Proxy Secure Partition (SE Proxy SP) is a proxy managed by OP-TEE that forwards
Secure Service calls to the Secure Enclave. This communication uses the `RSE communication protocol <https://tf-m-user-guide.trustedfirmware.org/platform/arm/rse/rse_comms.html>`_.
While the protocol supports shared memory and MHU interrupts as a doorbell mechanism between cores,
in Corstone-1000, the entire message is currently transmitted through the MHU channels.
Corstone-1000 implements Isolation Level 2 using the Cortex-M0+ Memory Protection Unit (MPU).
The SE Proxy SP (Secure Enclave Proxy Secure Partition) is a proxy partition
managed by OPTEE which forwards such calls to the secure enclave. The
solution relies on OpenAMP which uses shared memory and MHU interrupts as
a doorbell for communication between two cores. Corstone-1000 implements
isolation level 2. Cortex-M0+ MPU (Memory Protection Unit) is used to implement
isolation level 2.
For a user to define its own secure service, both the options of the host
secure world or secure encalve are available. It's a trade-off between
lower latency vs higher security. Services running on a secure enclave are
secure by real hardware isolation but have a higher latency path. In the
second scenario, the services running on the secure world of the host
subsystem have lower latency but virtual hardware isolation created by
TrustZone technology.
Users can define their own secure services to run either in the Host system's Secure World or in
the Secure Enclave. This choice involves a trade-off between latency and security.
Services running in the Secure Enclave benefit from strong, hardware-enforced isolation,
offering higher security but at the cost of increased latency. In contrast, services running in the
Host Secure World experience lower latency, but rely on TrustZone technology for virtualized isolation,
which offers comparatively less robust security.
**********************
Secure Firmware Update
**********************
Apart from always booting the authorized images, it is also essential that
the device only accepts the authorized (signed) images in the firmware update
process. Corstone-1000 supports OTA (Over the Air) firmware updates and
follows Platform Security Firmware Update specification (`FWU`_).
As standardized into `FWU`_, the external flash is divided into two
banks of which one bank has currently running images and the other bank is
used for staging new images. There are four updatable units, i.e. Secure
Enclave's BL2 and TF-M, and Host's FIP (Firmware Image Package) and Kernel
Image (the initramfs bundle). The new images are accepted in the form of a UEFI capsule.
In addition to always booting authorized images, it is equally important that the device only accepts
authorized (signed) images during the firmware update process. Corstone-1000 supports over-the-air (OTA)
firmware updates and complies with the `Platform Security Firmware Update for the A-profile Arm Architecture <platform-security-fwu-for-a-profile-pdf_>`__
specification.
As defined in the specification, the external flash is divided into two banks: one bank holds the
currently running images, while the other is used to stage new images.
There are four updatable components: **BL2**, **TF-M**, **the FIP** and **the Kernel Image** (the initramfs bundle).
New images are delivered and accepted in the form of UEFI capsules.
.. image:: images/ExternalFlash.png
:width: 690
:alt: ExternalFlash
When Firmware update is triggered, u-boot verifies the capsule by checking the
capsule signature, version number and size. Then it signals the Secure Enclave
that can start writing UEFI capsule into the flash. Once this operation finishes
,Secure Enclave resets the entire system.
The Metadata Block in the flash has the below firmware update state machine.
TF-M runs an OTA service that is responsible for accepting and updating the
images in the flash. The communication between the UEFI Capsule update
subsystem and the OTA service follows the same data path explained above.
The OTA service writes the new images to the passive bank after successful
capsule verification. It changes the state of the system to trial state and
triggers the reset. Boot loaders in Secure Enclave and Host read the Metadata
block to get the information on the boot bank. In the successful trial stage,
the acknowledgment from the host moves the state of the system from trial to
regular. Any failure in the trial stage or system hangs leads to a system
reset. This is made sure by the use of watchdog hardware. The Secure Enclave's
BL1 has the logic to identify multiple resets and eventually switch back to the
previous good bank. The ability to revert to the previous bank is crucial to
guarantee the availability of the device.
When a firmware update is triggered, U-Boot begins by verifying the UEFI capsule by checking its signature,
version number, and size. After successful verification, it signals the Secure Enclave, which then
starts writing the capsule contents to flash memory.
Once the write operation is complete, the Secure Enclave resets the entire system. The update process
is tracked using a state machine stored in the Metadata Block within flash. TF-M runs an OTA service
that is responsible for verifying and updating the images in the passive flash bank. Communication
between the UEFI capsule update subsystem and the OTA service follows the same data path described
earlier. After verifying the capsule, the OTA service writes the new images to the passive bank,
updates the system state to 'trial,' and initiates a reset.
During boot, the bootloaders in both the Secure Enclave and the Host system read the Metadata Block to
determine which bank to boot from. If the trial boot succeeds, the Host system sends an acknowledgment
that transitions the system state from 'trial' to 'regular.' If the system fails during the trial phase
or hangs, a watchdog timer triggers a reset. The Secure Enclaves BL1 contains logic to detect multiple
resets and can revert to the previously known-good bank. This fallback mechanism is essential to ensure
the device remains available and functional.
.. image:: images/SecureFirmwareUpdate.png
@@ -204,13 +365,15 @@ guarantee the availability of the device.
UEFI Runtime Support in U-Boot
******************************
Implementation of UEFI boottime and runtime APIs require variable storage.
In Corstone-1000, these UEFI variables are stored in the Protected Storage
service. The below diagram presents the data flow to store UEFI variables.
The U-Boot implementation of the UEFI subsystem uses the U-Boot FF-A driver to
communicate with the SMM Service in the secure world. The backend of the
SMM service uses the proxy PS from the SE Proxy SP. From there on, the PS
calls are forwarded to the secure enclave as explained above.
The implementation of UEFI boot-time and runtime APIs requires persistent variable storage. In
Corstone-1000, UEFI variables are stored using the Protected Storage (PS) service.
The diagram below illustrates the data flow for storing UEFI variables. U-Boots UEFI subsystem
communicates with the Secure World using the U-Boot FF-A driver, which interfaces with the `UEFI System Management Mode (SMM) service <trusted-services-uefi-smm-website_>`__.
The SMM service provides support for the UEFI System Management Mode. This support is implemented by the SMM Gateway secure partition.
The SMM service then uses the Proxy Protected Storage (PS) provided by the SE Proxy SP.
These PS calls are forwarded to the Secure Enclave, following the communication path described earlier.
.. image:: images/UEFISupport.png
@@ -218,30 +381,38 @@ calls are forwarded to the secure enclave as explained above.
:alt: UEFISupport
***************
**********
References
***************
`ARM corstone1000 Search`_
`Arm security features`_
**********
* `Arm Developer <arm-developer-cs1000-search_>`__
* `Arm Security Architectures <arm-architecture-security-features-platform-security_>`_
--------------
*Copyright (c) 2022-2023, Arm Limited. All rights reserved.*
*Copyright (c) 2022-2025, Arm Limited. All rights reserved.*
.. _Arm corstone1000 Technical Overview: https://developer.arm.com/documentation/102360/0000
.. _Arm corstone1000 Software: https://developer.arm.com/Tools%20and%20Software/Corstone-1000%20Software
.. _Arm corstone1000 Search: https://developer.arm.com/search#q=corstone-1000
.. _Arm security features: https://www.arm.com/architecture/security-features/platform-security
.. _linux repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/
.. _FF-A: https://developer.arm.com/documentation/den0077/latest
.. _FF-M: https://developer.arm.com/architectures/Firmware%20Framework%20for%20M-Profile
.. _FWU: https://developer.arm.com/documentation/den0118/a/
.. _OPTEE-OS: https://github.com/OP-TEE/optee_os
.. _PSA: https://www.psacertified.org/
.. _PSA L2 Ready: https://www.psacertified.org/products/corstone-1000/
.. _SRIR cert: https://armkeil.blob.core.windows.net/developer/Files/pdf/certificate-list/arm-systemready-ir-certification-arm-corstone-1000.pdf
.. _TBBR: https://developer.arm.com/documentation/den0006/latest
.. _TF-M: https://www.trustedfirmware.org/projects/tf-m/
.. _Trusted Services: https://www.trustedfirmware.org/projects/trusted-services/
.. _U-Boot repo: https://github.com/u-boot/u-boot.git
.. _arm-developer-cs1000-website: https://developer.arm.com/Tools%20and%20Software/Corstone-1000%20Software
.. _arm-developer-cs1000-search: https://developer.arm.com/search#q=corstone-1000
.. _arm-developer-mhu-website: https://developer.arm.com/documentation/ka005129/latest/#:~:text=An%20MHU%20is%20a%20device,that%20a%20message%20is%20available
.. _arm-developer-secureboot-website: https://developer.arm.com/documentation/PRD29-GENC-009492/c/TrustZone-Software-Architecture/Booting-a-secure-system/Secure-boot
.. _arm-architecture-security-features-platform-security: https://www.arm.com/architecture/security-features/platform-security
.. _linux-repository: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/
.. _arm-trustzone-for-cortex-a-website: https://www.arm.com/technologies/trustzone-for-cortex-a
.. _arm-fmw-framework-a-profile-pdf: https://developer.arm.com/documentation/den0077/latest
.. _arm-fmw-framework-m-profile-pdf: https://developer.arm.com/architectures/Firmware%20Framework%20for%20M-Profile
.. _platform-security-fwu-for-a-profile-pdf: https://developer.arm.com/documentation/den0118/a/
.. _op-tee-os-repository: https://github.com/OP-TEE/optee_os
.. _psa-certified-website: https://www.psacertified.org/
.. _psa_l2-ready: https://www.psacertified.org/products/corstone-1000/
.. _systemready-ir-certification: https://armkeil.blob.core.windows.net/developer/Files/pdf/certificate-list/arm-systemready-ve-arm-neoverse.pdf
.. _trusted-board-boot-requirements-client-pdf: https://developer.arm.com/documentation/den0006/latest
.. _trusted-firmware-m-website: https://www.trustedfirmware.org/projects/tf-m/
.. _trusted-firmware-m-bl1-website: https://trustedfirmware-m.readthedocs.io/en/latest/design_docs/booting/bl1.html
.. _trusted-firmware-a-bl2-website: https://developer.arm.com/documentation/108028/0000/RD-TC22-software/Software-components/AP-firmware/Trusted-firmware-A-BL2
.. _trusted-firmware-a-fip-guide: https://trustedfirmware-a.readthedocs.io/en/latest/design/firmware-design.html#firmware-image-package-fip
.. _trusted-services-website: https://www.trustedfirmware.org/projects/trusted-services/
.. _trusted-services-uefi-smm-website: https://trusted-services.readthedocs.io/en/integration/services/uefi-smm-services.html#
.. _das-u-boot-repository: https://github.com/u-boot/u-boot.git
.. _keil-rtx5-website: https://developer.arm.com/Tools%20and%20Software/Keil%20MDK/RTX5%20RTOS
.. _ppa-website: https://developer.arm.com/documentation/102738/0100/Power--performance--and-area-analysis
.. _mcuboot-website: https://docs.mcuboot.com/
File diff suppressed because it is too large Load Diff

Some files were not shown because too many files have changed in this diff Show More