Diffstat (limited to 'meta-arm/meta-arm-bsp')
-rw-r--r--meta-arm/meta-arm-bsp/documentation/requirements.txt5
-rw-r--r--meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/files/0001-corstone1000-skip-tftf-tests.patch33
-rw-r--r--meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/tf-a-tests_%.bbappend8
-rw-r--r--meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/tf-a-tests_2.8.0.bb5
-rw-r--r--meta-arm/meta-arm-bsp/recipes-security/optee/optee-os-3.22.0/0005-ta-pkcs11-Improve-PIN-counter-handling-robustness.patch205
-rw-r--r--meta-arm/meta-arm-bsp/recipes-security/optee/optee-os_3.22.0.bb1
6 files changed, 253 insertions, 4 deletions
diff --git a/meta-arm/meta-arm-bsp/documentation/requirements.txt b/meta-arm/meta-arm-bsp/documentation/requirements.txt
index b82e5e071a..6b4e3bb22d 100644
--- a/meta-arm/meta-arm-bsp/documentation/requirements.txt
+++ b/meta-arm/meta-arm-bsp/documentation/requirements.txt
@@ -6,7 +6,6 @@
jinja2==3.1.1
# Required to build the documentation
-sphinx==4.5.0
-sphinx_rtd_theme==1.0.0
-sphinx-copybutton==0.5.0
+sphinx~=5.0
+sphinx_rtd_theme~=2.0.0
docutils==0.17.1
diff --git a/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/files/0001-corstone1000-skip-tftf-tests.patch b/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/files/0001-corstone1000-skip-tftf-tests.patch
new file mode 100644
index 0000000000..341d28028a
--- /dev/null
+++ b/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/files/0001-corstone1000-skip-tftf-tests.patch
@@ -0,0 +1,33 @@
+From 27300daa2397c89e13aa648db30aa5c6acb06bcc Mon Sep 17 00:00:00 2001
+From: Harsimran Singh Tungal <harsimransingh.tungal@arm.com>
+Date: Fri, 2 Feb 2024 11:58:33 +0000
+Subject: [PATCH] corstone1000: skip tftf tests
+
+Skip some tests for platform corstone1000 which make the tftf tests
+hanged when use with optee v3.22
+
+Upstream-Status: Pending
+Signed-off-by: Harsimran Singh Tungal <harsimransingh.tungal@arm.com>
+---
+ plat/arm/corstone1000/tests_to_skip.txt | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/plat/arm/corstone1000/tests_to_skip.txt b/plat/arm/corstone1000/tests_to_skip.txt
+index fdab230..c5eaac0 100644
+--- a/plat/arm/corstone1000/tests_to_skip.txt
++++ b/plat/arm/corstone1000/tests_to_skip.txt
+@@ -13,3 +13,11 @@ Timer framework Validation/Verify the timer interrupt generation
+ CPU Hotplug/CPU hotplug
+ PSCI CPU Suspend
+ PSCI STAT/for valid composite state CPU suspend
++FF-A Direct messaging/FF-A Request SP-to-SP direct messaging
++FF-A Direct messaging/FF-A Request SP-to-SP direct messaging deadlock
++FF-A Memory Sharing/Share Memory with Secure World
++FF-A Memory Sharing/Request Donate Memory SP-to-SP
++FF-A Memory Sharing/Request Share Memory SP-to-VM
++SIMD,SVE Registers context/Check that SIMD registers context is preserved
++FF-A Interrupt/Test NS interrupts
++SMMUv3 tests
+--
+2.34.1
+
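Review bot: The eight entries added to tests_to_skip.txt drop the FF-A direct-messaging, FF-A memory-sharing, NS-interrupt and SMMUv3 suites from the corstone1000 TFTF run, yet the patch description only says they hang with OP-TEE 3.22 and the patch is marked Upstream-Status: Pending. These are the suites that exercise the secure/normal-world boundary, so losing them silently weakens the platform's regression coverage. The description should name the OP-TEE behaviour that hangs (or a tracking reference) and state that the entries are temporary, so they are removed once the hang is fixed rather than kept indefinitely.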
diff --git a/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/tf-a-tests_%.bbappend b/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/tf-a-tests_%.bbappend
index 074bc683f1..d047a1eb5e 100644
--- a/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/tf-a-tests_%.bbappend
+++ b/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/tf-a-tests_%.bbappend
@@ -1,6 +1,14 @@
# Machine specific TFAs
+FILESEXTRAPATHS:prepend := "${THISDIR}/files:"
+
COMPATIBLE_MACHINE:corstone1000 = "corstone1000"
SRCREV:corstone1000 = "5f591f67738a1bbe6b262c53d9dad46ed8bbcd67"
+EXTRA_OEMAKE:append:corstone1000 = " DEBUG=0"
+EXTRA_OEMAKE:append:corstone1000 = " LOG_LEVEL=30"
+TFTF_MODE:corstone1000 = "release"
+SRC_URI:append:corstone1000 = " \
+ file://0001-corstone1000-skip-tftf-tests.patch \
+ "
COMPATIBLE_MACHINE:n1sdp = "n1sdp"
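Review bot: `EXTRA_OEMAKE:append:corstone1000 = " DEBUG=0"` lands on top of the base recipe's `EXTRA_OEMAKE += "DEBUG=1"` (tf-a-tests_2.8.0.bb, the next file section), so make receives both definitions and the release build only works because make honours the last command-line definition. Nothing ties DEBUG to the new TFTF_MODE variable: a machine that sets `TFTF_MODE = "release"` without also overriding DEBUG would still build under `${B}/${TFA_PLATFORM}/debug/` and fail late in do_install. Consider deriving the flag once in the base recipe, e.g. `EXTRA_OEMAKE += "DEBUG=${@'1' if d.getVar('TFTF_MODE') == 'debug' else '0'}"`, and dropping the DEBUG=0 append here. The two `EXTRA_OEMAKE:append:corstone1000` lines can also be merged into one append.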
diff --git a/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/tf-a-tests_2.8.0.bb b/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/tf-a-tests_2.8.0.bb
index ed3b349950..160ada6732 100644
--- a/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/tf-a-tests_2.8.0.bb
+++ b/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/tf-a-tests_2.8.0.bb
@@ -19,6 +19,9 @@ EXTRA_OEMAKE += "USE_NVM=0"
EXTRA_OEMAKE += "SHELL_COLOR=1"
EXTRA_OEMAKE += "DEBUG=1"
+# Modify mode based on debug or release mode
+TFTF_MODE ?= "debug"
+
# Platform must be set for each machine
TFA_PLATFORM ?= "invalid"
@@ -45,7 +48,7 @@ SYSROOT_DIRS += "/firmware"
do_install() {
install -d -m 755 ${D}/firmware
- install -m 0644 ${B}/${TFA_PLATFORM}/debug/tftf.bin ${D}/firmware/tftf.bin
+ install -m 0644 ${B}/${TFA_PLATFORM}/${TFTF_MODE}/tftf.bin ${D}/firmware/tftf.bin
}
do_deploy() {
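Review bot: The comment above `TFTF_MODE ?= "debug"` in the first hunk, `# Modify mode based on debug or release mode`, does not say what the variable is used for or which values are valid, and the install line in this hunk only fails with a missing-file error if it is set to anything else. Suggest `# Build flavour directory under ${B}/${TFA_PLATFORM} ("debug" or "release"); must agree with the DEBUG make flag`. A cheap guard in do_install, such as a check that `${B}/${TFA_PLATFORM}/${TFTF_MODE}/tftf.bin` exists before the install line, would turn a cryptic install failure into a clear message.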
diff --git a/meta-arm/meta-arm-bsp/recipes-security/optee/optee-os-3.22.0/0005-ta-pkcs11-Improve-PIN-counter-handling-robustness.patch b/meta-arm/meta-arm-bsp/recipes-security/optee/optee-os-3.22.0/0005-ta-pkcs11-Improve-PIN-counter-handling-robustness.patch
new file mode 100644
index 0000000000..d95954fa1d
--- /dev/null
+++ b/meta-arm/meta-arm-bsp/recipes-security/optee/optee-os-3.22.0/0005-ta-pkcs11-Improve-PIN-counter-handling-robustness.patch
@@ -0,0 +1,205 @@
+From d75c42ff2847b090d5b1f11c49067cd41fcc2734 Mon Sep 17 00:00:00 2001
+From: Loic Poulain <loic.poulain@linaro.org>
+Date: Tue, 31 Oct 2023 11:07:00 +0100
+Subject: [PATCH] ta: pkcs11: Improve PIN counter handling robustness
+
+Make sure PIN check attempt is saved persistently before continuing with
+the actual PIN verification, improving counter and flags coherency in
+case of subsequent failure with persistent saving.
+
+Signed-off-by: Loic Poulain <loic.poulain@linaro.org>
+Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>
+Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
+Upstream-Status: Backport [https://github.com/OP-TEE/optee_os/pull/6445/commits/0a74733d9437d94a5b4b2db6c40c5755cabc5393]
+---
+ ta/pkcs11/src/pkcs11_token.c | 126 +++++++++++++++++------------------
+ 1 file changed, 62 insertions(+), 64 deletions(-)
+
+diff --git a/ta/pkcs11/src/pkcs11_token.c b/ta/pkcs11/src/pkcs11_token.c
+index ab0fc291e..c5271e449 100644
+--- a/ta/pkcs11/src/pkcs11_token.c
++++ b/ta/pkcs11/src/pkcs11_token.c
+@@ -1132,117 +1132,115 @@ static enum pkcs11_rc check_so_pin(struct pkcs11_session *session,
+ uint8_t *pin, size_t pin_size)
+ {
+ struct ck_token *token = session->token;
++ struct token_persistent_main *db = token->db_main;
+ enum pkcs11_rc rc = PKCS11_CKR_OK;
+
+- assert(token->db_main->flags & PKCS11_CKFT_TOKEN_INITIALIZED);
++ assert(db->flags & PKCS11_CKFT_TOKEN_INITIALIZED);
+
+ if (IS_ENABLED(CFG_PKCS11_TA_AUTH_TEE_IDENTITY) &&
+- token->db_main->flags & PKCS11_CKFT_PROTECTED_AUTHENTICATION_PATH)
++ db->flags & PKCS11_CKFT_PROTECTED_AUTHENTICATION_PATH)
+ return verify_identity_auth(token, PKCS11_CKU_SO);
+
+- if (token->db_main->flags & PKCS11_CKFT_SO_PIN_LOCKED)
++ if (db->flags & PKCS11_CKFT_SO_PIN_LOCKED)
+ return PKCS11_CKR_PIN_LOCKED;
+
+- rc = verify_pin(PKCS11_CKU_SO, pin, pin_size,
+- token->db_main->so_pin_salt,
+- token->db_main->so_pin_hash);
+- if (rc) {
+- unsigned int pin_count = 0;
++ /*
++ * Preset the counter and flags conservatively in the database so that
++ * the tentative is saved whatever happens next.
++ */
++ db->flags |= PKCS11_CKFT_SO_PIN_COUNT_LOW;
++ db->so_pin_count++;
+
+- if (rc != PKCS11_CKR_PIN_INCORRECT)
+- return rc;
++ if (db->so_pin_count == PKCS11_TOKEN_SO_PIN_COUNT_MAX - 1)
++ db->flags |= PKCS11_CKFT_SO_PIN_FINAL_TRY;
++ else if (db->so_pin_count == PKCS11_TOKEN_SO_PIN_COUNT_MAX)
++ db->flags |= PKCS11_CKFT_SO_PIN_LOCKED;
+
+- token->db_main->flags |= PKCS11_CKFT_SO_PIN_COUNT_LOW;
+- token->db_main->so_pin_count++;
+-
+- pin_count = token->db_main->so_pin_count;
+- if (pin_count == PKCS11_TOKEN_SO_PIN_COUNT_MAX - 1)
+- token->db_main->flags |= PKCS11_CKFT_SO_PIN_FINAL_TRY;
+- if (pin_count == PKCS11_TOKEN_SO_PIN_COUNT_MAX)
+- token->db_main->flags |= PKCS11_CKFT_SO_PIN_LOCKED;
+-
+- update_persistent_db(token);
++ update_persistent_db(token);
+
+- if (token->db_main->flags & PKCS11_CKFT_SO_PIN_LOCKED)
++ rc = verify_pin(PKCS11_CKU_SO, pin, pin_size,
++ db->so_pin_salt,
++ db->so_pin_hash);
++ if (rc == PKCS11_CKR_PIN_INCORRECT) {
++ if (db->flags & PKCS11_CKFT_SO_PIN_LOCKED)
+ return PKCS11_CKR_PIN_LOCKED;
+
+ return PKCS11_CKR_PIN_INCORRECT;
+ }
+
+- if (token->db_main->so_pin_count) {
+- token->db_main->so_pin_count = 0;
++ if (rc)
++ db->so_pin_count--;
++ else
++ db->so_pin_count = 0;
+
+- update_persistent_db(token);
++ db->flags &= ~PKCS11_CKFT_SO_PIN_LOCKED;
++ if (db->so_pin_count < PKCS11_TOKEN_SO_PIN_COUNT_MAX - 1) {
++ db->flags &= ~PKCS11_CKFT_SO_PIN_FINAL_TRY;
++ if (!db->so_pin_count)
++ db->flags &= ~PKCS11_CKFT_SO_PIN_COUNT_LOW;
+ }
+
+- if (token->db_main->flags & (PKCS11_CKFT_SO_PIN_COUNT_LOW |
+- PKCS11_CKFT_SO_PIN_FINAL_TRY)) {
+- token->db_main->flags &= ~(PKCS11_CKFT_SO_PIN_COUNT_LOW |
+- PKCS11_CKFT_SO_PIN_FINAL_TRY);
+-
+- update_persistent_db(token);
+- }
++ update_persistent_db(token);
+
+- return PKCS11_CKR_OK;
++ return rc;
+ }
+
+ static enum pkcs11_rc check_user_pin(struct pkcs11_session *session,
+ uint8_t *pin, size_t pin_size)
+ {
+ struct ck_token *token = session->token;
++ struct token_persistent_main *db = token->db_main;
+ enum pkcs11_rc rc = PKCS11_CKR_OK;
+
+ if (IS_ENABLED(CFG_PKCS11_TA_AUTH_TEE_IDENTITY) &&
+- token->db_main->flags & PKCS11_CKFT_PROTECTED_AUTHENTICATION_PATH)
++ db->flags & PKCS11_CKFT_PROTECTED_AUTHENTICATION_PATH)
+ return verify_identity_auth(token, PKCS11_CKU_USER);
+
+- if (!token->db_main->user_pin_salt)
++ if (!db->user_pin_salt)
+ return PKCS11_CKR_USER_PIN_NOT_INITIALIZED;
+
+- if (token->db_main->flags & PKCS11_CKFT_USER_PIN_LOCKED)
++ if (db->flags & PKCS11_CKFT_USER_PIN_LOCKED)
+ return PKCS11_CKR_PIN_LOCKED;
+
+- rc = verify_pin(PKCS11_CKU_USER, pin, pin_size,
+- token->db_main->user_pin_salt,
+- token->db_main->user_pin_hash);
+- if (rc) {
+- unsigned int pin_count = 0;
+-
+- if (rc != PKCS11_CKR_PIN_INCORRECT)
+- return rc;
+-
+- token->db_main->flags |= PKCS11_CKFT_USER_PIN_COUNT_LOW;
+- token->db_main->user_pin_count++;
++ /*
++ * Preset the counter and flags conservatively in the database so that
++ * the tentative is saved whatever happens next.
++ */
++ db->flags |= PKCS11_CKFT_USER_PIN_COUNT_LOW;
++ db->user_pin_count++;
+
+- pin_count = token->db_main->user_pin_count;
+- if (pin_count == PKCS11_TOKEN_USER_PIN_COUNT_MAX - 1)
+- token->db_main->flags |= PKCS11_CKFT_USER_PIN_FINAL_TRY;
+- if (pin_count == PKCS11_TOKEN_USER_PIN_COUNT_MAX)
+- token->db_main->flags |= PKCS11_CKFT_USER_PIN_LOCKED;
++ if (db->user_pin_count == PKCS11_TOKEN_USER_PIN_COUNT_MAX - 1)
++ db->flags |= PKCS11_CKFT_USER_PIN_FINAL_TRY;
++ else if (db->user_pin_count == PKCS11_TOKEN_USER_PIN_COUNT_MAX)
++ db->flags |= PKCS11_CKFT_USER_PIN_LOCKED;
+
+- update_persistent_db(token);
++ update_persistent_db(token);
+
+- if (token->db_main->flags & PKCS11_CKFT_USER_PIN_LOCKED)
++ rc = verify_pin(PKCS11_CKU_USER, pin, pin_size,
++ db->user_pin_salt,
++ db->user_pin_hash);
++ if (rc == PKCS11_CKR_PIN_INCORRECT) {
++ if (db->flags & PKCS11_CKFT_USER_PIN_LOCKED)
+ return PKCS11_CKR_PIN_LOCKED;
+
+ return PKCS11_CKR_PIN_INCORRECT;
+ }
+
+- if (token->db_main->user_pin_count) {
+- token->db_main->user_pin_count = 0;
++ if (rc)
++ db->user_pin_count--;
++ else
++ db->user_pin_count = 0;
+
+- update_persistent_db(token);
++ db->flags &= ~PKCS11_CKFT_USER_PIN_LOCKED;
++ if (db->user_pin_count < PKCS11_TOKEN_USER_PIN_COUNT_MAX - 1) {
++ db->flags &= ~PKCS11_CKFT_USER_PIN_FINAL_TRY;
++ if (!db->user_pin_count)
++ db->flags &= ~PKCS11_CKFT_USER_PIN_COUNT_LOW;
+ }
+
+- if (token->db_main->flags & (PKCS11_CKFT_USER_PIN_COUNT_LOW |
+- PKCS11_CKFT_USER_PIN_FINAL_TRY)) {
+- token->db_main->flags &= ~(PKCS11_CKFT_USER_PIN_COUNT_LOW |
+- PKCS11_CKFT_USER_PIN_FINAL_TRY);
+-
+- update_persistent_db(token);
+- }
++ update_persistent_db(token);
+
+- return PKCS11_CKR_OK;
++ return rc;
+ }
+
+ enum pkcs11_rc entry_ck_set_pin(struct pkcs11_client *client,
+--
+2.25.1
+
+
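Review bot: In the lock check that follows the preset, `else if (db->so_pin_count == PKCS11_TOKEN_SO_PIN_COUNT_MAX)` (and the matching line in check_user_pin) raises the locked flag only on exact equality, so a persisted counter already at or past the limit — for example a database written by a build with a larger PKCS11_TOKEN_SO_PIN_COUNT_MAX — would never lock the token; the fail-closed form is `else if (db->so_pin_count >= PKCS11_TOKEN_SO_PIN_COUNT_MAX)`. Recording the attempt before verify_pin runs is the right direction, since an abort inside the verification can no longer lose a try. The decrement on a non-PIN_INCORRECT error and the unconditional `db->flags &= ~PKCS11_CKFT_SO_PIN_LOCKED` are only correct because the early `PKCS11_CKFT_SO_PIN_LOCKED` return above guarantees the flag was set by this very call; a one-line comment stating that invariant would save the next reader the same trace. check_so_pin and check_user_pin are now line-for-line duplicates apart from field and flag names, which invites the two copies to drift on the next fix.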
diff --git a/meta-arm/meta-arm-bsp/recipes-security/optee/optee-os_3.22.0.bb b/meta-arm/meta-arm-bsp/recipes-security/optee/optee-os_3.22.0.bb
index e12201920e..16a193c386 100644
--- a/meta-arm/meta-arm-bsp/recipes-security/optee/optee-os_3.22.0.bb
+++ b/meta-arm/meta-arm-bsp/recipes-security/optee/optee-os_3.22.0.bb
@@ -10,4 +10,5 @@ SRC_URI += " \
file://0002-core-Define-section-attributes-for-clang.patch \
file://0003-optee-enable-clang-support.patch \
file://0004-core-link-add-no-warn-rwx-segments.patch \
+ file://0005-ta-pkcs11-Improve-PIN-counter-handling-robustness.patch \
"