author | Andrew Geissler <geissonator@yahoo.com> | 2023-03-31 17:57:23 +0300 |
---|---|---|
committer | Andrew Geissler <geissonator@yahoo.com> | 2023-03-31 18:06:58 +0300 |
commit | 2daf84b2d486da0b21344da999553c8fa1228195 (patch) | |
tree | 04a2402d258019103ad1a4c9da71d78301cd5d42 /meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a | |
parent | ced6278a187ae9eefe16fe59398f714857b7f76e (diff) | |
download | openbmc-2daf84b2d486da0b21344da999553c8fa1228195.tar.xz |
subtree updates: raspberrypi security arm
meta-arm: eb9c47a4e1..9b6c8c95e4:
Abdellatif El Khlifi (1):
CI: append classes to INHERIT in the common fvp.yml
Adam Johnston (1):
arm-bsp/linux-yocto: Update N1SDP PCI quirk patch
Jon Mason (10):
CI: add yml files for defaults
CI: add support for dev kernel, rt kernel, and poky-tiny
arm-bsp/fvp-base: update to u-boot 2023.01
arm-bsp/fvp-base-arm32: remove support
ci: add external-toolchain to qemuarm-secureboot
arm-bsp/optee: remove unused recipes
arm/optee: optee-os include cleanup
arm/optee-os: update to 3.20.0
arm/edk2: update version and relocate edk2-basetools to be with edk2
arm-bsp/fvp-base: Add edk2 build testing
Ross Burton (7):
arm-bsp/linux-arm64-ack: update Upstream-Status tags
CI: add CI_CLEAN_REPOS variable to allow cleaning the repo reference cache
arm/scp-firmware: fix up whitespace
arm/scp-firmware: enable verbose builds
arm/scp-firmware: remove textrel from INSANE_SKIP
arm/scp-firmware: improve debug packaging
CI: mask poky's llvm if we're using clang
Rui Miguel Silva (1):
arm-bsp/optee: bump corstone1000 to v3.20
Satish Kumar (1):
arm-bsp/corstone1000: new gpt based disk layout and fwu metadata
Xueliang Zhong (1):
arm-bsp/n1sdp: update to linux yocto kernel 6.1
meta-security: c06b9a18a6..a397a38ed9:
Armin Kuster (16):
openscap: update to 1.3.6
openscap: update to 1.3.7
openscap git: add DEFAULT_PREFERENCE
python3-fail2ban: update to 1.0.2
python3-privacyidea: update to 3.8.1
libhtp: update to 0.5.42
lkrg-modules: update to 0.9.6
chkrootkit: update to 0.57
fscrypt: update to 1.1.0
libmspack: update to 1.11
firejail: update 0.9.72
suricata: update to 6.0.10
apparmor: update to 3.1.3
krill: update 0.12.3
cryptmout: update to 6.2.0
packagegroup-core-security: refactor the inclusion of krill
Eero Aaltonen (1):
dm-verity-img.bbclass: fix syntax warning
Jose Quaresma (3):
meta-hardening/layer: lower the priority from 10 to 6
meta-security-compliance/layer: lower the priority from 10 to 6
meta-tpm/layer: lower the priority from 10 to 6
Kevin Hao (1):
dm-verity-img.bbclass: Fix the hash offset alignment issue
Mikko Rapeli (1):
ima-evm-utils: disable documentation from build
Paul Gortmaker (3):
dm-verity: update beaglebone wic to match meta-yocto
dm-verity: add basic non-arch/non-BSP yocto specific settings
dm-verity: document board specifics for Beaglebone Black
Peter Marko (1):
tpm2-tss: correct CVE product
meta-raspberrypi: e15b876155..3afdbbf782:
Carlos Alberto Lopez Perez (1):
mesa-demos: enable build with userland graphics drivers.
Khem Raj (6):
linux-raspberrypi: Add recipes for 6.1 kernel
psplash: Make psplash wait for the framebuffer to be ready
rpi-default-versions: Use 6.1 kernel as default
gstreamer1.0-plugins-bad: Drop gpl packageconfig
rpidistro-ffmpeg: Pin to use gcc always
rpidistro-vlc: Fix build with clang16
Signed-off-by: Andrew Geissler <geissonator@yahoo.com>
Change-Id: Ie6e60085306d31972098b87738eb550e5140b92a
Diffstat (limited to 'meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a')
5 files changed, 173 insertions, 15 deletions
diff --git a/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/files/corstone1000/0002-feat-corstone1000-bl2-loads-fip-based-on-metadata.patch b/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/files/corstone1000/0002-feat-corstone1000-bl2-loads-fip-based-on-metadata.patch new file mode 100644 index 0000000000..3afaa4b03b --- /dev/null +++ b/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/files/corstone1000/0002-feat-corstone1000-bl2-loads-fip-based-on-metadata.patch 
@@ -0,0 +1,167 @@ +From 360aa32846a97e775750e06865d462c6258179fa Mon Sep 17 00:00:00 2001 +From: Mohamed Omar Asaker <mohamed.omarasaker@arm.com> +Date: Mon, 9 Jan 2023 13:59:06 +0000 +Subject: [PATCH] feat(corstone1000): bl2 loads fip based on metadata + +Previously bl2 was reading the boot_index directly with a hard coded +address and then set the fip image spec with fip offsets base based on +the boot_index value. +This commit removes this logic and rely on PSA_FWU_SUPPORT +which reads the fip partition based on the active firmware bank written in +metadata. + +Note: fip partition contains signature area at the begining. Hence, the fip +image starts at fip partition + fip signature area size. + +Upstream-Status: Pending +Signed-off-by: Mohamed Omar Asaker <mohamed.omarasaker@arm.com> + +%% original patch: 0002-feat-corstone1000-bl2-loads-fip-based-on-metadata.patch +--- + bl2/bl2_main.c | 4 +++ + .../corstone1000/common/corstone1000_plat.c | 32 ++++++------------- + .../common/include/platform_def.h | 12 +++---- + tools/cert_create/Makefile | 4 +-- + tools/fiptool/Makefile | 4 +-- + 5 files changed, 24 insertions(+), 32 deletions(-) + +diff --git a/bl2/bl2_main.c b/bl2/bl2_main.c +index 5da803795..f25dc3029 100644 +--- a/bl2/bl2_main.c ++++ b/bl2/bl2_main.c +@@ -86,6 +86,10 @@ void bl2_main(void) + /* Perform remaining generic architectural setup in S-EL1 */ + bl2_arch_setup(); + ++#if ARM_GPT_SUPPORT ++ partition_init(GPT_IMAGE_ID); ++#endif ++ + #if PSA_FWU_SUPPORT + fwu_init(); + #endif /* PSA_FWU_SUPPORT */ +diff --git a/plat/arm/board/corstone1000/common/corstone1000_plat.c b/plat/arm/board/corstone1000/common/corstone1000_plat.c +index 0235f8b84..7f9708a82 100644 +--- a/plat/arm/board/corstone1000/common/corstone1000_plat.c ++++ b/plat/arm/board/corstone1000/common/corstone1000_plat.c +@@ -33,36 +33,17 @@ const mmap_region_t plat_arm_mmap[] = { + static void set_fip_image_source(void) + { + const struct plat_io_policy *policy; +- /* +- * metadata for 
firmware update is written at 0x0000 offset of the flash. +- * PLAT_ARM_BOOT_BANK_FLAG contains the boot bank that TF-M is booted. +- * As per firmware update spec, at a given point of time, only one bank +- * is active. This means, TF-A should boot from the same bank as TF-M. +- */ +- volatile uint32_t *boot_bank_flag = (uint32_t *)(PLAT_ARM_BOOT_BANK_FLAG); +- +- if (*boot_bank_flag > 1) { +- VERBOSE("Boot_bank is set higher than possible values"); +- } +- +- VERBOSE("Boot bank flag = %u.\n\r", *boot_bank_flag); + + policy = FCONF_GET_PROPERTY(arm, io_policies, FIP_IMAGE_ID); + + assert(policy != NULL); + assert(policy->image_spec != 0UL); + ++ /* FIP Partition contains Signature area at the begining which TF-A doesn't expect */ + io_block_spec_t *spec = (io_block_spec_t *)policy->image_spec; ++ spec->offset += FIP_SIGNATURE_AREA_SIZE; ++ spec->length -= FIP_SIGNATURE_AREA_SIZE; + +- if ((*boot_bank_flag) == 0) { +- VERBOSE("Booting from bank 0: fip offset = 0x%lx\n\r", +- PLAT_ARM_FIP_BASE_BANK0); +- spec->offset = PLAT_ARM_FIP_BASE_BANK0; +- } else { +- VERBOSE("Booting from bank 1: fip offset = 0x%lx\n\r", +- PLAT_ARM_FIP_BASE_BANK1); +- spec->offset = PLAT_ARM_FIP_BASE_BANK1; +- } + } + + void bl2_platform_setup(void) +@@ -75,6 +56,13 @@ void bl2_platform_setup(void) + set_fip_image_source(); + } + ++void bl2_early_platform_setup2(u_register_t arg0, u_register_t arg1, ++ u_register_t arg2, u_register_t arg3) ++{ ++ arm_bl2_early_platform_setup((uintptr_t)arg0, (meminfo_t *)arg1); ++ NOTICE("CS1k: early at bl2_platform_setup\n"); ++} ++ + /* corstone1000 only has one always-on power domain and there + * is no power control present + */ +diff --git a/plat/arm/board/corstone1000/common/include/platform_def.h b/plat/arm/board/corstone1000/common/include/platform_def.h +index 584d485f3..0bfab05a4 100644 +--- a/plat/arm/board/corstone1000/common/include/platform_def.h ++++ b/plat/arm/board/corstone1000/common/include/platform_def.h +@@ -173,16 +173,16 @@ + + /* NOR 
Flash */ + +-#define PLAT_ARM_BOOT_BANK_FLAG UL(0x08002000) +-#define PLAT_ARM_FIP_BASE_BANK0 UL(0x081EF000) +-#define PLAT_ARM_FIP_BASE_BANK1 UL(0x0916F000) +-#define PLAT_ARM_FIP_MAX_SIZE UL(0x1ff000) /* 1.996 MB */ +- + #define PLAT_ARM_NVM_BASE V2M_FLASH0_BASE + #define PLAT_ARM_NVM_SIZE (SZ_32M) /* 32 MB */ ++#define PLAT_ARM_FIP_MAX_SIZE UL(0x1ff000) /* 1.996 MB */ + +-#define PLAT_ARM_FLASH_IMAGE_BASE PLAT_ARM_FIP_BASE_BANK0 ++#define PLAT_ARM_FLASH_IMAGE_BASE UL(0x08000000) + #define PLAT_ARM_FLASH_IMAGE_MAX_SIZE PLAT_ARM_FIP_MAX_SIZE ++#define PLAT_ARM_FIP_OFFSET_IN_GPT (0x86000) ++ ++/* FIP Information */ ++#define FIP_SIGNATURE_AREA_SIZE (0x1000) /* 4 KB */ + + /* + * Some data must be aligned on the biggest cache line size in the platform. +diff --git a/tools/cert_create/Makefile b/tools/cert_create/Makefile +index ca548b836..32b5486a0 100644 +--- a/tools/cert_create/Makefile ++++ b/tools/cert_create/Makefile +@@ -69,8 +69,8 @@ INC_DIR += -I ./include -I ${PLAT_INCLUDE} -I ${OPENSSL_DIR}/include + # directory. However, for a local build of OpenSSL, the built binaries are + # located under the main project directory (i.e.: ${OPENSSL_DIR}, not + # ${OPENSSL_DIR}/lib/). +-LIB_DIR := -L ${OPENSSL_DIR}/lib -L ${OPENSSL_DIR} +-LIB := -lssl -lcrypto ++LIB_DIR := -L ${OPENSSL_DIR}/lib -L ${OPENSSL_DIR} ${BUILD_LDFLAGS} ${BUILD_LDFLAGS} ${BUILD_LDFLAGS} ${BUILD_LDFLAGS} ${BUILD_LDFLAGS} ${BUILD_LDFLAGS} ++LIB := -lssl -lcrypto ${BUILD_LDFLAGS} ${BUILD_LDFLAGS} ${BUILD_LDFLAGS} ${BUILD_LDFLAGS} ${BUILD_LDFLAGS} ${BUILD_LDFLAGS} + + HOSTCC ?= gcc + +diff --git a/tools/fiptool/Makefile b/tools/fiptool/Makefile +index e6aeba95b..7c047479e 100644 +--- a/tools/fiptool/Makefile ++++ b/tools/fiptool/Makefile +@@ -29,7 +29,7 @@ endif + # directory. However, for a local build of OpenSSL, the built binaries are + # located under the main project directory (i.e.: ${OPENSSL_DIR}, not + # ${OPENSSL_DIR}/lib/). 
+-LDLIBS := -L${OPENSSL_DIR}/lib -L${OPENSSL_DIR} -lcrypto ++LDLIBS := -L${OPENSSL_DIR}/lib -L${OPENSSL_DIR} -lcrypto ${BUILD_LDFLAGS} ${BUILD_LDFLAGS} ${BUILD_LDFLAGS} ${BUILD_LDFLAGS} ${BUILD_LDFLAGS} ${BUILD_LDFLAGS} + + ifeq (${V},0) + Q := @ +@@ -37,7 +37,7 @@ else + Q := + endif + +-INCLUDE_PATHS := -I../../include/tools_share -I${OPENSSL_DIR}/include ++INCLUDE_PATHS := -I../../include/tools_share -I${OPENSSL_DIR}/include ${BUILD_CFLAGS} ${BUILD_CFLAGS} ${BUILD_CFLAGS} ${BUILD_CFLAGS} ${BUILD_CFLAGS} ${BUILD_CFLAGS} + + HOSTCC ?= gcc + +-- +2.25.1 + diff --git a/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a-corstone1000.inc b/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a-corstone1000.inc index 3034680d31..008103469e 100644 --- a/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a-corstone1000.inc +++ b/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a-corstone1000.inc @@ -6,7 +6,8 @@ FILESEXTRAPATHS:prepend := "${THISDIR}/files/corstone1000:" SRC_URI:append = " \ file://0001-Fix-FF-A-version-in-SPMC-manifest.patch \ - " + file://0002-feat-corstone1000-bl2-loads-fip-based-on-metadata.patch \ + " TFA_DEBUG = "1" TFA_UBOOT ?= "1" @@ -31,6 +32,9 @@ EXTRA_OEMAKE:append = " \ CREATE_KEYS=1 \ GENERATE_COT=1 \ TRUSTED_BOARD_BOOT=1 \ + ARM_GPT_SUPPORT=1 \ + PSA_FWU_SUPPORT=1 \ + NR_OF_IMAGES_IN_FW_BANK=4 \ COT=tbbr \ ARM_ROTPK_LOCATION=devel_rsa \ ROT_KEY=plat/arm/board/common/rotpk/arm_rotprivk_rsa.pem \ diff --git a/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a-fvp-arm32.inc b/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a-fvp-arm32.inc deleted file mode 100644 index fdaadb9fc6..0000000000 --- a/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a-fvp-arm32.inc +++ /dev/null 
@@ -1,12 +0,0 @@ -# Armv7-A FVP specific TFA parameters - -COMPATIBLE_MACHINE = "fvp-base-arm32" -TFA_PLATFORM = "fvp" -TFA_UBOOT = "1" -TFA_BUILD_TARGET = "dtbs bl1 bl32 fip" - -EXTRA_OEMAKE:append = " \ - ARCH=aarch32 \ - AARCH32_SP=sp_min \ - " - diff --git a/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a-fvp.inc b/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a-fvp.inc index 43340cdc7b..ca96b4484f 100644 --- a/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a-fvp.inc +++ b/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a-fvp.inc @@ -8,5 +8,5 @@ COMPATIBLE_MACHINE = "fvp-base" TFA_PLATFORM = "fvp" TFA_DEBUG = "1" TFA_MBEDTLS = "1" -TFA_UBOOT = "1" +TFA_UBOOT ?= "1" TFA_BUILD_TARGET = "bl1 bl2 bl31 dtbs fip" diff --git a/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a_2.8.%.bbappend b/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a_2.8.%.bbappend index 09ed3f793a..220dd6e33e 100644 --- a/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a_2.8.%.bbappend +++ b/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a_2.8.%.bbappend @@ -6,7 +6,6 @@ MACHINE_TFA_REQUIRE ?= "" MACHINE_TFA_REQUIRE:corstone500 = "trusted-firmware-a-corstone500.inc" MACHINE_TFA_REQUIRE:corstone1000 = "trusted-firmware-a-corstone1000.inc" MACHINE_TFA_REQUIRE:fvp-base = "trusted-firmware-a-fvp.inc" -MACHINE_TFA_REQUIRE:fvp-base-arm32 = "trusted-firmware-a-fvp-arm32.inc" MACHINE_TFA_REQUIRE:juno = "trusted-firmware-a-juno.inc" MACHINE_TFA_REQUIRE:n1sdp = "trusted-firmware-a-n1sdp.inc" MACHINE_TFA_REQUIRE:sgi575 = "trusted-firmware-a-sgi575.inc" |
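Review bot: In the bl2/bl2_main.c hunk, the result of partition_init(GPT_IMAGE_ID) is discarded, so a missing or corrupt GPT is not caught at this point and fwu_init() runs next regardless. Check the return value and stop the boot, or at least log at ERROR level, on failure. This is also a change to generic BL2 code carried inside a patch whose subject is feat(corstone1000); the patch description should say that it touches bl2_main() for every build with ARM_GPT_SUPPORT set.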
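Review bot: In set_fip_image_source() in corstone1000_plat.c, "spec->length -= FIP_SIGNATURE_AREA_SIZE;" has no guard that spec->length is at least FIP_SIGNATURE_AREA_SIZE, so a length smaller than the signature area wraps around instead of failing; the two asserts only cover policy and policy->image_spec. Add an explicit runtime check before the adjustment (not an assert, which can be compiled out) and refuse to continue if it does not hold. The adjustment also modifies the spec in place, so a second call would skip a further 4 KB, and the new comment has a typo ("begining").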
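Review bot: In the new bl2_early_platform_setup2() in corstone1000_plat.c, the NOTICE string reads "CS1k: early at bl2_platform_setup", which names a different function and looks like leftover debug output; drop it or lower it to VERBOSE with the correct name. arg2 and arg3 are unused, and the patch description does not mention this override or why the platform needs it.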
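Review bot: In the platform_def.h hunk, PLAT_ARM_FIP_OFFSET_IN_GPT (0x86000) and FIP_SIGNATURE_AREA_SIZE (0x1000) are written without the UL() wrapper used by the neighbouring constants, and PLAT_ARM_FIP_OFFSET_IN_GPT is not referenced in any of the visible hunks. Use UL() so the offset arithmetic has a consistent type, and either use the macro or drop it. PLAT_ARM_FLASH_IMAGE_BASE is now the bare address UL(0x08000000); a comment saying what is expected at that address would help.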
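Review bot: In the tools/cert_create/Makefile and tools/fiptool/Makefile hunks, ${BUILD_LDFLAGS} is appended six times to each of LIB_DIR, LIB and LDLIBS, and ${BUILD_CFLAGS} six times to INCLUDE_PATHS. One occurrence is enough; the repetition suggests the patch was regenerated on top of an already modified tree. These host-tool build changes are unrelated to the stated subject ("bl2 loads fip based on metadata") and are not mentioned in the patch description, so they belong in a separate patch.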
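Review bot: In the trusted-firmware-a-corstone1000.inc hunk, NR_OF_IMAGES_IN_FW_BANK=4 is added to EXTRA_OEMAKE with no comment saying which four images it counts; add one, since the value is not explained anywhere in the patch description either. The carried 0002 patch is marked Upstream-Status: Pending and still has a "%% original patch:" line in its header, which should be removed before it is merged.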