author | Patrick Williams <patrick@stwcx.xyz> | 2023-06-09 09:26:37 +0300 |
---|---|---|
committer | Patrick Williams <patrick@stwcx.xyz> | 2023-06-09 16:54:07 +0300 |
commit | b542dec15d5efd10eecb485af0629315876cebfc (patch) | |
tree | 26eb105e1f714c796400b7260f83ad0993fb31a0 /meta-arm/meta-arm | |
parent | b023dabbf394356c51f7b61e458c2e9828c06175 (diff) | |
download | openbmc-b542dec15d5efd10eecb485af0629315876cebfc.tar.xz |
subtree updates
meta-raspberrypi: 9240ea91ca..8e07f0d328:
DOLE Olivier (1):
rpi-config: U-Boot requires "enable_uart=1" to operate correctly.
Florin Sarbu (1):
udev-rules-rpi: Use 99-com.rules directly from upstream
meta-openembedded: 829dcb63f0..def4759e95:
Alex Kiernan (1):
ostree: Add soup3 PACKAGECONFIG, rename soup to soup2
Alexander Mohr (1):
dlt-daemon: apply rename of genivi to covesa
Armin Kuster (1):
wireshark: Update to a supported version 4.0.x
Bartosz Golaszewski (97):
python3-snagboot: new recipe
libgpiod: add myself as maintainer
python3-pyparted: add missing run-time dependencies
python3-send2trash: add missing run-time dependencies
python3-mock: cleanup RDEPENDS
python3-mock: add missing run-time dependencies
python3-cson: fix run-time dependencies
python3-ldap: don't use PYTHON_PN
python3-ldap: add missing run-time dependencies
python3-pyrad: add missing run-time dependencies
python3-html2text: add missing run-time dependencies
python3-parse: don't use PYTHON_PN and improve coding style
python3-parse: add missing run-time dependencies
python3-meld3: add missing run-time dependencies
python3-pyiface: add missing run-time dependencies
python3-mpmath: add missing run-time dependencies
python3-uswid: add missing run-time dependencies
python3-xmlrunner: add missing run-time dependencies
python3-editor: add missing run-time dependencies
python3-pykwalify: don't use PYTHON_PN and improve coding style
python3-pykwalify: add missing run-time dependencies
python3-iperf: add missing run-time dependencies
python3-sdnotify: add missing run-time dependencies
python3-service-identity: add missing run-time dependencies
python3-sqlsoup: add missing run-time dependencies
python3-sqlalchemy: don't use PYTHON_PN and improve coding style
python3-sqlalchemy: add missing run-time dependencies
python3-pure-eval: add missing run-time dependencies
python3-stack-data: fix coding style
python3-stack-data: add missing run-time dependencies
python3-sympy: add missing run-time dependencies
python3-thrift: don't use PYTHON_PN and improve coding style
python3-thrift: add missing run-time dependencies
python3-tomlkit: add missing run-time dependencies
python3-tornado: drop ${PN} from RDEPENDS
python3-tornado: fix coding style
python3-tornado: remove the testing submodule from FILES:${PN}-test
python3-tornado: add missing run-time dependencies
python3-trustme: add missing run-time dependencies
python3-twofish: add missing run-time dependencies
python3-txws: add missing run-time dependencies
python3-web3: add missing run-time dependencies
python3-uefi-firmware: add missing run-time dependencies
python3-websockets: fix coding style
python3-websockets: add missing run-time dependencies
python3-xlrd: fix coding style
python3-xlrd: add missing run-time dependencies
python3-versiontools: add missing run-time dependencies
python3-typeguard: add missing run-time dependencies
python3-process-tests: add missing run-time dependencies
python3-pyatspi: add missing run-time dependencies
python3-pydantic: don't use PYTHON_PN and improve coding style
python3-pydantic: add missing run-time dependencies
python3-python-vlc: add missing run-time dependencies
python3-redis: fix coding style
python3-redis: add missing run-time dependencies
python3-raven: add missing run-time dependencies
python3-pypng: new package
python3-qrcode: add missing run-time dependencies
python3-pyusb: fix run-time dependencies
python3-pytest-mock: add missing run-time dependencies
python3-pyroute2: fix coding style
python3-fcntl: add missing run-time dependencies
python3-pyproject-metadata: add missing run-time dependencies
python3-pyproj: don't use PYTHON_PN
python3-pyproj: drop unnecessary run-time dependency
python3-pyproj: add missing run-time dependencies
python3-classes: new package
python3-pylyrics: add missing run-time dependencies
python3-pyjwt: stop using PYTHON_PN
python3-pyjwt: add missing run-time dependencies
python3-javaobj-py3: add missing run-time dependencies
python3-pyjks: stop using PYTHON_PN
python3-pyjks: fix run-time dependencies
python3-pyexpect: add missing run-time dependencies
python3-pynetlinux: fix relative imports
python3-pynetlinux: add missing run-time dependencies
python3-pickleshare: add missing run-time dependencies
python3-petact: add missing run-time dependencies
python3-pefile: add missing run-time dependencies
python3-jsonpath-rw: add missing run-time dependencies
python3-jsonrpcclient: add missing run-time dependencies
python3-jstyleson: add missing run-time dependencies
python3-kconfiglib: add missing run-time dependencies
python3-libevdev: add missing run-time dependencies
python3-linux-procfs: add missing run-time dependencies
python3-lockfile: add missing run-time dependencies
python3-msm: fix coding style
python3-lazy: new recipe
python3-msm: add missing run-time dependencies
python3-netaddr: stop using PYTHON_PN
python3-netaddr: add missing run-time dependencies
python3-ninja-syntax: new package
python3-ninja: add missing run-time dependencies
python3-nmap: add missing run-time dependencies
python3-oslash: add missing run-time dependencies
python3-padaos: add missing run-time dependencies
Christophe Vu-Brugier (1):
switchtec-user: add new recipe
Geoff Parker (1):
python3-platformdirs: add nativesdk to BBCLASSEXTEND
Ivan Maidanski (1):
bdwgc: upgrade 8.2.2 -> 8.2.4
Johannes Kauffmann (2):
open62541: update to v1.3.6
open62541: build optimized binary
Khem Raj (21):
ipvsadm: Pass build environment cflags to compiler
orrery: Pass OE provided cflags
libleak: Upgrade to 0.3.6
zeroconf: Pass cflags from environment
lshw: Pass OE cflags via RPM_OPT_FLAGS
ruli: Pass cflags to makefile
gnome-online-accounts: Replace filename with basename
rdma-core: Use target path for systemctl
monkey: Remove buildpaths from generated mk_env.h
minio: Ignore from world builds
libcppkafka: Remove RECIPE_SYSROOT from packageconfig .pc file
doxygen: Do not generate #line directive with flex/bison
gattlib: Upgrade to latest tip of trunk
ettercap: Do not generate #line directives with bison/flex
zfs: Add a patch to fix aarch64 build with gcc13
zfs: Upgrade to 2.1.11
zfs: Fix build with aarch64
zfs: Fix build on musl
ctapi-common: Use archives.fedoraproject.org to fetch srpm
Revert "libgpiod: modify test 'gpioset: toggle (continuous)'"
meta-python-ptest-fast-image: Do not run python3-pytest-mock ptests
Lei Maohui (1):
dovecot: Fix install conflict when enable multilib.
Marek Vasut (1):
v4l-utils: Update 1.23.0+9431e4b2 -> 1.24.1
Markus Volk (4):
iwd: update 2.4 -> 2.5
gnome-control-center: upgrade 44.1 -> 44.2
mutter: upgrade 44.1 -> 44.2
gnome-shell: upgrade 44.1 -> 44.2
Martin Jansa (1):
switchtec-user: fix installed-vs-shipped with multilib
Niko Mauno (2):
contrib: oe-stylize: Fix ambiguous variable names
contrib: oe-stylize: Use Python3 explicitly
Peter Marko (1):
nss: ignore CVE-2022-3479
Petr Gotthard (4):
blueman: fix REQUIRED_DISTRO_FEATURES gobject-introspection-data
firewalld: fix REQUIRED_DISTRO_FEATURES gobject-introspection-data
system-config-printer: fix REQUIRED_DISTRO_FEATURES gobject-introspection-data
firewalld: upgrade 1.2.0 -> 1.3.2
Wang Mingyu (40):
ctags: upgrade 6.0.20230521.0 -> 6.0.20230528.0
eog: upgrade 44.1 -> 44.2
nautilus: upgrade 44.1 -> 44.2
evolution-data-server: upgrade 3.48.1 -> 3.48.2
flatbuffers: upgrade 23.1.4 -> 23.3.56
python3-asgiref: upgrade 3.7.1 -> 3.7.2
python3-cachetools: upgrade 5.3.0 -> 5.3.1
python3-coverage: upgrade 7.2.6 -> 7.2.7
python3-croniter: upgrade 1.3.14 -> 1.3.15
python3-deprecated: upgrade 1.2.13 -> 1.2.14
python3-google-api-python-client: upgrade 2.86.0 -> 2.87.0
python3-google-auth: upgrade 2.18.1 -> 2.19.0
python3-imageio: upgrade 2.29.0 -> 2.30.0
python3-license-expression: upgrade 30.1.0 -> 30.1.1
python3-lru-dict: upgrade 1.1.8 -> 1.2.0
python3-paramiko: upgrade 3.1.0 -> 3.2.0
python3-pint: upgrade 0.21 -> 0.22
python3-protobuf: upgrade 4.23.1 -> 4.23.2
python3-xlsxwriter: upgrade 3.1.1 -> 3.1.2
xterm: upgrade 380 -> 381
python3-zeroconf: upgrade 0.62.0 -> 0.63.0
dnf-plugin-tui: modify suffix of spdx file.
evolution-data-server: upgrade 3.48.2 -> 3.48.3
samba: upgrade 4.18.2 -> 4.18.3
ctags: upgrade 6.0.20230528.0 -> 6.0.20230604.0
tree: upgrade 2.1.0 -> 2.1.1
xrdb: upgrade 1.2.1 -> 1.2.2
xterm: upgrade 381 -> 382
xwd: upgrade 1.0.8 -> 1.0.9
libnet-dns-perl: upgrade 1.38 -> 1.39
pamela: upgrade 1.0.0 -> 1.1.0
python3-cachecontrol: upgrade 0.12.12 -> 0.13.0
python3-google-api-python-client: upgrade 2.87.0 -> 2.88.0
python3-google-auth: upgrade 2.19.0 -> 2.19.1
python3-nocaselist: upgrade 1.1.1 -> 2.0.0
python3-pymodbus: upgrade 3.2.2 -> 3.3.0
python3-regex: upgrade 2023.5.5 -> 2023.6.3
python3-rich: upgrade 13.3.5 -> 13.4.1
python3-sentry-sdk: upgrade 1.24.0 -> 1.25.0
ntp: upgrade 4.2.8p15 -> 4.2.8p16
poky: 76494f2b66..00f3d58064:
Alex Kiernan (1):
rust: Upgrade 1.69.0 -> 1.70.0
Alexander Kanavin (5):
maintaines.inc: unassign Richard Weinberger from erofs-utils entry
maintainers.inc: unassign Andreas Müller from itstool entry
maintainers.inc: unassign Pascal Bach from cmake entry
maintainers.inc: correct unassigned entries (> was missing)
maintainers.inc: correct Carlos Rafael Giani's email address
Andrej Valek (1):
busybox: 1.36.0 -> 1.36.1
Anuj Mittal (3):
gstreamer1.0: upgrade 1.22.2 -> 1.22.3
stress-ng: upgrade 0.15.07 -> 0.15.08
glib-networking: upgrade 2.74.0 -> 2.76.0
Bruce Ashfield (10):
linux-yocto/6.1: update to v6.1.26
linux-yocto/6.1: update to v6.1.27
linux-yocto-dev: bump to v6.4+
kernel: don't force PAHOLE=false
linux-yocto: move build / debug dependencies to .inc
linux-yocto/6.1: update to v6.1.28
linux-yocto/6.1: update to v6.1.29
linux-yocto/6.1: update to v6.1.30
linux-yocto/6.1: update to v6.1.31
linux-yocto/6.1: update to v6.1.32
Chen Qi (4):
libsdl2: disable SDL's own ccache
cmake.bbclass: do not search host paths for find_program()
Revert "libsdl2: disable SDL's own ccache"
qemurunner.py: fix error message about qmp
Daniel Ammann (1):
overview-manual: concepts.rst: Fix a typo
Denys Dmytriyenko (1):
bitbake.conf: Add SRCPV to BB_HASH_CODEPARSER_VALS
Dmitry Baryshkov (1):
openssl: fix building on riscv32
Frieder Paape (1):
image_types: Fix reproducible builds for initramfs and UKI img
Jialing Zhang (1):
linuxloader/initramfs: Add support for loongarch64
Joshua Watt (7):
bitbake: server: Fix crash when checking lock file
bitbake: runqueue: Pass hashfn in taskdep data
classes/create-spdx-2.2: Use hashfn from BB_TASKDEPDATA instead of MACHINE
classes/create-spdx-2.2: Respect PKG for providers
classes/create-spdx-2.2: Fix build time dependency calculations
classes/create-spdx-2.2: Fix runtime dependency calculations
classes/create-spdx-2.2: Make license errors fatal
Khem Raj (2):
gcc: Upgrade to 13.1.1
perf: Make built-in libtraceevent plugins cohabit with external libtraceevent
Lee Chee Yang (4):
release-notes-4.2: update known issues and Repositories/Downloads
migration-guides: add release-notes for 4.1.4
migration-guides: add release notes for 4.0.10
migration-guides: add release notes for 4.2.1
Louis Rannou (1):
spdx: Fix license parsing
Marc Ferland (1):
connman: fix warning by specifying runstatedir at configure time
Markus Volk (4):
ell: upgrade 0.56 -> 0.57
python3: add libxcrypt-native dependency
ruby: add libxcrypt-native dependency
shadow: add libxcrypt-native dependency
Martin Jansa (2):
connman: backport a fix for build with pppd-2.5.0
selftest: wic.py respect IMAGE_LINK_NAME
Mauro Queiros (1):
pybootchartgui: show elapsed time for each task
Michael Halstead (2):
uninative: Upgrade to 3.10 to support gcc 13
uninative: Upgrade to 4.0 to include latest gcc 13.1.1
Michael Opdenacker (19):
migration-guides: release-notes-4.2: add doc improvement highlights
migration-guides: release-notes-4.3: add stub section for documentation changes
releases.svg: update according to latest release
ref-manual: improve description of kernel-fitimage variables
ref-manual: document uboot-sign class and variables
ref-manual: improve documentation for kernel-devicetree class
migration-guides: update 4.3 release notes
releases.svg: fix and explain duration of Hardknott 3.3
conf.py: add macro for Mitre CVE links
migration-guides: use new cve_mitre macro
migration-guides: release-notes-4.0.4.rst: fix typo
alsa-lib: upgrade 1.2.8 -> 1.2.9
alsa-ucm-conf: upgrade 1.2.8 -> 1.2.9
psplash: enable fullscreen and disable startup-msg
alsa-utils: upgrade 1.2.8 -> 1.2.9
ref-manual: document SPLASH variable
manuals: document SPLASH_IMAGES variable
bitbake: bitbake-user-manual: update releases.rst
bitbake: bitbake-user-manual: document "network" task flag
Ming Liu (1):
kernel.bbclass: introduce KERNEL_LOCALVERSION
Natasha Bailey (1):
tiff: backport a fix for CVE-2023-2731
Peter Kjellerstedt (1):
manuals: kernel-dev: Use protocol=https in a SRC_URI example
Petr Kubizňák (1):
ref-manual: document devicetree class variables
Richard Purdie (18):
glib: Fix ptest race issue
Revert "python3/ruby/shadow: Revert add libxcrypt-native dependency"
Revert "sqlite3: Whitelist CVE-2022-21227"
glib-2.0: Update ptest fix to upstream backport
meta-world-pkgdata: Fix for create-spdx
selftest/license: Exclude from world
create-spdx-2-2: Fix packagedata usage to work with SDK packages
create-spdx-2.2: Add missing variable exclusions
layer.conf: Add missing dependency exclusion
selftest/incompatible_lic: Ensure create_sdpx isn't used with the tests
oeqa/selftest/sstatetests: Add easier debug option
oeqa/selftest/wic: Fix host contamination issue
v86d: Improve kernel dependency
sstatesig: Drop SPDX special casing
packagegroup: Handle SPDX signature issues
poky: Enable spdx manifests by default
build-appliance-image: Update to master head revision
selftest/reproducible: Allow native/cross reuse in test
Riyaz Khan (1):
openssh: Remove BSD-4-clause contents completely from codebase
Robert Joslyn (1):
curl: Update from 8.1.0 to 8.1.1
Ross Burton (11):
avahi: remove redundant gobject-introspection DEPENDS
base: add ability to provide further details when using LICENSE_FLAGS
ninja: ignore CVE-2021-4336, wrong ninja
vulkan-samples: fix build on 32-bit platforms
gtk+3: upgrade 3.24.37 -> 3.24.38
piglit: upgrade to latest revision
pkgconf: upgrade 1.9.4 -> 1.9.5
ghostscript: upgrade to 10.01.1
git: upgrade to 2.39.3
binutils: fix CVE-2023-1972
cve-extra-exclusions: add more linux-yocto CVE ignores
Sanjay Chitroda (1):
sqlite3: Whitelist CVE-2022-21227
Sudip Mukherjee (1):
apt: Upgrade to v2.6.1
Tim Orling (1):
openssl: upgrade 3.1.0 -> 3.1.1
Tom Isaacson (1):
sdk-manual: fix Makefile example
Trevor Gamblin (6):
bind: upgrade 9.18.13 -> 9.18.14
pciutils: upgrade 3.9.0 -> 3.10.0
vim: upgrade 9.0.1527 -> 9.0.1592
python_hatchling: remove empty python sysroot dirs
python3-webcolors: upgrade 1.12 -> 1.13
python3-poetry-core: upgrade 1.5.2 -> 1.6.1
Ulrich Ölmann (1):
ref-manual: classes.rst: fix typo
Victor Kamensky (1):
systemtap: upgrade 4.8 -> 4.9
Wang Mingyu (34):
babeltrace2: upgrade 2.0.4 -> 2.0.5
curl: upgrade 8.1.1 -> 8.1.2
dos2unix: upgrade 7.4.4 -> 7.5.0
enchant2: upgrade 2.3.4 -> 2.5.0
fribidi: upgrade 1.0.12 -> 1.0.13
libdnf: upgrade 0.70.0 -> 0.70.1
libmicrohttpd: upgrade 0.9.76 -> 0.9.77
libxft: upgrade 2.3.7 -> 2.3.8
libxpm: upgrade 3.5.15 -> 3.5.16
mobile-broadband-provider-info: upgrade 20221107 -> 20230416
bind: upgrade 9.18.14 -> 9.18.15
ccache: upgrade 4.8 -> 4.8.1
libcap: upgrade 2.68 -> 2.69
libuv: upgrade 1.44.2 -> 1.45.0
python3-pip: upgrade 23.0.1 -> 23.1.2
python3-psutil: upgrade 5.9.4 -> 5.9.5
python3-ruamel-yaml: upgrade 0.17.21 -> 0.17.31
python3-sphinx: upgrade 6.1.3 -> 7.0.1
orc: upgrade 0.4.33 -> 0.4.34
python3-cython: upgrade 0.29.34 -> 0.29.35
python3-dbusmock: upgrade 0.28.7 -> 0.29.0
python3-hatch-fancy-pypi-readme: upgrade 22.8.0 -> 23.1.0
python3-hypothesis: upgrade 6.71.0 -> 6.75.7
python3-numpy: upgrade 1.24.2 -> 1.24.3
python3-pycryptodome: upgrade 3.17 -> 3.18.0
python3-pycryptodomex: upgrade 3.17 -> 3.18.0
python3-requests: upgrade 2.30.0 -> 2.31.0
python3-setuptools-rust: upgrade 1.5.2 -> 1.6.0
python3-sphinx-rtd-theme: upgrade 1.2.0 -> 1.2.1
python3-trove-classifiers: upgrade 2023.5.2 -> 2023.5.24
python3-typing-extensions: upgrade 4.5.0 -> 4.6.2
repo: upgrade 2.32 -> 2.34.1
sysklogd: upgrade 2.4.4 -> 2.5.0
xdpyinfo: upgrade 1.3.3 -> 1.3.4
Xiangyu Chen (1):
sysstat: Fix CVE-2023-33204
schitrod=cisco.com@lists.openembedded.org (1):
Revert "sqlite3: update CVE_PRODUCT"
meta-arm: 5cbe3041be..3fcafa3a94:
Adam Johnston (1):
CI: Platform specific Trusted Services config
Anton Antonov (1):
arm/oeqa: Make ts-service-test config match selected SPs
Claus Stovgaard (1):
arm-toolchain/gcc: Workaround for missing libcrypt
Emekcan Aras (1):
arm-bsp/u-boot: corstone1000: enable PSCI reset
Gyorgy Szing (11):
arm/trusted-services: update TS version
optee-os: remove v3.18 pin of OP-TEE on qemuarm64-secureboot
optee-os: Add support for TOS_FW_CONFIG on qemu
arm/trusted-firmware-a: Add TOS_FW_CONFIG handling for quemu
optee-test: backport SWd ABI compatibility changes
optee-os: enable SPMC test
arm/oeqa: enable OP-TEE SPMC tests
trusted-services: update documentation
arm/trusted-services: disable psa-iat on qemuarm64-secureboot
arm/trusted-services: fix nanopb build error
optee-os: unblock NWd interrupts
Jon Mason (9):
CI: move FVP license auto-accept to fvp.yml
CI/corstone: remove debug-tweaks usage
arm/qemuarm-secureboot: add musl testing
arm/linux-yocto: remove 5.15 bbappend
Revert "arm-bsp/tc1: re-enable signed kernel image"
arm/linux-yocto: remove unused 5.15 patches and inc file
arm-bsp/optee: Remove unreferenced patches
CI: add debug yml file for ease of use
arm/linux-yocto: add gcc 13 gimple backport patch
Mikko Rapeli (1):
scp-firmware: remove -fcanon-prefix-map
Ross Burton (3):
kas: remove obsolete armcompiler LICENSE_FLAGS_ACCEPTED
arm/fvp: add LICENSE_FLAGS_DETAILS
arm/trusted-firmware-a: look for LTS releases when looking for releases
Rui Miguel Silva (3):
arm-bsp/trusted-services:corstone1000: remove already merged patches
arm-bsp/trusted-services: remove merged patches for corstone1000
arm-bps/corstone1000: setup trusted service proxy configuration
meta-security: 5c2379f4bc..180dac9aec:
Andrew Geissler (1):
ibmswtpm2: update to 164-2020-192.1
Mikko Rapeli (4):
linux-yocto: support tpm and tpm2 on all architectures
linux-yocto: remove tpm_x86.cfg
parsec-service: fix build error
parsec-tool: fix build error
Signed-off-by: Patrick Williams <patrick@stwcx.xyz>
Change-Id: I7e7960123b241d099e5ace7c36bb5836bdac6aad
Diffstat (limited to 'meta-arm/meta-arm')
49 files changed, 1645 insertions, 240 deletions
diff --git a/meta-arm/meta-arm/conf/machine/qemuarm64-secureboot.conf b/meta-arm/meta-arm/conf/machine/qemuarm64-secureboot.conf index 7277817ddf..55c4cab457 100644 --- a/meta-arm/meta-arm/conf/machine/qemuarm64-secureboot.conf +++ b/meta-arm/meta-arm/conf/machine/qemuarm64-secureboot.conf @@ -23,6 +23,3 @@ WKS_FILE_DEPENDS = "trusted-firmware-a" IMAGE_BOOT_FILES = "${KERNEL_IMAGETYPE}" MACHINE_FEATURES += "optee-ftpm" - -PREFERRED_VERSION_optee-os ?= "3.18.%" - diff --git a/meta-arm/meta-arm/lib/oeqa/runtime/cases/trusted_services.py b/meta-arm/meta-arm/lib/oeqa/runtime/cases/trusted_services.py index a5f9376062..882989561d 100644 --- a/meta-arm/meta-arm/lib/oeqa/runtime/cases/trusted_services.py +++ b/meta-arm/meta-arm/lib/oeqa/runtime/cases/trusted_services.py @@ -3,25 +3,23 @@ from oeqa.runtime.case import OERuntimeTestCase from oeqa.core.decorator.depends import OETestDepends from oeqa.runtime.decorator.package import OEHasPackage +from oeqa.core.decorator.data import skipIfNotInDataVar class TrustedServicesTest(OERuntimeTestCase): - def run_test_tool(self, cmd, expected_status=0 ): + def run_test_tool(self, cmd, expected_status=0, expected_output=None ): """ Run a test utility """ status, output = self.target.run(cmd) self.assertEqual(status, expected_status, msg='\n'.join([cmd, output])) + if expected_output is not None: + self.assertEqual(output, expected_output, msg='\n'.join([cmd, output])) @OEHasPackage(['ts-demo']) @OETestDepends(['ssh.SSHTest.test_ssh']) def test_00_ts_demo(self): self.run_test_tool('ts-demo') - @OEHasPackage(['ts-service-test']) - @OETestDepends(['ssh.SSHTest.test_ssh']) - def test_01_ts_service_test(self): - self.run_test_tool('ts-service-test') - @OEHasPackage(['ts-uefi-test']) @OETestDepends(['ssh.SSHTest.test_ssh']) def test_02_ts_uefi_test(self): 
@@ -30,7 +28,8 @@ class TrustedServicesTest(OERuntimeTestCase): @OEHasPackage(['ts-psa-crypto-api-test']) @OETestDepends(['ssh.SSHTest.test_ssh']) def test_03_psa_crypto_api_test(self): - # There are a few expected PSA Crypto tests failing + # There are a two expected PSA Crypto tests failures testing features + # TS will not support. self.run_test_tool('psa-crypto-api-test', expected_status=46) @OEHasPackage(['ts-psa-its-api-test']) 
@@ -48,3 +47,74 @@ class TrustedServicesTest(OERuntimeTestCase): @OETestDepends(['ssh.SSHTest.test_ssh']) def test_06_psa_iat_api_test(self): self.run_test_tool('psa-iat-api-test') + + @OEHasPackage(['ts-service-test']) + @OETestDepends(['ssh.SSHTest.test_ssh']) + def test_09_ts_service_grp_check(self): + # If this test fails, available test groups in ts-service-test have changed and all + # tests using the test executable need to be double checked to ensure test group to + # TS SP mapping is still valid. + test_grp_list="FwuServiceTests PsServiceTests ItsServiceTests AttestationProvisioningTests" + test_grp_list+=" AttestationServiceTests CryptoKeyDerivationServicePackedcTests" + test_grp_list+=" CryptoMacServicePackedcTests CryptoCipherServicePackedcTests" + test_grp_list+=" CryptoHashServicePackedcTests CryptoServicePackedcTests" + test_grp_list+=" CryptoServiceProtobufTests CryptoServiceLimitTests" + test_grp_list+=" DiscoveryServiceTests" + self.run_test_tool('ts-service-test -lg', expected_output=test_grp_list) + + @OEHasPackage(['optee-test']) + @skipIfNotInDataVar('MACHINE_FEATURES', 'optee-spmc-test', 'SPMC Test SPs are not included') + @OETestDepends(['ssh.SSHTest.test_ssh']) + def test_07_spmc_test(self): + self.run_test_tool('xtest -t ffa_spmc') + + @OEHasPackage(['ts-service-test']) + @skipIfNotInDataVar('MACHINE_FEATURES', 'ts-fwu', 'FWU SP is not included') + @OETestDepends(['ssh.SSHTest.test_ssh']) + def test_10_fwu_service_tests(self): + self.run_test_tool('ts-service-test -g FwuServiceTests') + + @OEHasPackage(['ts-service-test']) + @OETestDepends(['ssh.SSHTest.test_ssh']) + def test_11_ps_service_tests(self): + if 'ts-storage' not in self.tc.td['MACHINE_FEATURES'] and \ + 'ts-se-proxy' not in self.tc.td['MACHINE_FEATURES']: + self.skipTest('Storage SP is not included into OPTEE') + self.run_test_tool('ts-service-test -g PsServiceTests') + + @OEHasPackage(['ts-service-test']) + @OETestDepends(['ssh.SSHTest.test_ssh']) + def 
test_12_its_service_tests(self): + if 'ts-its' not in self.tc.td['MACHINE_FEATURES'] and \ + 'ts-se-proxy' not in self.tc.td['MACHINE_FEATURES']: + self.skipTest('Internal Storage SP is not included into OPTEE') + self.run_test_tool('ts-service-test -g ItsServiceTests') + + @OEHasPackage(['ts-service-test']) + @OETestDepends(['ssh.SSHTest.test_ssh']) + def test_14_attestation_service_tests(self): + if 'ts-attestation' not in self.tc.td['MACHINE_FEATURES'] and \ + 'ts-se-proxy' not in self.tc.td['MACHINE_FEATURES']: + self.skipTest('Attestation SP is not included into OPTEE') + for grp in ["AttestationProvisioningTests", "AttestationServiceTests"]: + self.run_test_tool('ts-service-test -g %s'%grp) + + @OEHasPackage(['ts-service-test']) + @skipIfNotInDataVar('MACHINE_FEATURES', 'ts-crypto', 'Crypto SP is not included') + @OETestDepends(['ssh.SSHTest.test_ssh']) + def test_15_crypto_service_tests(self): + if 'ts-crypto' not in self.tc.td['MACHINE_FEATURES'] and \ + 'ts-se-proxy' not in self.tc.td['MACHINE_FEATURES']: + self.skipTest('Crypto SP is not included into OPTEE') + for grp in ["CryptoKeyDerivationServicePackedcTests", "CryptoMacServicePackedcTests", \ + "CryptoCipherServicePackedcTests", "CryptoHashServicePackedcTests", \ + "CryptoServicePackedcTests", "CryptoServiceProtobufTests CryptoServiceLimitTests"]: + self.run_test_tool('ts-service-test -g %s'%grp) + + @OEHasPackage(['ts-service-test']) + @OETestDepends(['ssh.SSHTest.test_ssh']) + def test_16_discovery_service_test(self): + if 'ts-crypto' not in self.tc.td['MACHINE_FEATURES'] and \ + 'ts-se-proxy' not in self.tc.td['MACHINE_FEATURES']: + self.skipTest('Crypto SP is not included into OPTEE') + self.run_test_tool('ts-service-test -g DiscoveryServiceTests') diff --git a/meta-arm/meta-arm/recipes-bsp/scp-firmware/scp-firmware_2.11.0.bb b/meta-arm/meta-arm/recipes-bsp/scp-firmware/scp-firmware_2.11.0.bb index 30705f6eff..0bbd88c0af 100644 
--- a/meta-arm/meta-arm/recipes-bsp/scp-firmware/scp-firmware_2.11.0.bb +++ b/meta-arm/meta-arm/recipes-bsp/scp-firmware/scp-firmware_2.11.0.bb @@ -29,6 +29,9 @@ DEPENDS = "virtual/arm-none-eabi-gcc-native \ # For now we only build with GCC, so stop meta-clang trying to get involved TOOLCHAIN = "gcc" +# remove once arm-none-eabi-gcc updates to 13 or newer like poky +DEBUG_PREFIX_MAP:remove = "-fcanon-prefix-map" + inherit deploy B = "${WORKDIR}/build" diff --git a/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/files/add-spmc_manifest-for-qemu.patch b/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/files/add-spmc_manifest-for-qemu.patch new file mode 100644 index 0000000000..50a57d6179 --- /dev/null +++ b/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/files/add-spmc_manifest-for-qemu.patch 
@@ -0,0 +1,67 @@ +From e1cbb35ad4655fe13ccb89247c81e850f6392c92 Mon Sep 17 00:00:00 2001 +From: Gyorgy Szing <Gyorgy.Szing@arm.com> +Date: Mon, 13 Mar 2023 21:15:59 +0100 +Subject: Add spmc_manifest for qemu + +This version only supports embedded packaging. + +Upstream-Status: Inappropriate [other] + - The SPMC manifest is integration specific and should live at an + integration spcific place. The manifest file is processed by TF-A + and I am adding the patch to TF-A to keep things simple. + +Signed-off-by: Gyorgy Szing <Gyorgy.Szing@arm.com> +--- + plat/qemu/fdts/optee_spmc_manifest.dts | 40 ++++++++++++++++++++++++++ + 1 file changed, 40 insertions(+) + create mode 100644 plat/qemu/fdts/optee_spmc_manifest.dts + +diff --git a/plat/qemu/fdts/optee_spmc_manifest.dts b/plat/qemu/fdts/optee_spmc_manifest.dts +new file mode 100644 +index 000000000..ae2ae3d95 +--- /dev/null ++++ b/plat/qemu/fdts/optee_spmc_manifest.dts +@@ -0,0 +1,40 @@ ++/* SPDX-License-Identifier: BSD-3-Clause */ ++/* ++ * Copyright (c) 2023, Arm Limited. All rights reserved. ++ */ ++ ++/dts-v1/; ++ ++/ { ++ compatible = "arm,ffa-core-manifest-1.0"; ++ #address-cells = <2>; ++ #size-cells = <1>; ++ ++ attribute { ++ spmc_id = <0x8000>; ++ maj_ver = <0x1>; ++ min_ver = <0x0>; ++ exec_state = <0x0>; ++ load_address = <0x0 0x0e100000>; ++ entrypoint = <0x0 0x0e100000>; ++ binary_size = <0x80000>; ++ }; ++ ++/* ++ * This file will be preprocessed by TF-A's build system. If Measured Boot is ++ * enabled in TF-A's config, the build system will add the MEASURED_BOOT=1 macro ++ * to the preprocessor arguments. ++ */ ++#if MEASURED_BOOT ++ tpm_event_log { ++ compatible = "arm,tpm_event_log"; ++ tpm_event_log_addr = <0x0 0x0>; ++ tpm_event_log_size = <0x0>; ++ }; ++#endif ++ ++/* If the ARM_BL2_SP_LIST_DTS is defined, SPs should be loaded from FIP */ ++#ifdef ARM_BL2_SP_LIST_DTS ++ #error "FIP SP load addresses configuration is missing. ++#endif ++}; +-- +2.39.1.windows.1 + 
diff --git a/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/files/feat-qemu-update-abi-between-spmd-and-spmc.patch b/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/files/feat-qemu-update-abi-between-spmd-and-spmc.patch new file mode 100644 index 0000000000..7c851fd041 --- /dev/null +++ b/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/files/feat-qemu-update-abi-between-spmd-and-spmc.patch 
@@ -0,0 +1,263 @@ +From d215b0c08e51192baab96d75beaeacf3abf8724e Mon Sep 17 00:00:00 2001 +From: Jens Wiklander <jens.wiklander@linaro.org> +Date: Fri, 18 Nov 2022 15:40:04 +0100 +Subject: feat(qemu): update abi between spmd and spmc + +Updates the ABI between SPMD and the SPMC at S-EL1 so that the hard +coded SPMC manifest can be replaced by a proper manifest via TOS FW +Config. TOS FW Config is provided via QEMU_TOS_FW_CONFIG_DTS as a DTS +file when building. The DTS is turned into a DTB which is added to the +FIP. + +Note that this is an incompatible change and requires corresponding +change in OP-TEE ("core: sel1 spmc: boot abi update"). + +Upstream-Status: Accepted + +Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org> +Change-Id: Ibabe78ef50a24f775492854ce5ac54e4d471e369 +--- + plat/qemu/common/qemu_bl2_mem_params_desc.c | 18 +++++++++++- + plat/qemu/common/qemu_bl2_setup.c | 32 +++++++++++++-------- + plat/qemu/common/qemu_io_storage.c | 16 ++++++++++- + plat/qemu/common/qemu_spmd_manifest.c | 31 -------------------- + plat/qemu/qemu/include/platform_def.h | 3 ++ + plat/qemu/qemu/platform.mk | 12 +++++++- + 6 files changed, 66 insertions(+), 46 deletions(-) + delete mode 100644 plat/qemu/common/qemu_spmd_manifest.c + +diff --git a/plat/qemu/common/qemu_bl2_mem_params_desc.c b/plat/qemu/common/qemu_bl2_mem_params_desc.c +index 5af3a2264..8d8047c92 100644 +--- a/plat/qemu/common/qemu_bl2_mem_params_desc.c ++++ b/plat/qemu/common/qemu_bl2_mem_params_desc.c +@@ -1,5 +1,5 @@ + /* +- * Copyright (c) 2017-2021, ARM Limited and Contributors. All rights reserved. ++ * Copyright (c) 2017-2022, ARM Limited and Contributors. All rights reserved. 
+ * + * SPDX-License-Identifier: BSD-3-Clause + */ +@@ -122,6 +122,22 @@ static bl_mem_params_node_t bl2_mem_params_descs[] = { + #endif + .next_handoff_image_id = INVALID_IMAGE_ID, + }, ++ ++#if defined(SPD_spmd) ++ /* Fill TOS_FW_CONFIG related information */ ++ { ++ .image_id = TOS_FW_CONFIG_ID, ++ SET_STATIC_PARAM_HEAD(ep_info, PARAM_IMAGE_BINARY, ++ VERSION_2, entry_point_info_t, SECURE | NON_EXECUTABLE), ++ SET_STATIC_PARAM_HEAD(image_info, PARAM_IMAGE_BINARY, ++ VERSION_2, image_info_t, 0), ++ .image_info.image_base = TOS_FW_CONFIG_BASE, ++ .image_info.image_max_size = TOS_FW_CONFIG_LIMIT - ++ TOS_FW_CONFIG_BASE, ++ .next_handoff_image_id = INVALID_IMAGE_ID, ++ }, ++#endif ++ + # endif /* QEMU_LOAD_BL32 */ + + /* Fill BL33 related information */ +diff --git a/plat/qemu/common/qemu_bl2_setup.c b/plat/qemu/common/qemu_bl2_setup.c +index 2c0da15b9..6afa3a44d 100644 +--- a/plat/qemu/common/qemu_bl2_setup.c ++++ b/plat/qemu/common/qemu_bl2_setup.c +@@ -1,5 +1,5 @@ + /* +- * Copyright (c) 2015-2021, ARM Limited and Contributors. All rights reserved. ++ * Copyright (c) 2015-2022, ARM Limited and Contributors. All rights reserved. 
+ * + * SPDX-License-Identifier: BSD-3-Clause + */ +@@ -149,8 +149,7 @@ static int qemu_bl2_handle_post_image_load(unsigned int image_id) + bl_mem_params_node_t *paged_mem_params = NULL; + #endif + #if defined(SPD_spmd) +- unsigned int mode_rw = MODE_RW_64; +- uint64_t pagable_part = 0; ++ bl_mem_params_node_t *bl32_mem_params = NULL; + #endif + + assert(bl_mem_params); +@@ -170,17 +169,18 @@ static int qemu_bl2_handle_post_image_load(unsigned int image_id) + if (err != 0) { + WARN("OPTEE header parse error.\n"); + } +-#if defined(SPD_spmd) +- mode_rw = bl_mem_params->ep_info.args.arg0; +- pagable_part = bl_mem_params->ep_info.args.arg1; +-#endif + #endif + +-#if defined(SPD_spmd) +- bl_mem_params->ep_info.args.arg0 = ARM_PRELOADED_DTB_BASE; +- bl_mem_params->ep_info.args.arg1 = pagable_part; +- bl_mem_params->ep_info.args.arg2 = mode_rw; +- bl_mem_params->ep_info.args.arg3 = 0; ++#if defined(SPMC_OPTEE) ++ /* ++ * Explicit zeroes to unused registers since they may have ++ * been populated by parse_optee_header() above. ++ * ++ * OP-TEE expects system DTB in x2 and TOS_FW_CONFIG in x0, ++ * the latter is filled in below for TOS_FW_CONFIG_ID and ++ * applies to any other SPMC too. ++ */ ++ bl_mem_params->ep_info.args.arg2 = ARM_PRELOADED_DTB_BASE; + #elif defined(SPD_opteed) + /* + * OP-TEE expect to receive DTB address in x2. 
+@@ -224,6 +224,14 @@ static int qemu_bl2_handle_post_image_load(unsigned int image_id) + + bl_mem_params->ep_info.spsr = qemu_get_spsr_for_bl33_entry(); + break; ++#if defined(SPD_spmd) ++ case TOS_FW_CONFIG_ID: ++ /* An SPMC expects TOS_FW_CONFIG in x0/r0 */ ++ bl32_mem_params = get_bl_mem_params_node(BL32_IMAGE_ID); ++ bl32_mem_params->ep_info.args.arg0 = ++ bl_mem_params->image_info.image_base; ++ break; ++#endif + default: + /* Do nothing in default case */ + break; +diff --git a/plat/qemu/common/qemu_io_storage.c b/plat/qemu/common/qemu_io_storage.c +index 1107e443f..e2d4932c0 100644 +--- a/plat/qemu/common/qemu_io_storage.c ++++ b/plat/qemu/common/qemu_io_storage.c +@@ -1,5 +1,5 @@ + /* +- * Copyright (c) 2015-2016, ARM Limited and Contributors. All rights reserved. ++ * Copyright (c) 2015-2022, ARM Limited and Contributors. All rights reserved. + * + * SPDX-License-Identifier: BSD-3-Clause + */ +@@ -24,6 +24,7 @@ + #define BL2_IMAGE_NAME "bl2.bin" + #define BL31_IMAGE_NAME "bl31.bin" + #define BL32_IMAGE_NAME "bl32.bin" ++#define TOS_FW_CONFIG_NAME "tos_fw_config.dtb" + #define BL32_EXTRA1_IMAGE_NAME "bl32_extra1.bin" + #define BL32_EXTRA2_IMAGE_NAME "bl32_extra2.bin" + #define BL33_IMAGE_NAME "bl33.bin" +@@ -78,6 +79,10 @@ static const io_uuid_spec_t bl32_extra2_uuid_spec = { + .uuid = UUID_SECURE_PAYLOAD_BL32_EXTRA2, + }; + ++static const io_uuid_spec_t tos_fw_config_uuid_spec = { ++ .uuid = UUID_TOS_FW_CONFIG, ++}; ++ + static const io_uuid_spec_t bl33_uuid_spec = { + .uuid = UUID_NON_TRUSTED_FIRMWARE_BL33, + }; +@@ -137,6 +142,10 @@ static const io_file_spec_t sh_file_spec[] = { + .path = BL32_EXTRA2_IMAGE_NAME, + .mode = FOPEN_MODE_RB + }, ++ [TOS_FW_CONFIG_ID] = { ++ .path = TOS_FW_CONFIG_NAME, ++ .mode = FOPEN_MODE_RB ++ }, + [BL33_IMAGE_ID] = { + .path = BL33_IMAGE_NAME, + .mode = FOPEN_MODE_RB +@@ -252,6 +261,11 @@ static const struct plat_io_policy policies[] = { + open_fip + }, + #endif ++ [TOS_FW_CONFIG_ID] = { ++ &fip_dev_handle, ++ 
(uintptr_t)&tos_fw_config_uuid_spec, ++ open_fip ++ }, + [BL33_IMAGE_ID] = { + &fip_dev_handle, + (uintptr_t)&bl33_uuid_spec, +diff --git a/plat/qemu/common/qemu_spmd_manifest.c b/plat/qemu/common/qemu_spmd_manifest.c +deleted file mode 100644 +index fd46e2675..000000000 +--- a/plat/qemu/common/qemu_spmd_manifest.c ++++ /dev/null +@@ -1,31 +0,0 @@ +-/* +- * Copyright (c) 2021, ARM Limited and Contributors. All rights reserved. +- * +- * SPDX-License-Identifier: BSD-3-Clause +- */ +- +-#include <assert.h> +- +-#include <services/spm_core_manifest.h> +- +-#include <plat/common/platform.h> +-#include <platform_def.h> +- +-int plat_spm_core_manifest_load(spmc_manifest_attribute_t *manifest, +- const void *pm_addr) +-{ +- entry_point_info_t *ep_info = bl31_plat_get_next_image_ep_info(SECURE); +- +- assert(ep_info != NULL); +- assert(manifest != NULL); +- +- manifest->major_version = 1; +- manifest->minor_version = 0; +- manifest->exec_state = ep_info->args.arg2; +- manifest->load_address = BL32_BASE; +- manifest->entrypoint = BL32_BASE; +- manifest->binary_size = BL32_LIMIT - BL32_BASE; +- manifest->spmc_id = 0x8000; +- +- return 0; +-} +diff --git a/plat/qemu/qemu/include/platform_def.h b/plat/qemu/qemu/include/platform_def.h +index c9ed6409f..5c3239cb8 100644 +--- a/plat/qemu/qemu/include/platform_def.h ++++ b/plat/qemu/qemu/include/platform_def.h +@@ -118,6 +118,9 @@ + #define BL_RAM_BASE (SHARED_RAM_BASE + SHARED_RAM_SIZE) + #define BL_RAM_SIZE (SEC_SRAM_SIZE - SHARED_RAM_SIZE) + ++#define TOS_FW_CONFIG_BASE BL_RAM_BASE ++#define TOS_FW_CONFIG_LIMIT (TOS_FW_CONFIG_BASE + PAGE_SIZE) ++ + /* + * BL1 specific defines. 
+ * +diff --git a/plat/qemu/qemu/platform.mk b/plat/qemu/qemu/platform.mk +index 6becc32fa..02493025a 100644 +--- a/plat/qemu/qemu/platform.mk ++++ b/plat/qemu/qemu/platform.mk +@@ -212,7 +212,10 @@ BL31_SOURCES += lib/cpus/aarch64/aem_generic.S \ + ${QEMU_GIC_SOURCES} + + ifeq (${SPD},spmd) +-BL31_SOURCES += plat/qemu/common/qemu_spmd_manifest.c ++BL31_SOURCES += plat/common/plat_spmd_manifest.c \ ++ common/uuid.c \ ++ ${LIBFDT_SRCS} \ ++ ${FDT_WRAPPERS_SOURCES} + endif + endif + +@@ -233,6 +236,13 @@ $(eval $(call TOOL_ADD_IMG,bl32_extra2,--tos-fw-extra2)) + endif + endif + ++ifneq ($(QEMU_TOS_FW_CONFIG_DTS),) ++FDT_SOURCES += ${QEMU_TOS_FW_CONFIG_DTS} ++QEMU_TOS_FW_CONFIG := ${BUILD_PLAT}/fdts/$(notdir $(basename ${QEMU_TOS_FW_CONFIG_DTS})).dtb ++# Add the TOS_FW_CONFIG to FIP ++$(eval $(call TOOL_ADD_PAYLOAD,${QEMU_TOS_FW_CONFIG},--tos-fw-config,${QEMU_TOS_FW_CONFIG})) ++endif ++ + SEPARATE_CODE_AND_RODATA := 1 + ENABLE_STACK_PROTECTOR := 0 + ifneq ($(ENABLE_STACK_PROTECTOR), 0) +-- +2.39.1.windows.1 + diff --git a/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a.inc b/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a.inc index b0533a1e10..4d3b0badb7 100644 --- a/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a.inc +++ b/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a.inc @@ -9,7 +9,7 @@ SRC_URI_TRUSTED_FIRMWARE_A ?= "git://git.trustedfirmware.org/TF-A/trusted-firmwa SRCBRANCH = "master" SRC_URI = "${SRC_URI_TRUSTED_FIRMWARE_A};name=tfa;branch=${SRCBRANCH}" -UPSTREAM_CHECK_GITTAGREGEX = "^v(?P<pver>\d+(\.\d+)+)$" +UPSTREAM_CHECK_GITTAGREGEX = "^(lts-)?v(?P<pver>\d+(\.\d+)+)$" SRCREV_FORMAT = "tfa" diff --git a/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_%.bbappend b/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_%.bbappend index 6cf55d69cd..e58a090229 100644 --- a/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_%.bbappend 
+++ b/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_%.bbappend @@ -47,7 +47,10 @@ EXTRA_OEMAKE:append:arm:qemuall = " \ BL32_RAM_LOCATION=tdram \ AARCH32_SP=optee \ " - +# When using OP-TEE SPMC specify the SPMC manifest file. +EXTRA_OEMAKE:append:qemuarm64-secureboot = "${@bb.utils.contains('MACHINE_FEATURES', 'arm-ffa', \ + 'QEMU_TOS_FW_CONFIG_DTS=${S}/plat/qemu/fdts/optee_spmc_manifest.dts', '', d)}" + do_compile:append:qemuarm64-secureboot() { # Create a secure flash image for booting AArch64 Qemu. See: # https://git.trustedfirmware.org/TF-A/trusted-firmware-a.git/tree/docs/plat/qemu.rst diff --git a/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_2.8.0.bb b/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_2.8.0.bb index 3a5006e53d..5830339c42 100644 --- a/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_2.8.0.bb +++ b/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_2.8.0.bb @@ -5,6 +5,12 @@ SRCREV_tfa = "9881bb93a3bc0a3ea37e9f093e09ab4b360a9e48" SRC_URI += "file://rwx-segments.patch" +# Enable passing TOS_FW_CONFIG from FIP package to Trusted OS. +SRC_URI:append:qemuarm64-secureboot = " \ + file://add-spmc_manifest-for-qemu.patch \ + file://feat-qemu-update-abi-between-spmd-and-spmc.patch \ + " + LIC_FILES_CHKSUM += "file://docs/license.rst;md5=b2c740efedc159745b9b31f88ff03dde" # mbed TLS v2.28.2 diff --git a/meta-arm/meta-arm/recipes-devtools/fiptool/files/ssl.patch b/meta-arm/meta-arm/recipes-devtools/fiptool/files/ssl.patch deleted file mode 100644 index cdabd1b70e..0000000000 --- a/meta-arm/meta-arm/recipes-devtools/fiptool/files/ssl.patch +++ /dev/null 
@@ -1,52 +0,0 @@ -fiptool: respect OPENSSL_DIR - -fiptool links to libcrypto, so as with the other tools it should respect -OPENSSL_DIR for include/library paths. - -Upstream-Status: Submitted -Signed-off-by: Ross Burton <ross.burton@arm.com> - -diff --git a/Makefile b/Makefile -index ec6f88585..2d3b9fc26 100644 ---- a/Makefile -+++ b/Makefile -@@ -1388,7 +1388,7 @@ fwu_fip: ${BUILD_PLAT}/${FWU_FIP_NAME} - - ${FIPTOOL}: FORCE - ifdef UNIX_MK -- ${Q}${MAKE} CPPFLAGS="-DVERSION='\"${VERSION_STRING}\"'" FIPTOOL=${FIPTOOL} --no-print-directory -C ${FIPTOOLPATH} -+ ${Q}${MAKE} CPPFLAGS="-DVERSION='\"${VERSION_STRING}\"'" FIPTOOL=${FIPTOOL} OPENSSL_DIR=${OPENSSL_DIR} --no-print-directory -C ${FIPTOOLPATH} - else - # Clear the MAKEFLAGS as we do not want - # to pass the gnumake flags to nmake. -diff --git a/tools/fiptool/Makefile b/tools/fiptool/Makefile -index 11d2e7b0b..7c2a08379 100644 ---- a/tools/fiptool/Makefile -+++ b/tools/fiptool/Makefile -@@ -12,6 +12,8 @@ FIPTOOL ?= fiptool${BIN_EXT} - PROJECT := $(notdir ${FIPTOOL}) - OBJECTS := fiptool.o tbbr_config.o - V ?= 0 -+OPENSSL_DIR := /usr -+ - - override CPPFLAGS += -D_GNU_SOURCE -D_XOPEN_SOURCE=700 - HOSTCCFLAGS := -Wall -Werror -pedantic -std=c99 -@@ -20,7 +22,7 @@ ifeq (${DEBUG},1) - else - HOSTCCFLAGS += -O2 - endif --LDLIBS := -lcrypto -+LDLIBS := -L${OPENSSL_DIR}/lib -lcrypto - - ifeq (${V},0) - Q := @ -@@ -28,7 +30,7 @@ else - Q := - endif - --INCLUDE_PATHS := -I../../include/tools_share -+INCLUDE_PATHS := -I../../include/tools_share -I${OPENSSL_DIR}/include - - HOSTCC ?= gcc - diff --git a/meta-arm/meta-arm/recipes-devtools/fvp/fvp-common.inc b/meta-arm/meta-arm/recipes-devtools/fvp/fvp-common.inc index dd02a7c988..ea3ef678c5 100644 --- a/meta-arm/meta-arm/recipes-devtools/fvp/fvp-common.inc +++ b/meta-arm/meta-arm/recipes-devtools/fvp/fvp-common.inc 
@@ -3,6 +3,7 @@ HOMEPAGE = "https://developer.arm.com/tools-and-software/simulation-models/fixed # FVP has an End User License Agreement. Add Arm-FVP-EULA to your # LICENSE_FLAGS_ACCEPTED if you agree to these terms. LICENSE_FLAGS = "Arm-FVP-EULA" +LICENSE_FLAGS_DETAILS[Arm-FVP-EULA] = "https://developer.arm.com/downloads/-/arm-ecosystem-fvps/eula" LICENSE = "Proprietary & Apache-2.0 & Python-2.0 & GPL-3.0-with-GCC-exception & Zlib & NCSA & LGPL-2.0-or-later & MIT & BSD-3-Clause" diff --git a/meta-arm/meta-arm/recipes-kernel/arm-ffa-user/arm-ffa-user_5.0.1.bb b/meta-arm/meta-arm/recipes-kernel/arm-ffa-user/arm-ffa-user_5.0.1.bb index 1261fa413b..726a65bb9a 100644 --- a/meta-arm/meta-arm/recipes-kernel/arm-ffa-user/arm-ffa-user_5.0.1.bb +++ b/meta-arm/meta-arm/recipes-kernel/arm-ffa-user/arm-ffa-user_5.0.1.bb @@ -18,10 +18,16 @@ COMPATIBLE_HOST = "(arm|aarch64).*-linux" KERNEL_MODULE_AUTOLOAD += "arm-ffa-user" KERNEL_MODULE_PROBECONF += "arm-ffa-user" -# This debugfs driver is used only by uefi-test for testing SmmGW SP -# UUIDs = SMM Gateway SP -FFA-USER-UUID-LIST ?= "ed32d533-99e6-4209-9cc0-2d72cdd998a7" -module_conf_arm-ffa-user = "options arm-ffa-user uuid_str_list=${FFA-USER-UUID-LIST}" +# SMM Gateway SP +UUID_LIST = "${@bb.utils.contains('MACHINE_FEATURES', 'ts-smm-gateway', \ + 'ed32d533-99e6-4209-9cc0-2d72cdd998a7', '' , d)}" +# SPMC Tests SPs +UUID_LIST:append = "${@bb.utils.contains('MACHINE_FEATURES', 'optee-spmc-test', \ + ',5c9edbc3-7b3a-4367-9f83-7c191ae86a37,7817164c-c40c-4d1a-867a-9bb2278cf41a,23eb0100-e32a-4497-9052-2f11e584afa6', '' , d)}" + +FFA_USER_UUID_LIST ?= "${@d.getVar('UUID_LIST').strip(',')}" + +module_conf_arm-ffa-user = "options arm-ffa-user uuid_str_list=${FFA_USER_UUID_LIST}" do_install:append() { install -d ${D}${includedir} diff --git a/meta-arm/meta-arm/recipes-kernel/linux/arm-ffa-5.15.inc b/meta-arm/meta-arm/recipes-kernel/linux/arm-ffa-5.15.inc deleted file mode 100644 index bc66efbfe3..0000000000 
--- a/meta-arm/meta-arm/recipes-kernel/linux/arm-ffa-5.15.inc +++ /dev/null @@ -1,5 +0,0 @@ -# Include a backport kernel patch for TEE driver - -SRC_URI:append = " \ - file://Add-sec_world_id-to-struct-tee_shm.patch \ - " diff --git a/meta-arm/meta-arm/recipes-kernel/linux/files/aarch64/0001-gcc-plugins-Reorganize-gimple-includes-for-GCC-13.patch b/meta-arm/meta-arm/recipes-kernel/linux/files/aarch64/0001-gcc-plugins-Reorganize-gimple-includes-for-GCC-13.patch new file mode 100644 index 0000000000..e4d8936fd7 --- /dev/null +++ b/meta-arm/meta-arm/recipes-kernel/linux/files/aarch64/0001-gcc-plugins-Reorganize-gimple-includes-for-GCC-13.patch 
@@ -0,0 +1,47 @@ +From e6a71160cc145e18ab45195abf89884112e02dfb Mon Sep 17 00:00:00 2001 +From: Kees Cook <keescook@chromium.org> +Date: Wed, 18 Jan 2023 12:21:35 -0800 +Subject: [PATCH] gcc-plugins: Reorganize gimple includes for GCC 13 + +The gimple-iterator.h header must be included before gimple-fold.h +starting with GCC 13. Reorganize gimple headers to work for all GCC +versions. + +Reported-by: Palmer Dabbelt <palmer@rivosinc.com> +Acked-by: Palmer Dabbelt <palmer@rivosinc.com> +Link: https://lore.kernel.org/all/20230113173033.4380-1-palmer@rivosinc.com/ +Cc: linux-hardening@vger.kernel.org +Signed-off-by: Kees Cook <keescook@chromium.org> + +Upstream-Status: Backport +Signed-off-by: Jon Mason <jon.mason@arm.com> + +--- + scripts/gcc-plugins/gcc-common.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/scripts/gcc-plugins/gcc-common.h b/scripts/gcc-plugins/gcc-common.h +index 9a1895747b15..84c730da36dd 100644 +--- a/scripts/gcc-plugins/gcc-common.h ++++ b/scripts/gcc-plugins/gcc-common.h +@@ -71,7 +71,9 @@ + #include "varasm.h" + #include "stor-layout.h" + #include "internal-fn.h" ++#include "gimple.h" + #include "gimple-expr.h" ++#include "gimple-iterator.h" + #include "gimple-fold.h" + #include "context.h" + #include "tree-ssa-alias.h" +@@ -85,10 +87,8 @@ + #include "tree-eh.h" + #include "stmt.h" + #include "gimplify.h" +-#include "gimple.h" + #include "tree-phinodes.h" + #include "tree-cfg.h" +-#include "gimple-iterator.h" + #include "gimple-ssa.h" + #include "ssa-iterators.h" + diff --git a/meta-arm/meta-arm/recipes-kernel/linux/linux-yocto%.bbappend b/meta-arm/meta-arm/recipes-kernel/linux/linux-yocto%.bbappend index 883ed2ca66..3f2c83fd62 100644 --- a/meta-arm/meta-arm/recipes-kernel/linux/linux-yocto%.bbappend +++ b/meta-arm/meta-arm/recipes-kernel/linux/linux-yocto%.bbappend 
@@ -4,6 +4,7 @@ FILESEXTRAPATHS:prepend:aarch64 = "${ARMFILESPATHS}" SRC_URI:append:aarch64 = " \ file://0001-Revert-arm64-defconfig-Enable-Tegra-MGBE-driver.patch \ file://0002-Revert-arm64-defconfig-Add-Nuvoton-NPCM-family-suppo.patch \ + file://0001-gcc-plugins-Reorganize-gimple-includes-for-GCC-13.patch \ " COMPATIBLE_MACHINE:generic-arm64 = "generic-arm64" diff --git a/meta-arm/meta-arm/recipes-kernel/linux/linux-yocto-5.15/Add-sec_world_id-to-struct-tee_shm.patch b/meta-arm/meta-arm/recipes-kernel/linux/linux-yocto-5.15/Add-sec_world_id-to-struct-tee_shm.patch deleted file mode 100644 index 8f54b308d6..0000000000 --- a/meta-arm/meta-arm/recipes-kernel/linux/linux-yocto-5.15/Add-sec_world_id-to-struct-tee_shm.patch +++ /dev/null 
@@ -1,44 +0,0 @@ -From 9028b2463c1ea96f51c3ba53e2479346019ff6ad Mon Sep 17 00:00:00 2001 -From: Jens Wiklander <jens.wiklander@linaro.org> -Date: Thu, 25 Mar 2021 15:08:44 +0100 -Subject: [PATCH] tee: add sec_world_id to struct tee_shm - -Adds sec_world_id to struct tee_shm which describes a shared memory -object. sec_world_id can be used by a driver to store an id assigned by -secure world. - -Reviewed-by: Sumit Garg <sumit.garg@linaro.org> -Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org> - -Upstream-Status: Submitted [https://github.com/torvalds/linux/commit/9028b2463c1ea96f51c3ba53e2479346019ff6ad] -Signed-off-by: Anton Antonov <Anton.Antonov@arm.com> - ---- - include/linux/tee_drv.h | 7 ++++++- - 1 file changed, 6 insertions(+), 1 deletion(-) - -diff --git a/include/linux/tee_drv.h b/include/linux/tee_drv.h -index 3ebfea0781f100..a1f03461369bd9 100644 ---- a/include/linux/tee_drv.h -+++ b/include/linux/tee_drv.h -@@ -197,7 +197,11 @@ int tee_session_calc_client_uuid(uuid_t *uuid, u32 connection_method, - * @num_pages: number of locked pages - * @dmabuf: dmabuf used to for exporting to user space - * @flags: defined by TEE_SHM_* in tee_drv.h -- * @id: unique id of a shared memory object on this device -+ * @id: unique id of a shared memory object on this device, shared -+ * with user space -+ * @sec_world_id: -+ * secure world assigned id of this shared memory object, not -+ * used by all drivers - * - * This pool is only supposed to be accessed directly from the TEE - * subsystem and from drivers that implements their own shm pool manager. -@@ -213,6 +217,7 @@ struct tee_shm { - struct dma_buf *dmabuf; - u32 flags; - int id; -+ u64 sec_world_id; - }; - - /** diff --git a/meta-arm/meta-arm/recipes-kernel/linux/linux-yocto-5.15/skip-unavailable-memory.patch b/meta-arm/meta-arm/recipes-kernel/linux/linux-yocto-5.15/skip-unavailable-memory.patch deleted file mode 100644 index d157ef70df..0000000000 
--- a/meta-arm/meta-arm/recipes-kernel/linux/linux-yocto-5.15/skip-unavailable-memory.patch +++ /dev/null 
@@ -1,85 +0,0 @@ -From 7bfeda1c9224270af97adf799ce0b5a4292bceb6 Mon Sep 17 00:00:00 2001 -From: Andre Przywara <andre.przywara@arm.com> -Date: Tue, 17 May 2022 11:14:10 +0100 -Subject: [PATCH] of/fdt: Ignore disabled memory nodes - -When we boot a machine using a devicetree, the generic DT code goes -through all nodes with a 'device_type = "memory"' property, and collects -all memory banks mentioned there. However it does not check for the -status property, so any nodes which are explicitly "disabled" will still -be added as a memblock. -This ends up badly for QEMU, when booting with secure firmware on -arm/arm64 machines, because QEMU adds a node describing secure-only -memory: -=================== - secram@e000000 { - secure-status = "okay"; - status = "disabled"; - reg = <0x00 0xe000000 0x00 0x1000000>; - device_type = "memory"; - }; -=================== - -The kernel will eventually use that memory block (which is located below -the main DRAM bank), but accesses to that will be answered with an -SError: -=================== -[ 0.000000] Internal error: synchronous external abort: 96000050 [#1] PREEMPT SMP -[ 0.000000] Modules linked in: -[ 0.000000] CPU: 0 PID: 0 Comm: swapper Not tainted 5.18.0-rc6-00014-g10c8acb8b679 #524 -[ 0.000000] Hardware name: linux,dummy-virt (DT) -[ 0.000000] pstate: 200000c5 (nzCv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--) -[ 0.000000] pc : new_slab+0x190/0x340 -[ 0.000000] lr : new_slab+0x184/0x340 -[ 0.000000] sp : ffff80000a4b3d10 -.... -================== -The actual crash location and call stack will be somewhat random, and -depend on the specific allocation of that physical memory range. - -As the DT spec[1] explicitly mentions standard properties, add a simple -check to skip over disabled memory nodes, so that we only use memory -that is meant for non-secure code to use. - -That fixes booting a QEMU arm64 VM with EL3 enabled ("secure=on"), when -not using UEFI. 
In this case the QEMU generated DT will be handed on -to the kernel, which will see the secram node. -This issue is reproducible when using TF-A together with U-Boot as -firmware, then booting with the "booti" command. - -When using U-Boot as an UEFI provider, the code there [2] explicitly -filters for disabled nodes when generating the UEFI memory map, so we -are safe. -EDK/2 only reads the first bank of the first DT memory node [3] to learn -about memory, so we got lucky there. - -[1] https://github.com/devicetree-org/devicetree-specification/blob/main/source/chapter3-devicenodes.rst#memory-node (after the table) -[2] https://source.denx.de/u-boot/u-boot/-/blob/master/lib/fdtdec.c#L1061-1063 -[3] https://github.com/tianocore/edk2/blob/master/ArmVirtPkg/PrePi/FdtParser.c - -Reported-by: Ross Burton <ross.burton@arm.com> -Signed-off-by: Andre Przywara <andre.przywara@arm.com> - -Upstream-Status: Submitted [https://lore.kernel.org/linux-arm-kernel/20220517101410.3493781-1-andre.przywara@arm.com/T/#u] -Signed-off-by: Ross Burton <ross.burton@arm.com> - ---- - drivers/of/fdt.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/drivers/of/fdt.c b/drivers/of/fdt.c -index 59a7a9ee58ef..5439c899fe04 100644 ---- a/drivers/of/fdt.c -+++ b/drivers/of/fdt.c -@@ -1102,6 +1102,9 @@ int __init early_init_dt_scan_memory(unsigned long node, const char *uname, - if (type == NULL || strcmp(type, "memory") != 0) - return 0; - -+ if (!of_fdt_device_is_available(initial_boot_params, node)) -+ return 0; -+ - reg = of_get_flat_dt_prop(node, "linux,usable-memory", &l); - if (reg == NULL) - reg = of_get_flat_dt_prop(node, "reg", &l); --- -2.25.1 diff --git a/meta-arm/meta-arm/recipes-kernel/linux/linux-yocto_5.15%.bbappend b/meta-arm/meta-arm/recipes-kernel/linux/linux-yocto_5.15%.bbappend deleted file mode 100644 index 9a18dd8a4b..0000000000 --- a/meta-arm/meta-arm/recipes-kernel/linux/linux-yocto_5.15%.bbappend +++ /dev/null 
@@ -1,8 +0,0 @@ -FILESEXTRAPATHS:prepend := "${THISDIR}/${PN}-5.15:" - -SRC_URI:append:qemuarm64-secureboot = " \ - file://skip-unavailable-memory.patch \ - " - -FFA_TEE_INCLUDE = "${@bb.utils.contains('MACHINE_FEATURES', 'arm-ffa', 'arm-ffa-5.15.inc', '' , d)}" -require ${FFA_TEE_INCLUDE} diff --git a/meta-arm/meta-arm/recipes-security/optee/optee-os-3.20.0/0005-core-arm-S-EL1-SPMC-boot-ABI-update.patch b/meta-arm/meta-arm/recipes-security/optee/optee-os-3.20.0/0005-core-arm-S-EL1-SPMC-boot-ABI-update.patch new file mode 100644 index 0000000000..4313a829ac --- /dev/null +++ b/meta-arm/meta-arm/recipes-security/optee/optee-os-3.20.0/0005-core-arm-S-EL1-SPMC-boot-ABI-update.patch 
@@ -0,0 +1,91 @@ +From 11f4ea86579bc1a58e4adde2849326f4213694f2 Mon Sep 17 00:00:00 2001 +From: Jens Wiklander <jens.wiklander@linaro.org> +Date: Mon, 21 Nov 2022 18:17:33 +0100 +Subject: core: arm: S-EL1 SPMC: boot ABI update + +Updates the boot ABI for S-EL1 SPMC to align better with other SPMCs, +like Hafnium, but also with the non-FF-A configuration. + +Register usage: +X0 - TOS FW config [1] address, if not NULL +X2 - System DTB, if not NULL + +Adds check in the default get_aslr_seed() to see if the system DTB is +present before trying to read kaslr-seed from secure-chosen. + +Note that this is an incompatible change and requires corresponding +change in TF-A ("feat(qemu): update abi between spmd and spmc") [2]. + +[1] A TF-A concept: TOS_FW_CONFIG - Trusted OS Firmware configuration + file. Used by Trusted OS (BL32), that is, OP-TEE in this case +Link: [2] https://git.trustedfirmware.org/TF-A/trusted-firmware-a.git/commit/?id=25ae7ad1878244f78206cc7c91f7bdbd267331a1 + +Upstream-Status: Accepted + +Acked-by: Etienne Carriere <etienne.carriere@linaro.org> +Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org> +--- + core/arch/arm/kernel/boot.c | 8 +++++++- + core/arch/arm/kernel/entry_a64.S | 17 ++++++++--------- + 2 files changed, 15 insertions(+), 10 deletions(-) + +diff --git a/core/arch/arm/kernel/boot.c b/core/arch/arm/kernel/boot.c +index dd34173e8..e02c02b60 100644 +--- a/core/arch/arm/kernel/boot.c ++++ b/core/arch/arm/kernel/boot.c +@@ -1502,11 +1502,17 @@ struct ns_entry_context *boot_core_hpen(void) + #if defined(CFG_DT) + unsigned long __weak get_aslr_seed(void *fdt) + { +- int rc = fdt_check_header(fdt); ++ int rc = 0; + const uint64_t *seed = NULL; + int offs = 0; + int len = 0; + ++ if (!fdt) { ++ DMSG("No fdt"); ++ goto err; ++ } ++ ++ rc = fdt_check_header(fdt); + if (rc) { + DMSG("Bad fdt: %d", rc); + goto err; +diff --git a/core/arch/arm/kernel/entry_a64.S b/core/arch/arm/kernel/entry_a64.S +index 4c6e9d75c..047ae1f25 100644 +--- 
a/core/arch/arm/kernel/entry_a64.S ++++ b/core/arch/arm/kernel/entry_a64.S +@@ -143,21 +143,20 @@ + .endm + + FUNC _start , : +-#if defined(CFG_CORE_SEL1_SPMC) + /* +- * With OP-TEE as SPMC at S-EL1 the SPMD (SPD_spmd) in TF-A passes +- * the DTB in x0, pagaeble part in x1 and the rest of the registers +- * are unused ++ * If CFG_CORE_FFA is enabled, then x0 if non-NULL holds the TOS FW ++ * config [1] address, else x0 if non-NULL holds the pagable part ++ * address. ++ * ++ * [1] A TF-A concept: TOS_FW_CONFIG - Trusted OS Firmware ++ * configuration file. Used by Trusted OS (BL32), that is, OP-TEE ++ * here. + */ +- mov x19, x1 /* Save pagable part */ +- mov x20, x0 /* Save DT address */ +-#else +- mov x19, x0 /* Save pagable part address */ ++ mov x19, x0 + #if defined(CFG_DT_ADDR) + ldr x20, =CFG_DT_ADDR + #else + mov x20, x2 /* Save DT address */ +-#endif + #endif + + adr x0, reset_vect_table +-- +2.39.1.windows.1 + diff --git a/meta-arm/meta-arm/recipes-security/optee/optee-os-3.20.0/0006-core-ffa-add-TOS_FW_CONFIG-handling.patch b/meta-arm/meta-arm/recipes-security/optee/optee-os-3.20.0/0006-core-ffa-add-TOS_FW_CONFIG-handling.patch new file mode 100644 index 0000000000..add39076fd --- /dev/null +++ b/meta-arm/meta-arm/recipes-security/optee/optee-os-3.20.0/0006-core-ffa-add-TOS_FW_CONFIG-handling.patch 
@@ -0,0 +1,249 @@ +From 84f4ef4c4f2f45e2f54597f1afe80d8f8396cc57 Mon Sep 17 00:00:00 2001 +From: Balint Dobszay <balint.dobszay@arm.com> +Date: Fri, 10 Feb 2023 11:07:27 +0100 +Subject: core: ffa: add TOS_FW_CONFIG handling + +At boot TF-A passes two DT addresses (HW_CONFIG and TOS_FW_CONFIG), but +currently only the HW_CONFIG address is saved, the other one is dropped. +This commit adds functionality to save the TOS_FW_CONFIG too, so we can +retrieve it later. This is necessary for the CFG_CORE_SEL1_SPMC use +case, because the SPMC manifest is passed in this DT. + +Upstream-Status: Accepted + +Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org> +Signed-off-by: Balint Dobszay <balint.dobszay@arm.com> +--- + core/arch/arm/kernel/boot.c | 60 ++++++++++++++++++++++- + core/arch/arm/kernel/entry_a32.S | 3 +- + core/arch/arm/kernel/entry_a64.S | 13 ++++- + core/arch/arm/kernel/link_dummies_paged.c | 4 +- + core/arch/arm/kernel/secure_partition.c | 2 +- + core/include/kernel/boot.h | 7 ++- + 6 files changed, 81 insertions(+), 8 deletions(-) + +diff --git a/core/arch/arm/kernel/boot.c b/core/arch/arm/kernel/boot.c +index e02c02b60..98e13c072 100644 +--- a/core/arch/arm/kernel/boot.c ++++ b/core/arch/arm/kernel/boot.c +@@ -1,6 +1,7 @@ + // SPDX-License-Identifier: BSD-2-Clause + /* + * Copyright (c) 2015-2022, Linaro Limited ++ * Copyright (c) 2023, Arm Limited + */ + + #include <arm.h> +@@ -83,6 +84,9 @@ struct dt_descriptor { + }; + + static struct dt_descriptor external_dt __nex_bss; ++#ifdef CFG_CORE_SEL1_SPMC ++static struct dt_descriptor tos_fw_config_dt __nex_bss; ++#endif + #endif + + #ifdef CFG_SECONDARY_INIT_CNTFRQ +@@ -1224,6 +1228,54 @@ static struct core_mmu_phys_mem *get_nsec_memory(void *fdt __unused, + #endif /*CFG_CORE_DYN_SHM*/ + #endif /*!CFG_DT*/ + ++#if defined(CFG_CORE_SEL1_SPMC) && defined(CFG_DT) ++void *get_tos_fw_config_dt(void) ++{ ++ if (!IS_ENABLED(CFG_MAP_EXT_DT_SECURE)) ++ return NULL; ++ ++ assert(cpu_mmu_enabled()); ++ ++ return 
tos_fw_config_dt.blob; ++} ++ ++static void init_tos_fw_config_dt(unsigned long pa) ++{ ++ struct dt_descriptor *dt = &tos_fw_config_dt; ++ void *fdt = NULL; ++ int ret = 0; ++ ++ if (!IS_ENABLED(CFG_MAP_EXT_DT_SECURE)) ++ return; ++ ++ if (!pa) ++ panic("No TOS_FW_CONFIG DT found"); ++ ++ fdt = core_mmu_add_mapping(MEM_AREA_EXT_DT, pa, CFG_DTB_MAX_SIZE); ++ if (!fdt) ++ panic("Failed to map TOS_FW_CONFIG DT"); ++ ++ dt->blob = fdt; ++ ++ ret = fdt_open_into(fdt, fdt, CFG_DTB_MAX_SIZE); ++ if (ret < 0) { ++ EMSG("Invalid Device Tree at %#lx: error %d", pa, ret); ++ panic(); ++ } ++ ++ IMSG("TOS_FW_CONFIG DT found"); ++} ++#else ++void *get_tos_fw_config_dt(void) ++{ ++ return NULL; ++} ++ ++static void init_tos_fw_config_dt(unsigned long pa __unused) ++{ ++} ++#endif /*CFG_CORE_SEL1_SPMC && CFG_DT*/ ++ + #ifdef CFG_CORE_DYN_SHM + static void discover_nsec_memory(void) + { +@@ -1361,10 +1413,16 @@ static bool cpu_nmfi_enabled(void) + * Note: this function is weak just to make it possible to exclude it from + * the unpaged area. 
+ */ +-void __weak boot_init_primary_late(unsigned long fdt) ++void __weak boot_init_primary_late(unsigned long fdt, ++ unsigned long tos_fw_config) + { + init_external_dt(fdt); ++ init_tos_fw_config_dt(tos_fw_config); ++#ifdef CFG_CORE_SEL1_SPMC ++ tpm_map_log_area(get_tos_fw_config_dt()); ++#else + tpm_map_log_area(get_external_dt()); ++#endif + discover_nsec_memory(); + update_external_dt(); + configure_console_from_dt(); +diff --git a/core/arch/arm/kernel/entry_a32.S b/core/arch/arm/kernel/entry_a32.S +index 0f14ca2f6..3758fd8b7 100644 +--- a/core/arch/arm/kernel/entry_a32.S ++++ b/core/arch/arm/kernel/entry_a32.S +@@ -1,7 +1,7 @@ + /* SPDX-License-Identifier: BSD-2-Clause */ + /* + * Copyright (c) 2014, Linaro Limited +- * Copyright (c) 2021, Arm Limited ++ * Copyright (c) 2021-2023, Arm Limited + */ + + #include <arm32_macros.S> +@@ -560,6 +560,7 @@ shadow_stack_access_ok: + str r0, [r8, #THREAD_CORE_LOCAL_FLAGS] + #endif + mov r0, r6 /* DT address */ ++ mov r1, #0 /* unused */ + bl boot_init_primary_late + #ifndef CFG_VIRTUALIZATION + mov r0, #THREAD_CLF_TMP +diff --git a/core/arch/arm/kernel/entry_a64.S b/core/arch/arm/kernel/entry_a64.S +index 047ae1f25..fa76437fb 100644 +--- a/core/arch/arm/kernel/entry_a64.S ++++ b/core/arch/arm/kernel/entry_a64.S +@@ -1,7 +1,7 @@ + /* SPDX-License-Identifier: BSD-2-Clause */ + /* + * Copyright (c) 2015-2022, Linaro Limited +- * Copyright (c) 2021, Arm Limited ++ * Copyright (c) 2021-2023, Arm Limited + */ + + #include <platform_config.h> +@@ -320,7 +320,11 @@ clear_nex_bss: + bl core_mmu_set_default_prtn_tbl + #endif + ++#ifdef CFG_CORE_SEL1_SPMC ++ mov x0, xzr /* pager not used */ ++#else + mov x0, x19 /* pagable part address */ ++#endif + mov x1, #-1 + bl boot_init_primary_early + +@@ -337,7 +341,12 @@ clear_nex_bss: + mov x22, x0 + str wzr, [x22, #THREAD_CORE_LOCAL_FLAGS] + #endif +- mov x0, x20 /* DT address */ ++ mov x0, x20 /* DT address also known as HW_CONFIG */ ++#ifdef CFG_CORE_SEL1_SPMC ++ mov x1, x19 /* 
TOS_FW_CONFIG DT address */ ++#else ++ mov x1, xzr /* unused */ ++#endif + bl boot_init_primary_late + #ifdef CFG_CORE_PAUTH + init_pauth_per_cpu +diff --git a/core/arch/arm/kernel/link_dummies_paged.c b/core/arch/arm/kernel/link_dummies_paged.c +index 3b8287e06..023a5f3f5 100644 +--- a/core/arch/arm/kernel/link_dummies_paged.c ++++ b/core/arch/arm/kernel/link_dummies_paged.c +@@ -1,6 +1,7 @@ + // SPDX-License-Identifier: BSD-2-Clause + /* + * Copyright (c) 2017-2021, Linaro Limited ++ * Copyright (c) 2023, Arm Limited + */ + #include <compiler.h> + #include <initcall.h> +@@ -27,7 +28,8 @@ void __section(".text.dummy.call_finalcalls") call_finalcalls(void) + } + + void __section(".text.dummy.boot_init_primary_late") +-boot_init_primary_late(unsigned long fdt __unused) ++boot_init_primary_late(unsigned long fdt __unused, ++ unsigned long tos_fw_config __unused) + { + } + +diff --git a/core/arch/arm/kernel/secure_partition.c b/core/arch/arm/kernel/secure_partition.c +index 1d36e90b1..d386f1e4d 100644 +--- a/core/arch/arm/kernel/secure_partition.c ++++ b/core/arch/arm/kernel/secure_partition.c +@@ -1212,7 +1212,7 @@ static TEE_Result fip_sp_map_all(void) + int subnode = 0; + int root = 0; + +- fdt = get_external_dt(); ++ fdt = get_tos_fw_config_dt(); + if (!fdt) { + EMSG("No SPMC manifest found"); + return TEE_ERROR_GENERIC; +diff --git a/core/include/kernel/boot.h b/core/include/kernel/boot.h +index 260854473..941e093b2 100644 +--- a/core/include/kernel/boot.h ++++ b/core/include/kernel/boot.h +@@ -1,7 +1,7 @@ + /* SPDX-License-Identifier: BSD-2-Clause */ + /* + * Copyright (c) 2015-2020, Linaro Limited +- * Copyright (c) 2021, Arm Limited ++ * Copyright (c) 2021-2023, Arm Limited + */ + #ifndef __KERNEL_BOOT_H + #define __KERNEL_BOOT_H +@@ -46,7 +46,7 @@ extern const struct core_mmu_config boot_mmu_config; + /* @nsec_entry is unused if using CFG_WITH_ARM_TRUSTED_FW */ + void boot_init_primary_early(unsigned long pageable_part, + unsigned long nsec_entry); +-void 
boot_init_primary_late(unsigned long fdt); ++void boot_init_primary_late(unsigned long fdt, unsigned long tos_fw_config); + void boot_init_memtag(void); + + void __panic_at_smc_return(void) __noreturn; +@@ -103,6 +103,9 @@ void *get_embedded_dt(void); + /* Returns external DTB if present, otherwise NULL */ + void *get_external_dt(void); + ++/* Returns TOS_FW_CONFIG DTB if present, otherwise NULL */ ++void *get_tos_fw_config_dt(void); ++ + /* + * get_aslr_seed() - return a random seed for core ASLR + * @fdt: Pointer to a device tree if CFG_DT_ADDR=y +-- +2.39.1.windows.1 + diff --git a/meta-arm/meta-arm/recipes-security/optee/optee-os-3.20.0/0007-core-spmc-handle-non-secure-interrupts.patch b/meta-arm/meta-arm/recipes-security/optee/optee-os-3.20.0/0007-core-spmc-handle-non-secure-interrupts.patch new file mode 100644 index 0000000000..28d1f03c18 --- /dev/null +++ b/meta-arm/meta-arm/recipes-security/optee/optee-os-3.20.0/0007-core-spmc-handle-non-secure-interrupts.patch 
@@ -0,0 +1,279 @@ +From f4b4f5bccc1be9a709008cc8e6107302745796c8 Mon Sep 17 00:00:00 2001 +From: Imre Kis <imre.kis@arm.com> +Date: Tue, 18 Apr 2023 16:41:51 +0200 +Subject: [PATCH] core: spmc: handle non-secure interrupts + +Add FFA_INTERRUPT and FFA_RUN support for signaling non-secure +interrupts and for resuming to the secure world. If a secure partition +is preempted by a non-secure interrupt OP-TEE saves the SP's state and +sends an FFA_INTERRUPT to the normal world. After handling the interrupt +the normal world should send an FFA_RUN to OP-TEE so it can continue +running the SP. +If OP-TEE is the active FF-A endpoint (i.e. it is running TAs) the +non-secure interrupts are signaled by the existing +OPTEE_FFA_YIELDING_CALL_RETURN_INTERRUPT message instead of +FFA_INTERRUPT. + +Upstream-Status: Submitted [https://github.com/OP-TEE/optee_os/pull/6002] + +Signed-off-by: Imre Kis <imre.kis@arm.com> +Change-Id: I577ebe86d416ee494963216a66a3bfc8206921b4 + +--- + core/arch/arm/include/ffa.h | 2 +- + .../arch/arm/include/kernel/spmc_sp_handler.h | 11 +++++++ + core/arch/arm/kernel/secure_partition.c | 17 ++++++++++ + core/arch/arm/kernel/spmc_sp_handler.c | 26 ++++++++++++++++ + core/arch/arm/kernel/thread.c | 7 +++++ + core/arch/arm/kernel/thread_spmc.c | 31 ++++++++++++++++++- + core/arch/arm/kernel/thread_spmc_a64.S | 30 ++++++++++++++++++ + 7 files changed, 122 insertions(+), 2 deletions(-) + +diff --git a/core/arch/arm/include/ffa.h b/core/arch/arm/include/ffa.h +index 5a19fb0c..b3d1d354 100644 +--- a/core/arch/arm/include/ffa.h ++++ b/core/arch/arm/include/ffa.h +@@ -50,7 +50,7 @@ + #define FFA_ID_GET U(0x84000069) + #define FFA_MSG_WAIT U(0x8400006B) + #define FFA_MSG_YIELD U(0x8400006C) +-#define FFA_MSG_RUN U(0x8400006D) ++#define FFA_RUN U(0x8400006D) + #define FFA_MSG_SEND U(0x8400006E) + #define FFA_MSG_SEND_DIRECT_REQ_32 U(0x8400006F) + #define FFA_MSG_SEND_DIRECT_REQ_64 U(0xC400006F) +diff --git a/core/arch/arm/include/kernel/spmc_sp_handler.h 
b/core/arch/arm/include/kernel/spmc_sp_handler.h +index f5bda7bf..30c1e469 100644 +--- a/core/arch/arm/include/kernel/spmc_sp_handler.h ++++ b/core/arch/arm/include/kernel/spmc_sp_handler.h +@@ -25,6 +25,8 @@ void spmc_sp_start_thread(struct thread_smc_args *args); + int spmc_sp_add_share(struct ffa_rxtx *rxtx, + size_t blen, uint64_t *global_handle, + struct sp_session *owner_sp); ++void spmc_sp_set_to_preempted(struct ts_session *ts_sess); ++int spmc_sp_resume_from_preempted(uint16_t endpoint_id); + #else + static inline void spmc_sp_start_thread(struct thread_smc_args *args __unused) + { +@@ -37,6 +39,15 @@ static inline int spmc_sp_add_share(struct ffa_rxtx *rxtx __unused, + { + return FFA_NOT_SUPPORTED; + } ++ ++static inline void spmc_sp_set_to_preempted(struct ts_session *ts_sess __unused) ++{ ++} ++ ++static inline int spmc_sp_resume_from_preempted(uint16_t endpoint_id __unused) ++{ ++ return FFA_NOT_SUPPORTED; ++} + #endif + + #endif /* __KERNEL_SPMC_SP_HANDLER_H */ +diff --git a/core/arch/arm/kernel/secure_partition.c b/core/arch/arm/kernel/secure_partition.c +index 1d36e90b..6e351e43 100644 +--- a/core/arch/arm/kernel/secure_partition.c ++++ b/core/arch/arm/kernel/secure_partition.c +@@ -999,6 +999,8 @@ static TEE_Result sp_enter_invoke_cmd(struct ts_session *s, + struct sp_session *sp_s = to_sp_session(s); + struct ts_session *sess = NULL; + struct thread_ctx_regs *sp_regs = NULL; ++ uint32_t thread_id = THREAD_ID_INVALID; ++ uint32_t rpc_target_info = 0; + uint32_t panicked = false; + uint32_t panic_code = 0; + +@@ -1011,8 +1013,23 @@ static TEE_Result sp_enter_invoke_cmd(struct ts_session *s, + sp_regs->cpsr = read_daif() & (SPSR_64_DAIF_MASK << SPSR_64_DAIF_SHIFT); + + exceptions = thread_mask_exceptions(THREAD_EXCP_ALL); ++ ++ /* ++ * Store endpoint ID and thread ID in rpc_target_info. This will be used ++ * as w1 in FFA_INTERRUPT in case of a NWd interrupt. 
++ */ ++ rpc_target_info = thread_get_tsd()->rpc_target_info; ++ thread_id = thread_get_id(); ++ assert((thread_id & ~0xffff) == 0); ++ thread_get_tsd()->rpc_target_info = (sp_s->endpoint_id << 16) | ++ (thread_id & 0xffff); ++ + __thread_enter_user_mode(sp_regs, &panicked, &panic_code); ++ + sp_regs->cpsr = cpsr; ++ /* Restore rpc_target_info */ ++ thread_get_tsd()->rpc_target_info = rpc_target_info; ++ + thread_unmask_exceptions(exceptions); + + thread_user_clear_vfp(&ctx->uctx); +diff --git a/core/arch/arm/kernel/spmc_sp_handler.c b/core/arch/arm/kernel/spmc_sp_handler.c +index 5d3326fc..f4c7ff81 100644 +--- a/core/arch/arm/kernel/spmc_sp_handler.c ++++ b/core/arch/arm/kernel/spmc_sp_handler.c +@@ -366,6 +366,32 @@ cleanup: + return res; + } + ++void spmc_sp_set_to_preempted(struct ts_session *ts_sess) ++{ ++ if (ts_sess && is_sp_ctx(ts_sess->ctx)) { ++ struct sp_session *sp_sess = to_sp_session(ts_sess); ++ ++ assert(sp_sess->state == sp_busy); ++ ++ sp_sess->state = sp_preempted; ++ } ++} ++ ++int spmc_sp_resume_from_preempted(uint16_t endpoint_id) ++{ ++ struct sp_session *sp_sess = sp_get_session(endpoint_id); ++ ++ if (!sp_sess) ++ return FFA_INVALID_PARAMETERS; ++ ++ if (sp_sess->state != sp_preempted) ++ return FFA_DENIED; ++ ++ sp_sess->state = sp_busy; ++ ++ return FFA_OK; ++} ++ + static bool check_rxtx(struct ffa_rxtx *rxtx) + { + return rxtx && rxtx->rx && rxtx->tx && rxtx->size > 0; +diff --git a/core/arch/arm/kernel/thread.c b/core/arch/arm/kernel/thread.c +index 1e7f9f96..8cd4dc96 100644 +--- a/core/arch/arm/kernel/thread.c ++++ b/core/arch/arm/kernel/thread.c +@@ -531,6 +531,13 @@ int thread_state_suspend(uint32_t flags, uint32_t cpsr, vaddr_t pc) + core_mmu_set_user_map(NULL); + } + ++ if (IS_ENABLED(CFG_SECURE_PARTITION)) { ++ struct ts_session *ts_sess = ++ TAILQ_FIRST(&threads[ct].tsd.sess_stack); ++ ++ spmc_sp_set_to_preempted(ts_sess); ++ } ++ + l->curr_thread = THREAD_ID_INVALID; + + if (IS_ENABLED(CFG_VIRTUALIZATION)) +diff --git 
a/core/arch/arm/kernel/thread_spmc.c b/core/arch/arm/kernel/thread_spmc.c +index 3b4ac0b4..bc4e7687 100644 +--- a/core/arch/arm/kernel/thread_spmc.c ++++ b/core/arch/arm/kernel/thread_spmc.c +@@ -45,7 +45,7 @@ struct mem_frag_state { + #endif + + /* Initialized in spmc_init() below */ +-static uint16_t my_endpoint_id; ++uint16_t my_endpoint_id; + + /* + * If struct ffa_rxtx::size is 0 RX/TX buffers are not mapped or initialized. +@@ -437,6 +437,32 @@ out: + FFA_PARAM_MBZ, FFA_PARAM_MBZ); + cpu_spin_unlock(&rxtx->spinlock); + } ++ ++static void spmc_handle_run(struct thread_smc_args *args) ++{ ++ uint16_t endpoint = (args->a1 >> 16) & 0xffff; ++ uint16_t thread_id = (args->a1 & 0xffff); ++ uint32_t rc = 0; ++ ++ if (endpoint != my_endpoint_id) { ++ /* ++ * The endpoint should be an SP, try to resume the SP from ++ * preempted into busy state. ++ */ ++ rc = spmc_sp_resume_from_preempted(endpoint); ++ if (rc) ++ goto out; ++ } ++ ++ thread_resume_from_rpc(thread_id, 0, 0, 0, 0); ++ ++ /* thread_resume_from_rpc return only of the thread_id is invalid */ ++ rc = FFA_INVALID_PARAMETERS; ++ ++out: ++ spmc_set_args(args, FFA_ERROR, FFA_PARAM_MBZ, rc, FFA_PARAM_MBZ, ++ FFA_PARAM_MBZ, FFA_PARAM_MBZ); ++} + #endif /*CFG_CORE_SEL1_SPMC*/ + + static void handle_yielding_call(struct thread_smc_args *args) +@@ -970,6 +996,9 @@ void thread_spmc_msg_recv(struct thread_smc_args *args) + case FFA_PARTITION_INFO_GET: + spmc_handle_partition_info_get(args, &nw_rxtx); + break; ++ case FFA_RUN: ++ spmc_handle_run(args); ++ break; + #endif /*CFG_CORE_SEL1_SPMC*/ + case FFA_INTERRUPT: + itr_core_handler(); +diff --git a/core/arch/arm/kernel/thread_spmc_a64.S b/core/arch/arm/kernel/thread_spmc_a64.S +index 21cb6251..7297005a 100644 +--- a/core/arch/arm/kernel/thread_spmc_a64.S ++++ b/core/arch/arm/kernel/thread_spmc_a64.S +@@ -14,6 +14,20 @@ + #include <kernel/thread.h> + #include <optee_ffa.h> + ++#if CFG_SECURE_PARTITION ++LOCAL_FUNC thread_ffa_interrupt , : ++ mov_imm x0, FFA_INTERRUPT 
/* FID */ ++ /* X1: Endpoint/vCPU IDs is set by caller */ ++ mov x2, #FFA_PARAM_MBZ /* Param MBZ */ ++ mov x3, #FFA_PARAM_MBZ /* Param MBZ */ ++ mov x4, #FFA_PARAM_MBZ /* Param MBZ */ ++ mov x5, #FFA_PARAM_MBZ /* Param MBZ */ ++ mov x6, #FFA_PARAM_MBZ /* Param MBZ */ ++ mov x7, #FFA_PARAM_MBZ /* Param MBZ */ ++ b .ffa_msg_loop ++END_FUNC thread_ffa_msg_wait ++#endif /* CFG_SECURE_PARTITION */ ++ + FUNC thread_ffa_msg_wait , : + mov_imm x0, FFA_MSG_WAIT /* FID */ + mov x1, #FFA_TARGET_INFO_MBZ /* Target info MBZ */ +@@ -171,6 +185,14 @@ END_FUNC thread_rpc + * The current thread as indicated by @thread_index has just been + * suspended. The job here is just to inform normal world the thread id to + * resume when returning. ++ * If the active FF-A endpoint is OP-TEE (or a TA) then an this function send an ++ * OPTEE_FFA_YIELDING_CALL_RETURN_INTERRUPT message to the normal world via the ++ * FFA_MSG_SEND_DIRECT_RESP interface. This is handled by the OP-TEE ++ * driver in Linux so it can schedule task to the thread. ++ * If the active endpoint is an SP the function sends an FFA_INTERRUPT. This is ++ * handled by the FF-A driver and after taking care of the NWd interrupts it ++ * returns via an FFA_RUN call. ++ * The active endpoint is determined by the upper 16 bits of rpc_target_info. + */ + FUNC thread_foreign_intr_exit , : + /* load threads[w0].tsd.rpc_target_info into w1 */ +@@ -178,6 +200,14 @@ FUNC thread_foreign_intr_exit , : + adr_l x2, threads + madd x1, x1, x0, x2 + ldr w1, [x1, #THREAD_CTX_TSD_RPC_TARGET_INFO] ++#if CFG_SECURE_PARTITION ++ adr_l x2, my_endpoint_id ++ ldrh w2, [x2] ++ lsr w3, w1, #16 ++ cmp w2, w3 ++ /* (threads[w0].tsd.rpc_target_info >> 16) != my_endpoint_id */ ++ bne thread_ffa_interrupt ++#endif /* CFG_SECURE_PARTITION */ + mov x2, #FFA_PARAM_MBZ + mov w3, #FFA_PARAM_MBZ + mov w4, #OPTEE_FFA_YIELDING_CALL_RETURN_INTERRUPT + +-- +2.17.1 
diff --git a/meta-arm/meta-arm/recipes-security/optee/optee-os-3.20.0/0008-core-spmc-configure-SP-s-NS-interrupt-action-based-o.patch b/meta-arm/meta-arm/recipes-security/optee/optee-os-3.20.0/0008-core-spmc-configure-SP-s-NS-interrupt-action-based-o.patch new file mode 100644 index 0000000000..6b502d7885 --- /dev/null +++ b/meta-arm/meta-arm/recipes-security/optee/optee-os-3.20.0/0008-core-spmc-configure-SP-s-NS-interrupt-action-based-o.patch 
@@ -0,0 +1,150 @@ +From cad33cffb5be17fc0654aaf03c4d5227ae682e7a Mon Sep 17 00:00:00 2001 +From: Imre Kis <imre.kis@arm.com> +Date: Tue, 25 Apr 2023 14:19:14 +0200 +Subject: [PATCH] core: spmc: configure SP's NS interrupt action based on + the manifest + +Used mandatory ns-interrupts-action SP manifest property to configure +signaled or queued non-secure interrupt handling. + +Upstream-Status: Submitted [https://github.com/OP-TEE/optee_os/pull/6002] + +Signed-off-by: Imre Kis <imre.kis@arm.com> +Change-Id: I843e69e5dbb9613ecd8b95654e8ca1730a594ca6 +--- + .../arm/include/kernel/secure_partition.h | 2 + + core/arch/arm/kernel/secure_partition.c | 66 +++++++++++++++++-- + 2 files changed, 63 insertions(+), 5 deletions(-) + +diff --git a/core/arch/arm/include/kernel/secure_partition.h b/core/arch/arm/include/kernel/secure_partition.h +index 290750936..3bf339d3c 100644 +--- a/core/arch/arm/include/kernel/secure_partition.h ++++ b/core/arch/arm/include/kernel/secure_partition.h +@@ -43,6 +43,8 @@ struct sp_session { + unsigned int spinlock; + const void *fdt; + bool is_initialized; ++ uint32_t ns_interrupts_action; ++ uint32_t ns_interrupts_action_inherited; + TAILQ_ENTRY(sp_session) link; + }; + +diff --git a/core/arch/arm/kernel/secure_partition.c b/core/arch/arm/kernel/secure_partition.c +index 52365553b..e54069c17 100644 +--- a/core/arch/arm/kernel/secure_partition.c ++++ b/core/arch/arm/kernel/secure_partition.c +@@ -46,6 +46,10 @@ + SP_MANIFEST_ATTR_WRITE | \ + SP_MANIFEST_ATTR_EXEC) + ++#define SP_MANIFEST_NS_INT_QUEUED (0x0) ++#define SP_MANIFEST_NS_INT_MANAGED_EXIT (0x1) ++#define SP_MANIFEST_NS_INT_SIGNALED (0x2) ++ + #define SP_PKG_HEADER_MAGIC (0x474b5053) + #define SP_PKG_HEADER_VERSION_V1 (0x1) + #define SP_PKG_HEADER_VERSION_V2 (0x2) +@@ -907,6 +911,30 @@ static TEE_Result sp_init_uuid(const TEE_UUID *uuid, const void * const fdt) + return res; + DMSG("endpoint is 0x%"PRIx16, sess->endpoint_id); + ++ res = sp_dt_get_u32(fdt, 0, "ns-interrupts-action", ++ 
&sess->ns_interrupts_action); ++ ++ if (res) { ++ EMSG("Mandatory property is missing: ns-interrupts-action"); ++ return res; ++ } ++ ++ switch (sess->ns_interrupts_action) { ++ case SP_MANIFEST_NS_INT_QUEUED: ++ case SP_MANIFEST_NS_INT_SIGNALED: ++ /* OK */ ++ break; ++ ++ case SP_MANIFEST_NS_INT_MANAGED_EXIT: ++ EMSG("Managed exit is not implemented"); ++ return TEE_ERROR_NOT_IMPLEMENTED; ++ ++ default: ++ EMSG("Invalid ns-interrupts-action value: %d", ++ sess->ns_interrupts_action); ++ return TEE_ERROR_BAD_PARAMETERS; ++ } ++ + return TEE_SUCCESS; + } + +@@ -989,17 +1017,45 @@ TEE_Result sp_enter(struct thread_smc_args *args, struct sp_session *sp) + return res; + } + ++/* ++ * According to FF-A v1.1 section 8.3.1.4 if a caller requires less permissive ++ * active on NS interrupt than the callee, the callee must inherit the caller's ++ * configuration. ++ * Each SP's own NS action setting is stored in ns_interrupts_action. The ++ * effective action will be MIN([self action], [caller's action]) which is ++ * stored in the ns_interrupts_action_inherited field. 
++ */ ++static void sp_cpsr_configure_foreing_interrupts(struct sp_session *s, ++ struct ts_session *caller, ++ uint64_t *cpsr) ++{ ++ if (caller) { ++ struct sp_session *caller_sp = to_sp_session(caller); ++ ++ s->ns_interrupts_action_inherited = ++ MIN(caller_sp->ns_interrupts_action_inherited, ++ s->ns_interrupts_action); ++ } else { ++ s->ns_interrupts_action_inherited = s->ns_interrupts_action; ++ } ++ ++ if (s->ns_interrupts_action_inherited == SP_MANIFEST_NS_INT_QUEUED) ++ *cpsr |= (THREAD_EXCP_FOREIGN_INTR << ARM32_CPSR_F_SHIFT); ++ else ++ *cpsr &= ~(THREAD_EXCP_FOREIGN_INTR << ARM32_CPSR_F_SHIFT); ++} ++ + static TEE_Result sp_enter_invoke_cmd(struct ts_session *s, + uint32_t cmd __unused) + { + struct sp_ctx *ctx = to_sp_ctx(s->ctx); + TEE_Result res = TEE_SUCCESS; + uint32_t exceptions = 0; +- uint64_t cpsr = 0; + struct sp_session *sp_s = to_sp_session(s); + struct ts_session *sess = NULL; + struct thread_ctx_regs *sp_regs = NULL; + uint32_t thread_id = THREAD_ID_INVALID; ++ struct ts_session *caller = NULL; + uint32_t rpc_target_info = 0; + uint32_t panicked = false; + uint32_t panic_code = 0; +@@ -1009,11 +1065,12 @@ static TEE_Result sp_enter_invoke_cmd(struct ts_session *s, + sp_regs = &ctx->sp_regs; + ts_push_current_session(s); + +- cpsr = sp_regs->cpsr; +- sp_regs->cpsr = read_daif() & (SPSR_64_DAIF_MASK << SPSR_64_DAIF_SHIFT); +- + exceptions = thread_mask_exceptions(THREAD_EXCP_ALL); + ++ /* Enable/disable foreign interrupts in CPSR/SPSR */ ++ caller = ts_get_calling_session(); ++ sp_cpsr_configure_foreing_interrupts(sp_s, caller, &sp_regs->cpsr); ++ + /* + * Store endpoint ID and thread ID in rpc_target_info. This will be used + * as w1 in FFA_INTERRUPT in case of a NWd interrupt. 
+@@ -1026,7 +1083,6 @@ static TEE_Result sp_enter_invoke_cmd(struct ts_session *s, + + __thread_enter_user_mode(sp_regs, &panicked, &panic_code); + +- sp_regs->cpsr = cpsr; + /* Restore rpc_target_info */ + thread_get_tsd()->rpc_target_info = rpc_target_info; + +-- +2.17.1 diff --git a/meta-arm/meta-arm/recipes-security/optee/optee-os-tadevkit_3.2%.bbappend b/meta-arm/meta-arm/recipes-security/optee/optee-os-tadevkit_3.2%.bbappend new file mode 100644 index 0000000000..a9732e4c9c --- /dev/null +++ b/meta-arm/meta-arm/recipes-security/optee/optee-os-tadevkit_3.2%.bbappend @@ -0,0 +1,4 @@ +# Include extra headers needed by SPMC tests to TA DEVKIT. +# Supported after op-tee v3.20 +EXTRA_OEMAKE:append = "${@bb.utils.contains('MACHINE_FEATURES', 'optee-spmc-test', \ + ' CFG_SPMC_TESTS=y', '' , d)}" diff --git a/meta-arm/meta-arm/recipes-security/optee/optee-os-ts-3.18.inc b/meta-arm/meta-arm/recipes-security/optee/optee-os-ts-3.18.inc new file mode 100644 index 0000000000..4dffc46da3 --- /dev/null +++ b/meta-arm/meta-arm/recipes-security/optee/optee-os-ts-3.18.inc 
@@ -0,0 +1,54 @@ +# Include Trusted Services SPs accordingly to defined machine features + +# Please notice that OPTEE will load SPs in the order listed in this file. +# If an SP requires another SP to be already loaded it must be listed lower. + +# TS SPs UUIDs definitions +require recipes-security/trusted-services/ts-uuid.inc + +TS_ENV = "opteesp" +TS_BIN = "${RECIPE_SYSROOT}/usr/${TS_ENV}/bin" + +# ITS SP +DEPENDS:append = "${@bb.utils.contains('MACHINE_FEATURES', 'ts-its', \ + ' ts-sp-its', '' , d)}" +SP_PATHS:append = "${@bb.utils.contains('MACHINE_FEATURES', 'ts-its', \ + ' ${TS_BIN}/${ITS_UUID}.stripped.elf', '', d)}" + +# Storage SP +DEPENDS:append = "${@bb.utils.contains('MACHINE_FEATURES', 'ts-storage', \ + ' ts-sp-storage', '' , d)}" +SP_PATHS:append = "${@bb.utils.contains('MACHINE_FEATURES', 'ts-storage', \ + ' ${TS_BIN}/${STORAGE_UUID}.stripped.elf', '', d)}" + +# Crypto SP. +DEPENDS:append = "${@bb.utils.contains('MACHINE_FEATURES', 'ts-crypto', \ + ' ts-sp-crypto', '' , d)}" +SP_PATHS:append = "${@bb.utils.contains('MACHINE_FEATURES', 'ts-crypto', \ + ' ${TS_BIN}/${CRYPTO_UUID}.stripped.elf', '', d)}" + +# Attestation SP +DEPENDS:append = "${@bb.utils.contains('MACHINE_FEATURES', 'ts-attestation', \ + ' ts-sp-attestation', '' , d)}" +SP_PATHS:append = "${@bb.utils.contains('MACHINE_FEATURES', 'ts-attestation', \ + ' ${TS_BIN}/${ATTESTATION_UUID}.stripped.elf', '', d)}" + +# Env-test SP +DEPENDS:append = "${@bb.utils.contains('MACHINE_FEATURES', 'ts-env-test', \ + ' ts-sp-env-test', '' , d)}" +SP_PATHS:append = "${@bb.utils.contains('MACHINE_FEATURES', 'ts-env-test', \ + ' ${TS_BIN}/${ENV_TEST_UUID}.stripped.elf', '', d)}" + +# SE-Proxy SP +DEPENDS:append = "${@bb.utils.contains('MACHINE_FEATURES', 'ts-se-proxy', \ + ' ts-sp-se-proxy', '' , d)}" +SP_PATHS:append = "${@bb.utils.contains('MACHINE_FEATURES', 'ts-se-proxy', \ + ' ${TS_BIN}/${SE_PROXY_UUID}.stripped.elf', '', d)}" + +# SMM Gateway +DEPENDS:append = 
"${@bb.utils.contains('MACHINE_FEATURES', 'ts-smm-gateway', \ + ' ts-sp-smm-gateway', '' , d)}" +SP_PATHS:append = "${@bb.utils.contains('MACHINE_FEATURES', 'ts-smm-gateway', \ + ' ${TS_BIN}/${SMM_GATEWAY_UUID}.stripped.elf', '', d)}" + +EXTRA_OEMAKE:append = "${@oe.utils.conditional('SP_PATHS', '', '', ' CFG_MAP_EXT_DT_SECURE=y CFG_SECURE_PARTITION=y SP_PATHS="${SP_PATHS}" ', d)}" diff --git a/meta-arm/meta-arm/recipes-security/optee/optee-os-ts.inc b/meta-arm/meta-arm/recipes-security/optee/optee-os-ts.inc index 73b8c14f7c..057dde25cf 100644 --- a/meta-arm/meta-arm/recipes-security/optee/optee-os-ts.inc +++ b/meta-arm/meta-arm/recipes-security/optee/optee-os-ts.inc @@ -51,4 +51,12 @@ DEPENDS:append = "${@bb.utils.contains('MACHINE_FEATURES', 'ts-smm-gateway', \ SP_PATHS:append = "${@bb.utils.contains('MACHINE_FEATURES', 'ts-smm-gateway', \ ' ${TS_BIN}/${SMM_GATEWAY_UUID}.stripped.elf', '', d)}" -EXTRA_OEMAKE:append = "${@oe.utils.conditional('SP_PATHS', '', '', ' CFG_SECURE_PARTITION=y SP_PATHS="${SP_PATHS}" ', d)}" +# SPM test SPs +DEPENDS:append = "${@bb.utils.contains('MACHINE_FEATURES', 'optee-spmc-test', \ + ' ts-sp-spm-test1 ts-sp-spm-test2 ts-sp-spm-test3', '' , d)}" +SP_PATHS:append = "${@bb.utils.contains('MACHINE_FEATURES', 'optee-spmc-test', \ + ' ${TS_BIN}/${SPM_TEST1_UUID}.stripped.elf ${TS_BIN}/${SPM_TEST2_UUID}.stripped.elf ${TS_BIN}/${SPM_TEST3_UUID}.stripped.elf', '', d)}" +EXTRA_OEMAKE:append = "${@bb.utils.contains('MACHINE_FEATURES', 'optee-spmc-test', \ + ' CFG_SPMC_TESTS=y', '' , d)}" + +EXTRA_OEMAKE:append = "${@oe.utils.conditional('SP_PATHS', '', '', ' CFG_MAP_EXT_DT_SECURE=y CFG_SECURE_PARTITION=y SP_PATHS="${SP_PATHS}" ', d)}" diff --git a/meta-arm/meta-arm/recipes-security/optee/optee-os_3.1%.bbappend b/meta-arm/meta-arm/recipes-security/optee/optee-os_3.1%.bbappend new file mode 100644 index 0000000000..2ff1b83497 --- /dev/null +++ b/meta-arm/meta-arm/recipes-security/optee/optee-os_3.1%.bbappend 
@@ -0,0 +1,5 @@ +# Include Trusted Services Secure Partitions +require optee-os-ts-3.18.inc + +# Conditionally include platform specific Trusted Services related OPTEE build parameters +EXTRA_OEMAKE:append:qemuarm64-secureboot = "${@oe.utils.conditional('SP_PATHS', '', '', ' CFG_CORE_HEAP_SIZE=131072 CFG_TEE_BENCHMARK=n CFG_TEE_CORE_LOG_LEVEL=4 CFG_CORE_SEL1_SPMC=y ', d)}" diff --git a/meta-arm/meta-arm/recipes-security/optee/optee-os_%.bbappend b/meta-arm/meta-arm/recipes-security/optee/optee-os_3.2%.bbappend index 09650b9a7a..09650b9a7a 100644 --- a/meta-arm/meta-arm/recipes-security/optee/optee-os_%.bbappend +++ b/meta-arm/meta-arm/recipes-security/optee/optee-os_3.2%.bbappend diff --git a/meta-arm/meta-arm/recipes-security/optee/optee-os_3.20.0.bb b/meta-arm/meta-arm/recipes-security/optee/optee-os_3.20.0.bb index 5f4b066ae3..2d4d6d6dac 100644 --- a/meta-arm/meta-arm/recipes-security/optee/optee-os_3.20.0.bb +++ b/meta-arm/meta-arm/recipes-security/optee/optee-os_3.20.0.bb @@ -7,4 +7,9 @@ FILESEXTRAPATHS:prepend := "${THISDIR}/optee-os-3.20.0:" SRCREV = "8e74d47616a20eaa23ca692f4bbbf917a236ed94" SRC_URI:append = " \ file://0004-core-Define-section-attributes-for-clang.patch \ + file://0005-core-arm-S-EL1-SPMC-boot-ABI-update.patch \ + file://0006-core-ffa-add-TOS_FW_CONFIG-handling.patch \ + file://0007-core-spmc-handle-non-secure-interrupts.patch \ + file://0008-core-spmc-configure-SP-s-NS-interrupt-action-based-o.patch \ " +EXTRA_OEMAKE += " CFG_MAP_EXT_DT_SECURE=y" diff --git a/meta-arm/meta-arm/recipes-security/optee/optee-test/Update-arm_ffa_user-driver-dependency.patch b/meta-arm/meta-arm/recipes-security/optee/optee-test/Update-arm_ffa_user-driver-dependency.patch new file mode 100644 index 0000000000..e889f74051 --- /dev/null +++ b/meta-arm/meta-arm/recipes-security/optee/optee-test/Update-arm_ffa_user-driver-dependency.patch 
@@ -0,0 +1,39 @@ +From 7e15470f3dd45c844f0e0901f0c85c46a0882b8b Mon Sep 17 00:00:00 2001 +From: Gabor Toth <gabor.toth2@arm.com> +Date: Fri, 3 Mar 2023 12:23:45 +0100 +Subject: [PATCH 1/2] Update arm_ffa_user driver dependency + +Updating arm-ffa-user to v5.0.1 to get the following changes: + - move to 64 bit direct messages + - add Linux Kernel v6.1 compatibility +The motivation is to update x-test to depend on the same driver +version as TS uefi-test and thus to enable running these in a single +configuration. +Note: arm_ffa_user.h was copied from: + - URL:https://git.gitlab.arm.com/linux-arm/linux-trusted-services.git + - SHA:18e3be71f65a405dfb5d97603ae71b3c11759861 + +Upstream-Status: Backport + +Signed-off-by: Gabor Toth <gabor.toth2@arm.com> +Acked-by: Jens Wiklander <jens.wiklander@linaro.org> +--- + host/xtest/include/uapi/linux/arm_ffa_user.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/host/xtest/include/uapi/linux/arm_ffa_user.h b/host/xtest/include/uapi/linux/arm_ffa_user.h +index 9ef0be3..0acde4f 100644 +--- a/host/xtest/include/uapi/linux/arm_ffa_user.h ++++ b/host/xtest/include/uapi/linux/arm_ffa_user.h +@@ -33,7 +33,7 @@ struct ffa_ioctl_ep_desc { + * @dst_id: [in] 16-bit ID of destination endpoint. + */ + struct ffa_ioctl_msg_args { +- __u32 args[5]; ++ __u64 args[5]; + __u16 dst_id; + }; + #define FFA_IOC_MSG_SEND _IOWR(FFA_IOC_MAGIC, FFA_IOC_BASE + 1, \ +-- +2.39.1.windows.1 + diff --git a/meta-arm/meta-arm/recipes-security/optee/optee-test/ffa_spmc-Add-arm_ffa_user-driver-compatibility-check.patch b/meta-arm/meta-arm/recipes-security/optee/optee-test/ffa_spmc-Add-arm_ffa_user-driver-compatibility-check.patch new file mode 100644 index 0000000000..d333e860a7 --- /dev/null +++ b/meta-arm/meta-arm/recipes-security/optee/optee-test/ffa_spmc-Add-arm_ffa_user-driver-compatibility-check.patch 
@@ -0,0 +1,163 @@ +From 6734d14cc249af37705129de7874533df9535cd3 Mon Sep 17 00:00:00 2001 +From: Gabor Toth <gabor.toth2@arm.com> +Date: Fri, 3 Mar 2023 12:25:58 +0100 +Subject: [PATCH 2/2] ffa_spmc: Add arm_ffa_user driver compatibility check + +Check the version of the arm_ffa_user Kernel Driver and fail with a +meaningful message if incompatible driver is detected. + +Upstream-Status: Backport + +Signed-off-by: Gabor Toth <gabor.toth2@arm.com> +Acked-by: Jens Wiklander <jens.wiklander@linaro.org> +--- + host/xtest/ffa_spmc_1000.c | 68 ++++++++++++++++++++++++++++++++++---- + 1 file changed, 61 insertions(+), 7 deletions(-) + +diff --git a/host/xtest/ffa_spmc_1000.c b/host/xtest/ffa_spmc_1000.c +index 15f4a46..1839d03 100644 +--- a/host/xtest/ffa_spmc_1000.c ++++ b/host/xtest/ffa_spmc_1000.c +@@ -1,11 +1,12 @@ + // SPDX-License-Identifier: BSD-3-Clause + /* +- * Copyright (c) 2022, Arm Limited and Contributors. All rights reserved. ++ * Copyright (c) 2022-2023, Arm Limited and Contributors. All rights reserved. 
+ */ + #include <fcntl.h> + #include <ffa.h> + #include <stdio.h> + #include <string.h> ++#include <errno.h> + #include <sys/ioctl.h> + #include <unistd.h> + #include "include/uapi/linux/arm_ffa_user.h" +@@ -17,6 +18,10 @@ + #define INCORRECT_ENDPOINT_ID 0xffff + #define NORMAL_WORLD_ENDPOINT_ID 0 + ++#define FFA_USER_REQ_VER_MAJOR 5 ++#define FFA_USER_REQ_VER_MINOR 0 ++#define FFA_USER_REQ_VER_PATCH 1 ++ + /* Get the 32 least significant bits of a handle.*/ + #define MEM_SHARE_HANDLE_LOW(x) ((x) & 0xffffffff) + /* Get the 32 most significant bits of a handle.*/ +@@ -62,6 +67,50 @@ static struct ffa_ioctl_ep_desc test_endpoint3 = { + .uuid_ptr = (uint64_t)test_endpoint3_uuid, + }; + ++static bool check_ffa_user_version(void) ++{ ++ FILE *f = NULL; ++ int ver_major = -1; ++ int ver_minor = -1; ++ int ver_patch = -1; ++ int scan_cnt = 0; ++ ++ f = fopen("/sys/module/arm_ffa_user/version", "r"); ++ if (f) { ++ scan_cnt = fscanf(f, "%d.%d.%d", ++ &ver_major, &ver_minor, &ver_patch); ++ fclose(f); ++ if (scan_cnt != 3) { ++ printf("error: failed to parse arm_ffa_user version\n"); ++ return false; ++ } ++ } else { ++ printf("error: failed to read arm_ffa_user module info - %s\n", ++ strerror(errno)); ++ return false; ++ } ++ ++ if (ver_major != FFA_USER_REQ_VER_MAJOR) ++ goto err; ++ ++ if (ver_minor < FFA_USER_REQ_VER_MINOR) ++ goto err; ++ ++ if (ver_minor == FFA_USER_REQ_VER_MINOR) ++ if (ver_patch < FFA_USER_REQ_VER_PATCH) ++ goto err; ++ ++ return true; ++ ++err: ++ printf("error: Incompatible arm_ffa_user driver detected."); ++ printf("Found v%d.%d.%d wanted >= v%d.%d.%d)\n", ++ ver_major, ver_minor, ver_patch, FFA_USER_REQ_VER_MAJOR, ++ FFA_USER_REQ_VER_MINOR, FFA_USER_REQ_VER_PATCH); ++ ++ return false; ++} ++ + static void close_debugfs(void) + { + int err = 0; +@@ -76,6 +125,9 @@ static void close_debugfs(void) + + static bool init_sp_xtest(ADBG_Case_t *c) + { ++ if (!check_ffa_user_version()) ++ return false; ++ + if (ffa_fd < 0) { + ffa_fd = 
open(FFA_DRIVER_FS_PATH, O_RDWR); + if (ffa_fd < 0) { +@@ -83,6 +135,7 @@ static bool init_sp_xtest(ADBG_Case_t *c) + return false; + } + } ++ + return true; + } + +@@ -99,7 +152,7 @@ static uint16_t get_endpoint_id(uint64_t endp) + struct ffa_ioctl_ep_desc sid = { .uuid_ptr = endp }; + + /* Get ID of destination SP based on UUID */ +- if(ioctl(ffa_fd, FFA_IOC_GET_PART_ID, &sid)) ++ if (ioctl(ffa_fd, FFA_IOC_GET_PART_ID, &sid)) + return INCORRECT_ENDPOINT_ID; + + return sid.id; +@@ -213,14 +266,15 @@ static int set_up_mem(struct ffa_ioctl_ep_desc *endp, + rc = share_mem(endpoint, handle); + ADBG_EXPECT_COMPARE_SIGNED(c, rc, ==, 0); + +- if (!ADBG_EXPECT_TRUE(c, handle != NULL)) +- return TEEC_ERROR_GENERIC; ++ if (!ADBG_EXPECT_NOT_NULL(c, handle)) ++ return TEEC_ERROR_GENERIC; + + /* SP will retrieve the memory region. */ + memset(args, 0, sizeof(*args)); + args->dst_id = endpoint; + args->args[MEM_SHARE_HANDLE_LOW_INDEX] = MEM_SHARE_HANDLE_LOW(*handle); +- args->args[MEM_SHARE_HANDLE_HIGH_INDEX] = MEM_SHARE_HANDLE_HIGH(*handle); ++ args->args[MEM_SHARE_HANDLE_HIGH_INDEX] = ++ MEM_SHARE_HANDLE_HIGH(*handle); + args->args[MEM_SHARE_HANDLE_ENDPOINT_INDEX] = NORMAL_WORLD_ENDPOINT_ID; + + rc = start_sp_test(endpoint, EP_RETRIEVE, args); +@@ -254,7 +308,7 @@ static void xtest_ffa_spmc_test_1002(ADBG_Case_t *c) + rc = start_sp_test(endpoint1_id, EP_TEST_SP, &args); + ADBG_EXPECT_COMPARE_SIGNED(c, rc, ==, 0); + if (!ADBG_EXPECT_COMPARE_UNSIGNED(c, args.args[0], ==, SPMC_TEST_OK)) +- goto out; ++ goto out; + + /* Set up memory and have the SP retrieve it. 
*/ + Do_ADBG_BeginSubCase(c, "Test memory set-up"); +@@ -469,7 +523,7 @@ static void xtest_ffa_spmc_test_1005(ADBG_Case_t *c) + memset(&args, 0, sizeof(args)); + args.args[1] = endpoint2; + args.args[2] = endpoint3; +- rc = start_sp_test(endpoint1, EP_SP_MEM_SHARING_MULTI,&args); ++ rc = start_sp_test(endpoint1, EP_SP_MEM_SHARING_MULTI, &args); + ADBG_EXPECT_COMPARE_SIGNED(c, rc, ==, 0); + ADBG_EXPECT_COMPARE_UNSIGNED(c, args.args[0], ==, SPMC_TEST_OK); + +-- +2.39.1.windows.1 + diff --git a/meta-arm/meta-arm/recipes-security/optee/optee-test_3.2%.bbappend b/meta-arm/meta-arm/recipes-security/optee/optee-test_3.2%.bbappend new file mode 100644 index 0000000000..c052774c62 --- /dev/null +++ b/meta-arm/meta-arm/recipes-security/optee/optee-test_3.2%.bbappend @@ -0,0 +1,7 @@ +# Include ffa_spmc test group if the SPMC test is enabled. +# Supported after op-tee v3.20 +EXTRA_OEMAKE:append = "${@bb.utils.contains('MACHINE_FEATURES', 'optee-spmc-test', \ + ' CFG_SPMC_TESTS=y CFG_SECURE_PARTITION=y', '' , d)}" + +RDEPENDS:${PN} += "${@bb.utils.contains('MACHINE_FEATURES', 'optee-spmc-test', \ + ' arm-ffa-user', '' , d)}" diff --git a/meta-arm/meta-arm/recipes-security/optee/optee-test_3.20.0.bb b/meta-arm/meta-arm/recipes-security/optee/optee-test_3.20.0.bb index 95452b6a0d..50f5afe718 100644 --- a/meta-arm/meta-arm/recipes-security/optee/optee-test_3.20.0.bb +++ b/meta-arm/meta-arm/recipes-security/optee/optee-test_3.20.0.bb @@ -1,6 +1,8 @@ require optee-test.inc SRC_URI:append = " \ + file://Update-arm_ffa_user-driver-dependency.patch \ + file://ffa_spmc-Add-arm_ffa_user-driver-compatibility-check.patch \ file://musl-workaround.patch \ " SRCREV = "5db8ab4c733d5b2f4afac3e9aef0a26634c4b444" diff --git a/meta-arm/meta-arm/recipes-security/trusted-services/files/0001-Limit-nanopb-build-to-single-process.patch b/meta-arm/meta-arm/recipes-security/trusted-services/files/0001-Limit-nanopb-build-to-single-process.patch new file mode 100644 index 0000000000..28e041bce6 
--- /dev/null +++ b/meta-arm/meta-arm/recipes-security/trusted-services/files/0001-Limit-nanopb-build-to-single-process.patch @@ -0,0 +1,41 @@ +From aca9f9ae26235e9da2bc9adef49f9f5578f3e1e7 Mon Sep 17 00:00:00 2001 +From: Gyorgy Szing <Gyorgy.Szing@arm.com> +Date: Tue, 25 Apr 2023 15:03:46 +0000 +Subject: [PATCH 1/1] Limit nanopb build to single process + +Sometimes in yocto the nanopb build step fails. The reason seems +to be a race condition. This fix disables parallel build as +a workaround. + +Upstream-Status: Inappropriate [yocto specific] + +Signed-off-by: Gyorgy Szing <Gyorgy.Szing@arm.com> +--- + external/nanopb/nanopb.cmake | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/external/nanopb/nanopb.cmake b/external/nanopb/nanopb.cmake +index 36465f61..94f8048c 100644 +--- a/external/nanopb/nanopb.cmake ++++ b/external/nanopb/nanopb.cmake +@@ -65,6 +65,8 @@ if(TARGET stdlib::c) + unset_saved_properties(LIBC) + endif() + ++set(_PROCESSOR_COUNT ${PROCESSOR_COUNT}) ++set(PROCESSOR_COUNT 1) + include(${TS_ROOT}/tools/cmake/common/LazyFetch.cmake REQUIRED) + LazyFetch_MakeAvailable(DEP_NAME nanopb + FETCH_OPTIONS ${GIT_OPTIONS} +@@ -73,6 +75,8 @@ LazyFetch_MakeAvailable(DEP_NAME nanopb + CACHE_FILE "${TS_ROOT}/external/nanopb/nanopb-init-cache.cmake.in" + SOURCE_DIR "${NANOPB_SOURCE_DIR}" + ) ++set(PROCESSOR_COUNT ${_PROCESSOR_COUNT}) ++ + unset(_cmake_fragment) + + if(TARGET stdlib::c) +-- +2.34.1 + diff --git a/meta-arm/meta-arm/recipes-security/trusted-services/trusted-services-src.inc b/meta-arm/meta-arm/recipes-security/trusted-services/trusted-services-src.inc index dc295506bb..2bb4a8a11f 100644 --- a/meta-arm/meta-arm/recipes-security/trusted-services/trusted-services-src.inc +++ b/meta-arm/meta-arm/recipes-security/trusted-services/trusted-services-src.inc 
@@ -5,8 +5,14 @@ LICENSE = "Apache-2.0 & BSD-3-Clause & BSD-2-Clause & Zlib" SRC_URI = "git://git.trustedfirmware.org/TS/trusted-services.git;protocol=https;branch=integration;name=trusted-services;destsuffix=git/trusted-services \ " -#latest on 12.10.22. -SRCREV_trusted-services = "3d4956770f89eb9ae0a73257901ae6277c078da6" +FILESEXTRAPATHS:prepend := "${THISDIR}/files:" + +SRC_URI:append = "\ + file://0001-Limit-nanopb-build-to-single-process.patch \ +" + +#Latest on 2023 April 28 +SRCREV="08b3d39471f4914186bd23793dc920e83b0e3197" LIC_FILES_CHKSUM = "file://${S}/license.rst;md5=ea160bac7f690a069c608516b17997f4" S = "${WORKDIR}/git/trusted-services" @@ -17,14 +23,14 @@ SRC_URI += "git://github.com/dgibson/dtc;name=dtc;protocol=https;branch=main;des SRCREV_dtc = "b6910bec11614980a21e46fbccc35934b671bd81" LIC_FILES_CHKSUM += "file://../dtc/README.license;md5=a1eb22e37f09df5b5511b8a278992d0e" -# MbedTLS, tag "mbedtls-3.1.0" +# MbedTLS, tag "mbedtls-3.3.0" SRC_URI += "git://github.com/ARMmbed/mbedtls.git;name=mbedtls;protocol=https;branch=master;destsuffix=git/mbedtls" -SRCREV_mbedtls = "d65aeb37349ad1a50e0f6c9b694d4b5290d60e49" +SRCREV_mbedtls = "8c89224991adff88d53cd380f42a2baa36f91454" LIC_FILES_CHKSUM += "file://../mbedtls/LICENSE;md5=3b83ef96387f14655fc854ddc3c6bd57" -# Nanopb, tag "nanopb-0.4.6" +# Nanopb, tag "nanopb-0.4.2" SRC_URI += "git://github.com/nanopb/nanopb.git;name=nanopb;protocol=https;branch=master;destsuffix=git/nanopb" -SRCREV_nanopb = "afc499f9a410fc9bbf6c9c48cdd8d8b199d49eb4" +SRCREV_nanopb = "df0e92f474f9cca704fe2b31483f0b4d1b1715a4" LIC_FILES_CHKSUM += "file://../nanopb/LICENSE.txt;md5=9db4b73a55a3994384112efcdb37c01f" # qcbor, tag "v1.0.0" 
@@ -54,15 +60,12 @@ LIC_FILES_CHKSUM += "file://../openamp/LICENSE.md;md5=a8d8cf662ef6bf9936a1e14135 # TS ships patches for external dependencies that needs to be applied apply_ts_patches() { - for p in ${S}/external/qcbor/*.patch; do - patch -p1 -N -d ${WORKDIR}/git/qcbor < ${p} || true - done - for p in ${S}/external/t_cose/*.patch; do - patch -p1 -N -d ${WORKDIR}/git/tcose < ${p} || true - done - for p in ${S}/external/CppUTest/*.patch; do - patch -p1 -d ${WORKDIR}/git/cpputest < ${p} - done + ( cd ${WORKDIR}/git/qcbor; git stash; git branch -f bf_am; git am ${S}/external/qcbor/*.patch; git reset bf_am ) + ( cd ${WORKDIR}/git/tcose; git stash; git branch -f bf_am; git am ${S}/external/t_cose/*.patch; git reset bf_am ) + ( cd ${WORKDIR}/git/mbedtls; git stash; git branch -f bf_am; git am ${S}/external/MbedTLS/*.patch; git reset bf_am ) + ( cd ${WORKDIR}/git/cpputest; git stash; git apply ${S}/external/CppUTest/*.patch ) + ( cd ${WORKDIR}/git/dtc; git stash; git apply ${S}/external/libfdt/*.patch ) + ( cd ${WORKDIR}/git/nanopb; git stash; git apply ${S}/external/nanopb/*.patch ) } do_patch[postfuncs] += "apply_ts_patches" diff --git a/meta-arm/meta-arm/recipes-security/trusted-services/ts-demo_git.bb b/meta-arm/meta-arm/recipes-security/trusted-services/ts-demo_git.bb index a9f7b65f09..668bde568f 100644 --- a/meta-arm/meta-arm/recipes-security/trusted-services/ts-demo_git.bb +++ b/meta-arm/meta-arm/recipes-security/trusted-services/ts-demo_git.bb @@ -6,6 +6,7 @@ TS_ENV = "arm-linux" require trusted-services.inc +DEPENDS += "python3-jsonschema-native python3-jinja2-native" DEPENDS += "libts" RDEPENDS:${PN} += "libts" diff --git a/meta-arm/meta-arm/recipes-security/trusted-services/ts-newlib_4.1.0.bb b/meta-arm/meta-arm/recipes-security/trusted-services/ts-newlib_4.1.0.bb index 408c7d3c24..24a724a4fd 100644 --- a/meta-arm/meta-arm/recipes-security/trusted-services/ts-newlib_4.1.0.bb +++ b/meta-arm/meta-arm/recipes-security/trusted-services/ts-newlib_4.1.0.bb 
@@ -22,9 +22,7 @@ OECMAKE_SOURCEPATH = "${S}/deployments/newlib/${TS_ENV}/" # TS ships a patch that needs to be applied to newlib apply_ts_patch() { - for p in ${S}/external/newlib/*.patch; do - patch -p1 -d ${WORKDIR}/git/newlib < ${p} - done + ( cd ${WORKDIR}/git/newlib; git stash; git branch -f bf_am; git am ${S}/external/newlib/*.patch; git reset bf_am ) } do_patch[postfuncs] += "apply_ts_patch" diff --git a/meta-arm/meta-arm/recipes-security/trusted-services/ts-psa-api-test-common_git.inc b/meta-arm/meta-arm/recipes-security/trusted-services/ts-psa-api-test-common_git.inc index 41cb0c08bc..8a7b0e5ca2 100644 --- a/meta-arm/meta-arm/recipes-security/trusted-services/ts-psa-api-test-common_git.inc +++ b/meta-arm/meta-arm/recipes-security/trusted-services/ts-psa-api-test-common_git.inc @@ -4,6 +4,8 @@ TS_ENV = "arm-linux" require trusted-services.inc +DEPENDS += "python3-jsonschema-native python3-jinja2-native" + DEPENDS += "libts" RDEPENDS:${PN} += "libts" @@ -11,7 +13,7 @@ SRC_URI += "git://github.com/ARM-software/psa-arch-tests.git;name=psatest;protoc file://0001-Pass-Yocto-build-settings-to-psa-arch-tests-native.patch;patchdir=../psatest \ " -SRCREV_psatest = "451aa087a40d02c7d04778235014c5619d126471" +SRCREV_psatest = "38cb53a4d9e292435ddf7899960b15af62decfbe" LIC_FILES_CHKSUM += "file://../psatest/LICENSE.md;md5=2a944942e1496af1886903d274dedb13" EXTRA_OECMAKE += "\ diff --git a/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-attestation_git.bb b/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-attestation_git.bb index eef05fe3a9..6cddfb03e0 100644 --- a/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-attestation_git.bb +++ b/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-attestation_git.bb 
@@ -3,5 +3,6 @@ DESCRIPTION = "Trusted Services attestation service provider" require ts-sp-common.inc SP_UUID = "${ATTESTATION_UUID}" +TS_SP_IAT_CONFIG ?= "default" -OECMAKE_SOURCEPATH="${S}/deployments/attestation/${TS_ENV}" +OECMAKE_SOURCEPATH="${S}/deployments/attestation/config/${TS_SP_IAT_CONFIG}-${TS_ENV}" diff --git a/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-common.inc b/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-common.inc index 75ddab37d1..3d756015a0 100644 --- a/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-common.inc +++ b/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-common.inc @@ -17,8 +17,8 @@ do_install:append() { dtc -I dts -O dtb -o ${D}${TS_INSTALL}/manifest/${SP_UUID}.dtb ${SP_DTS_FILE} # We do not need libs and headers - rm -r --one-file-system ${D}${TS_INSTALL}/lib - rm -r --one-file-system ${D}${TS_INSTALL}/include + rm -rf --one-file-system ${D}${TS_INSTALL}/lib + rm -rf --one-file-system ${D}${TS_INSTALL}/include } # Use Yocto debug prefix maps for compiling assembler. diff --git a/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-crypto_git.bb b/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-crypto_git.bb index 77a28557cb..867e4a8179 100644 --- a/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-crypto_git.bb +++ b/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-crypto_git.bb @@ -3,7 +3,8 @@ DESCRIPTION = "Trusted Services crypto service provider" require ts-sp-common.inc SP_UUID = "${CRYPTO_UUID}" +TS_SP_CRYPTO_CONFIG ?= "default" -DEPENDS += "python3-protobuf-native" +DEPENDS += "python3-protobuf-native python3-jsonschema-native python3-jinja2-native" -OECMAKE_SOURCEPATH="${S}/deployments/crypto/${TS_ENV}" +OECMAKE_SOURCEPATH="${S}/deployments/crypto/config/${TS_SP_CRYPTO_CONFIG}-${TS_ENV}" 
diff --git a/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-env-test_git.bb b/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-env-test_git.bb index 040fd4d159..5551a4deba 100644 --- a/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-env-test_git.bb +++ b/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-env-test_git.bb @@ -6,5 +6,6 @@ require ts-sp-common.inc COMPATIBLE_MACHINE ?= "invalid" SP_UUID = "${ENV_TEST_UUID}" +TS_SP_ENVTEST_CONFIG ?= "baremetal-fvp_base_revc" -OECMAKE_SOURCEPATH="${S}/deployments/env-test/${TS_ENV}" +OECMAKE_SOURCEPATH="${S}/deployments/env-test/config/${TS_SP_ENVTEST_CONFIG}-${TS_ENV}" diff --git a/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-its_git.bb b/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-its_git.bb index 4eb5dc5e5c..5472dbdae3 100644 --- a/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-its_git.bb +++ b/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-its_git.bb @@ -3,5 +3,6 @@ DESCRIPTION = "Trusted Services internal secure storage service provider" require ts-sp-common.inc SP_UUID = "${ITS_UUID}" +TS_SP_ITS_CONFIG ?= "default" -OECMAKE_SOURCEPATH="${S}/deployments/internal-trusted-storage/${TS_ENV}" +OECMAKE_SOURCEPATH="${S}/deployments/internal-trusted-storage/config/${TS_SP_ITS_CONFIG}-${TS_ENV}" diff --git a/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-se-proxy_git.bb b/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-se-proxy_git.bb index b9246418e9..26781434fd 100644 --- a/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-se-proxy_git.bb +++ b/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-se-proxy_git.bb 
@@ -3,7 +3,8 @@ DESCRIPTION = "Trusted Services proxy service providers" require ts-sp-common.inc SP_UUID = "${SE_PROXY_UUID}" +TS_SP_SE_PROXY_CONFIG ?= "default" DEPENDS += "python3-protobuf-native" -OECMAKE_SOURCEPATH="${S}/deployments/se-proxy/${TS_ENV}" +OECMAKE_SOURCEPATH="${S}/deployments/se-proxy/config/${TS_SP_SE_PROXY_CONFIG}-${TS_ENV}" diff --git a/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-smm-gateway_git.bb b/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-smm-gateway_git.bb index 06ca6bd116..752f7fe708 100644 --- a/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-smm-gateway_git.bb +++ b/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-smm-gateway_git.bb @@ -3,5 +3,6 @@ DESCRIPTION = "Trusted Services service provider for UEFI SMM services" require ts-sp-common.inc SP_UUID = "${SMM_GATEWAY_UUID}" +TS_SP_SMM_GATEWAY_CONFIG ?= "default" -OECMAKE_SOURCEPATH="${S}/deployments/smm-gateway/${TS_ENV}" +OECMAKE_SOURCEPATH="${S}/deployments/smm-gateway/config/${TS_SP_SMM_GATEWAY_CONFIG}-${TS_ENV}" diff --git a/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-spm-test-common.inc b/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-spm-test-common.inc new file mode 100644 index 0000000000..e357629b0f --- /dev/null +++ b/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-spm-test-common.inc @@ -0,0 +1,7 @@ +DESCRIPTION = "Trusted Services SPMC test SPs" + +require ts-sp-common.inc + +SP_UUID = "${SPM_TEST${SP_INDEX}_UUID}" +SP_DTS_FILE ?= "${D}${TS_INSTALL}/manifest/${SP_UUID}.dts" +OECMAKE_SOURCEPATH="${S}/deployments/spm-test${SP_INDEX}/${TS_ENV}" diff --git a/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-spm-test1_git.bb b/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-spm-test1_git.bb new file mode 100644 index 0000000000..4cbb970b27 --- /dev/null +++ b/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-spm-test1_git.bb 
@@ -0,0 +1,5 @@ +DESCRIPTION = "Trusted Services SPMC test SP1" + +SP_INDEX="1" + +require ts-sp-spm-test-common.inc diff --git a/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-spm-test2_git.bb b/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-spm-test2_git.bb new file mode 100644 index 0000000000..e6fb822b80 --- /dev/null +++ b/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-spm-test2_git.bb @@ -0,0 +1,6 @@ +DESCRIPTION = "Trusted Services SPMC test SP2" + +SP_INDEX="2" + +require ts-sp-spm-test-common.inc + diff --git a/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-spm-test3_git.bb b/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-spm-test3_git.bb new file mode 100644 index 0000000000..ad3ee76ebe --- /dev/null +++ b/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-spm-test3_git.bb @@ -0,0 +1,6 @@ +DESCRIPTION = "Trusted Services SPMC test SP3" + +SP_INDEX="3" + +require ts-sp-spm-test-common.inc + diff --git a/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-storage_git.bb b/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-storage_git.bb index c893754650..5b2f47b3f6 100644 --- a/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-storage_git.bb +++ b/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-storage_git.bb @@ -3,5 +3,6 @@ DESCRIPTION = "Trusted Services secure storage service provider" require ts-sp-common.inc SP_UUID = "${STORAGE_UUID}" +TS_SP_PS_CONFIG ?= "default" -OECMAKE_SOURCEPATH="${S}/deployments/protected-storage/${TS_ENV}" +OECMAKE_SOURCEPATH="${S}/deployments/protected-storage/config/${TS_SP_PS_CONFIG}-${TS_ENV}" diff --git a/meta-arm/meta-arm/recipes-security/trusted-services/ts-uuid.inc b/meta-arm/meta-arm/recipes-security/trusted-services/ts-uuid.inc index 7a39f733e8..c18ec5d7f8 100644 --- a/meta-arm/meta-arm/recipes-security/trusted-services/ts-uuid.inc +++ b/meta-arm/meta-arm/recipes-security/trusted-services/ts-uuid.inc 
@@ -7,3 +7,6 @@ ITS_UUID = "dc1eef48-b17a-4ccf-ac8b-dfcff7711b14" SE_PROXY_UUID = "46bb39d1-b4d9-45b5-88ff-040027dab249" SMM_GATEWAY_UUID = "ed32d533-99e6-4209-9cc0-2d72cdd998a7" STORAGE_UUID = "751bf801-3dde-4768-a514-0f10aeed1790" +SPM_TEST1_UUID = "5c9edbc3-7b3a-4367-9f83-7c191ae86a37" +SPM_TEST2_UUID = "7817164c-c40c-4d1a-867a-9bb2278cf41a" +SPM_TEST3_UUID = "23eb0100-e32a-4497-9052-2f11e584afa6"
\ No newline at end of file |
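
Review bot: In 0001-Limit-nanopb-build-to-single-process.patch, the second nanopb.cmake hunk restores PROCESSOR_COUNT from `_PROCESSOR_COUNT` but never clears the temporary, so it stays defined for everything included after nanopb.cmake. Suggest adding `unset(_PROCESSOR_COUNT)` next to the existing `unset(_cmake_fragment)`. A short CMake comment above `set(PROCESSOR_COUNT 1)` saying that this is a workaround for a suspected build race would also keep the reason visible to someone reading nanopb.cmake without the patch header.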
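
Review bot: The first hunk of trusted-services-src.inc replaces `SRCREV_trusted-services` with an unnamed `SRCREV`, while the SRC_URI entry above it still carries `name=trusted-services` and every other source in the file keeps its named form (SRCREV_dtc, SRCREV_mbedtls, SRCREV_nanopb). Suggest keeping `SRCREV_trusted-services = "08b3d39471f4914186bd23793dc920e83b0e3197"` so that each pinned revision stays tied to its named source and the pin is easy to audit. The new line also drops the spaces around `=` that the neighbouring assignments use.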
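
Review bot: In the second hunk of trusted-services-src.inc, the nanopb comment goes from tag "nanopb-0.4.6" to "nanopb-0.4.2" with a new SRCREV_nanopb, which reads as a downgrade of a message-parsing dependency in the same hunk where MbedTLS moves forward from 3.1.0 to 3.3.0. Nothing in the hunk says whether the older tag is intended. Suggest a one-line comment beside SRCREV_nanopb stating the reason for the older tag, so that a later version bump or vulnerability triage does not have to rediscover it.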
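
Review bot: In apply_ts_patches() in trusted-services-src.inc, each new subshell joins `cd`, `git stash`, `git branch -f bf_am`, `git am` and `git reset bf_am` with `;`, so whether a failed `cd` or a patch set that no longer applies stops do_patch depends on the errexit setting of the shell that runs the function rather than on the function itself. The removed loops were explicit about this: qcbor and t_cose tolerated failure with `|| true`, while CppUTest did not. Suggest joining the steps with `&&` so that a failure to apply the qcbor, t_cose or MbedTLS patches is always fatal, and adding a comment explaining the stash / branch / am / reset sequence, which is not obvious from the code. The new apply_ts_patch() in ts-newlib_4.1.0.bb has the same form.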
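
Review bot: In do_install:append() in ts-sp-common.inc, changing `rm -r` to `rm -rf` makes the cleanup succeed silently when `${D}${TS_INSTALL}/lib` or `${D}${TS_INSTALL}/include` does not exist, which also hides the case where a deployment starts installing to a different location than the recipe expects. If some service providers now install neither directory, suggest saying so in the "We do not need libs and headers" comment, or testing for the directory before removing it, so the `-f` is not read as a blanket error suppressor.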