1
0
mirror of https://git.yoctoproject.org/meta-arm synced 2026-07-18 16:37:08 +00:00

Compare commits

...

283 Commits

Author SHA1 Message Date
Ross Burton b68089f264 CI: only run pending-updates on master
This job takes a few minutes and isn't useful unless it's being ran for
master, or is being actively worked on.

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-11-04 09:33:19 -05:00
Peter Hoyes 21894cc2ea arm/classes: Fix IMAGE_POSTPROCESS_COMMAND in fvpboot
Since OE-core 6fd8af0d, the semicolon delimeter in bb.build_exec_func
variables is not needed. The commit silently removes any stray ';' but
failed to handle ';' when assigning to vardeps.

In meta-arm, this has the effect of changes to FVP_* variables not being
picked up when rebuilding the image recipe since mickledore.

This is ancient history now, so just remove the semicolon to fix the
variable dependency issue when using fvpboot in meta-arm.

Signed-off-by: Peter Hoyes <peter.hoyes@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-08-13 05:00:22 -04:00
Hongxu Jia 2de04c3d31 optee-os_4.4.0: fix CVE-2025-46733
Backport a patch from upstream [1] to fix CVE-2025-46733

[1] https://github.com/OP-TEE/optee_os/commit/941a58d78c99c4754fbd4ec3079ec9e1d596af8f

Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-07-30 05:01:19 -04:00
Hamideh Izadyar f87642b6ca arm/trusted-firmware-m: apply TF-M downstream patches
Apply TF-M downstream patches in the main TF-M recipe, rather than doing
it in corstone1000 recipe.

Signed-off-by: Hamideh Izadyar <hamideh.izadyar@arm.com>
Signed-off-by: Ross Burton <ross.burton@arm.com>
2025-07-29 17:57:58 +01:00
Ross Burton 8e2c715fab CI: use walnascar branch of meta-virtualization
This layer has a walnascar branch now, so use it as master is no longer
compatible with walnascar.

Signed-off-by: Ross Burton <ross.burton@arm.com>
2025-07-14 11:41:23 +01:00
Jon Mason ed9d996aa9 arm-systemready/ir-acs: Update URL
The github URL where the image was located has gone away on the master
branch.  Update the URL to point to the legacy branch, which should stay
around (according to the documentation).

Fixes: aebe535aa8 ("arm-systemready: Introduce the Arm SystemReady layer")
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-07-08 11:34:06 -04:00
Abdellatif El Khlifi c63ce2117e kas: corstone-1000: pin Yocto layer dependencies for CORSTONE1000-2025-05 release
Set the tested SHAs of the dependent community layers from
the Walnascar branch of each layer.

Signed-off-by: Abdellatif El Khlifi <abdellatif.elkhlifi@arm.com>
Signed-off-by: Hugues KAMBA MPIANA <hugues.kambampiana@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-06-16 02:00:23 -04:00
Hugues KAMBA MPIANA 0acaf26833 arm-bsp/documentation: corstone1000: Amend for CORSTONE1000-2025.05
* Update software component recipe references
* Update Yocto Project release name
* Update Corstone-1000 release name
* Update release note
* Various other improvements

Signed-off-by: Hugues KAMBA MPIANA <hugues.kambampiana@arm.com>
Signed-off-by: Harsimran Singh Tungal <harsimransingh.tungal@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-06-16 02:00:23 -04:00
Ali Can Ozaslan 4f8d2f4b2f arm-bsp/trusted-services: corstone1000: Align PSA crypto structs with TF-M
The TF-M was upgraded to v2.1.1 for the Corstone-1000. The TS had to be
aligned with it, to keep the Secure Enclave Proxy Secure Partition
compatible with TF-M.

Signed-off-by: Ali Can Ozaslan <ali.oezaslan@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-05-07 14:00:17 -04:00
Ross Burton 42928dcc17 CI: use walnascar branches
Signed-off-by: Ross Burton <ross.burton@arm.com>
2025-04-15 16:46:23 +01:00
Jon Mason ca5c51e25c arm/edk2-firmware: remove qemuarm64-secureboot
edk2 isn't booting on qemuarm64-secureboot, and hasn't for some time.
Also, it's not being tested as part of CI.  Remove until it is working
again.

Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-04-11 09:37:38 -04:00
Jon Mason 69121ff4e5 arm/edk2-firmware: update to 202502
Update to the latest tagged version of edk2-firmware.  This requires
rebasing the sbsa-acs patches.  Also, sgi575 works with the latest
version but requires a patch to compile cleanly.

There is an issue with qemuarm/qemuarm64 where the boot device is not
found in edk2 if 'RELEASE' is set as the build mode.  Temporarily
changing that to DEBUG while the issue is being worked on (in
https://github.com/tianocore/edk2/issues/10942).

Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-04-11 09:37:38 -04:00
Jon Mason ce4c7f6661 arm/edk2-firmware: add version to be printed out
Currently, the version number is not being specified, which is causing
the version to be printed as an empty string.  Such as:
    UEFI firmware (version  built at 00:50:36 on Feb 21 2025)
and
    Tianocore/EDK2 firmware version

Add the package version as the version to be printed out, which results
in:
    UEFI firmware (version 202502 built at 00:50:36 on Feb 21 2025)
and
    Tianocore/EDK2 firmware version 202502

An intermediate variable was used instead of PV to allow for the
variable to be overridden if necessary.

Also, minor white space clean-up to match the style in the rest of the
file.

Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-04-11 09:37:38 -04:00
Richard Purdie ca97d0fcec classes/tfm_sign_image: Fix assignment whitespace
Fix whitespace to avoid a warning with newer bitbake.

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-04-11 06:00:04 -04:00
Yogesh Wani 385450558e arm-bsp/documentation: corstone1000: Fix typos in the documentation
The Corstone-1000 read the docs had some small typos in the
Design Overview section. Commit addresses these.

Copyright information now updated.

Signed-off-by: Yogesh Wani <yogesh.wani@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-04-09 05:00:04 -04:00
Gergely Kovacs 79eb13dd05 arm/trusted-firmware-a: remove optee-os dependency from tests
The TF-A tests should not depend on OPTEE-OS

Signed-off-by: Gergely Kovacs <Gergely.Kovacs2@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-04-08 06:00:05 -04:00
Ross Burton 1d119f24f9 arm/fvp-base-a-aem: remove spurious executable stack from one library
There are some objects in the FVP binary that are assembler source and
fail to declare what permissions the stack needs to have, so GCC falls
back to assuming that the final binary needs an executable stack.

glibc 2.41 (as now used in uninative) introduces changes here[1]: whether
to have an executable stack or not when the binary doesn't specify a
need (defaults to executable, but this is a tunable), and any binaries
that are dlopen()ed that require an executable stack will fail.

Thus, some FVPs on some platforms (notable, fvp-base-a-aem on x86-64)
now fail on startup:

  libarmctmodel.so: cannot enable executable stack as shared object requires: Invalid argument

Luckily the solution here is to simply clear the executable bit, as
an executable stack is not actually needed.  Until a new release of the
FVP is made we can fix the binary in our package using execstack.

[1] https://lists.gnu.org/archive/html/info-gnu/2025-01/msg00014.html

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-04-04 13:55:24 -04:00
Ross Burton b19f24bd0a arm/execstack-native: add new recipe
Add a recipe for the execstack binary from prelink-cross. This tool is
used to manipulate the GNU_STACK segment in ELF binaries, specifically
to control whether the binary requests an executable stack or not.

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-04-04 13:55:24 -04:00
Martin Jansa 5a55c4aaf9 metadata: add whitespace around assignments
With:
https://lists.openembedded.org/g/bitbake-devel/message/17508
there are WARNINGs like:

WARNING: meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-spm-test1_git.bb: meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-spm-test1_git.bb:3 has a lack of whitespace around the assignment: 'SP_INDEX="1"'
WARNING: meta-arm/meta-arm-toolchain/recipes-devtools/external-arm-toolchain/gcc-aarch64-none-elf_13.3.rel1.bb: meta-arm/meta-arm-toolchain/recipes-devtools/external-arm-toolchain/arm-binary-toolchain.inc:31 has a lack of whitespace around the assignment: 'SKIP_FILEDEPS="1"'
WARNING: meta-arm/meta-arm-toolchain/recipes-devtools/external-arm-toolchain/gcc-arm-none-eabi_13.3.rel1.bb: meta-arm/meta-arm-toolchain/recipes-devtools/external-arm-toolchain/arm-binary-toolchain.inc:31 has a lack of whitespace around the assignment: 'SKIP_FILEDEPS="1"'
WARNING: meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/tf-a-tests_2.10.3.bb: meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/tf-a-tests_2.10.3.bb:37 has a lack of whitespace around the assignment: 'export CROSS_COMPILE="${TARGET_PREFIX}"'
WARNING: meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/tf-a-tests_2.12.0.bb: meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/tf-a-tests_2.12.0.bb:38 has a lack of whitespace around the assignment: 'export CROSS_COMPILE="${TARGET_PREFIX}"'
WARNING: meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_2.10.12.bb: meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a.inc:80 has a lack of whitespace around the assignment: 'export CROSS_COMPILE="${TARGET_PREFIX}"'
WARNING: meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_2.12.1.bb: meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a.inc:80 has a lack of whitespace around the assignment: 'export CROSS_COMPILE="${TARGET_PREFIX}"'
WARNING: meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_git.bb: meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a.inc:80 has a lack of whitespace around the assignment: 'export CROSS_COMPILE="${TARGET_PREFIX}"'
WARNING: meta-arm/meta-arm/recipes-bsp/trusted-firmware-m/trusted-firmware-m_2.1.1.bb: meta-arm/meta-arm/recipes-bsp/trusted-firmware-m/trusted-firmware-m.inc:89 has a lack of whitespace around the assignment: 'export OPENSSL_MODULES="${STAGING_LIBDIR_NATIVE}/ossl-modules"'
WARNING: meta-arm/meta-arm/recipes-bsp/trusted-firmware-rmm/trusted-firmware-rmm_0.6.0.bb: meta-arm/meta-arm/recipes-bsp/trusted-firmware-rmm/trusted-firmware-rmm_0.6.0.bb:34 has a lack of whitespace around the assignment: 'export CROSS_COMPILE="${TARGET_PREFIX}"'
WARNING: meta-arm/meta-arm/recipes-devtools/fvp/fvp-base-a-aem_11.28.23.bb: meta-arm/meta-arm/recipes-devtools/fvp/fvp-common.inc:42 has a lack of whitespace around the assignment: 'PV_URL_SHORT="${@get_fm_short_pv_url(d)}"'
WARNING: meta-arm/meta-arm/recipes-devtools/fvp/fvp-corstone1000.bb: meta-arm/meta-arm/recipes-devtools/fvp/fvp-common.inc:42 has a lack of whitespace around the assignment: 'PV_URL_SHORT="${@get_fm_short_pv_url(d)}"'
WARNING: meta-arm/meta-arm/recipes-devtools/fvp/fvp-library.bb: meta-arm/meta-arm/recipes-devtools/fvp/fvp-common.inc:42 has a lack of whitespace around the assignment: 'PV_URL_SHORT="${@get_fm_short_pv_url(d)}"'
WARNING: meta-arm/meta-arm/recipes-devtools/fvp/fvp-n1-edge.bb: meta-arm/meta-arm/recipes-devtools/fvp/fvp-common.inc:42 has a lack of whitespace around the assignment: 'PV_URL_SHORT="${@get_fm_short_pv_url(d)}"'
WARNING: meta-arm/meta-arm/recipes-devtools/fvp/fvp-sgi575.bb: meta-arm/meta-arm/recipes-devtools/fvp/fvp-common.inc:42 has a lack of whitespace around the assignment: 'PV_URL_SHORT="${@get_fm_short_pv_url(d)}"'
WARNING: meta-arm/meta-arm/recipes-security/optee-ftpm/optee-ftpm_git.bb: meta-arm/meta-arm/recipes-security/optee-ftpm/optee-ftpm_git.bb:21 has a lack of whitespace around the assignment: 'FTPM_UUID="bc50d971-d4c9-42c4-82cb-343fb7f37896"'
WARNING: meta-arm/meta-arm/recipes-security/optee-ftpm/optee-ftpm_git.bb: meta-arm/meta-arm/recipes-security/optee-ftpm/optee-ftpm_git.bb:53 has a lack of whitespace around the assignment: 'export OPENSSL_MODULES="${STAGING_LIBDIR_NATIVE}/ossl-modules"'
WARNING: meta-arm/meta-arm/recipes-security/optee/optee-examples_4.3.0.bb: meta-arm/meta-arm/recipes-security/optee/optee.inc:34 has a lack of whitespace around the assignment: 'export OPENSSL_MODULES="${STAGING_LIBDIR_NATIVE}/ossl-modules"'
WARNING: meta-arm/meta-arm/recipes-security/optee/optee-os-tadevkit_4.3.0.bb: meta-arm/meta-arm/recipes-security/optee/optee.inc:34 has a lack of whitespace around the assignment: 'export OPENSSL_MODULES="${STAGING_LIBDIR_NATIVE}/ossl-modules"'
WARNING: meta-arm/meta-arm/recipes-security/optee/optee-os_4.3.0.bb: meta-arm/meta-arm/recipes-security/optee-ftpm/optee-os_%.bbappend:1 has a lack of whitespace around the assignment: 'FTPM_UUID="bc50d971-d4c9-42c4-82cb-343fb7f37896"'
WARNING: meta-arm/meta-arm/recipes-security/optee/optee-os_4.3.0.bb: meta-arm/meta-arm/recipes-security/optee/optee-os-ts.inc:11 has a lack of whitespace around the assignment: 'TS_BIN_SPM_TEST= "${RECIPE_SYSROOT}/usr/opteesp/bin"'
WARNING: meta-arm/meta-arm/recipes-security/optee/optee-os_4.3.0.bb: meta-arm/meta-arm/recipes-security/optee/optee.inc:34 has a lack of whitespace around the assignment: 'export OPENSSL_MODULES="${STAGING_LIBDIR_NATIVE}/ossl-modules"'
WARNING: meta-arm/meta-arm/recipes-security/optee/optee-test_4.3.0.bb: meta-arm/meta-arm/recipes-security/optee/optee.inc:34 has a lack of whitespace around the assignment: 'export OPENSSL_MODULES="${STAGING_LIBDIR_NATIVE}/ossl-modules"'
WARNING: meta-arm/meta-arm/recipes-security/trusted-services/libts_git.bb: meta-arm/meta-arm/recipes-security/trusted-services/libts_git.bb:12 has a lack of whitespace around the assignment: 'OECMAKE_SOURCEPATH="${S}/deployments/libts/${TS_ENV}"'
WARNING: meta-arm/meta-arm/recipes-security/trusted-services/libts_git.bb: meta-arm/meta-arm/recipes-security/trusted-services/trusted-services.inc:37 has a lack of whitespace around the assignment: 'export CROSS_COMPILE="${TARGET_PREFIX}"'
WARNING: meta-arm/meta-arm/recipes-security/trusted-services/ts-demo_git.bb: meta-arm/meta-arm/recipes-security/trusted-services/trusted-services.inc:37 has a lack of whitespace around the assignment: 'export CROSS_COMPILE="${TARGET_PREFIX}"'
WARNING: meta-arm/meta-arm/recipes-security/trusted-services/ts-demo_git.bb: meta-arm/meta-arm/recipes-security/trusted-services/ts-demo_git.bb:13 has a lack of whitespace around the assignment: 'OECMAKE_SOURCEPATH="${S}/deployments/ts-demo/${TS_ENV}"'
WARNING: meta-arm/meta-arm/recipes-security/trusted-services/ts-psa-crypto-api-test_git.bb: meta-arm/meta-arm/recipes-security/trusted-services/trusted-services.inc:37 has a lack of whitespace around the assignment: 'export CROSS_COMPILE="${TARGET_PREFIX}"'
WARNING: meta-arm/meta-arm/recipes-security/trusted-services/ts-psa-iat-api-test_git.bb: meta-arm/meta-arm/recipes-security/trusted-services/trusted-services.inc:37 has a lack of whitespace around the assignment: 'export CROSS_COMPILE="${TARGET_PREFIX}"'
WARNING: meta-arm/meta-arm/recipes-security/trusted-services/ts-psa-its-api-test_git.bb: meta-arm/meta-arm/recipes-security/trusted-services/trusted-services.inc:37 has a lack of whitespace around the assignment: 'export CROSS_COMPILE="${TARGET_PREFIX}"'
WARNING: meta-arm/meta-arm/recipes-security/trusted-services/ts-psa-ps-api-test_git.bb: meta-arm/meta-arm/recipes-security/trusted-services/trusted-services.inc:37 has a lack of whitespace around the assignment: 'export CROSS_COMPILE="${TARGET_PREFIX}"'
WARNING: meta-arm/meta-arm/recipes-security/trusted-services/ts-remote-test_git.bb: meta-arm/meta-arm/recipes-security/trusted-services/trusted-services.inc:37 has a lack of whitespace around the assignment: 'export CROSS_COMPILE="${TARGET_PREFIX}"'
WARNING: meta-arm/meta-arm/recipes-security/trusted-services/ts-service-test_git.bb: meta-arm/meta-arm/recipes-security/trusted-services/trusted-services.inc:37 has a lack of whitespace around the assignment: 'export CROSS_COMPILE="${TARGET_PREFIX}"'
WARNING: meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-attestation_git.bb: meta-arm/meta-arm/recipes-security/trusted-services/trusted-services.inc:37 has a lack of whitespace around the assignment: 'export CROSS_COMPILE="${TARGET_PREFIX}"'
WARNING: meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-attestation_git.bb: meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-attestation_git.bb:8 has a lack of whitespace around the assignment: 'OECMAKE_SOURCEPATH="${S}/deployments/attestation/config/${TS_SP_IAT_CONFIG}-${TS_ENV}"'
WARNING: meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-attestation_git.bb: meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-common.inc:42 has a lack of whitespace around the assignment: 'OECMAKE_ARGS:remove="-DCMAKE_TOOLCHAIN_FILE:FILEPATH=${WORKDIR}/toolchain.cmake"'
WARNING: meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-block-storage_git.bb: meta-arm/meta-arm/recipes-security/trusted-services/trusted-services.inc:37 has a lack of whitespace around the assignment: 'export CROSS_COMPILE="${TARGET_PREFIX}"'
WARNING: meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-block-storage_git.bb: meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-block-storage_git.bb:13 has a lack of whitespace around the assignment: 'OECMAKE_SOURCEPATH="${S}/deployments/block-storage/config/${TS_SP_BLOCK_STORAGE_CONFIG}-${TS_ENV}"'
WARNING: meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-block-storage_git.bb: meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-common.inc:42 has a lack of whitespace around the assignment: 'OECMAKE_ARGS:remove="-DCMAKE_TOOLCHAIN_FILE:FILEPATH=${WORKDIR}/toolchain.cmake"'
WARNING: meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-crypto_git.bb: meta-arm/meta-arm/recipes-security/trusted-services/trusted-services.inc:37 has a lack of whitespace around the assignment: 'export CROSS_COMPILE="${TARGET_PREFIX}"'
WARNING: meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-crypto_git.bb: meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-common.inc:42 has a lack of whitespace around the assignment: 'OECMAKE_ARGS:remove="-DCMAKE_TOOLCHAIN_FILE:FILEPATH=${WORKDIR}/toolchain.cmake"'
WARNING: meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-crypto_git.bb: meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-crypto_git.bb:10 has a lack of whitespace around the assignment: 'OECMAKE_SOURCEPATH="${S}/deployments/crypto/config/${TS_SP_CRYPTO_CONFIG}-${TS_ENV}"'
WARNING: meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-fwu_git.bb: meta-arm/meta-arm/recipes-security/trusted-services/trusted-services.inc:37 has a lack of whitespace around the assignment: 'export CROSS_COMPILE="${TARGET_PREFIX}"'
WARNING: meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-fwu_git.bb: meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-common.inc:42 has a lack of whitespace around the assignment: 'OECMAKE_ARGS:remove="-DCMAKE_TOOLCHAIN_FILE:FILEPATH=${WORKDIR}/toolchain.cmake"'
WARNING: meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-fwu_git.bb: meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-fwu_git.bb:14 has a lack of whitespace around the assignment: 'OECMAKE_SOURCEPATH="${S}/deployments/fwu/config/${TS_SP_FWU_CONFIG}-${TS_ENV}"'
WARNING: meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-its_git.bb: meta-arm/meta-arm/recipes-security/trusted-services/trusted-services.inc:37 has a lack of whitespace around the assignment: 'export CROSS_COMPILE="${TARGET_PREFIX}"'
WARNING: meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-its_git.bb: meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-common.inc:42 has a lack of whitespace around the assignment: 'OECMAKE_ARGS:remove="-DCMAKE_TOOLCHAIN_FILE:FILEPATH=${WORKDIR}/toolchain.cmake"'
WARNING: meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-its_git.bb: meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-its_git.bb:8 has a lack of whitespace around the assignment: 'OECMAKE_SOURCEPATH="${S}/deployments/internal-trusted-storage/config/${TS_SP_ITS_CONFIG}-${TS_ENV}"'
WARNING: meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-se-proxy_git.bb: meta-arm/meta-arm/recipes-security/trusted-services/trusted-services.inc:37 has a lack of whitespace around the assignment: 'export CROSS_COMPILE="${TARGET_PREFIX}"'
WARNING: meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-se-proxy_git.bb: meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-common.inc:42 has a lack of whitespace around the assignment: 'OECMAKE_ARGS:remove="-DCMAKE_TOOLCHAIN_FILE:FILEPATH=${WORKDIR}/toolchain.cmake"'
WARNING: meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-se-proxy_git.bb: meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-se-proxy_git.bb:10 has a lack of whitespace around the assignment: 'OECMAKE_SOURCEPATH="${S}/deployments/se-proxy/config/${TS_SP_SE_PROXY_CONFIG}-${TS_ENV}"'
WARNING: meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-smm-gateway_git.bb: meta-arm/meta-arm/recipes-security/trusted-services/trusted-services.inc:37 has a lack of whitespace around the assignment: 'export CROSS_COMPILE="${TARGET_PREFIX}"'
WARNING: meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-smm-gateway_git.bb: meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-common.inc:42 has a lack of whitespace around the assignment: 'OECMAKE_ARGS:remove="-DCMAKE_TOOLCHAIN_FILE:FILEPATH=${WORKDIR}/toolchain.cmake"'
WARNING: meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-smm-gateway_git.bb: meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-smm-gateway_git.bb:8 has a lack of whitespace around the assignment: 'OECMAKE_SOURCEPATH="${S}/deployments/smm-gateway/config/${TS_SP_SMM_GATEWAY_CONFIG}-${TS_ENV}"'
WARNING: meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-spm-test1_git.bb: meta-arm/meta-arm/recipes-security/trusted-services/trusted-services.inc:37 has a lack of whitespace around the assignment: 'export CROSS_COMPILE="${TARGET_PREFIX}"'
WARNING: meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-spm-test1_git.bb: meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-common.inc:42 has a lack of whitespace around the assignment: 'OECMAKE_ARGS:remove="-DCMAKE_TOOLCHAIN_FILE:FILEPATH=${WORKDIR}/toolchain.cmake"'
WARNING: meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-spm-test1_git.bb: meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-spm-test-common.inc:10 has a lack of whitespace around the assignment: 'OECMAKE_SOURCEPATH="${S}/deployments/spm-test${SP_INDEX}/${TS_ENV}"'
WARNING: meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-spm-test1_git.bb: meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-spm-test1_git.bb:3 has a lack of whitespace around the assignment: 'SP_INDEX="1"'
WARNING: meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-spm-test2_git.bb: meta-arm/meta-arm/recipes-security/trusted-services/trusted-services.inc:37 has a lack of whitespace around the assignment: 'export CROSS_COMPILE="${TARGET_PREFIX}"'
WARNING: meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-spm-test2_git.bb: meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-common.inc:42 has a lack of whitespace around the assignment: 'OECMAKE_ARGS:remove="-DCMAKE_TOOLCHAIN_FILE:FILEPATH=${WORKDIR}/toolchain.cmake"'
WARNING: meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-spm-test2_git.bb: meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-spm-test-common.inc:10 has a lack of whitespace around the assignment: 'OECMAKE_SOURCEPATH="${S}/deployments/spm-test${SP_INDEX}/${TS_ENV}"'
WARNING: meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-spm-test2_git.bb: meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-spm-test2_git.bb:3 has a lack of whitespace around the assignment: 'SP_INDEX="2"'
WARNING: meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-spm-test3_git.bb: meta-arm/meta-arm/recipes-security/trusted-services/trusted-services.inc:37 has a lack of whitespace around the assignment: 'export CROSS_COMPILE="${TARGET_PREFIX}"'
WARNING: meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-spm-test3_git.bb: meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-common.inc:42 has a lack of whitespace around the assignment: 'OECMAKE_ARGS:remove="-DCMAKE_TOOLCHAIN_FILE:FILEPATH=${WORKDIR}/toolchain.cmake"'
WARNING: meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-spm-test3_git.bb: meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-spm-test-common.inc:10 has a lack of whitespace around the assignment: 'OECMAKE_SOURCEPATH="${S}/deployments/spm-test${SP_INDEX}/${TS_ENV}"'
WARNING: meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-spm-test3_git.bb: meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-spm-test3_git.bb:3 has a lack of whitespace around the assignment: 'SP_INDEX="3"'
WARNING: meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-spm-test4_git.bb: meta-arm/meta-arm/recipes-security/trusted-services/trusted-services.inc:37 has a lack of whitespace around the assignment: 'export CROSS_COMPILE="${TARGET_PREFIX}"'
WARNING: meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-spm-test4_git.bb: meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-common.inc:42 has a lack of whitespace around the assignment: 'OECMAKE_ARGS:remove="-DCMAKE_TOOLCHAIN_FILE:FILEPATH=${WORKDIR}/toolchain.cmake"'
WARNING: meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-spm-test4_git.bb: meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-spm-test-common.inc:10 has a lack of whitespace around the assignment: 'OECMAKE_SOURCEPATH="${S}/deployments/spm-test${SP_INDEX}/${TS_ENV}"'
WARNING: meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-spm-test4_git.bb: meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-spm-test4_git.bb:3 has a lack of whitespace around the assignment: 'SP_INDEX="4"'
WARNING: meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-storage_git.bb: meta-arm/meta-arm/recipes-security/trusted-services/trusted-services.inc:37 has a lack of whitespace around the assignment: 'export CROSS_COMPILE="${TARGET_PREFIX}"'
WARNING: meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-storage_git.bb: meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-common.inc:42 has a lack of whitespace around the assignment: 'OECMAKE_ARGS:remove="-DCMAKE_TOOLCHAIN_FILE:FILEPATH=${WORKDIR}/toolchain.cmake"'
WARNING: meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-storage_git.bb: meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-storage_git.bb:8 has a lack of whitespace around the assignment: 'OECMAKE_SOURCEPATH="${S}/deployments/protected-storage/config/${TS_SP_PS_CONFIG}-${TS_ENV}"'
WARNING: meta-arm/meta-arm/recipes-security/trusted-services/ts-uefi-test_git.bb: meta-arm/meta-arm/recipes-security/trusted-services/trusted-services.inc:37 has a lack of whitespace around the assignment: 'export CROSS_COMPILE="${TARGET_PREFIX}"'

Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-04-04 06:00:04 -04:00
Mikko Rapeli 7fca237eab trusted-firmware-a: set mbedtls git branch with SRCBRANCH_MBEDTLS
Enables building latest bleeding edge tf-a and mbedtls with
local.conf setup:

INHERIT += "poky-bleeding"
POKY_AUTOREV_RECIPES += "trusted-firmware-a"

SRCREV_mbedtls:pn-trusted-firmware-a = "AUTOINC"
SRCREV_tfa:pn-trusted-firmware-a = "AUTOINC"
SRCBRANCH:pn-trusted-firmware-a = "master"
SRCBRANCH_MBEDTLS:pn-trusted-firmware-a = "master"
LIC_FILES_CHKSUM:pn-trusted-firmware-a = "file://docs/license.rst;md5=1118e32884721c0be33267bd7ae11130"
BBMASK += "meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_2.10.12.bb"
BBMASK += "meta-arm-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a_2.11.0.bb"

This includes workarounds for poky-bleeding.bbclass which doesn't
work with multiple SRCREV variables, masking away
tf-a 2.10 and 2.11 recipes which cause recipe parsing problems
and only one recipe needed to build latest upstream master
branch to avoid 503 error codes from remote git server.

Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-04-04 05:00:04 -04:00
Gyorgy Szing 595cb0f1a0 arm/trusted-services: fix udev management in libts
- Change libts to stop making udev related configuration if optee-client
  is deployed to the target to avoid conflicts.
- Remove the executable permission from installed tee-udev.rules file.
- Remove teepriv device from udev file as this device is op-tee specific.

Signed-off-by: Gyorgy Szing <gyorgy.szing@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-04-02 11:00:04 -04:00
Gyorgy Szing 158ce8e566 optee-client: use the same tee group as libts
Change optee-client to use the same bitbake variable to configure the
group name used for controlling access to /dev/tee* devices on the
target. The aim is to simplify system configuration by aligning the
two recipes.

Signed-off-by: Gyorgy Szing <gyorgy.szing@arm.com>
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-04-02 11:00:04 -04:00
Gyorgy Szing 516eb0672f optee-client: drop privileges of tee-supplicant
Stop the tee-supplicant being run with root privileges when the system
is not using systemd.

Signed-off-by: Gyorgy Szing <gyorgy.szing@arm.com>
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-04-02 11:00:04 -04:00
Gyorgy Szing 91cacb6332 optee-client: fix udev and systemd handling
Eliminate the systemd specific install content fix-up commands appended
to do_install.
  - patch optee-client to allow controlling installation of systemd and
    udev specific configuration files.
  - pass driver group names to optee-client build

Signed-off-by: Gyorgy Szing <gyorgy.szing@arm.com>
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-04-02 11:00:04 -04:00
Gyorgy Szing 2ec60ece8d optee-os: add v4.4
Add recipes to allow building OP-TEE v4.4. This is the first version
carrying an SPMC implementation which supports branch protection.

Update corstone1000:
  - to use the new op-tee version
  - `CFG_TZDRAM_SIZE` is increased further from `0x340000` to `0x360000`
     as version 4.4.0 of OP-TEE OS requires more memory

Signed-off-by: Gyorgy Szing <gyorgy.szing@arm.com>
Signed-off-by: Bence Balogh <bence.balogh@arm.com>
Signed-off-by: Ross Burton <ross.burton@arm.com>

optee-os: corestone1000: udpate to op-tee v4.4

Update OP-TEE version and add a patch to increase TZDRAM size to add
more memory to OP-TEE.

Signed-off-by: Gyorgy Szing <gyorgy.szing@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-04-02 11:00:04 -04:00
Mikko Rapeli 94596e0fae optee-client: use udev rule and systemd service from upstream
Use backported upstream patch for udev rule and systemd service file.
sysvinit script is still used from meta-arm. Don't install systemd
service without systemd distro feature, other way round for
sysvinit script.

tee-supplicant started by systemd service runs as non-root teesuppl
user with teepriv group. sysvinit still runs as root since busybox
start-stop-daemon doesn't support -g group parameter and -u teesuppl
doesn't seem to change the effective user.

udev rules allow non-root /dev/tee* access from tee and
/dev/teepriv* access from teepriv groups.

Tested sysvinit changes with:

$ kas build ci/qemuarm64-secureboot.yml:ci/poky.yml:ci/testimage.yml

and systemd changes with:

$ kas build ci/qemuarm64-secureboot.yml:ci/poky.yml:ci/testimage.yml:ci/uefi-secureboot.yml

Cc: tom.hochstein@nxp.com
Cc: sahil.malhotra@nxp.com
Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-04-02 11:00:04 -04:00
Mikko Rapeli 9f19b9b9a3 trusted-firmare-a: update qemu patch status
Submitted to upstream and worked through review
comments and CI issues:

https://review.trustedfirmware.org/c/TF-A/trusted-firmware-a/+/36514

Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-04-01 10:42:55 -04:00
Mikko Rapeli 629fc54290 edk2-firmware: fix SOURCE_DATE_EPOCH
edk2-firmware build scripts use printenv to print SOURCE_DATE_EPOCH
but that is not in HOSTTOOLS and thus fails with configurations
which use VirtualRealTimeClockLib. Change to using SOURCE_DATE_EPOCH
environment variable directly to fix builds. I think this is OE
specific build config change but filed a bug report upstream
https://github.com/tianocore/edk2/issues/10910
since the fallback mechanism is not working.

Applying patch in 202411 recipe and not .inc since 202408 recipe
from meta-arm-bsp does not find the patch file from meta-arm
side.

[Jon Mason: corrected issues with email patch mangling for edk2]

Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-04-01 10:41:22 -04:00
Ross Burton 2cc1cd16ab CI: dump all environment variables in update-repos
Print all of the environment variables in the update-repos task for
introspection, instead of a subset.

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-04-01 09:25:23 -04:00
Ross Burton 9b92d080b1 CI: disable KAS_REPO_REF_DIR by default
Having local repo caches is a little fiddly to manage, and by definition
we're running CI inside GitLab which supports mirroring repositories
automatically.

As these mirrors are always available and update automatically, make
Kas reference directories opt-in and instead expect that the site is
either fine with full fetches, or is using KAS_PREMIRRORS.

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-04-01 09:25:23 -04:00
Ross Burton c8da42d7bd CI: always save the lockfile.yml in update-repos
The update-repos job can "fail with warnings" if the reference repository
fetch fails. This is intentionally a warning as the CI may have set
KAS_PREMIRRORS and a stale cache is fine.

However, by default artifacts are only saved on successful jobs, so if
this happens the lockfile.yml isn't saved. Ensure the artifacts are
always saved so the rest of the pipeline is successful.

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-04-01 09:25:23 -04:00
Jon Mason f94c002d1d arm-bsp/sgi575: add FVP support
Add FVP support to sgi575 and run a boot test as part of CI.  Networking
is not currently working and seems to require an older version of edk2
to boot the kernel.  Also, the unique files for grub and wks do not seem
to be necessary.

Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-03-28 10:00:08 -04:00
Jon Mason 3bf8bf5d4d arm/fvp: add TC3 and Neoverse v3, remove n1 edge
Add Total Compute 2023, Neoverse V3 R1, and Reference Design-1 AE FVPs.
Also, remove Neoverse N1 Edge.

Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-03-28 10:00:08 -04:00
Jon Mason 957fcca083 arm/edk2-firmware: Fix branch name variables
In the SRC_URI, the branch name variables are switched for edk2 and
edk2-platforms.  Switch them as appropriate.

Fixes: bf204866e8 ("arm: Use SRC* variables consistently")
Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-03-28 10:00:08 -04:00
Ross Burton 49cad31d10 ci/update-repos: always pass the latest URL
Instead of assuming that the repository was created with the latest URL,
fetch the repository explicitly when fetching.

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-03-26 15:00:07 -04:00
Ross Burton 95e4041c19 ci: show KAS_PREMIRRORS in preamble
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-03-26 15:00:07 -04:00
Ross Burton 69f9b2da14 ci: forward the exit code from update-repos
If update-repos fails with status 128 then that means it failed to fetch
the remote repositories.  This should result in a warning not a failure
but flock was just returning status 1.

Save the exit code and if it returns 128 continue but exit with it
later, so the lockfile generation still occurs but the job doesn't fail.

Also, only call the update-repos script if KAS_REPO_REF_DIR has been set.

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-03-26 15:00:07 -04:00
Ross Burton 5d0fcd503b CI: use canonical git.yoctoproject.org URLs
The canonical repository URLs don't use /git/.

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-03-26 15:00:07 -04:00
Mikko Rapeli 56c13c3648 trusted-firmware-a: move qemu patch
qemuarm64-secureboot directory in path to 0001-Add-spmc_manifest-for-qemu.patch
hides the patch from machines with different names and thus break builds
unless overrides are set to include "qemuarm64-secureboot".
Move patch to plain "files" directory to avoid build failures
and this cumbersome workaround.

Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-03-25 14:05:52 -04:00
Ross Burton 34c8608d87 arm-system-ready/arm-systemready-ir-acs: add version to download filename
The download filename wasn't versioned so multiple versions would write
to the same file on disk and conflict, causing repeated downloads and
fetch failures.

Add the PV to the filename on disk to resolve this.

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-03-25 14:05:32 -04:00
Ross Burton c9fa84d0f7 CI: use DEFAULT_TAG as the default ACS_TAG
This stops the job being stuck if the runners will only take jobs that
have been tagged.

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-03-25 14:05:32 -04:00
Jon Mason f78c6c0e4f arm/trusted-firmware-a: update 2.12.0 recipe to 2.12.1
Update to the lts-v2.12.1 tag.  Changes include a number of CVE fixes
and mbedtls minor version bump:
	8cf9edba5cc3 docs(changelog): changelog for lts-v2.12.1 release
	f5d048108bf3 Merge changes from topic "for-lts-v2.12.1" into lts-v2.12
	56472775f96d docs(maintainers): update LTS maintainers
	baab55315c7f docs: updates to LTS
	f00f71efc410 docs: add inital lts doc
	1a8ee82c6d77 Merge changes from topic "for-lts-v2.12.1" into lts-v2.12
	b19ce90a908c fix(rd1ae): fix rd1-ae device tree
	34f10e7d9fc7 feat(rd1ae): add Generic Timer in device tree
	551dc4c09f57 docs(rd1ae): update documentation to include BL32
	8e4240779867 feat(rd1ae): add support for OP-TEE SPMC
	8e4bb69c747e feat(mbedtls): mbedtls config update for v3.6.2
	a46d6a1320d7 docs(prerequisites): update mbedtls to version 3.6.2
	2ffe181a3982 refactor(mbedtls): rename default mbedtls confs
	3809359e2124 fix(cpus): workaround for Neoverse-V3 erratum 3701767
	4a9ff092c9b4 fix(cpus): workaround for Neoverse-N3 erratum 3699563
	7e41b706e97c fix(cpus): workaround for Neoverse-N2 erratum 3701773
	15300ac30c55 fix(cpus): workaround for Cortex-X925 erratum 3701747
	6e0efc7fe739 fix(cpus): workaround for Cortex-X4 erratum 3701758
	8299c1274617 fix(cpus): workaround for Cortex-X3 erratum 3701769
	fa6c9874485b fix(cpus): workaround for Cortex-X2 erratum 3701772
	4e78288fd2bc fix(cpus): workaround for Cortex-A725 erratum 3699564
	ae6edfd5b543 fix(cpus): workaround for Cortex-A720-AE erratum 3699562
	24526273fc50 fix(cpus): workaround for Cortex-A720 erratum 3699561
	a7b322706435 fix(cpus): workaround for Cortex-A715 erratum 3699560
	d4826882210b fix(cpus): workaround for Cortex-A710 erratum 3701772
	9d6143ec8ffb fix(cpus): workaround for accessing ICH_VMCR_EL2
	7e4bf042a0dd chore(cpus): fix incorrect header macro
	9427c061eb8d fix(security): apply SMCCC_ARCH_WORKAROUND_4 to affected cpus
	bea64fd5272d fix(security): add support in cpu_ops for CVE-2024-7881
	16b87247ed03 fix(security): add CVE-2024-7881 mitigation to Cortex-X3
	427c33bc0c0b fix(security): add CVE-2024-7881 mitigation to Neoverse-V3
	192a152448ae fix(security): add CVE-2024-7881 mitigation to Neoverse-V2
	3e4d94c43b64 fix(security): add CVE-2024-7881 mitigation to Cortex-X925
	41a52efd6f38 fix(security): add CVE-2024-7881 mitigation to Cortex-X4
	2f09b9f3c2af fix(security): enable WORKAROUND_CVE_2024_7881 build option
	70a7d3f2d030 fix(cpus): workaround for CVE-2024-5660 for Cortex-X925
	41b64fe36f42 fix(cpus): workaround for CVE-2024-5660 for Cortex-X2
	0b2d22097c96 fix(cpus): workaround for CVE-2024-5660 for Cortex-A77
	193370e1c6a2 fix(cpus): workaround for CVE-2024-5660 for Neoverse-V1
	d52c52a5fa8c fix(cpus): workaround for CVE-2024-5660 for Cortex-A78_AE
	3bd6531a55a4 fix(cpus): workaround for CVE-2024-5660 for Cortex-A78C
	eda09acd1b22 fix(cpus): workaround for CVE-2024-5660 for Cortex-A78
	b9766da96365 fix(cpus): workaround for CVE-2024-5660 for Cortex-X1
	6324220805b1 fix(cpus): workaround for CVE-2024-5660 for Neoverse-N2
	6041f0723994 fix(cpus): workaround for CVE-2024-5660 for Cortex-A710
	b23f5da614e6 fix(cpus): workaround for CVE-2024-5660 for Neoverse-V2
	ef378713fa4b fix(cpus): workaround for CVE-2024-5660 for Cortex-X3
	2898088f8ba6 fix(cpus): workaround for CVE-2024-5660 for Neoverse-V3
	b8e111c72619 fix(cpus): workaround for CVE-2024-5660 for Cortex-X4
	a6f6396313ea fix(cpus): workaround for Cortex-X4 erratum 2923985
	d1c3a5d8b9d8 fix(build): do not force PLAT in plat_helpers.mk
	ea1b816b1763 chore(deps): update pytest for cot-dt2c
	65762d7b4cfc chore(deps): bump jinja2
	87f3125a0e45 chore(deps): bump jinja2 in the pip group across 1 directory
	b4530565c030 chore(deps): bump the pip group across 2 directories with 1 update
	11e5f92d3d43 build(deps): bump setuptools in the pip group across 1 directory
	850389f4acfe chore(deps): bump micromatch

Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-03-20 12:49:21 -04:00
Jon Mason 27a88dd7bd arm/opencsd: update to v1.5.6
Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-03-20 12:49:21 -04:00
Jon Mason b4e61d8c10 arm/edk2-firmware: update to edk2-stable202411
Update to the latest version of edk2.  Unfortunately, sbsa-ref has a
kernel warning due to the CPU topology that was added.  So, hold this
platform back to 202408 and move those recipes to meta-arm-bsp.

Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-03-20 12:49:21 -04:00
Mikko Rapeli 45daeba052 oeqa parselogs-ignores-sbsa-ref.txt: ignore screen error
It's not clear why this happens but this error is visible
in CI builds too often. Root cause needs analysis but
ignore the error for now.

https://autobuilder.yoctoproject.org/valkyrie/#/builders/75/builds/1190/steps/23/logs/stdio

Traceback (most recent call last):
  File "/srv/pokybuild/yocto-worker/meta-arm/build/meta/lib/oeqa/core/decorator/__init__.py", line 35, in wrapped_f
    return func(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^
  File "/srv/pokybuild/yocto-worker/meta-arm/build/meta/lib/oeqa/runtime/cases/parselogs.py", line 185, in test_parselogs
    self.assertEqual(errcount, 0, msg=self.msg)
AssertionError: 1 != 0 : Log: /srv/pokybuild/yocto-worker/meta-arm/build/build/tmp/work/sbsa_ref-poky-linux/core-image-sato/1.0/target_logs/Xorg.0.log
-----------------------
Central error: [   103.173] failed to find screen to remove
***********************
[   101.955] (**) QEMU QEMU USB Tablet: (accel) selected scheme none/0
[   101.955] (**) QEMU QEMU USB Tablet: (accel) acceleration factor: 2.000
[   101.958] (**) QEMU QEMU USB Tablet: (accel) acceleration threshold: 4
[   102.144] (II) event0  - QEMU QEMU USB Tablet: is tagged by udev as: Mouse
[   102.169] (II) event0  - QEMU QEMU USB Tablet: device is a pointer
[   102.228] (II) config/udev: Adding input device QEMU QEMU USB Keyboard (/dev/input/event1)
[   102.228] (**) QEMU QEMU USB Keyboard: Applying InputClass "libinput keyboard catchall"
[   102.229] (II) Using input driver 'libinput' for 'QEMU QEMU USB Keyboard'
[   102.229] (**) QEMU QEMU USB Keyboard: always reports core events
[   102.229] (**) Option "Device" "/dev/input/event1"
[   102.318] (II) event1  - QEMU QEMU USB Keyboard: is tagged by udev as: Keyboard
[   102.326] (II) event1  - QEMU QEMU USB Keyboard: device is a keyboard
[   102.345] (II) event1  - QEMU QEMU USB Keyboard: device removed
[   102.385] (**) Option "config_info" "udev:/sys/devices/platform/PNP0D10:00/usb1/1-2/1-2:1.0/0003:0627:0001.0002/input/input1/event1"
[   102.386] (II) XINPUT: Adding extended input device "QEMU QEMU USB Keyboard" (type: KEYBOARD, id 7)
[   102.519] (II) event1  - QEMU QEMU USB Keyboard: is tagged by udev as: Keyboard
[   102.527] (II) event1  - QEMU QEMU USB Keyboard: device is a keyboard
[   103.105] (II) modeset(0): Disabling kernel dirty updates, not required.
[   103.165] (II) config/udev: removing GPU device /sys/devices/pci0000:00/0000:00:01.0/drm/card0 /dev/dri/card0
[   103.173] xf86: remove device 0 /sys/devices/pci0000:00/0000:00:01.0/drm/card0
[   103.173] failed to find screen to remove
***********************
1 errors found in logs.

Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-03-20 11:00:04 -04:00
Ross Burton 00fa95aec1 CI: fix duplicate variables
I accidentally created two variables sections, resulting in our build
jobs running on very limited containers.

Signed-off-by: Ross Burton <ross.burton@arm.com>
2025-03-20 11:50:21 +00:00
Ross Burton f20bd9ff62 CI: move CPU_REQUEST from .build to .setup
We were only setting the k8s CPU request in .build jobs not .setup. This
was intentional initially so that only the build jobs get more resources,
but some of the non-.build jobs are resource-heavy. For example, the
pending-updates job has to parse the entire metadata from scratch, and
that sometimes takes longer than usual when we only have two cores to
use.

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-03-11 11:00:07 -04:00
Mikko Rapeli 53bfba8c5b optee-ftpm: support genericarm64
genericarm64 machines may have firmware with optee support
and thus also optee-ftpm may be compiled and used there.
tee-supplicant will load TAs at runtime if support is
detected.

Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-03-11 07:00:04 -04:00
Mikko Rapeli 11d3f0ad34 optee: support genericarm64
optee-client/tee-supplicant, optee-os-tadevkit and optee-test can be
compiled for genericarm64 and these detect firmware optee support at
runtime. Using qemuarm64 compatible config for them.
optee-os itself may need HW specific config for different boards
and SoCs but these components work with same config on multiple boards.
Tested on qemu and AMD kv260 with Linaro Trusted Substrate firmware
(https://gitlab.com/Linaro/trustedsubstrate/meta-ts).

Note: optee-test version in userspace and optee-os version in firmware
must match for tests to pass.

Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-03-11 07:00:04 -04:00
Ross Burton e02a77c055 CI: there's no need to run pending-updates on x86 machines
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-03-10 09:00:05 -04:00
Ross Burton af9375798f arm/arm-bsp/trusted-firmware-a: use main branch when fetching mbedtls
mbedtls pushes to both master and main, but main is preferred.

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-03-10 09:00:05 -04:00
Ross Burton b6227e2962 arm-bsp/fvp-base: bump cores to to v8.5
The Pointer Authentication (PAC) instructions are part of v8.3, and BTI
(Branch Target Indentification) instructions are mandatory in v8.5.

As we want to use PAC/BTI everywhere in this BSP, bump the cores to
v8.5.

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-03-06 10:40:44 -05:00
Andrew Jeffery f9f47ec15a arm/trusted-services: ts-sp-fw: Replace v2.7.0 tag with commit ID
Do so for the usual reason of avoiding network access during recipe
parsing. Occasionally parsing will stall for me as it seems connectivity
to trustedfirmware.org can be flaky.

Signed-off-by: Andrew Jeffery <andrew@codeconstruct.com.au>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-02-28 01:00:06 -05:00
Jon Mason 07fcd92a68 arm/boot-wrapper-aarch64: update to the latest
Update to the latest commit.
Changes in gn between 5e3760073454c72f3458805a1b7a89ecf80353cb and ac6742520ded1da30d500f74e8affe86e27cabd5
	ac6742520ded aarch64: Start Xen on Armv8-R at EL2
	ba899d1d7227 aarch64: Implement PSCI for Armv8-R
	476a0b6451d7 aarch64: Enable Armv8-R EL2 boot
	0f00cf4cb8b2 Introduce --with-bw-arch for boot-wrapper compile arch
	aafb5958eb9d Boot CPUs sequentially
	d62de19c8661 Add printing functions
	1ab497ed6c38 Simplify spin logic
	1e576e54d0a4 Unify assembly setup paths
	19ffbec99cf5 aarch32: Always enter kernel via exception return
	e8e6f797bafa aarch32: Implement cpu_init_arch()
	8745a2cd8e0a aarch32: Refactor inital entry
	77c3316737fc aarch64: Always enter kernel via exception return
	308d25f908a8 aarch64: Implement cpu_init_arch()
	4dcb17f55300 aarch64: Remove redundant EL1 entry logic
	400f0a86dcc8 Revert "configure: allow the use of bare-metal toolchains"
	1fea854771f9 configure: allow the use of bare-metal toolchains
	784feb9b0753 Makefile: suppress RWX segment warnings
	e1d7651f3c2f Makefile: rework test-dtc-option
	cd7fe8a88e82 aarch64: Enable access into RCW[S]MASK_EL1 registers from EL2 and below
	1ac203146003 aarch64: Enable access into 128 bit system registers from EL2 and below
	b13b3bdcb2a1 aarch64: Enable access into SCTLR2_ELx registers from EL2 and below
	61b84b4a1c02 aarch64: Remove TSCXT bit set from SCTLR_EL2_RESET
	3bac221638c4 configure: make --with-kernel-dir optional

Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-02-25 11:00:05 -05:00
Jon Mason 9da0a47d07 arm/trusted-firmware-rmm: update to 0.6.0
Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-02-25 11:00:05 -05:00
Jon Mason b31af92555 arm/trusted-firmware-m: update to v2.1.1
Update trusted-firmware-m to the latest LTS (TF-Mv2.1.1)
Changes between 0c4c99ba33b3e66deea070e149279278dc7647f4 and 02bf279913439a07082dd581df033f370a8fbb92
	02bf27991343 docs: Release notes for v2.1.1
	7264a32e84a0 docs: rp2350: Minor docs & script improvements
	4bad159af017 Docs: Release dates update
	a5e02ec0c6a2 Align .gitignore contents to main branch
	8fe944a652f5 Platform: RP2350: Fix NV counters in ITS
	66bc1fa8eed9 Build: Fix patch formatting for 0001-iar-Add-missing-v8.1m-check.patch
	895d44a4eb52 Platform: RP2350: Add NV counters to ITS
	e81b741aa6cc tf-m-tests: Step version for rp2350 psa-arch-tests
	2be65a027c86 Platform: rp2350: Add rwx linker flag conditionally for GNUARM
	a85425417696 Platform: RP2350: Add RP2350 porting
	9ed2e7c7f52b Platform/TFM/ITS/Config: Commits required for new platform porting
	f12db7c872d5 cc3xx/low-level/pka: SRAM size depends on CC3XX version
	c7e0192fab6f cc3xx/low-level/hash: wait for hash engine to be idle
	42a4041bdff4 Crypto: Update to Mbed TLS 3.6.2
	471c127e7755 Crypto: Add option to enforce ABI compatibility
	7da71fd05445 tfm_spe_mailbox: Fix NULL pointer checks
	974bc101e0b2 cc3xx/low-level/pka: wait for sw reset to be done before proceeding
	89b9c4889c60 Crypto: Enforce MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS on Mbed TLS config
	62b1300557c5 Crypto: Additional checks for writes to avoid out-of-bound access
	a2cead6a9ef4 tfm_spe_mailbox: Use local vars for local_copy_vects
	15afe61d1194 TFMV-8: Fix unchecked user-supplied pointer via mailbox message
	22e8e89c8f56 tfm_spe_mailbox: Do not write-back on input vectors checks failure
	12a4c5342965 tfm_spe_mailbox: Validate vectors from NSPE
	75bbe3fc0240 CC3XX: Relax assert condition in aead_crypt for input
	0db7ebf32ba3 Crypto: Protect writes to avoid out-of-bound access
	2ecea430fbb4 Crypto: Prevent the scratch allocator from overflowing
	fbcdc69b794d SPM: mailbox_agent_api: Free connection if params association fails
	2a59580b5809 Crypto: Update to Mbed TLS 3.6.1
	6a54ec89f22f Platform: STM32: script all_stm_platfrom
	66596b4dae57 Platform: corstone1000: Fix isolation L2 memory protection
	7045675209ca stm : fix error on b_u585i_iot02a with TF-Mv2.1.0

Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-02-25 11:00:05 -05:00
Jon Mason 55b41af673 arm/trusted-firmware-a: update the LTS to v2.10.12
Update trusted-firmware-a to lts-v2.10.12
Changes between 7e63213601425c7a6d83e47dc936b264deb9df2b and 408ba4ddfe9a8d55e3e2488bea89c39adef07981
	408ba4ddfe9a docs(changelog): changelog for lts-v2.10.12 release
	7bdf51628eab Merge "docs(maintainers): update LTS maintainers" into lts-v2.10
	8355ef7728ec docs(maintainers): update LTS maintainers
	faceedf4e5c2 Merge changes from topic "for-lts-v2.10.12" into lts-v2.10
	9007a3344e12 Merge changes from topic "gr/lts-doc-2.10" into lts-v2.10
	924c7f42ce4a chore(deps): bump cross-spawn
	7c8c034e5fed chore(deps): bump jinja2 in the pip group across 1 directory
	3d85a19f2f54 docs: updates to LTS
	13657a3f3f2a docs: add inital lts doc
	a4c57c122407 Merge changes from topic "lts-v2.10.12" into lts-v2.10
	564922601397 feat(mbedtls): mbedtls config update for v3.6.2
	44161dcb10ab docs(prerequisites): update mbedtls to version 3.6.2
	0ac65e7aa5ec refactor(mbedtls): rename default mbedtls confs
	8b2c885739dd fix(arm): add extra hash config to validate ROTPK
	832b92b7f615 docs(changelog): changelog for lts-v2.10.11 release
	a3fc7c18c461 Merge changes from topic "for-lts-2.10.11" into lts-v2.10
	196984e65da0 fix(cpus): workaround for Cortex-X4 erratum 2923985
	0eed05ee70aa chore(cpus): optimise runtime errata applications
	34e6d7cb8ce1 Merge changes from topic "sm/fix_erratum" into lts-v2.10
	ad9dfdc5800c fix(cpus): workaround for CVE-2024-5660 for Cortex-X2
	5673d345aaa3 fix(cpus): workaround for CVE-2024-5660 for Cortex-A77
	4fd2a6702dd1 fix(cpus): workaround for CVE-2024-5660 for Neoverse-V1
	a02a863d3156 fix(cpus): workaround for CVE-2024-5660 for Cortex-A78_AE
	87250d2bb1ea fix(cpus): workaround for CVE-2024-5660 for Cortex-A78C
	30c57c58abe3 fix(cpus): workaround for CVE-2024-5660 for Cortex-A78
	c7d3c9eb2d81 fix(cpus): workaround for CVE-2024-5660 for Cortex-X1
	282e63544d26 fix(cpus): workaround for CVE-2024-5660 for Neoverse-N2
	f7ae819f03ae fix(cpus): workaround for CVE-2024-5660 for Cortex-A710
	3efc9e13011d fix(cpus): workaround for CVE-2024-5660 for Neoverse-V2
	17e17ed3f1e6 fix(cpus): workaround for CVE-2024-5660 for Cortex-X3
	a6375e1feb42 fix(cpus): workaround for CVE-2024-5660 for Neoverse-V3
	e42abf298321 fix(cpus): workaround for CVE-2024-5660 for Cortex-X4
	698e68fe1fe9 fix(cpus): workaround for CVE-2024-5660 for Cortex-X925
	b229b47bd86c chore: rename Blackhawk to Cortex-X925
	96498991d1ce chore: rename Chaberton to Cortex-A725
	b28aa38e28cf docs(changelog): changelog for lts-v2.10.10 release
	8e74814ce52f Merge changes from topic "for-lts-v2.10.10" into lts-v2.10
	c9f3fb5822dc build(deps): bump setuptools in the pip group across 1 directory
	395ef3534cf1 chore(deps): bump micromatch
	6c6e986bffb3 build(npm): update Node.js and all packages
	c5d2a030a35f build(deps): bump braces
	ebf6430a01c5 build(deps): bump idna from 3.4 to 3.7
	93ad43e79ef7 build(deps): bump jinja2 from 3.1.2 to 3.1.4
	f8a06a0f82ce build(deps): bump urllib3 from 2.0.2 to 2.2.2
	3ea256c36a4b build(deps): bump pip from 23.1.2 to 23.3

Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-02-25 11:00:05 -05:00
Jon Mason 74bd36ec63 arm/gn: update to latest commit
Update to the latest gn commit.
Changes in gn between 95b0f8fe31a992a33c040bbe3867901335c12762 and ab638bd7cbb9ac8468bf2fbe60c74ed4706a14a7
	ab638bd7cbb9 Revert "Speed-up GN with custom OutputStream interface."
	2dd9331a7041 Speed-up GN with custom OutputStream interface.
	ed1abc107815 Add `exec_script_allowlist` to replace `exec_script_whitelist`.
	c97a86a72105 Retry ReplaceFile in case of failure
	7296b601ea80 Fix crash when NinjaBuildWriter::RunAndWriteFile fails
	468c6128db7f fix include for escape.h
	5a47a93b9426 fix exit code for gn gen failure
	24e92acb8472 misc: Use html.escape instead of cgi.escape
	feafd1012a32 Do not copy parent build_dependency_files_ in Scope constructors.

Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-02-25 11:00:05 -05:00
Jon Mason 543adf67d2 arm/opencsd: update to 1.5.5
Update to the latest stable version (1.5.5), comprised of the following
commits:
	742d60ed7dc7 opencsd: Update version info and README for 1.5.5
	7ca491c516b8 build: Update docs for MacOS support
	cac83e59666e build: Add MacOS development makefile
	e56eff270ca2 build: Use .dylib shared library suffix for MacOS
	35f957d2a97a build: Create initial MacOS makefile
	44dff5b22a26 build: Restore Linux build support
	a0e13010e1d6 build: Rename build folders as 'unix_common' for upcoming MacOS support
	ecdde9f69307 tests: Add option to suppress elapsed processing time in test program.
	821632be920c tests: update mem_buff_demo test to add options.
	70e472c9387f opencsd: Memacc object cleanup fix

Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-02-25 11:00:05 -05:00
Jon Mason f1fc5c53a1 arm/hafnium: update to v2.12.0
Update to the latest version of halfnium

Changes between 2bef7ab3895c48d39b84ab58179b2d0de5156b8b and 2cf2ca7c4b81ab18e9cd363d9a5c8288e2a94fda
	2cf2ca7c4b81 docs: the change log for the v2.12 release
	69e18eb52d63 docs: update the threat model for IPI threats
	c9866ab33c7a docs: add description of single service IPI support
	b17856caec30 test: interrupt targeting blocked vcpu is queued
	0ee13d9cc510 test: add helpers to share page for coordination btw endpoints
	eda971da9f4c fix: queue interrupt targeting blocked vcpu
	0a69718c6298 fix(docs): fixes to the docs to fix build errors
	4b3d26803b56 test(ipi): IPI to invalid vCPU fails
	2f579f93c1d9 test: multiple SPs periodic deadlines on multiple cores
	8157b6897a8f test: multiple SPs with periodic deadline
	b390a0d12967 test(ipi): set target vCPU in VCPU_STATE_BLOCKED
	2affbc7a7bbb test(ipi): target vCPU set in VCPU_STATE_PREEMPTED
	180a65a7be5f feat(ipi): handle in VCPU_STATE_BLOCKED/PREEMPTED
	84d49b67d2d9 fix(ipi): small fixes to the ipi implementation
	0136b2bf3f35 test: migrate blocked vcpu with pending timer
	da42b544504b test: timer expired while vcpu is in PREEMPTED state
	7c9702280c62 chore: reduce verbosity of console messages for SPs
	9243e772b209 docs: support for arch timer in secure world
	c0110997e1f8 chore: add doc comment on Pauth fault tests
	a067dc1d77f8 test: add unit tests for timer management
	872742eec217 test: use watchdog timer as source of non secure interrupt
	febcb625856e test: add driver for normal world watchdog timer
	b9dd51451e46 test: introduce driver for sp805 peripheral
	65827d703535 test: migrate vCPU of SP with pending timer deadline
	593b8addcbdc test: multiple SPs programmed with timer deadlines
	fe10878b1e1c test: SP reprograms the arch timer deadline
	b2429b49c524 test: SP handles timer with short deadline
	34c050a04357 test: commands for SP services to configure timer
	64ae5a8d6a18 test: add SP helper utilities for arch timer
	6b8cf4f361f6 feat(arch timer): handle spurious host timer interrupt
	106bfc364d64 feat(arch timer): migrate vCPU with pending timer to another CPU
	cf069a65988e feat(arch timer): resume SP if deadline expires in NWd
	2efb3e103382 feat(arch timer): handle host timer interrupt tracking live deadline
	32424db1d5d6 feat(arch timer): inject timer virtual interrupt before resuming vCPU
	a3787c91a96c feat(arch timer): track pending timer configured by SP vCPU
	28e988f3bb56 chore: exclude physical timer source file from static checks
	f684d196422b feat(arch timer): trap and emulate physical timer access from SPs
	d3ac7383c10f feat(arch timer): helpers to configure EL1 physical timer
	f658f5e1a6e1 feat(arch timer): initialize timer list and host physical timer
	def48d0365b3 feat(arch timer): introduce host timer driver
	c31708afa85c feat(arch timer): helper utilities to add and remove from timer list
	eed861e514ba feat(arch timer): data structure to track pending timers
	08200fe0f2e2 test: physical interrupt preempts virtual interrupt handling
	75331b3ee028 test: SPMC call chain not preemptible
	179f567f17fe test: helpers commands to mimic secure interrupt scenarios
	94946a1451e3 fix(interrupts): SPMC scheduled call chain shall not be preempted
	025a451a9275 fix: simplify secure interrupt handling
	c3fd9756a53e feat(memory share): handle GPF in FFA_MEM_FRAG_RX
	e06384d55458 docs: document VM availability messages
	50ef91174b38 refactor: api_ffa_msg_send_direct_resp
	13f09815b474 refactor: don't pass sender/receiver ID
	79504ff11a86 refactor: remove unused functions
	a1a0235181b3 test: VM availability messaging tests
	06e8b732abc2 feat: forward VM availability messages from SPMC to SP
	d0356f85a2a2 refactor: `spmd_handler` refactorings
	520bcc86451b test: VM created/destroyed partition properties
	a603e0842531 feat: VM created/destroyed partition properties
	18694027d10d feat: parse `vm-availability-messages`
	1308a63f4851 test(ipi): FFA_NOTIFICATION_INFO_GET reports pending IPI
	d270b869c989 test(ipi): target waiting vCPU whilst in SWd
	537165559733 test(ipi): target waiting vCPU whilst in NWd
	3a9510e81960 test(ipi): handling SRI in the NWd
	377defd58730 test(ipi): send IPI to running vCPU
	d2efb134495d test(ipi): state machine to help testing IPI
	8be2651ff463 test(ipi): add unit tests for fetching pending IPIs
	1f2babf02fd8 feat(ipi): report IPIs in FFA_NOTIFICATION_INFO_GET
	960be20fecdc feat(ipi): handle IPI for waiting case
	f3cf28cf7d4b feat(ipi): introduce IPI paravirtualised interface
	18485946304c refactor: use bitfields for interrupt_descriptor struct
	e44e18e5702b fix: increase stack size in primary VM
	cc9d11383413 ci: increase timeout for long running tests
	b8f9a899f0be test: if SPs wake up with eret FFA_RUN
	4dbf4d95c63f fix: only normal world VMs need FFA_RUN
	478faac95b69 refactor: always eret FFA_RUN to the caller
	8ddb0e2d11e6 chore: drop the FFA_RUN tests
	3190f5401e09 chore: specify updated submodule commit hash
	baaf9e5bd0c5 docs: update FFA_PARTITION_INFO_GET(_REGS)
	0ffce75f8244 refactor(notifications): verbose validity check
	3e55c4d8e3de fix: check ff-a version for functionality support
	d96c931b233d test(ff-a): report features in partition info get
	7fb0fdb7ab97 fix: report indirect message and direct message 2
	11f50e5ff10b chore: drop linux/driver project checks
	d5d6c381e69c chore: drop the driver/linux submodule
	8018929656f3 doc: refer the checkpatch.pl setup
	d8e61447a1b5 ci: add script download checkpatch.pl
	94b0fa111104 chore: drop rule to update linux binary
	ddeedafa09d0 chore: drop the third_party/linux submodule
	6b756a10770a ci: drop the setup with the hafnium driver
	15e302616540 chore: drop hf_interrupt_inject
	da6b099e5dfb chore: drop mailbox waiting list
	9a9ed227a137 test(ff-a): FFA_MSG_WAIT called with pending message
	ccbf26c078c7 docs: add FFA_MSG_WAIT description
	ea8ccfe752cb refactor(notifications): drop the SRI state
	ac0cb263714c chore: drop legacy timer support in hypervisor
	9acc62973951 chore: remove legacy timer support tests
	a74c97c4c184 test: interrupt targets blocked SP
	23a7e58b6494 fix(interrupts): resume blocked vCPU and pend vIRQ line
	3e749afb2d9b test(pauth): test PAuth usage from S-EL0
	70c6ca0e0cb9 fix(pauth): use prng to generate S-EL0 pauth keys
	9478e32bb811 refactor: UUID packing/unpacking
	cca64d765bf0 refactor: `get_ffa_partition_info`
	fb9c2a27a319 refactor: `api_ffa_fill_partition_info`
	45abeebfd2b4 feat: report error if too many UUIDs in manifest
	6053297ef775 refactor(manifest): UUID parsing
	8c5de22b6b6a test: fork 'preempted_by_secure_interrupt'
	bd32c97bdb07 refactor: simplify interception of FF-A calls
	67f5ba3d10d3 refactor: boot order list to use list.h
	8e02186908e0 refactor: rename list functions
	3bfc36eab652 test(ff-a): cannot send indirect message when RX buffer full
	3d5a9609bf43 test(ff-a): add RX retention tests to S-EL0 setup
	a2103eb08381 feat(code-coverage): check elf files for folder include/exclude
	c7270b752e5f fix(memory share): hypervisor retrieve request check
	7640451f68fc fix(build): fix out of tree build specifying $OUT
	36fcf881497b fix: detect pauth algorithm in cpu
	483686441714 refactor: `memcpy` refactors
	5d5f27972dbb fix: use correct load-address while adding offset
	3bb825946fed fix(indirect message): set framework notifications
	8ccd2d0f0552 fix: rename load address relative offset node name
	67196c7ad3bc docs: document new `FFA_VERSION` behaviour
	c4d9ae80b40b fix(ff-a): don't report ME interrupt to EL0
	41c5da385103 fix(notifications): delay SRI flag use from NWd
	d9e7c8fd3cf9 fix: in case the mailbox is FULL return FFA_RUN
	77b4eef0071d fix(hftest): clear NPI when polling for notifications
	486ffdce7223 test(ff-a): FFA_MSG_WAIT multicore RX buffer test
	337dbdfa04ee test(ff-a): test FFA_MSG_WAIT with retain RX buffer flag
	7253bd5c43fc feat(ff-a): add retain RX buffer flag to ffa_msg_wait
	bc854180a4bb test(ff-a): verify FFA_MSG_WAIT releases RX buffer
	be1a0b7a4d43 fix(ffa): add RX buffer release to FFA_MSG_WAIT
	b8730e9f7263 refactor: moved api_interrupt_clear_decrement to vcpu
	cfc8174a3a22 refactor: added ffa_msg_wait_complete
	472f66a344c9 refactor: use vm_id_is_current_world
	ac9407556eca refactor: rename implicit_completion_signal
	3b31f09c4e80 refactor: create vcpu_secure_interrupt_complete
	9a4b9c0b9592 fix(notifications): per-vCPU for MP only
	318e90a733de feat: queue interrupt targeting blocked vcpu
	c023e39839c0 test: new setup with S-EL1 UP SP as Service2
	538b688a0865 test: register secondary entrypoint only for MP S-EL1
	ec3bf2223df0 test: queue interrupt targeting a migrated vcpu in blocked state
	97fa216c6ae9 test: queue interrupt targeting a migrated vcpu in running state
	ce6baae61eee test: queue interrupt targeting a migrated vcpu in waiting state
	4fff340ea012 test: queue multiple pending virtual interrupts
	e1bec84e69f1 test: handle secure interrupt triggered by Generic Timer
	95bb8fe60145 test: leverage build define to identify an S-EL0 SP
	75a1ab7b9c3c test: update manifests to accommodate AP REFCLK timer device region
	76fe642c630f test: add SP helper commands to manage generic timer
	ad3fb6698931 test: add driver for AP REFCLK Generic timer
	92b404ecffd6 test: driver for generic memory mapped system timer
	ae519e184f12 test: map MMIO regions from device region nodes
	7945bb578a0f refactor: reduce fields tracking interrupt handling for vcpus
	93d3d7015108 feat(interrupts): target migratable S-EL1 UP vCPU
	42e56c11d90e feat(interrupts): target migratable S-EL0 UP vCPU
	48dc41c3890c feat(interrupts): queue if unable to signal virtual interrupt
	c64d0645a4c4 feat(interrupts): prioritize servicing queued virtual interrupts
	32913cb081cf feat(interrupts): data structures, helpers for queueing
	b7c2558e1bbd fix(interrupts): drop the running priority before resuming vcpu
	6acc53703857 fix(hftest): logs from different setups would override
	ff651e335032 feat: hftest to disable_visualisation
	6f6bf8a117f9 refactor: simplify functions to pend VI
	33172403a44a fix: moved unsupported function log
	3e9f605eba42 test: interrupt to be pended before boot
	cc542042dbbd feat(interrupts): physical interrupt enabled
	d533859d7826 chore: add venv to gitignore
	1c56a252a966 fix(hftest): service set-up functions in core 0
	65deaa433730 refactor: drop hypervisor-specific tests
	6045881f4fe2 fix(notifications): vCPU ID check in get ABI
	a2c79226b56b docs: redirect to a common ff-a binding document in TF-A
	296ee70c7af7 refactor(memory share): split check of hyp retrieve request
	058ddee34d02 fix: remove memory region's device attribute
	71704804400a secure_tc: enable branch protection
	9c5b1d3708f8 refactor: split `api_ffa_features`
	650cb148d610 refactor: report FFA_YIELD
	1a8c0cdb812c refactor: report secondary EP register supported
	5a222641c137 refactor: permission get/set supported at S-EL0 partitions
	4271ff9734fe refactor: remove arch/platform specific ffa_features
	4e8e479805bb refactor: reduce log level of some log statements
	be12343e0ceb fix(hftest): interrupt enable/disable
	94f9a7303d06 fix(docs): refactor poetry dependency group
	734981e83008 fix(memory share): dont change the PAS for device memory
	9a444adfee0b refactor(hftest): update iris options
	fd374b8c9227 fix(memory share): v1.1 emad reserved field check
	5ebf4bf2c364 feat: parallelize `clang-tidy`
	2ad6b66ef5f6 chore: fix `clang-tidy` warnings
	a4d4a2b00cf2 fix: check `.h` files with `clang-tidy`
	20acb0118db9 refactor: remove `make check`
	ca9234c8510c refactor: reformat `.clang-tidy`
	67a7926ce341 fix: first vCPU runs in the VCPU_STATE_RUNNING
	77f39c21e52a fix(docs): point poetry readthedocs virtual env
	bd43209c3d7f refactor: console log verbosity
	052fa62be451 fix(docs): design doc typo fails the build
	a33eca997600 fix(qemu): memory barriers to operate DMA
	66a38bd5184d fix: fix build with clang-18
	a5ea909bfc61 fix: fix build with clang-17
	74ee3ab8bb56 fix: fix build with clang-16
	6f1f1210152d feat: print vCPU ID
	920362870c0d test: tests for printing sequentially and concurrently
	31e5c95fd1c7 fix(hftest): define stacks for all secondary cores
	7cdb36d7dfa8 test(mem share): RO mem cannot be zeroed during send
	72d53a15d7b7 fix(boot): remove limit all partition memory is RW
	c7a3848c7cc0 refactor: improve hftest error message
	133ae6e2e48b feat(dlog): adopt FF-A in `stdout_putchar`
	c5cebbc0e8d0 refactor: move log buffer from VM to vCPU
	99fe2434f9d9 refactor: add documentation for interrupt controller in DT
	1c26ae7ec65a fix(gic): add support for passing GIC data from DT in boot flow
	99c5eff25b84 test: add unit tests to validate dma properties
	718afa9ca629 refactor: create a helper function to obtain common fields
	9c764b3e5437 refactor: use dma device properties struct within device node
	7de26958d155 refactor: extract VM's log buffer into separate struct
	6027b4f0bd7a fix: fix signature of `memcpy`
	8f046e4873ea refactor: remove `CHECK_OR_ZERO` macro from `std.h`
	2b56fc163c19 refactor: replace some uses of `uintptr_t` with `cpu_id_t`
	b4ef4320e1d0 refactor: use typedef for CPU entry point functions
	71d887b7cad0 refactor(memory share): improve naming of sender_orig_mode
	c8e6e85d7f72 test(memory share): device as normal through descritor mem types
	3b65a25f2642 test(memory share): lend device memory as normal
	6e2613628196 fix(memory share): add precedence check for memory type
	2268412d6968 test(memory share): normal memory lent as device
	91052c3eb749 fix(memory share): log for invalid instruction access
	3f295b18c75c feat(manifest): add overlap checks for SPMC memory
	889cbf1e6e82 refactor: use enums for PSCI constants
	5e99699970bc refactor: add helper function to check if VM is primary
	8204182ee3d2 refactor: add helper functions for checking if VM is UP/MP
	0a824e972474 chore: fix log strings
	bd060340445e fix(memory share): relinquish from VM
	9bbcb87d8873 fix(memory share): assert pointer before dereferencing
	a39a84497eda feat(memory share): relinquish use `memcpy_trapped`
	3f6527cd56f9 feat(memory share): revert memory retrieve
	69cdfd9531f8 feat(memory share): avoid updating PTs
	7b9cc432ce38 feat(memory share): memcpy_trapped to copy retrieve resp
	8f2150d1d4c6 feat(memory share): `memcpy_trapped` to read from tx
	f220d57a4102 fix(memory share): retrieve request validation
	c9227c849e62 fix(memory share): multiple borrower with NWd VM
	540cddfcb118 feat: introduce gicd_set_ctrl helper utility
	cde596402559 test(ff-a): add tests for changing version through `FFA_VERSION`
	64d930ee6c33 fix: check that calls to FFA_VERSION actually succeed
	e9921275a326 fix: memory sharing tests
	08befddc43c0 refactor: move `update_mm_security_state` to `common/ffa.c`
	2909e54cf230 refactor: port tests due to new restrictions
	d319fbbb5b9b fix: remove log statement that caused `FFA_VERSION` to fail
	6eeec8e85a5f feat: restrict `FFA_VERSION` calls
	0e617d9d2245 refactor(ff-a): `FFA_VERSION` related refactorings
	4b846eb871c0 fix(mem share): zeroing RO memory during memory send
	8fc1b5054cb2 fix: error codes need to be uint32_t
	6fd6c1d6ecad fix: fix input validation in FFA_FEATURES
	49ec1e42e218 refactor: refactor `api_ffa_features`
	88851f90b88e feat: add macros to check bits
	d1c34b5edee1 feat(mte): add error log for sync tag fault in EL2
	95fbb31760eb feat(memory share): add memory share 64-bit ABIs
	b9ae416a7d55 refactor: use `GET_ESR_EC` macro
	5a13355b0802 refactor: add `GET_ESR_FNV`
	9f7ce018c967 test(dlog): unit tests for `dlog` with binary format specifier
	7efc8377234e feat(dlog): support binary unsigned integer format specifiers
	e8937d9c2a05 chore(dlog): fix uses of `dlog` to use new format strings
	544549064bb2 feat(dlog): check arguments to `dlog` at compile-time
	50af30574657 test(dlog): unit tests for `dlog` with length modifiers
	70894da99ab1 feat(dlog): handle length modifiers
	e980e611ed8a refactor(dlog): miscellaneous changes related to logging
	705b56e94b38 refactor(dlog): move `dlog_flush_buffer` to `api.c`
	e8fdaed4c376 refactor(dlog): replace macros with enums
	93157d09e78f test(dlog): unit tests for `dlog`
	c9df08b45438 feat(hftest): assertion macros for strings
	d2ef618a680c refactor(dlog): return number of characters written
	222d9fbb3dee fix: enable `-Wsign-compare` in `ASSERT_EQ`
	1064a9c8d3c3 refactor: use `enum ffa_error` for errors
	824b63d9b256 feat: enable `-Wsign-compare`
	b090762d1c4d fix: disable `-Wsign-compare` for dtc
	4a88b9625897 feat: enable `-Wextra` flag
	df099becb672 refactor(init): use memory pool for boot params
	dc759f53ddbe refactor: use an enum for FF-A error codes
	d38270c14fe8 refactor: use enum for SP commands
	6a7c95926233 feat(hftest): rewrite error messages for failed assertions
	76766e61e230 refactor: use `typeof` in `HFTEST_ASSERT_OP`
	871b41e33565 refactor: always expand `assert` macro
	3a3e08dbd653 fix: check for illegal values of gic related build flags
	346a09cfce7f fix: check for illegal branch protection feature
	0549849def41 fix: propagate enable_mte build flag to cflags
	00d3b632aeda fix: incorrect calculation for number of boot info desc
	b886d4930571 fix(memory share): drop check to instruction access

Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-02-25 11:00:05 -05:00
Jon Mason 1adc206509 arm/fvp-base-a-aem: update to 11.28.23
Update to the latest version.

License SHA changed due to the addition of "Artistic License 2.0" and
was missing entries for a few others that were there previously.

Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-02-24 11:06:06 -05:00
Jose Quaresma a55e4445f2 bsp: optee-client: cleanup old tee-supplicant
The same tee-supplicant is available in the meta-arm layer
along with the recipe.

| meta-arm/recipes-security/optee/optee-client
| meta-arm/recipes-security/optee/optee-client/tee-supplicant.sh
| meta-arm/recipes-security/optee/optee-client/tee-supplicant@.service
| meta-arm/recipes-security/optee/optee-client.inc
| meta-arm/recipes-security/optee/optee-client_4.1.0.bb

Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-02-21 09:07:49 -05:00
Jon Mason 25ca4ecb32 arm/trusted-firmware-a: update git recipe
Update the TF-A git recipe to the latest commit (as it was older than
the 2.12 release previously).  Also, update mbedtls to 3.6.2 (per the
tf-a docs in the master branch).

Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-02-20 09:00:07 -05:00
Jon Mason 48708ed3cc arm/trusted-firmware-a: re-add patches
TF-A Patches were erroneously moved to meta-arm-bsp, despite still being
needed by the recipes in meta-arm.  Copy them back and make copious
apologies.

Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-02-20 09:00:07 -05:00
Jon Mason 7c2df809e0 arm/trusted-firmware-a: move qemuarm64-secureboot file to the correct location
Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-02-13 11:00:04 -05:00
Jon Mason 5773030601 CI/machine-summary: remove binary toolchains and sort entries alphabetically
Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-02-13 11:00:04 -05:00
Jon Mason 8a457932df arm/trusted-firmware-a: Move 2.11 to meta-arm-bsp
Move v2.11 to meta-arm-bsp so that corstone1000 can still use it (though
2.12 does appear to work).  Move all the other platforms in meta-arm-bsp
to use 2.12.

Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-02-11 10:24:07 -05:00
Jon Mason f0f0be29a3 arm/trusted-firmware-a: Add cot-dt2c
Platforms with GENERATE_COT need to either have COT_DESC_IN_DTB set or
use cot-dt2c to generate it.  Add cot-dt2c from trusted-firmware-a
sources and its python dependencies to enable this for those that need
it.

Also, move all the relevant platforms in meta-arm-bsp to use 2.12

Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-02-10 14:49:31 -05:00
Philip Puk d656275855 arm-bsp/u-boot: corstone1000: Reserve memory for RSS comm pointer access protocol
This memory was used by OpenAMP to establish communication between
the Secure Enclave and Trusted Services. After transitioning from
OpenAMP to RSE_COMMS, this shared memory is now configured for the
pointer access protocol in RSE_COMMS.

Since this memory may be still used by a user-space application
in linux as U-Boot is passing an EFI memory map starting from
0x80000000, this memory range should be reserved as the
pointer access protocol may be enabled on corstone1000 in the future.

Signed-off-by: Philip Puk <philip.puk@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-02-10 09:22:21 -05:00
Mikko Rapeli 34d326f107 systemd-boot: update systemd-bootaarch64.efi path
poky updated systemd from 256 to 257 which changed
the build time path.

Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
Signed-off-by: Ross Burton <ross.burton@arm.com>
2025-02-10 14:04:58 +00:00
Ross Burton 03af0c72f1 arm-toolchain: remove external-arm-toolchain
Integrating the binary Arm GCC toolchain into OE is quite complicated
because the binary release and oe-core's toolchain are arranged slightly
differently, which makes it quite fragile.

As it's obviously a binary release we cannot patch it to fix issues.

Also it has some fairly sizable limitations: for example the kernel
headers are old (from linux 4.19) and the locale packaging is different
so locale package dependencies don't work.

The main historic users of the external toolchain no longer use it, so
remove it.  The recipes will remain in the LTS branches for users who
are using it currently, but will not be part of the next release.

Signed-off-by: Ross Burton <ross.burton@arm.com>
Acked-by: Romain Naour <romain.naour@smile.fr>
Acked-by: Sumit Garg <sumit.garg@linaro.org>
Acked-by: Denys Dmytriyenko <denys@konsulko.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-01-30 07:26:31 -05:00
Ross Burton 78f7c988e2 arm-toolchain/external-arm-toolchain: update for toolchain provider changes
The oe-core commit "classes/recipes: Switch virtual/XXX-gcc to
virtual/cross-cc (and c++/binutils)"[1] changes the virtual names that
the toolchain components use, so external-arm-toolchain needs updating
to use these new names.

[1] 4ccc3bc8266c327bcc18c9a3faf7536210dfb9f0

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-01-30 07:26:31 -05:00
Musa Antike b56ab3175d kas: Include unattended Debian test
Add unattended installation yml to Debian  target

Signed-off-by: Musa Antike <musa.antike@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-01-29 11:41:59 -05:00
Musa Antike f1769d5640 arm-systemready/oeqa: Add unattended installation testcase
Add test for Debian unattended installation verification

Signed-off-by: Musa Antike <musa.antike@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-01-29 11:41:52 -05:00
Musa Antike f0978b3067 arm-systemready/linux-distros: Implement unattended Debian
- Implement unattended installation for Debian
- Upgrade Debian version to 12.8.0

Signed-off-by: Musa Antike <musa.antike@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-01-29 08:46:03 -05:00
Musa Antike 6e913cf30d arm-systemready/linux-distros: Move openSUSE unattended conf to SRC_URI
- Replace THISDIR with UNPACKDIR by adding unattended conf to SRC_URI

Signed-off-by: Musa Antike <musa.antike@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-01-29 08:46:03 -05:00
Musa Antike 0702fbbcfa arm-systemready/linux-distros: Move Fedora unattended conf to SRC_URI
- Replace THISDIR with UNPACKDIR by adding unattended conf to SRC_URI

Signed-off-by: Musa Antike <musa.antike@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-01-29 08:46:03 -05:00
Mikko Rapeli db933d55b4 trusted-firmware-a: fix mbedtls license checksum
tf-a 2.10.9 uses mbedtls 3.6.1 from 3.6 branch which
has the same checksum as in tf-a 2.11 recipe. Found when
downgrading tf-a from 2.12 to 2.10 to debug hangs on zcu102
board:

ERROR: trusted-firmware-a-2.10.9-r0 do_populate_lic: QA Issue: trusted-firmware-a: The LIC_FILES_CHKSUM does not match for file://mbedtls/LICENSE;
md5=3b83ef96387f14655fc854ddc3c6bd57
trusted-firmware-a: The new md5 checksum is 379d5819937a6c2f1ef1630d341e026d
trusted-firmware-a: Here is the selected license text:
vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv
Mbed TLS files are provided under a dual [Apache-2.0](https://spdx.org/licenses/Apache-2.0.html)
OR [GPL-2.0-or-later](https://spdx.org/licenses/GPL-2.0-or-later.html) license.
This means that users may choose which of these licenses they take the code
under.

The full text of each of these licenses is given below.

                                 Apache License
                           Version 2.0, January 2004
...
  `Gnomovision' (which makes passes at compilers) written by James Hacker.

  <signature of Ty Coon>, 1 April 1989
  Ty Coon, President of Vice

This General Public License does not permit incorporating your program into
proprietary programs.  If your program is a subroutine library, you may
consider it more useful to permit linking proprietary applications with the
library.  If this is what you want to do, use the GNU Lesser General
Public License instead of this License.
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
trusted-firmware-a: Check if the license information has changed in /home/builder/src/base/repo/build/tmp_zynqmp-zcu102/work/zynqmp_zcu102-poky-linux/trusted-firmware-a/2.10.9/git/mbedtls/LICENSE to verify that the LICENSE value "BSD-2-Clause & BSD-3-Clause & MIT & Apache-2.0 & Apache-2.0" r
emains valid [license-checksum]
ERROR: trusted-firmware-a-2.10.9-r0 do_populate_lic: Fatal QA errors were found, failing task.
ERROR: Logfile of failure stored in: /home/builder/src/base/repo/build/tmp_zynqmp-zcu102/work/zynqmp_zcu102-poky-linux/trusted-firmware-a/2.10.9/temp/log.do_populate_lic.4070974
NOTE: recipe trusted-firmware-a-2.10.9-r0: task do_populate_lic: Failed
ERROR: Task (/home/builder/src/base/repo/build/../meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_2.10.9.bb:do_populate_lic) f
ailed with exit code '1'

Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-01-17 09:30:29 -05:00
Mikko Rapeli eb9a1ec43b edk2-firmware: fix PlatformStandaloneMmRpmb.dsc build
With backported patch from upstream. Error was:

| build.py...
| /home/builder/src/base/repo/build/tmp_rockpi4b/work/rockpi4b-poky-linux/edk2-firmware/202408/edk2/edk2-platforms/Platform/StandaloneMm/PlatformS
tandaloneMmPkg/PlatformStandaloneMmRpmb.dsc(...): error 4000: Instance of library class [HobPrintLib] is not found
|       in [/home/builder/src/base/repo/build/tmp_rockpi4b/work/rockpi4b-poky-linux/edk2-firmware/202408/edk2/StandaloneMmPkg/Core/StandaloneMmCor
e.inf] [AARCH64]
|       consumed by module [/home/builder/src/base/repo/build/tmp_rockpi4b/work/rockpi4b-poky-linux/edk2-firmware/202408/edk2/StandaloneMmPkg/Core
/StandaloneMmCore.inf]

Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
2025-01-17 09:30:29 -05:00
Philip Puk 90123a287f arm-bsp/recipes-security: Add protobuf interface to crypto-sp in corstone1000
Adds protobuf interface to se-proxy-sp as the main crypto-sp uses it and
parsec service 1.4 also switch using protobuf interface.

Signed-off-by: Philip Puk <philip.puk@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-01-13 12:00:03 -05:00
Jon Mason 0905953af4 arm/trusted-firmware-a: bump fip and tests to 2.12
Bump fip and tf-a tests to use the 2.12 sources

Note: change to license is for CoT device tree python application (which
is Apache licensed).

Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-01-10 11:00:05 -05:00
Quentin Schulz 280018a5db arm/trusted-firmware-a: add support for 2.12.0
Add support for TF-A version v2.12.0 and mbedtls 3.6.1.

GCC-compiled boot tested on RK3588 Tiger, RK3399 Puma and PX30 Ringneck.

0001-fix-zynqmp-handle-secure-SGI-at-EL1-for-OP-TEE.patch is merged in
2.12.0 so no need to have it in SRC_URI as for 2.11.0 and earlier
recipes.

Signed-off-by: Quentin Schulz <quentin.schulz@cherry.de>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-01-10 11:00:05 -05:00
Jon Mason f52fb00f10 arm/trusted-firmware-a: update 2.10 LTS to the latest versions
Update TF-A LTS to 2.10.9 (which includes an mbedtls bump to 3.6.1, per
docs).  Also, bump the TF-A tests to the latest version.

Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-01-10 11:00:05 -05:00
Ali Can Ozaslan bc5967ad87 arm-bsp/linux-yocto: corstone1000: Update to version 6.12
* Set Linux kernel preferred version for Corstone-1000 to 6.12.
* Update version listed in Corstone-1000 user guide documentation.
* Remove Linux kernel version 6.10 recipe as was only used by Corstone-1000.

Signed-off-by: Ali Can Ozaslan <ali.oezaslan@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-01-07 09:00:04 -05:00
Bence Balogh 6c34f1e425 arm-bsp/documentation: corstone1000: describe host level authentication
A new section was added for the host level authentication which
explains how the FIP content is verified at TF-A level.

Signed-off-by: Abdellatif El Khlifi abdellatif.elkhlifi@arm.com
Signed-off-by: Bence Balogh bence.balogh@arm.com
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-12-30 11:00:04 -05:00
Hugues KAMBA MPIANA cc4399ad9a arm-bsp/documentation: corstone1000: Show flyout menu in sidebar
Use flyout menu enabled via the `flyout_display`
parameter to show the flyout in the bottom of the sidebar.

The default Read the Docs (RtD) flyout needs to be disabled in order
to not have 2 flyouts showing. It is done by disabling it in the
RtD project settings.

Additionally, the Sphinx theme needs to be upgraded from version
2.0.0 to version 3.0.0. The sphinx and docutils modules also need
to be update for compatibility reason.

Signed-off-by: Hugues KAMBA MPIANA <hugues.kambampiana@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-12-21 08:22:38 -05:00
Peter Hoyes 5adb315517 arm/lib: Relax "Listening for serial connection" regex
Newer versions of the FVP now contain a full log entry for the
"Listening for serial connection on port" regex of the form:

INFO: FVP_NAME: terminal_uart: Listening for serial connection...

Relax the regex to support this new logging format and change from
re.match to re.search as the regex may not appear at the start of the
line.

This change is backwards-compatible with older versions of the FVP.

Signed-off-by: Peter Hoyes <peter.hoyes@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-12-16 10:00:05 -05:00
Ross Burton 83d9575a38 arm-bsp/linux-yocto: add temporary 6.10 recipe
oe-core has removed 6.10, so until corstone1000 has upgraded to 6.12 add
it temporarily to meta-arm-bsp.

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-12-13 11:00:03 -05:00
Ross Burton fd2ba2d290 arm-bsp/linux-yocto: fix Juno build with linux 6.12
The DesignWare platform driver is hidden behind a DesignWare Core option
now, so enable that too.

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-12-13 11:00:03 -05:00
Adam Johnston 3df279b56a arm-bsp/corstone-1000: IMAGE_ROOTFS_EXTRA_SPACE workaround
When images are repacked IMAGE_ROOTFS_EXTRA_SPACE is ignored.
This is not necessarily a bug but an undocumented quirk of how wic
works.

Evaluate IMAGE_ROOTFS_EXTRA_SPACE and use the value with the
 --extra-space option. Note that, since IMAGE_ROOTFS_EXTRA_SPACE is in
Kb, the value for `--extra-space` requires the explicit 'K' suffix (the
default is 'M')

Signed-off-by: Adam Johnston <adam.johnston@linaro.org>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-12-13 10:00:05 -05:00
Abdellatif El Khlifi 258277bab5 arm-bsp/linux-yocto: corstone1000: Update the Upstream-Status of the remoteproc patches
Set the Upstream-Status to Denied because the community suggests a different design

The external system implementation in Corstone-1000 is user-defined.
In the implementation provided by he FPGA board and by the FVP, the
Cortex-A35 (Linux) can not access the memory of the external system (Cortex-M3).
So, Linux can not load the external system firmware and can not communicate
with the external system using Rpmsg over remoteproc subsystem. The reason is Rpmsg
needs vrings memory buffers to be shared between both cores.
The community prefers that the HW is updated with memory sharing before they
consider merging the remoteproc driver.

We reached the agreement that we will split the work in two parts:

Part 1: Writing an SSE-710 reset controller driver
Part 2: Corstone-1000 remoteproc driver

Part 1 is doable and we will be working on it.
Part 2 is waiting for the FPGA upgrade with the memory sharing feature.

For more details [1].

[1]: https://lore.kernel.org/all/20241009094635.GA14639@e130802.arm.com/

Signed-off-by: Abdellatif El Khlifi <abdellatif.elkhlifi@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-12-12 06:00:04 -05:00
Jamin Lin 22de236233 arm: remove python3-pyhsslms recipe
I upstreamed this recipe in meta-openembedded/meta-python,
so removes this recipe from meta-arm meta layer.

https://github.com/openembedded/meta-openembedded/blob/master/meta-python/recipes-devtools/python/python3-pyhsslms_2.0.0.bb

Signed-off-by: Jamin Lin <jamin_lin@aspeedtech.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-12-11 22:00:04 -05:00
Gabor Abonyi b2c43dbf9b lib/fvp: add name to terminal title in FVP runner
Currently, terminal title is %title, which is populated with the
component name by the FVP. This commit prepends it with {name},
which is already a mandatory parameter for terminals to be launched.
E.g. FVP_TERMINALS[terminal_uart] ?= "My Name" will launch a terminal
with a title "My Name - terminal_uart".

Signed-off-by: Gabor Abonyi <gabor.abonyi@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-12-09 09:00:03 -05:00
Hugues KAMBA MPIANA 8af2f218d4 kas: corstone-1000: Update the SHA of the Yocto layer dependencies for the CORSTONE1000-2024.11 release.
The SHA of the dependent community layers are commented out and set to
the tested SHA from the `styhead` branch of each layer.

The set SHAs are to be uncommented in the `styhead` branch which is
to be used to create the `CORSTONE1000-2024.11` tag.

Signed-off-by: Hugues KAMBA MPIANA <hugues.kambampiana@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-12-05 10:30:39 -05:00
Hugues KAMBA MPIANA 5c40c5f7f7 arm-bsp/documentation: corstone1000: Amend documentation for CORSTONE1000-2024.11 release
* Fix typographical error in documentation.
* Add missing instructions.
* Create paragraphs where necessary to improve readability.
* Change `note` box to `important` box

* Remove verification of arm_tstee driver presence:
arm-tstee driver has been integrated in Linux v6.10.14 which is
the one used in the software stack. It is built as part of Linux and
is no longer a loadable module.
The steps to verify the driver presence are no longer applicable.

* Standardise naming of the target platform:
Consistently use the name `Corstone-1000` to refer to the target platform.

* Update Debian OS version from 12.4 to 12.7
Debian version 12.4 has a bug in Shim 15.7.
This bug causes a fatal error when attempting to boot media installer
for Debian,and resets the platform before installation starts.
A patch to skip the Shim was applied to Corstone-1000 to avoid
the error.
Debian version 12.7 no longer has the bug in the Shim thus making
the usage of the patch redundant.
Bump Debian installer to version 12.7 and remove usage of the patch
for the Debian installation test.

* Replace xterm with tmux:
Update the user guide to specify tmux instead of xterm.
Using tmux as opposed to xterm provides a better user experience
when running the commands listed on the user guide.

* Use ACS image for FVP SystemReady test:
Due to fixed timeout values in the meta-arm-systemready the ACS time
test do not complete successfully.
Instead, specify commands to use the pre-built ACS image.

* List Trusted Services as a host component:
Add Trusted Services to the list of components used on the Host processor
of the Corstone-1000. The various BitBake recipes and append files used to
build Trusted Services are listed for the component.

* Update release version to CORSTONE1000-2024.11:
All references to the version of the Corstone-1000 software reference
stack have been updated from CORSTONE1000-2024.06 to CORSTONE1000-2024.11.
Add to the changelog the 2024.11 release information.
Add the 2024.11 release notes.

Signed-off-by: Hugues KAMBA MPIANA <hugues.kambampiana@arm.com>
Signed-off-by: Abdellatif El Khlifi <abdellatif.elkhlifi@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-12-05 10:30:39 -05:00
Ross Burton 82bb1d2190 arm/fvp-base-a-aem: upgrade to 11.27.19
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-12-03 10:00:04 -05:00
Bence Balogh 30519676ab arm-bsp/trusted-firmware-m: corstone1000: Fix Secure Debug connection due to token version mismatch
Due to a mismatch between the ADAC dummy token major version and the version
in the secure-debug-manager repository [1]'s submodule [2], the secure debug connection was denied.
Update the ADAC token major and minor versions in TF-M to align with the expected
dummy token.

[1] https://github.com/ARM-software/secure-debug-manager/
[2] https://git.trustedfirmware.org/plugins/gitiles/shared/psa-adac.git/+/refs/heads/master/psa-adac/core/include/psa_adac.h

Fixes: 7e9466 ("arm-bsp/trusted-firmware-m: corstone1000: add Secure Debug")
Signed-off-by: Bence Balogh <bence.balogh@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-12-02 05:00:04 -05:00
Mikko Rapeli 737bfd0e63 linux-yocto: remove signing
Remove secure boot signature from kernel image.
It's signed as part of uki image now which signs
kernel, initramfs etc.

Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-11-25 12:10:17 -05:00
Mikko Rapeli 682fb426ee uefi-secureboot.yml: switch to Unified Kernel Image (UKI)
Unified Kernel Image includes kernel and initrd which
both are signed with UEFI secure boot. This brings secure
boot closer to userspace.

Use core-image-initramfs-boot to find the real
rootfs and boot systemd init there. No need to hard code
rootfs via qemuboot/runqemu variables.

Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-11-25 12:10:17 -05:00
Mikko Rapeli a3523586e5 uefi-secureboot.yml: remove duplicate distro features
Setting INIT_MANAGER to "systemd" already sets needed
feature flags. Appending to them only causes sstate
cache invalidation and recompilations.

Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-11-25 12:10:17 -05:00
Mikko Rapeli d0fd3e961a qemuarm64-secureboot.conf: append to WKS_FILE_DEPENDS
Various classes add dependencies so don't overwrite them.

Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-11-25 12:10:17 -05:00
Jon Mason 853fde2b24 CI: add poky-altcfg in xen.yml for systemd image requirement
xen-image-minimal now requires systemd.  Add poky-altcfg (which has
systemd amongst other things) as an includes in the xen.yml file to work
around this.  Also, xen requires openssh instead of dropbear.  So,
override that entry.

Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-11-21 11:00:04 -05:00
Romain Naour 9d9c2fb93e CI: test external-arm-toolchain with usrmerge enabled
We want to test meta-arm-toolchain layer with usrmerge enabled [1]
since it produce some breakage with current external ARM toolchains [2].

Instead of using a custom setting (poky + usrmerge enabled), use the
existing poky-altcfg provided by Yocto. poky-altcfg uses systemd as
init system and imply usermerge being enabled (new systemd v255
requirement) [3].

Note: It must be a 32bit machine, since there are currently no aarch64
host toolchains for aarch64 (some gitlab runner used by meta-arm are
aarch64 host) [4].

[1] https://docs.yoctoproject.org/scarthgap/ref-manual/features.html?highlight=usrmerge#distro-features
[2] https://lists.yoctoproject.org/g/meta-arm/message/5557
[3] https://git.openembedded.org/openembedded-core/commit/?id=802e853eeddf16d73db1900546cc5f045d1fb7ed
[4] 4bfa191ada

Signed-off-by: Romain Naour <romain.naour@smile.fr>
Acked-by: Denys Dmytriyenko <denys@konsulko.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-11-14 16:15:39 -05:00
Romain Naour de47f836e2 external-arm-toolchain: rebuild libmvec.so symlink if any
On some architectures (namely Aarch64), glibc may provide a libmvec
library since glibc 2.22, which programs built with gcc OpenMP
support might get linked to.

In order for these programs to work on the target, we need to copy this
library to the target filesystem.

Make sure that libmvec.so symlink is correct with or without usermerge
enabled otherwise libmvec.so symlink is broken.

For more details on libmvec, see
https://sourceware.org/glibc/wiki/libmvec.

Signed-off-by: Romain Naour <romain.naour@smile.fr>
Acked-by: Denys Dmytriyenko <denys@konsulko.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-11-14 16:15:33 -05:00
Romain Naour cb4c0c9a93 external-arm-toolchain: override dynamic loader path with usrmerge enabled
usrmerge nowaday required by systemd [1] but it broke
external-arm-toolchain in several ways...

When usrmerge is enabled, /lib is no longer part of SYSROOT_DIRS list
while the prebuilt toolchain expect the dynamic loader to be placed in
/lib not /usr/lib.

There is no /lib directory in the per-package sysroot directory
generated to build each package:

  [...]/build/tmp/sysroots-components/<target>/<package>/
  sysroot-providers/ usr/

But the cross-compiler still generate binaries with dynamic loarder
path set to "/lib/ld-linux-<target>.so*"

  strings sanitycheckc_cross.exe | grep ld
  /lib/ld-linux-aarch64.so.1

A symlink /lib -> /usr/lib is crated in the final rootfs image.

But this broke the meson-qemuwrapper used when "qemu-usermode"
(MACHINE_FEATURES) is available:

See [2]:
  do_write_config:append:class-target() {
       # Write out a qemu wrapper that will be used as exe_wrapper so that meson
       # can run target helper binaries through that.
       qemu_binary="${@qemu_wrapper_cmdline(d, '$STAGING_DIR_HOST', ['$STAGING_DIR_HOST/${libdir}','$STAGING_DIR_HOST/${base_libdir}'])}"

It produce a runtime issue while running a meson sanity check:

  meson-qemuwrapper [...]/build/meson-private/sanitycheckc_cross.exe

  qemu-aarch64: Could not open '/lib/ld-linux-aarch64.so.1': No such file or directory

Note: The binaries build by the Yocto internal toolchain seems be "patched" [3]
to look at /usr/lib instead of /lib.

We use -Wl,--dynamic-linker to make sure that the cross-compiler
generate binaries using the dynamic loader path defined by usrmerge
for all packages build by Yocto.

[1] https://git.openembedded.org/openembedded-core/commit/?id=802e853eeddf16d73db1900546cc5f045d1fb7ed
[2] https://git.openembedded.org/openembedded-core/tree/meta/classes-recipe/meson.bbclass?h=2024-04.3-scarthgap#n130
[3] https://github.com/openembedded/openembedded-core/blob/scarthgap/meta/recipes-devtools/gcc/gcc/0007-Define-GLIBC_DYNAMIC_LINKER-and-UCLIBC_DYNAMIC_LINKE.patch

Signed-off-by: Romain Naour <romain.naour@smile.fr>
Acked-by: Denys Dmytriyenko <denys@konsulko.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-11-14 16:15:23 -05:00
Vasyl Vavrychuk 8634bdc2f2 external-arm-toolchain: remove ${base_libdir}/libpthread*.so from FILES:${PN}
When `usrmerge` distro feature is not enabled, then `${base_libdir}`
resolves to `/lib` and `/lib/libpthread*.so` does not match any files.
But, with `usrmerge` distro feature, `${base_libdir}` is `/usr/lib`, so
removed line leads to `/usr/lib/libpthread.so` symlink included in
`${PN}` which causes QA check failure.

Signed-off-by: Vasyl Vavrychuk <vvavrychuk@gmail.com>
Acked-by: Denys Dmytriyenko <denys@konsulko.com>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-11-14 16:15:19 -05:00
Vasyl Vavrychuk 4b2cef379f external-arm-toolchain: in libc.so GNU ld script use base_libdir
`base_libdir` gets replaced with `/lib` or `/usr/lib` depending on
`usrmerge` distro feature.

Signed-off-by: Vasyl Vavrychuk <vvavrychuk@gmail.com>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Acked-by: Denys Dmytriyenko <denys@konsulko.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-11-14 16:15:13 -05:00
Romain Naour a6f44bbb80 external-arm-toolchain: wrap symlink handling under usrmerge check
Rework the symlink handling when usermerge is enabled.
Indeed, "ln -sf ../../lib/librt.so.1 ${D}${libdir}/librt.so" create a
dead link with usermerge...

Based on: https://lists.yoctoproject.org/g/meta-arm/message/5765

Signed-off-by: Romain Naour <romain.naour@smile.fr>
Cc: "Parthiban" <parthiban@linumiz.com>
Acked-by: Denys Dmytriyenko <denys@konsulko.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-11-14 16:15:00 -05:00
Vasyl Vavrychuk 98eea62962 external-arm-toolchain: wrap base_libdir vs libdir manipulations under usrmerge check
With `usrmerge` disto feature `base_libdir` and `libdir` are the same,
so it does not make sense to:

* removing "duplicates" between them
* move files from `base_libdir` to `libdir`

This fixes build error

| mv: '.../tmp/work/cortexa15t2hf-neon-poky-linux-gnueabi/external-arm-toolchain/12.2.Rel1/image/usr/lib/libasan.a' and '.../tmp/work/cortexa15t2hf-neon-poky-linux-gnueabi/external-arm-toolchain/12.2.Rel1/image/usr/lib/libasan.a' are the same file

in case of `usrmerge` feature enabled.

Signed-off-by: Vasyl Vavrychuk <vvavrychuk@gmail.com>
Acked-by: Denys Dmytriyenko <denys@konsulko.com>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-11-14 16:14:53 -05:00
Romain Naour 9a0451a959 external-arm-toolchain: remove old sed fixup for libc.so
As reported by Vasyl Vavrychuk [1], /${EAT_LIBDIR}/${EAT_TARGET_SYS}
is not present in libc.so in the latest prebuilt toolchains:

ARM32:
  $ cat ./gcc-arm-8.3-2019.03-x86_64-arm-linux-gnueabihf/arm-linux-gnueabihf/libc/usr/lib/libc.so
  OUTPUT_FORMAT(elf32-littlearm)
  GROUP ( /lib/libc.so.6 /usr/lib/libc_nonshared.a  AS_NEEDED ( /lib/ld-linux-armhf.so.3 ) )

  $ cat ./gcc-arm-9.2-2019.12-x86_64-arm-none-linux-gnueabihf/arm-none-linux-gnueabihf/libc/usr/lib/libc.so
  OUTPUT_FORMAT(elf32-littlearm)
  GROUP ( /lib/libc.so.6 /usr/lib/libc_nonshared.a  AS_NEEDED ( /lib/ld-linux-armhf.so.3 ) )

  $ cat ./arm-gnu-toolchain-12.3.rel1-x86_64-arm-none-linux-gnueabihf/arm-none-linux-gnueabihf/libc/usr/lib/libc.so
  OUTPUT_FORMAT(elf32-littlearm)
  GROUP ( /lib/libc.so.6 /usr/lib/libc_nonshared.a  AS_NEEDED ( /lib/ld-linux-armhf.so.3 ) )

  $ cat ./arm-gnu-toolchain-13.3.rel1-x86_64-arm-none-linux-gnueabihf/arm-none-linux-gnueabihf/libc/usr/lib/libc.so
  OUTPUT_FORMAT(elf32-littlearm)
  GROUP ( /lib/libc.so.6 /usr/lib/libc_nonshared.a  AS_NEEDED ( /lib/ld-linux-armhf.so.3 ) )

Aarch64:
  $ cat ./gcc-linaro-7.3.1-2018.05-x86_64_aarch64-linux-gnu/aarch64-linux-gnu/libc/usr/lib/libc.so
  OUTPUT_FORMAT(elf64-littleaarch64)
  GROUP ( /lib/libc.so.6 /usr/lib/libc_nonshared.a  AS_NEEDED ( /lib/ld-linux-aarch64.so.1 ) )

  $ cat ./gcc-arm-9.2-2019.12-x86_64-aarch64-none-linux-gnu/aarch64-none-linux-gnu/libc/usr/lib64/libc.so
  OUTPUT_FORMAT(elf64-littleaarch64)
  GROUP ( /lib64/libc.so.6 /usr/lib64/libc_nonshared.a  AS_NEEDED ( /lib/ld-linux-aarch64.so.1 ) )

  $ cat ./arm-gnu-toolchain-12.3.rel1-x86_64-aarch64-none-linux-gnu/aarch64-none-linux-gnu/libc/usr/lib64/libc.so
  OUTPUT_FORMAT(elf64-littleaarch64)
  GROUP ( /lib64/libc.so.6 /usr/lib64/libc_nonshared.a  AS_NEEDED ( /lib/ld-linux-aarch64.so.1 ) )

  $ cat ./arm-gnu-toolchain-13.3.rel1-x86_64-aarch64-none-linux-gnu/aarch64-none-linux-gnu/libc/usr/lib64/libc.so
  OUTPUT_FORMAT(elf64-littleaarch64)
  GROUP ( /lib64/libc.so.6 /usr/lib64/libc_nonshared.a  AS_NEEDED ( /lib/ld-linux-aarch64.so.1 ) )

We can safely remove old sed fixup for libc.so.

[1] https://lists.yoctoproject.org/g/meta-arm/message/5565

Signed-off-by: Romain Naour <romain.naour@smile.fr>
Acked-by: Denys Dmytriyenko <denys@konsulko.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-11-14 16:12:08 -05:00
Ross Burton e7898787bb CI: don't use debug-tweaks
As of the following commit in oe-core[1]:

  classes-recipe/core-image: drop debug-tweaks IMAGE_FEATURE

The debug-tweaks feature is no longer valid. Replace it with the options
that we need to perform login over testimage.

[1] https://git.openembedded.org/openembedded-core/commit/?id=2c229f9542c6ba608912e14c9c3f783c3fa89349

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-11-08 09:00:03 -05:00
Hugues KAMBA MPIANA bf9010c684 arm-bsp/documentation: corstone1000: Add SystemReady IR v2.0 certification
- Add details on SystemReady IR v2.0 certification achievement
- Document additional patch added
- Update release notes with new milestone tag `CORSTONE1000-2024.06-systemready-ir-v2.0`

Signed-off-by: Hugues KAMBA MPIANA <hugues.kambampiana@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-11-05 18:18:25 -05:00
Ziad Elhanafy ac05154c51 arm-systemready/linux-distros: Follow WORKDIR -> UNPACKDIR transition
This adapts to the oe-core rework to enforce a separate directory
for unpacking local sources (UNPACKDIR) instead of polluting WORKDIR
directly.

Follows the guidelines from:
https://lists.openembedded.org/g/openembedded-architecture/message/2007

Signed-off-by: Ziad Elhanafy <ziad.elhanafy@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-11-05 18:18:25 -05:00
Jon Mason 2fdc139084 arm-bsp/tc: remove all references to total compute
The tc files were removed some time ago, but there are still entries
in the bbappends trying to reference those files.  Remove them.

Fixes: 0af53c6453 ("arm-bsp: Remove tc1")
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-10-23 17:00:03 -04:00
Jon Mason 6165b9e7a1 arm-bsp/fvp-base: remove backported u-boot patches
With the recent update of u-boot to 2024.10, these patches are no longer
needed (as they are in this release).  Remove them and everything is
happy again.

Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-10-23 17:00:03 -04:00
Jon Mason e161d8aefb arm/scp-firmware: update to v2.15.0
Update SCP to the latest tagged version, and update the related patch to
the new location of the relevant files.

For a comparison of the changes, please go to
https://git.gitlab.arm.com/firmware/SCP-firmware/-/compare/v2.14.0...v2.15.0

Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-10-14 13:00:03 -04:00
Jon Mason 8a03ee5fdf arm/edk2: update to 202408
Update edk2 to the latest stable release tag, and update edk2-platforms
to the last SHA that seems to work.

Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-10-14 13:00:03 -04:00
Ben 33fa7e75ed kas: Include unattended openSUSE test
Add unattended installation class to openSUSE target

Signed-off-by: Ben Cownley <ben.cownley@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-10-08 10:00:09 -04:00
Ben 0e0b9e608c arm-systemready/oeqa: Add unattended installation testcase
Add test for openSUSE unattended installation

Signed-off-by: Ben Cownley <ben.cownley@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-10-08 10:00:09 -04:00
Ben 02ba927dfc arm-systemready/linux-distros: Implement unattended openSUSE
Implement unattended installation for openSUSE

Signed-off-by: Ben Cownley <ben.cownley@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-10-08 10:00:09 -04:00
Javier Tia d315a5dec9 arm/uefi-secureboot: Add uefi capsule update support
UEFI capsule update is a mechanism that allows firmware updates to be
delivered and applied in a standardized way. It is part of the UEFI
specification and provides a way to update system firmware components
like the BIOS, UEFI drivers, or other platform firmware.

Signed-off-by: Javier Tia <javier.tia@linaro.org>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-10-07 21:00:04 -04:00
Jon Mason 40cc644285 CI: Rework qemuarm64-secureboot matrix
qemuarm64-secureboot is using systemd for uefi-secureboot, which has
warnings with musl (and fails to compile with clang and musl).  So,
modify the matrix to keep the coverage of everything else but musl.

Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-10-07 10:16:20 -04:00
Javier Tia a93bdc8e4e arm/uefi-secureboot: Add uefi http boot support
Enable network boot via HTTP protocol. Many embedded and server-class
systems use network boot for booting. Enabling network boot on devices
allows:

- Shipping devices without OS images. When we power up the device, the
  firmware can connect to the Internet and download and install suitable
  boot images for this specific device. Administrators can centrally
  manage the boot images and configuration files on a network server.
  This centralization streamlines the management of boot options and
  ensures consistency across all devices.

- This is particularly useful in enterprise environments. On mass
  deployments, there is a need to install the operating system on
  multiple devices simultaneously.

- Ability to maintain a completely diskless system if needed 

The plain HTTP protocol lacks encryption. It's intended to be used on
local networks. Secure http protocol support is under review. 

Signed-off-by: Javier Tia <javier.tia@linaro.org>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-10-07 00:00:04 -04:00
Khem Raj 72546aff89 layer.conf: Update to walnascar (5.2) layer/release series
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-10-04 23:00:03 -04:00
Javier Tia 847fd39b25 arm/qemuarm64-secureboot: Enable UEFI Secure Boot
Encapsulate all UEFI Secure Boot required settings in one Kas
configuration file.

Introduce SBSIGN_KEYS_DIR variable where UEFI keys will be generated
to sign UEFI binaries. 

Introduce uefi-secureboot machine feature, which is being used to
conditionally set the proper UEFI settings in recipes.

Replace Grub bootloader with systemd-boot, which it makes easier to
enable Secure Boot.

Advantages using systemd as Init Manager:

- Extending secure boot to userspace is a lot easier with systemd than
with sysvinit where custom scripts will need to be written for all use
cases.

- systemd supports dm-verity and TPM devices for encryption usecases out
of the box. Enabling them is a lot easier than writing custom scripts
for sysvinit.

- systemd also supports EUFI signing the UKI binaries which merge kernel,
command line and initrd which helps in bringing secure boot towards
rootfs.

- systemd offers a modular structure with unit files that are more
predictable and easier to manage than the complex and varied scripts
used by SysVinit. This modularity allows for better control and
customization of the boot process, which is beneficial in Secure Boot
environments.

- Add CI settings to build and test UEFI Secure Boot.

Add one test to verify Secure Boot using OE Testing infraestructure:

$ kas build ci/qemuarm64-secureboot.yml:ci/meta-secure-core.yml:ci/uefi-secureboot.yml:ci/testimage.yml
...
RESULTS - uefi_secureboot.UEFI_SB_TestSuite.test_uefi_secureboot: PASSED (0.62s)
...
SUMMARY:
core-image-base () - Ran 73 tests in 28.281s
core-image-base - OK - All required tests passed (successes=19, skipped=54, failures=0, errors=0)

Signed-off-by: Javier Tia <javier.tia@linaro.org>
Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org> [yml file include fix]
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-10-04 10:27:35 -04:00
Javier Tia fc08510f22 arm: Enable Secure Boot in all required recipes
In the target, Secure Boot starts from the firmware (u-boot), adds the
signing keys, and verifies the bootloader (systemd-boot) and kernel
(Linux).

sbsign bbclass is used to sign the binaries. sbsign is the name of the
tool used to sign these binaries. Hence the name of this class to sbsign
and variables with SBSIGN prefix.

Signed-off-by: Javier Tia <javier.tia@linaro.org>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-10-03 18:00:04 -04:00
Mikko Rapeli 5720b1044f optee-client: switch systemd service to notify type
optee-client 4.3 supports systemd sd-notify to inform
systemd and other services that it has started.

Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-10-02 08:55:14 -04:00
Mikko Rapeli 210f5f7dcc arm/oeqa/optee.py: increase timeout value from 22 to 45 minutes
Tests are taking more time now and several devices are
timing out:

https://gitlab.com/jonmason00/meta-arm/-/pipelines/1467809227

qemuarm64-secureboot runs the test in 10 and
qemuarm-secureboot in 13 minutes.

Upstream optee CI shows xtest runs taking around 30 minutes on
slowest qemu machines:

https://github.com/OP-TEE/optee_os/actions/runs/10997530234?pr=7052

Guestimate limit to 45 minutes so that slowest and most loaded
machines could fit there too. optee xtest has internal test
specific timeouts so if something hangs it should be detected
earlier.

If these limits still cause issues, then we could disable some of
the longer running tests with "xtest -l" option. Default for
testing level is 1 but maybe 2 or 3 could be enough.

Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
Cc: Jérôme Forissier <jerome@forissier.org>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-10-01 15:00:15 -04:00
Jon Mason 5c1407e904 arm/gn: update to latest commit
Update to the latest gn commit.
Changes in gn between b2afae122eeb6ce09c52d63f67dc53fc517dbdc8 and 95b0f8fe31a992a33c040bbe3867901335c12762
95b0f8fe31a9 Improve error message for duplicated items
e30a1fe26e5e [rust-project] Always use forward slashes in sysroot paths
20806f79c6b4 Update all_dependent_configs docs.
f792b9756418 set 'no_stamp_files' by default
60a28b636057 fix a typo
b5ff50936a72 Stop using transitional LFS64 APIs
a737c2849f13 do not use tool prefix for phony rule
e080b4d340c2 [rust] Add sysroot_src to rust-project.json
50ecf4c84d08 Implement and enable 'no_stamp_files'
4e4b8d989499 Add Target::dependency_output_alias()
225e90c5025b Add "outputs" to generated_file documentation.
9e0c7b7cefb2 Update bug database link.
d010e218ca70 remove a trailing space after variable bindings
32f63e70484f fix tool name in error
f190770a69a3 remove unused includes
54f5b539df8c Markdown optimization (follow-up)
e3d088c4b6ac Support link_output, depend_output in Rust linked tools.
fc8172f4a107 Properly verify runtime_outputs in rust tool definitions.
fdb90141934a BugFix: Syntax error in gen.py file
93550dc1701d generated_file: add output to input deps of stamp
449f3e4dfb45 Markdown optimization:
05eed8f6252e Revert "Rust: link_output, depend_output and runtime_outputs for dylibs"
8f2193f70793 hint using nogncheck on disallowed includes
0ee833e823f2 Rust: link_output, depend_output and runtime_outputs for dylibs
1b41f0502f87 Add missing reference section to function_toolchain.cc

Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-10-01 15:00:15 -04:00
Jon Mason 453a531158 arm/arm-ffa-user: update to 5.0.2
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-10-01 15:00:15 -04:00
Jon Mason 5ead59d370 arm/opencsd: update to 1.5.4
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-10-01 15:00:15 -04:00
Jon Mason 6abc3b7daa arm/optee: update to 4.3.0
Update OP-TEE to version 4.3.0
NOTE: the license file in optee-test changed, but the license is the
same (commit a748f5fcd9ec8a574dc86a5aa56d05bc6ac174e7).  They chose to
change the URL of the licenses in question to be "LICENSE-GPL" and
"LICENSE-BSD".

Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-10-01 15:00:15 -04:00
Jon Mason 7cce43e632 Revert "CI: switch to building against styhead branches where possible"
This reverts commit 2b1348d74f.

Revert to allow the meta-arm master branch to use the master branch of
other layers.
2024-10-01 11:08:47 -04:00
Ross Burton 00f4bd027c arm-base/linux-yocto: revert interim 6.10 patch for fvp-base
oe-core master now has 6.10.11 which incorporates this patch, so we don't
need to carry it anymore.

This reverts commit 60fd47edd0.

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-10-01 07:01:16 -04:00
Bence Balogh 8abb62ccb7 arm-bsp/trusted-firmware-m: corstone1000: Update patches
Some of the existing patches were submitted and merged to the
upstream TF-M repository.
In this commit, the upstream statuses are updated, and the patches are
reordered so the submitted patches are applied first.

Signed-off-by: Bence Balogh <bence.balogh@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-09-30 13:24:50 -04:00
Mikko Rapeli 890cbb9841 trusted-firmware-a: fix panic on kv260/zynqmp
kv260 with optee and secure-boot panics without this fix:

https://ledge.validation.linaro.org/scheduler/job/93620

Xilinx Zynq MP First Stage Boot Loader

Release 2022.2   Oct  7 2022  -  04:56:16
MultiBootOffset: 0x40
Reset Mode	:	System Reset
Platform: Silicon (4.0), Running on A53-0 (64-bit) Processor, Device
Name: XCZUUNKNEG

QSPI 32 bit Boot Mode

FlashID=0x20 0xBB 0x20

PMU Firmware 2022.2	Oct  7 2022   04:56:16
PMU_ROM Version: xpbr-v8.1.0-0
�I/TC:
I/TC: OP-TEE version: 4.2.0-dev (gcc version 14.1.0 (GCC)) #1 Fri Apr 12
09:51:21 UTC 2024 aarch64
I/TC: WARNING: This OP-TEE configuration might be insecure!
I/TC: WARNING: Please check
https://optee.readthedocs.io/en/latest/architecture/porting_guidelines.html
I/TC: Primary CPU initializing
I/TC: Primary CPU switching to normal world boot
PANIC at PC : 0x00000000fffed94c

Fix proposed by MaheedharSai.Bollapalli@amd.com

Cc: MaheedharSai.Bollapalli@amd.com
Cc: michal.simek@amd.com
Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-09-30 10:00:17 -04:00
Jon Mason eefb6a12ba arm-bsp/fvp-base: use trusted-firmware-a v2.11
Update to use the latest version of tf-a.  The patch for virtio was
upstreamed and already in v2.11.

Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-09-27 14:00:07 -04:00
Jon Mason 0d0b8ffac2 arm/optee-os: Backport the clang fixes
The Clang bug in OP-TEE OS has been resolved (see
https://github.com/OP-TEE/optee_os/issues/6754).  Backport those patches
and remove the forcing of GCC in the recipe.

Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-09-27 14:00:05 -04:00
Ali Can Ozaslan 94c54c4f57 arm-bsp/optee: corstone1000: Update upstream status
The patch with pending status was submitted to the upstream OP-TEE
repo.

Signed-off-by: Ali Can Ozaslan <ali.oezaslan@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-09-27 12:00:12 -04:00
Ross Burton f22852b353 CI: transform testimage reports into JUnit XML reports
Using resulttool we can transform the oeqa JSON reports into JUnit XML,
which GitLab can display in pipelines and merge requests.

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-09-27 12:00:05 -04:00
Ross Burton 8696545747 CI: remove duplicate arm-systemready-ir-acs
We had two instances of the same job, so consolidate them into one.

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-09-27 12:00:05 -04:00
Ross Burton d96bebfded CI: add KAS_BUILD_DIR variable
Instead of always using KAS_WORK_DIR/build to refer to the build tree,
on the assumption that is where the build tree is, export KAS_BUILD_DIR
and use that variable instead.

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-09-27 12:00:05 -04:00
Quentin Schulz 7eac705805 arm/trusted-firmware-a: add recipe for more-recent-but-not-yet-released source code
The point of this recipe is to allow people to quickly test more recent
commits that aren't yet part of any release just yet.

One should really not use it in any product, but it's nice for CI and
development purposes.

Signed-off-by: Quentin Schulz <quentin.schulz@cherry.de>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-09-27 11:25:37 -04:00
Bence Balogh 3db8bc67b4 arm-bsp/trusted-firmware-m: corstone1000: Update metadata handling
The added TF-M patches:
- Remove unused files from TF-M's BL1
- Remove unecessary duplications in metadata write functions
- Fix compiler switches in metadata handling functions: the runtime TF-M
  uses the GPT to get the offsets for the metadata.
- Validate both metadata replica in the beginning by checking the crc32
  checksum. If one of the replicas is corrupted then update it using the
  other replica.

Signed-off-by: Bence Balogh <bence.balogh@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-09-27 11:25:37 -04:00
Ross Burton 2b1348d74f CI: switch to building against styhead branches where possible
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-09-27 11:25:37 -04:00
Quentin Schulz a754b2beac add basic b4 config file
b4[1] is a very nice tool for mail-based contribution. A config[2] file
exists to set up a few defaults. We can use it to set the To recipients
to always add, in our case the mailing list.

This shouldn't be necessary if we had a script that b4 prep --auto-to-cc
could call to find the mail address(es) to send to. Let's start without
it for now.

[1] https://pypi.org/project/b4/
[2] https://b4.docs.kernel.org/en/latest/config.html

Signed-off-by: Quentin Schulz <quentin.schulz@cherry.de>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-09-27 11:25:37 -04:00
Mikko Rapeli 6def088acd arm/optee-client: fix systemd service dependencies
udev starts tee-supplicant once optee has been found.
Fix dependencies in systemd service so that starting it in
initrd is possible. Stopping requires that ftpm
kernel module is disabled or any TPM related actions will fail until
the next reboot so working around these in the service file. These
are limitations of current kernel optee and ftpm drivers.

tpm2.target requires systemd 256 or newer. With older system version
there is no simple way to queue in service before TPM device is
available.

https://www.freedesktop.org/software/systemd/man/devel/systemd.special.html#tpm2.target

Note that
https://www.freedesktop.org/software/systemd/man/devel/systemd-tpm2-generator.html
detects TPM support from either existing kernel driver (built in or
loaded really early in initrd and rootfs boot) or ACPI table entry for
TPM device. If firmware used a TPM device but doesn't provide ACPI table
entry for it, then a kernel patch has been proposed to expose this to
userspace:

https://lore.kernel.org/lkml/20240422112711.362779-1-mikko.rapeli@linaro.org/

and matching change proposal for systemd:

https://github.com/systemd/systemd/pull/32400

Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-09-26 12:00:04 -04:00
Javier Tia 2d28195634 arm/optee: Add optee udev rules
If a /dev/teepriv[0-9]* device is detected, start an instance of
tee-supplicant.service with the device name as parameter.

Signed-off-by: Javier Tia <javier.tia@linaro.org>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-09-26 12:00:04 -04:00
Luca Fancellu 139e87e119 arm/lib: Handle timeout for spawn object on stop()
The current code is waiting 5 seconds to get an EOF on the
console pexpect spawn object, on a particularly slow machine
this timeout was not enough ending up into a TIMEOUT exception.

To solve this, increase the timeout and handle the TIMEOUT exception
by printing an error on the debug console instead of letting the
exception raise up to the stack, force the spawn object close() call
as well, since at this stage we would like the process to terminate
anyway.

Signed-off-by: Luca Fancellu <luca.fancellu@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-09-23 13:00:04 -04:00
Harsimran Singh Tungal f7ea72db24 arm-bsp/trusted-services: corstone1000: Update Trusted-Services patches
Modify the upstream status and commit descriptions of Trusted-Services patches.
Few patches have been been upstreamed to external Trusted-Services gerrit repository
for review. So, update upstream status of those patches accordingly.

Signed-off-by: Harsimran Singh Tungal <harsimransingh.tungal@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-09-20 12:00:04 -04:00
Jon Mason ea2c1ab5db arm-bsp/fvp: Re-enable parselogs
Re-enable parselogs testing for fvp-base and corstone1000-fvp, and add
an ignore file for the relevant entries.  Also, increase the testing
being done on corstone1000-fvp.

Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-09-20 09:00:04 -04:00
Jon Mason 60fd47edd0 arm-bsp/fvp-base: Get 6.10 kernel working
Apply upstream patch to get virtio networking functioning again and
switch to the 6.10 kernel.

Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-09-20 09:00:04 -04:00
Jon Mason a6e74d3926 arm-bsp/fvp-base: support poky-altcfg
Add the bits to enable poky-altcfg to boot to prompt on fvp-base.
Unfortunately, ssh takes a very long time to come up, which causes the
ssh test to timeout.  So, don't enable this by default in CI.
Also, switch to building full-cmdline instead of sato, since we're never
actually testing the graphics on this platform.

Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-09-20 09:00:04 -04:00
Jon Mason 45a2b44284 arm-toolchain: remove libmount-mountfd-support when using binary toolchain
util-linux is failing when compiling with:
| configure: error: libmount_mountfd_support selected, but required mount FDs based API not available
Remove this feature when building with the binary toolchain to avoid
this issue.

Acked-by: Denys Dmytriyenko <denys@konsulko.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-09-19 12:00:04 -04:00
Bence Balogh d75cf2dd53 arm-bsp/trusted-firmware-m: corstone1000: Fix MPU configuration
The Application Root of Trust and the PSA Root of Trust was not
isolated in TF-M Isolation Level 2 beacuse of the misconfiguration of
the MPU. The added patch fixes this issue.

Signed-off-by: Bence Balogh <bence.balogh@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-09-17 17:00:05 -04:00
Jon Mason 5eb457b526 arm-bsp/documentation: corstone1000: Improve user guide
Includes:
* Sentence clarifications
* Usage of list numbering where steps are given
* Usage of code syntax where appropriate
* Usage of RST syntax for notes
* Appropriate capitalization of component names
* Consistently use the term MPS3 to refer to the physical hardware
* Present tests in a clear and consistent manner
* Wrap commands to reduce horizontal scrolling
* Creating paragraphs to improve readability
* Usage of shell variables for placeholders so user can
  create their shell variables and use the provided commands
  as in the user guide.

Signed-off-by: Hugues KAMBA MPIANA <hugues.kambampiana@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-09-17 08:59:23 -04:00
Bence Balogh 6ce3f43792 arm-bsp/documentation: corstone1000: remove TEE driver load
The arm-tstee driver was upstreamed to the v6.10 kernel so it doesn't
have to be loaded manually. Updated the related parts in the
Corstone-1000 user guide.

Signed-off-by: Bence Balogh <bence.balogh@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-09-17 08:55:25 -04:00
Bence Balogh bd1e228d4a arm-bsp/linux-yocto: corstone1000: bump to v6.10
This commit updates the linux-yocto version to the latest availabe one.
No additional work was needed to make it work in Corstone-1000.

Signed-off-by: Bence Balogh <bence.balogh@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-09-17 08:55:13 -04:00
Jon Mason 5c12aab797 arm/libts: Patch to fix 6.10 kernel builds breaks
The ts-tee driver was upstreamed into the v6.10 kernel.  Remove
arm-tstee driver package, since the upstream one should be used.

optee and arm ffa driver are logging non-fatal errors in dmesg, which is
causing the parselogs test to fail.  This is due to arm ffa needing
givc3.

Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-09-17 08:55:13 -04:00
Jon Mason 60361945cf arm/musl: work around trusted services error
CI test for Trusted Services is failing with the recent musl update.
The issue was bisected to an update in musl modifying the behavior of
PAGE_SIZE.  Revert this change in musl while using trusted-services
until a proper solution can be found.

Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-09-11 10:00:03 -04:00
Martin Jansa f3d1c0293e layer.conf: Update to styhead release name series
oe-core switched to styhead only in:
https://git.openembedded.org/openembedded-core/commit/?h=styhead&id=b4cf6d5236a3eacaf56ca2f805b006efac65b26c

Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-09-06 15:31:04 -04:00
Hugues KAMBA MPIANA f975faf4c3 arm-bsp/documentation: corstone1000: Mention PMOD module as prerequisite
Add a warning in the Corstone-1000 documentation to indicate to the
end user that a 32 MB QSPI flash PMOD module is required to run
the Corstone-1000 software stack on MPS3-FPGA with the AN550 Application
note programmed.

Signed-off-by: Hugues KAMBA MPIANA <hugues.kambampiana@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-09-04 05:00:03 -04:00
Harsimran Singh Tungal 9d00aa03f6 arm-bsp,documentation: corstone1000: update user documentation
Add new usage details for running the secure boot testing
script located in the `systemready-patch` repository.

This script is used to create UEFI authenticated variables and sign the
Linux kernel image for the MPS3-FPGA and FVP secure boot tests.
Reflect the latest modifications to the script usage in the Corstone-1000 user guide.

Signed-off-by: Harsimran Singh Tungal <harsimransingh.tungal@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-09-03 11:31:32 -04:00
Harsimran Singh Tungal 0f87b7c46a arm-bsp,kas: corstone1000: enable External System based on new yml file
Create new yml file "corstone1000-extsys.yml" which adds "corstone1000-extsys" as
new MACHINE_FEATURE.
Based on this, external system components can be enabled or disabled from the
Linux Kernel and U-Boot.

Reason for change:
DT-schema test is failing for the SystemReady-IR v2.0 certification because
device tree binding for remoteproc dts node corresponds to external system has
not been upstreamed in the Linux Kernel yet.
So, it has been decided to make enablement of external system configurable in
order to make Corstone1000 FVP SystemReady-IR v2.0 certifiable.

Signed-off-by: Harsimran Singh Tungal <harsimransingh.tungal@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-09-03 11:31:32 -04:00
Jon Mason f741b4d8b9 arm/trusted-firmware-a: update LICENSE entry
As pointed out by Denys Dmytriyenko, the LICENSE entry in
trusted-firmware-a is not accurate.  docs/license.rst specifies the
licenses to be BSD 3 Clause for the project, with code from other
projects imported as:
libc BSD-3-Clause
libfdt BSD-2-Clause
LLVM BSD-3-Clause
zlib BSD-3-Clause
STMicroelectronics platform source code BSD-3-Clause
Linux source  MIT
DICE Apache 2.0

Note: these are the license the code is imported with (according to
license.rst), not a listing of the license(s) of those sources.

Signed-off-by: Jon Mason <jon.mason@arm.com>
Acked-by: Denys Dmytriyenko <denys@konsulko.com>
2024-09-03 11:31:21 -04:00
Bence Balogh 36e8641cc9 CI: Add secure debug build for Corstone-1000
Signed-off-by: Bence Balogh <bence.balogh@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-08-29 08:36:35 -04:00
Bence Balogh db2b46a464 arm-bsp/documentation: corstone1000: add Secure Debug test
The new section writes down the steps that are needed for reproducing
the Secure Debug authentication.

Signed-off-by: Bence Balogh <bence.balogh@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-08-29 08:36:35 -04:00
Bence Balogh 7e94669f60 arm-bsp/trusted-firmware-m: corstone1000: add Secure Debug
The Secure Debug functionality can be enabled on MPS3 by using the new
corstone1000-mps3-secure-debug.yml kas file. The kas file adds the new
secure-debug machine feature. The TF-M recipe adds the needed TF-M
build flags and patches in order to make the Secure Debug work.

This way, the Corstone-1000 will only boot fully if a debugger is
connected and a debug authentication is initiated.

Signed-off-by: Bence Balogh <bence.balogh@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-08-29 08:36:35 -04:00
Jon Mason 11d6e24167 arm/arm-tstee: pin kernel to 6.6 to workaround issue
arm-tstee doesn't compile on 6.8 or newer kernels.  Temporarily pin the
kernels of machines using this package back to 6.6 while developing a
fix.

Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-08-20 10:00:05 -04:00
Jon Mason 5a3ca1e23f arm/qemu-efi-disk: add rootwait to bootargs
Adding "rootwait" to bootargs for uniformity with the other wic files,
and this _could_ resolve Yocto Bugzilla Bug 15562 (as the intermittent
inability to find the root disk could be because of a race between
needing the disk and it not being mounted yet).

Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-08-20 10:00:05 -04:00
Mikko Rapeli 3a850ee377 ts-newlib: setup git with check_git_config
ts-newlib has a custom do_patch function which is not setting
up git like poky do_patch. Build without working git config
may fail:

| *** Please tell me who you are.
|
| Run
|
|   git config --global user.email "you@example.com"
|   git config --global user.name "Your Name"
|
| to set your account's default identity.
| Omit --global to set the identity only in this repository.
|
| fatal: unable to auto-detect email address (got 'tuxbake@81d82e1ac791.(none)')

Fix this by calling check_git_config from poky utils
to setup git correctly.

Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-08-13 11:00:05 -04:00
Hugues Kamba-Mpiana 74e7bcfcdf arm-bsp/documentation: corstone1000: Install Sphinx theme as recommended
Read the Docs recommends installing the Sphinx theme by listing
it as an enabled extensions prior to setting it as the active theme.

This commit adds it to the enabled extensions list as it was already
set as the active theme.

Signed-off-by: Hugues Kamba-Mpiana <hugues.kambampiana@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-08-12 12:00:06 -04:00
Hugues Kamba-Mpiana 7d2e8681e4 arm-bsp/documentation: corstone1000: Deprecation of Sphinx context injection
Read the Docs will stop defining `html_baseurl` Sphinx configuration,
which means that projects will need to define it by themselves to keep the
canonical custom domain properly configured.

The `READTHEDOCS_CANONICAL_URL` environment variable is used to define
`html_baseurl` to keep the previous behavior.

Also inject the `READTHEDOCS` variable into the `html_context`.

Code fragment taken from the blog post here:
https://about.readthedocs.com/blog/2024/07/addons-by-default/

Signed-off-by: Hugues Kamba-Mpiana <hugues.kambampiana@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-08-12 12:00:06 -04:00
Bence Balogh aea2c9b003 arm-bsp/trusted-firmware-m: corstone1000: fix bank offset
A patch was added to fix the address of the bank erasing and flashing
during the capsule update procedure. Previously the BL2 partition was
not erased properly.

The offset in the corstone1000-flash-firmware.wks.in was updated to
be aligned with the changes.

Signed-off-by: Bence Balogh <bence.balogh@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-08-12 05:00:06 -04:00
Bence Balogh c965cf722f arm-bsp/trusted-firmware-m: Remove TF-M v2.0 recipe
There no longer is a platform in meta-arm that uses this version of
TF-M. The last platform that did use it (Corstone-1000) now uses
a later version.
See meta-arm-bsp/conf/machine/include/corstone1000.inc for more info.

Signed-off-by: Bence Balogh <bence.balogh@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-08-09 11:52:37 -04:00
Bence Balogh 50b4d9cca9 arm-bsp/trusted-services: corstone1000: align PSA crypto structs with TF-M
The TF-M was upgraded to v2.1.0 for the Corstone-1000. The TS had to be
aligned with it, to keep the Secure Enclave Proxy Secure Partition
compatible with TF-M.

Signed-off-by: Bence Balogh <bence.balogh@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-08-09 11:52:37 -04:00
Bence Balogh d362e3a7ee arm-bsp/trusted-firmware-m: corstone1000: upgrade to TF-M v2.1.x
Update the preferred version of TrustedFirmware-M for Cortsone-1000
from 2.0.x to 2.1.x to benefit from the latest fixes and improvements
as well as to reduce the number of out-of-tree patches.

As a result of updating the version:
* Remove no longer required out-of-tree patches
* Rebase and update the numbering of the remaining out-of-tree patches

Signed-off-by: Bence Balogh <bence.balogh@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-08-09 11:52:37 -04:00
Ross Burton 8a3b84ac38 arm-bsp/linux-yocto: update for linux 6.10
CONFIG_FB_ARMCLCD is long obsolete, has been replaced with a DRM driver
enabled by CONFIG_DRM_PL111, and was removed in 6.8.

CONFIG_THERMAL_WRITABLE_TRIPS was removed in 6.9.

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-08-08 11:00:06 -04:00
Mariam Elshakfy 5e27594771 arm/trusted-services: Move ts-newlib compilation fix to meta-arm
This change moves ts-newlib compilation fix from
meta-arm-bsp to meta-arm, as this compilation failure
is not specific to meta-arm-bsp platforms.

Signed-off-by: Mariam Elshakfy <mariam.elshakfy@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-08-07 17:00:05 -04:00
Ross Burton 1d21bf1577 arm/edk2-firmware: set CVE_PRODUCT to the correct CPE
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-08-06 10:00:07 -04:00
Bence Balogh 3f78e99e0f arm-bsp/trusted-firmware-a: corstone1000: update upstream statuses
The patches with Pending status were submitted to the upstream TF-A
repo.

Signed-off-by: Bence Balogh <bence.balogh@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-08-03 09:00:05 -04:00
Jon Mason bf85e4a9a1 arm/trusted-firmware-a: remove workaround patch for qemuarm64-secureboot
bl31 interrupt type regression has been fixed in v2.11 of trusted
firmware a.  Since qemuarm64-secureboot is using that version, this
patch can be removed.

Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-08-02 15:25:27 -04:00
Jon Mason e687068e5a arm-bsp: remove unreferenced patches and configs
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-08-02 15:25:27 -04:00
Jon Mason 6657b15b31 arm: use devtool to clean-up patches
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-08-02 15:25:27 -04:00
Jon Mason 3880bc18bc arm-bsp/fvp-base: u-boot patch clean-up
Move the fvp-base unique u-boot patches to the proper nested directory
and rename them to match convention (devtool style).

Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-08-02 15:25:27 -04:00
Mikko Rapeli 1e7cac70cc optee-os: fix buildpaths QA failure on corstone1000
Patches applied upstream:

https://github.com/OP-TEE/optee_os/pull/6974

Fixes:

https://gitlab.com/jonmason00/meta-arm/-/jobs/7472950159

ERROR: mc:firmware:optee-os-4.2.0-r0 do_package_qa: QA Issue: File /lib/firmware/tee.elf in package optee-os contains reference to TMPDIR [buildpaths]

Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-08-02 09:42:31 -04:00
Mikko Rapeli b1db172d51 optee-os: remove buildpaths INSANE_SKIP
Embedded build paths are now removed and test passes.

Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-07-30 23:08:43 -04:00
Mikko Rapeli 9a6a118924 optee-os-tadevkit: remove buildpaths INSANE_SKIP
Embedded build paths are now removed and test passes.

Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-07-30 23:08:43 -04:00
Mikko Rapeli 677d9937f2 optee-os: remove absolute paths
Change optee-os build scripts to not use absolute
build time paths in generated header files and scripts.

Two patches are backports from master/4.3.

Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-07-30 23:08:43 -04:00
Mikko Rapeli 96da3de1ea optee-os: asm debug prefix fixes
The .S files compiled by optee-os were including
absolute path of the recipe git tree. Fix this by
applying CFLAGS with correct debug prefix maps to AFLAGS
used by optee makefiles. Fixes optee-os and optee-os-tadevkit
buildpaths QA errors.

Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-07-30 23:08:43 -04:00
Luca Fancellu f3b60ee389 arm/oeqa: Introduce retry mechanism for fvp_devices run_cmd
Currently the run_cmd, which is a wrapper for self.target.run()
that uses SSH to spawn commands on the target, can fail spuriously
with error 255 and cause the test to fail on slow systems.

In order to address that, introduce a retry mechanism for the call,
that is able to wait some time for the system to settle and retry
the command when the error code from SSH is 255.

Signed-off-by: Luca Fancellu <luca.fancellu@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-07-30 10:05:46 -04:00
Amr Mohamed 88a47b37f7 kas: Add new yml file for Distros unattended installation
Define “DISTRO_UNATTENDED_INST_TESTS” variable in meta-arm-systemready
independently from meta-arm-auto-solutions. This will allow running
the unattended installation without meta-arm-auto-solutions.

Signed-off-by: Amr Mohamed <amr.mohamed@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-07-30 10:02:47 -04:00
Amr Mohamed 9c95daa244 arm-systemready/oeqa: Add new test for Fedora unattended installation
The oeqa test responds to the boot loader prompt error message and
waits till the distro installation is finished.

Signed-off-by: Amr Mohamed <amr.mohamed@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-07-30 10:02:47 -04:00
Amr Mohamed c014f118a1 arm-systemready/linux-distros: Add kickstart file for Fedora unattended
Add the Fedora kickstart configuration file and define a function to
modify the unpacked ISO image to add the kickstart file inside and
modify the grub.cfg file.

Signed-off-by: Amr Mohamed <amr.mohamed@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-07-30 10:02:47 -04:00
Amr Mohamed bd95810d77 arm-systemready/linux-distros: new inc file for unattended installation
Add a new inc file to unpack and repack the distro ISO image after
adding the kickstart configuration file inside.

Signed-off-by: Amr Mohamed <amr.mohamed@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-07-30 10:02:47 -04:00
Ross Burton c850a8624c arm-systemready: explicitly disable SPDX in the fake image classes
If SPDX 3.0 has been enabled then it :appends to IMAGE_CLASSES and then
breaks at build time because there are several classes and recipes that
look like but are not images.

Explicitly :remove the relevant class, but this really needs a better
solution in the long term.

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-07-26 08:44:08 -04:00
Ali Can Ozaslan e8b60718a8 arm-bsp/trusted-firmware-m: corstone1000: Increase PS size
Increase the size of PS storage in Secure Flash.

The SecureBoot and Security Interface Extension (SIE) tests for MPS3
are failing when the Secure Flash runs out of memory. The frequency
of the errors is at least 50-60%. The aim of this is to increase
the size of PS storage in Secure Flash, so as to minimize
the possibilities of it to run out of memory.

FLASH_PS_AREA_SIZE is increased.

Signed-off-by: Ali Can Ozaslan <ali.oezaslan@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-07-26 08:44:08 -04:00
Jon Mason 14d24b5526 arm-bsp/fvp-base: add edk2 testimage support
Add the changes necessary to get edk2 booting and testimage passing on
fvp-base.  All that is really necessary is adding the dtb to the too
partition.

Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-07-12 11:16:57 -04:00
Jon Mason 105338c069 CI: remove xorg test removal from edk2
The edk file removed xorg from being tested, which is currently working
on qemuarm and qemuarm64.  Also, the section name collies with one in
fvp.yml, which has other things that are removed.  Remove this removal
to get things working as expected.

Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-07-12 11:16:57 -04:00
Jon Mason 6e383417d7 arm/gn: update to the latest commit
Update to the latest gn commit.  The previous commit was from 23 April 2024.
The commits since that commit are:
    Do not cleanup args.gn imports located in the output directory.
    Fix expectations in NinjaRustBinaryTargetWriterTest.SwiftModule
    Do not add native dependencies to the library search path
    Support linking frameworks and swiftmodules in Rust targets
    [desc] Silence print() statements when outputing json
    infra: Move CI/try builds to Ubuntu-22.04
    [MinGW] Fix mingw building issues
    [gn] Fix "link" in the //examples/simple_build/build/toolchain/BUILD.gn
    [template] Fix "rule alink_thin" in the //build/build_linux.ninja.template
    Allow multiple --ide switches

Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-07-12 11:00:05 -04:00
Jon Mason 091f102ea5 arm/boot-wrapper-aarch64: update with latest patch
Update to the latest commit.  The previous top commit was from 27 July 2021.
The commits since that commit are:
    aarch64: Enable access to MDSELR_EL1 from EL2 and below
    aarch64: enable Permission Indirection Extension
    aarch64: enable access to TCR2_ELx
    model.lds.S: Quote file paths
    Makefile: Change COUNTER_FREQ to 100 MHz
    sme: Fix sign-extension bug in SMCR_EL3 write
    fix array boundary check in find_logical_id
    aarch64: enable access to HCRX_EL2
    aarch64: Enable use of SME by EL2 and below
    aarch64: Document what we're doing when setting ZCR_EL3.LEN
    aarch64: Recognize PAuth QARMA3
    Makefile: avoid dtc warnings on re-compiling DTB
    Unify start_el3 & start_no_el3
    Rework bootmethod initialization
    Announce locations of memory objects
    aarch32: move the bulk of Secure PL1 initialization to C
    aarch64: move the bulk of EL3 initialization to C
    Announce boot-wrapper mode / exception level
    Rework common init C code
    aarch64: initialize SCTLR_ELx for the boot-wrapper
    aarch64: add mov_64 macro
    aarch32: add coprocessor accessors
    aarch64: add system register accessors

Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-07-12 11:00:05 -04:00
Jon Mason e9f00ab335 arm/opencsd: update to 1.5.3
Update to the latest opencsd commit.  The previous commit was from 28 March 2024.
The commits since that commit are:
    opencsd: Update Version info and README for v1.5.3
    build: Minor adjustments to improve clang compatibility
    build: vs2022: Fix minor git tracking issues.
    opencsd: test: update tests for memacc cache api
    opencsd: Add external memacc cache interface.
    opencsd: memory accessor - update caching.
    opencsd: docs: Update man files
    opencsd: etm4: Fix packet print typo.
    opencsd: Fix error handling in snapshot loader
    opencsd: Fix error string ordering.
    opencsd: memacc: Add logging for cache pages and size.
    opencsd: Add timing to trc_packet_lister
    docs: Minor document corrections.

Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-07-12 11:00:05 -04:00
Jon Mason a1b240fa55 CI: add poky-altcfg
Add poky-altcfg to give us coverage for systemd (and the other things
that it exercises).

Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-07-10 12:11:37 -04:00
Amr Mohamed b2f6758fde arm-systemready/README.md: add ARM_FVP_EULA_ACCEPT
Update README.md file to add "ARM_FVP_EULA_ACCEPT=1"
with kas build commands.

Signed-off-by: Amr Mohamed <amr.mohamed@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-07-10 09:00:05 -04:00
Jon Mason 4cddc5f600 CI: remove unnecessary clang settings
With the resolution of meta-clang issue 766 and
OE-Core 15d09b02b2632ab1cabc3b1bd9f521e6d3d3b83f
many of the settings are no longer necessary to be set as part of our
CI.  Remove them, as it is causing other issues with CI.

Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-07-09 14:40:05 -04:00
Jon Mason f646ee4507 arm-toolchain: update to 13.3
Update the Arm Binary toolchain to version 13.3-rel1.  The upper to
lowercase 'r' in rel was intentional, as the exact match is needed for
devtool to properly determine the correct version.

Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-07-09 14:35:23 -04:00
Bence Balogh af0b47160e arm-bsp/u-boot: corstone1000: use mdata v2
The mdata structure was modified to use the v2 and did the minimal
necessarry changes to make it build without errors. This way the
U-Boot metadata is aligned with the TF-A and TF-M structs.

Signed-off-by: Bence Balogh <bence.balogh@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-07-08 14:49:10 -04:00
Emekcan Aras f219bed333 arm-bsp/trusted-firmware-m: corstone1000: Switch to metadata v2
Upgrades metadata structs in secure-enclave from v1 to v2 as described
in psa-fwu spec: https://developer.arm.com/documentation/den0118/latest/

The TrustedFirmware-A v2.11 release supports only the metadata v2. The
structs in TF-M side had to be aligned to keep the compatibility.

Signed-off-by: Emekcan Aras <Emekcan.Aras@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-07-08 14:49:10 -04:00
Bence Balogh 45cc1d2e2c arm-bsp/trusted-firmware-a: Upgrade Corstone1000 to TF-A v2.11
Update the preferred version of TrustedFirmware-A for Cortsone-1000
from 2.10.x to 2.11.x to benefit from the latest fixes and improvements
as well as to reduce the number of out-of-tree patches.

As a result of updating the version:
* Remove no longer required out-of-tree patches
* Update the numbering of the remaining out-of-tree patches

Additionally remove unnecessary white spaces in modified BitBake files.

Signed-off-by: Bence Balogh <bence.balogh@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-07-08 14:49:10 -04:00
Bence Balogh 0ec9dedc00 arm-bsp/optee: Remove OP-TEE OS v4.1 recipe
There no longer is a platform in meta-arm that uses this version of
OP-TEE OS. The last platform that did use it (Corstone-1000) now uses
a later version.
See `meta-arm-bsp/conf/machine/include/corstone1000.inc` for more info.

Signed-off-by: Bence Balogh <bence.balogh@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-07-08 08:00:06 -04:00
Bence Balogh 9532dca1a6 arm-bsp/optee:corstone1000: Update optee to v4.2
Update the preferred version of OP-TEE OS for Cortsone-1000 from
4.1.x to 4.2.x to benefit from the latest fixes and improvements.

Signed-off-by: Bence Balogh <bence.balogh@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-07-08 08:00:06 -04:00
Delane Brandy 61f5a0b1b6 arm-bsp/corstone1000: Update Corstone-1000 user guide
Update the Corstone-1000 user guide with the new instructions on how to
rebuild the platform to enable multicore support and run a test to
verify this.

Signed-off-by: Delane Brandy <delane.brandy@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-07-04 06:00:05 -04:00
Jon Mason 390b9824dd CI: remove ts-smm-gateway for qemuarm64-secureboot-ts
uefi-test is failing on qemuarm64-secureboot with TS enabled with a "Bus
Error".  This regression is caused by the update of QEMU from v8.2.1 to
v9.0.0.  Temporarily disable this test (via disabling ts-smm-gateway) to
get CI green until it can be root caused.

Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-07-02 16:28:33 -04:00
Harsimran Singh Tungal b5903ce6ea arm-bsp/trusted-firmware-a: corstone1000: fix compilation issue for FVP multicore
Include platform header file in order to remove compiler warnings.
Due to GCC upgrades to 14.1, some warnings are being treated as errors.
This change resolves TF-A compilation issue when FVP multicore
is enabled.

Signed-off-by: Harsimran Singh Tungal <harsimransingh.tungal@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-07-02 12:00:05 -04:00
Jon Mason 1d65894556 arm-systemready: WORKDIR to UNPACKDIR changes
Recent upstream changes to what is acceptable use of WORKDIR have broken
where the meta-arm-systemready recipes are expecting things to be.  Fix
them to point to the correct location.

Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-07-01 20:38:32 -04:00
Peter Hoyes 1a2004428d arm/fvpboot: Revert "Disable timing annotation by default"
Fast Models 11.26 now print the following warning if the env var
FASTSIM_DISABLE_TA is set:

  Warning: /ARM/FastModels/deprecated: the use of FASTSIM_DISABLE_TA
  environment variable is deprecated and will beremoved in a future
  release.

Remove the env var from the default env passthrough vars in the fvpboot
bbclass.

This reverts commit 735f560aeb.

Signed-off-by: Peter Hoyes <peter.hoyes@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-07-01 08:24:26 -04:00
Harsimran Singh Tungal b13a35906a arm-bsp/trusted-services: fix compilation issues for ts-newlib
Fix compilation issues with newer GCC version 14.1 for ts-newlib package
by disabling GCC flags for now.
This is just to unblock meta-arm master compilation issues.

Signed-off-by: Harsimran Singh Tungal <harsimransingh.tungal@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-06-28 10:15:26 -04:00
Harsimran Singh Tungal 0e5be70176 arm-bsp/trusted-services: corstone1000: fix compilation issues
Fix compilation issues with newer GCC version 14.1 for Trusted-Services
patches by disabling some GCC flags for now.
This is just to unblock the meta-arm master compilation issues.

Signed-off-by: Harsimran Singh Tungal <harsimransingh.tungal@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-06-28 10:15:26 -04:00
Harsimran Singh Tungal 6db296637b arm-bsp/u-boot: corstone1000: fix U-Boot patch
Fix compilation issues with newer GCC version 14.1 in U-Boot patch

Signed-off-by: Harsimran Singh Tungal <harsimransingh.tungal@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-06-28 10:15:26 -04:00
Ziad Elhanafy 5f64790152 arm/oeqa: Enable pexpect profiling for testcase debugging
This patch enables logging with timestamps for individual pexpect
assertions to ease the debugging of failed tests and the tuning of
timeouts. It measures the execution time of all pexpect calls and logs
the actual duration for each.

Only "callable" pexpect calls are timed (e.g. expect, sendline, but not
before or after).

Signed-off-by: Divin Raj <divin.raj@arm.com>
Signed-off-by: Ziad Elhanafy <ziad.elhanafy@arm.com>
Signed-off-by: Peter Hoyes <peter.hoyes@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-06-28 10:15:03 -04:00
Ross Burton c4c562c179 CI: update to Kas 4.4 image
The Kas 4.4 image includes the websocket module, needed to use the
public hashserv/sstate.

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-06-26 12:00:06 -04:00
Jon Mason 751e4817c9 arm-toolchain: fix for WORKDIR changes
Fallout from the upstream WORKDIR changes.  do_copy_locale expects
SUPPORTED to be in WORKDIR, but recent changes have made it so that the
source/unpack location is no  longer WORKDIR and cannot be pointed to
be such.  So, do this copy manually here.

Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-06-24 11:00:05 -04:00
Jon Mason 8024166d6c arm/qemuarm64-secureboot: fix qemu parameter
QEMU has deprecated the no-acpi parameter, in favor of "acpi=off" machine
setting.  Modify the machine conf to use the new method.

Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-06-20 15:48:11 -04:00
Jon Mason 794262c783 arm-bsp/fvp-base: update version to 11.26.11
Update to the latest version of fvp-base-a-aem.  The licence files
changed with an addition of language to add 'Arm License Management
Utilities', but still is licensed under the Arm Proprietary license (and
still requires the EULA to be acknowledged).

Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-06-19 17:00:05 -04:00
Ross Burton 981425c54e arm/libts: use UNPACKDIR
Single files in SRC_URI are now in UNPACKDIR not WORKDIR.

Signed-off-by: Ross Burton <ross.burton@arm.com>
2024-06-18 13:59:47 -04:00
Ross Burton 80be96437e arm-bsp/firmware-image-juno: use UNPACKDIR
Update the source/fetching for the new S/UNPACKDIR behaviour. This patch
is complicated by the recipe using UNPACK_DIR already, so I changed that
to avoid confusion.

Signed-off-by: Ross Burton <ross.burton@arm.com>
2024-06-18 13:59:47 -04:00
Ross Burton 1985604beb arm/optee-ftpm: silence new compiler errors from GCC 14.1
GCC 14.1 is stricter with code validation and the build now fails.
However as upstream appear to be about to remove this source entirely from
upstream[1] I didn't want to spend long investigating this if upstream
changes will obsolete it, so just silence the errors for now.

[1] https://github.com/microsoft/ms-tpm-20-ref/pull/108

Signed-off-by: Ross Burton <ross.burton@arm.com>
2024-06-18 13:59:47 -04:00
Harsimran Singh Tungal bd9fc4bbfc ci,arm-bsp: corstone1000: New MACHINE_FEATURES for Corstone-1000 FVP multicore
Introduce `corstone1000_fvp_smp` as a value of the `MACHINE_FEATURES`
variable to support Corstone-1000 FVP Symmetric Multiprocessing.

A new YAML file is created to add this new machine only for the FVP
variant of the target platform.

The multicore feature is enabled in TrustedFirmware-A,
TrustedFirmware-M, and OP-TEE based on this machine feature.

Signed-off-by: Harsimran Singh Tungal <harsimransingh.tungal@arm.com>
2024-06-18 13:59:28 -04:00
Harsimran Singh Tungal e437bc8f7d arm-bsp/trusted-firmware-m: corstone1000: Multicore support for Corstone-1000 FVP
This changeset introduces the multicore support for the Corstone-1000
FVP.

Signed-off-by: Harsimran Singh Tungal <harsimransingh.tungal@arm.com>
2024-06-18 13:59:28 -04:00
Harsimran Singh Tungal 3eaa5c632c arm-bsp/trusted-firmware-a: corstone1000: Multicore support for Corstone-1000 FVP
This changeset adds the multicore support in trusted-firmware-a for the Corstone-1000
FVP.

Signed-off-by: Harsimran Singh Tungal <harsimransingh.tungal@arm.com>
2024-06-18 13:59:28 -04:00
Harsimran Singh Tungal c42a7ffd3e arm-bsp/u-boot: corstone1000: Enable secondary cores for Corstone-1000 FVP
This changeset adds secondary cpu nodes for Corstone-1000 FVP dts.

Signed-off-by: Harsimran Singh Tungal <harsimransingh.tungal@arm.com>
2024-06-18 13:59:28 -04:00
Harsimran Singh Tungal 3e13dfa18a arm-bsp/optee: corstone1000: Remove MMCOMM buffer address
Remove MMCOMM buffer address and its mapping, as it is not being used anymore

Signed-off-by: Harsimran Singh Tungal <harsimransingh.tungal@arm.com>
2024-06-18 13:59:28 -04:00
Ross Burton 156141c014 documentation/runfvp: use IMAGE_CLASSES instead of INHERIT
The fvpboot class specifically hooks into the image creation, so it
should use IMAGE_CLASSES instead of INHERIT (which is global in scope).

Signed-off-by: Ross Burton <ross.burton@arm.com>
2024-06-18 13:59:05 -04:00
Jon Mason 150cd18d15 Docs: add ci/kas, quick start, and release information
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-06-18 13:58:39 -04:00
Ross Burton e6796bf18a arm-bsp/edk2-firmware: work around alignment problem with EDK/qemu
Since switching to master, EDK2 is doing an unaligned access to memory
when drawing the boot logo which causes qemu 9.0.0 (since 728b923f54) to
raise an exception.

There is upstream discussion about where and what the underling bug here
actually is, but until that is resolved we can simply align the logo.

Signed-off-by: Ross Burton <ross.burton@arm.com>
2024-06-18 08:52:21 -04:00
Amr Mohamed 88b78f5558 arm-systemready/linux-distros: Add a third Linux distribution installation
Add Fedora distribution version 39.1.5 installation to fulfill
the SystemReady IR.

Signed-off-by: Amr Mohamed <amr.mohamed@arm.com>
2024-06-18 08:51:59 -04:00
Bence Balogh 71d36251eb arm-bsp/documentation: corstone1000: improve tests documentation
Improve the documentation in the user guide of the following tests:

- SystemReady-IR tests
- Manual capsule update and ESRT checks
- Linux distros tests
- UEFI Secureboot (SB) test
- PSA API tests

In addition, we moved the tests in one section for better readability.

Signed-off-by: Delane Brandy <delane.brandy@arm.com>
Signed-off-by: Harsimran Singh Tungal <harsimransingh.tungal@arm.com>
Signed-off-by: Bence Balogh <bence.balogh@arm.com>
Signed-off-by: Abdellatif El Khlifi <abdellatif.elkhlifi@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-06-13 13:00:06 -04:00
Bence Balogh 841b88fdc2 arm-bsp/documentation: corstone1000: update the boot chain
The Secure Boot chain section is updated in the architecture document
to reflect the TF-M BL1 design.

Signed-off-by: Bence Balogh <bence.balogh@arm.com>
Signed-off-by: Harsimran Singh Tungal <harsimransingh.tungal@arm.com>
Signed-off-by: Delane Brandy <delane.brandy@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-06-13 13:00:06 -04:00
Andrey Zhizhikin 30872ba12a optee-client: Switch away from S = WORKDIR
Since OE-Core commit 32cba1cc916a ("insane: Error for S == WORKDIR")
usage of WORKDIR in tasks is fatal, and shall be replaced with UNPACKDIR.
Similar change is introduced in OE-Core commit d9328e3b0b06 ("recipes:
Switch away from S = WORKDIR"), follow the same pattern for OP-TEE client.

Signed-off-by: Andrey Zhizhikin <andrey.z@gmail.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-06-12 09:29:29 -04:00
Jon Mason f8338c3af2 Revert "CI: temporarily backport the procps fix"
This reverts commit fef5eafc08.
2024-06-11 12:39:50 -04:00
Ryan Eatmon b08bf096a0 arm/test-pacbti: Use UNPACKDIR
Fix parsing recipes error:

  Parsing recipes...
  ERROR: meta-arm/recipes-test/pacbti/test-pacbti.bb: Using S = ${WORKDIR} is no longer supported
  ERROR: Parsing halted due to errors, see error messages above

There was a change in oe-core [1] and was further discussed here [2].

[1]  https://git.openembedded.org/openembedded-core/commit/?h=master&id=32cba1cc916ad530c5e6630a927e74ca6f06289b
[2] https://lists.openembedded.org/g/openembedded-architecture/message/2007

Signed-off-by: Ryan Eatmon <reatmon@ti.com>
2024-06-11 11:37:58 -04:00
Ross Burton 8ce0dc290f arm-bsp/ssh-pregen-hostkeys: fix corstone1000 typo
Signed-off-by: Ross Burton <ross.burton@arm.com>
2024-06-11 11:37:58 -04:00
Ross Burton 8769c92fc1 arm-bsp/u-boot: update tick.patch to merged patches
These patches have been merged, so refresh the patches.

Signed-off-by: Ross Burton <ross.burton@arm.com>
2024-06-11 11:37:58 -04:00
Ross Burton d7f8e985ba arm/u-boot: remove obsolete qemuarm patch
This has been obsoleted by "arm: enable support for QEMU firmware tables"
upstream, in v2024.04.

Signed-off-by: Ross Burton <ross.burton@arm.com>
2024-06-11 11:37:58 -04:00
Ross Burton 680e121bb2 CI: use pregenerated SSH keys in genericarm64
We boot genericarm64 inside a qemu, so add the pregenerated keys to speed
up testing.  This isn't a risk because we don't publish the images.

Signed-off-by: Ross Burton <ross.burton@arm.com>
2024-06-11 11:37:58 -04:00
Ross Burton 419736b6ad CI: back to master
Move meta-arm's CI for master branch back to master of the upstream layers.

Signed-off-by: Ross Burton <ross.burton@arm.com>
2024-06-11 11:37:58 -04:00
Thomas Perrot 43e4afbd7a optee-os: remove NOWERROR from EXTRA_OEMAKE
NOWERROR=1 has been made obsolete by commit beb065df6ee5 ("Do not set
-Werror by default"). Remove it.

Signed-off-by: Thomas Perrot <thomas.perrot@bootlin.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-06-11 04:00:05 -04:00
Jon Mason 8d2a45af05 arm/arm-tstee: add UPSTREAM_CHECK
Add UPSTREAM_CHECK_GITTAGREGEX to allow devtool to check for the latest
version

Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-06-04 15:00:08 -04:00
Jon Mason a4761c2edc arm/trusted-firmware-rmm: update to 0.5.0
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-06-04 15:00:08 -04:00
Jon Mason 9010839803 arm/trusted-firmware-rmm: add UPSTREAM_CHECK and tweak recipe version
Adding UPSTREAM_CHECK_GITTAGREGEX to properly check the upstream
version, and modify the recipe name to follow the version in the git
tree.

Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-06-04 15:00:08 -04:00
Jon Mason 1bcc820850 arm/edk2: update to edk2-stable202405
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-06-04 15:00:08 -04:00
Jon Mason 3cf4301fb9 arm/hafnium: update to v2.11
Update hafnium to the latest version

Changes in hafnium between 946fde92bedc95e1320684b0bc2dc752bc1e1bc7 and 2bef7ab3895c48d39b84ab58179b2d0de5156b8b
2bef7ab3895c docs: the change log for the v2.11 release
2aea748eb344 docs: add SIMD support section
dac0ae1bf74a docs: threat model GPF with memory share
9dbe17a3fc60 docs: threat model to NWd rxtx buffer
0b45a2e28f65 docs: fix FFA_CONSOLE_LOG description
c28ee3eda25d docs: device regions in SPMC manifest
d547d6df4228 docs(memory management): rme integration
963a5d73abb5 docs: document `FFA_FEATURES`
d40979fd9974 docs: document `FFA_CONSOLE_LOG` ABI
dfc312e2a965 docs: add description of device memory lending
ce8526ecac0f docs: update threat model for static dma isolation
17c9ad327bfa fix(ff-a): report NPI and MEI unsupported to normal world
27a4df506d83 refactor(simd): cosmetic rename sm local variable
4695ce892967 fix(simd): fix SME-only save/restore conditions
4fd8f364ff43 fix(simd): omit setting SVE VL in SIMD restore
034a31970f4e fix(simd): cosmetic comments
79dbd6f9ab99 fix(simd): mask out SMCCC SVE hint bit
96ffeee3175b fix(simd): use SMCCC SVE hint bit mask
ca92fb0d303a refactor(simd): FPU save/restore convert to C
42a5262ebd4a fix: SVE/SME unsupported in processor feature regs
731f40b91e39 fix(test): reorder log before sync call in echo_mp
9b579d365a2d chore: remove extra lines from echo_mp test log
8a5fd9d9163a feat(indirect message): use 'memcpy_trapped'
0a21db13d12d feat(ff-a): use memcpy that is trapped GPF
a2d1c3b9c94a feat: add implementation of `memcpy_trapped`
7388c18ef222 refactor: exception handling macros for reuse at EL2
568f2a7b8fb9 feat(aarch64): define macros to process GPF
462ad8d90796 chore(hftest): use common secondary stack definition
491ff30f1ac4 test(dir_msg): demo MP test with direct message
0c029c2719cd feat: prepare for MP tests
b186fecfdf78 feat: added macro SERVICE_SELECT_MP
592ede3c7b95 test(memory share): NWd to SWd device memory sharing
63af1fab1656 feat(memory share): enable NWd to SWd device memory lending
4339edcf0bb0 feat(memory share): validate sp device mem ranges
6dff8271fbdc test(memory share): check limits on device mem sharing
a4de8a56b211 test(memory share): device lend SP to SP
a56ec8eff0f5 refactor(memory share): attributes in test helpers
9764ff6bd861 feat(memory share): allow device memory lend SP to SP
941ef34e5741 test(manifest): device memory for overlaps
4d16572b89ac feat(manifest): check device memory region for overlap
163e1a95a253 fix: ensure device regions are mapped as nGnRnE
899c4f28ab00 docs: drop unnecessary build option
03ba75fe13c3 refactor: set vcpu of the NWd in preempted state
0247fe68743e refactor: use `vcpu_set_running` function
874737a43d64 docs: mte build option in TF-A integration
2d570d1ef339 ci: increasing timeout
6976541fcc9e fix: update docs to use correct MTE build flag
b1dbca99bae7 docs: update docs with new RXTX_MAP/UNMAP behavior
738bee137e1d feat(ff-a): validate FFA_RXTX_MAP/UNMAP against NWd page tables
41e8d5b1f805 refactor: set vcpu in preempted state
e143080baf9b feat: add `vm_lock_both_in_order`
587cd29b5d3a test: FFA_CONSOLE_LOG with extended registers
740f74fc95c6 feat: support extended register set for `FFA_CONSOLE_LOG`
b9705e2bd383 fix(ff-a): check that hypervisor's TX buffer is set-up
95f0e6033ad9 fix: fix typo in static_assert
f98b2aa1d407 feat: add helpers for names of various enums
84710f315ae7 refactor(ff-a): use bitfields for memory access bitmaps
2fc6dcfa97e0 feat: update BL31 binary to optimize NS context management
5386559b386a feat: save and restore non-secure peripheral registers
80a7b7fe9abe feat: save and restore non-secure MTE context
0ec38247a973 feat: save and restore non-secure system reg context
c70bacdd5054 refactor: create helpers to save and restore sys reg context
3956b2e6074a fix(direct message): tests to look for FFA_BUSY
7ea3f7ec8cb9 fix(direct message): reorder checks for FFA_BUSY
e5262378c5d7 fix(memory share): missing flag if permissions RO
c972cc6de311 fix(memory share): data access permissions
7de61af932d1 fix(memory share): sender and receiver are the same
f779fb7ed4eb fix: ffa_msg_wait shall not change the mailbox state
dc8cf3b899e6 test(ff-a): NPI not supported on EL0 partition
f1ed5f16cd59 fix(ff-a): report NPI unsupported on EL0 partition
76f1c8f03c27 test(ff-a): SRI is unsupported on secure world
cb6642c1cd6a fix(ff-a): report SRI unsupported to secure partitions
f7861301c512 test(ff-a): FFA_FEATURES returns max RXTX buffer size
0fd672906e61 feat(ff-a): report RXTX buffer size in FFA_FEATURES
f2b6fd1e8e7d test(ff-a): fix counts for ffa_info_get with multiple uuids
a1de3c5f69f6 feat(ff-a): add multiple uuids to partition info desc
3bbed8f554d2 fix: allow code coverage tests to run despite fails
6e3abcff0f1b docs: add FFA_MSG_SEND_DIRECT_REQ2/RESP2 support
364400e8d91b refactor: linux driver statically allocate vms
e0ca9a07de7b refactor(memory share): introduce ffa_memory_access_impdef_init
f1dd1e1375a8 fix: partition message total size check
37b75119ed18 fix: partition message offset check
0abd88768e9a test: FFA_MSG_SEND_DIRECT_RESP2 intercepted
4847e3bdd837 test(dir_msg): cyclic dependency with two ABIs
9375a292b992 test(smccc): test register integrity across FF-A versions
bed1dae8b4c1 test(dir_msg): extend multiple uuids test
f06b52366f40 fix(mem sharing): return error if receiver count is 0
5e425040abf4 test(memory share): multiple borrowers from v1.1 SP
a76fd9165b4b fix(memory share): broken assert in send from SP to multiple
d50411214cb8 docs: update memory sharing to reflect recent changes
607c724cbda3 chore: increase timeout for sp_route_interrupt_to_secondary_vcpu
106c8cec1662 fix: reduce verbosity on passing tf-a-tests
9ae48e998450 test: intercept direct response between two SPs
ca2f92d3adf1 test: enable specifying options for sp_fwd_sleep command
0a704e559d7e fix: unwind call chain after intercepting direct response
5a0991746afa fix: error return in FFA_MEM_PERM_GET/SET
f06ee9df186d fix(memory share): drop assertion sender ID
89c221317513 fix: per-vCPU/global bind/set mismatch
30ac91dc9c78 fix: global notifications shall use vCPU ID 0
6b754a188dca fix: flags that mbz are checked
f020814b4105 chore: improve log message in notification set
7333dcfaf21a fix: notification set error code
1512acc0a69c chore: print bitmap on FFA_NOTIFICATION_BIND
7ccaccf2ab18 fix: invalid ID in bitmap create/destroy
2a500071f224 fix: spmc test script didn't capture failures
37e559da0f07 refactor(tc): remap console logs
a3905006b590 test(dir_msg): add FF-A version based tests
382e0c622a79 test(ff-a): registers preserved after dir_resp
352388760d18 feat(ff-a): preserve extended registers in dir_resp
81237694db4d test: exercise interrupt handling while processing indirect message
8922671489d9 test: support for services to parse device regions
93978b038e4d test: add twdog helpers to primary_with_secondaries
9a1b9c0bff6b test: make sp805 driver common across test setups
ba2488560be8 fix(interrupts): intercept ffa_msg_wait to signal virtual interrupt
ba22a72b8866 refactor: add helpers to intercept and resume ffa calls
7182163a2245 docs: update ff-a bindings for static dma isolation
555f8882f437 docs: add support for static dma isolation
7c7b1a7764ef feat: demonstrate specifying dma device count per partition
0715f32ba515 feat(smmuv3): restrict access of streams to limited memory regions
0e57d3d35892 feat(iommu): map memory regions into dma page tables
070f49ebfb4a feat: initialize page tables for enforcing dma isolation
8a3644777dc1 feat: allow platforms to specify dma device count per partition
e032af5e6a37 feat: track dma devices and map to stream ids
3c2b7911e6ee feat: retrieve dma properties for each memory region node
1ced4cb719ff feat(sme): add NS SME save/restore operations
ffdeb23a067b feat(sme): introduce an SME module
52bbdee7487c feat(sme): add SME related definitions
5b5883351c94 feat(simd): SIMD NS save/restore convert to C
dc112d50c258 refactor: make is_arch_feat_sve_supported inlined
d71c83aa8f44 feat(sve): introduce an SVE module
b0faf45a6c4a fix: ensure SVE traps are enabled when running SPs
063ad835b5bd feat(memory share): revert protect action
fd2060536fee feat(memory share): unprotect memory on reclaim
460d36c1fc58 feat(memory share): protect on memory lend/donate
cf6253e3abec feat(memory share): protect/unprotect memory
a2ff04126675 feat(rme): add protect/unprotect memory functions
0a83dc2bf94c feat(memory share): define ffa_map_actions
dad6003e1fcd feat: add build options for memory protect
cb4dc90811b6 feat: arch helpers to check RME support
2e14ebe8b6e3 fix(memory share): fix behaviour of relinquish clear flag
3d0a462034c0 ci: separate static checks in a script
674e4de6bb3a refactor: mailbox doesn't need size and sender
44e9b3b7bebb fix(memory share): hypervisor retrieve request
7b6ab6195d84 fix(memory share): set size of access descriptor
4f0d9c1843cf refactor(memory share): split memory retrieve req
d61246b6c5e1 fix(ff-a): do not report FFA_EL3_INTR_HANDLE to VM
40d09d2ce60c docs: added section for building a single platform
f90f1f12de0a feat(build): check platforms exist before building
41ef8baba363 refactor(memory share): use receiver_offsets to find receiver array
39bc21b07309 test(dir_msg): test direct message abi pairs
e468c1168124 fix(dir_msg): enforce direct message ABI pairs
cf7cc68012d3 test(ff-a): add FF-A v1.2 ffa_features test
58fe07d70fea test(dir_msg): end-to-end direct msg test with multiple uuids
422b10bc6991 feat(uuids): add support for multiple UUIDs per partition
036cc592731b test(ff-a v1.2): ffa_run to zero extended registers
434bea9652a1 test(dir_msg): add tests for FFA_MSG_SEND_DIRECT_REQ2
de0b0da535a1 test(dir_msg): extend registers in dir_msg tests
087e50241881 feat(dir_msg): add FFA_MSG_SEND_DIRECT_RESP2
db6a08b7cc6c feat(dir_msg) extend FFA_MSG_SEND_DIRECT_REQ2 registers
734ddc4e7cfb test(dir_msg) test FFA_MSG_SEND_DIRECT_REQ2
41fea93fe85b feat(dir msg): add FFA_MSG_SEND_DIRECT_REQ2
86d9fa741b86 feat(prebuilts): add SPMD support for ff-a v1.2 dir msg
c0e7dc20f2a9 docs: update messaging method ff-a binding
f71dee4c7bab feat(manifest): support FF-A v1.2 direct messages
9681574575c0 test(memory share): add test for FF-A v1.1 endpoints
63130e572dbe refactor(memory share): correct names of versioned share tests
909d3bbeca84 test(memory share): check memory access invalid values
59ffee9ba6bd test(memory share): introduce impdef value check
de974ca9b936 feat(memory share): add impdef field to ffa_memory_access
c7dc932e9a15 feat(memory share): check memory region desc values
d5ae44bed0c1 refactor(memory share): add helper for accessing receivers
36e0bdbf58e6 refactor(memory share): make ffa_memory_region update common
64400234fe31 refactor: make is_arch_feat_bti_supported inlined
109c6d4c0e5b fix: restrict HF_INTERRUPT_INJECT to Hypervisor
0926addea321 feat(amu): enable traps
0a1a9f861e6d feat(ff-a): update el0 services to v1.2
78788f863ca5 fix: ignore spurious interrupt and resume preempted vcpu
c5b20e7e0d6b chore: remove clang toolchain from prebuilts
6b351bc82c92 feat: build multiple targets at once
fdd59f75403f refactor: remove plat_ffa_other_world_mem_retrive function
ed7dee80b329 test: exercise interrupt handling with interrupts masked
3aafcb620cf4 test: add helpers and extend command args to mask interrupts
151c2e7f0bf3 fix(interrupts): intercept direct response to signal virtual interrupt
09e086a7dbcf fix(interrupts): reset implicit completion signal
e1562a1488c3 feat(rd): secure hafnium build for rdfremontcfg1 platform
e4fe29698285 feat(ff-a): update FF-A version to v1.2
ad7451b1faee feat(prebuilts): update TF-A prebuilt binary to FF-A v1.2
ed508c80a039 chore: make function private to ffa_memory
b56aac880e08 fix: explicit boolean for `share_state` pointer
639ddfc0193e fix(memory share): read-only memory can't clear memory
41d4fef0f044 fix(memory share): error code in retrieve request
03f08d3dc4b8 feat(gicv3): ensure implementation supports two security states

Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-06-04 15:00:08 -04:00
Jon Mason 8cbc545e99 arm/trusted-firmware-a: add support for 2.11.0
Add support for tf-a version v2.11.0 and mbedtls 3.6.0.  Modifications
to the license checksum were necessary due to the addition to that file
for DICE (which is Apache 2.0 licensed) for TF-A and the dual license of
mbedtls (Apache 2.0 and addition of GPLv2).

NOTE: FVP base is having (more of) an issue with CI on the newest TF-A,
with SSH tests timing out.  Holding that back to the LTS version until
it cane be resolved.

Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-06-04 15:00:08 -04:00
Jon Mason 3a0081cba8 arm/trusted-firmware-m: update to 2.1.0
Adding CMSIS support, as it is now required.  Also, the SHA being
referenced by tf-m for cmsis is an intermediate SHA (between the v6.0.0
and v6.1.0 release tags).  Finally, mbedtls is now using git submodules.

Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-06-04 15:00:06 -04:00
Bence Balogh f609884595 kas: corstone1000: remove Arm-FVP-EULA flag
This flag should not be set here and the ARM_FVP_EULA_ACCEPT
should be set to True manually before building for the FVP, as it is
mentioned in the Corstone-1000 User guide:
export ARM_FVP_EULA_ACCEPT="True"

Fixes: 6e2a54748 ("kas: Corstone-1000 kas files updated")
Signed-off-by: Bence Balogh <bence.balogh@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-06-04 05:00:05 -04:00
Bence Balogh f5ebb36c59 arm-bsp/trusted-firmware-m: corstone1000: remove capsule update reset
The reset has to be removed from the TF-M side after capsule update
because it caused data abort exceptions on the host side.

Signed-off-by: Bence Balogh <bence.balogh@arm.com>
2024-05-29 14:05:46 -04:00
Delane Brandy 6207240ff4 arm-bsp/corstone1000: update the documentation
Update the Corstone-1000 Documentation for the
2024.06 release.

Signed-off-by: Delane Brandy <delane.brandy@arm.com>
Signed-off-by: Bence Balogh <bence.balogh@arm.com>
Signed-off-by: Harsimran Singh Tungal <harsimransingh.tungal@arm.com>
Signed-off-by: Emekcan Aras <Emekcan.Aras@arm.com>
Signed-off-by: Abdellatif El Khlifi <abdellatif.elkhlifi@arm.com>
2024-05-29 14:04:28 -04:00
Bence Balogh 1de50f4075 arm-bsp/trusted-firmware-m: corstone1000: increase RSE_COMMS buff size
The buffer size has to be increased to fit the EFI variables which got
increased metadata sizes.

Signed-off-by: Bence Balogh <bence.balogh@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-05-22 13:00:06 -04:00
Bence Balogh 407471cf21 arm-bsp/trusted-services: corstone1000: increase comm buffer size
The increased EFI variable metadata need bigger buffer so it can
be transfered to the Secure Enclave without memory overflow
issues. The heap and buffer sizes had to be aligned with the.

Signed-off-by: Bence Balogh <bence.balogh@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-05-22 13:00:06 -04:00
Bence Balogh b4d7112b14 arm-bsp/trusted-firmware-m: corstone1000: increase PS sizes
The private authenticated variable changes increased the variables
metadata. The PS max asset size and related buffer sizes have to be
increased because of this.

Signed-off-by: Bence Balogh <bence.balogh@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-05-22 13:00:06 -04:00
Bence Balogh 676d580a5c arm-bsp/trusted-services: corstone1000: add fixes for private auth vars
Signed-off-by: Bence Balogh <bence.balogh@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-05-22 13:00:06 -04:00
Bence Balogh 3aa25c916c arm-bsp/trusted-services: corstone1000: add EFI var handling fixes
Signed-off-by: Bence Balogh <bence.balogh@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-05-22 13:00:06 -04:00
Ross Burton 1f0a39b837 arm-bsp/linux-yocto: fvp-base: remove fvp-timer.cfg
The fvp-timer.cfg enables two modules for the SP804 and SP810 devices.
These are older pieces of hardware that predate the architectural timer
in modern systems, so even if the drivers are built they will not be used
by the kernel.

Whilst this is a good reason to remove them, another reason is that the
SP804 driver is incorrectly defined in the Kconfig so it can only be
built if a machine selects it explicitly (for arm64, only ARCH_BCM2835
and ARCH_HISI do this) or if COMPILE_TEST is enabled.

This led to COMPILE_TEST being enabled so that this driver can be built.
However, COMPILE_TEST does more, notably it turns on COMPILE_WERROR which
then makes any compile warnings fatal.  This is inconvenient, especially
when compiler upgrades happen.

Remove the timer configuration entirely: the architectural timer is used
so this is entirely redundant.

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-05-22 10:00:05 -04:00
Jon Mason 20966db076 CI: correct BB_HASHSERVE_UPSTREAM
The BB_HASHSERVE_UPSTREAM has issues which cause significantly less of a
match than expected.  Update with the correct values to get the expected
behavior.

Fixes: 6e9525115b ("CI: add Yocto Project SSTATE Mirror")
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-05-21 15:00:05 -04:00
Jon Mason b8965bb95b arm/oeqa: increase optee and ftpm test timeouts
OPTEE and ftpm tests are failing in CI on slower systems due to timing
out, but actually finish when given enough time to complete.  Increase
the timeout value to be roughly 100 seconds longer than the time it is
currently taking to finish on the slower systems.

Fixes: d450786667 ("oeqa runtime: add optee.py test")
Fixes: ba315f7242 ("oeqa runtime: add ftpm.py test")
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-05-17 14:00:05 -04:00
Harsimran Singh Tungal d02467366d arm-bsp/documentation: corstone1000: Update user guide for secureboot test
This changeset updates the user guide to test the secureboot for both the
FVP and FPGA.

Signed-off-by: Harsimran Singh Tungal <harsimransingh.tungal@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-05-17 07:00:05 -04:00
Amr Mohamed 6877a1c2bd arm-systemready/linux-distros: Upgrade the Debian license
Debian Licenses updated to reflect update from 11.7 to 12.4
License now includes: AFL-2.0, AFL-2.1,
GPL-2.0-with-autoconf-exception,
GPL-2.0-with-OpenSSL-exception,
GPL-3.0-with-autoconf-exception,
GPL-3-with-bison-exception, SMAIL_GPL,
BSD-2-Clause, BSD-3-Clause-Clear,
BSD-4-Clause-UC, TCP-wrappers, OLDAP-2.8,
PSF-2.0, BSL-1.0, bzip2-1.0.6, CC0-1.0,
Libpng, Latex2e, Unicode-TOU, Unicode-DFS-2016,
CC-BY-3.0, CC-BY-SA-3.0, CC-BY-SA-4.0, curl,
MS-PL, NTP, FSFAP, FSFUL, FSFULLR, FSF-Unlimited,
EDL-1.0, Vim, FTL, TCL, MPL-1.1, MPL-2.0,
GFDL-1.1-or-later, GFDL-1.2-or-later,
GFDL-1.3-no-invariants-or-later,
GFDL-1.3-no-invariants-only, Artistic-1.0,
Artistic-2.0, Apache-2.0,
Apache-2.0-with-LLVM-exception, Spencer-86,
MIT, MIT-CMU, MIT-advertising, Beerware,
Intel, X11, ISC, IPL-1.0, SSH-OpenSSH, SSH-short,
RSA-MD, OPL-1.0, PD

Licenses removed: Apache-1.0, Apache-1.1, Ruby, PHP-3.01,
W3C-20150513

Signed-off-by: Amr Mohamed <amr.mohamed@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-05-16 11:44:34 -04:00
Bence Balogh 679218cd84 arm-bsp/trusted-services: corstone1000: fix IAT test
The psa-iat-api-test was failing because the PLATFORM_HAS_ATTEST_PK
flag was added to the build for Corstone1000.

Signed-off-by: Bence Balogh <bence.balogh@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-05-16 11:44:27 -04:00
Ali Can Ozaslan 611909cd6d arm-bsp/trusted-firmware-m: corstone1000: fix crypto failure on mps3
Crypto-AEAD-APIs tests fails on mps3. Configures CC312 mps3 model
same as predefined cc312 FVP configuration while keeping debug
ports closed.

Signed-off-by: Ali Can Ozaslan <ali.oezaslan@arm.com>
Signed-off-by: Bence Balogh <bence.balogh@arm.com>
Signed-off-by: Emekcan Aras <emekcan.aras@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-05-16 11:44:27 -04:00
Emekcan Aras 7bae90d708 arm-bsp/trusted-firmware-a: corstone1000: fix reset sequence
Corstone1000 does not properly clean the cache and disable gic interrupts
before the reset. This causes a race condition especially in FVP after reset.
This adds proper sequence before resetting the platform.

Signed-off-by: Emekcan Aras <Emekcan.Aras@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-05-16 11:00:14 -04:00
Ben Cownley 8097a792db arm-systemready/linux-distros: Upgrade the openSUSE version to 15.5
openSUSE upgraded to 15.5
openSUSE Licenses updated to reflect update from 15.4 to 15.5
License now includes: Apache-1.1, BSL-1.0, IPL-1.0, Sleepycat, Zlib

Signed-off-by: Ben Cownley <ben.cownley@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-05-16 07:00:05 -04:00
Ross Burton 200786d3a8 arm/oeqa/runtime/fvp_boot: move pexpect import into test method
Move the pexpect import inside the test method so that on machines without
pexpect installed we can still parse the test cases, even if this one
won't be pass.

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-05-15 10:00:25 -04:00
Ross Burton f37a6b32ec arm-bsp/ssh-pregen-hostkeys: enable on virtual machines
As of oe-core b040597, the ssh-pregen-hostkeys recipe is limited to the
qemu* machines only, so that it can only be used in development or
emulation and not in production.

We have some virtual machines in meta-arm-bsp which don't match the
COMPATIBLE_MACHINE in the recipe but still benefit from this recipe, so
add a bbappend to enable it.

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-05-14 07:00:05 -04:00
Ross Burton a6a4952e8c arm/trusted-firmware-a: use correct git URL
As per the documentation[1] the correct git server to use is
review.trustedfirmware.org. We occasionally see failures connecting to
git.trustedfirmware.org so hopefully the documented URLs are more stable.

[1] https://trustedfirmware-a.readthedocs.io/en/latest/getting_started/prerequisites.html

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-05-13 12:00:05 -04:00
Jon Mason 6d6fa14744 arm/optee: update to 4.2.0
Update to the latest version of OP-TEE and move the 4.1 recipes still
being used to meta-arm-bsp

Changes in optee_client between f7e4ced15d1fefd073bbfc484fe0e1f74afe96c2 and 3eac340a781c00ccd61b151b0e9c22a8c6e9f9f0
3eac340a781c libteec: Move OP-TEE defined fields into an imp struct
7749688eb18d libteeacl: add pkgconfig file: teeacl.pc
07d2dfab2ecb libteec: pkgconfig: remove duplicate flags in teec.pc
6f992c52a8df libteec: pkgconfig: rename libteec.pc as teec.pc
cef6c7eca494 tee-supplicant: fix potential crash when TA isn't found
c5b3920f5808 libckteec: one shot encryption/decryption may have no input data
afbd31d9592e android: convert .mk files to .bp
bfe37714c20c libteec: drop benchmark framework support

Changes in optee_os between 18b424c23aa5a798dfe2e4d20b4bde3919dc4e99 and 12d7c4ee4642d2d761e39fbcf21a06fb77141dea
12d7c4ee4642 Update CHANGELOG for 4.2.0
fc57019cb35c plat-sam: add support for Microchip sama7g54-ek board
d10f2b2505b1 plat-sam: rename filename for sama5d2 functions to 'platform_sama5d2.c'
a557f87762b1 plat-sam: optimize the macro and makefile for building sama5d2 clocks
3b616eeadd7a drivers: atmel_wdt: update "#include" list of the header files
d8af06119772 drivers: atmel_wdt: remove the unused variable from "struct atmel_wdt"
ea9329ec8928 drivers: atmel_wdt: upgrade to support sama7g5 watchdog
a471cdecfb1c core: reset cancellation mask on TA exit
021a43d32b23 ci: add QEMUv7 job
46fdfeea761f vexpress-qemu_armv8a: increase CFG_CORE_HEAP_SIZE to 131072
bdde1c9927e8 drivers: stm32_i2c: protect bus access with a mutex
cbb0a9fc4309 drivers: firewall: stm32_rifsc: remove use of CFG_PM
cc707b8570d3 drivers: stm32_rng: remove use of CFG_PM
299f9bc19fce drivers: crypto: stm32_cryp: add pm to CRYP driver
14d68630950a drivers: crypto: stm32_cryp: add delay when resetting CRYP peripheral.
1d8b1184c370 drivers: crypto: stm32_cryp: remove reset binding requirements
a8cfcdf2387c ci.yml: add a make command to build HPRE code
9e25528294eb drivers: crypto: hisilicon: init HPRE hardware block
ee726ae9537e ci: remame WD to OPTEE_OS_TO_TEST
4f00b5beb8db ci: update QEMUv8 jobs to use newer Docker image
344ef8a4deda core: kernel: Fix typo in __do_panic()
c80790fe23c5 drivers: regulator: use mutex_pm_aware
9a3248fc031e drivers: clk: replace clock main spinlock with a mutex
3a20c6612811 core: kernel: mutex compliant with PM sequences
f6412fbd119a core: kernel: thread spin locking
19ad526cb139 core: spmc, sp: cleanup FF-A ID handling
4c4387dc246e core: riscv: Prepare SATP for each hart
fe9a26822286 core: riscv: Allocate root page table for each hart
6d7d9de348ec ci: qemuv8: add test case with CFG_WITH_PAGER=y
23f867d38149 core: arm64: increase STACK_ABT_SIZE from 1024 to 3072 when log level is 0
1cf7e98d072c core: replace REGISTER_TIME_SOURCE()
63bfec5e264b core: riscv: Apply SM-based boot flow for secondary harts
058cf7120c26 core: riscv: Do not restrict primary hart to hart ID 0 only
1706a2840a9a core: riscv: Change the condition of communication with untrusted domain
83abc78438b4 riscv: plat-virt: Set CFG_RISCV_WITH_M_MODE_SM as 'y'
a30b4486180b core: riscv: Add CFG_RISCV_WITH_M_MODE_SM and dependency checking
ea11f51262ac core: riscv: Apply mask/unmask exceptions when operating page table
d1d1ca2347e7 core: riscv: Apply STATUS helper for RPC resume
de45f2fb6384 core: riscv: Apply exception return to handle_user_mode_panic()
4fe3a3f7bf3c core: riscv: Refine thread trap handler
b5bb30b389ae core: riscv: Refine thread enter/exit user mode
09653bca94ae core: riscv: Apply exception return to resume thread
b2f99d2027f6 core: boot: fix memtag init sequence
5d2d37cd756d ta: pkcs11: Clarify context reference in step_symm_operation()
3844bc9816af core: introduce CFG_NOTIF_TEST_WD
82631bd42041 core: add CFG_CALLOUT
fc59f3d86e9f core: notif: assert callback is unpaged
c5b5aca0eaef core: callout: assert callback is unpaged
fd3f2d693456 core: add missing DECLARE_KEEP_PAGER()
7c9a7b0c779e plat-synquacer: use cpu_spin_lock_xsave() and friend
21773c96f4c2 core: arm: mm: use thread_unmask_exceptions() where applicable
54df46b5c06c core: arm: use cpu_spin_lock_xsave() in generic timer implementation
ad50321f47fd ta: remoteproc: allow remoteproc_load_fw re-entrance
47bcc886c285 core: notif_send_async(): remove debug print
1c3c4a5ffb52 core: tests: add a notification test watchdog
d378a547e848 plat-vexpress: qemu_armv8: define IT_SEC_PHY_TIMER
b008cf009961 plat-vexpress: initialize callout service
5b7afacfba96 core: arm64: implement timer_init_callout_service()
c41db53b5f25 core: define generic callout service initializer
cf707bd0d695 core: add callout service
2d8644ee993a core: arm64: add {read,write}_cntps_cval()
a355270852c7 drivers: clk: clk-stm32mp13: fix memory corruption on oscillator parent
622eef2d5511 plat-synquacer: add initialization value to local variables
b4d1c08a65d6 drivers: regulator: do not cache voltage level value
c4cdfb70e19b core: add __must_check attribute to cpu_spin_lock_xsave()
ccd64a523ab3 core: kernel: add timeout_elapsed_us()
fab37ad7dc71 core: kernel: factorize delay and timeout implementation
51b745fab86c core: riscv: force enable of CFG_CORE_HAS_GENERIC_TIMER
6b0ac81dbe5f core: kernel: describe udelay()/mdelay()
f5305d4dd98c plat-vexpress: disable PL011-specific code when CFG_SEMIHOSTING_CONSOLE=y
a9a3bf985e5d core: arm64: implement __do_semihosting() for Aarch64
31bb491f8e7c core: imx: enable TZC380 driver for all i.mx8m socs
d1c9f59a15c8 riscv: sbi_console: prefer SBI v2.0 DBCN ecall over legacy sbi_console_putchar()
76a2df57b630 riscv: sbi_console: remove unused sbi_console_flush()
db96d03011d3 riscv: sbi_console: remove global spinlock
4d36f99e02cb riscv: sbi_console: remove unneeded #ifdef CFG_RISCV_SBI_CONSOLE
2b31189c4c08 riscv: sbi_console: split FID 0 from SBI_EXT_0_1_CONSOLE_PUTCHAR
286e0fd9f01a riscv: sbi: minor cleanup for SBI HSM related definitions
d6a0fc9bb910 dts: at91: add device trees for sama7g54_ek
74fbd2732948 drivers: clk: sam: skip the NULL clocks when getting the clock by name
943d822aac00 drivers: clk: sam: add sama7g5 clock description
8bd542fcb2ae dts: sama5d2: add huk node for the NVMEM hardware unique key
6c6c4d9eb45d dts: sama5d2: add NVMEM die_id node
f673afe436c9 plat-sam: enable NVMEM unique hardware key and die id support
fc7169686724 drivers: nvmem: add nvmem-huk driver
31a85db883c5 drivers: nvmem: add nvmem-die-id driver
458ef4426c2d drivers: Implement semihosting based console driver for log
55ab8f06a831 core: Refactor console_init() and introduce plat_console_init()
6d716a4b4588 core: riscv: Add semihosting.S for semihosting instructions
7e2a10389c25 core: kernel: Add semihosting functions
f459d3c7d2e1 libutils: Import part of sys/fcntl.h
c6a18428f9e3 plat-sam: implement plat_get_freq() for sama7g5
eb3951bffd95 plat-sam: register additional sama7g5 clocks for SCMI usage
609ba8e3128d plat-sam: register sama7g5 clocks for SCMI usage
f8c1dacbeef9 drivers: clk: make API function description more consistent
821cb656cbb2 drivers: clk: get stm32mp13 PLL output clock duty cycle
1bc6d1bc0945 drivers: clk: set stm32mp13 clock flags
8baaac1ce3ac drivers: clk: pre-enable new parent on clock re-parent
8fbc005673cd drivers: clk: get linear rates description
20f97d9841ac drivers: clk: enable clock on rate change
0ba7ae74a1ff drivers: clk: change parent clock rate if needed
05771552b189 drivers: clk: Get duty cycle from parent clock
59db7f68c4d8 drivers: clk: Add clock duty cycle
0d98c255fb4d plat-stm32mp2: add pm support on stm32mp25
9a4ec17240c1 core: pm: add macro for PM_HINT_STATE access
b8514c1376b1 plat-sam: fix static shared memory address and size
58dbe3dff530 plat-mediatek: add support for MT7988 SoC
4318c69fa77d drivers: clk: sam: add PLL clock driver for sama7g5
9aab6fb2f263 drivers: clk: sam: update to support generic clock for sama7g5
5110b3e7ade5 drivers: clk: sam: update to support main system bus clock for sama7g5
40944c5ccf0b .gitignore: Ignore all dot files and folders except the standard ones
5b4a782ebccf .gitignore: Change entries to only ignore in the source root folder
7f124eb8587b core: arm: kernel: add runtime check for CE
f73f678ca5c6 core: arm: add helper functions for checking CE support
a0635f174d2f core: arm: add check in aarch32 for feat_crc32_implemented()
8a4a051b3a76 core: arm64: remove ID_AA64ISAR0_EL1 macros
443b5e0186c0 core: arm: rewrite feat_crc32_implemented()
f9aaf11e8928 core: arm64: add masks for ID_AA64ISAR0_EL1 fields
85c99f3965f6 core: arm: add masks for ID_ISAR5_EL1 fields
4078bcde942c core: virt, ffa: keep guest partition until resources are reclaimed
3e0b361ef4fd core: ffa: store shm_bits in partition for SPMC at S-EL1
070d197fa568 core: ffa: add SPMC_CORE_SEL1_MAX_SHM_COUNT
05c6a7631891 core: thread_spmc.c: add set_simple_ret_val()
27acbe2b64fc ci: add RISC-V build (rv64, PLATFORM=virt)
2825530b3637 mk/lib.mk: add library to link line only when it does contain objects
339a78c2743f libunw: riscv: simplify architecture test
9fed4516d1f0 libunw: arm: unwind_arm32.c should be compiled only for Arm
209c34dc0356 ldelf: riscv: e64_relocate(): tag sym_idx as __maybe_unused
31bcbe52258e riscv: set default cross-compilers
6c2d2e8a2300 core: gic: wait for writes to propagate
9e935234082a core: gic: support to configure PPI interrupts
49d0c90dd69a core: call init_multi_core_panic_handler() earlier
d5dc9152c8ef core: riscv: Fix PTE creation when freeing PTE
e6a66e30cd41 core: riscv: Rename mattr_to_perms() to mattr_to_pte_bits()
da1a293e65b5 drivers: clk: clk-stm32mp13: round up VCO to the nearest frequency
95f2142bf848 drivers: clk: clk-stm32mp13: don't gate/ungate oscillators not wired
e84c299885a7 drivers: clk: clk-stm32mp13: add ADC and SPI clocks
571857c05c40 ta: pkcs11: factorize second operation handle
63778faac4b7 ta: pkcs11: implement AES GCM operations
5fee6cc9826f ta: pkcs11: pkcs11_ta.h: define PKCS11_CKM_AES_GCM
a2c1c8e408d3 core: mmu: add MEM_AREA_ROM_SEC in check_mem_map()
3b3dff5f5652 MAINTAINERS: update NXP i.MX platforms and Crypto Driver Interface
35a9139e779f drivers: caam: add CAAM key support for DH
8993bfd8dbab drivers: caam: add CAAM key support for ECC
014494479f9d drivers: caam: add CAAM key support for DSA
ccbcceeb73c1 drivers: caam: add CAAM key support for RSA
1495f6c4a82a drivers: caam: add CAAM key driver
9d38cd9151e9 drivers: caam: fix DSA_DUMPDESC macro
a5b52f5092a0 drivers: caam: add missing header
2d53e979f05a drivers: caam: add class field to FIFO_ST macro
f8388fdc2f3e core: move CFG_CORE_BIGNUM_MAX_BITS default definition
9e35f116f9bd dts: stm32: add RIFSC compatible to RIFSC node in stm32mp251.dtsi
d6a8ef58da15 dts: stm32: Add RIFSC configuration support for stm32mp257f-ev1
82e290753e45 plat-stm32mp2: conf: enable RIFSC driver
196cb5a09923 dt-bindings: add RIFSC to default bindings config for STM32MP25
066c3a39a4ac dt-bindings: add RIFSC bindings
cd187630b280 drivers: add stm32 RIFSC support
203147e2b737 plat-stm32mp2: conf: support RIF driver
0179d5f8d520 dt-bindings: add RIF to default bindings config for stm32mp25
e1767b3b5dc4 dt-bindings: firewall: add RIF bindings
1506f47af917 drivers: firewall: add stm32_rif driver for common RIF features
98d105a565ce core: io: fix IO_READ32_POLL_TIMEOUT() when delay is 0us
cf2c8f0959af libutils: Implement speculation barrier for RISC-V
407023cade6b plat-stm32mp1: default enable SAES software fallback
03de2c7bb316 drivers: crypto: stm32_saes: fallback to software on 192bit AES keys
99205375555b drivers: crypto: stm32: cleanup cipher operation structure
496497dc1a00 drivers: crypto: stm32: move context allocation/free functions
061e13f64e84 drivers: crypto: stm32: clean function references
57ad00904006 plat-hikey: Replace register_dynamic_shm() with register_ddr()
eee73fd09042 plat-hikey: make DRAM1_BASE configurable
4c2665755e26 drivers: clk: sam: update to support slow clock for sama7g5
afb609395def drivers: clk: sam: add PMC definitions for sama7g5
29f0ec7152e4 drivers: clk: sam: add UTMI clocks for sama7g5 USB PHY
417a10d1fa23 drivers: clk: sam: update UTMI clock for sama7g5
09c44b0d8b97 driver: crypto: hisilicon: fix error handling
4199b52fe3b8 core: notif_register_driver() assert ndrv is nexus memory
7037ff8aaede core: move _time_source into __nex_bss
dcad180014e0 core: add nex_*init-calls
3d52f27cdb77 core: move multi_core_panic_handler into __nex_data
ba4f5940f45a core: add is_nexus() and refactor is_unpaged()
897aaf117e39 ta: pkcs11: fix build warning on unused arguments
d99b271aed2f drivers: se050: fix default configuration for the SE applet
974529332ded core: kernel: fix typo in huk_subkey.h inline comment
a7400fcded79 core: arm: fix lock in virt_add_cookie_to_current_guest()
89853006a609 core: crypto: fix crypto_asym_get_ecc_keypair_ops() stub
fa1950059f41 ci: qemuv8: preventively avoid "no space left on device" errors
ad194957b670 core: pta: widevine: Add the init implementation
64086346d6bc core: dts: lx2160a: add memory region
439c5ecbb68b core: arm: fix integer overflow in generic_timer_{handler,start}()
c847c2c9c62f ci: update actions/checkout@v3 to v4
c83a542f3734 drivers: crypto: stm32: fix SAES key selection
b8f45155eac7 ci: xen: fix "no space left in device" error"
b066e82535aa plat-vexpress: use serial callbacks rx_intr_{en,dis}able()
6d9ff02ee1f3 core: pl011: implement rx_intr_{enable,disable}() callbacks
e934bfa424d2 core: serial: add rx_intr_{enable,disable}() callbacks
fcabe15c7783 core: crypto: fix internal AES-GCM counter implementation
b4d33ca3ff42 core: ltc: add missing string_ext.h include
64a52f9dc228 drivers: clk: fix indentation in stm32mp13 clock driver
f4dba32508be drivers: clk: fix some stm32mp13 clock controls
a32213b8169c drivers: clk: fix stm32mp13 RNG1 parent clock
d615a7e62095 drivers: regulator: list voltages controlled by a GPIO
bbc33e2ad79c core: ls: correct CFG_CORE_ARM64_PA_BITS for LX2160A-RDB/QDS
5a982d0e96be core: dt: provide stubbed dt_getprop_as_number()
55cd94d198a5 core: ffa: add notifications with SPMC at S-EL2 or EL3
4965507859bb core: hfic: fix HF_INTERRUPT HVC calls
e37b526d7289 core: move hafnium.h into hfic.c
6959d59f0966 core: ffa: exit with native interrupts unmasked
55a80fa9b542 core: arm64.h: add DAIFBIT_{NATIVE,FOREIGN}_INTR
012cdca49db3 plat-k3: drivers: sec_proxy: increment while reading trail bytes
cb30e9d11a16 plat-stm32mp2: default enable embedded test
14c31b4fae40 plat-stm32mp2: allow up to 8GB of external RAM
774dc8aa526b ci: do not add $HOME/.cargo/bin to $PATH
d557d174c2d6 drivers: atmel_rstc: add the function to control sama7g5's USB reset
024af21c74ff drivers: atmel_tcb: update to compatible with sama7g5
7a6bbd59ef0b drivers: atmel_pio: update to compatible with sama7g5
f527a3b76ed8 drivers: atmel_shdwc: update to compatible with sama7g5
e5dba60318b1 driver: crypto: hisilicon: update qm init configs
851d05e65f9c core: riscv: Add .sbss and .sdata sections to linker script
e07f9212d5ad plat-stm32mp1: shared_resource: disable MCKPROT if not needed
6f3fc05370ef drivers: caam: sm2 operation fallback
963a90d842b5 drivers: caam: add caam_hal_rng_pr_enabled() for 8QX, 8DX platforms
54d90e3f0b47 plat-stm32mp2: conf: default enable RNG and RNG PTA
b82b7e73f63e drivers: stm32_rng: print RNG version at driver probe time
aa12f203f239 drivers: stm32_rng: put max noise freq in compatible data
5959d83f6f58 drivers: stm32_rng: move RNG configuration to compat data
45da6509d925 drivers: stm32_rng: add stm32mp25 support
59fea6838b20 core: pta: drop benchmark
a6f60e0f08a7 arm: plat: rcar: gen4: adjust memory map
e7dd9fbb056e arm: virtualization: don't allow hypervisor to issue std calls
6370f75d6fcc drivers: sam: use header file "platform_config.h" instead of "sama5d2.h"
fd286f75cf55 drivers: atmel_rtc: update to compatible with sama7g5
379dc2ae943d drivers: atmel_rstc: update to compatible with sama7g5
cc105e35cbdc drivers: atmel_trng: update to compatible with sama7g5
4b17205bb971 drivers: atmel_piobu: update compatible with sama7g5
c37489baeb29 core: msg_param: remove recursion in included headers
4584d00c9f44 ldelf: check val for NULL dereference
239fae350391 core: tee: initialize dirfile|tadb_entry objects
a2431e9f66cb ta: pkcs11: check returned value of mbedtls_pk_rsa()
fa21a1fb4c6c core: check if string to uuid conversion succeed
2cc2a44c9fce core: check if binary to bignum conversion succeed
8f3afe0e6e8f core: mmu: assert pointer to manifest device tree
a039ffc675d3 core: kernel: dt: check return values from snprintf()
b51aaa628c7c core: arm: fix dead code when ARM32 is not defined
e33c3ff5e9f0 core: kernel: check device tree property pointer
49286073c91e ldelf: remove unnecessary includes
4bc2a199d122 ta: remove unnecessary includes
5ca2c36555d1 core: remove unnecessary includes
34d6dc2ba938 plat-vexpress: remove unnecessary includes
c344db981197 riscv: mm: Set A/D bits of PTE(page table entry) by default
472c70be1569 core: riscv: Rename thread_return_to_ree() to thread_return_to_udomain()
655625e01f36 core: ffa: Read FF-A version from the SP manifest
602ff4f69104 pta: scmi: remove noisy info level message on message process
3f7122d9c558 drivers: scmi_msg: fix size_t trace format
37fbce01492d drivers: stm32_i2c: fix header file inclusion order
5395fe8961bc drivers: i2c: add missing __unused in stubbed function
8a6ca1480ddc core: arm: get DDR range from embedded DTB
c425380f2021 driver: i2c: stm32_i2c: fix call to stm32_i2c_init()
2b9d76616422 drivers: stm32_i2c: apply pinctrl config at init
87aead6ffab3 drivers: stm32_i2c: analog filter config cannot fail

Changes in optee_test between 2e1e7a9c9d659585566a75fc8802f4758c42bcb2 and 526d5bac1b65f907f67c05cd07beca72fbab88dd
526d5bac1b65 gp: update API files to use the imp field in TEEC_Session
a79e6ee457b6 regression_1025: use the imp field in TEEC_Context
dda3212f244f xtest: add SM4 perf test
3feb4fbbb19d ta: os_test: Unmask cancellation from invoke command handler
a641f180d847 xtest: pkcs11_1030: Test AES GCM processing
ea18800d10ce xtest: pkcs11_1006: Test AES GCM mode flag
96f6dd7db7b9 xtest: pkcs11_1005: Test AES GCM support flag
ac200fe2ae40 xtest: asym_perf: fix indentation issues
79ba734b5ff5 ta: crypto_perf: correct coding style issue in symm tests
babafcabdc2b ta: crypto_perf: fix coding style issues in asymm tests
bad11a957a6d ta: crypto_perf: fix build error on type mismatch
cb5136a47bb3 ta: crypto_perf: fix build warning on unused resources
967368b3c7bf regression_4000: check if the generated DH private key is a CAAM black key
4b4caf762cc2 ci: avoid "No space left on device" error
bcd55831e1f7 xtest: add asymmetric cipher perf test
14a2b2ac3db4 ta: crypto_perf: add asymmetric crypto perf tests
99d5c298ff03 xtest: pkcs11_1001: Test CK_UNAVAILABLE_INFORMATION output value
9d566212b3ce regression 4005: Add GCM counter overflow test vectors

Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-05-07 13:48:05 -04:00
Jon Mason ac517cbaa3 CI: increase bitbake server timeout
On some CI systems, the bitbake server is timing out at 1 mins.
Increase to 5 mins, which hopefully should give enough time without
letting it run forever.

Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-05-07 13:48:05 -04:00
Jon Mason c366c322a7 arm-bsp: remove unused recipes
No references can be found for these recipes in meta-arm-bsp, so
removing them.

Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-05-07 13:48:05 -04:00
Jon Mason 6db139e1fd arm-bsp: remove support for n1sdp
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-05-07 13:48:05 -04:00
Jon Mason e623cc3b0d arm/gn: update to latest commit
Update to the latest gn commit and remove unnecessary patches and build
parameters

Changes in gn between 4bd1a77e67958fb7f6739bd4542641646f264e5d and f284b6b47039a2d7edfcbfc51f52664f82b5a789
f284b6b47039 [src] Add "#include <limits>" in the //src/base/files/file_enumerator_win.cc
155c53952ec2 Get updates to infra/recipes.py from upstream
d823fd85da3f Revert "Teach gn to handle systems with > 64 processors"
f07499aebcf5 [apple] Rename the code-signing properties of create_bundle
415b3b19e094 Fix a typo in "gn help refs" output
93ee9b91423c Revert "[bundle] Use "phony" builtin tool for create_bundle targets"
cfddfffb7913 [bundle] Use "phony" builtin tool for create_bundle targets
06cdcc8e1fa8 [ios] Simplify handling of assets catalog
22581fb46c0c [swift] List all outputs as deps of "source_set" stamp file
59c4bb920542 [swift] Update `gn check ...` to consider the generated header
dd0927eb34bb [swift] Set `restat = 1` to swift build rules
88e8054aff7b Fix build with gcc12
e05c0aa00938 [label_matches] Add new functions label_matches(), filter_labels_include() and filter_labels_exclude()
f19d5817e7ba [swift] Remove problematic use of "stamp" tool
6253a39dbc43 Implement new --ninja-outputs-file option.
5787e994aa4c Add NinjaOutputsWriter class
03d10f1657b4 Move InvokePython() function to its own source file.
0cdb7dd27f5c zos: build with -DZOSLIB_OVERRIDE_CLIB to override creat
d4f94f9a6c25 Enable C++ runtime assertions in debug mode.
0a2b8eac80f1 Fix regression in MakeRelativePath()
8b973aa51d02 fix: Fix Windows MakeRelativePath.
a3dcd7a7ad86 Add long path support for windows
a2e2717ea670 Ensure read_file() files are considered by "gn analyze"
fc722252439e apply 2to3 to for some Python scripts
5110a7f03e86 Add rustflags to desc and help output
f99e015ac35f strings: support case insensitive check only in StartsWith/EndsWith
b5adfe5f574d add .git-blame-ignore-revs
d6085ac6a95b use std::{string,string_view}::{starts_with,ends_with}
8bd36a27c076 apply clang-format to all C++ sources
5d76868385b8 add forward declaration in rust_values.h
b8562a4abd95 Add `root_patterns` list to build configuration.
5fd939de8a66 Use c++20 in GN build
d4be45bb28fb update windows sdk to 2024-01-11
71305b07d708 update windows sdk
85944ebc24a9 Add linux-riscv64.
7367b0df0a0a Update OWNERS list.
92e63272dc04 remove unused function
c7b223bfb225 Ignore build warning -Werror=redundant-move
bc5744174d9e Fix --as=buildfile `gn desc deps` output.
9a45b6123831 Update recipe engine to 9dea1246.
85bd0a62938b treewide: Fix spelling mistakes
e4702d740906 Optimize base::EscapeJSONString for ASCII inputs.
5d8727f3fbf4 [docs]: Mention implicit names in style guide
182a6eb05d15 Use magenta for warnings
991530ce394e Avoid unnecessary "Regenerating ninja files" step after running "gn gen"
c1fc04434c8e Fix variable use tracking for scope subscript accesses.
cc56a0f98bb3 [infra] Link to jemalloc instead of rpmalloc
811d332bd905 Move WriteSourceSetStamp to NinjaCBinaryTargetWriter
3fccef9033b9 [action][data deps] Make data-deps order-only deps of the action outputs
62ac86a938c3 [action] Add test for data_deps of an action target
1029a3b50873 Ninja: Always pass linker flags to rlib-generating command.
fae280eabe5d [serenity] Add SerenityOS port
11e12b0ef870 Remove obsolete comment
1de45d1a11cc Generate a StaticLibrary for rlibs and DynamicLibrary for proc macros
2a92efd396d3 Include library search paths when compiling rlibs
da5fe01bce4a Avoid unused and incorrect linker args in {{rustdeps}}

Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-05-07 13:48:05 -04:00
Jon Mason 4ddf285c55 README: add backporting process information
Add entry for how to get patches backported.  Also, do some syntax
cleanups to make the README visualize better.

Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-05-03 14:00:04 -04:00
Jon Mason 1cd6c26bcf arm/trusted-firmware-a: add comment about location of deps
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-05-03 14:00:04 -04:00
Ross Burton c9c93da0dd arm/boot-wrapper-aarch64: use https to fetch git source
Some networks limit outgoing git: traffic, so use https:.

Fixes: 0cec3e5 ("arm/gem5/boot-wrapper-aarch64: Move main recipe to meta-arm")
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-05-03 10:00:06 -04:00
Mathieu Poirier e043bc4884 arm/trusted-firmware-rmm: Add bitbake, include and patch file for RMM
Initial checking providing support for RMM on QEMU's "virt" machine.

Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-05-02 11:57:43 -04:00
392 changed files with 11875 additions and 13353 deletions
+2
View File
@@ -0,0 +1,2 @@
[b4]
send-series-to = meta-arm@lists.yoctoproject.org
+56 -45
View File
@@ -1,4 +1,4 @@
image: ${MIRROR_GHCR}/siemens/kas/kas:4.3.2
image: ${MIRROR_GHCR}/siemens/kas/kas:4.4
variables:
# These are needed as the k8s executor doesn't respect the container
@@ -10,7 +10,7 @@ variables:
# The default machine tag for the build jobs
DEFAULT_TAG: ""
# The machine tag for the ACS test jobs
ACS_TAG: ""
ACS_TAG: "$DEFAULT_TAG"
# The directory to use as the persistent cache (the root for DL_DIR, SSTATE_DIR, etc)
CACHE_DIR: $CI_BUILDS_DIR/persist
# The container mirror to use
@@ -33,28 +33,24 @@ stages:
stage: build
interruptible: true
variables:
KUBERNETES_CPU_REQUEST: $CPU_REQUEST
KAS_WORK_DIR: $CI_PROJECT_DIR/work
KAS_REPO_REF_DIR: $CACHE_DIR/repos
KAS_BUILD_DIR: $KAS_WORK_DIR/build
# Set this in the environment to enable local repository caches
KAS_REPO_REF_DIR: ""
SSTATE_DIR: $CACHE_DIR/sstate
DL_DIR: $CACHE_DIR/downloads
BB_LOGCONFIG: $CI_PROJECT_DIR/ci/logging.yml
TOOLCHAIN_DIR: $CACHE_DIR/toolchains
IMAGE_DIR: $CI_PROJECT_DIR/work/build/tmp/deploy/images
TOOLCHAIN_LINK_DIR: $CI_PROJECT_DIR/work/build/toolchains
IMAGE_DIR: $KAS_BUILD_DIR/tmp/deploy/images
TOOLCHAIN_LINK_DIR: $KAS_BUILD_DIR/toolchains
before_script:
- echo KAS_WORK_DIR = $KAS_WORK_DIR
- echo SSTATE_DIR = $SSTATE_DIR
- echo DL_DIR = $DL_DIR
- rm -rf $KAS_WORK_DIR
- mkdir --verbose --parents $KAS_WORK_DIR $KAS_REPO_REF_DIR $SSTATE_DIR $DL_DIR $TOOLCHAIN_DIR $TOOLCHAIN_LINK_DIR
# Must do this here, as it's the only way to make sure the toolchain is installed on the same builder
- ./ci/get-binary-toolchains $DL_DIR $TOOLCHAIN_DIR $TOOLCHAIN_LINK_DIR
# Generalised fragment to do a Kas build
.build:
extends: .setup
variables:
KUBERNETES_CPU_REQUEST: $CPU_REQUEST
rules:
# Don't run MR pipelines
- if: $CI_PIPELINE_SOURCE == "merge_request_event"
@@ -75,13 +71,17 @@ stages:
- echo KASFILES=$KASFILES
- kas dump --update --force-checkout --resolve-refs --resolve-env $KASFILES
- kas build $KASFILES
- ./ci/check-warnings $KAS_WORK_DIR/build/warnings.log
- ./ci/check-warnings $KAS_BUILD_DIR/warnings.log
- kas shell ci/base.yml:lockfile.yml --command "$CI_PROJECT_DIR/ci/junit.sh $KAS_WORK_DIR/build"
artifacts:
name: "logs"
when: always
paths:
- $CI_PROJECT_DIR/work/build/tmp*/work*/**/temp/log.do_*.*
- $CI_PROJECT_DIR/work/build/tmp*/work*/**/testimage/*
- $KAS_BUILD_DIR/tmp*/work*/**/temp/log.do_*.*
- $KAS_BUILD_DIR/tmp*/work*/**/testimage/*
reports:
junit: $KAS_BUILD_DIR/tmp/log/oeqa/junit.xml
#
# Prep stage, update repositories once.
@@ -94,7 +94,18 @@ update-repos:
exit_codes: 128
script:
- |
flock --verbose --timeout 60 $KAS_REPO_REF_DIR ./ci/update-repos
exit_code=0
# Dump the environment for reference
printenv
# Update the reference repositories if needed
if [ -n "$KAS_REPO_REF_DIR" ]; then
flock --verbose --timeout 60 $KAS_REPO_REF_DIR --command ./ci/update-repos || exit_code=$?
# Exit now if that failed, unless the status was 128 (fetch failed)
test $exit_code != 0 -a $exit_code != 128 && exit 1
fi
# Only generate if doesn't already exist, to allow feature branches to drop one in.
if test -f lockfile.yml; then
echo Using existing lockfile.yml
@@ -102,23 +113,26 @@ update-repos:
# Be sure that this is the complete list of layers being fetched
kas dump --lock --update ci/qemuarm64.yml:ci/meta-openembedded.yml:ci/clang.yml:ci/meta-virtualization.yml | tee lockfile.yml
fi
exit $exit_code
artifacts:
name: "lockfile"
when: always
paths:
- lockfile.yml
#
# Build stage, the actual build jobs
#
# Available options for building are
# DISTRO: [poky, poky-tiny]
# Available options for building are (VIRT _must_ be last for ssh override)
# DISTRO: [poky, poky-altcfg, poky-tiny]
# KERNEL: [linux-yocto, linux-yocto-dev, linux-yocto-rt]
# TOOLCHAINS: [gcc, clang, external-gccarm]
# TOOLCHAINS: [gcc, clang]
# TCLIBC: [glibc, musl]
# FIRMWARE: [u-boot, edk2]
# TS: [none, trusted-services]
# VIRT: [none, xen]
# TESTING: testimage
# SECUREDEBUG: [none, secure-debug]
# VIRT: [none, xen]
arm-systemready-ir-acs:
extends: .build
@@ -128,7 +142,7 @@ arm-systemready-ir-acs:
# arm-systemready-ir-acs must be specified after fvp-base for ordering
# purposes for the jobs-to-kas output. It is not enough to just have it
# in the job name because fvp-base.yml overwrites the target.
- PLATFORM: fvp-base
- PLATFORM: [fvp-base, corstone1000-fvp]
ARM_SYSTEMREADY_IR_ACS: arm-systemready-ir-acs
tags:
- ${ACS_TAG}
@@ -160,6 +174,7 @@ corstone1000-mps3:
- FIRMWARE: corstone1000-firmware-only
TESTING: [none, tftf]
- FIRMWARE: none
SECUREDEBUG: [none, secure-debug]
documentation:
extends: .setup
@@ -190,22 +205,10 @@ fvp-base:
matrix:
- TS: [none, fvp-base-ts]
TESTING: testimage
- FIRMWARE: edk2
- FIRMWARE: [u-boot, edk2]
TESTING: testimage
- SYSTEMREADY_FIRMWARE: arm-systemready-firmware
arm-systemready-ir-acs:
extends: .build
timeout: 12h
parallel:
matrix:
# arm-systemready-ir-acs must be specified after fvp-base for ordering
# purposes for the jobs-to-kas output. It is not enough to just have it
# in the job name because fvp-base.yml overwrites the target.
- PLATFORM: [fvp-base, corstone1000-fvp]
ARM_SYSTEMREADY_IR_ACS: arm-systemready-ir-acs
tags:
- ${ACS_TAG}
fvps:
extends: .build
@@ -247,14 +250,13 @@ musca-b1:
musca-s1:
extends: .build
n1sdp:
extends: .build
parallel:
matrix:
- TESTING: [none, n1sdp-ts, n1sdp-optee, tftf]
pending-updates:
extends: .setup
# Only run this job for the default branch (master), or if forced with
# BUILD_FORCE_PENDING_UPDATES.
rules:
- if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
- if: $BUILD_FORCE_PENDING_UPDATES != null
artifacts:
paths:
- update-report
@@ -263,9 +265,6 @@ pending-updates:
# This configuration has all of the layers we need enabled
- kas shell --update --force-checkout ci/qemuarm64.yml:ci/meta-openembedded.yml:ci/meta-secure-core.yml:lockfile.yml --command \
"$CI_PROJECT_DIR/scripts/machine-summary.py -t report -o $CI_PROJECT_DIR/update-report $($CI_PROJECT_DIR/ci/listmachines.py meta-arm meta-arm-bsp)"
# Do this on x86 whilst the compilers are x86-only
tags:
- x86_64
qemuarm64-secureboot:
extends: .build
@@ -276,6 +275,10 @@ qemuarm64-secureboot:
TCLIBC: [glibc, musl]
TS: [none, qemuarm64-secureboot-ts]
TESTING: testimage
- TOOLCHAINS: [gcc, clang]
TS: [none, qemuarm64-secureboot-ts]
UEFISB: [none, uefi-secureboot]
TESTING: testimage
- KERNEL: linux-yocto-dev
TESTING: testimage
@@ -302,7 +305,7 @@ qemuarm-secureboot:
TOOLCHAINS: [gcc, clang]
TCLIBC: [glibc, musl]
TESTING: testimage
- TOOLCHAINS: external-gccarm
- DISTRO: [poky, poky-altcfg]
TESTING: testimage
- KERNEL: linux-yocto-dev
TESTING: testimage
@@ -339,6 +342,8 @@ sbsa-ref:
- KERNEL: [linux-yocto, linux-yocto-rt]
TOOLCHAINS: [gcc, clang]
TESTING: testimage
- DISTRO: poky-altcfg
TESTING: testimage
- KERNEL: linux-yocto-dev
TESTING: testimage
@@ -350,6 +355,12 @@ selftest:
sgi575:
extends: .build
parallel:
matrix:
- TESTING: testimage
# FVP binary is x86-only
tags:
- x86_64
toolchains:
extends: .build
@@ -1,79 +0,0 @@
From 42358d889ed652a8c386862f8c65e5fbe7484de2 Mon Sep 17 00:00:00 2001
From: Ross Burton <ross.burton@arm.com>
Date: Fri, 26 Apr 2024 10:38:28 +0000
Subject: [PATCH] procps: fix build with new glibc but old kernel headers
If you're building procps with a newer glibc (with pidfd_open()) but
older kernel headers (say 4.x, before __NR_pidfd_open) then procps will
fail to build because of a typo in configure.ac.
Signed-off-by: Ross Burton <ross.burton@arm.com>
---
.../procps/procps/pidfd.patch | 42 +++++++++++++++++++
meta/recipes-extended/procps/procps_4.0.4.bb | 1 +
2 files changed, 43 insertions(+)
create mode 100644 meta/recipes-extended/procps/procps/pidfd.patch
diff --git a/meta/recipes-extended/procps/procps/pidfd.patch b/meta/recipes-extended/procps/procps/pidfd.patch
new file mode 100644
index 00000000000..f5e8183e547
--- /dev/null
+++ b/meta/recipes-extended/procps/procps/pidfd.patch
@@ -0,0 +1,42 @@
+From c8f625e085b8249cc009e8b19c3a19100217eb35 Mon Sep 17 00:00:00 2001
+From: Ross Burton <ross.burton@arm.com>
+Date: Thu, 25 Apr 2024 13:33:15 +0000
+Subject: [PATCH] Fix pidfd_open detection
+
+This check for pidfd_open uses AC_CHECK_FUNC which just runs the specified code, but
+src/pgrep.c checks HAVE_PIDFD_OPEN which will only be defined by AC_CHECK_FUNCS.
+
+Also pidfd_open is defined in sys/pidfd.h so that needs including.
+
+Upstream-Status: Pending
+Signed-off-by: Ross Burton <ross.burton@arm.com>
+---
+
+diff --git a/configure.ac b/configure.ac
+index fec27e3f..024731c7 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -170,7 +170,7 @@ AC_TRY_COMPILE([#include <errno.h>],
+ AC_MSG_RESULT(yes),
+ AC_MSG_RESULT(no))
+
+-AC_CHECK_FUNC([pidfd_open], [enable_pidwait=yes], [
++AC_CHECK_FUNCS([pidfd_open], [enable_pidwait=yes], [
+ AC_MSG_CHECKING([for __NR_pidfd_open])
+ AC_COMPILE_IFELSE([AC_LANG_SOURCE([
+ #include <sys/syscall.h>
+diff --git a/src/pgrep.c b/src/pgrep.c
+index d8e57dff..c5211aec 100644
+--- a/src/pgrep.c
++++ b/src/pgrep.c
+@@ -44,7 +44,9 @@
+
+ #ifdef ENABLE_PIDWAIT
+ #include <sys/epoll.h>
+-#ifndef HAVE_PIDFD_OPEN
++#ifdef HAVE_PIDFD_OPEN
++#include <sys/pidfd.h>
++#else
+ #include <sys/syscall.h>
+ #endif /* !HAVE_PIDFD_OPEN */
+ #endif
diff --git a/meta/recipes-extended/procps/procps_4.0.4.bb b/meta/recipes-extended/procps/procps_4.0.4.bb
index 800384f22f7..ec8c4b0261b 100644
--- a/meta/recipes-extended/procps/procps_4.0.4.bb
+++ b/meta/recipes-extended/procps/procps_4.0.4.bb
@@ -14,6 +14,7 @@ inherit autotools gettext pkgconfig update-alternatives
SRC_URI = "git://gitlab.com/procps-ng/procps.git;protocol=https;branch=master \
file://sysctl.conf \
+ file://pidfd.patch \
"
SRCREV = "4ddcef2fd843170c8e2d59a83042978f41037a2b"
--
2.34.1
+36 -13
View File
@@ -8,7 +8,7 @@ This repository contains the Arm layers for OpenEmbedded.
* meta-arm-bsp
This layer contains machines for Arm reference platforms, for example FVP Base, N1SDP, and Juno.
This layer contains machines for Arm reference platforms, for example FVP Base, Corstone1000, and Juno.
* meta-arm-toolchain
@@ -19,19 +19,23 @@ Other Directories
* ci
This directory contains gitlab continuous integration configuration files (KAS yaml files) as well as scripts needed for this
This directory contains gitlab continuous integration configuration files (KAS yaml files) as well as scripts needed for this.
* documentation
This directory contains information on the files in this repository, building, and other relevant documents.
* kas
This directory contains KAS yaml files to describe builds for systems not used in CI
This directory contains KAS yaml files to describe builds for systems not used in CI.
* scripts
This directory contains scripts used in running the CI tests
This directory contains scripts used in running the CI tests.
Mailing List
------------
To interact with the meta-arm developer community, please email the meta-arm mailing list at meta-arm@lists.yoctoproject.org
To interact with the meta-arm developer community, please email the meta-arm mailing list at <meta-arm@lists.yoctoproject.org>.
Currently, it is configured to only allow emails to members from those subscribed.
To subscribe to the meta-arm mailing list, please go to
https://lists.yoctoproject.org/g/meta-arm
@@ -42,32 +46,51 @@ Currently, we only accept patches from the meta-arm mailing list. For general
information on how to submit a patch, please read
https://www.openembedded.org/wiki/How_to_submit_a_patch_to_OpenEmbedded
E-mail meta-arm@lists.yoctoproject.org with patches created using this process. You can configure git-send-email to automatically use this address for the meta-arm repository with the following git command:
E-mail <meta-arm@lists.yoctoproject.org> with patches created using this process. You can configure git-send-email to automatically use this address for the meta-arm repository with the following git command:
$ git config --local --add sendemail.to meta-arm@lists.yoctoproject.org
`$ git config --local --add sendemail.to meta-arm@lists.yoctoproject.org`
Commits and patches added should follow the OpenEmbedded patch guidelines:
https://www.openembedded.org/wiki/Commit_Patch_Message_Guidelines
The component being changed in the shortlog should be prefixed with the layer name (without the meta- prefix), for example:
> arm-bsp/trusted-firmware-a: decrease frobbing level
arm-bsp/trusted-firmware-a: decrease frobbing level
> arm-toolchain/gcc: enable foobar v2
arm-toolchain/gcc: enable foobar v2
All contributions are under the [MIT License](/COPYING.MIT).
For a quick start guide on how to build and use meta-arm, go to [quick-start.md](/documentation/quick-start.md).
For information on the continuous integration done on meta-arm and how to use it, go to [continuous-integration-and-kas.md](/documentation/continuous-integration-and-kas.md).
Backporting
--------------
Backporting patches to older releases may be done upon request, but only after a version of the patch has been accepted into the master branch. This is done by adding the branch name to email subject line. This should be between the square brackets (e.g., "[" and "]"), and before or after the "PATCH". For example,
> [nanbield PATCH] arm/linux-yocto: backport patch to fix 6.5.13 networking issues
Automatic backporting will be done to all branches if the "Fixes: <SHA>" wording is added to the patch commit message. This is similar to how the Linux kernel community does their LTS kernel backporting. For more information see the "Fixes" portion of
https://www.kernel.org/doc/html/latest/process/submitting-patches.html#submittingpatches
Releases and Release Schedule
--------------
We follow the Yocto Project release methodology, schedule, and stable/LTS support timelines. For more information on these, please reference:
https://docs.yoctoproject.org/ref-manual/release-process.html
https://wiki.yoctoproject.org/wiki/Releases
https://wiki.yoctoproject.org/wiki/Stable_Release_and_LTS
* https://docs.yoctoproject.org/ref-manual/release-process.html
* https://wiki.yoctoproject.org/wiki/Releases
* https://wiki.yoctoproject.org/wiki/Stable_Release_and_LTS
For more in-depth information on the meta-arm release and branch methodology, go to </documentation/releases.md>.
Reporting bugs
--------------
E-mail meta-arm@lists.yoctoproject.org with the error encountered and the steps
E-mail <meta-arm@lists.yoctoproject.org> with the error encountered and the steps
to reproduce the issue.
Security and Reporting Security Issues
--------------
For information on the security of meta-arm and how to report issues, please consult [SECURITY.md](/SECURITY.md).
Maintainer(s)
-------------
* Jon Mason <jon.mason@arm.com>
+13 -4
View File
@@ -18,7 +18,7 @@ number), please contact the meta-arm mailing list at
meta-arm@lists.yoctoproject.org and arm-security@arm.com.
If you are dealing with a not-yet released or urgent issue, please send a mail
to the maintainers (see README.md) and arm-security@arm.com, including as much
to the maintainers \(see [README.md](/README.md)\) and arm-security@arm.com, including as much
detail as possible. Encrypted emails using PGP are welcome.
For more information, please visit https://developer.arm.com/support/arm-security-updates/report-security-vulnerabilities.
@@ -27,11 +27,20 @@ For more information, please visit https://developer.arm.com/support/arm-securit
## Branches maintained with security fixes
meta-arm follows the Yocto release model, so see
[https://wiki.yoctoproject.org/wiki/Stable_Release_and_LTS Stable release and
LTS] for detailed info regarding the policies and maintenance of stable
[Stable release and LTS](https://wiki.yoctoproject.org/wiki/Stable_Release_and_LTS)
for detailed info regarding the policies and maintenance of stable
branches.
The [https://wiki.yoctoproject.org/wiki/Releases Release page] contains a list of all
The [Release page](https://wiki.yoctoproject.org/wiki/Releases) contains a list of all
releases of the Yocto Project. Versions in grey are no longer actively maintained with
security patches, but well-tested patches may still be accepted for them for
significant issues.
# Disclaimer
Arm reference solutions are Arm public example software projects that track and
pull upstream components, incorporating their respective security fixes
published over time. Arm partners are responsible for ensuring that the
components they use contain all the required security fixes, if and when they
deploy a product derived from Arm reference solutions.
+1
View File
@@ -16,3 +16,4 @@ target:
- arm-systemready-ir-acs
- arm-systemready-linux-distros-debian
- arm-systemready-linux-distros-opensuse
- arm-systemready-linux-distros-fedora
+3 -6
View File
@@ -7,7 +7,7 @@ distro: poky
defaults:
repos:
branch: scarthgap
branch: walnascar
repos:
meta-arm:
@@ -17,14 +17,10 @@ repos:
meta-arm-toolchain:
poky:
url: https://git.yoctoproject.org/git/poky
url: https://git.yoctoproject.org/poky
layers:
meta:
meta-poky:
patches:
procps:
path: 0001-procps-fix-build-with-new-glibc-but-old-kernel-heade.patch
repo: meta-arm
env:
BB_LOGCONFIG: ""
@@ -33,6 +29,7 @@ env:
local_conf_header:
base: |
CONF_VERSION = "2"
BB_SERVER_TIMEOUT = "300"
setup: |
PACKAGE_CLASSES = "package_ipk"
PACKAGECONFIG:remove:pn-qemu-system-native = "gtk+ sdl"
-9
View File
@@ -10,12 +10,3 @@ repos:
local_conf_header:
toolchain: |
TOOLCHAIN = "clang"
PREFERRED_PROVIDER_llvm = "clang"
PREFERRED_PROVIDER_llvm-native = "clang-native"
PREFERRED_PROVIDER_nativesdk-llvm = "nativesdk-clang"
PROVIDES:pn-clang = "llvm"
PROVIDES:pn-clang-native = "llvm-native"
PROVIDES:pn-nativesdk-clang = "nativesdk-llvm"
# This is needed to stop bitbake getting confused about what clang/llvm is
# being used, see https://github.com/kraj/meta-clang/pull/766
BBMASK += "/meta/recipes-devtools/llvm/llvm.*\.bb"
+2 -2
View File
@@ -5,5 +5,5 @@ header:
# Add universally helpful features when testing boards
local_conf_header:
debug: |
EXTRA_IMAGE_FEATURES:append = " debug-tweaks"
rootlogin: |
EXTRA_IMAGE_FEATURES:append = " allow-empty-password empty-root-password allow-root-login"
-2
View File
@@ -15,5 +15,3 @@ local_conf_header:
QB_DEFAULT_BIOS = "QEMU_EFI.fd"
WKS_FILE ?= "efi-disk.wks.in"
failing_tests: |
TEST_SUITES:remove = "xorg"
-13
View File
@@ -1,13 +0,0 @@
# yaml-language-server: $schema=https://raw.githubusercontent.com/siemens/kas/master/kas/schema-kas.json
header:
version: 14
local_conf_header:
cc: |
SKIP_RECIPE[gcc-cross-arm] = "Using external toolchain"
TCMODE = "external-arm"
EXTERNAL_TOOLCHAIN = "${TOPDIR}/toolchains/${TARGET_ARCH}"
# Disable ptest as this pulls target compilers, which don't
# work with external toolchain currently
DISTRO_FEATURES:remove = "ptest"
+1 -1
View File
@@ -9,5 +9,5 @@ header:
machine: fvp-base
target:
- core-image-sato
- core-image-full-cmdline
- boot-wrapper-aarch64
-5
View File
@@ -7,8 +7,3 @@ local_conf_header:
testimagefvp: |
LICENSE_FLAGS_ACCEPTED += "Arm-FVP-EULA"
IMAGE_CLASSES += "fvpboot"
failing_tests: |
# This fails but we can't add to the ignorelist from meta-arm yet
# https://bugzilla.yoctoproject.org/show_bug.cgi?id=14604
TEST_SUITES:remove = "parselogs"
TEST_SUITES:remove = "xorg"
+6 -1
View File
@@ -19,8 +19,13 @@ target:
# Target packages to test aarch64
- fvp-base-a-aem
- fvp-corstone1000
- fvp-rd1-ae
- fvp-v3-r1
# Nativesdk to test x86-64
- nativesdk-fvp-base-a-aem
- nativesdk-fvp-corstone1000
- nativesdk-fvp-n1-edge
- nativesdk-fvp-rd1-ae
- nativesdk-fvp-v3-r1
# These are x86 only... :(
- nativesdk-fvp-sgi575
- nativesdk-fvp-tc3
+3
View File
@@ -14,5 +14,8 @@ local_conf_header:
bootloader: |
# If running genericarm64 in a qemu we need to manually build the bootloader
EXTRA_IMAGEDEPENDS += "virtual/bootloader"
sshpregen: |
# Allow the use of the pregen keys as this is CI so safe
COMPATIBLE_MACHINE:pn-ssh-pregen-hostkeys:genericarm64 = "genericarm64"
machine: genericarm64
-51
View File
@@ -1,51 +0,0 @@
#!/bin/bash
set -u -e
BASENAME=arm-gnu-toolchain
VER=${VER:-13.2.Rel1}
HOST_ARCH=${HOST_ARCH:-$(uname -m)}
# Use the standard kas container locations if nothing is passed into the script
DOWNLOAD_DIR="${1:-/builds/persist/downloads/}"
TOOLCHAIN_DIR="${2:-/builds/persist//toolchains/}"
TOOLCHAIN_LINK_DIR="${3:-build/toolchains/}"
# These should be already created by .gitlab-ci.yml, but do here if run outside of that env
mkdir -p $DOWNLOAD_DIR $TOOLCHAIN_DIR $TOOLCHAIN_LINK_DIR
download() {
TRIPLE=$1
URL=https://developer.arm.com/-/media/Files/downloads/gnu/$VER/binrel/$BASENAME-$VER-$HOST_ARCH-$TRIPLE.tar.xz
wget -P $DOWNLOAD_DIR -nc $URL
}
if [ $HOST_ARCH = "aarch64" ]; then
# AArch64 Linux hosted cross compilers
# AArch32 target with hard float
download arm-none-linux-gnueabihf
elif [ $HOST_ARCH = "x86_64" ]; then
# x86_64 Linux hosted cross compilers
# AArch32 target with hard float
download arm-none-linux-gnueabihf
# AArch64 GNU/Linux target
download aarch64-none-linux-gnu
else
echo "ERROR - Unknown build arch of $HOST_ARCH"
exit 1
fi
for i in arm aarch64; do
if [ ! -d $TOOLCHAIN_DIR/$BASENAME-$VER-$HOST_ARCH-$i-none-linux-gnu*/ ]; then
if [ ! -f $DOWNLOAD_DIR/$BASENAME-$VER-$HOST_ARCH-$i-none-linux-gnu*.tar.xz ]; then
continue
fi
tar -C $TOOLCHAIN_DIR -axvf $DOWNLOAD_DIR/$BASENAME-$VER-$HOST_ARCH-$i-none-linux-gnu*.tar.xz
fi
# Setup a link for the toolchain to use local to the building machine (e.g., not in a shared location)
ln -s $TOOLCHAIN_DIR/$BASENAME-$VER-$HOST_ARCH-$i-none-linux-gnu* $TOOLCHAIN_LINK_DIR/$i
done
Executable
+15
View File
@@ -0,0 +1,15 @@
#! /bin/bash
# $ ci/junit.sh <build directory>
#
# If there is a OEQA test report in JSON format present in the build directory,
# transform it to JUnit XML using resulttool.
set -e -u
BUILDDIR=$1
JSON=$BUILDDIR/tmp/log/oeqa/testresults.json
if test -f $JSON; then
resulttool junit $JSON
fi
-14
View File
@@ -1,14 +0,0 @@
# yaml-language-server: $schema=https://raw.githubusercontent.com/siemens/kas/master/kas/schema-kas.json
header:
version: 14
# Config specific for the optee-xtests
local_conf_header:
optee-test: |
# Include ARM FFA
MACHINE_FEATURES:append = " arm-ffa"
# Include trusted services
TEST_SUITES:append = " trusted_services"
# Include Optee xtests
IMAGE_INSTALL:append = " optee-test"
-16
View File
@@ -1,16 +0,0 @@
# yaml-language-server: $schema=https://raw.githubusercontent.com/siemens/kas/master/kas/schema-kas.json
header:
version: 14
includes:
- ci/meta-openembedded.yml
local_conf_header:
trusted_services: |
TEST_SUITES:append = " trusted_services"
# Include TS Crypto, TS Protected Storage, TS Internal and Trusted Storage SPs into optee-os image
MACHINE_FEATURES:append = " arm-ffa ts-crypto ts-storage ts-its"
# Include TS demo/test tools into image
IMAGE_INSTALL:append = " packagegroup-ts-tests"
# Include TS PSA Arch tests into image
IMAGE_INSTALL:append = " packagegroup-ts-tests-psa"
+4
View File
@@ -0,0 +1,4 @@
header:
version: 14
distro: poky-altcfg
+3 -2
View File
@@ -8,8 +8,9 @@ header:
local_conf_header:
trusted_services: |
TEST_SUITES:append = " trusted_services"
# Include TS Crypto, TS Protected Storage, TS Internal Trusted Storage and SMM-Gateway SPs into optee-os image
MACHINE_FEATURES:append = " arm-ffa ts-crypto ts-storage ts-its ts-smm-gateway"
# Include TS Crypto, TS Protected Storage, and TS Internal Trusted Storage and SPs into optee-os image
# FIXME - remove TS SMM Gateway due to QEMU v9.0.0 test failures
MACHINE_FEATURES:append = " arm-ffa ts-crypto ts-storage ts-its"
# Include TS demo/test tools into image
IMAGE_INSTALL:append = " packagegroup-ts-tests"
# Include TS PSA Arch tests into image
+2 -6
View File
@@ -2,11 +2,7 @@
header:
version: 14
includes:
- ci/base.yml
machine: n1sdp
local_conf_header:
unsupported_trusted_services: |
MACHINE_FEATURES:remove = "ts-smm-gateway"
secure-debug: |
MACHINE_FEATURES += "secure-debug"
+6
View File
@@ -4,5 +4,11 @@ header:
version: 14
includes:
- ci/base.yml
- ci/fvp.yml
local_conf_header:
sshpregen: |
# Allow the use of the pregen keys as this is CI so safe
COMPATIBLE_MACHINE:pn-ssh-pregen-hostkeys:sgi575 = "sgi575"
machine: sgi575
+1 -1
View File
@@ -5,7 +5,7 @@ header:
local_conf_header:
sstate_mirror: |
BB_HASHSERVE_UPSTREAM = "hashserv.yocto.io:8687"
BB_HASHSERVE_UPSTREAM = "wss://hashserv.yoctoproject.org/ws"
SSTATE_MIRRORS = "file://.* http://cdn.jsdelivr.net/yocto/sstate/all/PATH;downloadfilename=PATH"
BB_HASHSERVE = "auto"
BB_SIGNATURE_HANDLER = "OEEquivHash"
+51
View File
@@ -0,0 +1,51 @@
# yaml-language-server: $schema=https://raw.githubusercontent.com/siemens/kas/master/kas/schema-kas.json
# UEFI Secure Boot: A mechanism to ensure that only trusted software is executed
# during the boot process.
header:
version: 14
includes:
- ci/meta-openembedded.yml
- ci/meta-secure-core.yml
local_conf_header:
uefi_secureboot: |
SBSIGN_KEYS_DIR = "${TOPDIR}/sbkeys"
BB_ENV_PASSTHROUGH_ADDITIONS = "SBSIGN_KEYS_DIR"
# Detected by passing kernel parameter
QB_KERNEL_ROOT = ""
# kernel is in the image, should not be loaded separately
QB_DEFAULT_KERNEL = "none"
WKS_FILE = "efi-disk.wks.in"
KERNEL_IMAGETYPE = "Image"
MACHINE_FEATURES:append = " efi uefi-secureboot uefi-http-boot uefi-capsule-updates"
EFI_PROVIDER = "systemd-boot"
# Use systemd as the init system
INIT_MANAGER = "systemd"
IMAGE_INSTALL:append = " systemd systemd-boot util-linux coreutils"
TEST_SUITES:append = " uefi_secureboot uki"
IMAGE_CLASSES += "uki"
IMAGE_CLASSES += "sbsign"
UKI_SB_KEY = "${SBSIGN_KEY}"
UKI_SB_CERT = "${SBSIGN_CERT}"
QB_KERNEL_ROOT = ""
IMAGE_BOOT_FILES:remove = "Image"
INITRAMFS_IMAGE = "core-image-initramfs-boot"
# not for initramfs image recipe
IMAGE_CLASSES:remove:pn-core-image-initramfs-boot = "uki"
IMAGE_CLASSES:remove:pn-core-image-initramfs-boot = "sbsign"
IMAGE_CLASSES:remove:pn-core-image-initramfs-boot = "testimage"
IMAGE_FEATURES:remove:pn-core-image-initramfs-boot = "ssh-server-dropbear"
CORE_IMAGE_EXTRA_INSTALL:remove:pn-core-image-initramfs-boot = "ssh-pregen-hostkeys"
+3 -3
View File
@@ -20,9 +20,9 @@ def repo_shortname(url):
.replace('*', '.'))
repositories = (
"https://git.yoctoproject.org/git/poky",
"https://git.yoctoproject.org/poky",
"https://git.openembedded.org/meta-openembedded",
"https://git.yoctoproject.org/git/meta-virtualization",
"https://git.yoctoproject.org/meta-virtualization",
"https://github.com/kraj/meta-clang",
)
@@ -44,7 +44,7 @@ if __name__ == "__main__":
if repodir.exists():
try:
print("Updating %s..." % repo)
subprocess.run(["git", "-C", repodir, "-c", "gc.autoDetach=false", "fetch"], check=True)
subprocess.run(["git", "-C", repodir, "-c", "gc.autoDetach=false", "fetch", repo], check=True)
except subprocess.CalledProcessError as e:
print(e)
failed = True
+3
View File
@@ -4,10 +4,13 @@ header:
version: 14
includes:
- ci/meta-virtualization.yml
- ci/poky-altcfg.yml
local_conf_header:
meta-virt: |
DISTRO_FEATURES:append = " virtualization xen"
sshd: |
IMAGE_FEATURES:append = " ssh-server-openssh"
target:
- xen-image-minimal
@@ -0,0 +1,67 @@
# **CI for Yocto Project and meta-arm**
# **CI for Yocto Project**
The Yocto Project has an autobuilder that performs nightly builds and image tests on all of the defined QEMU machines, including qemuarm and qemuarm64 Also, it currently runs builds on the hardware reference platforms including genericarm64 and meta-arm mahines fvp-base and sbsa-ref. More information on the autobuilder can be found at <https://autobuilder.yoctoproject.org/>.
More information on the image tests can be found at <https://wiki.yoctoproject.org/wiki/Image_tests>.
The Yocto Project also has the ability to have individual package tests, ptests.  For more information on those, go to <https://wiki.yoctoproject.org/wiki/Ptest>.
# **CI for meta-arm**
meta-arm is using the Gitlab CI infrastructure.  This is currently being done internal to Arm, but an external version can be seen at <https://gitlab.com/jonmason00/meta-arm/-/pipelines>.
This CI is constantly being expanded to provide increased coverage of the software and hardware supported in meta-arm. All platforms are required to add a kas file and `.gitlab-ci.yml` entry as part of the initial patch series. More information on kas can be found at <https://github.com/siemens/kas>.
To this end, it would be wise to run kas locally to verify everything works prior to pushing to the CI build system.
## **Running kas locally**
### **Install kas**
kas can be installed with pip, for example:
```
$ pip3 install --user kas
```
See <https://kas.readthedocs.io/en/latest/userguide/getting-started.html> for information on the dependencies and more.
This assumes that the kas path ($HOME/.local/bin) is in $PATH. If not, the user will need to manually add this or the kas command will not be found.
### **Run kas locally**
```
$ cd ~/meta-arm/
$ kas build kas/juno.yml
```
By default kas will create a build directory under meta-arm to contain the checked out layers, build directory, and downloads.  You can change this by setting environment variables. DL\_DIR and SSTATE\_DIR are respected so these can point at existing directories, and setting KAS\_WORK\_DIR to the directory where repositories are already cloned will save having to re-fetch. This can look something like:
```
$ SSTATE_DIR=/builds/persist/sstate DL_DIR=/builds/persist/downloads kas build ci/qemuarm64.yml:ci/testimage.yml
```
See the [quick start guide](/documentation/quick-start.md) for more information on how to set this up.
## **Locked Revisions in CI with lockfiles**
The CI in meta-arm will generate a kas "lock file" when it starts to ensure that all of the builds checkout the same revision of the various different layers that are used. If this isn't done then there's a chance that a layer will be modified upstream during the CI, which results in some builds failing and some builds passing.
This lock file is saved as an artefact of the update-repos job by the CI, and only generated if it doesn't already exist in the repository. This can be used to force specific revisions of layers to be used instead of HEAD, which can be useful if upstream changes are causing problems in development.
The lockfile.yml can be downloaded manually, but there's a script in meta-arm to fetch the lock file for the latest successful build of the specified branch:
```
$ ./ci/download-lockfile.py --help
usage: download-lockfile.py [-h] server project refspec
positional arguments:
server GitLab server name
project meta-arm project name
refspec Branch/commit
$ ./ci/download-lockfile.py https://gitlab.com/jonmason00/meta-arm master
Fetched lockfile.yml
Commit this lockfile.yml to the top-level of the meta-arm repository and the CI will use it automatically.
```
# **Relevant Links for kas, CI, and testing**
<https://github.com/siemens/kas.git>
<https://wiki.yoctoproject.org/wiki/Oe-selftest>
<https://wiki.yoctoproject.org/wiki/Image_tests>
<https://wiki.yoctoproject.org/wiki/Ptest>
<https://wiki.yoctoproject.org/wiki/BSP_Test_Plan>
+105
View File
@@ -0,0 +1,105 @@
# **Yocto Project quick start for Arm system software developers**
If you want to read the The Yocto Project official quick start documentation, go to <https://docs.yoctoproject.org/brief-yoctoprojectqs/index.html>
If that looks like too much reading, then here is how to do it even faster!
# **Step 0: Install build deps and kas**
```
$ sudo apt install gawk wget git diffstat unzip texinfo gcc build-essential chrpath socat cpio python3 python3-pip python3-pexpect xz-utils debianutils iputils-ping python3-git python3-jinja2 libegl1-mesa libsdl1.2-dev python3-subunit mesa-common-dev zstd liblz4-tool file locales libacl1
$ pip install kas
```
OR, if you prefer to use a docker will all that stuff already installed:
```
$ sudo docker run -it --name kas-test --volume /mnt/yocto/:/builds/persist ghcr.io/siemens/kas/kas /bin/bash
```
> **_NOTE:_**
> the “--volume” is the directory where your persistent stuff (like downloads and build artifacts) will go to help speed up your builds and can be sharable amongst your builds/containers.  If you want to go completely clean-room, feel free to remove it
# **Step 1: clone meta-arm and build meta-arm**
```
$ git clone https://git.yoctoproject.org/meta-arm
$ cd meta-arm/
$ SSTATE_DIR=/builds/persist/sstate DL_DIR=/builds/persist/downloads kas build ci/fvp-base.yml:ci/testimage.yml
```
> **_NOTE:_**
> “ci/testimage.yml” will cause the build to run some basic system tests.  If you dont care about verifying basic functionality, then remove it and it should be faster (a few less programs will be added to the system image and the 2-3mins that it takes to run the test will not happen).
> **_NOTE:_**
> You may wish to add the Yocto Project SSTATE Mirror (especially the first time) to speed up the build by downloading the build fragments (built by the Yocto Project autobuilder) from the internet. This can be done by adding "ci/sstate-mirror.yml" in kas or adding the relevant lines to your local.conf. Using the above example:
```
$ SSTATE_DIR=/builds/persist/sstate DL_DIR=/builds/persist/downloads kas build ci/fvp-base.yml:ci/sstate-mirror.yml
```
> **_NOTE:_**
> This only fetches the parts necessary for your build and may take several minutes depending on your internet connection speed. Also, it only fetches what is available. There may still be a need to build things depending on your configuration.
For more information on kas and various commands, please reference <https://kas.readthedocs.io/en/latest/>.
Depending on what software you are building, fvp-base might not be the machine you want to build for.
The following website provides an EXTREMELY rough way to tell what software is in what machines, and what versions are being run:
<https://gitlab.com/jonmason00/meta-arm/-/jobs/artifacts/master/file/update-report/index.html?job=pending-updates>
If, as an example, were wanting to develop trusted-firmware-a; then fvp-base will work for us. 
### **Okay, you are done!  VICTORY!**
### **Oh, you actually wanted to mess around with the system software source code?**
# **Step 2: use devtool to get your source**
Setup your environment via the (non-kas) Yocto Project tools
```
$ source poky/oe-init-build-env
```
Use devtool to checkout the version of software being used on the machine above (in the above example, this will be trusted-firmware-a for fvp-base).
```
$ devtool modify trusted-firmware-a
```
This will download the source, hopefully in git (depending on how the Yocto Project recipe was written), and should print a path at the end where the source code was checked out.  In the trusted-firmware-a example, I got:
> /builder/meta-arm/build/workspace/sources/trusted-firmware-a
Inside of that directory, you should see the relevant source code.  In this example, it is a standard git tree.  So, you can add remotes, checkout different SHAs, etc
Ok, so you are set with your changes and want to build them.
```
$ devtool build trusted-firmware-a
```
This should build the software in question, but it is not yet integrated into a system image.  To do that, run:
```
$ devtool build-image core-image-sato
```
The image should match the image being used on your machine above.  Most of them in meta-arm are set to core-image-sato.  
Also, if you used testimage above, it will run testimage now
### **Okay, you are done!  VICTORY!**
# **Step 3.  Testing your patches outside of devtool**
At this point I will assume you have a patch and want to add it to the base recipe.  Using the above example, in the devtool directory:
```
$ git format-patch -1
0001-example.patch
$ mv 0001-example.patch ~/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/files/
$ cd ~/meta-arm
$ devtool reset trusted-firmware-a
$ echo SRC_URI:append = " file://0001-example.patch" >> meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_2.10.3.bb
```
> **_NOTE:_**
> there is a space before the “file” and yes it matters very much
At this point, you can go back using kas and verify that the patch works in a clean-ish tree.
```
$ SSTATE_DIR=/builds/persist/sstate DL_DIR=/builds/persist/downloads kas build ci/fvp-base.yml:ci/testimage.yml
```
There is obviously much more that can be done and other ways to do similar things.
## **If there are issues or questions then please ask them on the #meta-arm irc channel on libera.chat**
+43
View File
@@ -0,0 +1,43 @@
# **meta-arm Releases and Branching**
## **Release and Branching background**
The Yocto Project releases twice a year (April and October): "stable" releases are made every six months and have a lifetime of seven months to allow for migration, while "long term support" (LTS) releases are picked every two years starting from Dunfell in April 2020. The standard practice for all Yocto Compatible layers is to create a "named" branch consistent with the code name of that release. For example, the “dunfell” release of the Yocto Project will have a branch named “dunfell” in the official git repository, and layers compatible with dunfell will have a branch named “dunfell”. Thus, a customer can easily organize a collection of appropriate layers to make a product.
In the Yocto Project, these named branches are “stable”, and only take bug fixes or security-critical upgrades. Active development occurs on the master branch. However, this methodology can be problematic if mimicked with the compatible layers. Companies, like Arm, may not wish to release a snapshot of the relevant “master” branches under active development, due to the amount of testing, fixing, and hardening necessary to make a product from a non-stable release. Also, changes to keep the master branch of a layer working with the upstream master branch of the Yocto Project may result in that branch no longer being compatible with named branches (e.g., it might not be possible to mix and match master and dunfell). So, a decision must be made on the branching policy of meta-arm.
## **Adding new Hardware or Software features**
There are many different ways to resolve this issue. After some discussion, the best solution for us is to allow new hardware enablement (and relevant software features) to be included in LTS named branches (not just bug fixes). This will allow for a more stable software platform for software to be developed, tested, and released. Also, the single branch allows for focused testing (limiting the amount of resources needed for CI/CD), lessens/eliminates code diverging on various branches, and lessens confusion on which branch to use. The risk of making this choice is a potentially non-stable branch which will require more frequent testing to lessen the risk, and not following the “stable” methodology of the core Yocto Project layers (though it is not uncommon for BSP layers to behave this way).
## **Process**
The process for patches intended on being integrated into only the master branch is the normal internal process of pushing for code review and CI, approval and integration into upstream meta-arm master branch.
For patches intended on being included in an LTS named branch, the preferred process is to upstream via the master branch, rebase the patch (or series against the intended LTS branch) and send email with the release name in the subject line after the "PATCH" (e.g., "[PATCH dunfell] Add foo to bar").
If there is a time crunch and the preferred way above cannot be completed in time, upstreaming via the LTS branch can occur. This follows the normal process above but without the master integration step. However, any patches upstreamed in this manner must be pushed to master in a timely fashion (after the time crunch). Nagging emails will be sent and managers will be involved as the time grows.
## **Testing**
See [continuous-integration-and-kas.md](/documentation/continuous-integration-and-kas.md) for information how the layer is tested and what tests are run. It is presumed that all code will be compiled as part of the CI process of the gerrit code review. Also, testing on virtual platforms and code conformity checks will be run when enabled in the process.
## **Branching strategy and releases**
Named branches for meta-arm will be released as close as possible to the release of the YP LTS release. Meta-arm named branches will be created from the meta-arm master branch.
To minimize the additional work of maintaining multiple branches it is assumed that there will only be two active development branches at any given time: master and the most recent Long Term Stable (LTS) as the named branch. All previous named LTS branches will be EOLed when a new LTS has been released. Any branches that are EOLed will still exist in the meta-arm, but bug fix patches will be accepted. Limited to no testing will occur on EOLed branches. Exceptions to this can be made, but must be sized appropriately and agreed to by the relevant parties.
Named branch release will coincide with Yocto Project releases. These non-LTS branches will be bug fix only and will be EOLed on the next release (similar to the YP branching behavior).
### **Branch transitions**
When YP is approaching release, meta-arm will attempt to stabilize master so that the releases can coincide.
* T-6 weeks - Email is sent to meta-arm mailing list notifying of upcoming code freeze of features to meta-arm
* T-4 weeks - Code freeze to meta-arm. Only bug fixes are taken at this point.
* T-0 - Official upstream release occurs. With no outstanding critical bugs, a new named branch is created based on the current meta-arm master branch. Previous named branches are now frozen and will not accept new patches (but will continue to be present for reference and legacy usage).
## **Tagging**
### **Branch Tagging**
When each branch is released, a git tag with the Yocto Project version number will be added. For example, `4.3`. Also, this tag version number will be prepended with "yocto" in a duplicate tag (e.g., "yocto-4.3").
Conciding with the Yocto Project release schedule, every branch which has one or more changes added to it in the previous 6 months will get a minor versioned tag (e.g., "4.3.1" and "yocto-4.3.1").
### **BSP Release Tagging**
BSP releases for those boards supported in meta-arm-bsp maybe have an additional tag to denote their software releases. The tag will consist of the board name (in all capital letters), year, and month. For example, "CORSTONE1000-2023.11".
The release schedule for this is outside the standard Yocto Project release candence, but is generally encouraged to be as close to these releases as possible. Similarily, it is recommended the BSP releases be based on the latest LTS branch.
# **Relevant Links**
<https://wiki.yoctoproject.org/wiki/Releases>
+2 -2
View File
@@ -4,10 +4,10 @@ The `runfvp` tool in meta-arm makes it easy to run Yocto Project disk images ins
## Running images with `runfvp`
To build images with the FVP integration, the `fvpboot` class needs to be inherited. If the machine does not do this explicitly it can be done in `local.conf`:
To build images with the FVP integration, the `fvpboot` image class needs to be inherited. If the machine does not do this explicitly it can be done in `local.conf`:
```
INHERIT += "fvpboot"
IMAGE_CLASSES += "fvpboot"
```
The class will download the correct FVP and write a `.fvpconf` configuration file when an image is built.
+2 -4
View File
@@ -37,13 +37,11 @@ Other steps depend on your machine/platform definition:
2. optee-os might require platform specific OP-TEE build parameters (for example what SEL the SPM Core is implemented at).
You can find examples in `meta-arm/recipes-security/optee/optee-os_%.bbappend` for qemuarm64-secureboot machine
and in `meta-arm-bsp/recipes-security/optee/optee-os-n1sdp.inc` and `meta-arm-bsp/recipes-security/optee/optee-os-corstone1000-common.inc`
for N1SDP and Corstone1000 platforms accordingly.
and in `meta-arm-bsp/recipes-security/optee/optee-os-corstone1000-common.inc` for the Corstone1000 platform.
3. trusted-firmware-a might require platform specific TF-A build parameters (SPD and SPMC details on the platform).
See `meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_%.bbappend` for qemuarm64-secureboot machine
and in `meta-arm-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a-n1sdp.inc` and
`meta-arm-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a-corstone1000.inc` for N1SDP and Corstone1000 platforms.
and in `meta-arm-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a-corstone1000.inc` for theCorstone1000 platform.
4. Trusted Services supports an SPMC agonistic binary format. To build SPs to this format the `TS_ENV` variable is to be
set to `sp`. The resulting SP binaries should be able to boot under any FF-A v1.1 compliant SPMC implementation.
@@ -2,6 +2,7 @@ header:
version: 13
includes:
- kas/arm-systemready-firmware.yml
- kas/arm-systemready-linux-distros-unattended-installation.yml
target:
- arm-systemready-linux-distros-debian
@@ -0,0 +1,8 @@
header:
version: 16
includes:
- kas/arm-systemready-firmware.yml
- kas/arm-systemready-linux-distros-unattended-installation.yml
target:
- arm-systemready-linux-distros-fedora
@@ -2,6 +2,7 @@ header:
version: 13
includes:
- kas/arm-systemready-firmware.yml
- kas/arm-systemready-linux-distros-unattended-installation.yml
target:
- arm-systemready-linux-distros-opensuse
@@ -0,0 +1,11 @@
header:
version: 16
env:
DISTRO_UNATTENDED_INST_TESTS:
# The full testimage run typically takes around 12-24h on fvp-base.
TEST_OVERALL_TIMEOUT: "${@ 24*60*60}"
local_conf_header:
systemready-unattended-inst: |
TESTIMAGE_AUTO = "${@oe.utils.vartrue("DISTRO_UNATTENDED_INST_TESTS", "1", "", d)}"
+4 -4
View File
@@ -5,7 +5,7 @@ distro: poky
defaults:
repos:
branch: master
branch: walnascar
repos:
meta-arm:
@@ -16,14 +16,14 @@ repos:
poky:
url: https://git.yoctoproject.org/git/poky
# commit: 2e9c2a2381105f1306bcbcb54816cbc5d8110eff
commit: ee0d8d8a61d8e22a3dd00c32cde58ee6e8ec458f
layers:
meta:
meta-poky:
meta-openembedded:
url: https://git.openembedded.org/meta-openembedded
# commit: 1750c66ae8e4268c472c0b2b94748a59d6ef866d
commit: 2169c9afcc0945045bea49f58011080942d4ddb4
layers:
meta-oe:
meta-python:
@@ -31,7 +31,7 @@ repos:
meta-secure-core:
url: https://github.com/wind-river/meta-secure-core.git
# commit: e29165a1031dcf601edbed1733cedd64826672a5
commit: 423bc85b050594cc42fe3f2e0d0229960e70b94e
layers:
meta-secure-core-common:
meta-signing-key:
+6
View File
@@ -0,0 +1,6 @@
header:
version: 14
local_conf_header:
extsys: |
MACHINE_FEATURES += "corstone1000-extsys"
+8
View File
@@ -0,0 +1,8 @@
# yaml-language-server: $schema=https://raw.githubusercontent.com/siemens/kas/master/kas/schema-kas.json
header:
version: 14
local_conf_header:
fvp-multicore: |
MACHINE_FEATURES += "corstone1000_fvp_smp"
-1
View File
@@ -13,7 +13,6 @@ env:
local_conf_header:
testimagefvp: |
LICENSE_FLAGS_ACCEPTED += "Arm-FVP-EULA"
IMAGE_CLASSES += "fvpboot"
mass-storage: |
+3 -1
View File
@@ -9,7 +9,7 @@ BBFILE_COLLECTIONS += "meta-arm-bsp"
BBFILE_PATTERN_meta-arm-bsp = "^${LAYERDIR}/"
BBFILE_PRIORITY_meta-arm-bsp = "5"
LAYERSERIES_COMPAT_meta-arm-bsp = "nanbield scarthgap"
LAYERSERIES_COMPAT_meta-arm-bsp = "styhead walnascar"
LAYERDEPENDS_meta-arm-bsp = "core meta-arm"
# This won't be used by layerindex-fetch, but works everywhere else
@@ -28,3 +28,5 @@ BBFILES_DYNAMIC += " \
WARN_QA:append:layer-meta-arm-bsp = " patch-status"
addpylib ${LAYERDIR}/lib oeqa
IMAGE_ROOTFS_EXTRA_ARGS ?= ""
@@ -9,7 +9,8 @@ TFM_PLATFORM_IS_FVP = "TRUE"
# testimage config
TEST_TARGET = "OEFVPTarget"
TEST_SUITES = "fvp_boot"
TEST_TARGET_IP = "127.0.0.1:2222"
DEFAULT_TEST_SUITES:append = " fvp_boot fvp_devices"
# FVP Config
FVP_PROVIDER ?= "fvp-corstone1000-native"
+11 -8
View File
@@ -4,22 +4,25 @@
#@NAME: Armv8-A Base Platform FVP machine
#@DESCRIPTION: Machine configuration for Armv8-A Base Platform FVP model
require conf/machine/include/arm/arch-armv8-4a.inc
require conf/machine/include/arm/arch-armv8-5a.inc
ARM_SYSTEMREADY_FIRMWARE = "trusted-firmware-a:do_deploy"
ARM_SYSTEMREADY_ACS_CONSOLE = "default"
EXTRA_IMAGEDEPENDS = "${ARM_SYSTEMREADY_FIRMWARE}"
MACHINE_FEATURES = "efi"
MACHINE_FEATURES = "efi vfat"
IMAGE_NAME_SUFFIX = ""
IMAGE_FSTYPES += "wic"
WKS_FILE ?= "efi-disk.wks.in"
SERIAL_CONSOLES = "115200;ttyAMA0"
# FIXME - This is being upstreamed. Remove once that has occurred.
KERNEL_CONSOLE ?= "${@','.join(d.getVar('SERIAL_CONSOLES').split(' ')[0].split(';')[::-1]) or 'ttyS0'}"
PREFERRED_PROVIDER_virtual/kernel ?= "linux-yocto"
KERNEL_DEVICETREE = "arm/fvp-base-revc.dtb"
KERNEL_DTB_NAME = "fvp-base-revc.dtb"
KERNEL_DEVICETREE = "arm/${KERNEL_DTB_NAME}"
KERNEL_IMAGETYPE = "Image"
EXTRA_IMAGEDEPENDS += "trusted-firmware-a"
@@ -27,7 +30,7 @@ EXTRA_IMAGEDEPENDS += "trusted-firmware-a"
# FVP u-boot configuration
UBOOT_MACHINE = "vexpress_fvp_defconfig"
EFI_PROVIDER ?= "grub-efi"
EFI_PROVIDER ?= "${@bb.utils.contains("DISTRO_FEATURES", "systemd", "systemd-boot", "grub-efi", d)}"
# As this is a virtual target that will not be used in the real world there is
# no need for real SSH keys.
@@ -54,12 +57,12 @@ FVP_CONFIG[cluster1.stage12_tlb_size] ?= "1024"
FVP_CONFIG[bp.secureflashloader.fname] ?= "bl1-fvp.bin"
FVP_CONFIG[bp.flashloader0.fname] ?= "fip-fvp.bin"
FVP_CONFIG[bp.virtioblockdevice.image_path] ?= "${IMAGE_NAME}.wic"
# Set the baseline to ARMv8.4, as the default is 8.0.
FVP_CONFIG[cluster0.has_arm_v8-4] = "1"
FVP_CONFIG[cluster1.has_arm_v8-4] = "1"
# Set the baseline to ARMv8.5, as the default is 8.0.
FVP_CONFIG[cluster0.has_arm_v8-5] = "1"
FVP_CONFIG[cluster1.has_arm_v8-5] = "1"
FVP_CONSOLES[default] = "terminal_0"
FVP_TERMINALS[bp.terminal_0] ?= "Console"
FVP_TERMINALS[bp.terminal_1] ?= ""
FVP_TERMINALS[bp.terminal_2] ?= ""
FVP_TERMINALS[bp.terminal_3] ?= ""
FVP_CONFIG[bp.secure_memory] ?= "1"
FVP_CONFIG[bp.secure_memory] ?= "1"
@@ -3,18 +3,19 @@ require conf/machine/include/arm/armv8a/tune-cortexa35.inc
MACHINEOVERRIDES =. "corstone1000:"
# TF-M
PREFERRED_VERSION_trusted-firmware-m ?= "2.0.%"
PREFERRED_VERSION_trusted-firmware-m ?= "2.1.%"
# TF-A
TFA_PLATFORM = "corstone1000"
PREFERRED_VERSION_trusted-firmware-a ?= "2.10.%"
PREFERRED_VERSION_trusted-firmware-a ?= "2.11.%"
PREFERRED_VERSION_tf-a-tests ?= "2.10.%"
TFA_BL2_BINARY = "bl2-corstone1000.bin"
TFA_FIP_BINARY = "fip-corstone1000.bin"
# optee
PREFERRED_VERSION_optee-os ?= "4.1.%"
PREFERRED_VERSION_optee-os ?= "4.4.%"
PREFERRED_VERSION_optee-client ?= "4.4.%"
# Trusted Services
TS_PLATFORM = "arm/corstone1000"
@@ -34,7 +35,7 @@ IMAGE_CMD:wic[vardeps] += "GRUB_LINUX_APPEND"
# Linux kernel
PREFERRED_PROVIDER_virtual/kernel ?= "linux-yocto"
PREFERRED_VERSION_linux-yocto ?= "6.6.%"
PREFERRED_VERSION_linux-yocto ?= "6.12.%"
KERNEL_IMAGETYPE = "Image"
KERNEL_IMAGETYPE:firmware = "Image.gz"
# add FF-A support in the kernel
@@ -63,3 +64,6 @@ ARM_SYSTEMREADY_FIRMWARE = "${FIRMWARE_DEPLOYMENT}:do_deploy \
corstone1000-esp-image:do_image_complete \
"
ARM_SYSTEMREADY_ACS_CONSOLE ?= "default"
# Workaround IMAGE_ROOTFS_EXTRA_SPACE being ignored when images are repacked
IMAGE_ROOTFS_EXTRA_ARGS += "--extra-space ${@${IMAGE_ROOTFS_EXTRA_SPACE}}K"
-51
View File
@@ -1,51 +0,0 @@
# Configuration for Arm N1SDP development board
#@TYPE: Machine
#@NAME: N1SDP machine
#@DESCRIPTION: Machine configuration for N1SDP
require conf/machine/include/arm/armv8-2a/tune-neoversen1.inc
KERNEL_IMAGETYPE = "Image"
IMAGE_FSTYPES += "wic wic.gz wic.bmap tar.bz2 ext4"
SERIAL_CONSOLES = "115200;ttyAMA0"
# Set default WKS
WKS_FILE ?= "n1sdp-efidisk.wks"
IMAGE_EFI_BOOT_FILES ?= "n1sdp-multi-chip.dtb n1sdp-single-chip.dtb"
WKS_FILE_DEPENDS:append = " ${EXTRA_IMAGEDEPENDS}"
# Use kernel provided by yocto
PREFERRED_PROVIDER_virtual/kernel ?= "linux-yocto"
PREFERRED_VERSION_linux-yocto ?= "6.6%"
# RTL8168E Gigabit Ethernet Controller is attached to the PCIe interface
MACHINE_ESSENTIAL_EXTRA_RDEPENDS += "linux-firmware-rtl8168"
# TF-A
EXTRA_IMAGEDEPENDS += "trusted-firmware-a"
TFA_PLATFORM = "n1sdp"
PREFERRED_VERSION_trusted-firmware-a ?= "2.10.%"
PREFERRED_VERSION_tf-a-tests ?= "2.10.%"
# SCP
EXTRA_IMAGEDEPENDS += "virtual/control-processor-firmware"
#UEFI EDK2 firmware
EXTRA_IMAGEDEPENDS += "edk2-firmware"
PREFERRED_VERSION_edk2-firmware ?= "202311"
#optee
PREFERRED_VERSION_optee-os ?= "4.1.%"
PREFERRED_VERSION_optee-os-tadevkit ?= "4.1.%"
PREFERRED_VERSION_optee-test ?= "4.1.%"
PREFERRED_VERSION_optee-client ?= "4.1.%"
#grub-efi
EFI_PROVIDER ?= "grub-efi"
MACHINE_FEATURES += "efi"
# SD-Card firmware
EXTRA_IMAGEDEPENDS += "sdcard-image-n1sdp"
+4
View File
@@ -26,6 +26,10 @@ EFI_PROVIDER ?= "${@bb.utils.contains("DISTRO_FEATURES", "systemd", "systemd-boo
SERIAL_CONSOLES ?= "115200;ttyAMA0 115200;hvc0"
EXTRA_IMAGEDEPENDS += "edk2-firmware"
# FIXME - Currently seeing a kernel warning for the CPU topology when bumping
# the version past this. The issue is being tracked in
# https://github.com/tianocore/edk2-platforms/issues/752
PREFERRED_VERSION_edk2-firmware ?= "202408%"
QB_SYSTEM_NAME = "qemu-system-aarch64"
QB_MACHINE = "-machine sbsa-ref"
+42 -4
View File
@@ -7,18 +7,56 @@
require conf/machine/include/arm/armv8-2a/tune-cortexa75.inc
EXTRA_IMAGEDEPENDS += "virtual/control-processor-firmware"
EXTRA_IMAGEDEPENDS += "trusted-firmware-a"
KERNEL_IMAGETYPE ?= "Image"
PREFERRED_PROVIDER_virtual/kernel ?= "linux-yocto"
SERIAL_CONSOLES = "115200;ttyAMA0"
#grub-efi
EFI_PROVIDER ?= "grub-efi"
EFI_PROVIDER ?= "${@bb.utils.contains("DISTRO_FEATURES", "systemd", "systemd-boot", "grub-efi", d)}"
MACHINE_FEATURES += "efi"
IMAGE_FSTYPES += "cpio.gz wic"
IMAGE_NAME_SUFFIX = ""
IMAGE_CLASSES += "fvpboot"
WKS_FILE ?= "sgi575-efidisk.wks"
WKS_FILE ?= "efi-disk.wks.in"
WKS_FILE_DEPENDS:append = " ${EXTRA_IMAGEDEPENDS}"
# testimage config
TEST_TARGET = "OEFVPTarget"
#TEST_TARGET_IP = "127.0.0.1:222"
TEST_SUITES = "fvp_boot"
# FVP Config
FVP_PROVIDER ?= "fvp-sgi575-native"
FVP_EXE ?= "FVP_CSS_SGI-575"
# Virtio-Net configuration
FVP_CONFIG[board.virtio_net.enabled] ?= "1"
FVP_CONFIG[board.virtio_net.hostbridge.userNetworking] ?= "1"
FVP_CONFIG[board.virtio_net.hostbridge.userNetPorts] = "2222=22"
FVP_CONFIG[board.virtioblockdevice.image_path] ?= "${IMAGE_NAME}.wic"
#FVP_CONFIG[cache_state_modelled] ?= "0"
FVP_CONFIG[css.cmn600.mesh_config_file] = "SGI-575_cmn600.yml"
FVP_CONFIG[css.cmn600.force_rnsam_internal] ?= "false"
FVP_CONFIG[css.gic_distributor.ITS-device-bits] ?= "20"
FVP_DATA ?= "css.scp.armcortexm7ct=scp_ramfw.bin@0x0BD80000"
FVP_CONFIG[css.mcp.ROMloader.fname] ?= "mcp_romfw.bin"
FVP_CONFIG[css.scp.ROMloader.fname] ?= "scp_romfw.bin"
FVP_CONFIG[css.trustedBootROMloader.fname] ?= "bl1-sgi575.bin"
FVP_CONFIG[board.flashloader0.fname] ?= "fip-sgi575.bin"
FVP_CONSOLES[default] = "terminal_uart_ap"
FVP_TERMINALS[css.scp.terminal_uart_aon] ?= "SCP Console"
FVP_TERMINALS[css.mcp.terminal_uart0] ?= ""
FVP_TERMINALS[css.mcp.terminal_uart1] ?= ""
FVP_TERMINALS[css.terminal_uart_ap] ?= "Console"
FVP_TERMINALS[css.terminal_uart1_ap] ?= ""
FVP_TERMINALS[soc.terminal_s0] ?= ""
FVP_TERMINALS[soc.terminal_s1] ?= ""
FVP_TERMINALS[soc.terminal_mcp] ?= ""
FVP_TERMINALS[board.terminal_0] ?= ""
FVP_TERMINALS[board.terminal_1] ?= ""
@@ -1,5 +1,5 @@
..
# Copyright (c) 2022-2023, Arm Limited.
# Copyright (c) 2022-2025, Arm Limited.
#
# SPDX-License-Identifier: MIT
@@ -10,6 +10,205 @@ Change Log
This document contains a summary of the new features, changes and
fixes in each release of Corstone-1000 software stack.
***************
Version 2025.05
***************
Changes
=======
- OP-TEE OS: Added support for v4.4
- Trusted Services: PSA-Crypto structures aligned with TF-M, added protobuf interface to crypto-sp
- Documentation: fixed typos, added host-level authentication section, enabled fly-out sidebar menu
- Das U-Boot: Reserved memory for RSS communication-pointer access protocol
- Linux Kernel: Upgraded kernel to v6.12, updated Upstream-Status notes for remoteproc patches
- Corstone-1000 image: Implemented IMAGE_ROOTFS_EXTRA_SPACE workaround
Corstone-1000 components versions
=================================
+-------------------------------------------+-------------------+
| linux-yocto | 6.12.30 |
+-------------------------------------------+-------------------+
| u-boot | 2023.07.02 |
+-------------------------------------------+-------------------+
| external-system | 0.1.0 |
+-------------------------------------------+-------------------+
| optee-client | 4.4.0 |
+-------------------------------------------+-------------------+
| optee-os | 4.4.0 |
+-------------------------------------------+-------------------+
| trusted-firmware-a | 2.11.0 |
+-------------------------------------------+-------------------+
| trusted-firmware-m | 2.1.1 |
+-------------------------------------------+-------------------+
| libts | 602be60719 |
+-------------------------------------------+-------------------+
| ts-newlib | 4.1.0 |
+-------------------------------------------+-------------------+
| ts-psa-{crypto, iat, its. ps}-api-test | 74dc6646ff |
+-------------------------------------------+-------------------+
| ts-sp-{se-proxy, smm-gateway} | 602be60719 |
+-------------------------------------------+-------------------+
Yocto distribution components versions
======================================
+-------------------------------------------+----------------+
| meta-arm | walnascar |
+-------------------------------------------+----------------+
| poky | ee0d8d8a61 |
+-------------------------------------------+----------------+
| meta-openembedded | 2169c9afcc |
+-------------------------------------------+----------------+
| meta-secure-core | 423bc85b05 |
+-------------------------------------------+----------------+
| busybox | 1.37.0 |
+-------------------------------------------+----------------+
| musl | 1.2.5 |
+-------------------------------------------+----------------+
| gcc-arm-none-eabi | 13.3.rel1 |
+-------------------------------------------+----------------+
| gcc-cross-aarch64 | 14.2.0 |
+-------------------------------------------+----------------+
| openssl | 3.4.1 |
+-------------------------------------------+----------------+
***************
Version 2024.11
***************
Changes
=======
- Implementation of a replication strategy for FWU metadata in TF-M according to the FWU specification.
- Upgrade to metadata version 2 in TF-M.
- Increase the ITS and PS memory size in Secure Flash for TF-M.
- SW components upgrades.
- Bug fixes.
Corstone-1000 components versions
=================================
+-------------------------------------------+-----------------------------------------------------+
| linux-yocto | 6.10.14 |
+-------------------------------------------+-----------------------------------------------------+
| u-boot | 2023.07.02 |
+-------------------------------------------+-----------------------------------------------------+
| external-system | 0.1.0 |
+-------------------------------------------+-----------------------------------------------------+
| optee-client | 4.2.0 |
+-------------------------------------------+-----------------------------------------------------+
| optee-os | 4.2.0 |
+-------------------------------------------+-----------------------------------------------------+
| trusted-firmware-a | 2.11.0 |
+-------------------------------------------+-----------------------------------------------------+
| trusted-firmware-m | 2.1.0 |
+-------------------------------------------+-----------------------------------------------------+
| libts | 602be60719 |
+-------------------------------------------+-----------------------------------------------------+
| ts-newlib | 4.1.0 |
+-------------------------------------------+-----------------------------------------------------+
| ts-psa-{crypto, iat, its. ps}-api-test | 74dc6646ff |
+-------------------------------------------+-----------------------------------------------------+
| ts-sp-{se-proxy, smm-gateway} | 602be60719 |
+-------------------------------------------+-----------------------------------------------------+
Yocto distribution components versions
======================================
+-------------------------------------------+------------------------------+
| meta-arm | styhead |
+-------------------------------------------+------------------------------+
| poky | 5465094be9 |
+-------------------------------------------+------------------------------+
| meta-openembedded | 461d85a183 |
+-------------------------------------------+------------------------------+
| meta-secure-core | 59d7e90542 |
+-------------------------------------------+------------------------------+
| busybox | 1.36.1 |
+-------------------------------------------+------------------------------+
| musl | 1.2.5 |
+-------------------------------------------+------------------------------+
| gcc-arm-none-eabi | 13.3.rel1 |
+-------------------------------------------+------------------------------+
| gcc-cross-aarch64 | 14.2.0 |
+-------------------------------------------+------------------------------+
| openssl | 3.3.1 |
+-------------------------------------------+------------------------------+
***************
Version 2024.06
***************
Changes
=======
- Re-enabling support for the External System using linux remoteproc (only supporting switching on and off the External System)
- UEFI Secure Boot and Authenticated Variable support
- RSE Comms replaces OpenAMP
- The EFI System partition image is now created by the meta-arm build system.
This image is mounted on the second MMC card by default in the FVP.
- The capsule generation script is now part of the meta-arm build system.
Corstone1000-flash-firmware-image recipe generates a capsule binary using the U-Boot capsule generation tool that includes
all the firmware binaries and recovery kernel image.
- SW components upgrades
- Bug fixes
Corstone-1000 components versions
=================================
+-------------------------------------------+-----------------------------------------------------+
| arm-tstee | 2.0.0 |
+-------------------------------------------+-----------------------------------------------------+
| linux-yocto | 6.6.23 |
+-------------------------------------------+-----------------------------------------------------+
| u-boot | 2023.07.02 |
+-------------------------------------------+-----------------------------------------------------+
| external-system | 0.1.0 |
+-------------------------------------------+-----------------------------------------------------+
| optee-client | 4.1.0 |
+-------------------------------------------+-----------------------------------------------------+
| optee-os | 4.1.0 |
+-------------------------------------------+-----------------------------------------------------+
| trusted-firmware-a | 2.10.4 |
+-------------------------------------------+-----------------------------------------------------+
| trusted-firmware-m | 2.0.0 |
+-------------------------------------------+-----------------------------------------------------+
| libts | 602be60719 |
+-------------------------------------------+-----------------------------------------------------+
| ts-newlib | 4.1.0 |
+-------------------------------------------+-----------------------------------------------------+
| ts-psa-{crypto, iat, its. ps}-api-test | 602be60719 |
+-------------------------------------------+-----------------------------------------------------+
| ts-sp-{se-proxy, smm-gateway} | 602be60719 |
+-------------------------------------------+-----------------------------------------------------+
Yocto distribution components versions
======================================
+-------------------------------------------+------------------------------+
| meta-arm | scarthgap |
+-------------------------------------------+------------------------------+
| poky | scarthgap |
+-------------------------------------------+------------------------------+
| meta-openembedded | scarthgap |
+-------------------------------------------+------------------------------+
| meta-secure-core | scarthgap |
+-------------------------------------------+------------------------------+
| busybox | 1.36.1 |
+-------------------------------------------+------------------------------+
| musl | 1.2.4 |
+-------------------------------------------+------------------------------+
| gcc-arm-none-eabi | 13.2.Rel1 |
+-------------------------------------------+------------------------------+
| gcc-cross-aarch64 | 13.2.0 |
+-------------------------------------------+------------------------------+
| openssl | 3.2.1 |
+-------------------------------------------+------------------------------+
***************
Version 2023.11
***************
@@ -298,4 +497,4 @@ Changes
--------------
*Copyright (c) 2022-2023, Arm Limited. All rights reserved.*
*Copyright (c) 2022-2024, Arm Limited. All rights reserved.*
@@ -1,3 +1,8 @@
# SPDX-FileCopyrightText: <text>Copyright 2020-2024 Arm Limited and/or its
# affiliates <open-source-office@arm.com></text>
#
# SPDX-License-Identifier: MIT
# Configuration file for the Sphinx documentation builder.
#
# This file only contains a selection of the most common options. For a full
@@ -10,15 +15,19 @@
# add these directories to sys.path here. If the directory is relative to the
# documentation root, use os.path.abspath to make it absolute, like shown here.
#
# import os
# import sys
# sys.path.insert(0, os.path.abspath('.'))
import os
import sys
# Append the documentation directory to the path, so we can import variables
sys.path.append(os.path.dirname(__file__))
# -- Project information -----------------------------------------------------
project = 'corstone1000'
copyright = '2020-2022, Arm Limited'
copyright = '2020-2024, Arm Limited'
author = 'Arm Limited'
@@ -28,6 +37,7 @@ author = 'Arm Limited'
# extensions coming with Sphinx (named 'sphinx.ext.*') or your custom
# ones.
extensions = [
'sphinx_rtd_theme',
]
# Add any paths that contain templates here, relative to this directory.
@@ -45,6 +55,19 @@ exclude_patterns = ['_build', 'Thumbs.db', '.DS_Store', 'docs/infra']
# a list of builtin themes.
#
html_theme = 'sphinx_rtd_theme'
html_theme_options = {
'flyout_display': 'attached',
}
# Define the canonical URL if you are using a custom domain on Read the Docs
html_baseurl = os.environ.get("READTHEDOCS_CANONICAL_URL", "")
# Tell Jinja2 templates the build is running on Read the Docs
if os.environ.get("READTHEDOCS", "") == "True":
if "html_context" not in globals():
html_context = {}
html_context["READTHEDOCS"] = True
# Add any paths that contain custom static files (such as style sheets) here,
# relative to this directory. They are copied after the builtin static files,
Binary file not shown.

After

Width:  |  Height:  |  Size: 43 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 44 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 54 KiB

After

Width:  |  Height:  |  Size: 58 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 16 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 93 KiB

After

Width:  |  Height:  |  Size: 86 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 108 KiB

After

Width:  |  Height:  |  Size: 69 KiB

@@ -1,5 +1,5 @@
..
# Copyright (c) 2022-2023, Arm Limited.
# Copyright (c) 2022-2025, Arm Limited.
#
# SPDX-License-Identifier: MIT
@@ -19,6 +19,57 @@ intended for safety-critical applications. Should Your Software or Your Hardware
prove defective, you assume the entire cost of all necessary servicing, repair
or correction.
***********************
Release notes - 2025.05
***********************
Known Issues or Limitations
---------------------------
- Crypto isolation is not supported in the Secure world of Corstone-1000. Additionally, clients in
the Normal world are not isolated from one another.Therefore, if an end user wants to add a new
Secure Partition (SP) (such as a software TPM) that accesses the Crypto service via the SE-Proxy,
they are responsible for implementing their own isolation mechanisms to ensure proper security boundaries.
- DSTREAM debug probe may experience unreliable USB connectivity when used with Arm DS for secure debug.
This issue is under active investigation, and we are working to identify and resolve compatibility issues in a future update.
As a more stable alternative, the ULINKpro debug probe is recommended for use with Corstone-1000 in secure debug scenarios.
***********************
Release notes - 2024.11
***********************
The same notes as the 2024.06 release still apply.
***********************
Release notes - 2024.06
***********************
Known Issues or Limitations
---------------------------
- Use Ethernet over VirtIO due to lan91c111 Ethernet driver support dropped from U-Boot.
- Due to the performance uplimit of MPS3 FPGA and FVP, some Linux distros like Fedora Rawhide can not boot on Corstone-1000 (i.e. user may experience timeouts or boot hang).
- Corstone-1000 SoC on FVP doesn't have a secure debug peripheral. It does on the MPS3.
- See previous release notes for the known limitations regarding ACS tests.
Platform Support
-----------------
- This software release is tested on Corstone-1000 FPGA version AN550_v2
https://developer.arm.com/downloads/-/download-fpga-images
- This software release is tested on Corstone-1000 Fast Model platform (FVP) version 11.23_25
https://developer.arm.com/tools-and-software/open-source-software/arm-platforms-software/arm-ecosystem-fvps
SystemReady IR v2.0 Certification Milestone
-------------------------------------------
As of this release, Corstone-1000 has achieved `SystemReady IR v2.0 certification <https://www.arm.com/architecture/system-architectures/systemready-certification-program/ve>`__.
This milestone confirms compliance with the SystemReady IR requirements, ensuring broader compatibility and reliability for deployment.
Applied patch `313ad2a0e600 <https://git.yoctoproject.org/meta-arm/commit/?h=scarthgap&id=313ad2a0e600655d9bfbe53646e356372ff02644>`__ to address compatibility requirements for SystemReady IR v2.0.
This update is included in tag `CORSTONE1000-2024.06-systemready-ir-v2.0 <https://git.yoctoproject.org/meta-arm/tag/?h=CORSTONE1000-2024.06-systemready-ir-v2.0>`__ and builds on the `CORSTONE1000-2024.06` release.
***********************
Release notes - 2023.11
***********************
@@ -213,7 +264,7 @@ Support
-------
For technical support email: support-subsystem-iot@arm.com
For all security issues, contact Arm by email at arm-security@arm.com.
For all security issues, contact Arm by email at psirt@arm.com.
--------------
@@ -1,10 +1,10 @@
..
# Copyright (c) 2022-2023, Arm Limited.
# Copyright (c) 2022-2025, Arm Limited.
#
# SPDX-License-Identifier: MIT
######################
Software architecture
Software Architecture
######################
@@ -16,185 +16,343 @@ Arm Corstone-1000 is a reference solution for IoT devices. It is part of
Total Solution for IoT which consists of hardware and software reference
implementation.
Corstone-1000 software plus hardware reference solution is PSA Level-2 ready
certified (`PSA L2 Ready`_) as well as System Ready IR certified(`SRIR cert`_).
More information on the Corstone-1000 subsystem product and design can be
found at:
`Arm corstone1000 Software`_ and `Arm corstone1000 Technical Overview`_.
The combination of Corstone-1000 software and hardware reference solution is `PSA Level-2 ready
certified <psa_l2-ready_>`__ as well as `Arm SystemReady Devicetree certified <systemready-ir-certification_>`__.
This readme explicitly focuses on the software part of the solution and
More information on the Corstone-1000 subsystems product and design can be
found on `Arm Developer <arm-developer-cs1000-website_>`__.
This document explicitly focuses on the software part of the solution and
provides internal details on the software components. The reference
software package of the platform can be retrieved following instructions
present in the user-guide document.
present in the user guide document.
***************
Design Overview
***************
The software architecture of Corstone-1000 platform is a reference
implementation of Platform Security Architecture (`PSA`_) which provides
implementation of `Platform Security Architecture <psa-certified-website_>`__ which provides
framework to build secure IoT devices.
The base system architecture of the platform is created from three
different types of systems: Secure Enclave, Host and External System.
Each subsystem provides different functionality to overall SoC.
The base system architecture of the platform is created from three different types of subsystems:
- Secure Enclave
- Host System
- External System
Each subsystem provides different functionality to the overall system on a chip (SoC).
.. image:: images/CorstoneSubsystems.png
:width: 720
:alt: CorstoneSubsystems
Secure Enclave
==============
The Secure Enclave System, provides PSA Root of Trust (RoT) and
cryptographic functions. It is based on an Cortex-M0+ processor,
CC312 Cryptographic Accelerator and peripherals, such as watchdog and
secure flash. Software running on the Secure Enclave is isolated via
hardware for enhanced security. Communication with the Secure Encalve
is achieved using Message Handling Units (MHUs) and shared memory.
On system power on, the Secure Enclave boots first. Its software
comprises of a ROM code (TF-M BL1), Mcuboot BL2, and
TrustedFirmware-M(`TF-M`_) as runtime software. The software design on
Secure Enclave follows Firmware Framework for M class
processor (`FF-M`_) specification.
The Secure Enclave boots first on system power on, it provides `PSA Root of Trust (RoT) <psa-certified-website_>`__ and
cryptographic functions. It is based on a Cortex-M0+ processor, CC312 Cryptographic Accelerator and
peripherals such as watchdog and secure flash.
The Host System is based on ARM Cotex-A35 processor with standardized
peripherals to allow for the booting of a Linux OS. The Cortex-A35 has
the TrustZone technology that allows secure and non-secure security
states in the processor. The software design in the Host System follows
Firmware Framework for A class procseeor (`FF-A`_) specification.
The boot process follows Trusted Boot Base Requirement (`TBBR`_).
The Host Subsystem is taken out of reset by the Secure Enclave system
during its final stages of the initialization. The Host subsystem runs
FF-A Secure Partitions(based on `Trusted Services`_) and OPTEE-OS
(`OPTEE-OS`_) in the secure world, and U-Boot(`U-Boot repo`_) and
linux (`linux repo`_) in the non-secure world. The communication between
non-secure and the secure world is performed via FF-A messages.
.. image:: images/Corstone1000SecureFlashMPS3.png
:width: 400
:alt: Corstone1000SecureFlashMPS3
An external system is intended to implement use-case specific
functionality. The system is based on Cortex-M3 and run RTX RTOS.
Communication between the external system and Host (Cortex-A35) is performed
using MHU as transport mechanism and rpmsg messaging system (the external system
support in Linux is disabled in this release. More info about this change can be found in the
release-notes).
.. image:: images/Corstone1000SecureFlashFVP.png
:width: 400
:alt: Corstone1000SecureFlashFVP
Overall, the Corstone-1000 architecture is designed to cover a range
of Power, Performance, and Area (PPA) applications, and enable extension
for use-case specific applications, for example, sensors, cloud
connectivitiy, and edge computing.
Software running on the Secure Enclave is isolated via hardware for enhanced security.
Communication with the Secure Enclave is achieved using `Message Handling Units (MHUs) <arm-developer-mhu-website_>`__
and shared memory.
Its software components comprises:
- `Trusted Firmware-M (TF-M) BL1 <trusted-firmware-m-bl1-website_>`__
- `MCUboot <mcuboot-website_>`__
- `TrustedFirmware-M <trusted-firmware-m-website_>`__
The software design on the Secure Enclave follows `Arm Firmware Framework for M-Profile
processor <arm-fmw-framework-m-profile-pdf_>`__ (FF-M) specification.
Host System
===========
The Host System is based on ARM Cortex-A35 processor with standardized
peripherals to allow booting a Linux-based operating system (OS). The Cortex-A35 has
the `TrustZone <arm-trustzone-for-cortex-a-website_>`__ technology that allows Secure and Non-secure security
states in the processor.
The boot process follows `Trusted Boot Base Requirements Client <trusted-board-boot-requirements-client-pdf_>`__.
The Host System is taken out of reset by the Secure Enclave system during its final stages of the
initialization.
In the Secure world, the Host System runs:
- FF-A Secure Partitions (based on `Trusted Services <trusted-services-website_>`__)
- `OP-TEE OS <op-tee-os-repository_>`__
In the Non-secure World, the Host System runs:
- `U-Boot <das-u-boot-repository_>`__
- `Linux kernel <linux-repository_>`__
The software design in the Host System follows `Arm Firmware Framework for Arm A-profile
<arm-fmw-framework-a-profile-pdf_>`__ (FF-A) specification.
The communication between Non-secure and the Secure world is performed via FF-A messages.
External System
===============
The External System is intended to implement use-case specific functionality.
The system is based on Cortex-M3 and runs `Keil RTX5 <keil-rtx5-website_>`__.
Communication between the external system and Host (Cortex-A35) can be performed using MHU as transport
mechanism. The current software release supports switching the External System ON and OFF.
The Corstone-1000 architecture is designed to cover a range of
`Power, Performance, and Area (PPA) <ppa-website_>`__ applications, and enable extension
for use-case specific applications, for example, sensors, cloud connectivity, and edge computing.
*****************
Secure Boot Chain
*****************
For the security of a device, it is essential that only authorized
software should run on the device. The Corstone-1000 boot uses a
Secure Boot Chain process where an already authenticated image verifies
and loads the following software in the chain. For the boot chain
process to work, the start of the chain should be trusted, forming the
software should run on the device.
The Corstone-1000 boot uses a `Secure boot <arm-developer-secureboot-website_>`__ chain process
where an already authenticated image verifies and loads the following software in the chain.
For the boot chain process to work, the start of the chain should be trusted, forming the
Root of Trust (RoT) of the device. The RoT of the device is immutable in
nature and encoded into the device by the device owner before it
is deployed into the field. In Corstone-1000, the BL1 image of the secure
enclave and content of the CC312 OTP (One Time Programmable) memory
forms the RoT. The BL1 image exists in ROM (Read Only Memory).
nature and encoded into the device by the device manufacturer before it
is deployed into the field.
In Corstone-1000, the content of the ROM and CC312 One Time Programmable (OTP) memory forms the RoT.
Verification of an image can happen either by comparing the computed and stored hashes, or by
checking the signature of the image if the image is signed.
.. image:: images/SecureBootChain.png
:width: 870
:alt: SecureBootChain
It is a lengthy chain to boot the software on Corstone-1000. On power on,
the secure enclave starts executing BL1 code from the ROM which is the RoT
of the device. Authentication of an image involves the steps listed below:
It is a lengthy chain to boot the software on Corstone-1000.
- Load image from flash to dynamic RAM.
- The public key present in the image header is validated by comparing with the hash.
Depending on the image, the hash of the public key is either stored in the OTP or part
of the software which is being already verified in the previous stages.
- The image is validated using the public key.
TF-M BL1_1
==========
In the secure enclave, BL1 authenticates the BL2 and passes the execution
control. BL2 authenticates the initial boot loader of the host (Host TF-A BL2)
and TF-M. The execution control is now passed to TF-M. TF-M being the run
time executable of secure enclave which initializes itself and, at the end,
brings the host CPU out of rest. The host follows the boot standard defined
in the `TBBR`_ to authenticate the secure and non-secure software.
On power-up, the Secure Enclave begins execution from TF-M BL1_1, which resides in ROM and serves as
the Root of Trust (RoT) for the device.
TF-M BL1_1 is the immutable bootloader and is responsible for:
- Provisioning the device during the first boot
- Performing hardware initialization
- Verifying the integrity and authenticity of the next stage in the boot chain
At boot time, TF-M BL1_1:
- Copies the TF-M BL1_2 image from OTP to RAM.
- Verifies the integrity of BL1_2 by comparing its computed hash with the hash stored in OTP.
TF-M BL1_2
==========
During provisioning, the TF-M BL1_2 binary, along with its hashes and cryptographic keys, is stored
in One-Time Programmable (OTP) memory.
Once verified, TF-M BL1_2:
- Takes control and verifies the next stage in the boot chain, which is TF-M BL2.
- Computes the hash of the BL2 image and compares it with the BL2 hash stored in OTP to ensure
integrity before transferring execution to BL2.
.. note::
The TF-M BL1 design details can be found in the `TF-M design documents <trusted-firmware-m-bl1-website_>`_.
.. important::
Corstone-1000 has some differences compared to this design due to memory (OTP/ROM)
limitations:
- BL1_1 code size is larger than needed because it handles most of the hardware initialization instead of the BL1_2.
- BL1_2 cannot be updated during provisioning time because the provisioning bundle that contains its code is located in the ROM.
- BL1_2 does not use the post-quantum LMS verification.
- BL2 cannot be updated because it is verified by comparing the computed hash to the hash stored in the OTP.
TF-M BL2
========
In this system, TF-M BL2 refers to MCUBoot.
On the first boot, MCUBoot can provision additional cryptographic keys. It is responsible for authenticating both:
- TF-M (Trusted Firmware-M), and
- The initial bootloader of the Host system, `Trusted Firmware-A (TF-A) BL2 <trusted-firmware-a-bl2-website_>`__
This authentication is done by verifying the digital signatures of the respective images.
MCUBoot performs image verification in the following steps:
#. Load the image from non-volatile memory into RAM.
#. Validate the image's signature using the corresponding public key.
.. note::
The public key present in the image header is validated by comparing with the hash.
Depending on the image, the hash of the public key is either stored in the OTP or part
of the software which is being already verified in the previous stages.
The execution control is passed to TF-M after the verification.
As the runtime executable of the Secure Enclave, TF-M initializes itself before
bringing the Host system out of reset.
Host System Authentication
==========================
The Host system follows the boot standard defined in the `Trusted Board Boot Requirements Client <trusted-board-boot-requirements-client-pdf_>`__
to authenticate the Secure and Non-secure software.
The `Firmware Image Package (FIP) <trusted-firmware-a-fip-guide_>`__ packs bootloader images and
other payloads into a single archive.
.. image:: images/FIPDiagram.png
:alt: FIPDiagram
The FIP for Corstone-1000 contains:
- Trusted firmware-A BL2
- AP EL3 Runtime firmware, BL31 image
- AP Secure Payload, BL32 image
- AP Normal world firmware -U-boot, BL33 image
- Trusted OS Firmware configuration file used by Trusted OS (BL32), TOS_FW_CONFIG
- Key certificates
- Content certificates
To load and validate TF-A BL2, TF-M BL2 first parses the GUID Partition Table (GPT)
to locate the FIP. It then determines the offset of TF-A BL2 within the FIP.
.. note::
TF-M does not check the FIP signature, it only checks the TF-A BL2's signature in the FIP.
.. important::
The implicitly trusted components are:
- A SHA-256 hash of the Root of Trust Public Key (ROTPK) -
For development purposes, a development ROTPK is used and its hash embedded into the TF-A BL2 image.
This public key is provided by the TF-A source code.
- TF-A BL2 image - it can be trusted because it has been verified by TF-M BL2 before starting TF-A.
The remaining components in the Chain of Trust (CoT) are either certificates or bootloader images.
Bootloader Authentication
-------------------------
The FIP contains two types of certificates:
- **Content Certificates** - used to store the hash of a bootloader image.
- **Key Certificates** - used to verify public keys used to sign Content Certificates.
The Host system bootloader images are authenticated by computing their hash and comparing it to the corresponding hash found in the Content Certificate.
Certificates Verification
-------------------------
The public keys defined in the Trusted Key Certificate are used to verify the later certificates in
the CoT process. The Trusted Key Certificate is verified with the Root of Trust Public Key.
UEFI Authenticated Variables
----------------------------
For UEFI Secure Boot, authenticated variables can be accessed from the secure flash.
The feature has been integrated in U-Boot, which authenticates the images as per the UEFI
specification before executing them.
***************
Secure Services
***************
Corstone-1000 is unique in providing a secure environment to run a secure
workload. The platform has TrustZone technology in the Host subsystem but
it also has hardware isolated secure enclave environment to run such secure
workloads. In Corstone-1000, known Secure Services such as Crypto, Protected
Storage, Internal Trusted Storage and Attestation are available via PSA
Functional APIs in TF-M. There is no difference for a user communicating to
these services which are running on a secure enclave instead of the
secure world of the host subsystem. The below diagram presents the data
flow path for such calls.
Corstone-1000 is unique in offering a secure environment for running trusted workloads.
While the Host system includes TrustZone technology, the platform also features a hardware-isolated
Secure Enclave, specifically designed to execute these secure workloads.
In Corstone-1000, essential Secure Services—such as Cryptography, Protected Storage,
Internal Trusted Storage, and Attestation—are provided through PSA Functional APIs implemented in TF-M.
From the user's perspective, there is no difference when communicating with these services,
whether they run in the Secure Enclave or in the Secure world of the Host system.
The diagram below illustrates the data flow for such calls.
.. image:: images/SecureServices.png
:width: 930
:alt: SecureServices
The Secure Enclave Proxy Secure Partition (SE Proxy SP) is a proxy managed by OP-TEE that forwards
Secure Service calls to the Secure Enclave. This communication uses the `RSE communication protocol <https://tf-m-user-guide.trustedfirmware.org/platform/arm/rse/rse_comms.html>`_.
While the protocol supports shared memory and MHU interrupts as a doorbell mechanism between cores,
in Corstone-1000, the entire message is currently transmitted through the MHU channels.
Corstone-1000 implements Isolation Level 2 using the Cortex-M0+ Memory Protection Unit (MPU).
The SE Proxy SP (Secure Enclave Proxy Secure Partition) is a proxy partition
managed by OPTEE which forwards such calls to the secure enclave. The
solution relies on the `RSE communication protocol
<https://tf-m-user-guide.trustedfirmware.org/platform/arm/rse/rse_comms.html>`_
which is a lightweight serialization of the psa_call() API. It can use shared
memory and MHU interrupts as a doorbell for communication between two cores
but currently the whole message is forwarded through the MHU channels in Corstone-1000.
Corstone-1000 implements isolation level 2. Cortex-M0+ MPU (Memory Protection
Unit) is used to implement isolation level 2.
For a user to define its own secure service, both the options of the host
secure world or secure encalve are available. It's a trade-off between
lower latency vs higher security. Services running on a secure enclave are
secure by real hardware isolation but have a higher latency path. In the
second scenario, the services running on the secure world of the host
subsystem have lower latency but virtual hardware isolation created by
TrustZone technology.
Users can define their own secure services to run either in the Host system's Secure World or in
the Secure Enclave. This choice involves a trade-off between latency and security.
Services running in the Secure Enclave benefit from strong, hardware-enforced isolation,
offering higher security but at the cost of increased latency. In contrast, services running in the
Host Secure World experience lower latency, but rely on TrustZone technology for virtualized isolation,
which offers comparatively less robust security.
**********************
Secure Firmware Update
**********************
Apart from always booting the authorized images, it is also essential that
the device only accepts the authorized (signed) images in the firmware update
process. Corstone-1000 supports OTA (Over the Air) firmware updates and
follows Platform Security Firmware Update specification (`FWU`_).
As standardized into `FWU`_, the external flash is divided into two
banks of which one bank has currently running images and the other bank is
used for staging new images. There are four updatable units, i.e. Secure
Enclave's BL2 and TF-M, and Host's FIP (Firmware Image Package) and Kernel
Image (the initramfs bundle). The new images are accepted in the form of a UEFI capsule.
In addition to always booting authorized images, it is equally important that the device only accepts
authorized (signed) images during the firmware update process. Corstone-1000 supports over-the-air (OTA)
firmware updates and complies with the `Platform Security Firmware Update for the A-profile Arm Architecture <platform-security-fwu-for-a-profile-pdf_>`__
specification.
As defined in the specification, the external flash is divided into two banks: one bank holds the
currently running images, while the other is used to stage new images.
There are four updatable components: **BL2**, **TF-M**, **the FIP** and **the Kernel Image** (the initramfs bundle).
New images are delivered and accepted in the form of UEFI capsules.
.. image:: images/ExternalFlash.png
:width: 690
:alt: ExternalFlash
When Firmware update is triggered, u-boot verifies the capsule by checking the
capsule signature, version number and size. Then it signals the Secure Enclave
that can start writing UEFI capsule into the flash. Once this operation finishes
,Secure Enclave resets the entire system.
The Metadata Block in the flash has the below firmware update state machine.
TF-M runs an OTA service that is responsible for accepting and updating the
images in the flash. The communication between the UEFI Capsule update
subsystem and the OTA service follows the same data path explained above.
The OTA service writes the new images to the passive bank after successful
capsule verification. It changes the state of the system to trial state and
triggers the reset. Boot loaders in Secure Enclave and Host read the Metadata
block to get the information on the boot bank. In the successful trial stage,
the acknowledgment from the host moves the state of the system from trial to
regular. Any failure in the trial stage or system hangs leads to a system
reset. This is made sure by the use of watchdog hardware. The Secure Enclave's
BL1 has the logic to identify multiple resets and eventually switch back to the
previous good bank. The ability to revert to the previous bank is crucial to
guarantee the availability of the device.
When a firmware update is triggered, U-Boot begins by verifying the UEFI capsule by checking its signature,
version number, and size. After successful verification, it signals the Secure Enclave, which then
starts writing the capsule contents to flash memory.
Once the write operation is complete, the Secure Enclave resets the entire system. The update process
is tracked using a state machine stored in the Metadata Block within flash. TF-M runs an OTA service
that is responsible for verifying and updating the images in the passive flash bank. Communication
between the UEFI capsule update subsystem and the OTA service follows the same data path described
earlier. After verifying the capsule, the OTA service writes the new images to the passive bank,
updates the system state to 'trial,' and initiates a reset.
During boot, the bootloaders in both the Secure Enclave and the Host system read the Metadata Block to
determine which bank to boot from. If the trial boot succeeds, the Host system sends an acknowledgment
that transitions the system state from 'trial' to 'regular.' If the system fails during the trial phase
or hangs, a watchdog timer triggers a reset. The Secure Enclaves BL1 contains logic to detect multiple
resets and can revert to the previously known-good bank. This fallback mechanism is essential to ensure
the device remains available and functional.
.. image:: images/SecureFirmwareUpdate.png
@@ -207,13 +365,15 @@ guarantee the availability of the device.
UEFI Runtime Support in U-Boot
******************************
Implementation of UEFI boottime and runtime APIs require variable storage.
In Corstone-1000, these UEFI variables are stored in the Protected Storage
service. The below diagram presents the data flow to store UEFI variables.
The U-Boot implementation of the UEFI subsystem uses the U-Boot FF-A driver to
communicate with the SMM Service in the secure world. The backend of the
SMM service uses the proxy PS from the SE Proxy SP. From there on, the PS
calls are forwarded to the secure enclave as explained above.
The implementation of UEFI boot-time and runtime APIs requires persistent variable storage. In
Corstone-1000, UEFI variables are stored using the Protected Storage (PS) service.
The diagram below illustrates the data flow for storing UEFI variables. U-Boots UEFI subsystem
communicates with the Secure World using the U-Boot FF-A driver, which interfaces with the `UEFI System Management Mode (SMM) service <trusted-services-uefi-smm-website_>`__.
The SMM service provides support for the UEFI System Management Mode. This support is implemented by the SMM Gateway secure partition.
The SMM service then uses the Proxy Protected Storage (PS) provided by the SE Proxy SP.
These PS calls are forwarded to the Secure Enclave, following the communication path described earlier.
.. image:: images/UEFISupport.png
@@ -221,30 +381,38 @@ calls are forwarded to the secure enclave as explained above.
:alt: UEFISupport
***************
**********
References
***************
`ARM corstone1000 Search`_
`Arm security features`_
**********
* `Arm Developer <arm-developer-cs1000-search_>`__
* `Arm Security Architectures <arm-architecture-security-features-platform-security_>`_
--------------
*Copyright (c) 2022-2023, Arm Limited. All rights reserved.*
*Copyright (c) 2022-2025, Arm Limited. All rights reserved.*
.. _Arm corstone1000 Technical Overview: https://developer.arm.com/documentation/102360/0000
.. _Arm corstone1000 Software: https://developer.arm.com/Tools%20and%20Software/Corstone-1000%20Software
.. _Arm corstone1000 Search: https://developer.arm.com/search#q=corstone-1000
.. _Arm security features: https://www.arm.com/architecture/security-features/platform-security
.. _linux repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/
.. _FF-A: https://developer.arm.com/documentation/den0077/latest
.. _FF-M: https://developer.arm.com/architectures/Firmware%20Framework%20for%20M-Profile
.. _FWU: https://developer.arm.com/documentation/den0118/a/
.. _OPTEE-OS: https://github.com/OP-TEE/optee_os
.. _PSA: https://www.psacertified.org/
.. _PSA L2 Ready: https://www.psacertified.org/products/corstone-1000/
.. _SRIR cert: https://armkeil.blob.core.windows.net/developer/Files/pdf/certificate-list/arm-systemready-ir-certification-arm-corstone-1000.pdf
.. _TBBR: https://developer.arm.com/documentation/den0006/latest
.. _TF-M: https://www.trustedfirmware.org/projects/tf-m/
.. _Trusted Services: https://www.trustedfirmware.org/projects/trusted-services/
.. _U-Boot repo: https://github.com/u-boot/u-boot.git
.. _arm-developer-cs1000-website: https://developer.arm.com/Tools%20and%20Software/Corstone-1000%20Software
.. _arm-developer-cs1000-search: https://developer.arm.com/search#q=corstone-1000
.. _arm-developer-mhu-website: https://developer.arm.com/documentation/ka005129/latest/#:~:text=An%20MHU%20is%20a%20device,that%20a%20message%20is%20available
.. _arm-developer-secureboot-website: https://developer.arm.com/documentation/PRD29-GENC-009492/c/TrustZone-Software-Architecture/Booting-a-secure-system/Secure-boot
.. _arm-architecture-security-features-platform-security: https://www.arm.com/architecture/security-features/platform-security
.. _linux-repository: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/
.. _arm-trustzone-for-cortex-a-website: https://www.arm.com/technologies/trustzone-for-cortex-a
.. _arm-fmw-framework-a-profile-pdf: https://developer.arm.com/documentation/den0077/latest
.. _arm-fmw-framework-m-profile-pdf: https://developer.arm.com/architectures/Firmware%20Framework%20for%20M-Profile
.. _platform-security-fwu-for-a-profile-pdf: https://developer.arm.com/documentation/den0118/a/
.. _op-tee-os-repository: https://github.com/OP-TEE/optee_os
.. _psa-certified-website: https://www.psacertified.org/
.. _psa_l2-ready: https://www.psacertified.org/products/corstone-1000/
.. _systemready-ir-certification: https://armkeil.blob.core.windows.net/developer/Files/pdf/certificate-list/arm-systemready-ve-arm-neoverse.pdf
.. _trusted-board-boot-requirements-client-pdf: https://developer.arm.com/documentation/den0006/latest
.. _trusted-firmware-m-website: https://www.trustedfirmware.org/projects/tf-m/
.. _trusted-firmware-m-bl1-website: https://trustedfirmware-m.readthedocs.io/en/latest/design_docs/booting/bl1.html
.. _trusted-firmware-a-bl2-website: https://developer.arm.com/documentation/108028/0000/RD-TC22-software/Software-components/AP-firmware/Trusted-firmware-A-BL2
.. _trusted-firmware-a-fip-guide: https://trustedfirmware-a.readthedocs.io/en/latest/design/firmware-design.html#firmware-image-package-fip
.. _trusted-services-website: https://www.trustedfirmware.org/projects/trusted-services/
.. _trusted-services-uefi-smm-website: https://trusted-services.readthedocs.io/en/integration/services/uefi-smm-services.html#
.. _das-u-boot-repository: https://github.com/u-boot/u-boot.git
.. _keil-rtx5-website: https://developer.arm.com/Tools%20and%20Software/Keil%20MDK/RTX5%20RTOS
.. _ppa-website: https://developer.arm.com/documentation/102738/0100/Power--performance--and-area-analysis
.. _mcuboot-website: https://docs.mcuboot.com/
File diff suppressed because it is too large Load Diff
-78
View File
@@ -1,78 +0,0 @@
# N1SDP Development Platform Support in meta-arm-bsp
## Overview
The N1SDP provides access to the Arm Neoverse N1 SoC. The N1SDP enables software development for key enterprise technology
and general Arm software development. The N1SDP consists of the N1 board containing the N1 SoC.
The N1 SoC contains two dual-core Arm Neoverse N1 processor clusters.
The system demonstrates Arm technology in the context of Cache-Coherent Interconnect for Accelerators (CCIX) protocol by:
- Running coherent traffic between the N1 SoC and an accelerator card.
- Coherent communication between two N1 SoCs.
- Enabling development of CCIX-enabled FPGA accelerators.
Further information on N1SDP can be found at
https://community.arm.com/developer/tools-software/oss-platforms/w/docs/458/neoverse-n1-sdp
## Configuration:
In the local.conf file, MACHINE should be set as follow:
MACHINE ?= "n1sdp"
## Building
```bash$ bitbake core-image-minimal```
## Running
# Update Firmware on SD card:
(*) To use n1sdp board in single chip mode, flash:
n1sdp-board-firmware_primary.tar.gz firmware.
(*) To use n1sdp board in multi chip mode, flash:
n1sdp-board-firmware_primary.tar.gz firmware to primary board,
n1sdp-board-firmware_secondary.tar.gz firmware to secondary board.
The SD card content is generated during the build here:
tmp/deploy/images/n1sdp/n1sdp-board-firmware_primary.tar.gz
tmp/deploy/images/n1sdp/n1sdp-board-firmware_secondary.tar.gz
Its content must be written on the N1SDP firmware SD card.
To do this:
- insert the sdcard of the N1SDP in an SD card reader and mount it:
```bash$ sudo mount /dev/sdx1 /mnt```
(replace sdx by the device of the SD card)
- erase its content and put the new one:
```bash$ sudo rm -rf /mnt/*```
```bash$ sudo tar --no-same-owner -xzf tmp/deploy/images/n1sdp/n1sdp-board-firmware_primary.tar.gz -C /mnt/```
```bash$ sudo umount /mnt```
- reinsert the SD card in the N1SDP board
Firmware tarball contains iofpga configuration files, scp and uefi binaries.
**NOTE**:
If the N1SDP board was manufactured after November 2019 (Serial Number greater
than 36253xxx), a different PMIC firmware image must be used to prevent
potential damage to the board. More details can be found in [1].
The `MB/HBI0316A/io_v123f.txt` file located in the microSD needs to be updated.
To update it, set the PMIC image (300k_8c2.bin) to be used in the newer models
by running the following commands on your host PC:
$ sudo umount /dev/sdx1
$ sudo mount /dev/sdx1 /mnt
$ sudo sed -i '/^MBPMIC: pms_0V85.bin/s/^/;/g' /mnt/MB/HBI0316A/io_v123f.txt
$ sudo sed -i '/^;MBPMIC: 300k_8c2.bin/s/^;//g' /mnt/MB/HBI0316A/io_v123f.txt
$ sudo umount /mnt
# Prepare an USB hard drive:
Grub boot partition is placed on first partition of the *.wic image,
Linux root file system is placed on the second partition of the *.wic image:
tmp/deploy/images/n1sdp/core-image-minimal-n1sdp.wic
This *.wic image should be copied to USB stick with simple dd call.
[1]: https://community.arm.com/developer/tools-software/oss-platforms/w/docs/604/notice-potential-damage-to-n1sdp-boards-if-using-latest-firmware-release
+4 -4
View File
@@ -1,4 +1,4 @@
# Copyright (c) 2022, Arm Limited.
# Copyright (c) 2022-2024, Arm Limited.
#
# SPDX-License-Identifier: MIT
@@ -6,6 +6,6 @@
jinja2==3.1.1
# Required to build the documentation
sphinx~=5.0
sphinx_rtd_theme~=2.0.0
docutils==0.17.1
sphinx==7.1.2
sphinx_rtd_theme~=3.0.0
docutils~=0.18.1
+1 -1
View File
@@ -16,4 +16,4 @@
*A summary of how to deploy or execute the image*
*For example, an overview of the N1SDP SD structure, or FVP arguments*
*For example, an overview of FVP arguments*
@@ -0,0 +1,8 @@
psci: failed to boot CPU1 (-95)
CPU1: failed to boot: -95
psci: failed to boot CPU2 (-95)
CPU2: failed to boot: -95
psci: failed to boot CPU3 (-95)
CPU3: failed to boot: -95
ARM FF-A: Notification setup failed -95, not enabled
ARM FF-A: Failed to register driver sched callback -95
@@ -0,0 +1 @@
basic-mmio-gpio: Failed to locate of_node [id: -2]
@@ -3,3 +3,6 @@ NUMA: Failed to initialise from firmware
# TODO: we should be using bochsdrm over efifb?
efifb: cannot reserve video memory at 0x80000000
# TODO: debug why this sometimes happens
failed to find screen to remove
@@ -1,6 +1,5 @@
# Machine specific configurations
MACHINE_HAFNIUM_REQUIRE ?= ""
MACHINE_HAFNIUM_REQUIRE:tc = "hafnium-tc.inc"
require ${MACHINE_HAFNIUM_REQUIRE}
@@ -53,9 +53,11 @@ TFM_SIGN_PRIVATE_KEY = "${libdir}/tfm-scripts/root-RSA-3072_1.pem"
RE_IMAGE_OFFSET = "0x1000"
# Offsets for the .nopt image generation
TFM_OFFSET = "102400"
FIP_OFFSET = "479232"
KERNEL_OFFSET = "2576384"
# These offset values have to be aligned with those in
# meta-arm/meta-arm-bsp/wic/corstone1000-flash-firmware.wks.in
TFM_OFFSET = "147456"
FIP_OFFSET = "475136"
KERNEL_OFFSET = "2572288"
do_sign_images() {
# Sign TF-A BL2
@@ -14,7 +14,7 @@ COMPATIBLE_MACHINE = "juno"
LINARO_RELEASE = "19.06"
SRC_URI = "http://releases.linaro.org/members/arm/platforms/${LINARO_RELEASE}/juno-latest-oe-uboot.zip;subdir=${UNPACK_DIR} \
SRC_URI = "http://releases.linaro.org/members/arm/platforms/${LINARO_RELEASE}/juno-latest-oe-uboot.zip;subdir=${S} \
file://images-r0.txt \
file://images-r1.txt \
file://images-r2.txt \
@@ -23,7 +23,8 @@ SRC_URI = "http://releases.linaro.org/members/arm/platforms/${LINARO_RELEASE}/ju
SRC_URI[md5sum] = "01b662b81fa409d55ff298238ad24003"
SRC_URI[sha256sum] = "b8a3909bb3bc4350a8771b863193a3e33b358e2a727624a77c9ecf13516cec82"
UNPACK_DIR = "juno-firmware-${LINARO_RELEASE}"
FIRMWARE_DIR = "juno-firmware-${LINARO_RELEASE}"
S = "${UNPACKDIR}/${FIRMWARE_DIR}"
inherit deploy nopackages
@@ -33,23 +34,23 @@ do_compile[noexec] = "1"
# The ${D} is used as a temporary directory and we don't generate any
# packages for this recipe.
do_install() {
cp -a ${WORKDIR}/${UNPACK_DIR} ${D}
cp -a ${S} ${D}/
cp -f ${RECIPE_SYSROOT}/firmware/bl1-juno.bin \
${D}/${UNPACK_DIR}/SOFTWARE/bl1.bin
${D}/${FIRMWARE_DIR}/SOFTWARE/bl1.bin
cp -f ${RECIPE_SYSROOT}/firmware/fip-juno.bin \
${D}/${UNPACK_DIR}/SOFTWARE/fip.bin
${D}/${FIRMWARE_DIR}/SOFTWARE/fip.bin
cp -f ${RECIPE_SYSROOT}/firmware/scp_romfw_bypass.bin \
${D}/${UNPACK_DIR}/SOFTWARE/scp_bl1.bin
${D}/${FIRMWARE_DIR}/SOFTWARE/scp_bl1.bin
# u-boot environment file
cp -f ${WORKDIR}/uEnv.txt ${D}/${UNPACK_DIR}/SOFTWARE/
cp -f ${UNPACKDIR}/uEnv.txt ${D}/${FIRMWARE_DIR}/SOFTWARE/
# Juno images list file
cp -f ${WORKDIR}/images-r0.txt ${D}/${UNPACK_DIR}/SITE1/HBI0262B/images.txt
cp -f ${WORKDIR}/images-r1.txt ${D}/${UNPACK_DIR}/SITE1/HBI0262C/images.txt
cp -f ${WORKDIR}/images-r2.txt ${D}/${UNPACK_DIR}/SITE1/HBI0262D/images.txt
cp -f ${UNPACKDIR}/images-r0.txt ${D}/${FIRMWARE_DIR}/SITE1/HBI0262B/images.txt
cp -f ${UNPACKDIR}/images-r1.txt ${D}/${FIRMWARE_DIR}/SITE1/HBI0262C/images.txt
cp -f ${UNPACKDIR}/images-r2.txt ${D}/${FIRMWARE_DIR}/SITE1/HBI0262D/images.txt
}
do_deploy() {
@@ -59,18 +60,18 @@ do_deploy() {
# task.
for f in ${KERNEL_DEVICETREE}; do
install -m 755 -c ${DEPLOY_DIR_IMAGE}/$(basename $f) \
${D}/${UNPACK_DIR}/SOFTWARE/.
${D}/${FIRMWARE_DIR}/SOFTWARE/
done
if [ "${INITRAMFS_IMAGE_BUNDLE}" -eq 1 ]; then
cp -L -f ${DEPLOY_DIR_IMAGE}/Image.gz-initramfs-juno.bin \
${D}/${UNPACK_DIR}/SOFTWARE/Image
${D}/${FIRMWARE_DIR}/SOFTWARE/Image
else
cp -L -f ${DEPLOY_DIR_IMAGE}/${KERNEL_IMAGETYPE} ${D}/${UNPACK_DIR}/SOFTWARE/
cp -L -f ${DEPLOY_DIR_IMAGE}/${KERNEL_IMAGETYPE} ${D}/${FIRMWARE_DIR}/SOFTWARE/
fi
# Compress the files
tar -C ${D}/${UNPACK_DIR} -zcvf ${WORKDIR}/${PN}.tar.gz ./
tar -C ${D}/${FIRMWARE_DIR} -zcvf ${WORKDIR}/${PN}.tar.gz ./
# Deploy the compressed archive to the deploy folder
install -D -p -m0644 ${WORKDIR}/${PN}.tar.gz ${DEPLOYDIR}/${PN}.tar.gz
@@ -1,37 +0,0 @@
SUMMARY = "Board Firmware binaries for N1SDP"
SECTION = "firmware"
LICENSE = "STM-SLA0044-Rev5"
LIC_FILES_CHKSUM = "file://LICENSES/MB/STM.TXT;md5=1b74d8c842307d03c116f2d71cbf868a"
inherit deploy
INHIBIT_DEFAULT_DEPS = "1"
PACKAGE_ARCH = "${MACHINE_ARCH}"
COMPATIBLE_MACHINE = "n1sdp"
SRC_URI = "git://git.gitlab.arm.com/arm-reference-solutions/board-firmware.git;protocol=https;branch=n1sdp"
SRCREV = "70ba494265eee76747faff38264860c19e214540"
PV .= "+git"
S = "${WORKDIR}/git"
INSTALL_DIR = "/n1sdp-board-firmware_source"
do_install() {
rm -rf ${S}/SOFTWARE
install -d ${D}${INSTALL_DIR}
cp -Rp --no-preserve=ownership ${S}/* ${D}${INSTALL_DIR}
}
FILES:${PN}-staticdev += " ${INSTALL_DIR}/LIB/sensor.a"
FILES:${PN} = "${INSTALL_DIR}"
SYSROOT_DIRS += "${INSTALL_DIR}"
do_deploy() {
install -d ${DEPLOYDIR}${INSTALL_DIR}
cp -Rp --no-preserve=ownership ${S}/* ${DEPLOYDIR}${INSTALL_DIR}
}
addtask deploy after do_install before do_build
@@ -1,85 +0,0 @@
SUMMARY = "Firmware image recipe for generating SD-Card artifacts."
inherit deploy nopackages
DEPENDS = "trusted-firmware-a \
virtual/control-processor-firmware \
n1sdp-board-firmware"
LICENSE = "MIT"
PACKAGE_ARCH = "${MACHINE_ARCH}"
COMPATIBLE_MACHINE = "n1sdp"
RM_WORK_EXCLUDE += "${PN}"
do_configure[noexec] = "1"
do_compile[noexec] = "1"
do_install[noexec] = "1"
FIRMWARE_DIR = "n1sdp-board-firmware_source"
PRIMARY_DIR = "${WORKDIR}/n1sdp-board-firmware_primary"
SECONDARY_DIR = "${WORKDIR}/n1sdp-board-firmware_secondary"
SOC_BINARIES = "mcp_fw.bin scp_fw.bin mcp_rom.bin scp_rom.bin"
prepare_package() {
cd ${WORKDIR}
# Master/Primary
cp -av ${RECIPE_SYSROOT}/${FIRMWARE_DIR}/* ${PRIMARY_DIR}
mkdir -p ${PRIMARY_DIR}/SOFTWARE/
# Copy FIP binary
cp -v ${RECIPE_SYSROOT}/firmware/fip.bin ${PRIMARY_DIR}/SOFTWARE/
# Copy SOC binaries
for f in ${SOC_BINARIES}; do
cp -v ${RECIPE_SYSROOT}/firmware/${f} ${PRIMARY_DIR}/SOFTWARE/
done
sed -i -e 's|^C2C_ENABLE.*|C2C_ENABLE: TRUE ;C2C enable TRUE/FALSE|' \
${PRIMARY_DIR}/MB/HBI0316A/io_v123f.txt
sed -i -e 's|^C2C_SIDE.*|C2C_SIDE: MASTER ;C2C side SLAVE/MASTER|' \
${PRIMARY_DIR}/MB/HBI0316A/io_v123f.txt
sed -i -e 's|.*SOCCON: 0x1170.*PLATFORM_CTRL.*|SOCCON: 0x1170 0x00000100 ;SoC SCC PLATFORM_CTRL|' \
${PRIMARY_DIR}/MB/HBI0316A/io_v123f.txt
# Update load address for trusted boot
sed -i -e '/^IMAGE4ADDRESS:/ s|0x60200000|0x64200000|' ${PRIMARY_DIR}/MB/HBI0316A/images.txt
sed -i -e '/^IMAGE4UPDATE:/ s|FORCE |SCP_AUTO|' ${PRIMARY_DIR}/MB/HBI0316A/images.txt
sed -i -e '/^IMAGE4FILE: \\SOFTWARE\\/s|uefi.bin|fip.bin |' ${PRIMARY_DIR}/MB/HBI0316A/images.txt
# Slave/Secondary
cp -av ${RECIPE_SYSROOT}/${FIRMWARE_DIR}/* ${SECONDARY_DIR}
mkdir -p ${SECONDARY_DIR}/SOFTWARE/
# Copy SOC binaries
for f in ${SOC_BINARIES}; do
cp -v ${RECIPE_SYSROOT}/firmware/${f} ${SECONDARY_DIR}/SOFTWARE/
done
sed -i -e 's|^C2C_ENABLE.*|C2C_ENABLE: TRUE ;C2C enable TRUE/FALSE|' \
${SECONDARY_DIR}/MB/HBI0316A/io_v123f.txt
sed -i -e 's|^C2C_SIDE.*|C2C_SIDE: SLAVE ;C2C side SLAVE/MASTER|' \
${SECONDARY_DIR}/MB/HBI0316A/io_v123f.txt
sed -i -e 's|.*SOCCON: 0x1170.*PLATFORM_CTRL.*|SOCCON: 0x1170 0x00000101 ;SoC SCC PLATFORM_CTRL|' \
${SECONDARY_DIR}/MB/HBI0316A/io_v123f.txt
sed -i -e '/^TOTALIMAGES:/ s|5|4|' ${SECONDARY_DIR}/MB/HBI0316A/images.txt
sed -i -e 's|^IMAGE4|;&|' ${SECONDARY_DIR}/MB/HBI0316A/images.txt
}
do_deploy() {
# prepare Master & Slave packages
prepare_package
for dir in ${PRIMARY_DIR} ${SECONDARY_DIR}; do
dir_name=$(basename ${dir})
mkdir -p ${D}/${dir_name}
cp -av ${dir} ${D}
# Compress the files
tar -C ${D}/${dir_name} -zcvf ${DEPLOYDIR}/${dir_name}.tar.gz ./
done
}
do_deploy[dirs] += "${PRIMARY_DIR} ${SECONDARY_DIR}"
do_deploy[cleandirs] += "${PRIMARY_DIR} ${SECONDARY_DIR}"
do_deploy[umask] = "022"
addtask deploy after do_prepare_recipe_sysroot
@@ -1,35 +0,0 @@
# N1SDP specific SCP configurations and build instructions
COMPATIBLE_MACHINE:n1sdp = "n1sdp"
SCP_LOG_LEVEL = "INFO"
DEPENDS += "fiptool-native"
DEPENDS += "trusted-firmware-a"
DEPENDS += "n1sdp-board-firmware"
# The n1sdp sensor library is needed for building SCP N1SDP Platform
# https://github.com/ARM-software/SCP-firmware/tree/master/product/n1sdp
EXTRA_OECMAKE:append = " \
-DSCP_N1SDP_SENSOR_LIB_PATH=${RECIPE_SYSROOT}/n1sdp-board-firmware_source/LIB/sensor.a \
"
do_install:append() {
fiptool \
create \
--scp-fw "${D}/firmware/scp_ramfw.bin" \
--blob uuid=cfacc2c4-15e8-4668-82be-430a38fad705,file="${RECIPE_SYSROOT}/firmware/bl1.bin" \
"scp_fw.bin"
# This UUID is FIP_UUID_MCP_BL2 in SCP-Firmware.
fiptool \
create \
--blob uuid=54464222-a4cf-4bf8-b1b6-cee7dade539e,file="${D}/firmware/mcp_ramfw.bin" \
"mcp_fw.bin"
install "scp_fw.bin" "${D}/firmware/scp_fw.bin"
install "mcp_fw.bin" "${D}/firmware/mcp_fw.bin"
ln -sf "scp_romfw.bin" "${D}/firmware/scp_rom.bin"
ln -sf "mcp_romfw.bin" "${D}/firmware/mcp_rom.bin"
}
@@ -3,8 +3,6 @@
MACHINE_SCP_REQUIRE ?= ""
MACHINE_SCP_REQUIRE:juno = "scp-firmware-juno.inc"
MACHINE_SCP_REQUIRE:n1sdp = "scp-firmware-n1sdp.inc"
MACHINE_SCP_REQUIRE:sgi575 = "scp-firmware-sgi575.inc"
MACHINE_SCP_REQUIRE:tc = "scp-firmware-tc.inc"
require ${MACHINE_SCP_REQUIRE}
@@ -0,0 +1,33 @@
From f5b2fa90e0c0324f31e72429e7a7382f49a25912 Mon Sep 17 00:00:00 2001
From: Shen Jiamin <shen_jiamin@comp.nus.edu.sg>
Date: Wed, 24 Jul 2024 18:58:55 +0800
Subject: [PATCH] fix(zynqmp): handle secure SGI at EL1 for OP-TEE
OP-TEE requires SGIs to be handled at S-EL1. The
Makefile was not properly setting the flag
GICV2_G0_FOR_EL3 to 0 when the SPD is OP-TEE.
Change-Id: I256afa37ddf4ad4a154c43d51807de670c3689bb
Signed-off-by: Shen Jiamin <shen_jiamin@comp.nus.edu.sg>
---
plat/xilinx/zynqmp/platform.mk | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
Upstream-Status: Backport
diff --git a/plat/xilinx/zynqmp/platform.mk b/plat/xilinx/zynqmp/platform.mk
index c340009d0..22eceb621 100644
--- a/plat/xilinx/zynqmp/platform.mk
+++ b/plat/xilinx/zynqmp/platform.mk
@@ -21,7 +21,7 @@ ENABLE_LTO := 1
EL3_EXCEPTION_HANDLING := $(SDEI_SUPPORT)
# pncd SPD requires secure SGI to be handled at EL1
-ifeq (${SPD}, $(filter ${SPD},pncd tspd))
+ifeq (${SPD}, $(filter ${SPD},pncd tspd opteed))
ifeq (${ZYNQMP_WDT_RESTART},1)
$(error "Error: ZYNQMP_WDT_RESTART and SPD=pncd are incompatible")
endif
--
2.34.1
@@ -0,0 +1,33 @@
From b91c651e6d596cfe27448b19c8fb2f1168493827 Mon Sep 17 00:00:00 2001
From: Mikko Rapeli <mikko.rapeli@linaro.org>
Date: Mon, 15 Jan 2024 09:26:56 +0000
Subject: [PATCH] qemu_measured_boot.c: ignore TPM error and continue with boot
If firmware is configured with TPM support but it's missing
on HW, e.g. swtpm not started and/or configured with qemu,
then continue booting. Missing TPM is not a fatal error.
Enables testing boot without TPM device to see that
missing TPM is detected further up the SW stack and correct
fallback actions are taken.
Upstream-Status: Pending
Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
---
plat/qemu/qemu/qemu_measured_boot.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/plat/qemu/qemu/qemu_measured_boot.c b/plat/qemu/qemu/qemu_measured_boot.c
index 76a4da17e6a9..ec7f44d3720d 100644
--- a/plat/qemu/qemu/qemu_measured_boot.c
+++ b/plat/qemu/qemu/qemu_measured_boot.c
@@ -80,7 +80,8 @@ void bl2_plat_mboot_finish(void)
* Note: In QEMU platform, OP-TEE uses nt_fw_config to get the
* secure Event Log buffer address.
*/
- panic();
+ ERROR("Ignoring TPM errors, continuing without\n");
+ return;
}
/* Copy Event Log to Non-secure memory */
@@ -6,7 +6,7 @@ Subject: [PATCH] fix(corstone1000): pass spsr value explicitly
Passes spsr value for BL32 (OPTEE) explicitly between different boot
stages.
Upstream-Status: Pending
Upstream-Status: Submitted [https://review.trustedfirmware.org/c/TF-A/trusted-firmware-a/+/30116/2]
Signed-off-by: Emekcan Aras <Emekcan.Aras@arm.com>
---
.../corstone1000/common/corstone1000_bl2_mem_params_desc.c | 3 ++-
@@ -9,7 +9,7 @@ for BL32 image, this patch removes NS_SHARED_RAM region which is not currently u
corstone1000 platform.
Signed-off-by: Emekcan Aras <Emekcan.Aras@arm.com>
Upstream-Status: Pending
Upstream-Status: Submitted [https://review.trustedfirmware.org/c/TF-A/trusted-firmware-a/+/30117/2]
---
.../corstone1000/common/corstone1000_plat.c | 1 -
.../common/include/platform_def.h | 19 +------------------
@@ -1,54 +0,0 @@
From 684b8f88238f522b52eb102485762e02e6b1671a Mon Sep 17 00:00:00 2001
From: Emekcan Aras <Emekcan.Aras@arm.com>
Date: Fri, 23 Feb 2024 13:17:59 +0000
Subject: [PATCH] fix(spmd): remove EL3 interrupt registration
This configuration should not be done for corstone1000 and similar
platforms. GICv2 systems only support EL3 interrupts and can have SEL1 component
as SPMC.
Signed-off-by: Emekcan Aras <Emekcan.Aras@arm.com>
Upstream-Status: Inappropriate [Discussions of fixing this in a better way is ongoing in upstream]
---
services/std_svc/spmd/spmd_main.c | 24 ------------------------
1 file changed, 24 deletions(-)
diff --git a/services/std_svc/spmd/spmd_main.c b/services/std_svc/spmd/spmd_main.c
index 066571e9b..313f05bf3 100644
--- a/services/std_svc/spmd/spmd_main.c
+++ b/services/std_svc/spmd/spmd_main.c
@@ -580,30 +580,6 @@ static int spmd_spmc_init(void *pm_addr)
panic();
}
- /*
- * Permit configurations where the SPM resides at S-EL1/2 and upon a
- * Group0 interrupt triggering while the normal world runs, the
- * interrupt is routed either through the EHF or directly to the SPMD:
- *
- * EL3_EXCEPTION_HANDLING=0: the Group0 interrupt is routed to the SPMD
- * for handling by spmd_group0_interrupt_handler_nwd.
- *
- * EL3_EXCEPTION_HANDLING=1: the Group0 interrupt is routed to the EHF.
- *
- */
-#if (EL3_EXCEPTION_HANDLING == 0)
- /*
- * Register an interrupt handler routing Group0 interrupts to SPMD
- * while the NWd is running.
- */
- rc = register_interrupt_type_handler(INTR_TYPE_EL3,
- spmd_group0_interrupt_handler_nwd,
- flags);
- if (rc != 0) {
- panic();
- }
-#endif
-
return 0;
}
--
2.25.1
@@ -0,0 +1,46 @@
From 37f92eeb4361626072e690adb3b0bb20db7c2fca Mon Sep 17 00:00:00 2001
From: Emekcan Aras <Emekcan.Aras@arm.com>
Date: Wed, 15 May 2024 13:54:51 +0100
Subject: [PATCH] fix(corstone1000): clean the cache and disable interrupt
before system reset
Corstone1000 does not properly clean the cache and disable gic interrupts
before the reset. This causes a race condition especially in FVP after reset.
This adds proper sequence before resetting the platform.
Signed-off-by: Emekcan Aras <Emekcan.Aras@arm.com>
Upstream-Status: Submitted [https://review.trustedfirmware.org/c/TF-A/trusted-firmware-a/+/30118/2]
---
plat/arm/board/corstone1000/common/corstone1000_pm.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/plat/arm/board/corstone1000/common/corstone1000_pm.c b/plat/arm/board/corstone1000/common/corstone1000_pm.c
index 4b0a791e7..a52e945bf 100644
--- a/plat/arm/board/corstone1000/common/corstone1000_pm.c
+++ b/plat/arm/board/corstone1000/common/corstone1000_pm.c
@@ -7,6 +7,7 @@
#include <lib/psci/psci.h>
#include <plat/arm/common/plat_arm.h>
#include <platform_def.h>
+#include <drivers/arm/gicv2.h>
/*******************************************************************************
* Export the platform handlers via plat_arm_psci_pm_ops. The ARM Standard
* platform layer will take care of registering the handlers with PSCI.
@@ -18,6 +19,14 @@ static void __dead2 corstone1000_system_reset(void)
uint32_t volatile * const watchdog_ctrl_reg = (uint32_t *) SECURE_WATCHDOG_ADDR_CTRL_REG;
uint32_t volatile * const watchdog_val_reg = (uint32_t *) SECURE_WATCHDOG_ADDR_VAL_REG;
+ /* Flush and invalidate data cache */
+ dcsw_op_all(DCCISW);
+ /*
+ * Disable GIC CPU interface to prevent pending interrupt
+ * from waking up the AP from WFI.
+ */
+ gicv2_cpuif_disable();
+
*(watchdog_val_reg) = SECURE_WATCHDOG_COUNTDOWN_VAL;
*watchdog_ctrl_reg = SECURE_WATCHDOG_MASK_ENABLE;
while (1) {
--
2.25.1
@@ -0,0 +1,161 @@
From dcc9cf5111c41edc691f007bd97548d96f5efddb Mon Sep 17 00:00:00 2001
From: Harsimran Singh Tungal <harsimransingh.tungal@arm.com>
Date: Thu, 9 May 2024 16:59:34 +0000
Subject: [PATCH] feat(corstone1000): add multicore support for fvp
This changeset adds the multicore support for the Corstone-1000 FVP.
It adds the PSCI CPU_ON and CPU_ON_FINISH power domain functionalities
for the secondary cores.
Upstream-Status: Backport [https://review.trustedfirmware.org/c/TF-A/trusted-firmware-a/+/29176]
Signed-off-by: Harsimran Singh Tungal <harsimransingh.tungal@arm.com>
---
.../common/corstone1000_helpers.S | 26 +++++++++++
.../corstone1000/common/corstone1000_pm.c | 43 ++++++++++++++++++-
.../common/include/platform_def.h | 15 ++++++-
plat/arm/board/corstone1000/platform.mk | 7 +++
4 files changed, 89 insertions(+), 2 deletions(-)
diff --git a/plat/arm/board/corstone1000/common/corstone1000_helpers.S b/plat/arm/board/corstone1000/common/corstone1000_helpers.S
index cbe27c3b5..90dc4fee6 100644
--- a/plat/arm/board/corstone1000/common/corstone1000_helpers.S
+++ b/plat/arm/board/corstone1000/common/corstone1000_helpers.S
@@ -21,8 +21,34 @@
* --------------------------------------------------------------------
*/
func plat_secondary_cold_boot_setup
+#if defined(CORSTONE1000_FVP_MULTICORE)
+
+ /* Calculate the address of our hold entry */
+ bl plat_my_core_pos
+ lsl x0, x0, #CORSTONE1000_SECONDARY_CORE_HOLD_SHIFT
+ mov_imm x2, CORSTONE1000_SECONDARY_CORE_HOLD_BASE
+
+ /* Set the wait state for the secondary core */
+ mov_imm x3, CORSTONE1000_SECONDARY_CORE_STATE_WAIT
+ str x3, [x2, x0]
+ dmb ish
+
+ /* Poll until the primary core signals to go */
+poll_mailbox:
+ ldr x1, [x2, x0]
+ cmp x1, #CORSTONE1000_SECONDARY_CORE_STATE_WAIT
+ beq 1f
+ mov_imm x0, PLAT_ARM_TRUSTED_MAILBOX_BASE
+ ldr x1, [x0]
+ br x1
+1:
+ wfe
+ b poll_mailbox
+#else
cb_panic:
b cb_panic
+#endif
+
endfunc plat_secondary_cold_boot_setup
/* ---------------------------------------------------------------------
diff --git a/plat/arm/board/corstone1000/common/corstone1000_pm.c b/plat/arm/board/corstone1000/common/corstone1000_pm.c
index a52e945bf..979243317 100644
--- a/plat/arm/board/corstone1000/common/corstone1000_pm.c
+++ b/plat/arm/board/corstone1000/common/corstone1000_pm.c
@@ -33,10 +33,51 @@ static void __dead2 corstone1000_system_reset(void)
wfi();
}
}
+#if defined(CORSTONE1000_FVP_MULTICORE)
+int corstone1000_validate_ns_entrypoint(uintptr_t entrypoint)
+{
+ /*
+ * Check if the non secure entrypoint lies within the non
+ * secure DRAM.
+ */
+ if ((entrypoint >= ARM_NS_DRAM1_BASE) && (entrypoint < (ARM_NS_DRAM1_BASE + ARM_NS_DRAM1_SIZE))) {
+ return PSCI_E_SUCCESS;
+ }
+ return PSCI_E_INVALID_ADDRESS;
+}
+
+int corstone1000_pwr_domain_on(u_register_t mpidr)
+{
+ int core_index = plat_core_pos_by_mpidr(mpidr);
+ uint64_t *secondary_core_hold_base = (uint64_t *)CORSTONE1000_SECONDARY_CORE_HOLD_BASE;
+ /* Validate the core index */
+ if ((core_index < 0) || (core_index > PLATFORM_CORE_COUNT)) {
+ return PSCI_E_INVALID_PARAMS;
+ }
+ secondary_core_hold_base[core_index] = CORSTONE1000_SECONDARY_CORE_STATE_GO;
+ dsbish();
+ sev();
+
+ return PSCI_E_SUCCESS;
+}
+
+void corstone1000_pwr_domain_on_finish(const psci_power_state_t *target_state)
+{
+ (void)target_state;
+ plat_arm_gic_init();
+}
+#endif
plat_psci_ops_t plat_arm_psci_pm_ops = {
+#if defined(CORSTONE1000_FVP_MULTICORE)
+ .pwr_domain_on = corstone1000_pwr_domain_on,
+ .pwr_domain_on_finish = corstone1000_pwr_domain_on_finish,
+ .validate_ns_entrypoint = corstone1000_validate_ns_entrypoint,
+ .system_reset = corstone1000_system_reset,
+#else
+ .validate_ns_entrypoint = NULL,
.system_reset = corstone1000_system_reset,
- .validate_ns_entrypoint = NULL
+#endif
};
const plat_psci_ops_t *plat_arm_psci_override_pm_ops(plat_psci_ops_t *ops)
diff --git a/plat/arm/board/corstone1000/common/include/platform_def.h b/plat/arm/board/corstone1000/common/include/platform_def.h
index b9a1d43df..c4839ccf3 100644
--- a/plat/arm/board/corstone1000/common/include/platform_def.h
+++ b/plat/arm/board/corstone1000/common/include/platform_def.h
@@ -249,7 +249,20 @@
*/
#define ARM_LOCAL_STATE_OFF U(2)
-#define PLAT_ARM_TRUSTED_MAILBOX_BASE ARM_TRUSTED_SRAM_BASE
+#define PLAT_ARM_TRUSTED_MAILBOX_BASE ARM_TRUSTED_SRAM_BASE
+
+#if defined(CORSTONE1000_FVP_MULTICORE)
+/* The secondary core entrypoint address points to bl31_warm_entrypoint
+ * and the address size is 8 bytes */
+#define CORSTONE1000_SECONDARY_CORE_ENTRYPOINT_ADDRESS_SIZE UL(0x8)
+
+#define CORSTONE1000_SECONDARY_CORE_HOLD_BASE (PLAT_ARM_TRUSTED_MAILBOX_BASE + \
+ CORSTONE1000_SECONDARY_CORE_ENTRYPOINT_ADDRESS_SIZE)
+#define CORSTONE1000_SECONDARY_CORE_STATE_WAIT ULL(0)
+#define CORSTONE1000_SECONDARY_CORE_STATE_GO ULL(1)
+#define CORSTONE1000_SECONDARY_CORE_HOLD_SHIFT ULL(3)
+#endif
+
#define PLAT_ARM_NSTIMER_FRAME_ID U(1)
#define PLAT_ARM_NS_IMAGE_BASE (BL33_BASE)
diff --git a/plat/arm/board/corstone1000/platform.mk b/plat/arm/board/corstone1000/platform.mk
index fd08803e8..45092ace9 100644
--- a/plat/arm/board/corstone1000/platform.mk
+++ b/plat/arm/board/corstone1000/platform.mk
@@ -31,6 +31,13 @@ override NEED_BL31 := yes
NEED_BL32 ?= yes
override NEED_BL33 := yes
+ENABLE_MULTICORE := 0
+ifneq ($(filter ${TARGET_PLATFORM}, fvp),)
+ifeq (${ENABLE_MULTICORE},1)
+$(eval $(call add_define,CORSTONE1000_FVP_MULTICORE))
+endif
+endif
+
# Add CORSTONE1000_WITH_BL32 as a preprocessor define (-D option)
ifeq (${NEED_BL32},yes)
$(eval $(call add_define,CORSTONE1000_WITH_BL32))
--
2.25.1
@@ -0,0 +1,28 @@
From 8070bf4a89492727b6da3fb7bdec61748eae1d7d Mon Sep 17 00:00:00 2001
From: Harsimran Singh Tungal <harsimransingh.tungal@arm.com>
Date: Tue, 2 Jul 2024 12:49:12 +0000
Subject: [PATCH] fix(corstone1000): include platform header file
Include platform.h file in order to remove compiler warnings
Upstream-Status: Submitted [https://review.trustedfirmware.org/c/TF-A/trusted-firmware-a/+/29727]
Signed-off-by: Harsimran Singh Tungal <harsimransingh.tungal@arm.com>
---
plat/arm/board/corstone1000/common/corstone1000_pm.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/plat/arm/board/corstone1000/common/corstone1000_pm.c b/plat/arm/board/corstone1000/common/corstone1000_pm.c
index 979243317..9babe5b11 100644
--- a/plat/arm/board/corstone1000/common/corstone1000_pm.c
+++ b/plat/arm/board/corstone1000/common/corstone1000_pm.c
@@ -8,6 +8,7 @@
#include <plat/arm/common/plat_arm.h>
#include <platform_def.h>
#include <drivers/arm/gicv2.h>
+#include <plat/common/platform.h>
/*******************************************************************************
* Export the platform handlers via plat_arm_psci_pm_ops. The ARM Standard
* platform layer will take care of registering the handlers with PSCI.
--
2.34.1
@@ -1,64 +0,0 @@
From b79d3cf319cc5698311ef83247110c93d3c2de2c Mon Sep 17 00:00:00 2001
Message-Id: <b79d3cf319cc5698311ef83247110c93d3c2de2c.1695834344.git.diego.sueiro@arm.com>
From: Diego Sueiro <diego.sueiro@arm.com>
Date: Wed, 27 Sep 2023 18:05:26 +0100
Subject: [PATCH] fdts/fvp-base: Add stdout-path and virtio net and rng nodes
Upstream-Status: Pending
Signed-off-by: Diego Sueiro <diego.sueiro@arm.com>
---
fdts/fvp-base-psci-common.dtsi | 8 ++++++--
fdts/rtsm_ve-motherboard.dtsi | 12 ++++++++++++
2 files changed, 18 insertions(+), 2 deletions(-)
diff --git a/fdts/fvp-base-psci-common.dtsi b/fdts/fvp-base-psci-common.dtsi
index 79cf37d3b0..b1ba5ce703 100644
--- a/fdts/fvp-base-psci-common.dtsi
+++ b/fdts/fvp-base-psci-common.dtsi
@@ -30,7 +30,9 @@
#if (ENABLE_RME == 1)
chosen { bootargs = "console=ttyAMA0 earlycon=pl011,0x1c090000 root=/dev/vda ip=on";};
#else
- chosen {};
+ chosen {
+ stdout-path = &v2m_serial0;
+ };
#endif
aliases {
@@ -243,6 +245,8 @@
<0 0 39 &gic 0 GIC_SPI 39 IRQ_TYPE_LEVEL_HIGH>,
<0 0 40 &gic 0 GIC_SPI 40 IRQ_TYPE_LEVEL_HIGH>,
<0 0 41 &gic 0 GIC_SPI 41 IRQ_TYPE_LEVEL_HIGH>,
- <0 0 42 &gic 0 GIC_SPI 42 IRQ_TYPE_LEVEL_HIGH>;
+ <0 0 42 &gic 0 GIC_SPI 42 IRQ_TYPE_LEVEL_HIGH>,
+ <0 0 44 &gic 0 GIC_SPI 44 IRQ_TYPE_LEVEL_HIGH>,
+ <0 0 46 &gic 0 GIC_SPI 46 IRQ_TYPE_LEVEL_HIGH>;
};
};
diff --git a/fdts/rtsm_ve-motherboard.dtsi b/fdts/rtsm_ve-motherboard.dtsi
index 0a824b349a..21a083a51a 100644
--- a/fdts/rtsm_ve-motherboard.dtsi
+++ b/fdts/rtsm_ve-motherboard.dtsi
@@ -230,6 +230,18 @@
interrupts = <42>;
};
+ virtio@150000 {
+ compatible = "virtio,mmio";
+ reg = <0x150000 0x200>;
+ interrupts = <44>;
+ };
+
+ virtio@200000 {
+ compatible = "virtio,mmio";
+ reg = <0x200000 0x200>;
+ interrupts = <46>;
+ };
+
rtc@170000 {
compatible = "arm,pl031", "arm,primecell";
reg = <0x170000 0x1000>;
--
2.39.1
@@ -1,42 +0,0 @@
From 2d305094f8f500362079e9e7637d46129bf980e4 Mon Sep 17 00:00:00 2001
From: Adam Johnston <adam.johnston@arm.com>
Date: Tue, 25 Jul 2023 16:05:51 +0000
Subject: [PATCH] n1sdp: Reserve OP-TEE memory from NWd
The physical memory which is used to run OP-TEE on the N1SDP is known
to the secure world via TOS_FW_CONFIG, but it may not be known to the
normal world.
As a precaution, explicitly reserve this memory via NT_FW_CONFIG to
prevent the normal world from using it. This is not required on most
platforms as the Trusted OS is run from secure RAM.
Upstream-Status: Pending (not yet submitted to upstream)
Signed-off-by: Adam Johnston <adam.johnston@arm.com>
Signed-off-by: Mariam Elshakfy <mariam.elshakfy@arm.com>
---
plat/arm/board/n1sdp/fdts/n1sdp_nt_fw_config.dts | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/plat/arm/board/n1sdp/fdts/n1sdp_nt_fw_config.dts b/plat/arm/board/n1sdp/fdts/n1sdp_nt_fw_config.dts
index da5e04ddb6..b7e2d4e86f 100644
--- a/plat/arm/board/n1sdp/fdts/n1sdp_nt_fw_config.dts
+++ b/plat/arm/board/n1sdp/fdts/n1sdp_nt_fw_config.dts
@@ -20,4 +20,16 @@
local-ddr-size = <0x0>;
remote-ddr-size = <0x0>;
};
+
+ reserved-memory {
+ #address-cells = <2>;
+ #size-cells = <2>;
+ ranges;
+
+ optee@0xDE000000 {
+ compatible = "removed-dma-pool";
+ reg = <0x0 0xDE000000 0x0 0x02000000>;
+ no-map;
+ };
+ };
};
\ No newline at end of file
@@ -1,46 +0,0 @@
From cc0153b56d634aa80b740be5afed15bedb94a2c9 Mon Sep 17 00:00:00 2001
From: Harsimran Singh Tungal <harsimransingh.tungal@arm.com>
Date: Tue, 23 Jan 2024 14:19:39 +0000
Subject: [PATCH] n1sdp patch tests to skip
Upstream-Status: Pending
Signed-off-by: Harsimran Singh Tungal <harsimransingh.tungal@arm.com>
---
plat/arm/n1sdp/tests_to_skip.txt | 15 ++++++++++-----
1 file changed, 10 insertions(+), 5 deletions(-)
diff --git a/plat/arm/n1sdp/tests_to_skip.txt b/plat/arm/n1sdp/tests_to_skip.txt
index b6e87bf..1848408 100644
--- a/plat/arm/n1sdp/tests_to_skip.txt
+++ b/plat/arm/n1sdp/tests_to_skip.txt
@@ -11,7 +11,7 @@ SMMUv3 tests
PSCI CPU Suspend in OSI mode
# PSCI is enabled but not tested
-PSCI STAT/Stats test cases after system suspend
+PSCI STAT
PSCI System Suspend Validation
# Disable FF-A Interrupt tests as TWDOG is not supported by TC platform
@@ -25,9 +25,14 @@ FF-A Interrupt
# files in TFTF, since the port was done purely to test the spectre workaround
# performance impact. Once that was done no further work was done on the port.
-Timer framework Validation/Target timer to a power down cpu
-Timer framework Validation/Test scenario where multiple CPUs call same timeout
-Timer framework Validation/Stress test the timer framework
+Timer framework Validation
PSCI Affinity Info/Affinity info level0 powerdown
PSCI CPU Suspend
-PSCI STAT/for valid composite state CPU suspend
+Framework Validation/NVM serialisation
+Framework Validation/Events API
+Boot requirement tests
+CPU Hotplug
+ARM_ARCH_SVC/SMCCC_ARCH_WORKAROUND_1 test
+ARM_ARCH_SVC/SMCCC_ARCH_WORKAROUND_2 test
+ARM_ARCH_SVC/SMCCC_ARCH_WORKAROUND_3 test
+FF-A Power management
--
2.34.1
@@ -1,30 +0,0 @@
From 15dab90c3cb8e7677c4f953c2269e8ee1afa01b0 Mon Oct 2 13:45:43 2023
From: Mariam Elshakfy <mariam.elshakfy@arm.com>
Date: Mon, 2 Oct 2023 13:45:43 +0000
Subject: [PATCH] Modify BL32 Location to DDR4
Since OP-TEE start address is changed to run
from DDR4, this patch changes BL32 entrypoint
to the correct one.
Upstream-Status: Pending (not yet submitted to upstream)
Signed-off-by: Mariam Elshakfy <mariam.elshakfy@arm.com>
---
plat/arm/board/n1sdp/fdts/n1sdp_optee_spmc_manifest.dts | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/plat/arm/board/n1sdp/fdts/n1sdp_optee_spmc_manifest.dts b/plat/arm/board/n1sdp/fdts/n1sdp_optee_spmc_manifest.dts
index ed870803c..797dfe3a4 100644
--- a/plat/arm/board/n1sdp/fdts/n1sdp_optee_spmc_manifest.dts
+++ b/plat/arm/board/n1sdp/fdts/n1sdp_optee_spmc_manifest.dts
@@ -22,8 +22,8 @@
maj_ver = <0x1>;
min_ver = <0x0>;
exec_state = <0x0>;
- load_address = <0x0 0x08000000>;
- entrypoint = <0x0 0x08000000>;
+ load_address = <0x0 0xDE000000>;
+ entrypoint = <0x0 0xDE000000>;
binary_size = <0x2000000>;
};
@@ -1,28 +0,0 @@
From 9a1d11b9fbadf740c73aee6dca4fd0370b38e4a8 Tue Oct 3 13:49:13 2023
From: Mariam Elshakfy <mariam.elshakfy@arm.com>
Date: Tue, 3 Oct 2023 13:49:13 +0000
Subject: [PATCH] Modify SPMC Base to DDR4
Since OP-TEE start address is changed to run
from DDR4, this patch changes SPMC base to
the correct one.
Upstream-Status: Pending (not yet submitted to upstream)
Signed-off-by: Mariam Elshakfy <mariam.elshakfy@arm.com>
---
plat/arm/board/n1sdp/include/platform_def.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/plat/arm/board/n1sdp/include/platform_def.h b/plat/arm/board/n1sdp/include/platform_def.h
index b3799a7b2..b12c61b61 100644
--- a/plat/arm/board/n1sdp/include/platform_def.h
+++ b/plat/arm/board/n1sdp/include/platform_def.h
@@ -118,7 +118,7 @@
#define PLAT_ARM_MAX_BL31_SIZE UL(0x40000)
-#define PLAT_ARM_SPMC_BASE U(0x08000000)
+#define PLAT_ARM_SPMC_BASE U(0xDE000000)
#define PLAT_ARM_SPMC_SIZE UL(0x02000000) /* 32 MB */
@@ -1,45 +0,0 @@
From 051c723a6463a579b05dcaa81f204516737a3645 Mon Sep 17 00:00:00 2001
From: Ross Burton <ross.burton@arm.com>
Date: Wed, 9 Aug 2023 15:56:03 -0400
Subject: [PATCH] Binutils 2.39 now warns when a segment has RXW
permissions[1]:
aarch64-none-elf-ld.bfd: warning: bl31.elf has a LOAD segment with RWX
permissions
However, TF-A passes --fatal-warnings to LD, so this is a build failure.
There is a ticket filed upstream[2], so until that is resolved just
remove --fatal-warnings.
[1] https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=ba951afb99912da01a6e8434126b8fac7aa75107
[2] https://developer.trustedfirmware.org/T996
Upstream-Status: Inappropriate
Signed-off-by: Ross Burton <ross.burton@arm.com>
---
Makefile | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/Makefile b/Makefile
index 1ddb7b84417d..9eae30c923ec 100644
--- a/Makefile
+++ b/Makefile
@@ -425,7 +425,7 @@ TF_LDFLAGS += $(TF_LDFLAGS_$(ARCH))
# LD = gcc (used when GCC LTO is enabled)
else ifneq ($(findstring gcc,$(notdir $(LD))),)
# Pass ld options with Wl or Xlinker switches
-TF_LDFLAGS += -Wl,--fatal-warnings -O1
+TF_LDFLAGS += -O1
TF_LDFLAGS += -Wl,--gc-sections
ifeq ($(ENABLE_LTO),1)
ifeq (${ARCH},aarch64)
@@ -442,7 +442,7 @@ TF_LDFLAGS += $(subst --,-Xlinker --,$(TF_LDFLAGS_$(ARCH)))
# LD = gcc-ld (ld) or llvm-ld (ld.lld) or other
else
-TF_LDFLAGS += --fatal-warnings -O1
+TF_LDFLAGS += -O1
TF_LDFLAGS += --gc-sections
# ld.lld doesn't recognize the errata flags,
# therefore don't add those in that case
@@ -1,33 +0,0 @@
From 6635341615a5bcb36ce71479ee30dae1599081e2 Mon Sep 17 00:00:00 2001
From: Anton Antonov <anrton.antonov@arm.com>
Date: Wed, 9 Aug 2023 15:56:03 -0400
Subject: [PATCH] Binutils 2.39 now warns when a segment has RXW
permissions[1]:
aarch64-poky-linux-musl-ld: tftf.elf has a LOAD segment with RWX permissions
There is a ticket filed upstream[2], so until that is resolved just
disable the warning
[1] https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=ba951afb99912da01a6e8434126b8fac7aa75107
[2] https://developer.trustedfirmware.org/T996
Upstream-Status: Inappropriate
Signed-off-by: Anton Antonov <anrton.antonov@arm.com>
---
Makefile | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Makefile b/Makefile
index 286a47c7d454..3481187b62cf 100644
--- a/Makefile
+++ b/Makefile
@@ -246,7 +246,7 @@ TFTF_SOURCES := ${FRAMEWORK_SOURCES} ${TESTS_SOURCES} ${PLAT_SOURCES} ${LIBC_SR
TFTF_INCLUDES += ${PLAT_INCLUDES}
TFTF_CFLAGS += ${COMMON_CFLAGS}
TFTF_ASFLAGS += ${COMMON_ASFLAGS}
-TFTF_LDFLAGS += ${COMMON_LDFLAGS}
+TFTF_LDFLAGS += ${COMMON_LDFLAGS} --no-warn-rwx-segments
TFTF_EXTRA_OBJS :=
ifneq (${BP_OPTION},none)
@@ -1,16 +1,6 @@
# Machine specific TFAs
FILESEXTRAPATHS:prepend := "${THISDIR}/files:"
COMPATIBLE_MACHINE:corstone1000 = "corstone1000"
EXTRA_OEMAKE:append:corstone1000 = " DEBUG=0"
EXTRA_OEMAKE:append:corstone1000 = " LOG_LEVEL=30"
TFTF_MODE:corstone1000 = "release"
COMPATIBLE_MACHINE:n1sdp = "n1sdp"
EXTRA_OEMAKE:append:n1sdp = " DEBUG=1"
EXTRA_OEMAKE:append:n1sdp = " LOG_LEVEL=50"
TFTF_MODE:n1sdp = "debug"
SRC_URI:append:n1sdp = " \
file://0001-n1sdp-tftf-tests-to-skip.patch \
"
@@ -6,8 +6,10 @@ FILESEXTRAPATHS:prepend := "${THISDIR}/files/corstone1000:"
SRC_URI:append = " \
file://0001-Fix-FF-A-version-in-SPMC-manifest.patch \
file://0002-fix-corstone1000-pass-spsr-value-explicitly.patch \
file://0003-fix-spmd-remove-EL3-interrupt-registration.patch \
file://0004-fix-corstone1000-remove-unused-NS_SHARED_RAM-region.patch \
file://0003-fix-corstone1000-remove-unused-NS_SHARED_RAM-region.patch \
file://0004-fix-corstone1000-clean-the-cache-and-disable-interru.patch \
file://0005-feat-corstone1000-Add-multicore-support-for-FVP-plat.patch \
file://0006-feat-corstone1000-include-platform-header-file.patch \
"
TFA_DEBUG = "1"
@@ -24,13 +26,13 @@ TFA_SPMD_SPM_AT_SEL2 = "0"
# BL2 loads BL32 (optee). So, optee needs to be built first:
DEPENDS += "optee-os"
# Note: Regarding the build option: LOG_LEVEL.
# Note: Regarding the build option: LOG_LEVEL.
# There seems to be an issue when setting it
# to 50 (LOG_LEVEL_VERBOSE), where the kernel
# to 50 (LOG_LEVEL_VERBOSE), where the kernel
# tee driver sends yielding requests to OP-TEE
# at a faster pace than OP-TEE processes them,
# as the processing time is consumed by logging
# in TF-A. When this issue occurs, booting halts
# as the processing time is consumed by logging
# in TF-A. When this issue occurs, booting halts
# as soon as optee driver starts initialization.
# Therefore, it's not currently recommended to
# set LOG_LEVEL to 50 at all.
@@ -53,3 +55,4 @@ EXTRA_OEMAKE:append = " \
BL32=${RECIPE_SYSROOT}/${nonarch_base_libdir}/firmware/tee-pager_v2.bin \
FVP_USE_GIC_DRIVER=FVP_GICV2 \
"
EXTRA_OEMAKE:append:corstone1000-fvp = "${@bb.utils.contains('MACHINE_FEATURES', 'corstone1000_fvp_smp', ' ENABLE_MULTICORE=1', '', d)}"
@@ -7,7 +7,6 @@
FILESEXTRAPATHS:prepend := "${THISDIR}/files/:${THISDIR}/files/fvp-base"
SRC_URI:append = " \
file://0001-fdts-fvp-base-Add-stdout-path-and-virtio-net-and-rng.patch \
file://optee_spmc_maifest.dts;subdir=git/plat/arm/board/fvp/fdts \
"
@@ -63,3 +62,9 @@ EXTRA_OEMAKE += "FVP_DT_PREFIX=fvp-base-gicv3-psci-1t FVP_USE_GIC_DRIVER=FVP_GIC
# Our fvp-base machine explicitly has v8.4 cores
EXTRA_OEMAKE += "ARM_ARCH_MAJOR=8 ARM_ARCH_MINOR=4"
# If GENERATE_COT is set, then tf-a will try to use local poetry install
# to run the python cot-dt2c command. Disable the local poetry and use
# the provided cot-dt2c.
EXTRA_OEMAKE += "POETRY=''"
DEPENDS += "cot-dt2c-native"
@@ -1,41 +0,0 @@
# N1SDP specific TFA support
# Align with N1SDP-2023.06.22 Manifest
SRCREV_tfa = "31f60a968347497562b0129134928d7ac4767710"
PV .= "+git"
COMPATIBLE_MACHINE = "n1sdp"
TFA_BUILD_TARGET = "all fip"
TFA_INSTALL_TARGET = "bl1 bl2 bl31 n1sdp-multi-chip n1sdp-single-chip n1sdp_fw_config n1sdp_tb_fw_config fip"
TFA_DEBUG = "1"
TFA_MBEDTLS = "1"
TFA_UBOOT = "0"
TFA_UEFI ?= "1"
FILESEXTRAPATHS:prepend := "${THISDIR}/files/n1sdp:"
SRC_URI:append = " \
file://0001-Reserve-OP-TEE-memory-from-nwd.patch \
file://0002-Modify-BL32-Location-to-DDR4.patch \
file://0003-Modify-SPMC-Base-to-DDR4.patch \
"
TFA_ROT_KEY= "plat/arm/board/common/rotpk/arm_rotprivk_rsa.pem"
# Enabling Secure-EL1 Payload Dispatcher (SPD)
TFA_SPD = "spmd"
# Cortex-A35 supports Armv8.0-A (no S-EL2 execution state).
# So, the SPD SPMC component should run at the S-EL1 execution state
TFA_SPMD_SPM_AT_SEL2 = "0"
# BL2 loads BL32 (optee). So, optee needs to be built first:
DEPENDS += "optee-os"
EXTRA_OEMAKE:append = "\
TRUSTED_BOARD_BOOT=1 \
GENERATE_COT=1 \
CREATE_KEYS=1 \
ARM_ROTPK_LOCATION="devel_rsa" \
ROT_KEY="${TFA_ROT_KEY}" \
BL32=${RECIPE_SYSROOT}/${nonarch_base_libdir}/firmware/tee-pager_v2.bin \
"
@@ -11,3 +11,9 @@ TFA_UEFI = "1"
EXTRA_OEMAKE += "TRUSTED_BOARD_BOOT=1 GENERATE_COT=1 ARM_ROTPK_LOCATION=devel_rsa \
ROT_KEY=plat/arm/board/common/rotpk/arm_rotprivk_rsa.pem"
# If GENERATE_COT is set, then tf-a will try to use local poetry install
# to run the python cot-dt2c command. Disable the local poetry and use
# the provided cot-dt2c.
EXTRA_OEMAKE += "POETRY=''"
DEPENDS += "cot-dt2c-native"
@@ -6,9 +6,7 @@ MACHINE_TFA_REQUIRE ?= ""
MACHINE_TFA_REQUIRE:corstone1000 = "trusted-firmware-a-corstone1000.inc"
MACHINE_TFA_REQUIRE:fvp-base = "trusted-firmware-a-fvp-base.inc"
MACHINE_TFA_REQUIRE:juno = "trusted-firmware-a-juno.inc"
MACHINE_TFA_REQUIRE:n1sdp = "trusted-firmware-a-n1sdp.inc"
MACHINE_TFA_REQUIRE:sbsa-ref = "trusted-firmware-a-sbsa-ref.inc"
MACHINE_TFA_REQUIRE:sgi575 = "trusted-firmware-a-sgi575.inc"
MACHINE_TFA_REQUIRE:tc = "trusted-firmware-a-tc.inc"
require ${MACHINE_TFA_REQUIRE}
@@ -0,0 +1,20 @@
require recipes-bsp/trusted-firmware-a/trusted-firmware-a.inc
# TF-A v2.11.0
SRCREV_tfa = "f2735ebccf5173f74c0458736ec526276106097e"
SRCBRANCH = "master"
LIC_FILES_CHKSUM += "file://docs/license.rst;md5=b5fbfdeb6855162dded31fadcd5d4dc5"
# in TF-A src, docs/getting_started/prerequisites.rst lists the expected version mbedtls
# mbedtls-3.6.0
SRC_URI_MBEDTLS = "git://github.com/ARMmbed/mbedtls.git;name=mbedtls;protocol=https;destsuffix=git/mbedtls;branch=main"
SRCREV_mbedtls = "2ca6c285a0dd3f33982dd57299012dacab1ff206"
LIC_FILES_CHKSUM_MBEDTLS = "file://mbedtls/LICENSE;md5=379d5819937a6c2f1ef1630d341e026d"
# continue to boot also without TPM
SRC_URI += "\
file://0001-qemu_measured_boot.c-ignore-TPM-error-and-continue-w.patch \
file://0001-fix-zynqmp-handle-secure-SGI-at-EL1-for-OP-TEE.patch \
"
@@ -0,0 +1,97 @@
From 6ac0d4ce58c1a957c5f086e8c32268fdfc3ea531 Mon Sep 17 00:00:00 2001
From: Emekcan Aras <emekcan.aras@arm.com>
Date: Thu, 26 Oct 2023 11:46:04 +0100
Subject: [PATCH 1/9] Platform: Corstone1000: Align capsule UEFI structs
The UEFI capsules are generated using the U-Boot mkeficapsule tool.
U-Boot uses packed struct for the UEFI and FMP structures, see [1].
The structs have to be aligned in the TF-M side parser to avoid
crashes.
[1] https://github.com/u-boot/u-boot/blob/u-boot-2023.07.y/include/efi_api.h#L245
Signed-off-by: Emekcan Aras <Emekcan.Aras@arm.com>
Signed-off-by: Bence Balogh <bence.balogh@arm.com>
Upstream-Status: Backport [6ac0d4ce58c1a957c5f086e8c32268fdfc3ea531]
---
.../fw_update_agent/uefi_capsule_parser.c | 17 +++++++++--------
1 file changed, 9 insertions(+), 8 deletions(-)
diff --git a/platform/ext/target/arm/corstone1000/fw_update_agent/uefi_capsule_parser.c b/platform/ext/target/arm/corstone1000/fw_update_agent/uefi_capsule_parser.c
index c706c040a..44566e08d 100644
--- a/platform/ext/target/arm/corstone1000/fw_update_agent/uefi_capsule_parser.c
+++ b/platform/ext/target/arm/corstone1000/fw_update_agent/uefi_capsule_parser.c
@@ -1,10 +1,11 @@
/*
- * Copyright (c) 2021, Arm Limited. All rights reserved.
+ * Copyright (c) 2021-2024, Arm Limited. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*
*/
+#include "cmsis_compiler.h"
#include "uefi_capsule_parser.h"
#include "fwu_agent.h"
#include <string.h>
@@ -29,21 +30,21 @@ Update Capsule Structure (UEFI spec 2.9 1004)
Payload n (item_offset[embedded_driver_count + payload_item_count -1])
*/
-typedef struct {
+typedef __PACKED_STRUCT {
struct efi_guid capsule_guid;
uint32_t header_size;
uint32_t flags;
uint32_t capsule_image_size;
} efi_capsule_header_t;
-typedef struct {
+typedef __PACKED_STRUCT {
uint32_t version;
uint16_t embedded_driver_count;
uint16_t payload_item_count;
uint64_t item_offset_list[];
} efi_firmware_management_capsule_header_t;
-typedef struct {
+typedef __PACKED_STRUCT {
uint32_t version;
struct efi_guid update_image_type_id;
uint8_t update_image_index;
@@ -54,7 +55,7 @@ typedef struct {
uint64_t image_capsule_support; //introduced in v3
} efi_firmware_management_capsule_image_header_t;
-typedef struct {
+typedef __PACKED_STRUCT {
uint32_t signature;
uint32_t header_size;
uint32_t fw_version;
@@ -63,20 +64,20 @@ typedef struct {
#define ANYSIZE_ARRAY 0
-typedef struct {
+typedef __PACKED_STRUCT {
uint32_t dwLength;
uint16_t wRevision;
uint16_t wCertificateType;
uint8_t bCertificate[ANYSIZE_ARRAY];
} WIN_CERTIFICATE;
-typedef struct {
+typedef __PACKED_STRUCT {
WIN_CERTIFICATE hdr;
struct efi_guid cert_type;
uint8_t cert_data[ANYSIZE_ARRAY];
} win_certificate_uefi_guid_t;
-typedef struct {
+typedef __PACKED_STRUCT {
uint64_t monotonic_count;
win_certificate_uefi_guid_t auth_info;
} efi_firmware_image_authentication_t;
--
2.25.1
@@ -1,274 +0,0 @@
From eb096e4c03b80f9f31e5d15ca06e5a38e4112664 Mon Sep 17 00:00:00 2001
From: Bence Balogh <bence.balogh@arm.com>
Date: Tue, 7 Nov 2023 20:25:49 +0100
Subject: [PATCH 1/2] platform: corstone1000: Update MPU configuration
In Armv6-M the MPU requires the regions to be aligned with
region sizes.
The commit aligns the different code/data sections using the
alignment macros. The code/data sections can be covered by
multiple MPU regions in order to save memory.
Small adjustments had to be made in the memory layout in order to
not overflow the flash:
- Decreased TFM_PARTITION_SIZE
- Increased S_UNPRIV_DATA_SIZE
Added checks to the MPU configuration function for checking the
MPU constraints:
- Base address has to be aligned to the size
- The minimum MPU region size is 0x100
- The MPU can have 8 regions at most
Change-Id: I059468e8aba0822bb354fd1cd4987ac2bb1f34d1
Signed-off-by: Bence Balogh <bence.balogh@arm.com>
Upstream-Status: Submitted [https://review.trustedfirmware.org/c/TF-M/trusted-firmware-m/+/25393]
---
.../target/arm/corstone1000/CMakeLists.txt | 19 +++++
.../arm/corstone1000/create-flash-image.sh | 8 +-
.../arm/corstone1000/partition/flash_layout.h | 2 +-
.../arm/corstone1000/partition/region_defs.h | 6 +-
.../arm/corstone1000/tfm_hal_isolation.c | 83 +++++++++++++++----
5 files changed, 93 insertions(+), 25 deletions(-)
diff --git a/platform/ext/target/arm/corstone1000/CMakeLists.txt b/platform/ext/target/arm/corstone1000/CMakeLists.txt
index e6cf15b11..8817f514c 100644
--- a/platform/ext/target/arm/corstone1000/CMakeLists.txt
+++ b/platform/ext/target/arm/corstone1000/CMakeLists.txt
@@ -22,6 +22,25 @@ target_compile_definitions(platform_region_defs
INTERFACE
$<$<BOOL:${TFM_S_REG_TEST}>:TFM_S_REG_TEST>
)
+
+# The Armv6-M MPU requires that the MPU regions be aligned to the region sizes.
+# The minimal region size is 0x100 bytes.
+#
+# The alignments have to be a power of two and ideally bigger than the section size (which
+# can be checked in the map file).
+# In some cases the alignment value is smaller than the actual section
+# size to save memory. In that case, multiple MPU region has to be configured to cover it.
+#
+# To save memory, the attributes are set to XN_EXEC_OK and AP_RO_PRIV_UNPRIV for
+# the SRAM so the PSA_ROT_LINKER_CODE, TFM_UNPRIV_CODE and APP_ROT_LINKER_CODE don't have to
+# be aligned. The higher-priority regions will overwrite these attributes if needed.
+# The RAM is also located in the SRAM so it has to be configured to overwrite these default
+# attributes.
+target_compile_definitions(platform_region_defs
+ INTERFACE
+ TFM_LINKER_APP_ROT_LINKER_DATA_ALIGNMENT=0x2000
+ TFM_LINKER_SP_META_PTR_ALIGNMENT=0x100
+)
#========================= Platform common defs ===============================#
# Specify the location of platform specific build dependencies.
diff --git a/platform/ext/target/arm/corstone1000/create-flash-image.sh b/platform/ext/target/arm/corstone1000/create-flash-image.sh
index 2522d3674..a6be61384 100755
--- a/platform/ext/target/arm/corstone1000/create-flash-image.sh
+++ b/platform/ext/target/arm/corstone1000/create-flash-image.sh
@@ -8,7 +8,7 @@
######################################################################
# This script is to create a flash gpt image for corstone platform
-#
+#
# Flash image layout:
# |------------------------------|
# | Protective MBR |
@@ -82,15 +82,15 @@ sgdisk --mbrtogpt \
--new=4:56:+4K --typecode=4:$PRIVATE_METADATA_TYPE_UUID --partition-guid=4:$(uuidgen) --change-name=4:'private_metadata_replica_1' \
--new=5:64:+4k --typecode=5:$PRIVATE_METADATA_TYPE_UUID --partition-guid=5:$(uuidgen) --change-name=5:'private_metadata_replica_2' \
--new=6:72:+100k --typecode=6:$SE_BL2_TYPE_UUID --partition-guid=6:$(uuidgen) --change-name=6:'bl2_primary' \
- --new=7:272:+376K --typecode=7:$TFM_TYPE_UUID --partition-guid=7:$(uuidgen) --change-name=7:'tfm_primary' \
+ --new=7:272:+368K --typecode=7:$TFM_TYPE_UUID --partition-guid=7:$(uuidgen) --change-name=7:'tfm_primary' \
--new=8:32784:+100k --typecode=8:$SE_BL2_TYPE_UUID --partition-guid=8:$(uuidgen) --change-name=8:'bl2_secondary' \
- --new=9:32984:+376K --typecode=9:$TFM_TYPE_UUID --partition-guid=9:$(uuidgen) --change-name=9:'tfm_secondary' \
+ --new=9:32984:+368K --typecode=9:$TFM_TYPE_UUID --partition-guid=9:$(uuidgen) --change-name=9:'tfm_secondary' \
--new=10:65496:65501 --partition-guid=10:$(uuidgen) --change-name=10:'reserved_2' \
$IMAGE
[ $? -ne 0 ] && echo "Error occurs while writing the GPT layout" && exit 1
-# Write partitions
+# Write partitions
# conv=notrunc avoids truncation to keep the geometry of the image.
dd if=$BIN_DIR/bl2_signed.bin of=${IMAGE} seek=72 conv=notrunc
dd if=$BIN_DIR/tfm_s_signed.bin of=${IMAGE} seek=272 conv=notrunc
diff --git a/platform/ext/target/arm/corstone1000/partition/flash_layout.h b/platform/ext/target/arm/corstone1000/partition/flash_layout.h
index 568c8de28..7fffd94c6 100644
--- a/platform/ext/target/arm/corstone1000/partition/flash_layout.h
+++ b/platform/ext/target/arm/corstone1000/partition/flash_layout.h
@@ -134,7 +134,7 @@
/* Bank configurations */
#define BANK_PARTITION_SIZE (0xFE0000) /* 15.875 MB */
-#define TFM_PARTITION_SIZE (0x5E000) /* 376 KB */
+#define TFM_PARTITION_SIZE (0x5C000) /* 368 KB */
/************************************************************/
/* Bank : Images flash offsets are with respect to the bank */
diff --git a/platform/ext/target/arm/corstone1000/partition/region_defs.h b/platform/ext/target/arm/corstone1000/partition/region_defs.h
index 99e822f51..64ab786e5 100644
--- a/platform/ext/target/arm/corstone1000/partition/region_defs.h
+++ b/platform/ext/target/arm/corstone1000/partition/region_defs.h
@@ -1,8 +1,10 @@
/*
- * Copyright (c) 2017-2022 Arm Limited. All rights reserved.
+ * Copyright (c) 2017-2023 Arm Limited. All rights reserved.
* Copyright (c) 2021-2023 Cypress Semiconductor Corporation (an Infineon company)
* or an affiliate of Cypress Semiconductor Corporation. All rights reserved.
*
+ * SPDX-License-Identifier: Apache-2.0
+ *
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
@@ -53,7 +55,7 @@
#define S_DATA_START (SRAM_BASE + TFM_PARTITION_SIZE)
#define S_DATA_SIZE (SRAM_SIZE - TFM_PARTITION_SIZE)
-#define S_UNPRIV_DATA_SIZE (0x2160)
+#define S_UNPRIV_DATA_SIZE (0x4000)
#define S_DATA_LIMIT (S_DATA_START + S_DATA_SIZE - 1)
#define S_DATA_PRIV_START (S_DATA_START + S_UNPRIV_DATA_SIZE)
diff --git a/platform/ext/target/arm/corstone1000/tfm_hal_isolation.c b/platform/ext/target/arm/corstone1000/tfm_hal_isolation.c
index 01f7687bc..98e795dde 100644
--- a/platform/ext/target/arm/corstone1000/tfm_hal_isolation.c
+++ b/platform/ext/target/arm/corstone1000/tfm_hal_isolation.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2020-2022, Arm Limited. All rights reserved.
+ * Copyright (c) 2020-2023, Arm Limited. All rights reserved.
* Copyright (c) 2022 Cypress Semiconductor Corporation (an Infineon
* company) or an affiliate of Cypress Semiconductor Corporation. All rights
* reserved.
@@ -14,9 +14,11 @@
#include "tfm_hal_isolation.h"
#include "mpu_config.h"
#include "mmio_defs.h"
+#include "flash_layout.h"
#define PROT_BOUNDARY_VAL \
((1U << HANDLE_ATTR_PRIV_POS) & HANDLE_ATTR_PRIV_MASK)
+#define MPU_REGION_MIN_SIZE (0x100)
#ifdef CONFIG_TFM_ENABLE_MEMORY_PROTECT
@@ -31,20 +33,38 @@ REGION_DECLARE(Image$$, TFM_SP_META_PTR, $$ZI$$Base);
REGION_DECLARE(Image$$, TFM_SP_META_PTR, $$ZI$$Limit);
#endif /* CONFIG_TFM_PARTITION_META */
-static void configure_mpu(uint32_t rnr, uint32_t base, uint32_t limit,
- uint32_t is_xn_exec, uint32_t ap_permissions)
+static enum tfm_hal_status_t configure_mpu(uint32_t rnr, uint32_t base,
+ uint32_t limit, uint32_t is_xn_exec, uint32_t ap_permissions)
{
- uint32_t size; /* region size */
+ uint32_t rbar_size_field; /* region size as it is used in the RBAR */
uint32_t rasr; /* region attribute and size register */
uint32_t rbar; /* region base address register */
- size = get_rbar_size_field(limit - base);
+ rbar_size_field = get_rbar_size_field(limit - base);
+
+ /* The MPU region's base address has to be aligned to the region
+ * size for a valid MPU configuration */
+ if ((base % (1 << (rbar_size_field + 1))) != 0) {
+ return TFM_HAL_ERROR_INVALID_INPUT;
+ }
+
+ /* The MPU supports only 8 memory regions */
+ if (rnr > 7) {
+ return TFM_HAL_ERROR_INVALID_INPUT;
+ }
+
+ /* The minimum size for a region is 0x100 bytes */
+ if((limit - base) < MPU_REGION_MIN_SIZE) {
+ return TFM_HAL_ERROR_INVALID_INPUT;
+ }
rasr = ARM_MPU_RASR(is_xn_exec, ap_permissions, TEX, NOT_SHAREABLE,
- NOT_CACHEABLE, NOT_BUFFERABLE, SUB_REGION_DISABLE, size);
+ NOT_CACHEABLE, NOT_BUFFERABLE, SUB_REGION_DISABLE, rbar_size_field);
rbar = base & MPU_RBAR_ADDR_Msk;
ARM_MPU_SetRegionEx(rnr, rbar, rasr);
+
+ return TFM_HAL_SUCCESS;
}
#endif /* CONFIG_TFM_ENABLE_MEMORY_PROTECT */
@@ -56,33 +76,60 @@ enum tfm_hal_status_t tfm_hal_set_up_static_boundaries(
uint32_t rnr = TFM_ISOLATION_REGION_START_NUMBER; /* current region number */
uint32_t base; /* start address */
uint32_t limit; /* end address */
+ enum tfm_hal_status_t ret;
ARM_MPU_Disable();
- /* TFM Core unprivileged code region */
- base = (uint32_t)&REGION_NAME(Image$$, TFM_UNPRIV_CODE_START, $$RO$$Base);
- limit = (uint32_t)&REGION_NAME(Image$$, TFM_UNPRIV_CODE_END, $$RO$$Limit);
-
- configure_mpu(rnr++, base, limit, XN_EXEC_OK, AP_RO_PRIV_UNPRIV);
-
- /* RO region */
- base = (uint32_t)&REGION_NAME(Image$$, TFM_APP_CODE_START, $$Base);
- limit = (uint32_t)&REGION_NAME(Image$$, TFM_APP_CODE_END, $$Base);
+ /* Armv6-M MPU allows region overlapping. The region with the higher RNR
+ * will decide the attributes.
+ *
+ * The default attributes are set to XN_EXEC_OK and AP_RO_PRIV_UNPRIV for the
+ * whole SRAM so the PSA_ROT_LINKER_CODE, TFM_UNPRIV_CODE and APP_ROT_LINKER_CODE
+ * don't have to be aligned and memory space can be saved.
+ * This region has the lowest RNR so the next regions can overwrite these
+ * attributes if it's needed.
+ */
+ base = SRAM_BASE;
+ limit = SRAM_BASE + SRAM_SIZE;
+
+ ret = configure_mpu(rnr++, base, limit,
+ XN_EXEC_OK, AP_RW_PRIV_UNPRIV);
+ if (ret != TFM_HAL_SUCCESS) {
+ return ret;
+ }
- configure_mpu(rnr++, base, limit, XN_EXEC_OK, AP_RO_PRIV_UNPRIV);
/* RW, ZI and stack as one region */
base = (uint32_t)&REGION_NAME(Image$$, TFM_APP_RW_STACK_START, $$Base);
limit = (uint32_t)&REGION_NAME(Image$$, TFM_APP_RW_STACK_END, $$Base);
- configure_mpu(rnr++, base, limit, XN_EXEC_NOT_OK, AP_RW_PRIV_UNPRIV);
+ /* The section size can be bigger than the alignment size, else the code would
+ * not fit into the memory. Because of this, the sections can use multiple MPU
+ * regions. */
+ do {
+ ret = configure_mpu(rnr++, base, base + TFM_LINKER_APP_ROT_LINKER_DATA_ALIGNMENT,
+ XN_EXEC_NOT_OK, AP_RW_PRIV_UNPRIV);
+ if (ret != TFM_HAL_SUCCESS) {
+ return ret;
+ }
+ base += TFM_LINKER_APP_ROT_LINKER_DATA_ALIGNMENT;
+ } while (base < limit);
+
#ifdef CONFIG_TFM_PARTITION_META
/* TFM partition metadata pointer region */
base = (uint32_t)&REGION_NAME(Image$$, TFM_SP_META_PTR, $$ZI$$Base);
limit = (uint32_t)&REGION_NAME(Image$$, TFM_SP_META_PTR, $$ZI$$Limit);
- configure_mpu(rnr++, base, limit, XN_EXEC_NOT_OK, AP_RW_PRIV_UNPRIV);
+ do {
+ ret = configure_mpu(rnr++, base, base + TFM_LINKER_SP_META_PTR_ALIGNMENT,
+ XN_EXEC_NOT_OK, AP_RW_PRIV_UNPRIV);
+ if (ret != TFM_HAL_SUCCESS) {
+ return ret;
+ }
+ base += TFM_LINKER_SP_META_PTR_ALIGNMENT;
+ } while (base < limit);
+
#endif
arm_mpu_enable();
@@ -0,0 +1,69 @@
From 47c54e8e79df52f40057c3d4be9411447d2787c2 Mon Sep 17 00:00:00 2001
From: Emekcan Aras <Emekcan.Aras@arm.com>
Date: Wed, 21 Feb 2024 07:44:25 +0000
Subject: [PATCH 2/9] Platform: Corstone1000: Fix NV counter writing
The BL1 writes the PLAT_NV_COUNTER_BL1_0 NV counter directly without
updating the private metadata. Because of this the update_nv_counters()
function should not update the PLAT_NV_COUNTER_BL1_0 from the metadata.
The tfm_plat_set_nv_counter() had a typo and wrote the
priv_metadata->nv_counter[FWU_BL2_NV_COUNTER] to every NV counter.
Signed-off-by: Emekcan Aras <Emekcan.Aras@arm.com>
Signed-off-by: Bence Balogh <bence.balogh@arm.com>
Upstream-Status: Backport [47c54e8e79df52f40057c3d4be9411447d2787c2]
---
.../corstone1000/fw_update_agent/fwu_agent.c | 18 +++++++++++-------
1 file changed, 11 insertions(+), 7 deletions(-)
diff --git a/platform/ext/target/arm/corstone1000/fw_update_agent/fwu_agent.c b/platform/ext/target/arm/corstone1000/fw_update_agent/fwu_agent.c
index 9a9926a3d..b2f31e166 100644
--- a/platform/ext/target/arm/corstone1000/fw_update_agent/fwu_agent.c
+++ b/platform/ext/target/arm/corstone1000/fw_update_agent/fwu_agent.c
@@ -1120,12 +1120,13 @@ static enum fwu_agent_error_t update_nv_counters(
FWU_LOG_MSG("%s: enter\n\r", __func__);
- for (int i = 0; i <= FWU_MAX_NV_COUNTER_INDEX; i++) {
+ /* The FWU_BL2_NV_COUNTER (0) is not mirrored in the private metadata. It is
+ * directly updated in the bl1_2_validate_image_at_addr() function, in
+ * tfm/bl1/bl1_2/main.c.
+ * Because of this, the index starts from FWU_TFM_NV_COUNTER (1). */
+ for (int i = FWU_TFM_NV_COUNTER; i <= FWU_MAX_NV_COUNTER_INDEX; i++) {
switch (i) {
- case FWU_BL2_NV_COUNTER:
- tfm_nv_counter_i = PLAT_NV_COUNTER_BL1_0;
- break;
case FWU_TFM_NV_COUNTER:
tfm_nv_counter_i = PLAT_NV_COUNTER_BL2_0;
break;
@@ -1140,18 +1141,21 @@ static enum fwu_agent_error_t update_nv_counters(
err = tfm_plat_read_nv_counter(tfm_nv_counter_i,
sizeof(security_cnt), (uint8_t *)&security_cnt);
if (err != TFM_PLAT_ERR_SUCCESS) {
+ FWU_LOG_MSG("%s: couldn't read NV counter\n\r", __func__);
return FWU_AGENT_ERROR;
}
if (priv_metadata->nv_counter[i] < security_cnt) {
+ FWU_LOG_MSG("%s: staged NV counter is smaller than current value\n\r", __func__);
return FWU_AGENT_ERROR;
} else if (priv_metadata->nv_counter[i] > security_cnt) {
- FWU_LOG_MSG("%s: updaing index = %u nv counter = %u->%u\n\r",
+ FWU_LOG_MSG("%s: updating index = %u nv counter = %u->%u\n\r",
__func__, i, security_cnt,
- priv_metadata->nv_counter[FWU_BL2_NV_COUNTER]);
+ priv_metadata->nv_counter[i]);
err = tfm_plat_set_nv_counter(tfm_nv_counter_i,
- priv_metadata->nv_counter[FWU_BL2_NV_COUNTER]);
+ priv_metadata->nv_counter[i]);
if (err != TFM_PLAT_ERR_SUCCESS) {
+ FWU_LOG_MSG("%s: couldn't write NV counter\n\r", __func__);
return FWU_AGENT_ERROR;
}
}
--
2.25.1
@@ -1,76 +0,0 @@
From ca7696bca357cfd71a34582c65a7c7c08828b6dc Mon Sep 17 00:00:00 2001
From: Bence Balogh <bence.balogh@arm.com>
Date: Mon, 18 Dec 2023 14:00:14 +0100
Subject: [PATCH 2/2] platform: corstone1000: Cover S_DATA with MPU
The S_DATA has to be covered with MPU regions to override the
other MPU regions with smaller RNR values.
Change-Id: I45fec65f51241939314941e25d287e6fdc82777c
Signed-off-by: Bence Balogh <bence.balogh@arm.com>
Upstream-Status: Submitted [https://review.trustedfirmware.org/c/TF-M/trusted-firmware-m/+/25583]
---
.../target/arm/corstone1000/CMakeLists.txt | 8 +++++++
.../arm/corstone1000/tfm_hal_isolation.c | 22 +++++++++++++++++++
2 files changed, 30 insertions(+)
diff --git a/platform/ext/target/arm/corstone1000/CMakeLists.txt b/platform/ext/target/arm/corstone1000/CMakeLists.txt
index 8817f514c..541504368 100644
--- a/platform/ext/target/arm/corstone1000/CMakeLists.txt
+++ b/platform/ext/target/arm/corstone1000/CMakeLists.txt
@@ -40,6 +40,14 @@ target_compile_definitions(platform_region_defs
INTERFACE
TFM_LINKER_APP_ROT_LINKER_DATA_ALIGNMENT=0x2000
TFM_LINKER_SP_META_PTR_ALIGNMENT=0x100
+
+ # The RAM MPU Region block sizes are calculated manually. The RAM has to be covered
+ # with the MPU regions. These regions also have to be the power of 2 and
+ # the start addresses have to be aligned to these sizes. The sizes can be calculated
+ # from the S_DATA_START and S_DATA_SIZE defines.
+ RAM_MPU_REGION_BLOCK_1_SIZE=0x4000
+ RAM_MPU_REGION_BLOCK_2_SIZE=0x20000
+
)
#========================= Platform common defs ===============================#
diff --git a/platform/ext/target/arm/corstone1000/tfm_hal_isolation.c b/platform/ext/target/arm/corstone1000/tfm_hal_isolation.c
index 98e795dde..39b19c535 100644
--- a/platform/ext/target/arm/corstone1000/tfm_hal_isolation.c
+++ b/platform/ext/target/arm/corstone1000/tfm_hal_isolation.c
@@ -15,6 +15,7 @@
#include "mpu_config.h"
#include "mmio_defs.h"
#include "flash_layout.h"
+#include "region_defs.h"
#define PROT_BOUNDARY_VAL \
((1U << HANDLE_ATTR_PRIV_POS) & HANDLE_ATTR_PRIV_MASK)
@@ -132,6 +133,27 @@ enum tfm_hal_status_t tfm_hal_set_up_static_boundaries(
#endif
+ /* Set the RAM attributes. It is needed because the first region overlaps the whole
+ * SRAM and it has to be overridden.
+ * The RAM_MPU_REGION_BLOCK_1_SIZE and RAM_MPU_REGION_BLOCK_2_SIZE are calculated manually
+ * and added to the platform_region_defs compile definitions.
+ */
+ base = S_DATA_START;
+ limit = S_DATA_START + RAM_MPU_REGION_BLOCK_1_SIZE;
+ ret = configure_mpu(rnr++, base, limit,
+ XN_EXEC_NOT_OK, AP_RW_PRIV_UNPRIV);
+ if (ret != TFM_HAL_SUCCESS) {
+ return ret;
+ }
+
+ base = S_DATA_START + RAM_MPU_REGION_BLOCK_1_SIZE;
+ limit = S_DATA_START + RAM_MPU_REGION_BLOCK_1_SIZE + RAM_MPU_REGION_BLOCK_2_SIZE;
+ ret = configure_mpu(rnr++, base, limit,
+ XN_EXEC_NOT_OK, AP_RW_PRIV_UNPRIV);
+ if (ret != TFM_HAL_SUCCESS) {
+ return ret;
+ }
+
arm_mpu_enable();
#endif /* CONFIG_TFM_ENABLE_MEMORY_PROTECT */
@@ -1,14 +1,15 @@
From 1410dc5504d60219279581b1cf6442f81551cfe7 Mon Sep 17 00:00:00 2001
From 4b5a9546205e484ac7f53cee369b1db9a7bf2279 Mon Sep 17 00:00:00 2001
From: Emekcan Aras <Emekcan.Aras@arm.com>
Date: Wed, 3 Apr 2024 13:37:40 +0100
Subject: [PATCH] Platform: Corstone1000: Enable host firewall in FVP
Subject: [PATCH 3/9] Platform: Corstone1000: Enable firewall in FVP
Enables host firewall and mpu setup for FVP. It also fixes secure-ram
configuration and disable access rights to secure ram from both normal world
for both mps3 and fvp.
Enables host firewall and MPU setup for FVP. It also fixes secure RAM
configuration and disables access rights to secure RAM from normal world
for both MPS3 and FVP.
Signed-off-by: Emekcan Aras <Emekcan.Aras@arm.com>
Upstream-Status: Pending [Not submitted to upstream yet]
Signed-off-by: Bence Balogh <bence.balogh@arm.com>
Upstream-Status: Backport [4b5a9546205e484ac7f53cee369b1db9a7bf2279]
---
.../Device/Include/platform_base_address.h | 2 +-
.../arm/corstone1000/bl1/boot_hal_bl1_1.c | 42 ++++---------------
@@ -16,7 +17,7 @@ Upstream-Status: Pending [Not submitted to upstream yet]
3 files changed, 11 insertions(+), 35 deletions(-)
diff --git a/platform/ext/target/arm/corstone1000/Device/Include/platform_base_address.h b/platform/ext/target/arm/corstone1000/Device/Include/platform_base_address.h
index 416f0ebcd..101cad9e7 100644
index 416f0ebcdb..101cad9e7c 100644
--- a/platform/ext/target/arm/corstone1000/Device/Include/platform_base_address.h
+++ b/platform/ext/target/arm/corstone1000/Device/Include/platform_base_address.h
@@ -67,7 +67,7 @@
@@ -29,7 +30,7 @@ index 416f0ebcd..101cad9e7 100644
#define CORSTONE1000_HOST_BASE_SYSTEM_CONTROL_BASE (0x7A010000U) /* Host SCB */
#define CORSTONE1000_EXT_SYS_RESET_REG (0x7A010310U) /* external system (cortex-M3) */
diff --git a/platform/ext/target/arm/corstone1000/bl1/boot_hal_bl1_1.c b/platform/ext/target/arm/corstone1000/bl1/boot_hal_bl1_1.c
index a5fee66af..7988c2392 100644
index 45d6768215..2f693d2b1b 100644
--- a/platform/ext/target/arm/corstone1000/bl1/boot_hal_bl1_1.c
+++ b/platform/ext/target/arm/corstone1000/bl1/boot_hal_bl1_1.c
@@ -35,7 +35,7 @@ REGION_DECLARE(Image$$, ER_DATA, $$Base)[];
@@ -159,7 +160,7 @@ index a5fee66af..7988c2392 100644
#if defined(TFM_BL1_LOGGING) || defined(TEST_BL1_1) || defined(TEST_BL1_2)
stdio_init();
diff --git a/platform/ext/target/arm/corstone1000/bl2/flash_map_bl2.c b/platform/ext/target/arm/corstone1000/bl2/flash_map_bl2.c
index 2b1cdfa19..06cc3f0f5 100644
index 2b1cdfa199..06cc3f0f52 100644
--- a/platform/ext/target/arm/corstone1000/bl2/flash_map_bl2.c
+++ b/platform/ext/target/arm/corstone1000/bl2/flash_map_bl2.c
@@ -70,7 +70,7 @@ int boot_get_image_exec_ram_info(uint32_t image_id,
@@ -174,4 +175,3 @@ index 2b1cdfa19..06cc3f0f5 100644
--
2.25.1
@@ -1,78 +0,0 @@
From 6807d4b30f7d4ed32d3c54dfcaf3ace63eaa4f02 Mon Sep 17 00:00:00 2001
From: Emekcan Aras <emekcan.aras@arm.com>
Date: Thu, 26 Oct 2023 11:46:04 +0100
Subject: [PATCH] platform: corstone1000: align capsule update structs
U-boot mkefitool creates capsule image without packed and byte-aligned
structs. This patch aligns the capsule-update structures and avoids
crashes in case of unaligned pointer access.
Signed-off-by: Emekcan Aras <emekcan.aras@arm.com>
Upstream-Status: Pending
---
.../fw_update_agent/uefi_capsule_parser.c | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/platform/ext/target/arm/corstone1000/fw_update_agent/uefi_capsule_parser.c b/platform/ext/target/arm/corstone1000/fw_update_agent/uefi_capsule_parser.c
index c706c040ac..9f8d12ad4e 100644
--- a/platform/ext/target/arm/corstone1000/fw_update_agent/uefi_capsule_parser.c
+++ b/platform/ext/target/arm/corstone1000/fw_update_agent/uefi_capsule_parser.c
@@ -34,14 +34,14 @@ typedef struct {
uint32_t header_size;
uint32_t flags;
uint32_t capsule_image_size;
-} efi_capsule_header_t;
+} efi_capsule_header_t __attribute__((packed, aligned(1)));
typedef struct {
uint32_t version;
uint16_t embedded_driver_count;
uint16_t payload_item_count;
uint64_t item_offset_list[];
-} efi_firmware_management_capsule_header_t;
+} efi_firmware_management_capsule_header_t __attribute__((packed, aligned(1)));
typedef struct {
uint32_t version;
@@ -52,14 +52,14 @@ typedef struct {
uint32_t update_vendorcode_size;
uint64_t update_hardware_instance; //introduced in v2
uint64_t image_capsule_support; //introduced in v3
-} efi_firmware_management_capsule_image_header_t;
+} efi_firmware_management_capsule_image_header_t __attribute__((packed, aligned(1)));
typedef struct {
uint32_t signature;
uint32_t header_size;
uint32_t fw_version;
uint32_t lowest_supported_version;
-} fmp_payload_header_t;
+} fmp_payload_header_t __attribute__((packed, aligned(1)));
#define ANYSIZE_ARRAY 0
@@ -68,18 +68,18 @@ typedef struct {
uint16_t wRevision;
uint16_t wCertificateType;
uint8_t bCertificate[ANYSIZE_ARRAY];
-} WIN_CERTIFICATE;
+} WIN_CERTIFICATE __attribute__((packed, aligned(1)));
typedef struct {
WIN_CERTIFICATE hdr;
struct efi_guid cert_type;
uint8_t cert_data[ANYSIZE_ARRAY];
-} win_certificate_uefi_guid_t;
+} win_certificate_uefi_guid_t __attribute__((packed, aligned(1)));
typedef struct {
uint64_t monotonic_count;
win_certificate_uefi_guid_t auth_info;
-} efi_firmware_image_authentication_t;
+} efi_firmware_image_authentication_t __attribute__((packed, aligned(1)));
enum uefi_capsule_error_t uefi_capsule_retrieve_images(void* capsule_ptr,
--
2.25.1
@@ -0,0 +1,41 @@
From 2a7e418afc96a9c897d3511fd47dbe596f880074 Mon Sep 17 00:00:00 2001
From: Emekcan Aras <emekcan.aras@arm.com>
Date: Wed, 17 Apr 2024 11:34:45 +0000
Subject: [PATCH 4/9] Platform: CS1000: Increase ITS max asset size
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Increases the max asset size for ITS to enable Parsec services and
tests.
Signed-off-by: Emekcan Aras <emekcan.aras@arm.com>
Signed-off-by: Vikas Katariya <vikas.katariya@arm.com>
Signed-off-by: Bence Balogh <bence.balogh@arm.com>
Upstream-Status: Backport [2a7e418afc96a9c897d3511fd47dbe596f880074]
---
platform/ext/target/arm/corstone1000/config_tfm_target.h | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/platform/ext/target/arm/corstone1000/config_tfm_target.h b/platform/ext/target/arm/corstone1000/config_tfm_target.h
index 2c7341afd..9522379cd 100644
--- a/platform/ext/target/arm/corstone1000/config_tfm_target.h
+++ b/platform/ext/target/arm/corstone1000/config_tfm_target.h
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2022, Arm Limited. All rights reserved.
+ * Copyright (c) 2022-2024, Arm Limited. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*
@@ -20,4 +20,7 @@
/* The maximum number of assets to be stored in the Protected Storage area. */
#define PS_NUM_ASSETS 20
+/* The maximum size of asset to be stored in the Internal Trusted Storage area. */
+#define ITS_MAX_ASSET_SIZE 2048
+
#endif /* __CONFIG_TFM_TARGET_H__ */
--
2.25.1

Some files were not shown because too many files have changed in this diff Show More