diff options
author | Andrew Geissler <geissonator@yahoo.com> | 2023-10-03 17:44:52 +0300 |
---|---|---|
committer | Andrew Geissler <geissonator@yahoo.com> | 2023-10-03 18:04:36 +0300 |
commit | 1e488cdf844bf4aa82d3c90875a56fb35c7f210d (patch) | |
tree | be163d890651760d24effea503cd567df3e119b5 /meta-arm/meta-arm | |
parent | 4f6b1c0dcf9f9cb734f71b277af913e0d58c503f (diff) | |
download | openbmc-mickledore.tar.xz |
subtree updates oct 3 2023mickledore
poky: fc25449687..a61e021c65:
Alberto Planas (1):
bitbake.conf: add unzstd in HOSTTOOLS
Alejandro Hernandez Samaniego (2):
baremetal-helloworld: Update SRCREV to fix entry addresses for ARM architectures
baremetal-helloworld: Fix race condition
Alex Kiernan (2):
rootfs: Add debugfs package db file copy and cleanup
rpm: Pick debugfs package db files/dirs explicitly
Alexander Kanavin (35):
maintaines.inc: unassign Richard Weinberger from erofs-utils entry
maintainers.inc: unassign Andreas Müller from itstool entry
maintainers.inc: unassign Pascal Bach from cmake entry
maintainers.inc: correct unassigned entries
maintainers.inc: correct Carlos Rafael Giani's email address
apr: upgrade 1.7.3 -> 1.7.4
scripts/runqemu: split lock dir creation into a reusable function
scripts/runqemu: allocate unfsd ports in a way that doesn't race or clash with unrelated processes
qemu: a pending patch was submitted and accepted upstream
maintainers.inc: unassign Adrian Bunk from wireless-regdb
maintainers.inc: unassign Alistair Francis from opensbi
maintainers.inc: unassign Chase Qi from libc-test
maintainers.inc: unassign Oleksandr Kravchuk from python3 and all other items
maintainers.inc: unassign Ricardo Neri from ovmf
grub: submit determinism.patch upstream
gawk: upgrade 5.2.1 -> 5.2.2
gnupg: upgrade 2.4.0 -> 2.4.2
libx11: upgrade 1.8.4 -> 1.8.5
linux-firmware: upgrade 20230404 -> 20230515
serf: upgrade 1.3.9 -> 1.3.10
wget: upgrade 1.21.3 -> 1.21.4
wireless-regdb: upgrade 2023.02.13 -> 2023.05.03
gdb: upgrade 13.1 -> 13.2
sysfsutils: fetch a supported fork from github
diffutils: update 3.9 -> 3.10
libproxy: fetch from git
cargo.bbclass: set up cargo environment in common do_compile
rust-common.bbclass: move musl-specific linking fix from rust-source.inc
Revert "rootfs-postcommands.bbclass: add post func remove_unused_dnf_log_lock"
ref-manual: document image-specific variant of INCOMPATIBLE_LICENSE
glibc-locale: use stricter matching for metapackages' runtime dependencies
devtool/upgrade: raise an error if extracting source produces more than one directory
curl: ensure all ptest failures are caught
python3: upgrade 3.11.2 -> 3.11.3
python3: update 3.11.3 -> 3.11.4
Alexis Lothoré (2):
scripts/resulttool: add mention about new detected tests
oeqa/utils/gitarchive: fix tag computation when creating archive
Andrej Valek (2):
busybox: 1.36.0 -> 1.36.1
maintainers.inc: Modify email address
Anuj Mittal (7):
gstreamer1.0: upgrade 1.22.2 -> 1.22.3
selftest/cases/glibc.py: fix the override syntax
glibc/check-test-wrapper: don't emit warnings from ssh
selftest/cases/glibc.py: increase the memory for testing
oeqa/utils/nfs: allow requesting non-udp ports
selftest/cases/glibc.py: switch to using NFS over TCP
gstreamer1.0: upgrade 1.22.4 -> 1.22.5
Archana Polampalli (3):
qemu: fix CVE-2023-0330
bind: upgrade 9.18.15 -> 9.18.16
vim: upgrade 9.0.1592 -> 9.0.1664
BELOUARGA Mohamed (2):
meta: lib: oe: npm_registry: Add more safe caracters
linux-firmware : Add firmware of RTL8822 serie
Benjamin Bouvier (1):
util-linux: add alternative links for ipcs,ipcrm
Bruce Ashfield (33):
linux-yocto/6.1: update to v6.1.26
linux-yocto/6.1: update to v6.1.27
linux-yocto/6.1: update to v6.1.28
linux-yocto/6.1: update to v6.1.29
linux-yocto/6.1: update to v6.1.30
linux-yocto/6.1: update to v6.1.31
linux-yocto/6.1: update to v6.1.32
linux-yocto/5.15: update to v5.15.114
linux-yocto/5.15: update to v5.15.115
linux-yocto/5.15: update to v5.15.116
linux-yocto/5.15: update to v5.15.117
linux-yocto/5.15: update to v5.15.118
linux-yocto/5.15: cfg: fix DECNET configuration warning
linux-yocto/6.1: update to v6.1.33
linux-yocto/6.1: fix intermittent x86 boot hangs
linux-yocto/6.1: update to v6.1.34
linux-yocto/6.1: update to v6.1.35
linux-yocto/5.15: update to v5.15.119
linux-yocto/5.15: update to v5.15.120
linux-yocto/6.1: update to v6.1.36
linux-yocto/6.1: update to v6.1.37
linux-yocto/6.1: update to v6.1.38
linux-yocto/5.15: update to v5.15.122
linux-yocto/5.15: update to v5.15.123
linux-yocto/5.15: update to v5.15.124
linux-yocto/6.1: cfg: update ima.cfg to match current meta-integrity
linux-yocto/6.1: update to v6.1.41
linux-yocto/6.1: update to v6.1.43
linux-yocto/6.1: update to v6.1.44
linux-yocto/6.1: update to v6.1.45
linux-yocto/6.1: fix uninitialized read in nohz_full/isolcpus setup
linux-yocto/6.1: update to v6.1.46
linux-yocto/6.1: fix IRQ-80 warnings
Changqing Li (4):
systemd: fix a dead link under /var/log
dnf: only write the log lock to root for native dnf
rootfs-postcommands.bbclass: add post func remove_unused_dnf_log_lock
erofs-utils: fix CVE-2023-33551/CVE-2023-33552
Charlie Wu (1):
devtool: Fix the wrong variable in srcuri_entry
Chee Yang Lee (6):
python3-requests: fix CVE-2023-32681
curl: fix CVE-2023-32001
ghostscript: fix CVE-2023-38559
librsvg: upgrade to 2.54.6
libssh2: fix CVE-2020-22218
python3: update to 3.11.5
Chen Qi (13):
cmake.bbclass: do not search host paths for find_program()
qemurunner.py: fix error message about qmp
sdk.py: error out when moving file fails
sdk.py: fix moving dnf contents
rpm: write macros under libdir
zip: fix configure check by using _Static_assert
zip: remove unnecessary LARGE_FILE_SUPPORT CLFAGS
unzip: fix configure check for cross compilation
unzip: remove hardcoded LARGE_FILE_SUPPORT
ncurses: fix CVE-2023-29491
cmake.bbclass: fix allarch override syntax
multilib.conf: explicitly make MULTILIB_VARIANTS vardeps on MULTILIBS
gcc-crosssdk: ignore MULTILIB_VARIANTS in signature computation
Daniel Semkowicz (1):
dev-manual: wic.rst: Update native tools build command
Deepthi Hemraj (2):
glibc: stable 2.37 branch updates.
binutils: stable 2.40 branch updates
Denys Dmytriyenko (1):
binutils: move packaging of gprofng static lib into common .inc
Dmitry Baryshkov (3):
openssl: fix building on riscv32
linux-firmware: package firmare for Dragonboard 410c
linux-firmware: split platform-specific Adreno shaders to separate packages
Ed Beroset (1):
ref-manual: add clarification for SRCREV
Enrico Scholz (1):
shadow-sysroot: add license information
Etienne Cordonnier (2):
libxcrypt: fix hard-coded ".so" extension
vim: update obsolete comment
Fabien Mahot (2):
useradd-example: package typo correction
oeqa/selftest/bbtests: add non-existent prefile/postfile tests
Frieder Paape (1):
image_types: Fix reproducible builds for initramfs and UKI img
Frieder Schrempf (1):
psmisc: Set ALTERNATIVE for pstree to resolve conflict with busybox
Hannu Lounento (1):
profile-manual: fix blktrace remote usage instructions
Ian Ray (1):
systemd-systemctl: support instance expansion in WantedBy
Jaeyoon Jung (1):
cml1: Fix KCONFIG_CONFIG_COMMAND not conveyed fully in do_menuconfig
Jermain Horsman (1):
logrotate: Do not create logrotate.status file
Joe Slater (1):
ghostscript: fix CVE-2023-36664
Joel Stanley (1):
kernel: don't fail if Modules.symvers doesn't exist
Jose Quaresma (8):
kernel: config modules directories are handled by kernel-module-split
kernel-module-split: install config modules directories only when they are needed
kernel-module-split: use context manager to open files
kernel-module-split: make autoload and probeconf distribution specific
kernel-module-split add systemd modulesloaddir and modprobedir config
openssl: add PERLEXTERNAL path to test its existence
openssl: use a glob on the PERLEXTERNAL to track updates on the path
go: update 1.20.5 -> 1.20.6
Julien Stephan (1):
automake: fix buildtest patch
Jörg Sommer (2):
runqemu-gen-tapdevs: Refactoring
runqemu-ifupdown/get-tapdevs: Add support for ip tuntap
Kai Kang (4):
pm-utils: fix multilib conflictions
webkitgtk: 2.38.5 -> 2.38.6
webkitgtk: fix CVE-2023-32439
webkitgtk: fix CVE-2023-32435
Khem Raj (10):
systemd: Drop a backport
perf: Make built-in libtraceevent plugins cohabit with external libtraceevent
glibc: Pass linker choice via compiler flags
babeltrace2: Always use BFD linker when building tests with ld-is-lld distro feature
parted: Add missing libuuid to linker cmdline for libparted-fs-resize.so
rpcsvc-proto: Upgrade to 1.4.4
libxml2: Do not use lld linker when building with tests on rv64
python3-bcrypt: Use BFD linker when building tests
meson.bbclass: Point to llvm-config from native sysroot
build-sysroots: Add SUMMARY field
Lee Chee Yang (7):
migration-guides: add release notes for 4.0.10
migration-guides: add release notes for 4.0.11
migration-guides: add release notes for 4.2.2
migration-guides: add release notes for 4.2.3
migration-guides: add release notes for 4.0.12
bind: update to 9.18.19
ffmpeg: 5.1.2 -> 5.1.3
Marc Ferland (1):
connman: fix warning by specifying runstatedir at configure time
Marek Vasut (1):
linux-firmware: Fix mediatek mt7601u firmware path
Mark Hatle (1):
tcf-agent: Update to 1.8.0 release
Markus Niebel (1):
wic: fix wrong attempt to create file system in upartitioned regions
Markus Volk (3):
ell: upgrade 0.56 -> 0.57
gtk4: upgrade 4.10.3 -> 4.10.4
gtk4: upgrade 4.10.4 -> 4.10.5
Martin Jansa (8):
libx11: remove unused patch and FILESEXTRAPATHS
qemu: remove unused qemu-7.0.0-glibc-2.36.patch
minicom: remove unused patch files
inetutils: remove unused patch files
libgloss: remove unused patch file
kmod: remove unused ptest.patch
tcl: prevent installing another copy of tzdata
gcc: backport a fix for ICE caused by CVE-2023-4039.patch
Michael Halstead (4):
resulttool/resultutils: allow index generation despite corrupt json
yocto-uninative: Update hashes for uninative 4.1
yocto-uninative: Update to 4.2 for glibc 2.38
yocto-uninative: Update to 4.3
Michael Opdenacker (13):
ref-manual: releases.svg: updates
conf.py: add macro for Mitre CVE links
ref-manual: LTS releases now supported for 4 years
poky.conf: update SANITY_TESTED_DISTROS to match autobuilder
scripts/create-pull-request: update URLs to git repositories
ref-manual: system-requirements: update supported distros
manuals: add new contributor guide
dev-manual: disk-space: mention faster "find" command to trim sstate cache
sdk-manual: extensible.rst: fix multiple formatting issues
dev-manual: disk-space: improve wording for obsolete sstate cache files
dev-manual: new-recipe.rst fix inconsistency with contributor guide
contributor-guide: recipe-style-guide: add Upstream-Status
dev-manual: licenses: mention SPDX for license compliance
Mikko Rapeli (1):
useradd-staticids.bbclass: improve error message
Mingli Yu (5):
curl: fix CVE-2023-28319 through CVE-2023-28322
python3-numpy: remove NPY_INLINE, use inline instead
acpica: Update SRC_URI
cups: Fix CVE-2023-34241
ruby: Fix CVE-2023-36617
Narpat Mali (5):
python3-certifi: upgrade 2022.12.7 -> 2023.7.22
ffmpeg: add CVE_CHECK_IGNORE for CVE-2023-39018
python3-git: upgrade 3.1.31 -> 3.1.32
python3-pygments: fix for CVE-2022-40896
python3-git: upgrade 3.1.32 -> 3.1.37
Natasha Bailey (1):
tiff: backport a fix for CVE-2023-2731
Oleksandr Hnatiuk (2):
file: return wrapper to fix builds when file is in buildtools-tarball
file: fix the way path is written to environment-setup.d
Ovidiu Panait (7):
mdadm: fix util-linux ptest dependency
mdadm: fix 07revert-inplace ptest
mdadm: fix segfaults when running ptests
mdadm: skip running known broken ptests
mdadm: re-add mdadm-ptest to PTESTS_SLOW
mdadm: add util-linux-blockdev ptest dependency
mdadm: skip running 04update-uuid and 07revert-inplace testcases
Peter Marko (7):
cve-update-nvd2-native: fix cvssV3 metrics
cve-update-nvd2-native: retry all errors and sleep between retries
cve-update-nvd2-native: increase retry count
libjpeg-turbo: patch CVE-2023-2804
python3: ignore CVE-2023-36632
libarchive: ignore CVE-2023-30571
openssl: Upgrade 3.1.1 -> 3.1.2
Peter Suti (1):
externalsrc: fix dependency chain issues
Poonam Jadhav (1):
pixman: Remove duplication of license MIT
Quentin Schulz (3):
docs: bsp-guide: bsp: fix typo
docs: ref-manual: terms: fix typos in SPDX term
uboot-extlinux-config.bbclass: fix old override syntax in comment
Randolph Sapp (6):
weston-init: make sure the render group exists
weston-init: add weston user to the render group
weston-init: add the weston user to the wayland group
weston-init: fix the mixed indentation
weston-init: guard against systemd configs
weston-init: add profile to point users to global socket
Richard Purdie (24):
selftest/license: Exclude from world
layer.conf: Add missing dependency exclusion
v86d: Improve kernel dependency
strace: Disable failing test
bitbake: runqueue: Fix deferred task/multiconfig race issue
strace: Merge two similar patches
strace: Update patches/tests with upstream fixes
ptest-runner: Pull in sync fix to improve log warnings
ptest-runner: Ensure data writes don't race
ptest-runner: Pull in "runner: Remove threads and mutexes" fix
gcc-testsuite: Fix ppc cpu specification
ptest-runner: Pull in parallel test fixes and output handling
glibc-testsuite: Fix network restrictions causing test failures
oeqa/target/ssh: Ensure EAGAIN doesn't truncate output
oeqa/runtime/ltp: Increase ltp test output timeout
ltp: Add kernel loopback module dependency
target/ssh: Ensure exit code set for commands
oeqa/ssh: Further improve process exit handling
pseudo: Fix to work with glibc 2.38
lib/package_manager: Improve repo artefact filtering
gnupg: Fix reproducibility failure
resulttool/report: Avoid divide by zero
build-sysroots: Ensure dependency chains are minimal
vim: Upgrade 9.0.1664 -> 9.0.1894
Riyaz Khan (1):
openssh: Remove BSD-4-clause contents completely from codebase
Roland Hieber (2):
template: fix typo in section header
ref-manual: point outdated link to the new location
Ross Burton (24):
ninja: ignore CVE-2021-4336, wrong ninja
binutils: fix CVE-2023-1972
pkgconf: upgrade 1.9.4 -> 1.9.5
git: upgrade to 2.39.3
gobject-introspection: remove obsolete DEPENDS
cve-update-nvd2-native: handle all configuration nodes, not just first
cve-update-nvd2-native: use exact times, don't truncate
cve-update-nvd2-native: log a little more
cve-update-nvd2-native: actually use API keys
tiff: upgrade to 4.5.1
gcc: don't pass --enable-standard-branch-protection
machine/arch-arm64: add -mbranch-protection=standard
pkgconf: update SRC_URI
python3: fix missing comma in get_module_deps3.py
oeqa/runtime/cases/rpm: fix wait_for_no_process_for_user failure case
rootfs_rpm: don't depend on opkg-native for update-alternatives
ltp: add RDEPENDS on findutils
openssh: upgrade to 9.3p2
linux-yocto: add script to generate kernel CVE_CHECK_IGNORE entries
linux/cve-exclusion: add generated CVE_CHECK_IGNOREs
procps: backport fix for CVE-2023-4016
graphene: fix runtime detection of IEEE754 behaviour
gcc: Fix -fstack-protector issue on aarch64
linux-yocto: update CVE exclusions
Sakib Sajal (4):
go: Upgrade 1.20.4 -> 1.20.5
bno_plot.py, btt_plot.py: Ask for python3 specifically
go: fix CVE-2023-24531
go: upgrade 1.20.6 -> 1.20.7
Sanjana (1):
binutils: Fix CVE-2023-39128
Sanjay Chitroda (2):
cups: Fix CVE-2023-32324
curl: Add CVE-2023-28320 follow-up fix
Siddharth (1):
tiff: Security fix for CVE-2023-25434 and CVE-2023-26965
Siddharth Doshi (1):
gdb: Fix CVE-2023-39128
Soumya (1):
perl: Fix CVE-2023-31484 & CVE-2023-31486
Staffan Rydén (1):
kernel: Fix path comparison in kernel staging dir symlinking
Steve Sakoman (6):
maintainers.inc: update version for gcc-source
Revert "systemd: fix a dead link under /var/log"
poky.conf: bump version for 4.2.2 release
build-appliance-image: Update to mickledore head revision
poky.conf: bump version for 4.2.3 release
build-appliance-image: Update to mickledore head revision
Stéphane Veyret (1):
scripts/oe-setup-builddir: copy conf-notes.txt to build dir
Sudip Mukherjee (2):
dpkg: upgrade to v1.21.22
bind: upgrade to v9.18.17
Sundeep KOKKONDA (1):
gcc : upgrade to v12.3
Thomas Roos (1):
testimage/oeqa: Drop testimage_dump_host functionality
Tim Orling (1):
openssl: upgrade 3.1.0 -> 3.1.1
Tom Hochstein (1):
weston: Cleanup and fix x11 and xwayland dependencies
Trevor Gamblin (4):
bind: upgrade 9.18.13 -> 9.18.14
glib-networking: use correct error code in ptest
vim: upgrade 9.0.1527 -> 9.0.1592
linux-firmware: upgrade 20230515 -> 20230625
Wang Mingyu (24):
babeltrace2: upgrade 2.0.4 -> 2.0.5
fribidi: upgrade 1.0.12 -> 1.0.13
libdnf: upgrade 0.70.0 -> 0.70.1
libmicrohttpd: upgrade 0.9.76 -> 0.9.77
libxft: upgrade 2.3.7 -> 2.3.8
libxpm: upgrade 3.5.15 -> 3.5.16
mobile-broadband-provider-info: upgrade 20221107 -> 20230416
bind: upgrade 9.18.14 -> 9.18.15
xdpyinfo: upgrade 1.3.3 -> 1.3.4
libxml2: upgrade 2.10.3 -> 2.10.4
freetype: upgrade 2.13.0 -> 2.13.1
gstreamer1.0: upgrade 1.22.3 -> 1.22.4
libassuan: upgrade 2.5.5 -> 2.5.6
libksba: upgrade 1.6.3 -> 1.6.4
libx11: upgrade 1.8.5 -> 1.8.6
lttng-ust: upgrade 2.13.5 -> 2.13.6
taglib: upgrade 1.13 -> 1.13.1
libwebp: upgrade 1.3.0 -> 1.3.1
libnss-nis: upgrade 3.1 -> 3.2
opkg: upgrade 0.6.1 -> 0.6.2
opkg-utils: upgrade 0.5.0 -> 0.6.2
file: upgrade 5.44 -> 5.45
tar: upgrade 1.34 -> 1.35
bind: upgrade 9.18.17 -> 9.18.18
Xiangyu Chen (1):
dbus: upgrade 1.14.6 -> 1.14.8
Yash Shinde (1):
glibc: fix CVE-2023-4527
Yi Zhao (1):
ifupdown: install missing directories
Yoann Congal (3):
recipetool: Fix inherit in created -native* recipes
oeqa/selftest/devtool: add unit test for "devtool add -b"
dev-manual: remove unsupported :term: markup inside markup
Yogita Urade (8):
dmidecode: fix CVE-2023-30630
qemu: fix CVE-2023-3301
qemu: fix CVE-2023-3255
qemu: fix CVE-2023-2861
inetutils: fix CVE-2023-40303
nghttp2: fix CVE-2023-35945
dropbear: fix CVE-2023-36328
qemu: fix CVE-2023-3354
Yuta Hayama (1):
systemd-systemctl: fix errors in instance name expansion
nikhil (1):
libwebp: Fix CVE-2023-1999
sanjana (2):
binutils: stable 2.40 branch updates
glibc: stable 2.37 branch updates
meta-openembedded: 9286582126..922f41b39f:
Armin Kuster (1):
openldap: update to 2.5.16.
Beniamin Sandu (1):
lmsensors: do not pull in unneeded perl modules for run-time dependencies
Changqing Li (2):
redis: upgrade 6.2.12 -> 6.2.13
redis: upgrade 7.0.11 -> 7.0.12
Chee Yang Lee (2):
rabbitmq-c: Fix CVE-2023-35789
c-ares: upgrade 1.19.0 -> 1.19.1
Chen Qi (3):
redis: use the files path correctly
grpc: fix CVE-2023-32732
grpc: fix CVE-2023-33953
Chris Dimich (1):
image_types_sparse: Fix syntax error
Hitendra Prajapati (4):
wireshark: Fix CVE-2023-2855 & CVE-2023-2856
wireshark: Fix CVE-2023-2858 & CVE-2023-2879
wireshark: CVE-2023-2952 XRA dissector infinite loop
wireshark: Fix Multiple CVEs
Jasper Orschulko (1):
yaml-cpp: Fix cmake export
Joe Slater (3):
libgpiod: modify test 'gpioset: toggle (continuous)'
python3-sqlparse: fix CVE-2023-30608
libgpiod: modify RDEPENDS for ptest
Khem Raj (2):
fftw: Check for TOOLCHAIN_OPTIONS to be non-empty before sed ops
system-config-printer: Delete __pycache__ files
Lee Chee Yang (2):
opensc: fix CVE-2023-2977
x11vnc: Fix CVE-2020-29074
Linus Jacobson (1):
khronos-cts: Replace wayland feature dependancy with vulkan
Martin Jansa (5):
libiio: use main branch instead of master
mongodb: enable hardware crc32 only with crc in TUNE_FEATURES
khronos-cts.inc: respect MLPREFIX when appending DEPENDS with anonymous python
libcyusbserial: fix installed-vs-shipped QA issue with multilib
tcpreplay: fix pcap detection with /usr/lib32 multilib
Mingli Yu (6):
dialog: Update the SRC_URI
gnulib: Update SRC_URI
yajl: Fix CVE-2023-33460
iniparser: Fix CVE-2023-33461
php: Upgrade to 8.2.8
mcelog: Drop unneeded autotools-brokensep
Polampalli, Archana (6):
tcpreplay: upgrade 4.4.3 -> 4.4.4
nodejs: upgrade 18.14.2 -> 18.16.1
yasm: fix CVE-2023-31975
nodejs: upgrade 18.16.1 -> 18.17.1
hwloc: fix CVE-2022-47022
python3-appdirs: print ptest results in unified format
Ross Burton (5):
glade: add autoconf-archive-native DEPENDS
libgxim: add autoconf-archive-native DEPENDS
libblockdev: clean up DEPENDS
imsettings: add missing DEPENDS on autoconf-archive-native
system-config-printer: clean up DEPENDS
Sandeep Gundlupet Raju 837 (1):
opencv: Revert fix runtime dependencies
Sanjay Chitroda (1):
netkit-telnet: Fix CVE-2022-39028
Soumya (1):
yasm: fix CVE-2023-37732
Soumya Sambu (1):
krb5: Fix CVE-2023-36054
Soumya via (1):
opencv: Fix for CVE-2023-2617
Urade, Yogita t.mo (1):
c-ares: fix CVE-2023-32067
Wang Mingyu (3):
python3-django: upgrade 4.1.7 -> 4.2.1
iperf3: upgrade 3.13 -> 3.14
tcpdump: upgrade 4.99.3 -> 4.99.4
Xiangyu Chen (2):
libbpf: installing uapi headers for native package
meta-oe: add pahole to NON_MULTILIB_RECIPES
Yi Zhao (4):
frr: upgrade 8.4.2 -> 8.4.4
mbedtls: upgrade 2.28.2 -> 2.28.3
open-vm-tools: Security fix CVE-2023-20867
frr: Security fix CVE-2023-3748
Yogita Urade (1):
poppler: fix CVE-2023-34872
meta-arm: 8db460fa5d..6e199b354e:
Abdellatif El Khlifi (6):
arm-bsp/documentation: corstone1000: Update change log
arm-bsp/doc: corstone1000: Update the software architecture document
arm-bsp/documentation: corstone1000: update the release note
arm-bsp/documentation: corstone1000: update user guide
kas: set the SHAs for 2023.06 release
arm-bsp/trusted-firmware-a: corstone1000: enable ERRATA_A35_855472
Adam Johnston (2):
CI: Platform specific Trusted Services config
arm-bsp/trusted-firmware-a: Reserve OP-TEE memory from NWd on N1SDP
Anton Antonov (1):
arm/oeqa: Make ts-service-test config match selected SPs
Denys Dmytriyenko (1):
optee-os: do not explicitly set CFG_MAP_EXT_DT_SECURE=y
Emekcan Aras (7):
arm-bsp/u-boot: corstone1000: Fix EFI multiple protocol install failure
arm-bsp/u-boot: corstone1000: Enable EFI set/get time services
arm-bsp/trusted-services: corstone1000: GetNextVariableName Fix
arm-bsp/optee-os:corstone1000: Drop SPMC non secure interrupt patches
arm-bsp/u-boot: corstone1000: Fix u-boot compilation warnings
arm-bsp/trusted-services: corstone1000: Fix PSA_RAW_KEY agreement test
arm-bsp/trusted-services: corstone1000: Fix Capsule Update
Gyorgy Szing (11):
arm/trusted-services: update TS version
optee-os: remove v3.18 pin of OP-TEE on qemuarm64-secureboot
optee-os: Add support for TOS_FW_CONFIG on qemu
arm/trusted-firmware-a: Add TOS_FW_CONFIG handling for quemu
optee-test: backport SWd ABI compatibility changes
optee-os: enable SPMC test
arm/oeqa: enable OP-TEE SPMC tests
trusted-services: update documentation
arm/trusted-services: disable psa-iat on qemuarm64-secureboot
arm/trusted-services: fix nanopb build error
optee-os: unblock NWd interrupts
Jon Mason (3):
CI: remove master refspec for meta-virtualization yml file
arm/linux-yocto: move 6.1 patches to a unique bbappend
README: remove reference to meta-arm-autonomy
Robbie Cao (1):
arm/recipes-kernel: Add preempt-rt support for generic-arm64
Rui Miguel Silva (3):
arm-bsp/trusted-services:corstone1000: remove already merged patches
arm-bsp/trusted-services: remove merged patches for corstone1000
arm-bps/corstone1000: setup trusted service proxy configuration
Tomás González (2):
arm-bsp/documentation: corstone1000: Update the user guide
arm-bsp/documentation: corstone1000: Update the release notes
Change-Id: I19ad289a1580a28192b5c063d06553d4e171687b
Signed-off-by: Andrew Geissler <geissonator@yahoo.com>
Diffstat (limited to 'meta-arm/meta-arm')
44 files changed, 1614 insertions, 51 deletions
diff --git a/meta-arm/meta-arm/conf/machine/qemuarm64-secureboot.conf b/meta-arm/meta-arm/conf/machine/qemuarm64-secureboot.conf index 7277817ddf..55c4cab457 100644 --- a/meta-arm/meta-arm/conf/machine/qemuarm64-secureboot.conf +++ b/meta-arm/meta-arm/conf/machine/qemuarm64-secureboot.conf @@ -23,6 +23,3 @@ WKS_FILE_DEPENDS = "trusted-firmware-a" IMAGE_BOOT_FILES = "${KERNEL_IMAGETYPE}" MACHINE_FEATURES += "optee-ftpm" - -PREFERRED_VERSION_optee-os ?= "3.18.%" - diff --git a/meta-arm/meta-arm/lib/oeqa/runtime/cases/trusted_services.py b/meta-arm/meta-arm/lib/oeqa/runtime/cases/trusted_services.py index a5f9376062..882989561d 100644 --- a/meta-arm/meta-arm/lib/oeqa/runtime/cases/trusted_services.py +++ b/meta-arm/meta-arm/lib/oeqa/runtime/cases/trusted_services.py @@ -3,25 +3,23 @@ from oeqa.runtime.case import OERuntimeTestCase from oeqa.core.decorator.depends import OETestDepends from oeqa.runtime.decorator.package import OEHasPackage +from oeqa.core.decorator.data import skipIfNotInDataVar class TrustedServicesTest(OERuntimeTestCase): - def run_test_tool(self, cmd, expected_status=0 ): + def run_test_tool(self, cmd, expected_status=0, expected_output=None ): """ Run a test utility """ status, output = self.target.run(cmd) self.assertEqual(status, expected_status, msg='\n'.join([cmd, output])) + if expected_output is not None: + self.assertEqual(output, expected_output, msg='\n'.join([cmd, output])) @OEHasPackage(['ts-demo']) @OETestDepends(['ssh.SSHTest.test_ssh']) def test_00_ts_demo(self): self.run_test_tool('ts-demo') - @OEHasPackage(['ts-service-test']) - @OETestDepends(['ssh.SSHTest.test_ssh']) - def test_01_ts_service_test(self): - self.run_test_tool('ts-service-test') - @OEHasPackage(['ts-uefi-test']) @OETestDepends(['ssh.SSHTest.test_ssh']) def test_02_ts_uefi_test(self): @@ -30,7 +28,8 @@ class TrustedServicesTest(OERuntimeTestCase): @OEHasPackage(['ts-psa-crypto-api-test']) @OETestDepends(['ssh.SSHTest.test_ssh']) def test_03_psa_crypto_api_test(self): - # There are a few expected PSA Crypto tests failing + # There are a two expected PSA Crypto tests failures testing features + # TS will not support. self.run_test_tool('psa-crypto-api-test', expected_status=46) @OEHasPackage(['ts-psa-its-api-test']) @@ -48,3 +47,74 @@ class TrustedServicesTest(OERuntimeTestCase): @OETestDepends(['ssh.SSHTest.test_ssh']) def test_06_psa_iat_api_test(self): self.run_test_tool('psa-iat-api-test') + + @OEHasPackage(['ts-service-test']) + @OETestDepends(['ssh.SSHTest.test_ssh']) + def test_09_ts_service_grp_check(self): + # If this test fails, available test groups in ts-service-test have changed and all + # tests using the test executable need to be double checked to ensure test group to + # TS SP mapping is still valid. + test_grp_list="FwuServiceTests PsServiceTests ItsServiceTests AttestationProvisioningTests" + test_grp_list+=" AttestationServiceTests CryptoKeyDerivationServicePackedcTests" + test_grp_list+=" CryptoMacServicePackedcTests CryptoCipherServicePackedcTests" + test_grp_list+=" CryptoHashServicePackedcTests CryptoServicePackedcTests" + test_grp_list+=" CryptoServiceProtobufTests CryptoServiceLimitTests" + test_grp_list+=" DiscoveryServiceTests" + self.run_test_tool('ts-service-test -lg', expected_output=test_grp_list) + + @OEHasPackage(['optee-test']) + @skipIfNotInDataVar('MACHINE_FEATURES', 'optee-spmc-test', 'SPMC Test SPs are not included') + @OETestDepends(['ssh.SSHTest.test_ssh']) + def test_07_spmc_test(self): + self.run_test_tool('xtest -t ffa_spmc') + + @OEHasPackage(['ts-service-test']) + @skipIfNotInDataVar('MACHINE_FEATURES', 'ts-fwu', 'FWU SP is not included') + @OETestDepends(['ssh.SSHTest.test_ssh']) + def test_10_fwu_service_tests(self): + self.run_test_tool('ts-service-test -g FwuServiceTests') + + @OEHasPackage(['ts-service-test']) + @OETestDepends(['ssh.SSHTest.test_ssh']) + def test_11_ps_service_tests(self): + if 'ts-storage' not in self.tc.td['MACHINE_FEATURES'] and \ + 'ts-se-proxy' not in self.tc.td['MACHINE_FEATURES']: + self.skipTest('Storage SP is not included into OPTEE') + self.run_test_tool('ts-service-test -g PsServiceTests') + + @OEHasPackage(['ts-service-test']) + @OETestDepends(['ssh.SSHTest.test_ssh']) + def test_12_its_service_tests(self): + if 'ts-its' not in self.tc.td['MACHINE_FEATURES'] and \ + 'ts-se-proxy' not in self.tc.td['MACHINE_FEATURES']: + self.skipTest('Internal Storage SP is not included into OPTEE') + self.run_test_tool('ts-service-test -g ItsServiceTests') + + @OEHasPackage(['ts-service-test']) + @OETestDepends(['ssh.SSHTest.test_ssh']) + def test_14_attestation_service_tests(self): + if 'ts-attestation' not in self.tc.td['MACHINE_FEATURES'] and \ + 'ts-se-proxy' not in self.tc.td['MACHINE_FEATURES']: + self.skipTest('Attestation SP is not included into OPTEE') + for grp in ["AttestationProvisioningTests", "AttestationServiceTests"]: + self.run_test_tool('ts-service-test -g %s'%grp) + + @OEHasPackage(['ts-service-test']) + @skipIfNotInDataVar('MACHINE_FEATURES', 'ts-crypto', 'Crypto SP is not included') + @OETestDepends(['ssh.SSHTest.test_ssh']) + def test_15_crypto_service_tests(self): + if 'ts-crypto' not in self.tc.td['MACHINE_FEATURES'] and \ + 'ts-se-proxy' not in self.tc.td['MACHINE_FEATURES']: + self.skipTest('Crypto SP is not included into OPTEE') + for grp in ["CryptoKeyDerivationServicePackedcTests", "CryptoMacServicePackedcTests", \ + "CryptoCipherServicePackedcTests", "CryptoHashServicePackedcTests", \ + "CryptoServicePackedcTests", "CryptoServiceProtobufTests CryptoServiceLimitTests"]: + self.run_test_tool('ts-service-test -g %s'%grp) + + @OEHasPackage(['ts-service-test']) + @OETestDepends(['ssh.SSHTest.test_ssh']) + def test_16_discovery_service_test(self): + if 'ts-crypto' not in self.tc.td['MACHINE_FEATURES'] and \ + 'ts-se-proxy' not in self.tc.td['MACHINE_FEATURES']: + self.skipTest('Crypto SP is not included into OPTEE') + self.run_test_tool('ts-service-test -g DiscoveryServiceTests') diff --git a/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/files/add-spmc_manifest-for-qemu.patch b/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/files/add-spmc_manifest-for-qemu.patch new file mode 100644 index 0000000000..50a57d6179 --- /dev/null +++ b/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/files/add-spmc_manifest-for-qemu.patch @@ -0,0 +1,67 @@ +From e1cbb35ad4655fe13ccb89247c81e850f6392c92 Mon Sep 17 00:00:00 2001 +From: Gyorgy Szing <Gyorgy.Szing@arm.com> +Date: Mon, 13 Mar 2023 21:15:59 +0100 +Subject: Add spmc_manifest for qemu + +This version only supports embedded packaging. + +Upstream-Status: Inappropriate [other] + - The SPMC manifest is integration specific and should live at an + integration spcific place. The manifest file is processed by TF-A + and I am adding the patch to TF-A to keep things simple. + +Signed-off-by: Gyorgy Szing <Gyorgy.Szing@arm.com> +--- + plat/qemu/fdts/optee_spmc_manifest.dts | 40 ++++++++++++++++++++++++++ + 1 file changed, 40 insertions(+) + create mode 100644 plat/qemu/fdts/optee_spmc_manifest.dts + +diff --git a/plat/qemu/fdts/optee_spmc_manifest.dts b/plat/qemu/fdts/optee_spmc_manifest.dts +new file mode 100644 +index 000000000..ae2ae3d95 +--- /dev/null ++++ b/plat/qemu/fdts/optee_spmc_manifest.dts +@@ -0,0 +1,40 @@ ++/* SPDX-License-Identifier: BSD-3-Clause */ ++/* ++ * Copyright (c) 2023, Arm Limited. All rights reserved. ++ */ ++ ++/dts-v1/; ++ ++/ { ++ compatible = "arm,ffa-core-manifest-1.0"; ++ #address-cells = <2>; ++ #size-cells = <1>; ++ ++ attribute { ++ spmc_id = <0x8000>; ++ maj_ver = <0x1>; ++ min_ver = <0x0>; ++ exec_state = <0x0>; ++ load_address = <0x0 0x0e100000>; ++ entrypoint = <0x0 0x0e100000>; ++ binary_size = <0x80000>; ++ }; ++ ++/* ++ * This file will be preprocessed by TF-A's build system. If Measured Boot is ++ * enabled in TF-A's config, the build system will add the MEASURED_BOOT=1 macro ++ * to the preprocessor arguments. ++ */ ++#if MEASURED_BOOT ++ tpm_event_log { ++ compatible = "arm,tpm_event_log"; ++ tpm_event_log_addr = <0x0 0x0>; ++ tpm_event_log_size = <0x0>; ++ }; ++#endif ++ ++/* If the ARM_BL2_SP_LIST_DTS is defined, SPs should be loaded from FIP */ ++#ifdef ARM_BL2_SP_LIST_DTS ++ #error "FIP SP load addresses configuration is missing. ++#endif ++}; +-- +2.39.1.windows.1 + diff --git a/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/files/feat-qemu-update-abi-between-spmd-and-spmc.patch b/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/files/feat-qemu-update-abi-between-spmd-and-spmc.patch new file mode 100644 index 0000000000..7c851fd041 --- /dev/null +++ b/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/files/feat-qemu-update-abi-between-spmd-and-spmc.patch @@ -0,0 +1,263 @@ +From d215b0c08e51192baab96d75beaeacf3abf8724e Mon Sep 17 00:00:00 2001 +From: Jens Wiklander <jens.wiklander@linaro.org> +Date: Fri, 18 Nov 2022 15:40:04 +0100 +Subject: feat(qemu): update abi between spmd and spmc + +Updates the ABI between SPMD and the SPMC at S-EL1 so that the hard +coded SPMC manifest can be replaced by a proper manifest via TOS FW +Config. TOS FW Config is provided via QEMU_TOS_FW_CONFIG_DTS as a DTS +file when building. The DTS is turned into a DTB which is added to the +FIP. + +Note that this is an incompatible change and requires corresponding +change in OP-TEE ("core: sel1 spmc: boot abi update"). + +Upstream-Status: Accepted + +Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org> +Change-Id: Ibabe78ef50a24f775492854ce5ac54e4d471e369 +--- + plat/qemu/common/qemu_bl2_mem_params_desc.c | 18 +++++++++++- + plat/qemu/common/qemu_bl2_setup.c | 32 +++++++++++++-------- + plat/qemu/common/qemu_io_storage.c | 16 ++++++++++- + plat/qemu/common/qemu_spmd_manifest.c | 31 -------------------- + plat/qemu/qemu/include/platform_def.h | 3 ++ + plat/qemu/qemu/platform.mk | 12 +++++++- + 6 files changed, 66 insertions(+), 46 deletions(-) + delete mode 100644 plat/qemu/common/qemu_spmd_manifest.c + +diff --git a/plat/qemu/common/qemu_bl2_mem_params_desc.c b/plat/qemu/common/qemu_bl2_mem_params_desc.c +index 5af3a2264..8d8047c92 100644 +--- a/plat/qemu/common/qemu_bl2_mem_params_desc.c ++++ b/plat/qemu/common/qemu_bl2_mem_params_desc.c +@@ -1,5 +1,5 @@ + /* +- * Copyright (c) 2017-2021, ARM Limited and Contributors. All rights reserved. ++ * Copyright (c) 2017-2022, ARM Limited and Contributors. All rights reserved. + * + * SPDX-License-Identifier: BSD-3-Clause + */ +@@ -122,6 +122,22 @@ static bl_mem_params_node_t bl2_mem_params_descs[] = { + #endif + .next_handoff_image_id = INVALID_IMAGE_ID, + }, ++ ++#if defined(SPD_spmd) ++ /* Fill TOS_FW_CONFIG related information */ ++ { ++ .image_id = TOS_FW_CONFIG_ID, ++ SET_STATIC_PARAM_HEAD(ep_info, PARAM_IMAGE_BINARY, ++ VERSION_2, entry_point_info_t, SECURE | NON_EXECUTABLE), ++ SET_STATIC_PARAM_HEAD(image_info, PARAM_IMAGE_BINARY, ++ VERSION_2, image_info_t, 0), ++ .image_info.image_base = TOS_FW_CONFIG_BASE, ++ .image_info.image_max_size = TOS_FW_CONFIG_LIMIT - ++ TOS_FW_CONFIG_BASE, ++ .next_handoff_image_id = INVALID_IMAGE_ID, ++ }, ++#endif ++ + # endif /* QEMU_LOAD_BL32 */ + + /* Fill BL33 related information */ +diff --git a/plat/qemu/common/qemu_bl2_setup.c b/plat/qemu/common/qemu_bl2_setup.c +index 2c0da15b9..6afa3a44d 100644 +--- a/plat/qemu/common/qemu_bl2_setup.c ++++ b/plat/qemu/common/qemu_bl2_setup.c +@@ -1,5 +1,5 @@ + /* +- * Copyright (c) 2015-2021, ARM Limited and Contributors. All rights reserved. ++ * Copyright (c) 2015-2022, ARM Limited and Contributors. All rights reserved. + * + * SPDX-License-Identifier: BSD-3-Clause + */ +@@ -149,8 +149,7 @@ static int qemu_bl2_handle_post_image_load(unsigned int image_id) + bl_mem_params_node_t *paged_mem_params = NULL; + #endif + #if defined(SPD_spmd) +- unsigned int mode_rw = MODE_RW_64; +- uint64_t pagable_part = 0; ++ bl_mem_params_node_t *bl32_mem_params = NULL; + #endif + + assert(bl_mem_params); +@@ -170,17 +169,18 @@ static int qemu_bl2_handle_post_image_load(unsigned int image_id) + if (err != 0) { + WARN("OPTEE header parse error.\n"); + } +-#if defined(SPD_spmd) +- mode_rw = bl_mem_params->ep_info.args.arg0; +- pagable_part = bl_mem_params->ep_info.args.arg1; +-#endif + #endif + +-#if defined(SPD_spmd) +- bl_mem_params->ep_info.args.arg0 = ARM_PRELOADED_DTB_BASE; +- bl_mem_params->ep_info.args.arg1 = pagable_part; +- bl_mem_params->ep_info.args.arg2 = mode_rw; +- bl_mem_params->ep_info.args.arg3 = 0; ++#if defined(SPMC_OPTEE) ++ /* ++ * Explicit zeroes to unused registers since they may have ++ * been populated by parse_optee_header() above. ++ * ++ * OP-TEE expects system DTB in x2 and TOS_FW_CONFIG in x0, ++ * the latter is filled in below for TOS_FW_CONFIG_ID and ++ * applies to any other SPMC too. ++ */ ++ bl_mem_params->ep_info.args.arg2 = ARM_PRELOADED_DTB_BASE; + #elif defined(SPD_opteed) + /* + * OP-TEE expect to receive DTB address in x2. +@@ -224,6 +224,14 @@ static int qemu_bl2_handle_post_image_load(unsigned int image_id) + + bl_mem_params->ep_info.spsr = qemu_get_spsr_for_bl33_entry(); + break; ++#if defined(SPD_spmd) ++ case TOS_FW_CONFIG_ID: ++ /* An SPMC expects TOS_FW_CONFIG in x0/r0 */ ++ bl32_mem_params = get_bl_mem_params_node(BL32_IMAGE_ID); ++ bl32_mem_params->ep_info.args.arg0 = ++ bl_mem_params->image_info.image_base; ++ break; ++#endif + default: + /* Do nothing in default case */ + break; +diff --git a/plat/qemu/common/qemu_io_storage.c b/plat/qemu/common/qemu_io_storage.c +index 1107e443f..e2d4932c0 100644 +--- a/plat/qemu/common/qemu_io_storage.c ++++ b/plat/qemu/common/qemu_io_storage.c +@@ -1,5 +1,5 @@ + /* +- * Copyright (c) 2015-2016, ARM Limited and Contributors. All rights reserved. ++ * Copyright (c) 2015-2022, ARM Limited and Contributors. All rights reserved. + * + * SPDX-License-Identifier: BSD-3-Clause + */ +@@ -24,6 +24,7 @@ + #define BL2_IMAGE_NAME "bl2.bin" + #define BL31_IMAGE_NAME "bl31.bin" + #define BL32_IMAGE_NAME "bl32.bin" ++#define TOS_FW_CONFIG_NAME "tos_fw_config.dtb" + #define BL32_EXTRA1_IMAGE_NAME "bl32_extra1.bin" + #define BL32_EXTRA2_IMAGE_NAME "bl32_extra2.bin" + #define BL33_IMAGE_NAME "bl33.bin" +@@ -78,6 +79,10 @@ static const io_uuid_spec_t bl32_extra2_uuid_spec = { + .uuid = UUID_SECURE_PAYLOAD_BL32_EXTRA2, + }; + ++static const io_uuid_spec_t tos_fw_config_uuid_spec = { ++ .uuid = UUID_TOS_FW_CONFIG, ++}; ++ + static const io_uuid_spec_t bl33_uuid_spec = { + .uuid = UUID_NON_TRUSTED_FIRMWARE_BL33, + }; +@@ -137,6 +142,10 @@ static const io_file_spec_t sh_file_spec[] = { + .path = BL32_EXTRA2_IMAGE_NAME, + .mode = FOPEN_MODE_RB + }, ++ [TOS_FW_CONFIG_ID] = { ++ .path = TOS_FW_CONFIG_NAME, ++ .mode = FOPEN_MODE_RB ++ }, + [BL33_IMAGE_ID] = { + .path = BL33_IMAGE_NAME, + .mode = FOPEN_MODE_RB +@@ -252,6 +261,11 @@ static const struct plat_io_policy policies[] = { + open_fip + }, + #endif ++ [TOS_FW_CONFIG_ID] = { ++ &fip_dev_handle, ++ (uintptr_t)&tos_fw_config_uuid_spec, ++ open_fip ++ }, + [BL33_IMAGE_ID] = { + &fip_dev_handle, + (uintptr_t)&bl33_uuid_spec, +diff --git a/plat/qemu/common/qemu_spmd_manifest.c b/plat/qemu/common/qemu_spmd_manifest.c +deleted file mode 100644 +index fd46e2675..000000000 +--- a/plat/qemu/common/qemu_spmd_manifest.c ++++ /dev/null +@@ -1,31 +0,0 @@ +-/* +- * Copyright (c) 2021, ARM Limited and Contributors. All rights reserved. +- * +- * SPDX-License-Identifier: BSD-3-Clause +- */ +- +-#include <assert.h> +- +-#include <services/spm_core_manifest.h> +- +-#include <plat/common/platform.h> +-#include <platform_def.h> +- +-int plat_spm_core_manifest_load(spmc_manifest_attribute_t *manifest, +- const void *pm_addr) +-{ +- entry_point_info_t *ep_info = bl31_plat_get_next_image_ep_info(SECURE); +- +- assert(ep_info != NULL); +- assert(manifest != NULL); +- +- manifest->major_version = 1; +- manifest->minor_version = 0; +- manifest->exec_state = ep_info->args.arg2; +- manifest->load_address = BL32_BASE; +- manifest->entrypoint = BL32_BASE; +- manifest->binary_size = BL32_LIMIT - BL32_BASE; +- manifest->spmc_id = 0x8000; +- +- return 0; +-} +diff --git a/plat/qemu/qemu/include/platform_def.h b/plat/qemu/qemu/include/platform_def.h +index c9ed6409f..5c3239cb8 100644 +--- a/plat/qemu/qemu/include/platform_def.h ++++ b/plat/qemu/qemu/include/platform_def.h +@@ -118,6 +118,9 @@ + #define BL_RAM_BASE (SHARED_RAM_BASE + SHARED_RAM_SIZE) + #define BL_RAM_SIZE (SEC_SRAM_SIZE - SHARED_RAM_SIZE) + ++#define TOS_FW_CONFIG_BASE BL_RAM_BASE ++#define TOS_FW_CONFIG_LIMIT (TOS_FW_CONFIG_BASE + PAGE_SIZE) ++ + /* + * BL1 specific defines. + * +diff --git a/plat/qemu/qemu/platform.mk b/plat/qemu/qemu/platform.mk +index 6becc32fa..02493025a 100644 +--- a/plat/qemu/qemu/platform.mk ++++ b/plat/qemu/qemu/platform.mk +@@ -212,7 +212,10 @@ BL31_SOURCES += lib/cpus/aarch64/aem_generic.S \ + ${QEMU_GIC_SOURCES} + + ifeq (${SPD},spmd) +-BL31_SOURCES += plat/qemu/common/qemu_spmd_manifest.c ++BL31_SOURCES += plat/common/plat_spmd_manifest.c \ ++ common/uuid.c \ ++ ${LIBFDT_SRCS} \ ++ ${FDT_WRAPPERS_SOURCES} + endif + endif + +@@ -233,6 +236,13 @@ $(eval $(call TOOL_ADD_IMG,bl32_extra2,--tos-fw-extra2)) + endif + endif + ++ifneq ($(QEMU_TOS_FW_CONFIG_DTS),) ++FDT_SOURCES += ${QEMU_TOS_FW_CONFIG_DTS} ++QEMU_TOS_FW_CONFIG := ${BUILD_PLAT}/fdts/$(notdir $(basename ${QEMU_TOS_FW_CONFIG_DTS})).dtb ++# Add the TOS_FW_CONFIG to FIP ++$(eval $(call TOOL_ADD_PAYLOAD,${QEMU_TOS_FW_CONFIG},--tos-fw-config,${QEMU_TOS_FW_CONFIG})) ++endif ++ + SEPARATE_CODE_AND_RODATA := 1 + ENABLE_STACK_PROTECTOR := 0 + ifneq ($(ENABLE_STACK_PROTECTOR), 0) +-- +2.39.1.windows.1 + diff --git a/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_%.bbappend b/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_%.bbappend index 6cf55d69cd..e58a090229 100644 --- a/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_%.bbappend +++ b/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_%.bbappend @@ -47,7 +47,10 @@ EXTRA_OEMAKE:append:arm:qemuall = " \ BL32_RAM_LOCATION=tdram \ AARCH32_SP=optee \ " - +# When using OP-TEE SPMC specify the SPMC manifest file. +EXTRA_OEMAKE:append:qemuarm64-secureboot = "${@bb.utils.contains('MACHINE_FEATURES', 'arm-ffa', \ + 'QEMU_TOS_FW_CONFIG_DTS=${S}/plat/qemu/fdts/optee_spmc_manifest.dts', '', d)}" + do_compile:append:qemuarm64-secureboot() { # Create a secure flash image for booting AArch64 Qemu. See: # https://git.trustedfirmware.org/TF-A/trusted-firmware-a.git/tree/docs/plat/qemu.rst diff --git a/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_2.8.0.bb b/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_2.8.0.bb index 3a5006e53d..5830339c42 100644 --- a/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_2.8.0.bb +++ b/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_2.8.0.bb @@ -5,6 +5,12 @@ SRCREV_tfa = "9881bb93a3bc0a3ea37e9f093e09ab4b360a9e48" SRC_URI += "file://rwx-segments.patch" +# Enable passing TOS_FW_CONFIG from FIP package to Trusted OS. +SRC_URI:append:qemuarm64-secureboot = " \ + file://add-spmc_manifest-for-qemu.patch \ + file://feat-qemu-update-abi-between-spmd-and-spmc.patch \ + " + LIC_FILES_CHKSUM += "file://docs/license.rst;md5=b2c740efedc159745b9b31f88ff03dde" # mbed TLS v2.28.2 diff --git a/meta-arm/meta-arm/recipes-kernel/arm-ffa-user/arm-ffa-user_5.0.1.bb b/meta-arm/meta-arm/recipes-kernel/arm-ffa-user/arm-ffa-user_5.0.1.bb index 1261fa413b..726a65bb9a 100644 --- a/meta-arm/meta-arm/recipes-kernel/arm-ffa-user/arm-ffa-user_5.0.1.bb +++ b/meta-arm/meta-arm/recipes-kernel/arm-ffa-user/arm-ffa-user_5.0.1.bb @@ -18,10 +18,16 @@ COMPATIBLE_HOST = "(arm|aarch64).*-linux" KERNEL_MODULE_AUTOLOAD += "arm-ffa-user" KERNEL_MODULE_PROBECONF += "arm-ffa-user" -# This debugfs driver is used only by uefi-test for testing SmmGW SP -# UUIDs = SMM Gateway SP -FFA-USER-UUID-LIST ?= "ed32d533-99e6-4209-9cc0-2d72cdd998a7" -module_conf_arm-ffa-user = "options arm-ffa-user uuid_str_list=${FFA-USER-UUID-LIST}" +# SMM Gateway SP +UUID_LIST = "${@bb.utils.contains('MACHINE_FEATURES', 'ts-smm-gateway', \ + 'ed32d533-99e6-4209-9cc0-2d72cdd998a7', '' , d)}" +# SPMC Tests SPs +UUID_LIST:append = "${@bb.utils.contains('MACHINE_FEATURES', 'optee-spmc-test', \ + ',5c9edbc3-7b3a-4367-9f83-7c191ae86a37,7817164c-c40c-4d1a-867a-9bb2278cf41a,23eb0100-e32a-4497-9052-2f11e584afa6', '' , d)}" + +FFA_USER_UUID_LIST ?= "${@d.getVar('UUID_LIST').strip(',')}" + +module_conf_arm-ffa-user = "options arm-ffa-user uuid_str_list=${FFA_USER_UUID_LIST}" do_install:append() { install -d ${D}${includedir} diff --git a/meta-arm/meta-arm/recipes-kernel/linux/files/generic-arm64-kmeta/generic-arm64-preempt-rt-tweaks.cfg b/meta-arm/meta-arm/recipes-kernel/linux/files/generic-arm64-kmeta/generic-arm64-preempt-rt-tweaks.cfg new file mode 100644 index 0000000000..84e0dd71ca --- /dev/null +++ b/meta-arm/meta-arm/recipes-kernel/linux/files/generic-arm64-kmeta/generic-arm64-preempt-rt-tweaks.cfg @@ -0,0 +1,4 @@ +# These configurations have a dependency on !PREEMPT_RT. Set them to `n` to +# avoid complain when do_kernel_configcheck. +CONFIG_LEDS_TRIGGER_CPU=n +CONFIG_TRANSPARENT_HUGEPAGE=n diff --git a/meta-arm/meta-arm/recipes-kernel/linux/files/generic-arm64-kmeta/generic-arm64-preempt-rt.scc b/meta-arm/meta-arm/recipes-kernel/linux/files/generic-arm64-kmeta/generic-arm64-preempt-rt.scc new file mode 100644 index 0000000000..ae97c2e2a3 --- /dev/null +++ b/meta-arm/meta-arm/recipes-kernel/linux/files/generic-arm64-kmeta/generic-arm64-preempt-rt.scc @@ -0,0 +1,7 @@ +define KMACHINE generic-arm64 +define KTYPE preempt-rt +define KARCH arm64 + +kconf hardware generic-arm64-preempt-rt-tweaks.cfg +include ktypes/preempt-rt/preempt-rt.scc +include features/bluetooth/bluetooth.scc diff --git a/meta-arm/meta-arm/recipes-kernel/linux/linux-yocto%.bbappend b/meta-arm/meta-arm/recipes-kernel/linux/linux-yocto%.bbappend index 883ed2ca66..0a42ce4a5d 100644 --- a/meta-arm/meta-arm/recipes-kernel/linux/linux-yocto%.bbappend +++ b/meta-arm/meta-arm/recipes-kernel/linux/linux-yocto%.bbappend @@ -1,11 +1,5 @@ ARMFILESPATHS := "${THISDIR}/files:" -FILESEXTRAPATHS:prepend:aarch64 = "${ARMFILESPATHS}" -SRC_URI:append:aarch64 = " \ - file://0001-Revert-arm64-defconfig-Enable-Tegra-MGBE-driver.patch \ - file://0002-Revert-arm64-defconfig-Add-Nuvoton-NPCM-family-suppo.patch \ - " - COMPATIBLE_MACHINE:generic-arm64 = "generic-arm64" FILESEXTRAPATHS:prepend:generic-arm64 = "${ARMFILESPATHS}" SRC_URI:append:generic-arm64 = " \ diff --git a/meta-arm/meta-arm/recipes-kernel/linux/linux-yocto-rt_6.1%.bbappend b/meta-arm/meta-arm/recipes-kernel/linux/linux-yocto-rt_6.1%.bbappend new file mode 100644 index 0000000000..e6d50a4bc4 --- /dev/null +++ b/meta-arm/meta-arm/recipes-kernel/linux/linux-yocto-rt_6.1%.bbappend @@ -0,0 +1,6 @@ + +FILESEXTRAPATHS:prepend:aarch64 = "${ARMFILESPATHS}" +SRC_URI:append:aarch64 = " \ + file://0001-Revert-arm64-defconfig-Enable-Tegra-MGBE-driver.patch \ + file://0002-Revert-arm64-defconfig-Add-Nuvoton-NPCM-family-suppo.patch \ + " diff --git a/meta-arm/meta-arm/recipes-kernel/linux/linux-yocto_6.1%.bbappend b/meta-arm/meta-arm/recipes-kernel/linux/linux-yocto_6.1%.bbappend new file mode 100644 index 0000000000..e6d50a4bc4 --- /dev/null +++ b/meta-arm/meta-arm/recipes-kernel/linux/linux-yocto_6.1%.bbappend @@ -0,0 +1,6 @@ + +FILESEXTRAPATHS:prepend:aarch64 = "${ARMFILESPATHS}" +SRC_URI:append:aarch64 = " \ + file://0001-Revert-arm64-defconfig-Enable-Tegra-MGBE-driver.patch \ + file://0002-Revert-arm64-defconfig-Add-Nuvoton-NPCM-family-suppo.patch \ + " diff --git a/meta-arm/meta-arm/recipes-security/optee/optee-os-3.20.0/0005-core-arm-S-EL1-SPMC-boot-ABI-update.patch b/meta-arm/meta-arm/recipes-security/optee/optee-os-3.20.0/0005-core-arm-S-EL1-SPMC-boot-ABI-update.patch new file mode 100644 index 0000000000..4313a829ac --- /dev/null +++ b/meta-arm/meta-arm/recipes-security/optee/optee-os-3.20.0/0005-core-arm-S-EL1-SPMC-boot-ABI-update.patch @@ -0,0 +1,91 @@ +From 11f4ea86579bc1a58e4adde2849326f4213694f2 Mon Sep 17 00:00:00 2001 +From: Jens Wiklander <jens.wiklander@linaro.org> +Date: Mon, 21 Nov 2022 18:17:33 +0100 +Subject: core: arm: S-EL1 SPMC: boot ABI update + +Updates the boot ABI for S-EL1 SPMC to align better with other SPMCs, +like Hafnium, but also with the non-FF-A configuration. + +Register usage: +X0 - TOS FW config [1] address, if not NULL +X2 - System DTB, if not NULL + +Adds check in the default get_aslr_seed() to see if the system DTB is +present before trying to read kaslr-seed from secure-chosen. + +Note that this is an incompatible change and requires corresponding +change in TF-A ("feat(qemu): update abi between spmd and spmc") [2]. + +[1] A TF-A concept: TOS_FW_CONFIG - Trusted OS Firmware configuration + file. Used by Trusted OS (BL32), that is, OP-TEE in this case +Link: [2] https://git.trustedfirmware.org/TF-A/trusted-firmware-a.git/commit/?id=25ae7ad1878244f78206cc7c91f7bdbd267331a1 + +Upstream-Status: Accepted + +Acked-by: Etienne Carriere <etienne.carriere@linaro.org> +Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org> +--- + core/arch/arm/kernel/boot.c | 8 +++++++- + core/arch/arm/kernel/entry_a64.S | 17 ++++++++--------- + 2 files changed, 15 insertions(+), 10 deletions(-) + +diff --git a/core/arch/arm/kernel/boot.c b/core/arch/arm/kernel/boot.c +index dd34173e8..e02c02b60 100644 +--- a/core/arch/arm/kernel/boot.c ++++ b/core/arch/arm/kernel/boot.c +@@ -1502,11 +1502,17 @@ struct ns_entry_context *boot_core_hpen(void) + #if defined(CFG_DT) + unsigned long __weak get_aslr_seed(void *fdt) + { +- int rc = fdt_check_header(fdt); ++ int rc = 0; + const uint64_t *seed = NULL; + int offs = 0; + int len = 0; + ++ if (!fdt) { ++ DMSG("No fdt"); ++ goto err; ++ } ++ ++ rc = fdt_check_header(fdt); + if (rc) { + DMSG("Bad fdt: %d", rc); + goto err; +diff --git a/core/arch/arm/kernel/entry_a64.S b/core/arch/arm/kernel/entry_a64.S +index 4c6e9d75c..047ae1f25 100644 +--- a/core/arch/arm/kernel/entry_a64.S ++++ b/core/arch/arm/kernel/entry_a64.S +@@ -143,21 +143,20 @@ + .endm + + FUNC _start , : +-#if defined(CFG_CORE_SEL1_SPMC) + /* +- * With OP-TEE as SPMC at S-EL1 the SPMD (SPD_spmd) in TF-A passes +- * the DTB in x0, pagaeble part in x1 and the rest of the registers +- * are unused ++ * If CFG_CORE_FFA is enabled, then x0 if non-NULL holds the TOS FW ++ * config [1] address, else x0 if non-NULL holds the pagable part ++ * address. ++ * ++ * [1] A TF-A concept: TOS_FW_CONFIG - Trusted OS Firmware ++ * configuration file. Used by Trusted OS (BL32), that is, OP-TEE ++ * here. + */ +- mov x19, x1 /* Save pagable part */ +- mov x20, x0 /* Save DT address */ +-#else +- mov x19, x0 /* Save pagable part address */ ++ mov x19, x0 + #if defined(CFG_DT_ADDR) + ldr x20, =CFG_DT_ADDR + #else + mov x20, x2 /* Save DT address */ +-#endif + #endif + + adr x0, reset_vect_table +-- +2.39.1.windows.1 + diff --git a/meta-arm/meta-arm/recipes-security/optee/optee-os-3.20.0/0006-core-ffa-add-TOS_FW_CONFIG-handling.patch b/meta-arm/meta-arm/recipes-security/optee/optee-os-3.20.0/0006-core-ffa-add-TOS_FW_CONFIG-handling.patch new file mode 100644 index 0000000000..add39076fd --- /dev/null +++ b/meta-arm/meta-arm/recipes-security/optee/optee-os-3.20.0/0006-core-ffa-add-TOS_FW_CONFIG-handling.patch @@ -0,0 +1,249 @@ +From 84f4ef4c4f2f45e2f54597f1afe80d8f8396cc57 Mon Sep 17 00:00:00 2001 +From: Balint Dobszay <balint.dobszay@arm.com> +Date: Fri, 10 Feb 2023 11:07:27 +0100 +Subject: core: ffa: add TOS_FW_CONFIG handling + +At boot TF-A passes two DT addresses (HW_CONFIG and TOS_FW_CONFIG), but +currently only the HW_CONFIG address is saved, the other one is dropped. +This commit adds functionality to save the TOS_FW_CONFIG too, so we can +retrieve it later. This is necessary for the CFG_CORE_SEL1_SPMC use +case, because the SPMC manifest is passed in this DT. + +Upstream-Status: Accepted + +Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org> +Signed-off-by: Balint Dobszay <balint.dobszay@arm.com> +--- + core/arch/arm/kernel/boot.c | 60 ++++++++++++++++++++++- + core/arch/arm/kernel/entry_a32.S | 3 +- + core/arch/arm/kernel/entry_a64.S | 13 ++++- + core/arch/arm/kernel/link_dummies_paged.c | 4 +- + core/arch/arm/kernel/secure_partition.c | 2 +- + core/include/kernel/boot.h | 7 ++- + 6 files changed, 81 insertions(+), 8 deletions(-) + +diff --git a/core/arch/arm/kernel/boot.c b/core/arch/arm/kernel/boot.c +index e02c02b60..98e13c072 100644 +--- a/core/arch/arm/kernel/boot.c ++++ b/core/arch/arm/kernel/boot.c +@@ -1,6 +1,7 @@ + // SPDX-License-Identifier: BSD-2-Clause + /* + * Copyright (c) 2015-2022, Linaro Limited ++ * Copyright (c) 2023, Arm Limited + */ + + #include <arm.h> +@@ -83,6 +84,9 @@ struct dt_descriptor { + }; + + static struct dt_descriptor external_dt __nex_bss; ++#ifdef CFG_CORE_SEL1_SPMC ++static struct dt_descriptor tos_fw_config_dt __nex_bss; ++#endif + #endif + + #ifdef CFG_SECONDARY_INIT_CNTFRQ +@@ -1224,6 +1228,54 @@ static struct core_mmu_phys_mem *get_nsec_memory(void *fdt __unused, + #endif /*CFG_CORE_DYN_SHM*/ + #endif /*!CFG_DT*/ + ++#if defined(CFG_CORE_SEL1_SPMC) && defined(CFG_DT) ++void *get_tos_fw_config_dt(void) ++{ ++ if (!IS_ENABLED(CFG_MAP_EXT_DT_SECURE)) ++ return NULL; ++ ++ assert(cpu_mmu_enabled()); ++ ++ return tos_fw_config_dt.blob; ++} ++ ++static void init_tos_fw_config_dt(unsigned long pa) ++{ ++ struct dt_descriptor *dt = &tos_fw_config_dt; ++ void *fdt = NULL; ++ int ret = 0; ++ ++ if (!IS_ENABLED(CFG_MAP_EXT_DT_SECURE)) ++ return; ++ ++ if (!pa) ++ panic("No TOS_FW_CONFIG DT found"); ++ ++ fdt = core_mmu_add_mapping(MEM_AREA_EXT_DT, pa, CFG_DTB_MAX_SIZE); ++ if (!fdt) ++ panic("Failed to map TOS_FW_CONFIG DT"); ++ ++ dt->blob = fdt; ++ ++ ret = fdt_open_into(fdt, fdt, CFG_DTB_MAX_SIZE); ++ if (ret < 0) { ++ EMSG("Invalid Device Tree at %#lx: error %d", pa, ret); ++ panic(); ++ } ++ ++ IMSG("TOS_FW_CONFIG DT found"); ++} ++#else ++void *get_tos_fw_config_dt(void) ++{ ++ return NULL; ++} ++ ++static void init_tos_fw_config_dt(unsigned long pa __unused) ++{ ++} ++#endif /*CFG_CORE_SEL1_SPMC && CFG_DT*/ ++ + #ifdef CFG_CORE_DYN_SHM + static void discover_nsec_memory(void) + { +@@ -1361,10 +1413,16 @@ static bool cpu_nmfi_enabled(void) + * Note: this function is weak just to make it possible to exclude it from + * the unpaged area. + */ +-void __weak boot_init_primary_late(unsigned long fdt) ++void __weak boot_init_primary_late(unsigned long fdt, ++ unsigned long tos_fw_config) + { + init_external_dt(fdt); ++ init_tos_fw_config_dt(tos_fw_config); ++#ifdef CFG_CORE_SEL1_SPMC ++ tpm_map_log_area(get_tos_fw_config_dt()); ++#else + tpm_map_log_area(get_external_dt()); ++#endif + discover_nsec_memory(); + update_external_dt(); + configure_console_from_dt(); +diff --git a/core/arch/arm/kernel/entry_a32.S b/core/arch/arm/kernel/entry_a32.S +index 0f14ca2f6..3758fd8b7 100644 +--- a/core/arch/arm/kernel/entry_a32.S ++++ b/core/arch/arm/kernel/entry_a32.S +@@ -1,7 +1,7 @@ + /* SPDX-License-Identifier: BSD-2-Clause */ + /* + * Copyright (c) 2014, Linaro Limited +- * Copyright (c) 2021, Arm Limited ++ * Copyright (c) 2021-2023, Arm Limited + */ + + #include <arm32_macros.S> +@@ -560,6 +560,7 @@ shadow_stack_access_ok: + str r0, [r8, #THREAD_CORE_LOCAL_FLAGS] + #endif + mov r0, r6 /* DT address */ ++ mov r1, #0 /* unused */ + bl boot_init_primary_late + #ifndef CFG_VIRTUALIZATION + mov r0, #THREAD_CLF_TMP +diff --git a/core/arch/arm/kernel/entry_a64.S b/core/arch/arm/kernel/entry_a64.S +index 047ae1f25..fa76437fb 100644 +--- a/core/arch/arm/kernel/entry_a64.S ++++ b/core/arch/arm/kernel/entry_a64.S +@@ -1,7 +1,7 @@ + /* SPDX-License-Identifier: BSD-2-Clause */ + /* + * Copyright (c) 2015-2022, Linaro Limited +- * Copyright (c) 2021, Arm Limited ++ * Copyright (c) 2021-2023, Arm Limited + */ + + #include <platform_config.h> +@@ -320,7 +320,11 @@ clear_nex_bss: + bl core_mmu_set_default_prtn_tbl + #endif + ++#ifdef CFG_CORE_SEL1_SPMC ++ mov x0, xzr /* pager not used */ ++#else + mov x0, x19 /* pagable part address */ ++#endif + mov x1, #-1 + bl boot_init_primary_early + +@@ -337,7 +341,12 @@ clear_nex_bss: + mov x22, x0 + str wzr, [x22, #THREAD_CORE_LOCAL_FLAGS] + #endif +- mov x0, x20 /* DT address */ ++ mov x0, x20 /* DT address also known as HW_CONFIG */ ++#ifdef CFG_CORE_SEL1_SPMC ++ mov x1, x19 /* TOS_FW_CONFIG DT address */ ++#else ++ mov x1, xzr /* unused */ ++#endif + bl boot_init_primary_late + #ifdef CFG_CORE_PAUTH + init_pauth_per_cpu +diff --git a/core/arch/arm/kernel/link_dummies_paged.c b/core/arch/arm/kernel/link_dummies_paged.c +index 3b8287e06..023a5f3f5 100644 +--- a/core/arch/arm/kernel/link_dummies_paged.c ++++ b/core/arch/arm/kernel/link_dummies_paged.c +@@ -1,6 +1,7 @@ + // SPDX-License-Identifier: BSD-2-Clause + /* + * Copyright (c) 2017-2021, Linaro Limited ++ * Copyright (c) 2023, Arm Limited + */ + #include <compiler.h> + #include <initcall.h> +@@ -27,7 +28,8 @@ void __section(".text.dummy.call_finalcalls") call_finalcalls(void) + } + + void __section(".text.dummy.boot_init_primary_late") +-boot_init_primary_late(unsigned long fdt __unused) ++boot_init_primary_late(unsigned long fdt __unused, ++ unsigned long tos_fw_config __unused) + { + } + +diff --git a/core/arch/arm/kernel/secure_partition.c b/core/arch/arm/kernel/secure_partition.c +index 1d36e90b1..d386f1e4d 100644 +--- a/core/arch/arm/kernel/secure_partition.c ++++ b/core/arch/arm/kernel/secure_partition.c +@@ -1212,7 +1212,7 @@ static TEE_Result fip_sp_map_all(void) + int subnode = 0; + int root = 0; + +- fdt = get_external_dt(); ++ fdt = get_tos_fw_config_dt(); + if (!fdt) { + EMSG("No SPMC manifest found"); + return TEE_ERROR_GENERIC; +diff --git a/core/include/kernel/boot.h b/core/include/kernel/boot.h +index 260854473..941e093b2 100644 +--- a/core/include/kernel/boot.h ++++ b/core/include/kernel/boot.h +@@ -1,7 +1,7 @@ + /* SPDX-License-Identifier: BSD-2-Clause */ + /* + * Copyright (c) 2015-2020, Linaro Limited +- * Copyright (c) 2021, Arm Limited ++ * Copyright (c) 2021-2023, Arm Limited + */ + #ifndef __KERNEL_BOOT_H + #define __KERNEL_BOOT_H +@@ -46,7 +46,7 @@ extern const struct core_mmu_config boot_mmu_config; + /* @nsec_entry is unused if using CFG_WITH_ARM_TRUSTED_FW */ + void boot_init_primary_early(unsigned long pageable_part, + unsigned long nsec_entry); +-void boot_init_primary_late(unsigned long fdt); ++void boot_init_primary_late(unsigned long fdt, unsigned long tos_fw_config); + void boot_init_memtag(void); + + void __panic_at_smc_return(void) __noreturn; +@@ -103,6 +103,9 @@ void *get_embedded_dt(void); + /* Returns external DTB if present, otherwise NULL */ + void *get_external_dt(void); + ++/* Returns TOS_FW_CONFIG DTB if present, otherwise NULL */ ++void *get_tos_fw_config_dt(void); ++ + /* + * get_aslr_seed() - return a random seed for core ASLR + * @fdt: Pointer to a device tree if CFG_DT_ADDR=y +-- +2.39.1.windows.1 + diff --git a/meta-arm/meta-arm/recipes-security/optee/optee-os-3.20.0/0007-core-spmc-handle-non-secure-interrupts.patch b/meta-arm/meta-arm/recipes-security/optee/optee-os-3.20.0/0007-core-spmc-handle-non-secure-interrupts.patch new file mode 100644 index 0000000000..a0377abafe --- /dev/null +++ b/meta-arm/meta-arm/recipes-security/optee/optee-os-3.20.0/0007-core-spmc-handle-non-secure-interrupts.patch @@ -0,0 +1,279 @@ +From f4b4f5bccc1be9a709008cc8e6107302745796c8 Mon Sep 17 00:00:00 2001 +From: Imre Kis <imre.kis@arm.com> +Date: Tue, 18 Apr 2023 16:41:51 +0200 +Subject: [PATCH] core: spmc: handle non-secure interrupts + +Add FFA_INTERRUPT and FFA_RUN support for signaling non-secure +interrupts and for resuming to the secure world. If a secure partition +is preempted by a non-secure interrupt OP-TEE saves the SP's state and +sends an FFA_INTERRUPT to the normal world. After handling the interrupt +the normal world should send an FFA_RUN to OP-TEE so it can continue +running the SP. +If OP-TEE is the active FF-A endpoint (i.e. it is running TAs) the +non-secure interrupts are signaled by the existing +OPTEE_FFA_YIELDING_CALL_RETURN_INTERRUPT message instead of +FFA_INTERRUPT. + +Upstream-Status: Pending + +Signed-off-by: Imre Kis <imre.kis@arm.com> +Change-Id: I577ebe86d416ee494963216a66a3bfc8206921b4 + +--- + core/arch/arm/include/ffa.h | 2 +- + .../arch/arm/include/kernel/spmc_sp_handler.h | 11 +++++++ + core/arch/arm/kernel/secure_partition.c | 17 ++++++++++ + core/arch/arm/kernel/spmc_sp_handler.c | 26 ++++++++++++++++ + core/arch/arm/kernel/thread.c | 7 +++++ + core/arch/arm/kernel/thread_spmc.c | 31 ++++++++++++++++++- + core/arch/arm/kernel/thread_spmc_a64.S | 30 ++++++++++++++++++ + 7 files changed, 122 insertions(+), 2 deletions(-) + +diff --git a/core/arch/arm/include/ffa.h b/core/arch/arm/include/ffa.h +index 5a19fb0c..b3d1d354 100644 +--- a/core/arch/arm/include/ffa.h ++++ b/core/arch/arm/include/ffa.h +@@ -50,7 +50,7 @@ + #define FFA_ID_GET U(0x84000069) + #define FFA_MSG_WAIT U(0x8400006B) + #define FFA_MSG_YIELD U(0x8400006C) +-#define FFA_MSG_RUN U(0x8400006D) ++#define FFA_RUN U(0x8400006D) + #define FFA_MSG_SEND U(0x8400006E) + #define FFA_MSG_SEND_DIRECT_REQ_32 U(0x8400006F) + #define FFA_MSG_SEND_DIRECT_REQ_64 U(0xC400006F) +diff --git a/core/arch/arm/include/kernel/spmc_sp_handler.h b/core/arch/arm/include/kernel/spmc_sp_handler.h +index f5bda7bf..30c1e469 100644 +--- a/core/arch/arm/include/kernel/spmc_sp_handler.h ++++ b/core/arch/arm/include/kernel/spmc_sp_handler.h +@@ -25,6 +25,8 @@ void spmc_sp_start_thread(struct thread_smc_args *args); + int spmc_sp_add_share(struct ffa_rxtx *rxtx, + size_t blen, uint64_t *global_handle, + struct sp_session *owner_sp); ++void spmc_sp_set_to_preempted(struct ts_session *ts_sess); ++int spmc_sp_resume_from_preempted(uint16_t endpoint_id); + #else + static inline void spmc_sp_start_thread(struct thread_smc_args *args __unused) + { +@@ -37,6 +39,15 @@ static inline int spmc_sp_add_share(struct ffa_rxtx *rxtx __unused, + { + return FFA_NOT_SUPPORTED; + } ++ ++static inline void spmc_sp_set_to_preempted(struct ts_session *ts_sess __unused) ++{ ++} ++ ++static inline int spmc_sp_resume_from_preempted(uint16_t endpoint_id __unused) ++{ ++ return FFA_NOT_SUPPORTED; ++} + #endif + + #endif /* __KERNEL_SPMC_SP_HANDLER_H */ +diff --git a/core/arch/arm/kernel/secure_partition.c b/core/arch/arm/kernel/secure_partition.c +index 1d36e90b..6e351e43 100644 +--- a/core/arch/arm/kernel/secure_partition.c ++++ b/core/arch/arm/kernel/secure_partition.c +@@ -999,6 +999,8 @@ static TEE_Result sp_enter_invoke_cmd(struct ts_session *s, + struct sp_session *sp_s = to_sp_session(s); + struct ts_session *sess = NULL; + struct thread_ctx_regs *sp_regs = NULL; ++ uint32_t thread_id = THREAD_ID_INVALID; ++ uint32_t rpc_target_info = 0; + uint32_t panicked = false; + uint32_t panic_code = 0; + +@@ -1011,8 +1013,23 @@ static TEE_Result sp_enter_invoke_cmd(struct ts_session *s, + sp_regs->cpsr = read_daif() & (SPSR_64_DAIF_MASK << SPSR_64_DAIF_SHIFT); + + exceptions = thread_mask_exceptions(THREAD_EXCP_ALL); ++ ++ /* ++ * Store endpoint ID and thread ID in rpc_target_info. This will be used ++ * as w1 in FFA_INTERRUPT in case of a NWd interrupt. ++ */ ++ rpc_target_info = thread_get_tsd()->rpc_target_info; ++ thread_id = thread_get_id(); ++ assert((thread_id & ~0xffff) == 0); ++ thread_get_tsd()->rpc_target_info = (sp_s->endpoint_id << 16) | ++ (thread_id & 0xffff); ++ + __thread_enter_user_mode(sp_regs, &panicked, &panic_code); ++ + sp_regs->cpsr = cpsr; ++ /* Restore rpc_target_info */ ++ thread_get_tsd()->rpc_target_info = rpc_target_info; ++ + thread_unmask_exceptions(exceptions); + + thread_user_clear_vfp(&ctx->uctx); +diff --git a/core/arch/arm/kernel/spmc_sp_handler.c b/core/arch/arm/kernel/spmc_sp_handler.c +index 5d3326fc..f4c7ff81 100644 +--- a/core/arch/arm/kernel/spmc_sp_handler.c ++++ b/core/arch/arm/kernel/spmc_sp_handler.c +@@ -366,6 +366,32 @@ cleanup: + return res; + } + ++void spmc_sp_set_to_preempted(struct ts_session *ts_sess) ++{ ++ if (ts_sess && is_sp_ctx(ts_sess->ctx)) { ++ struct sp_session *sp_sess = to_sp_session(ts_sess); ++ ++ assert(sp_sess->state == sp_busy); ++ ++ sp_sess->state = sp_preempted; ++ } ++} ++ ++int spmc_sp_resume_from_preempted(uint16_t endpoint_id) ++{ ++ struct sp_session *sp_sess = sp_get_session(endpoint_id); ++ ++ if (!sp_sess) ++ return FFA_INVALID_PARAMETERS; ++ ++ if (sp_sess->state != sp_preempted) ++ return FFA_DENIED; ++ ++ sp_sess->state = sp_busy; ++ ++ return FFA_OK; ++} ++ + static bool check_rxtx(struct ffa_rxtx *rxtx) + { + return rxtx && rxtx->rx && rxtx->tx && rxtx->size > 0; +diff --git a/core/arch/arm/kernel/thread.c b/core/arch/arm/kernel/thread.c +index 1e7f9f96..8cd4dc96 100644 +--- a/core/arch/arm/kernel/thread.c ++++ b/core/arch/arm/kernel/thread.c +@@ -531,6 +531,13 @@ int thread_state_suspend(uint32_t flags, uint32_t cpsr, vaddr_t pc) + core_mmu_set_user_map(NULL); + } + ++ if (IS_ENABLED(CFG_SECURE_PARTITION)) { ++ struct ts_session *ts_sess = ++ TAILQ_FIRST(&threads[ct].tsd.sess_stack); ++ ++ spmc_sp_set_to_preempted(ts_sess); ++ } ++ + l->curr_thread = THREAD_ID_INVALID; + + if (IS_ENABLED(CFG_VIRTUALIZATION)) +diff --git a/core/arch/arm/kernel/thread_spmc.c b/core/arch/arm/kernel/thread_spmc.c +index 3b4ac0b4..bc4e7687 100644 +--- a/core/arch/arm/kernel/thread_spmc.c ++++ b/core/arch/arm/kernel/thread_spmc.c +@@ -45,7 +45,7 @@ struct mem_frag_state { + #endif + + /* Initialized in spmc_init() below */ +-static uint16_t my_endpoint_id; ++uint16_t my_endpoint_id; + + /* + * If struct ffa_rxtx::size is 0 RX/TX buffers are not mapped or initialized. +@@ -437,6 +437,32 @@ out: + FFA_PARAM_MBZ, FFA_PARAM_MBZ); + cpu_spin_unlock(&rxtx->spinlock); + } ++ ++static void spmc_handle_run(struct thread_smc_args *args) ++{ ++ uint16_t endpoint = (args->a1 >> 16) & 0xffff; ++ uint16_t thread_id = (args->a1 & 0xffff); ++ uint32_t rc = 0; ++ ++ if (endpoint != my_endpoint_id) { ++ /* ++ * The endpoint should be an SP, try to resume the SP from ++ * preempted into busy state. ++ */ ++ rc = spmc_sp_resume_from_preempted(endpoint); ++ if (rc) ++ goto out; ++ } ++ ++ thread_resume_from_rpc(thread_id, 0, 0, 0, 0); ++ ++ /* thread_resume_from_rpc return only of the thread_id is invalid */ ++ rc = FFA_INVALID_PARAMETERS; ++ ++out: ++ spmc_set_args(args, FFA_ERROR, FFA_PARAM_MBZ, rc, FFA_PARAM_MBZ, ++ FFA_PARAM_MBZ, FFA_PARAM_MBZ); ++} + #endif /*CFG_CORE_SEL1_SPMC*/ + + static void handle_yielding_call(struct thread_smc_args *args) +@@ -970,6 +996,9 @@ void thread_spmc_msg_recv(struct thread_smc_args *args) + case FFA_PARTITION_INFO_GET: + spmc_handle_partition_info_get(args, &nw_rxtx); + break; ++ case FFA_RUN: ++ spmc_handle_run(args); ++ break; + #endif /*CFG_CORE_SEL1_SPMC*/ + case FFA_INTERRUPT: + itr_core_handler(); +diff --git a/core/arch/arm/kernel/thread_spmc_a64.S b/core/arch/arm/kernel/thread_spmc_a64.S +index 21cb6251..7297005a 100644 +--- a/core/arch/arm/kernel/thread_spmc_a64.S ++++ b/core/arch/arm/kernel/thread_spmc_a64.S +@@ -14,6 +14,20 @@ + #include <kernel/thread.h> + #include <optee_ffa.h> + ++#if CFG_SECURE_PARTITION ++LOCAL_FUNC thread_ffa_interrupt , : ++ mov_imm x0, FFA_INTERRUPT /* FID */ ++ /* X1: Endpoint/vCPU IDs is set by caller */ ++ mov x2, #FFA_PARAM_MBZ /* Param MBZ */ ++ mov x3, #FFA_PARAM_MBZ /* Param MBZ */ ++ mov x4, #FFA_PARAM_MBZ /* Param MBZ */ ++ mov x5, #FFA_PARAM_MBZ /* Param MBZ */ ++ mov x6, #FFA_PARAM_MBZ /* Param MBZ */ ++ mov x7, #FFA_PARAM_MBZ /* Param MBZ */ ++ b .ffa_msg_loop ++END_FUNC thread_ffa_msg_wait ++#endif /* CFG_SECURE_PARTITION */ ++ + FUNC thread_ffa_msg_wait , : + mov_imm x0, FFA_MSG_WAIT /* FID */ + mov x1, #FFA_TARGET_INFO_MBZ /* Target info MBZ */ +@@ -171,6 +185,14 @@ END_FUNC thread_rpc + * The current thread as indicated by @thread_index has just been + * suspended. The job here is just to inform normal world the thread id to + * resume when returning. ++ * If the active FF-A endpoint is OP-TEE (or a TA) then an this function send an ++ * OPTEE_FFA_YIELDING_CALL_RETURN_INTERRUPT message to the normal world via the ++ * FFA_MSG_SEND_DIRECT_RESP interface. This is handled by the OP-TEE ++ * driver in Linux so it can schedule task to the thread. ++ * If the active endpoint is an SP the function sends an FFA_INTERRUPT. This is ++ * handled by the FF-A driver and after taking care of the NWd interrupts it ++ * returns via an FFA_RUN call. ++ * The active endpoint is determined by the upper 16 bits of rpc_target_info. + */ + FUNC thread_foreign_intr_exit , : + /* load threads[w0].tsd.rpc_target_info into w1 */ +@@ -178,6 +200,14 @@ FUNC thread_foreign_intr_exit , : + adr_l x2, threads + madd x1, x1, x0, x2 + ldr w1, [x1, #THREAD_CTX_TSD_RPC_TARGET_INFO] ++#if CFG_SECURE_PARTITION ++ adr_l x2, my_endpoint_id ++ ldrh w2, [x2] ++ lsr w3, w1, #16 ++ cmp w2, w3 ++ /* (threads[w0].tsd.rpc_target_info >> 16) != my_endpoint_id */ ++ bne thread_ffa_interrupt ++#endif /* CFG_SECURE_PARTITION */ + mov x2, #FFA_PARAM_MBZ + mov w3, #FFA_PARAM_MBZ + mov w4, #OPTEE_FFA_YIELDING_CALL_RETURN_INTERRUPT + +-- +2.17.1 diff --git a/meta-arm/meta-arm/recipes-security/optee/optee-os-3.20.0/0008-core-spmc-configure-SP-s-NS-interrupt-action-based-o.patch b/meta-arm/meta-arm/recipes-security/optee/optee-os-3.20.0/0008-core-spmc-configure-SP-s-NS-interrupt-action-based-o.patch new file mode 100644 index 0000000000..32e560689f --- /dev/null +++ b/meta-arm/meta-arm/recipes-security/optee/optee-os-3.20.0/0008-core-spmc-configure-SP-s-NS-interrupt-action-based-o.patch @@ -0,0 +1,150 @@ +From cad33cffb5be17fc0654aaf03c4d5227ae682e7a Mon Sep 17 00:00:00 2001 +From: Imre Kis <imre.kis@arm.com> +Date: Tue, 25 Apr 2023 14:19:14 +0200 +Subject: [PATCH] core: spmc: configure SP's NS interrupt action based on + the manifest + +Used mandatory ns-interrupts-action SP manifest property to configure +signaled or queued non-secure interrupt handling. + +Upstream-Status: Pending + +Signed-off-by: Imre Kis <imre.kis@arm.com> +Change-Id: I843e69e5dbb9613ecd8b95654e8ca1730a594ca6 +--- + .../arm/include/kernel/secure_partition.h | 2 + + core/arch/arm/kernel/secure_partition.c | 66 +++++++++++++++++-- + 2 files changed, 63 insertions(+), 5 deletions(-) + +diff --git a/core/arch/arm/include/kernel/secure_partition.h b/core/arch/arm/include/kernel/secure_partition.h +index 290750936..3bf339d3c 100644 +--- a/core/arch/arm/include/kernel/secure_partition.h ++++ b/core/arch/arm/include/kernel/secure_partition.h +@@ -43,6 +43,8 @@ struct sp_session { + unsigned int spinlock; + const void *fdt; + bool is_initialized; ++ uint32_t ns_interrupts_action; ++ uint32_t ns_interrupts_action_inherited; + TAILQ_ENTRY(sp_session) link; + }; + +diff --git a/core/arch/arm/kernel/secure_partition.c b/core/arch/arm/kernel/secure_partition.c +index 52365553b..e54069c17 100644 +--- a/core/arch/arm/kernel/secure_partition.c ++++ b/core/arch/arm/kernel/secure_partition.c +@@ -46,6 +46,10 @@ + SP_MANIFEST_ATTR_WRITE | \ + SP_MANIFEST_ATTR_EXEC) + ++#define SP_MANIFEST_NS_INT_QUEUED (0x0) ++#define SP_MANIFEST_NS_INT_MANAGED_EXIT (0x1) ++#define SP_MANIFEST_NS_INT_SIGNALED (0x2) ++ + #define SP_PKG_HEADER_MAGIC (0x474b5053) + #define SP_PKG_HEADER_VERSION_V1 (0x1) + #define SP_PKG_HEADER_VERSION_V2 (0x2) +@@ -907,6 +911,30 @@ static TEE_Result sp_init_uuid(const TEE_UUID *uuid, const void * const fdt) + return res; + DMSG("endpoint is 0x%"PRIx16, sess->endpoint_id); + ++ res = sp_dt_get_u32(fdt, 0, "ns-interrupts-action", ++ &sess->ns_interrupts_action); ++ ++ if (res) { ++ EMSG("Mandatory property is missing: ns-interrupts-action"); ++ return res; ++ } ++ ++ switch (sess->ns_interrupts_action) { ++ case SP_MANIFEST_NS_INT_QUEUED: ++ case SP_MANIFEST_NS_INT_SIGNALED: ++ /* OK */ ++ break; ++ ++ case SP_MANIFEST_NS_INT_MANAGED_EXIT: ++ EMSG("Managed exit is not implemented"); ++ return TEE_ERROR_NOT_IMPLEMENTED; ++ ++ default: ++ EMSG("Invalid ns-interrupts-action value: %d", ++ sess->ns_interrupts_action); ++ return TEE_ERROR_BAD_PARAMETERS; ++ } ++ + return TEE_SUCCESS; + } + +@@ -989,17 +1017,45 @@ TEE_Result sp_enter(struct thread_smc_args *args, struct sp_session *sp) + return res; + } + ++/* ++ * According to FF-A v1.1 section 8.3.1.4 if a caller requires less permissive ++ * active on NS interrupt than the callee, the callee must inherit the caller's ++ * configuration. ++ * Each SP's own NS action setting is stored in ns_interrupts_action. The ++ * effective action will be MIN([self action], [caller's action]) which is ++ * stored in the ns_interrupts_action_inherited field. ++ */ ++static void sp_cpsr_configure_foreing_interrupts(struct sp_session *s, ++ struct ts_session *caller, ++ uint64_t *cpsr) ++{ ++ if (caller) { ++ struct sp_session *caller_sp = to_sp_session(caller); ++ ++ s->ns_interrupts_action_inherited = ++ MIN(caller_sp->ns_interrupts_action_inherited, ++ s->ns_interrupts_action); ++ } else { ++ s->ns_interrupts_action_inherited = s->ns_interrupts_action; ++ } ++ ++ if (s->ns_interrupts_action_inherited == SP_MANIFEST_NS_INT_QUEUED) ++ *cpsr |= (THREAD_EXCP_FOREIGN_INTR << ARM32_CPSR_F_SHIFT); ++ else ++ *cpsr &= ~(THREAD_EXCP_FOREIGN_INTR << ARM32_CPSR_F_SHIFT); ++} ++ + static TEE_Result sp_enter_invoke_cmd(struct ts_session *s, + uint32_t cmd __unused) + { + struct sp_ctx *ctx = to_sp_ctx(s->ctx); + TEE_Result res = TEE_SUCCESS; + uint32_t exceptions = 0; +- uint64_t cpsr = 0; + struct sp_session *sp_s = to_sp_session(s); + struct ts_session *sess = NULL; + struct thread_ctx_regs *sp_regs = NULL; + uint32_t thread_id = THREAD_ID_INVALID; ++ struct ts_session *caller = NULL; + uint32_t rpc_target_info = 0; + uint32_t panicked = false; + uint32_t panic_code = 0; +@@ -1009,11 +1065,12 @@ static TEE_Result sp_enter_invoke_cmd(struct ts_session *s, + sp_regs = &ctx->sp_regs; + ts_push_current_session(s); + +- cpsr = sp_regs->cpsr; +- sp_regs->cpsr = read_daif() & (SPSR_64_DAIF_MASK << SPSR_64_DAIF_SHIFT); +- + exceptions = thread_mask_exceptions(THREAD_EXCP_ALL); + ++ /* Enable/disable foreign interrupts in CPSR/SPSR */ ++ caller = ts_get_calling_session(); ++ sp_cpsr_configure_foreing_interrupts(sp_s, caller, &sp_regs->cpsr); ++ + /* + * Store endpoint ID and thread ID in rpc_target_info. This will be used + * as w1 in FFA_INTERRUPT in case of a NWd interrupt. +@@ -1026,7 +1083,6 @@ static TEE_Result sp_enter_invoke_cmd(struct ts_session *s, + + __thread_enter_user_mode(sp_regs, &panicked, &panic_code); + +- sp_regs->cpsr = cpsr; + /* Restore rpc_target_info */ + thread_get_tsd()->rpc_target_info = rpc_target_info; + +-- +2.17.1 diff --git a/meta-arm/meta-arm/recipes-security/optee/optee-os-tadevkit_3.2%.bbappend b/meta-arm/meta-arm/recipes-security/optee/optee-os-tadevkit_3.2%.bbappend new file mode 100644 index 0000000000..a9732e4c9c --- /dev/null +++ b/meta-arm/meta-arm/recipes-security/optee/optee-os-tadevkit_3.2%.bbappend @@ -0,0 +1,4 @@ +# Include extra headers needed by SPMC tests to TA DEVKIT. +# Supported after op-tee v3.20 +EXTRA_OEMAKE:append = "${@bb.utils.contains('MACHINE_FEATURES', 'optee-spmc-test', \ + ' CFG_SPMC_TESTS=y', '' , d)}" diff --git a/meta-arm/meta-arm/recipes-security/optee/optee-os-ts-3.18.inc b/meta-arm/meta-arm/recipes-security/optee/optee-os-ts-3.18.inc new file mode 100644 index 0000000000..4dffc46da3 --- /dev/null +++ b/meta-arm/meta-arm/recipes-security/optee/optee-os-ts-3.18.inc @@ -0,0 +1,54 @@ +# Include Trusted Services SPs accordingly to defined machine features + +# Please notice that OPTEE will load SPs in the order listed in this file. +# If an SP requires another SP to be already loaded it must be listed lower. + +# TS SPs UUIDs definitions +require recipes-security/trusted-services/ts-uuid.inc + +TS_ENV = "opteesp" +TS_BIN = "${RECIPE_SYSROOT}/usr/${TS_ENV}/bin" + +# ITS SP +DEPENDS:append = "${@bb.utils.contains('MACHINE_FEATURES', 'ts-its', \ + ' ts-sp-its', '' , d)}" +SP_PATHS:append = "${@bb.utils.contains('MACHINE_FEATURES', 'ts-its', \ + ' ${TS_BIN}/${ITS_UUID}.stripped.elf', '', d)}" + +# Storage SP +DEPENDS:append = "${@bb.utils.contains('MACHINE_FEATURES', 'ts-storage', \ + ' ts-sp-storage', '' , d)}" +SP_PATHS:append = "${@bb.utils.contains('MACHINE_FEATURES', 'ts-storage', \ + ' ${TS_BIN}/${STORAGE_UUID}.stripped.elf', '', d)}" + +# Crypto SP. +DEPENDS:append = "${@bb.utils.contains('MACHINE_FEATURES', 'ts-crypto', \ + ' ts-sp-crypto', '' , d)}" +SP_PATHS:append = "${@bb.utils.contains('MACHINE_FEATURES', 'ts-crypto', \ + ' ${TS_BIN}/${CRYPTO_UUID}.stripped.elf', '', d)}" + +# Attestation SP +DEPENDS:append = "${@bb.utils.contains('MACHINE_FEATURES', 'ts-attestation', \ + ' ts-sp-attestation', '' , d)}" +SP_PATHS:append = "${@bb.utils.contains('MACHINE_FEATURES', 'ts-attestation', \ + ' ${TS_BIN}/${ATTESTATION_UUID}.stripped.elf', '', d)}" + +# Env-test SP +DEPENDS:append = "${@bb.utils.contains('MACHINE_FEATURES', 'ts-env-test', \ + ' ts-sp-env-test', '' , d)}" +SP_PATHS:append = "${@bb.utils.contains('MACHINE_FEATURES', 'ts-env-test', \ + ' ${TS_BIN}/${ENV_TEST_UUID}.stripped.elf', '', d)}" + +# SE-Proxy SP +DEPENDS:append = "${@bb.utils.contains('MACHINE_FEATURES', 'ts-se-proxy', \ + ' ts-sp-se-proxy', '' , d)}" +SP_PATHS:append = "${@bb.utils.contains('MACHINE_FEATURES', 'ts-se-proxy', \ + ' ${TS_BIN}/${SE_PROXY_UUID}.stripped.elf', '', d)}" + +# SMM Gateway +DEPENDS:append = "${@bb.utils.contains('MACHINE_FEATURES', 'ts-smm-gateway', \ + ' ts-sp-smm-gateway', '' , d)}" +SP_PATHS:append = "${@bb.utils.contains('MACHINE_FEATURES', 'ts-smm-gateway', \ + ' ${TS_BIN}/${SMM_GATEWAY_UUID}.stripped.elf', '', d)}" + +EXTRA_OEMAKE:append = "${@oe.utils.conditional('SP_PATHS', '', '', ' CFG_MAP_EXT_DT_SECURE=y CFG_SECURE_PARTITION=y SP_PATHS="${SP_PATHS}" ', d)}" diff --git a/meta-arm/meta-arm/recipes-security/optee/optee-os-ts.inc b/meta-arm/meta-arm/recipes-security/optee/optee-os-ts.inc index 73b8c14f7c..057dde25cf 100644 --- a/meta-arm/meta-arm/recipes-security/optee/optee-os-ts.inc +++ b/meta-arm/meta-arm/recipes-security/optee/optee-os-ts.inc @@ -51,4 +51,12 @@ DEPENDS:append = "${@bb.utils.contains('MACHINE_FEATURES', 'ts-smm-gateway', \ SP_PATHS:append = "${@bb.utils.contains('MACHINE_FEATURES', 'ts-smm-gateway', \ ' ${TS_BIN}/${SMM_GATEWAY_UUID}.stripped.elf', '', d)}" -EXTRA_OEMAKE:append = "${@oe.utils.conditional('SP_PATHS', '', '', ' CFG_SECURE_PARTITION=y SP_PATHS="${SP_PATHS}" ', d)}" +# SPM test SPs +DEPENDS:append = "${@bb.utils.contains('MACHINE_FEATURES', 'optee-spmc-test', \ + ' ts-sp-spm-test1 ts-sp-spm-test2 ts-sp-spm-test3', '' , d)}" +SP_PATHS:append = "${@bb.utils.contains('MACHINE_FEATURES', 'optee-spmc-test', \ + ' ${TS_BIN}/${SPM_TEST1_UUID}.stripped.elf ${TS_BIN}/${SPM_TEST2_UUID}.stripped.elf ${TS_BIN}/${SPM_TEST3_UUID}.stripped.elf', '', d)}" +EXTRA_OEMAKE:append = "${@bb.utils.contains('MACHINE_FEATURES', 'optee-spmc-test', \ + ' CFG_SPMC_TESTS=y', '' , d)}" + +EXTRA_OEMAKE:append = "${@oe.utils.conditional('SP_PATHS', '', '', ' CFG_MAP_EXT_DT_SECURE=y CFG_SECURE_PARTITION=y SP_PATHS="${SP_PATHS}" ', d)}" diff --git a/meta-arm/meta-arm/recipes-security/optee/optee-os_3.1%.bbappend b/meta-arm/meta-arm/recipes-security/optee/optee-os_3.1%.bbappend new file mode 100644 index 0000000000..2ff1b83497 --- /dev/null +++ b/meta-arm/meta-arm/recipes-security/optee/optee-os_3.1%.bbappend @@ -0,0 +1,5 @@ +# Include Trusted Services Secure Partitions +require optee-os-ts-3.18.inc + +# Conditionally include platform specific Trusted Services related OPTEE build parameters +EXTRA_OEMAKE:append:qemuarm64-secureboot = "${@oe.utils.conditional('SP_PATHS', '', '', ' CFG_CORE_HEAP_SIZE=131072 CFG_TEE_BENCHMARK=n CFG_TEE_CORE_LOG_LEVEL=4 CFG_CORE_SEL1_SPMC=y ', d)}" diff --git a/meta-arm/meta-arm/recipes-security/optee/optee-os_%.bbappend b/meta-arm/meta-arm/recipes-security/optee/optee-os_3.2%.bbappend index 09650b9a7a..09650b9a7a 100644 --- a/meta-arm/meta-arm/recipes-security/optee/optee-os_%.bbappend +++ b/meta-arm/meta-arm/recipes-security/optee/optee-os_3.2%.bbappend diff --git a/meta-arm/meta-arm/recipes-security/optee/optee-os_3.20.0.bb b/meta-arm/meta-arm/recipes-security/optee/optee-os_3.20.0.bb index 5f4b066ae3..2fdfbb5a88 100644 --- a/meta-arm/meta-arm/recipes-security/optee/optee-os_3.20.0.bb +++ b/meta-arm/meta-arm/recipes-security/optee/optee-os_3.20.0.bb @@ -7,4 +7,8 @@ FILESEXTRAPATHS:prepend := "${THISDIR}/optee-os-3.20.0:" SRCREV = "8e74d47616a20eaa23ca692f4bbbf917a236ed94" SRC_URI:append = " \ file://0004-core-Define-section-attributes-for-clang.patch \ + file://0005-core-arm-S-EL1-SPMC-boot-ABI-update.patch \ + file://0006-core-ffa-add-TOS_FW_CONFIG-handling.patch \ + file://0007-core-spmc-handle-non-secure-interrupts.patch \ + file://0008-core-spmc-configure-SP-s-NS-interrupt-action-based-o.patch \ " diff --git a/meta-arm/meta-arm/recipes-security/optee/optee-test/Update-arm_ffa_user-driver-dependency.patch b/meta-arm/meta-arm/recipes-security/optee/optee-test/Update-arm_ffa_user-driver-dependency.patch new file mode 100644 index 0000000000..e889f74051 --- /dev/null +++ b/meta-arm/meta-arm/recipes-security/optee/optee-test/Update-arm_ffa_user-driver-dependency.patch @@ -0,0 +1,39 @@ +From 7e15470f3dd45c844f0e0901f0c85c46a0882b8b Mon Sep 17 00:00:00 2001 +From: Gabor Toth <gabor.toth2@arm.com> +Date: Fri, 3 Mar 2023 12:23:45 +0100 +Subject: [PATCH 1/2] Update arm_ffa_user driver dependency + +Updating arm-ffa-user to v5.0.1 to get the following changes: + - move to 64 bit direct messages + - add Linux Kernel v6.1 compatibility +The motivation is to update x-test to depend on the same driver +version as TS uefi-test and thus to enable running these in a single +configuration. +Note: arm_ffa_user.h was copied from: + - URL:https://git.gitlab.arm.com/linux-arm/linux-trusted-services.git + - SHA:18e3be71f65a405dfb5d97603ae71b3c11759861 + +Upstream-Status: Backport + +Signed-off-by: Gabor Toth <gabor.toth2@arm.com> +Acked-by: Jens Wiklander <jens.wiklander@linaro.org> +--- + host/xtest/include/uapi/linux/arm_ffa_user.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/host/xtest/include/uapi/linux/arm_ffa_user.h b/host/xtest/include/uapi/linux/arm_ffa_user.h +index 9ef0be3..0acde4f 100644 +--- a/host/xtest/include/uapi/linux/arm_ffa_user.h ++++ b/host/xtest/include/uapi/linux/arm_ffa_user.h +@@ -33,7 +33,7 @@ struct ffa_ioctl_ep_desc { + * @dst_id: [in] 16-bit ID of destination endpoint. + */ + struct ffa_ioctl_msg_args { +- __u32 args[5]; ++ __u64 args[5]; + __u16 dst_id; + }; + #define FFA_IOC_MSG_SEND _IOWR(FFA_IOC_MAGIC, FFA_IOC_BASE + 1, \ +-- +2.39.1.windows.1 + diff --git a/meta-arm/meta-arm/recipes-security/optee/optee-test/ffa_spmc-Add-arm_ffa_user-driver-compatibility-check.patch b/meta-arm/meta-arm/recipes-security/optee/optee-test/ffa_spmc-Add-arm_ffa_user-driver-compatibility-check.patch new file mode 100644 index 0000000000..d333e860a7 --- /dev/null +++ b/meta-arm/meta-arm/recipes-security/optee/optee-test/ffa_spmc-Add-arm_ffa_user-driver-compatibility-check.patch @@ -0,0 +1,163 @@ +From 6734d14cc249af37705129de7874533df9535cd3 Mon Sep 17 00:00:00 2001 +From: Gabor Toth <gabor.toth2@arm.com> +Date: Fri, 3 Mar 2023 12:25:58 +0100 +Subject: [PATCH 2/2] ffa_spmc: Add arm_ffa_user driver compatibility check + +Check the version of the arm_ffa_user Kernel Driver and fail with a +meaningful message if incompatible driver is detected. + +Upstream-Status: Backport + +Signed-off-by: Gabor Toth <gabor.toth2@arm.com> +Acked-by: Jens Wiklander <jens.wiklander@linaro.org> +--- + host/xtest/ffa_spmc_1000.c | 68 ++++++++++++++++++++++++++++++++++---- + 1 file changed, 61 insertions(+), 7 deletions(-) + +diff --git a/host/xtest/ffa_spmc_1000.c b/host/xtest/ffa_spmc_1000.c +index 15f4a46..1839d03 100644 +--- a/host/xtest/ffa_spmc_1000.c ++++ b/host/xtest/ffa_spmc_1000.c +@@ -1,11 +1,12 @@ + // SPDX-License-Identifier: BSD-3-Clause + /* +- * Copyright (c) 2022, Arm Limited and Contributors. All rights reserved. ++ * Copyright (c) 2022-2023, Arm Limited and Contributors. All rights reserved. + */ + #include <fcntl.h> + #include <ffa.h> + #include <stdio.h> + #include <string.h> ++#include <errno.h> + #include <sys/ioctl.h> + #include <unistd.h> + #include "include/uapi/linux/arm_ffa_user.h" +@@ -17,6 +18,10 @@ + #define INCORRECT_ENDPOINT_ID 0xffff + #define NORMAL_WORLD_ENDPOINT_ID 0 + ++#define FFA_USER_REQ_VER_MAJOR 5 ++#define FFA_USER_REQ_VER_MINOR 0 ++#define FFA_USER_REQ_VER_PATCH 1 ++ + /* Get the 32 least significant bits of a handle.*/ + #define MEM_SHARE_HANDLE_LOW(x) ((x) & 0xffffffff) + /* Get the 32 most significant bits of a handle.*/ +@@ -62,6 +67,50 @@ static struct ffa_ioctl_ep_desc test_endpoint3 = { + .uuid_ptr = (uint64_t)test_endpoint3_uuid, + }; + ++static bool check_ffa_user_version(void) ++{ ++ FILE *f = NULL; ++ int ver_major = -1; ++ int ver_minor = -1; ++ int ver_patch = -1; ++ int scan_cnt = 0; ++ ++ f = fopen("/sys/module/arm_ffa_user/version", "r"); ++ if (f) { ++ scan_cnt = fscanf(f, "%d.%d.%d", ++ &ver_major, &ver_minor, &ver_patch); ++ fclose(f); ++ if (scan_cnt != 3) { ++ printf("error: failed to parse arm_ffa_user version\n"); ++ return false; ++ } ++ } else { ++ printf("error: failed to read arm_ffa_user module info - %s\n", ++ strerror(errno)); ++ return false; ++ } ++ ++ if (ver_major != FFA_USER_REQ_VER_MAJOR) ++ goto err; ++ ++ if (ver_minor < FFA_USER_REQ_VER_MINOR) ++ goto err; ++ ++ if (ver_minor == FFA_USER_REQ_VER_MINOR) ++ if (ver_patch < FFA_USER_REQ_VER_PATCH) ++ goto err; ++ ++ return true; ++ ++err: ++ printf("error: Incompatible arm_ffa_user driver detected."); ++ printf("Found v%d.%d.%d wanted >= v%d.%d.%d)\n", ++ ver_major, ver_minor, ver_patch, FFA_USER_REQ_VER_MAJOR, ++ FFA_USER_REQ_VER_MINOR, FFA_USER_REQ_VER_PATCH); ++ ++ return false; ++} ++ + static void close_debugfs(void) + { + int err = 0; +@@ -76,6 +125,9 @@ static void close_debugfs(void) + + static bool init_sp_xtest(ADBG_Case_t *c) + { ++ if (!check_ffa_user_version()) ++ return false; ++ + if (ffa_fd < 0) { + ffa_fd = open(FFA_DRIVER_FS_PATH, O_RDWR); + if (ffa_fd < 0) { +@@ -83,6 +135,7 @@ static bool init_sp_xtest(ADBG_Case_t *c) + return false; + } + } ++ + return true; + } + +@@ -99,7 +152,7 @@ static uint16_t get_endpoint_id(uint64_t endp) + struct ffa_ioctl_ep_desc sid = { .uuid_ptr = endp }; + + /* Get ID of destination SP based on UUID */ +- if(ioctl(ffa_fd, FFA_IOC_GET_PART_ID, &sid)) ++ if (ioctl(ffa_fd, FFA_IOC_GET_PART_ID, &sid)) + return INCORRECT_ENDPOINT_ID; + + return sid.id; +@@ -213,14 +266,15 @@ static int set_up_mem(struct ffa_ioctl_ep_desc *endp, + rc = share_mem(endpoint, handle); + ADBG_EXPECT_COMPARE_SIGNED(c, rc, ==, 0); + +- if (!ADBG_EXPECT_TRUE(c, handle != NULL)) +- return TEEC_ERROR_GENERIC; ++ if (!ADBG_EXPECT_NOT_NULL(c, handle)) ++ return TEEC_ERROR_GENERIC; + + /* SP will retrieve the memory region. */ + memset(args, 0, sizeof(*args)); + args->dst_id = endpoint; + args->args[MEM_SHARE_HANDLE_LOW_INDEX] = MEM_SHARE_HANDLE_LOW(*handle); +- args->args[MEM_SHARE_HANDLE_HIGH_INDEX] = MEM_SHARE_HANDLE_HIGH(*handle); ++ args->args[MEM_SHARE_HANDLE_HIGH_INDEX] = ++ MEM_SHARE_HANDLE_HIGH(*handle); + args->args[MEM_SHARE_HANDLE_ENDPOINT_INDEX] = NORMAL_WORLD_ENDPOINT_ID; + + rc = start_sp_test(endpoint, EP_RETRIEVE, args); +@@ -254,7 +308,7 @@ static void xtest_ffa_spmc_test_1002(ADBG_Case_t *c) + rc = start_sp_test(endpoint1_id, EP_TEST_SP, &args); + ADBG_EXPECT_COMPARE_SIGNED(c, rc, ==, 0); + if (!ADBG_EXPECT_COMPARE_UNSIGNED(c, args.args[0], ==, SPMC_TEST_OK)) +- goto out; ++ goto out; + + /* Set up memory and have the SP retrieve it. */ + Do_ADBG_BeginSubCase(c, "Test memory set-up"); +@@ -469,7 +523,7 @@ static void xtest_ffa_spmc_test_1005(ADBG_Case_t *c) + memset(&args, 0, sizeof(args)); + args.args[1] = endpoint2; + args.args[2] = endpoint3; +- rc = start_sp_test(endpoint1, EP_SP_MEM_SHARING_MULTI,&args); ++ rc = start_sp_test(endpoint1, EP_SP_MEM_SHARING_MULTI, &args); + ADBG_EXPECT_COMPARE_SIGNED(c, rc, ==, 0); + ADBG_EXPECT_COMPARE_UNSIGNED(c, args.args[0], ==, SPMC_TEST_OK); + +-- +2.39.1.windows.1 + diff --git a/meta-arm/meta-arm/recipes-security/optee/optee-test_3.2%.bbappend b/meta-arm/meta-arm/recipes-security/optee/optee-test_3.2%.bbappend new file mode 100644 index 0000000000..c052774c62 --- /dev/null +++ b/meta-arm/meta-arm/recipes-security/optee/optee-test_3.2%.bbappend @@ -0,0 +1,7 @@ +# Include ffa_spmc test group if the SPMC test is enabled. +# Supported after op-tee v3.20 +EXTRA_OEMAKE:append = "${@bb.utils.contains('MACHINE_FEATURES', 'optee-spmc-test', \ + ' CFG_SPMC_TESTS=y CFG_SECURE_PARTITION=y', '' , d)}" + +RDEPENDS:${PN} += "${@bb.utils.contains('MACHINE_FEATURES', 'optee-spmc-test', \ + ' arm-ffa-user', '' , d)}" diff --git a/meta-arm/meta-arm/recipes-security/optee/optee-test_3.20.0.bb b/meta-arm/meta-arm/recipes-security/optee/optee-test_3.20.0.bb index 95452b6a0d..50f5afe718 100644 --- a/meta-arm/meta-arm/recipes-security/optee/optee-test_3.20.0.bb +++ b/meta-arm/meta-arm/recipes-security/optee/optee-test_3.20.0.bb @@ -1,6 +1,8 @@ require optee-test.inc SRC_URI:append = " \ + file://Update-arm_ffa_user-driver-dependency.patch \ + file://ffa_spmc-Add-arm_ffa_user-driver-compatibility-check.patch \ file://musl-workaround.patch \ " SRCREV = "5db8ab4c733d5b2f4afac3e9aef0a26634c4b444" diff --git a/meta-arm/meta-arm/recipes-security/trusted-services/files/0001-Limit-nanopb-build-to-single-process.patch b/meta-arm/meta-arm/recipes-security/trusted-services/files/0001-Limit-nanopb-build-to-single-process.patch new file mode 100644 index 0000000000..28e041bce6 --- /dev/null +++ b/meta-arm/meta-arm/recipes-security/trusted-services/files/0001-Limit-nanopb-build-to-single-process.patch @@ -0,0 +1,41 @@ +From aca9f9ae26235e9da2bc9adef49f9f5578f3e1e7 Mon Sep 17 00:00:00 2001 +From: Gyorgy Szing <Gyorgy.Szing@arm.com> +Date: Tue, 25 Apr 2023 15:03:46 +0000 +Subject: [PATCH 1/1] Limit nanopb build to single process + +Sometimes in yocto the nanopb build step fails. The reason seems +to be a race condition. This fix disables parallel build as +a workaround. + +Upstream-Status: Inappropriate [yocto specific] + +Signed-off-by: Gyorgy Szing <Gyorgy.Szing@arm.com> +--- + external/nanopb/nanopb.cmake | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/external/nanopb/nanopb.cmake b/external/nanopb/nanopb.cmake +index 36465f61..94f8048c 100644 +--- a/external/nanopb/nanopb.cmake ++++ b/external/nanopb/nanopb.cmake +@@ -65,6 +65,8 @@ if(TARGET stdlib::c) + unset_saved_properties(LIBC) + endif() + ++set(_PROCESSOR_COUNT ${PROCESSOR_COUNT}) ++set(PROCESSOR_COUNT 1) + include(${TS_ROOT}/tools/cmake/common/LazyFetch.cmake REQUIRED) + LazyFetch_MakeAvailable(DEP_NAME nanopb + FETCH_OPTIONS ${GIT_OPTIONS} +@@ -73,6 +75,8 @@ LazyFetch_MakeAvailable(DEP_NAME nanopb + CACHE_FILE "${TS_ROOT}/external/nanopb/nanopb-init-cache.cmake.in" + SOURCE_DIR "${NANOPB_SOURCE_DIR}" + ) ++set(PROCESSOR_COUNT ${_PROCESSOR_COUNT}) ++ + unset(_cmake_fragment) + + if(TARGET stdlib::c) +-- +2.34.1 + diff --git a/meta-arm/meta-arm/recipes-security/trusted-services/trusted-services-src.inc b/meta-arm/meta-arm/recipes-security/trusted-services/trusted-services-src.inc index dc295506bb..2bb4a8a11f 100644 --- a/meta-arm/meta-arm/recipes-security/trusted-services/trusted-services-src.inc +++ b/meta-arm/meta-arm/recipes-security/trusted-services/trusted-services-src.inc @@ -5,8 +5,14 @@ LICENSE = "Apache-2.0 & BSD-3-Clause & BSD-2-Clause & Zlib" SRC_URI = "git://git.trustedfirmware.org/TS/trusted-services.git;protocol=https;branch=integration;name=trusted-services;destsuffix=git/trusted-services \ " -#latest on 12.10.22. -SRCREV_trusted-services = "3d4956770f89eb9ae0a73257901ae6277c078da6" +FILESEXTRAPATHS:prepend := "${THISDIR}/files:" + +SRC_URI:append = "\ + file://0001-Limit-nanopb-build-to-single-process.patch \ +" + +#Latest on 2023 April 28 +SRCREV="08b3d39471f4914186bd23793dc920e83b0e3197" LIC_FILES_CHKSUM = "file://${S}/license.rst;md5=ea160bac7f690a069c608516b17997f4" S = "${WORKDIR}/git/trusted-services" @@ -17,14 +23,14 @@ SRC_URI += "git://github.com/dgibson/dtc;name=dtc;protocol=https;branch=main;des SRCREV_dtc = "b6910bec11614980a21e46fbccc35934b671bd81" LIC_FILES_CHKSUM += "file://../dtc/README.license;md5=a1eb22e37f09df5b5511b8a278992d0e" -# MbedTLS, tag "mbedtls-3.1.0" +# MbedTLS, tag "mbedtls-3.3.0" SRC_URI += "git://github.com/ARMmbed/mbedtls.git;name=mbedtls;protocol=https;branch=master;destsuffix=git/mbedtls" -SRCREV_mbedtls = "d65aeb37349ad1a50e0f6c9b694d4b5290d60e49" +SRCREV_mbedtls = "8c89224991adff88d53cd380f42a2baa36f91454" LIC_FILES_CHKSUM += "file://../mbedtls/LICENSE;md5=3b83ef96387f14655fc854ddc3c6bd57" -# Nanopb, tag "nanopb-0.4.6" +# Nanopb, tag "nanopb-0.4.2" SRC_URI += "git://github.com/nanopb/nanopb.git;name=nanopb;protocol=https;branch=master;destsuffix=git/nanopb" -SRCREV_nanopb = "afc499f9a410fc9bbf6c9c48cdd8d8b199d49eb4" +SRCREV_nanopb = "df0e92f474f9cca704fe2b31483f0b4d1b1715a4" LIC_FILES_CHKSUM += "file://../nanopb/LICENSE.txt;md5=9db4b73a55a3994384112efcdb37c01f" # qcbor, tag "v1.0.0" @@ -54,15 +60,12 @@ LIC_FILES_CHKSUM += "file://../openamp/LICENSE.md;md5=a8d8cf662ef6bf9936a1e14135 # TS ships patches for external dependencies that needs to be applied apply_ts_patches() { - for p in ${S}/external/qcbor/*.patch; do - patch -p1 -N -d ${WORKDIR}/git/qcbor < ${p} || true - done - for p in ${S}/external/t_cose/*.patch; do - patch -p1 -N -d ${WORKDIR}/git/tcose < ${p} || true - done - for p in ${S}/external/CppUTest/*.patch; do - patch -p1 -d ${WORKDIR}/git/cpputest < ${p} - done + ( cd ${WORKDIR}/git/qcbor; git stash; git branch -f bf_am; git am ${S}/external/qcbor/*.patch; git reset bf_am ) + ( cd ${WORKDIR}/git/tcose; git stash; git branch -f bf_am; git am ${S}/external/t_cose/*.patch; git reset bf_am ) + ( cd ${WORKDIR}/git/mbedtls; git stash; git branch -f bf_am; git am ${S}/external/MbedTLS/*.patch; git reset bf_am ) + ( cd ${WORKDIR}/git/cpputest; git stash; git apply ${S}/external/CppUTest/*.patch ) + ( cd ${WORKDIR}/git/dtc; git stash; git apply ${S}/external/libfdt/*.patch ) + ( cd ${WORKDIR}/git/nanopb; git stash; git apply ${S}/external/nanopb/*.patch ) } do_patch[postfuncs] += "apply_ts_patches" diff --git a/meta-arm/meta-arm/recipes-security/trusted-services/ts-demo_git.bb b/meta-arm/meta-arm/recipes-security/trusted-services/ts-demo_git.bb index a9f7b65f09..668bde568f 100644 --- a/meta-arm/meta-arm/recipes-security/trusted-services/ts-demo_git.bb +++ b/meta-arm/meta-arm/recipes-security/trusted-services/ts-demo_git.bb @@ -6,6 +6,7 @@ TS_ENV = "arm-linux" require trusted-services.inc +DEPENDS += "python3-jsonschema-native python3-jinja2-native" DEPENDS += "libts" RDEPENDS:${PN} += "libts" diff --git a/meta-arm/meta-arm/recipes-security/trusted-services/ts-newlib_4.1.0.bb b/meta-arm/meta-arm/recipes-security/trusted-services/ts-newlib_4.1.0.bb index 408c7d3c24..24a724a4fd 100644 --- a/meta-arm/meta-arm/recipes-security/trusted-services/ts-newlib_4.1.0.bb +++ b/meta-arm/meta-arm/recipes-security/trusted-services/ts-newlib_4.1.0.bb @@ -22,9 +22,7 @@ OECMAKE_SOURCEPATH = "${S}/deployments/newlib/${TS_ENV}/" # TS ships a patch that needs to be applied to newlib apply_ts_patch() { - for p in ${S}/external/newlib/*.patch; do - patch -p1 -d ${WORKDIR}/git/newlib < ${p} - done + ( cd ${WORKDIR}/git/newlib; git stash; git branch -f bf_am; git am ${S}/external/newlib/*.patch; git reset bf_am ) } do_patch[postfuncs] += "apply_ts_patch" diff --git a/meta-arm/meta-arm/recipes-security/trusted-services/ts-psa-api-test-common_git.inc b/meta-arm/meta-arm/recipes-security/trusted-services/ts-psa-api-test-common_git.inc index 41cb0c08bc..8a7b0e5ca2 100644 --- a/meta-arm/meta-arm/recipes-security/trusted-services/ts-psa-api-test-common_git.inc +++ b/meta-arm/meta-arm/recipes-security/trusted-services/ts-psa-api-test-common_git.inc @@ -4,6 +4,8 @@ TS_ENV = "arm-linux" require trusted-services.inc +DEPENDS += "python3-jsonschema-native python3-jinja2-native" + DEPENDS += "libts" RDEPENDS:${PN} += "libts" @@ -11,7 +13,7 @@ SRC_URI += "git://github.com/ARM-software/psa-arch-tests.git;name=psatest;protoc file://0001-Pass-Yocto-build-settings-to-psa-arch-tests-native.patch;patchdir=../psatest \ " -SRCREV_psatest = "451aa087a40d02c7d04778235014c5619d126471" +SRCREV_psatest = "38cb53a4d9e292435ddf7899960b15af62decfbe" LIC_FILES_CHKSUM += "file://../psatest/LICENSE.md;md5=2a944942e1496af1886903d274dedb13" EXTRA_OECMAKE += "\ diff --git a/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-attestation_git.bb b/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-attestation_git.bb index eef05fe3a9..6cddfb03e0 100644 --- a/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-attestation_git.bb +++ b/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-attestation_git.bb @@ -3,5 +3,6 @@ DESCRIPTION = "Trusted Services attestation service provider" require ts-sp-common.inc SP_UUID = "${ATTESTATION_UUID}" +TS_SP_IAT_CONFIG ?= "default" -OECMAKE_SOURCEPATH="${S}/deployments/attestation/${TS_ENV}" +OECMAKE_SOURCEPATH="${S}/deployments/attestation/config/${TS_SP_IAT_CONFIG}-${TS_ENV}" diff --git a/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-common.inc b/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-common.inc index 75ddab37d1..3d756015a0 100644 --- a/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-common.inc +++ b/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-common.inc @@ -17,8 +17,8 @@ do_install:append() { dtc -I dts -O dtb -o ${D}${TS_INSTALL}/manifest/${SP_UUID}.dtb ${SP_DTS_FILE} # We do not need libs and headers - rm -r --one-file-system ${D}${TS_INSTALL}/lib - rm -r --one-file-system ${D}${TS_INSTALL}/include + rm -rf --one-file-system ${D}${TS_INSTALL}/lib + rm -rf --one-file-system ${D}${TS_INSTALL}/include } # Use Yocto debug prefix maps for compiling assembler. diff --git a/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-crypto_git.bb b/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-crypto_git.bb index 77a28557cb..867e4a8179 100644 --- a/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-crypto_git.bb +++ b/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-crypto_git.bb @@ -3,7 +3,8 @@ DESCRIPTION = "Trusted Services crypto service provider" require ts-sp-common.inc SP_UUID = "${CRYPTO_UUID}" +TS_SP_CRYPTO_CONFIG ?= "default" -DEPENDS += "python3-protobuf-native" +DEPENDS += "python3-protobuf-native python3-jsonschema-native python3-jinja2-native" -OECMAKE_SOURCEPATH="${S}/deployments/crypto/${TS_ENV}" +OECMAKE_SOURCEPATH="${S}/deployments/crypto/config/${TS_SP_CRYPTO_CONFIG}-${TS_ENV}" diff --git a/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-env-test_git.bb b/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-env-test_git.bb index 040fd4d159..5551a4deba 100644 --- a/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-env-test_git.bb +++ b/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-env-test_git.bb @@ -6,5 +6,6 @@ require ts-sp-common.inc COMPATIBLE_MACHINE ?= "invalid" SP_UUID = "${ENV_TEST_UUID}" +TS_SP_ENVTEST_CONFIG ?= "baremetal-fvp_base_revc" -OECMAKE_SOURCEPATH="${S}/deployments/env-test/${TS_ENV}" +OECMAKE_SOURCEPATH="${S}/deployments/env-test/config/${TS_SP_ENVTEST_CONFIG}-${TS_ENV}" diff --git a/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-its_git.bb b/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-its_git.bb index 4eb5dc5e5c..5472dbdae3 100644 --- a/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-its_git.bb +++ b/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-its_git.bb @@ -3,5 +3,6 @@ DESCRIPTION = "Trusted Services internal secure storage service provider" require ts-sp-common.inc SP_UUID = "${ITS_UUID}" +TS_SP_ITS_CONFIG ?= "default" -OECMAKE_SOURCEPATH="${S}/deployments/internal-trusted-storage/${TS_ENV}" +OECMAKE_SOURCEPATH="${S}/deployments/internal-trusted-storage/config/${TS_SP_ITS_CONFIG}-${TS_ENV}" diff --git a/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-se-proxy_git.bb b/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-se-proxy_git.bb index b9246418e9..26781434fd 100644 --- a/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-se-proxy_git.bb +++ b/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-se-proxy_git.bb @@ -3,7 +3,8 @@ DESCRIPTION = "Trusted Services proxy service providers" require ts-sp-common.inc SP_UUID = "${SE_PROXY_UUID}" +TS_SP_SE_PROXY_CONFIG ?= "default" DEPENDS += "python3-protobuf-native" -OECMAKE_SOURCEPATH="${S}/deployments/se-proxy/${TS_ENV}" +OECMAKE_SOURCEPATH="${S}/deployments/se-proxy/config/${TS_SP_SE_PROXY_CONFIG}-${TS_ENV}" diff --git a/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-smm-gateway_git.bb b/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-smm-gateway_git.bb index 06ca6bd116..752f7fe708 100644 --- a/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-smm-gateway_git.bb +++ b/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-smm-gateway_git.bb @@ -3,5 +3,6 @@ DESCRIPTION = "Trusted Services service provider for UEFI SMM services" require ts-sp-common.inc SP_UUID = "${SMM_GATEWAY_UUID}" +TS_SP_SMM_GATEWAY_CONFIG ?= "default" -OECMAKE_SOURCEPATH="${S}/deployments/smm-gateway/${TS_ENV}" +OECMAKE_SOURCEPATH="${S}/deployments/smm-gateway/config/${TS_SP_SMM_GATEWAY_CONFIG}-${TS_ENV}" diff --git a/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-spm-test-common.inc b/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-spm-test-common.inc new file mode 100644 index 0000000000..e357629b0f --- /dev/null +++ b/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-spm-test-common.inc @@ -0,0 +1,7 @@ +DESCRIPTION = "Trusted Services SPMC test SPs" + +require ts-sp-common.inc + +SP_UUID = "${SPM_TEST${SP_INDEX}_UUID}" +SP_DTS_FILE ?= "${D}${TS_INSTALL}/manifest/${SP_UUID}.dts" +OECMAKE_SOURCEPATH="${S}/deployments/spm-test${SP_INDEX}/${TS_ENV}" diff --git a/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-spm-test1_git.bb b/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-spm-test1_git.bb new file mode 100644 index 0000000000..4cbb970b27 --- /dev/null +++ b/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-spm-test1_git.bb @@ -0,0 +1,5 @@ +DESCRIPTION = "Trusted Services SPMC test SP1" + +SP_INDEX="1" + +require ts-sp-spm-test-common.inc diff --git a/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-spm-test2_git.bb b/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-spm-test2_git.bb new file mode 100644 index 0000000000..e6fb822b80 --- /dev/null +++ b/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-spm-test2_git.bb @@ -0,0 +1,6 @@ +DESCRIPTION = "Trusted Services SPMC test SP2" + +SP_INDEX="2" + +require ts-sp-spm-test-common.inc + diff --git a/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-spm-test3_git.bb b/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-spm-test3_git.bb new file mode 100644 index 0000000000..ad3ee76ebe --- /dev/null +++ b/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-spm-test3_git.bb @@ -0,0 +1,6 @@ +DESCRIPTION = "Trusted Services SPMC test SP3" + +SP_INDEX="3" + +require ts-sp-spm-test-common.inc + diff --git a/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-storage_git.bb b/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-storage_git.bb index c893754650..5b2f47b3f6 100644 --- a/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-storage_git.bb +++ b/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-storage_git.bb @@ -3,5 +3,6 @@ DESCRIPTION = "Trusted Services secure storage service provider" require ts-sp-common.inc SP_UUID = "${STORAGE_UUID}" +TS_SP_PS_CONFIG ?= "default" -OECMAKE_SOURCEPATH="${S}/deployments/protected-storage/${TS_ENV}" +OECMAKE_SOURCEPATH="${S}/deployments/protected-storage/config/${TS_SP_PS_CONFIG}-${TS_ENV}" diff --git a/meta-arm/meta-arm/recipes-security/trusted-services/ts-uuid.inc b/meta-arm/meta-arm/recipes-security/trusted-services/ts-uuid.inc index 7a39f733e8..c18ec5d7f8 100644 --- a/meta-arm/meta-arm/recipes-security/trusted-services/ts-uuid.inc +++ b/meta-arm/meta-arm/recipes-security/trusted-services/ts-uuid.inc @@ -7,3 +7,6 @@ ITS_UUID = "dc1eef48-b17a-4ccf-ac8b-dfcff7711b14" SE_PROXY_UUID = "46bb39d1-b4d9-45b5-88ff-040027dab249" SMM_GATEWAY_UUID = "ed32d533-99e6-4209-9cc0-2d72cdd998a7" STORAGE_UUID = "751bf801-3dde-4768-a514-0f10aeed1790" +SPM_TEST1_UUID = "5c9edbc3-7b3a-4367-9f83-7c191ae86a37" +SPM_TEST2_UUID = "7817164c-c40c-4d1a-867a-9bb2278cf41a" +SPM_TEST3_UUID = "23eb0100-e32a-4497-9052-2f11e584afa6"
\ No newline at end of file |