From patchwork Tue Apr 23 16:31:57 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gyorgy Szing X-Patchwork-Id: 42792 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 7DF15C4345F for ; Tue, 23 Apr 2024 16:33:13 +0000 (UTC) Received: from foss.arm.com (foss.arm.com [217.140.110.172]) by mx.groups.io with SMTP id smtpd.web10.23378.1713889985985368957 for ; Tue, 23 Apr 2024 09:33:06 -0700 Authentication-Results: mx.groups.io; dkim=none (message not signed); spf=pass (domain: arm.com, ip: 217.140.110.172, mailfrom: gyorgy.szing@arm.com) Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id 3A087339; Tue, 23 Apr 2024 09:33:33 -0700 (PDT) Received: from FWLNXWH7M5.arm.com (unknown [10.57.21.110]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPA id 915323F7BD; Tue, 23 Apr 2024 09:33:04 -0700 (PDT) From: Gyorgy Szing To: meta-arm@lists.yoctoproject.org Cc: Gyorgy Szing Subject: [PATCH 1/9] arm/trusted-services: Update FFA TEE driver to v2.0.0 Date: Tue, 23 Apr 2024 18:31:57 +0200 Message-ID: <20240423163205.5885-1-gyorgy.szing@arm.com> X-Mailer: git-send-email 2.43.1 MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 23 Apr 2024 16:33:13 -0000 X-Groupsio-URL: https://lists.yoctoproject.org/g/meta-arm/message/5586 From: Gyorgy Szing - Update driver version to v2.0.0 - Follow up the name change. The driver has been renamed from arm_ffa_tee to arm_tstee. Signed-off-by: Gyorgy Szing --- documentation/trusted-services.md | 2 +- meta-arm-bsp/documentation/corstone1000/user-guide.rst | 6 +++--- .../arm-ffa-tee_1.1.2.bb => arm-tstee/arm-tstee_2.0.0.bb} | 8 ++++---- .../{arm-ffa-tee => arm-tstee}/files/Makefile | 2 +- meta-arm/recipes-security/trusted-services/libts_git.bb | 4 ++-- 5 files changed, 11 insertions(+), 11 deletions(-) rename meta-arm/recipes-kernel/{arm-ffa-tee/arm-ffa-tee_1.1.2.bb => arm-tstee/arm-tstee_2.0.0.bb} (74%) rename meta-arm/recipes-kernel/{arm-ffa-tee => arm-tstee}/files/Makefile (92%) diff --git a/documentation/trusted-services.md b/documentation/trusted-services.md index 70826f68..a3732713 100644 --- a/documentation/trusted-services.md +++ b/documentation/trusted-services.md @@ -28,7 +28,7 @@ Other steps depend on your machine/platform definition: 1. For communications between Secure and Normal Words Linux kernel option `CONFIG_ARM_FFA_TRANSPORT=y` is required. If your platform doesn't include it already you can add `arm-ffa` into MACHINE_FEATURES. - (Please see ` meta-arm/recipes-kernel/arm-ffa-tee`.) + (Please see ` meta-arm/recipes-kernel/arm-tstee`.) For running the `uefi-test` or the `xtest -t ffa_spmc` tests under Linux the `arm-ffa-user` drivel is required. This is enabled if the `ts-smm-gateway` and/or the `optee-spmc-test` machine features are enabled. diff --git a/meta-arm-bsp/documentation/corstone1000/user-guide.rst b/meta-arm-bsp/documentation/corstone1000/user-guide.rst index 06353b5d..073ea213 100644 --- a/meta-arm-bsp/documentation/corstone1000/user-guide.rst +++ b/meta-arm-bsp/documentation/corstone1000/user-guide.rst @@ -1295,19 +1295,19 @@ First, load FF-A TEE kernel module: :: - insmod /lib/modules/*-yocto-standard/updates/arm-ffa-tee.ko + insmod /lib/modules/6.1.32-yocto-standard/extra/arm-tstee.ko Then, check whether the FF-A TEE driver is loaded correctly by using the following command: :: - cat /proc/modules | grep arm_ffa_tee + cat /proc/modules | grep arm_tstee The output should be: :: - arm_ffa_tee - - Live
(O) + arm_tstee 16384 - - Live 0xffffffc000510000 (O) Now, run the PSA API tests in the following order: diff --git a/meta-arm/recipes-kernel/arm-ffa-tee/arm-ffa-tee_1.1.2.bb b/meta-arm/recipes-kernel/arm-tstee/arm-tstee_2.0.0.bb similarity index 74% rename from meta-arm/recipes-kernel/arm-ffa-tee/arm-ffa-tee_1.1.2.bb rename to meta-arm/recipes-kernel/arm-tstee/arm-tstee_2.0.0.bb index 5790d00f..44608b1d 100644 --- a/meta-arm/recipes-kernel/arm-ffa-tee/arm-ffa-tee_1.1.2.bb +++ b/meta-arm/recipes-kernel/arm-tstee/arm-tstee_2.0.0.bb @@ -10,13 +10,13 @@ SRC_URI = "git://gitlab.arm.com/linux-arm/linux-trusted-services;protocol=https; " S = "${WORKDIR}/git" -# Tag tee-v1.1.2 -SRCREV = "8a81f5d2406f146b15a705d49b256efaa5fa3ba9" +# Tag tee-v2.0.0 +SRCREV = "a2d7349a96c3b3afb44bf1555d53f1c46e45a23d" COMPATIBLE_HOST = "(arm|aarch64).*-linux" -KERNEL_MODULE_AUTOLOAD += "arm-ffa-tee" +KERNEL_MODULE_AUTOLOAD += "arm-tstee" do_install:append() { install -d ${D}${includedir} - install -m 0644 ${S}/uapi/arm_ffa_tee.h ${D}${includedir}/ + install -m 0644 ${S}/uapi/arm_tstee.h ${D}${includedir}/ } diff --git a/meta-arm/recipes-kernel/arm-ffa-tee/files/Makefile b/meta-arm/recipes-kernel/arm-tstee/files/Makefile similarity index 92% rename from meta-arm/recipes-kernel/arm-ffa-tee/files/Makefile rename to meta-arm/recipes-kernel/arm-tstee/files/Makefile index 40a6e474..6d781d15 100644 --- a/meta-arm/recipes-kernel/arm-ffa-tee/files/Makefile +++ b/meta-arm/recipes-kernel/arm-tstee/files/Makefile @@ -1,4 +1,4 @@ -obj-m := arm-ffa-tee.o +obj-m := arm-tstee.o SRC := $(shell pwd) diff --git a/meta-arm/recipes-security/trusted-services/libts_git.bb b/meta-arm/recipes-security/trusted-services/libts_git.bb index aafe8516..789bde7c 100644 --- a/meta-arm/recipes-security/trusted-services/libts_git.bb +++ b/meta-arm/recipes-security/trusted-services/libts_git.bb @@ -10,8 +10,8 @@ SRC_URI += "file://tee-udev.rules \ OECMAKE_SOURCEPATH="${S}/deployments/libts/${TS_ENV}" -DEPENDS += "arm-ffa-tee arm-ffa-user" -RRECOMMENDS:${PN} += "arm-ffa-tee" +DEPENDS += "arm-tstee arm-ffa-user" +RRECOMMENDS:${PN} += "arm-tstee" # Unix group name for dev/tee* ownership. TEE_GROUP_NAME ?= "teeclnt" From patchwork Tue Apr 23 16:31:58 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gyorgy Szing X-Patchwork-Id: 42793 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 6C388C4345F for ; Tue, 23 Apr 2024 16:33:23 +0000 (UTC) Received: from foss.arm.com (foss.arm.com [217.140.110.172]) by mx.groups.io with SMTP id smtpd.web10.23383.1713890000930721272 for ; Tue, 23 Apr 2024 09:33:21 -0700 Authentication-Results: mx.groups.io; dkim=none (message not signed); spf=pass (domain: arm.com, ip: 217.140.110.172, mailfrom: gyorgy.szing@arm.com) Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id 660AB339; Tue, 23 Apr 2024 09:33:48 -0700 (PDT) Received: from FWLNXWH7M5.arm.com (unknown [10.57.21.110]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPA id 9BFEF3F7BD; Tue, 23 Apr 2024 09:33:19 -0700 (PDT) From: Gyorgy Szing To: meta-arm@lists.yoctoproject.org Cc: Gyorgy Szing Subject: [PATCH 2/9] arm/trusted-services: Update TS to v1.0.0 Date: Tue, 23 Apr 2024 18:31:58 +0200 Message-ID: <20240423163205.5885-2-gyorgy.szing@arm.com> X-Mailer: git-send-email 2.43.1 In-Reply-To: <20240423163205.5885-1-gyorgy.szing@arm.com> References: <20240423163205.5885-1-gyorgy.szing@arm.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 23 Apr 2024 16:33:23 -0000 X-Groupsio-URL: https://lists.yoctoproject.org/g/meta-arm/message/5587 From: Gyorgy Szing - Update Trusted Services to v1.0.0. - Update TS "external components" references to fetch the version dictated by the TS repo. - Remove patches merged up-stream. - Update the TS nanopb integration fix (see 210a6ace8325) - Update TS test integration. Signed-off-by: Gyorgy Szing --- documentation/trusted-services.md | 2 +- .../oeqa/runtime/cases/trusted_services.py | 15 +- .../recipes-security/optee/optee-os-ts.inc | 13 +- ...-boot-order-property-to-SP-manifests.patch | 1005 +++++++++++++++++ ...ch-allow-setting-the-cmake-generator.patch | 46 - ...Limit-nanopb-build-to-single-process.patch | 41 - ...ch => 0001-Upgrade-nanopb-to-v0.4.7.patch} | 96 +- .../trusted-services/trusted-services-src.inc | 18 +- .../trusted-services/trusted-services.inc | 20 +- .../ts-psa-api-test-common_git.inc | 2 +- .../trusted-services/ts-sp-common.inc | 12 +- .../trusted-services/ts-sp-spm-test4_git.bb | 6 + .../trusted-services/ts-uuid.inc | 1 + 13 files changed, 1136 insertions(+), 141 deletions(-) create mode 100644 meta-arm/recipes-security/trusted-services/files/0001-Add-boot-order-property-to-SP-manifests.patch delete mode 100644 meta-arm/recipes-security/trusted-services/files/0001-LazyFetch-allow-setting-the-cmake-generator.patch delete mode 100644 meta-arm/recipes-security/trusted-services/files/0001-Limit-nanopb-build-to-single-process.patch rename meta-arm/recipes-security/trusted-services/files/{nanopb-upgrade.patch => 0001-Upgrade-nanopb-to-v0.4.7.patch} (56%) create mode 100644 meta-arm/recipes-security/trusted-services/ts-sp-spm-test4_git.bb diff --git a/documentation/trusted-services.md b/documentation/trusted-services.md index a3732713..f672dc2e 100644 --- a/documentation/trusted-services.md +++ b/documentation/trusted-services.md @@ -22,7 +22,7 @@ features for each [Secure Partition][^2] you would like to include: | Protected Storage | ts-storage | | se-proxy | ts-se-proxy | | smm-gateway | ts-smm-gateway | -| spm-test[1-3] | optee-spmc-test | +| spm-test[1-4] | optee-spmc-test | Other steps depend on your machine/platform definition: diff --git a/meta-arm/lib/oeqa/runtime/cases/trusted_services.py b/meta-arm/lib/oeqa/runtime/cases/trusted_services.py index 88298956..bfb42d69 100644 --- a/meta-arm/lib/oeqa/runtime/cases/trusted_services.py +++ b/meta-arm/lib/oeqa/runtime/cases/trusted_services.py @@ -28,9 +28,7 @@ class TrustedServicesTest(OERuntimeTestCase): @OEHasPackage(['ts-psa-crypto-api-test']) @OETestDepends(['ssh.SSHTest.test_ssh']) def test_03_psa_crypto_api_test(self): - # There are a two expected PSA Crypto tests failures testing features - # TS will not support. - self.run_test_tool('psa-crypto-api-test', expected_status=46) + self.run_test_tool('psa-crypto-api-test') @OEHasPackage(['ts-psa-its-api-test']) @OETestDepends(['ssh.SSHTest.test_ssh']) @@ -53,13 +51,12 @@ class TrustedServicesTest(OERuntimeTestCase): def test_09_ts_service_grp_check(self): # If this test fails, available test groups in ts-service-test have changed and all # tests using the test executable need to be double checked to ensure test group to - # TS SP mapping is still valid. + # TS SP mapping is still valid. test_grp_list="FwuServiceTests PsServiceTests ItsServiceTests AttestationProvisioningTests" test_grp_list+=" AttestationServiceTests CryptoKeyDerivationServicePackedcTests" test_grp_list+=" CryptoMacServicePackedcTests CryptoCipherServicePackedcTests" test_grp_list+=" CryptoHashServicePackedcTests CryptoServicePackedcTests" test_grp_list+=" CryptoServiceProtobufTests CryptoServiceLimitTests" - test_grp_list+=" DiscoveryServiceTests" self.run_test_tool('ts-service-test -lg', expected_output=test_grp_list) @OEHasPackage(['optee-test']) @@ -110,11 +107,3 @@ class TrustedServicesTest(OERuntimeTestCase): "CryptoCipherServicePackedcTests", "CryptoHashServicePackedcTests", \ "CryptoServicePackedcTests", "CryptoServiceProtobufTests CryptoServiceLimitTests"]: self.run_test_tool('ts-service-test -g %s'%grp) - - @OEHasPackage(['ts-service-test']) - @OETestDepends(['ssh.SSHTest.test_ssh']) - def test_16_discovery_service_test(self): - if 'ts-crypto' not in self.tc.td['MACHINE_FEATURES'] and \ - 'ts-se-proxy' not in self.tc.td['MACHINE_FEATURES']: - self.skipTest('Crypto SP is not included into OPTEE') - self.run_test_tool('ts-service-test -g DiscoveryServiceTests') diff --git a/meta-arm/recipes-security/optee/optee-os-ts.inc b/meta-arm/recipes-security/optee/optee-os-ts.inc index ce5b8b86..c6b806ff 100644 --- a/meta-arm/recipes-security/optee/optee-os-ts.inc +++ b/meta-arm/recipes-security/optee/optee-os-ts.inc @@ -53,9 +53,14 @@ SP_PATHS:append = "${@bb.utils.contains('MACHINE_FEATURES', 'ts-smm-gateway', \ # SPM test SPs DEPENDS:append = "${@bb.utils.contains('MACHINE_FEATURES', 'optee-spmc-test', \ - ' ts-sp-spm-test1 ts-sp-spm-test2 ts-sp-spm-test3', '' , d)}" + ' ts-sp-spm-test1 ts-sp-spm-test2 \ + ts-sp-spm-test3 ts-sp-spm-test4', '' , d)}" SP_PATHS:append = "${@bb.utils.contains('MACHINE_FEATURES', 'optee-spmc-test', \ - ' ${TS_BIN}/${SPM_TEST1_UUID}.stripped.elf ${TS_BIN}/${SPM_TEST2_UUID}.stripped.elf ${TS_BIN}/${SPM_TEST3_UUID}.stripped.elf', '', d)}" + ' ${TS_BIN}/${SPM_TEST1_UUID}.stripped.elf \ + ${TS_BIN}/${SPM_TEST2_UUID}.stripped.elf \ + ${TS_BIN}/${SPM_TEST3_UUID}.stripped.elf \ + ${TS_BIN}/${SPM_TEST4_UUID}.stripped.elf', \ + '', d)}" EXTRA_OEMAKE:append = "${@bb.utils.contains('MACHINE_FEATURES', 'optee-spmc-test', \ ' CFG_SPMC_TESTS=y', '' , d)}" @@ -66,4 +71,6 @@ DEPENDS:append = "${@bb.utils.contains('MACHINE_FEATURES', 'ts-block-storage', SP_PATHS:append = "${@bb.utils.contains('MACHINE_FEATURES', 'ts-block-storage', \ ' ${TS_BIN}/${BLOCK_STORAGE_UUID}.stripped.elf', '', d)}" -EXTRA_OEMAKE:append = "${@oe.utils.conditional('SP_PATHS', '', '', ' CFG_MAP_EXT_DT_SECURE=y CFG_SECURE_PARTITION=y SP_PATHS="${SP_PATHS}" ', d)}" +EXTRA_OEMAKE:append = "${@oe.utils.conditional('SP_PATHS', '', '', \ + ' CFG_MAP_EXT_DT_SECURE=y CFG_SECURE_PARTITION=y \ + SP_PATHS="${SP_PATHS}" ', d)}" diff --git a/meta-arm/recipes-security/trusted-services/files/0001-Add-boot-order-property-to-SP-manifests.patch b/meta-arm/recipes-security/trusted-services/files/0001-Add-boot-order-property-to-SP-manifests.patch new file mode 100644 index 00000000..dc4a4a1b --- /dev/null +++ b/meta-arm/recipes-security/trusted-services/files/0001-Add-boot-order-property-to-SP-manifests.patch @@ -0,0 +1,1005 @@ +From b8a6c54f519fce1651bd9d5d43884e62708f825d Mon Sep 17 00:00:00 2001 +From: Gabor Toth +Date: Thu, 14 Mar 2024 11:09:19 +0100 +Subject: [PATCH 1/1] Add boot-order property to SP manifests + +Capture the boot-order in the SP manifest files for each SP to help +portability. The legacy way to set the boot order is integration +system, packaging method and SPMC implementation specific. + +The boot order of SP is dictated by service dependency and relative +boot order of TS SPs should be as follows: + +1 - block-storage +1 - se-proxy (corstone1000-opteesp) +2 - se-proxy (default-opteesp or default-sp) +2 - internal-trusted-storage +3 - protected-storage +4 - crypto +5 - attestation +6 - se-proxy +7 - fwu +8 - smm-gateway + +Signed-off-by: Gabor Toth +Change-Id: I4b93015c68e7261fdc87434a6c7f4ec86965af54 + +Upstream-Status: Backport 7e4babed40dc686ae38d3fe35459e7417717d880 +--- + components/service/spm_test/spm_test.cmake | 1 + + .../attestation/config/default-opteesp/CMakeLists.txt | 2 ++ + .../config/default-opteesp/default_attestation.dts.in | 1 + + deployments/attestation/config/default-sp/CMakeLists.txt | 2 ++ + .../config/default-sp/default_attestation.dts.in | 1 + + .../block-storage/config/cfi-flash-optee/CMakeLists.txt | 2 ++ + .../config/cfi-flash-optee/default_block-storage.dts.in | 1 + + .../block-storage/config/default-opteesp/CMakeLists.txt | 2 ++ + .../config/default-opteesp/default_block-storage.dts.in | 1 + + .../block-storage/config/default-sp/CMakeLists.txt | 2 ++ + .../config/default-sp/default_block-storage.dts.in | 1 + + .../config/edk2-secure-flash-opteesp/CMakeLists.txt | 2 ++ + .../default_block-storage.dts.in | 1 + + .../config/semihosted-opteesp/CMakeLists.txt | 2 ++ + .../semihosted-opteesp/default_block-storage.dts.in | 1 + + deployments/crypto/config/default-opteesp/CMakeLists.txt | 2 ++ + .../crypto/config/default-opteesp/default_crypto.dts.in | 1 + + deployments/crypto/config/default-sp/CMakeLists.txt | 2 ++ + .../crypto/config/default-sp/default_crypto.dts.in | 1 + + .../default_env-test.dts.in | 1 + + .../baremetal-fvp_base_revc-sp/default_env-test.dts.in | 1 + + .../config/n1sdp-opteesp/default_env-test.dts.in | 1 + + deployments/fwu/config/default-opteesp/CMakeLists.txt | 2 ++ + .../fwu/config/default-opteesp/default_fwu.dts.in | 1 + + deployments/fwu/config/default-sp/CMakeLists.txt | 2 ++ + deployments/fwu/config/default-sp/default_fwu.dts.in | 1 + + .../config/default-opteesp/CMakeLists.txt | 2 ++ + .../default_internal-trusted-storage.dts.in | 1 + + .../config/default-sp/CMakeLists.txt | 2 ++ + .../default-sp/default_internal-trusted-storage.dts.in | 1 + + .../config/shared-flash-opteesp/CMakeLists.txt | 2 ++ + .../default_internal-trusted-storage.dts.in | 1 + + .../config/default-opteesp/CMakeLists.txt | 2 ++ + .../default-opteesp/default_protected-storage.dts.in | 1 + + .../protected-storage/config/default-sp/CMakeLists.txt | 2 ++ + .../config/default-sp/default_protected-storage.dts.in | 1 + + .../config/shared-flash-opteesp/CMakeLists.txt | 2 ++ + .../default_protected-storage.dts.in | 1 + + .../se-proxy/config/corstone1000-opteesp/CMakeLists.txt | 2 ++ + .../config/corstone1000-opteesp/default_se-proxy.dts.in | 1 + + .../se-proxy/config/default-opteesp/CMakeLists.txt | 2 ++ + .../config/default-opteesp/default_se-proxy.dts.in | 1 + + deployments/se-proxy/config/default-sp/CMakeLists.txt | 2 ++ + .../se-proxy/config/default-sp/default_se-proxy.dts.in | 1 + + deployments/sfs-demo/opteesp/default_sfs-demo.dts.in | 1 + + deployments/sfs-demo/sp/default_sfs-demo.dts.in | 1 + + .../smm-gateway/config/default-opteesp/CMakeLists.txt | 2 ++ + .../config/default-opteesp/default_smm-gateway.dts.in | 1 + + deployments/smm-gateway/config/default-sp/CMakeLists.txt | 3 +++ + .../config/default-sp/default_smm-gateway.dts.in | 1 + + deployments/spm-test1/opteesp/CMakeLists.txt | 1 + + deployments/spm-test1/opteesp/default_spm_test1.dts.in | 1 + + deployments/spm-test2/opteesp/CMakeLists.txt | 1 + + deployments/spm-test2/opteesp/default_spm_test2.dts.in | 1 + + deployments/spm-test3/opteesp/CMakeLists.txt | 2 ++ + deployments/spm-test3/opteesp/default_spm_test3.dts.in | 1 + + deployments/spm-test4/opteesp/CMakeLists.txt | 1 + + deployments/spm-test4/opteesp/default_spm_test4.dts.in | 1 + + tools/cmake/common/ExportSp.cmake | 9 ++++++++- + 59 files changed, 90 insertions(+), 1 deletion(-) + +diff --git a/components/service/spm_test/spm_test.cmake b/components/service/spm_test/spm_test.cmake +index e8a1ccd48..7cb7e667a 100644 +--- a/components/service/spm_test/spm_test.cmake ++++ b/components/service/spm_test/spm_test.cmake +@@ -70,4 +70,5 @@ export_sp( + MK_IN ${TS_ROOT}/environments/opteesp/sp.mk.in + DTS_IN ${TS_ROOT}/deployments/spm-test${SP_NUMBER}/opteesp/default_spm_test${SP_NUMBER}.dts.in + JSON_IN ${TS_ROOT}/environments/opteesp/sp_pkg.json.in ++ SP_BOOT_ORDER ${SP_BOOT_ORDER} + ) +diff --git a/deployments/attestation/config/default-opteesp/CMakeLists.txt b/deployments/attestation/config/default-opteesp/CMakeLists.txt +index 58ecb3412..7e13465dd 100644 +--- a/deployments/attestation/config/default-opteesp/CMakeLists.txt ++++ b/deployments/attestation/config/default-opteesp/CMakeLists.txt +@@ -23,6 +23,7 @@ target_include_directories(attestation PRIVATE "${TOP_LEVEL_INCLUDE_DIRS}") + set(SP_BIN_UUID_CANON "a1baf155-8876-4695-8f7c-54955e8db974") + set(SP_FFA_UUID_CANON "${TS_RPC_UUID_CANON}") + set(SP_HEAP_SIZE "32 * 1024" CACHE STRING "SP heap size in bytes") ++set(SP_BOOT_ORDER "5") + set(TRACE_PREFIX "ATT" CACHE STRING "Trace prefix") + + target_include_directories(attestation PRIVATE +@@ -90,6 +91,7 @@ include(${TS_ROOT}/tools/cmake/common/ExportSp.cmake) + export_sp( + SP_FFA_UUID_CANON ${SP_FFA_UUID_CANON} + SP_BIN_UUID_CANON ${SP_BIN_UUID_CANON} ++ SP_BOOT_ORDER ${SP_BOOT_ORDER} + SP_NAME "attestation" + MK_IN ${TS_ROOT}/environments/opteesp/sp.mk.in + DTS_IN ${CMAKE_CURRENT_LIST_DIR}/default_attestation.dts.in +diff --git a/deployments/attestation/config/default-opteesp/default_attestation.dts.in b/deployments/attestation/config/default-opteesp/default_attestation.dts.in +index 3a2ac76c9..e310cc672 100644 +--- a/deployments/attestation/config/default-opteesp/default_attestation.dts.in ++++ b/deployments/attestation/config/default-opteesp/default_attestation.dts.in +@@ -15,6 +15,7 @@ + exception-level = <1>; /* S-EL0 */ + execution-state = <0>; /* AArch64 */ + xlat-granule = <0>; /* 4KiB */ ++ boot-order = /bits/ 16 <@EXPORT_SP_BOOT_ORDER@>; + messaging-method = <3>; /* Direct messaging only */ + ns-interrupts-action = <2>; /* Non-secure interrupts are signaled */ + elf-format = <1>; +diff --git a/deployments/attestation/config/default-sp/CMakeLists.txt b/deployments/attestation/config/default-sp/CMakeLists.txt +index cdcbdcd71..43d880546 100644 +--- a/deployments/attestation/config/default-sp/CMakeLists.txt ++++ b/deployments/attestation/config/default-sp/CMakeLists.txt +@@ -28,6 +28,7 @@ set(SP_FFA_UUID_CANON "${TS_RPC_UUID_CANON}") + set(TRACE_PREFIX "ATT" CACHE STRING "Trace prefix") + set(SP_STACK_SIZE "64 * 1024" CACHE STRING "Stack size") + set(SP_HEAP_SIZE "32 * 1024" CACHE STRING "Heap size") ++set(SP_BOOT_ORDER "5") + + #------------------------------------------------------------------------------- + # Default deployment specific configuration +@@ -90,6 +91,7 @@ include(${TS_ROOT}/tools/cmake/common/ExportSp.cmake) + export_sp( + SP_FFA_UUID_CANON ${SP_FFA_UUID_CANON} + SP_BIN_UUID_CANON ${SP_BIN_UUID_CANON} ++ SP_BOOT_ORDER ${SP_BOOT_ORDER} + SP_NAME ${SP_NAME} + DTS_IN ${CMAKE_CURRENT_LIST_DIR}/default_${SP_NAME}.dts.in + DTS_MEM_REGIONS ${SP_BIN_UUID_CANON}_memory_regions.dtsi +diff --git a/deployments/attestation/config/default-sp/default_attestation.dts.in b/deployments/attestation/config/default-sp/default_attestation.dts.in +index 2e16f7ed9..e8383aec1 100644 +--- a/deployments/attestation/config/default-sp/default_attestation.dts.in ++++ b/deployments/attestation/config/default-sp/default_attestation.dts.in +@@ -15,6 +15,7 @@ + exception-level = <1>; /* S-EL0 */ + execution-state = <0>; /* AArch64 */ + xlat-granule = <0>; /* 4KiB */ ++ boot-order = /bits/ 16 <@EXPORT_SP_BOOT_ORDER@>; + messaging-method = <3>; /* Direct messaging only */ + ns-interrupts-action = <2>; /* Non-secure interrupts are signaled */ + +diff --git a/deployments/block-storage/config/cfi-flash-optee/CMakeLists.txt b/deployments/block-storage/config/cfi-flash-optee/CMakeLists.txt +index b6501f25d..53bd07839 100644 +--- a/deployments/block-storage/config/cfi-flash-optee/CMakeLists.txt ++++ b/deployments/block-storage/config/cfi-flash-optee/CMakeLists.txt +@@ -28,6 +28,7 @@ target_include_directories(block-storage PRIVATE "${TOP_LEVEL_INCLUDE_DIRS}") + set(SP_BIN_UUID_CANON "63646e80-eb52-462f-ac4f-8cdf3987519c") + set(SP_FFA_UUID_CANON "${TS_RPC_UUID_CANON}") + set(SP_HEAP_SIZE "120 * 1024" CACHE STRING "SP heap size in bytes") ++set(SP_BOOT_ORDER "1") + set(TRACE_PREFIX "BLOCK" CACHE STRING "Trace prefix") + + target_include_directories(block-storage PRIVATE +@@ -95,6 +96,7 @@ include(${TS_ROOT}/tools/cmake/common/ExportSp.cmake) + export_sp( + SP_FFA_UUID_CANON ${SP_FFA_UUID_CANON} + SP_BIN_UUID_CANON ${SP_BIN_UUID_CANON} ++ SP_BOOT_ORDER ${SP_BOOT_ORDER} + SP_NAME "block-storage" + MK_IN ${TS_ROOT}/environments/opteesp/sp.mk.in + DTS_IN ${CMAKE_CURRENT_LIST_DIR}/default_block-storage.dts.in +diff --git a/deployments/block-storage/config/cfi-flash-optee/default_block-storage.dts.in b/deployments/block-storage/config/cfi-flash-optee/default_block-storage.dts.in +index 0a97cb53e..287ecb032 100644 +--- a/deployments/block-storage/config/cfi-flash-optee/default_block-storage.dts.in ++++ b/deployments/block-storage/config/cfi-flash-optee/default_block-storage.dts.in +@@ -15,6 +15,7 @@ + exception-level = <1>; /* S-EL0 */ + execution-state = <0>; /* AArch64 */ + xlat-granule = <0>; /* 4KiB */ ++ boot-order = /bits/ 16 <@EXPORT_SP_BOOT_ORDER@>; + messaging-method = <3>; /* Direct messaging only */ + ns-interrupts-action = <2>; /* Non-secure interrupts are signaled */ + elf-format = <1>; +diff --git a/deployments/block-storage/config/default-opteesp/CMakeLists.txt b/deployments/block-storage/config/default-opteesp/CMakeLists.txt +index 5592dcd0a..7702492fa 100644 +--- a/deployments/block-storage/config/default-opteesp/CMakeLists.txt ++++ b/deployments/block-storage/config/default-opteesp/CMakeLists.txt +@@ -21,6 +21,7 @@ target_include_directories(block-storage PRIVATE "${TOP_LEVEL_INCLUDE_DIRS}") + set(SP_BIN_UUID_CANON "63646e80-eb52-462f-ac4f-8cdf3987519c") + set(SP_FFA_UUID_CANON "${TS_RPC_UUID_CANON}") + set(SP_HEAP_SIZE "120 * 1024" CACHE STRING "SP heap size in bytes") ++set(SP_BOOT_ORDER "1") + set(TRACE_PREFIX "BLOCK" CACHE STRING "Trace prefix") + + target_include_directories(block-storage PRIVATE +@@ -73,6 +74,7 @@ include(${TS_ROOT}/tools/cmake/common/ExportSp.cmake) + export_sp( + SP_FFA_UUID_CANON ${SP_FFA_UUID_CANON} + SP_BIN_UUID_CANON ${SP_BIN_UUID_CANON} ++ SP_BOOT_ORDER ${SP_BOOT_ORDER} + SP_NAME "block-storage" + MK_IN ${TS_ROOT}/environments/opteesp/sp.mk.in + DTS_IN ${CMAKE_CURRENT_LIST_DIR}/default_block-storage.dts.in +diff --git a/deployments/block-storage/config/default-opteesp/default_block-storage.dts.in b/deployments/block-storage/config/default-opteesp/default_block-storage.dts.in +index 0a97cb53e..287ecb032 100644 +--- a/deployments/block-storage/config/default-opteesp/default_block-storage.dts.in ++++ b/deployments/block-storage/config/default-opteesp/default_block-storage.dts.in +@@ -15,6 +15,7 @@ + exception-level = <1>; /* S-EL0 */ + execution-state = <0>; /* AArch64 */ + xlat-granule = <0>; /* 4KiB */ ++ boot-order = /bits/ 16 <@EXPORT_SP_BOOT_ORDER@>; + messaging-method = <3>; /* Direct messaging only */ + ns-interrupts-action = <2>; /* Non-secure interrupts are signaled */ + elf-format = <1>; +diff --git a/deployments/block-storage/config/default-sp/CMakeLists.txt b/deployments/block-storage/config/default-sp/CMakeLists.txt +index 2241c9c46..2f9c85ca7 100644 +--- a/deployments/block-storage/config/default-sp/CMakeLists.txt ++++ b/deployments/block-storage/config/default-sp/CMakeLists.txt +@@ -26,6 +26,7 @@ set(SP_BIN_UUID_CANON "63646e80-eb52-462f-ac4f-8cdf3987519c") + set(SP_FFA_UUID_CANON "${TS_RPC_UUID_CANON}") + set(SP_HEAP_SIZE "120 * 1024" CACHE STRING "SP heap size in bytes") + set(SP_STACK_SIZE "64 * 1024" CACHE STRING "Stack size") ++set(SP_BOOT_ORDER "1") + set(TRACE_PREFIX "BLOCK" CACHE STRING "Trace prefix") + + #------------------------------------------------------------------------------- +@@ -78,6 +79,7 @@ include(${TS_ROOT}/tools/cmake/common/ExportSp.cmake REQUIRED) + export_sp( + SP_FFA_UUID_CANON ${SP_FFA_UUID_CANON} + SP_BIN_UUID_CANON ${SP_BIN_UUID_CANON} ++ SP_BOOT_ORDER ${SP_BOOT_ORDER} + SP_NAME ${SP_NAME} + DTS_IN ${CMAKE_CURRENT_LIST_DIR}/default_${SP_NAME}.dts.in + DTS_MEM_REGIONS ${SP_BIN_UUID_CANON}_memory_regions.dtsi +diff --git a/deployments/block-storage/config/default-sp/default_block-storage.dts.in b/deployments/block-storage/config/default-sp/default_block-storage.dts.in +index 5d1cf5d08..916925bf3 100644 +--- a/deployments/block-storage/config/default-sp/default_block-storage.dts.in ++++ b/deployments/block-storage/config/default-sp/default_block-storage.dts.in +@@ -15,6 +15,7 @@ + exception-level = <1>; /* S-EL0 */ + execution-state = <0>; /* AArch64 */ + xlat-granule = <0>; /* 4KiB */ ++ boot-order = /bits/ 16 <@EXPORT_SP_BOOT_ORDER@>; + messaging-method = <3>; /* Direct messaging only */ + ns-interrupts-action = <2>; /* Non-secure interrupts are signaled */ + +diff --git a/deployments/block-storage/config/edk2-secure-flash-opteesp/CMakeLists.txt b/deployments/block-storage/config/edk2-secure-flash-opteesp/CMakeLists.txt +index 5b8bedf69..bba970cee 100644 +--- a/deployments/block-storage/config/edk2-secure-flash-opteesp/CMakeLists.txt ++++ b/deployments/block-storage/config/edk2-secure-flash-opteesp/CMakeLists.txt +@@ -32,6 +32,7 @@ target_include_directories(block-storage PRIVATE "${TOP_LEVEL_INCLUDE_DIRS}") + set(SP_BIN_UUID_CANON "63646e80-eb52-462f-ac4f-8cdf3987519c") + set(SP_FFA_UUID_CANON "${TS_RPC_UUID_CANON}") + set(SP_HEAP_SIZE "120 * 1024" CACHE STRING "SP heap size in bytes") ++set(SP_BOOT_ORDER "1") + set(TRACE_PREFIX "BLOCK" CACHE STRING "Trace prefix") + + target_include_directories(block-storage PRIVATE +@@ -96,6 +97,7 @@ include(${TS_ROOT}/tools/cmake/common/ExportSp.cmake) + export_sp( + SP_FFA_UUID_CANON ${SP_FFA_UUID_CANON} + SP_BIN_UUID_CANON ${SP_BIN_UUID_CANON} ++ SP_BOOT_ORDER ${SP_BOOT_ORDER} + SP_NAME "block-storage" + MK_IN ${TS_ROOT}/environments/opteesp/sp.mk.in + DTS_IN ${CMAKE_CURRENT_LIST_DIR}/default_block-storage.dts.in +diff --git a/deployments/block-storage/config/edk2-secure-flash-opteesp/default_block-storage.dts.in b/deployments/block-storage/config/edk2-secure-flash-opteesp/default_block-storage.dts.in +index 0a97cb53e..287ecb032 100644 +--- a/deployments/block-storage/config/edk2-secure-flash-opteesp/default_block-storage.dts.in ++++ b/deployments/block-storage/config/edk2-secure-flash-opteesp/default_block-storage.dts.in +@@ -15,6 +15,7 @@ + exception-level = <1>; /* S-EL0 */ + execution-state = <0>; /* AArch64 */ + xlat-granule = <0>; /* 4KiB */ ++ boot-order = /bits/ 16 <@EXPORT_SP_BOOT_ORDER@>; + messaging-method = <3>; /* Direct messaging only */ + ns-interrupts-action = <2>; /* Non-secure interrupts are signaled */ + elf-format = <1>; +diff --git a/deployments/block-storage/config/semihosted-opteesp/CMakeLists.txt b/deployments/block-storage/config/semihosted-opteesp/CMakeLists.txt +index 2be517640..fe7b48dc8 100644 +--- a/deployments/block-storage/config/semihosted-opteesp/CMakeLists.txt ++++ b/deployments/block-storage/config/semihosted-opteesp/CMakeLists.txt +@@ -27,6 +27,7 @@ target_include_directories(block-storage PRIVATE "${TOP_LEVEL_INCLUDE_DIRS}") + set(SP_BIN_UUID_CANON "63646e80-eb52-462f-ac4f-8cdf3987519c") + set(SP_FFA_UUID_CANON "${TS_RPC_UUID_CANON}") + set(SP_HEAP_SIZE "120 * 1024" CACHE STRING "SP heap size in bytes") ++set(SP_BOOT_ORDER "1") + set(TRACE_PREFIX "BLOCK" CACHE STRING "Trace prefix") + + target_include_directories(block-storage PRIVATE +@@ -92,6 +93,7 @@ include(${TS_ROOT}/tools/cmake/common/ExportSp.cmake) + export_sp( + SP_FFA_UUID_CANON ${SP_FFA_UUID_CANON} + SP_BIN_UUID_CANON ${SP_BIN_UUID_CANON} ++ SP_BOOT_ORDER ${SP_BOOT_ORDER} + SP_NAME "block-storage" + MK_IN ${TS_ROOT}/environments/opteesp/sp.mk.in + DTS_IN ${CMAKE_CURRENT_LIST_DIR}/default_block-storage.dts.in +diff --git a/deployments/block-storage/config/semihosted-opteesp/default_block-storage.dts.in b/deployments/block-storage/config/semihosted-opteesp/default_block-storage.dts.in +index 0a97cb53e..287ecb032 100644 +--- a/deployments/block-storage/config/semihosted-opteesp/default_block-storage.dts.in ++++ b/deployments/block-storage/config/semihosted-opteesp/default_block-storage.dts.in +@@ -15,6 +15,7 @@ + exception-level = <1>; /* S-EL0 */ + execution-state = <0>; /* AArch64 */ + xlat-granule = <0>; /* 4KiB */ ++ boot-order = /bits/ 16 <@EXPORT_SP_BOOT_ORDER@>; + messaging-method = <3>; /* Direct messaging only */ + ns-interrupts-action = <2>; /* Non-secure interrupts are signaled */ + elf-format = <1>; +diff --git a/deployments/crypto/config/default-opteesp/CMakeLists.txt b/deployments/crypto/config/default-opteesp/CMakeLists.txt +index 1e4069d66..11e2dfbb3 100644 +--- a/deployments/crypto/config/default-opteesp/CMakeLists.txt ++++ b/deployments/crypto/config/default-opteesp/CMakeLists.txt +@@ -30,6 +30,7 @@ target_include_directories(crypto PRIVATE "${TOP_LEVEL_INCLUDE_DIRS}") + set(SP_BIN_UUID_CANON "d9df52d5-16a2-4bb2-9aa4-d26d3b84e8c0") + set(SP_FFA_UUID_CANON "${TS_RPC_UUID_CANON}") + set(SP_HEAP_SIZE "490 * 1024" CACHE STRING "SP heap size in bytes") ++set(SP_BOOT_ORDER "4") + set(TRACE_PREFIX "CRYPTO" CACHE STRING "Trace prefix") + + target_include_directories(crypto PRIVATE +@@ -91,6 +92,7 @@ include(${TS_ROOT}/tools/cmake/common/ExportSp.cmake) + export_sp( + SP_FFA_UUID_CANON ${SP_FFA_UUID_CANON} + SP_BIN_UUID_CANON ${SP_BIN_UUID_CANON} ++ SP_BOOT_ORDER ${SP_BOOT_ORDER} + SP_NAME "crypto" + MK_IN ${TS_ROOT}/environments/opteesp/sp.mk.in + DTS_IN ${CMAKE_CURRENT_LIST_DIR}/default_crypto.dts.in +diff --git a/deployments/crypto/config/default-opteesp/default_crypto.dts.in b/deployments/crypto/config/default-opteesp/default_crypto.dts.in +index c9006361d..729dca7f0 100644 +--- a/deployments/crypto/config/default-opteesp/default_crypto.dts.in ++++ b/deployments/crypto/config/default-opteesp/default_crypto.dts.in +@@ -15,6 +15,7 @@ + exception-level = <1>; /* S-EL0 */ + execution-state = <0>; /* AArch64 */ + xlat-granule = <0>; /* 4KiB */ ++ boot-order = /bits/ 16 <@EXPORT_SP_BOOT_ORDER@>; + messaging-method = <3>; /* Direct messaging only */ + ns-interrupts-action = <2>; /* Non-secure interrupts are signaled */ + elf-format = <1>; +diff --git a/deployments/crypto/config/default-sp/CMakeLists.txt b/deployments/crypto/config/default-sp/CMakeLists.txt +index 83594c5e2..b32772820 100644 +--- a/deployments/crypto/config/default-sp/CMakeLists.txt ++++ b/deployments/crypto/config/default-sp/CMakeLists.txt +@@ -35,6 +35,7 @@ set(SP_FFA_UUID_CANON "${TS_RPC_UUID_CANON}") + set(TRACE_PREFIX "CRYPTO" CACHE STRING "Trace prefix") + set(SP_STACK_SIZE "64 * 1024" CACHE STRING "Stack size") + set(SP_HEAP_SIZE "490 * 1024" CACHE STRING "Heap size") ++set(SP_BOOT_ORDER "4") + + #------------------------------------------------------------------------------- + # Components that are specific to deployment in the opteesp environment. +@@ -91,6 +92,7 @@ include(${TS_ROOT}/tools/cmake/common/ExportSp.cmake REQUIRED) + export_sp( + SP_FFA_UUID_CANON ${SP_FFA_UUID_CANON} + SP_BIN_UUID_CANON ${SP_BIN_UUID_CANON} ++ SP_BOOT_ORDER ${SP_BOOT_ORDER} + SP_NAME ${SP_NAME} + DTS_IN ${CMAKE_CURRENT_LIST_DIR}/default_${SP_NAME}.dts.in + DTS_MEM_REGIONS ${SP_BIN_UUID_CANON}_memory_regions.dtsi +diff --git a/deployments/crypto/config/default-sp/default_crypto.dts.in b/deployments/crypto/config/default-sp/default_crypto.dts.in +index fcc7ce58e..ef63c63a0 100644 +--- a/deployments/crypto/config/default-sp/default_crypto.dts.in ++++ b/deployments/crypto/config/default-sp/default_crypto.dts.in +@@ -15,6 +15,7 @@ + exception-level = <1>; /* S-EL0 */ + execution-state = <0>; /* AArch64 */ + xlat-granule = <0>; /* 4KiB */ ++ boot-order = /bits/ 16 <@EXPORT_SP_BOOT_ORDER@>; + messaging-method = <3>; /* Direct messaging only */ + ns-interrupts-action = <2>; /* Non-secure interrupts are signaled */ + +diff --git a/deployments/env-test/config/baremetal-fvp_base_revc-opteesp/default_env-test.dts.in b/deployments/env-test/config/baremetal-fvp_base_revc-opteesp/default_env-test.dts.in +index 9c09689cf..c8c8c38f3 100644 +--- a/deployments/env-test/config/baremetal-fvp_base_revc-opteesp/default_env-test.dts.in ++++ b/deployments/env-test/config/baremetal-fvp_base_revc-opteesp/default_env-test.dts.in +@@ -15,6 +15,7 @@ + exception-level = <1>; /* S-EL0 */ + execution-state = <0>; /* AArch64 */ + xlat-granule = <0>; /* 4KiB */ ++ boot-order = /bits/ 16 <@EXPORT_SP_BOOT_ORDER@>; + messaging-method = <3>; /* Direct messaging only */ + ns-interrupts-action = <2>; /* Non-secure interrupts are signaled */ + elf-format = <1>; +diff --git a/deployments/env-test/config/baremetal-fvp_base_revc-sp/default_env-test.dts.in b/deployments/env-test/config/baremetal-fvp_base_revc-sp/default_env-test.dts.in +index 8c741b29c..379eba332 100644 +--- a/deployments/env-test/config/baremetal-fvp_base_revc-sp/default_env-test.dts.in ++++ b/deployments/env-test/config/baremetal-fvp_base_revc-sp/default_env-test.dts.in +@@ -13,6 +13,7 @@ + exception-level = <1>; /* S-EL0 */ + execution-state = <0>; /* AArch64 */ + xlat-granule = <0>; /* 4KiB */ ++ boot-order = /bits/ 16 <@EXPORT_SP_BOOT_ORDER@>; + messaging-method = <3>; /* Direct messaging only */ + ns-interrupts-action = <2>; /* Non-secure interrupts are signaled */ + memory-regions { +diff --git a/deployments/env-test/config/n1sdp-opteesp/default_env-test.dts.in b/deployments/env-test/config/n1sdp-opteesp/default_env-test.dts.in +index 9c09689cf..c8c8c38f3 100644 +--- a/deployments/env-test/config/n1sdp-opteesp/default_env-test.dts.in ++++ b/deployments/env-test/config/n1sdp-opteesp/default_env-test.dts.in +@@ -15,6 +15,7 @@ + exception-level = <1>; /* S-EL0 */ + execution-state = <0>; /* AArch64 */ + xlat-granule = <0>; /* 4KiB */ ++ boot-order = /bits/ 16 <@EXPORT_SP_BOOT_ORDER@>; + messaging-method = <3>; /* Direct messaging only */ + ns-interrupts-action = <2>; /* Non-secure interrupts are signaled */ + elf-format = <1>; +diff --git a/deployments/fwu/config/default-opteesp/CMakeLists.txt b/deployments/fwu/config/default-opteesp/CMakeLists.txt +index f5087d81e..d19e4293c 100644 +--- a/deployments/fwu/config/default-opteesp/CMakeLists.txt ++++ b/deployments/fwu/config/default-opteesp/CMakeLists.txt +@@ -23,6 +23,7 @@ target_include_directories(fwu PRIVATE "${TOP_LEVEL_INCLUDE_DIRS}") + set(SP_BIN_UUID_CANON "6823a838-1b06-470e-9774-0cce8bfb53fd") + set(SP_FFA_UUID_CANON "${TS_RPC_UUID_CANON}") + set(SP_HEAP_SIZE "32 * 1024" CACHE STRING "SP heap size in bytes") ++set(SP_BOOT_ORDER "7") + + target_include_directories(fwu PRIVATE + ${CMAKE_CURRENT_LIST_DIR} +@@ -90,6 +91,7 @@ include(${TS_ROOT}/tools/cmake/common/ExportSp.cmake) + export_sp( + SP_FFA_UUID_CANON ${SP_FFA_UUID_CANON} + SP_BIN_UUID_CANON ${SP_BIN_UUID_CANON} ++ SP_BOOT_ORDER ${SP_BOOT_ORDER} + SP_NAME "fwu" + DTS_IN ${CMAKE_CURRENT_LIST_DIR}/default_fwu.dts.in + JSON_IN ${TS_ROOT}/environments/opteesp/sp_pkg.json.in +diff --git a/deployments/fwu/config/default-opteesp/default_fwu.dts.in b/deployments/fwu/config/default-opteesp/default_fwu.dts.in +index 14970d592..d62850fe8 100644 +--- a/deployments/fwu/config/default-opteesp/default_fwu.dts.in ++++ b/deployments/fwu/config/default-opteesp/default_fwu.dts.in +@@ -15,6 +15,7 @@ + exception-level = <1>; /* S-EL0 */ + execution-state = <0>; /* AArch64 */ + xlat-granule = <0>; /* 4KiB */ ++ boot-order = /bits/ 16 <@EXPORT_SP_BOOT_ORDER@>; + messaging-method = <3>; /* Direct messaging only */ + ns-interrupts-action = <2>; /* Non-secure interrupts are signaled */ + elf-format = <1>; +diff --git a/deployments/fwu/config/default-sp/CMakeLists.txt b/deployments/fwu/config/default-sp/CMakeLists.txt +index f84ba8f27..9ddc7cc3f 100644 +--- a/deployments/fwu/config/default-sp/CMakeLists.txt ++++ b/deployments/fwu/config/default-sp/CMakeLists.txt +@@ -27,6 +27,7 @@ set(SP_BIN_UUID_CANON "6823a838-1b06-470e-9774-0cce8bfb53fd") + set(SP_FFA_UUID_CANON "${TS_RPC_UUID_CANON}") + set(SP_STACK_SIZE "64 * 1024" CACHE STRING "Stack size") + set(SP_HEAP_SIZE "32 * 1024" CACHE STRING "Heap size") ++set(SP_BOOT_ORDER "7") + + #------------------------------------------------------------------------------- + # Configure trace output +@@ -90,6 +91,7 @@ include(${TS_ROOT}/tools/cmake/common/ExportSp.cmake) + export_sp( + SP_FFA_UUID_CANON ${SP_FFA_UUID_CANON} + SP_BIN_UUID_CANON ${SP_BIN_UUID_CANON} ++ SP_BOOT_ORDER ${SP_BOOT_ORDER} + SP_NAME ${SP_NAME} + DTS_IN ${CMAKE_CURRENT_LIST_DIR}/default_${SP_NAME}.dts.in + DTS_MEM_REGIONS ${SP_BIN_UUID_CANON}_memory_regions.dtsi +diff --git a/deployments/fwu/config/default-sp/default_fwu.dts.in b/deployments/fwu/config/default-sp/default_fwu.dts.in +index 3f1292e1f..a30111a18 100644 +--- a/deployments/fwu/config/default-sp/default_fwu.dts.in ++++ b/deployments/fwu/config/default-sp/default_fwu.dts.in +@@ -15,6 +15,7 @@ + exception-level = <1>; /* S-EL0 */ + execution-state = <0>; /* AArch64 */ + xlat-granule = <0>; /* 4KiB */ ++ boot-order = /bits/ 16 <@EXPORT_SP_BOOT_ORDER@>; + messaging-method = <3>; /* Direct messaging only */ + ns-interrupts-action = <2>; /* Non-secure interrupts are signaled */ + +diff --git a/deployments/internal-trusted-storage/config/default-opteesp/CMakeLists.txt b/deployments/internal-trusted-storage/config/default-opteesp/CMakeLists.txt +index 5ae53d7f7..51040bc9b 100644 +--- a/deployments/internal-trusted-storage/config/default-opteesp/CMakeLists.txt ++++ b/deployments/internal-trusted-storage/config/default-opteesp/CMakeLists.txt +@@ -21,6 +21,7 @@ set(SP_BIN_UUID_CANON "dc1eef48-b17a-4ccf-ac8b-dfcff7711b14") + set(SP_FFA_UUID_CANON "${TS_RPC_UUID_CANON}") + + set(SP_HEAP_SIZE "32 * 1024" CACHE STRING "SP heap size in bytes") ++set(SP_BOOT_ORDER "2") + set(TRACE_PREFIX "ITS" CACHE STRING "Trace prefix") + + target_include_directories(internal-trusted-storage PRIVATE +@@ -74,6 +75,7 @@ include(${TS_ROOT}/tools/cmake/common/ExportSp.cmake) + export_sp( + SP_FFA_UUID_CANON ${SP_FFA_UUID_CANON} + SP_BIN_UUID_CANON ${SP_BIN_UUID_CANON} ++ SP_BOOT_ORDER ${SP_BOOT_ORDER} + SP_NAME "internal-trusted-storage" + MK_IN ${TS_ROOT}/environments/opteesp/sp.mk.in + DTS_IN ${CMAKE_CURRENT_LIST_DIR}/default_internal-trusted-storage.dts.in +diff --git a/deployments/internal-trusted-storage/config/default-opteesp/default_internal-trusted-storage.dts.in b/deployments/internal-trusted-storage/config/default-opteesp/default_internal-trusted-storage.dts.in +index 77d08051c..9c5c8971e 100644 +--- a/deployments/internal-trusted-storage/config/default-opteesp/default_internal-trusted-storage.dts.in ++++ b/deployments/internal-trusted-storage/config/default-opteesp/default_internal-trusted-storage.dts.in +@@ -15,6 +15,7 @@ + exception-level = <1>; /* S-EL0 */ + execution-state = <0>; /* AArch64 */ + xlat-granule = <0>; /* 4KiB */ ++ boot-order = /bits/ 16 <@EXPORT_SP_BOOT_ORDER@>; + messaging-method = <3>; /* Direct messaging only */ + ns-interrupts-action = <2>; /* Non-secure interrupts are signaled */ + elf-format = <1>; +diff --git a/deployments/internal-trusted-storage/config/default-sp/CMakeLists.txt b/deployments/internal-trusted-storage/config/default-sp/CMakeLists.txt +index fd54a6389..6e68e57ae 100644 +--- a/deployments/internal-trusted-storage/config/default-sp/CMakeLists.txt ++++ b/deployments/internal-trusted-storage/config/default-sp/CMakeLists.txt +@@ -25,6 +25,7 @@ set(SP_FFA_UUID_CANON "${TS_RPC_UUID_CANON}") + set(TRACE_PREFIX "ITS" CACHE STRING "Trace prefix") + set(SP_STACK_SIZE "64 * 1024" CACHE STRING "Stack size") + set(SP_HEAP_SIZE "32 * 1024" CACHE STRING "Heap size") ++set(SP_BOOT_ORDER "2") + + #------------------------------------------------------------------------------- + # Add components - this deployment uses an infrastructure that provides +@@ -78,6 +79,7 @@ include(${TS_ROOT}/tools/cmake/common/ExportSp.cmake REQUIRED) + export_sp( + SP_FFA_UUID_CANON ${SP_FFA_UUID_CANON} + SP_BIN_UUID_CANON ${SP_BIN_UUID_CANON} ++ SP_BOOT_ORDER ${SP_BOOT_ORDER} + SP_NAME ${SP_NAME} + DTS_IN ${CMAKE_CURRENT_LIST_DIR}/default_${SP_NAME}.dts.in + DTS_MEM_REGIONS ${SP_BIN_UUID_CANON}_memory_regions.dtsi +diff --git a/deployments/internal-trusted-storage/config/default-sp/default_internal-trusted-storage.dts.in b/deployments/internal-trusted-storage/config/default-sp/default_internal-trusted-storage.dts.in +index bfe55b651..068ecc079 100644 +--- a/deployments/internal-trusted-storage/config/default-sp/default_internal-trusted-storage.dts.in ++++ b/deployments/internal-trusted-storage/config/default-sp/default_internal-trusted-storage.dts.in +@@ -15,6 +15,7 @@ + exception-level = <1>; /* S-EL0 */ + execution-state = <0>; /* AArch64 */ + xlat-granule = <0>; /* 4KiB */ ++ boot-order = /bits/ 16 <@EXPORT_SP_BOOT_ORDER@>; + messaging-method = <3>; /* Direct messaging only */ + ns-interrupts-action = <2>; /* Non-secure interrupts are signaled */ + +diff --git a/deployments/internal-trusted-storage/config/shared-flash-opteesp/CMakeLists.txt b/deployments/internal-trusted-storage/config/shared-flash-opteesp/CMakeLists.txt +index 7a0c20966..ab2cf1c25 100644 +--- a/deployments/internal-trusted-storage/config/shared-flash-opteesp/CMakeLists.txt ++++ b/deployments/internal-trusted-storage/config/shared-flash-opteesp/CMakeLists.txt +@@ -21,6 +21,7 @@ set(SP_BIN_UUID_CANON "dc1eef48-b17a-4ccf-ac8b-dfcff7711b14") + set(SP_FFA_UUID_CANON "${TS_RPC_UUID_CANON}") + + set(SP_HEAP_SIZE "32 * 1024" CACHE STRING "SP heap size in bytes") ++set(SP_BOOT_ORDER "2") + set(TRACE_PREFIX "ITS" CACHE STRING "Trace prefix") + + target_include_directories(internal-trusted-storage PRIVATE +@@ -74,6 +75,7 @@ include(${TS_ROOT}/tools/cmake/common/ExportSp.cmake) + export_sp( + SP_FFA_UUID_CANON ${SP_FFA_UUID_CANON} + SP_BIN_UUID_CANON ${SP_BIN_UUID_CANON} ++ SP_BOOT_ORDER ${SP_BOOT_ORDER} + SP_NAME "internal-trusted-storage" + MK_IN ${TS_ROOT}/environments/opteesp/sp.mk.in + DTS_IN ${CMAKE_CURRENT_LIST_DIR}/default_internal-trusted-storage.dts.in +diff --git a/deployments/internal-trusted-storage/config/shared-flash-opteesp/default_internal-trusted-storage.dts.in b/deployments/internal-trusted-storage/config/shared-flash-opteesp/default_internal-trusted-storage.dts.in +index 77d08051c..9c5c8971e 100644 +--- a/deployments/internal-trusted-storage/config/shared-flash-opteesp/default_internal-trusted-storage.dts.in ++++ b/deployments/internal-trusted-storage/config/shared-flash-opteesp/default_internal-trusted-storage.dts.in +@@ -15,6 +15,7 @@ + exception-level = <1>; /* S-EL0 */ + execution-state = <0>; /* AArch64 */ + xlat-granule = <0>; /* 4KiB */ ++ boot-order = /bits/ 16 <@EXPORT_SP_BOOT_ORDER@>; + messaging-method = <3>; /* Direct messaging only */ + ns-interrupts-action = <2>; /* Non-secure interrupts are signaled */ + elf-format = <1>; +diff --git a/deployments/protected-storage/config/default-opteesp/CMakeLists.txt b/deployments/protected-storage/config/default-opteesp/CMakeLists.txt +index 7d6e5a0e6..e1fb3698c 100644 +--- a/deployments/protected-storage/config/default-opteesp/CMakeLists.txt ++++ b/deployments/protected-storage/config/default-opteesp/CMakeLists.txt +@@ -21,6 +21,7 @@ set(SP_BIN_UUID_CANON "751bf801-3dde-4768-a514-0f10aeed1790") + set(SP_FFA_UUID_CANON "${TS_RPC_UUID_CANON}") + + set(SP_HEAP_SIZE "32 * 1024" CACHE STRING "SP heap size in bytes") ++set(SP_BOOT_ORDER "3") + set(TRACE_PREFIX "PS" CACHE STRING "Trace prefix") + + target_include_directories(protected-storage PRIVATE +@@ -73,6 +74,7 @@ include(${TS_ROOT}/tools/cmake/common/ExportSp.cmake) + export_sp( + SP_FFA_UUID_CANON ${SP_FFA_UUID_CANON} + SP_BIN_UUID_CANON ${SP_BIN_UUID_CANON} ++ SP_BOOT_ORDER ${SP_BOOT_ORDER} + SP_NAME "protected-storage" + MK_IN ${TS_ROOT}/environments/opteesp/sp.mk.in + DTS_IN ${CMAKE_CURRENT_LIST_DIR}/default_protected-storage.dts.in +diff --git a/deployments/protected-storage/config/default-opteesp/default_protected-storage.dts.in b/deployments/protected-storage/config/default-opteesp/default_protected-storage.dts.in +index b305fbbf7..2bc74a40d 100644 +--- a/deployments/protected-storage/config/default-opteesp/default_protected-storage.dts.in ++++ b/deployments/protected-storage/config/default-opteesp/default_protected-storage.dts.in +@@ -15,6 +15,7 @@ + exception-level = <1>; /* S-EL0 */ + execution-state = <0>; /* AArch64 */ + xlat-granule = <0>; /* 4KiB */ ++ boot-order = /bits/ 16 <@EXPORT_SP_BOOT_ORDER@>; + messaging-method = <3>; /* Direct messaging only */ + ns-interrupts-action = <2>; /* Non-secure interrupts are signaled */ + elf-format = <1>; +diff --git a/deployments/protected-storage/config/default-sp/CMakeLists.txt b/deployments/protected-storage/config/default-sp/CMakeLists.txt +index 1c85ef120..4ee55b84d 100644 +--- a/deployments/protected-storage/config/default-sp/CMakeLists.txt ++++ b/deployments/protected-storage/config/default-sp/CMakeLists.txt +@@ -25,6 +25,7 @@ set(SP_FFA_UUID_CANON "${TS_RPC_UUID_CANON}") + set(TRACE_PREFIX "PS" CACHE STRING "Trace prefix") + set(SP_STACK_SIZE "64 * 1024" CACHE STRING "Stack size") + set(SP_HEAP_SIZE "32 * 1024" CACHE STRING "Heap size") ++set(SP_BOOT_ORDER "3") + + #------------------------------------------------------------------------------- + # Add components - this deployment uses an infrastructure that provides +@@ -78,6 +79,7 @@ include(${TS_ROOT}/tools/cmake/common/ExportSp.cmake REQUIRED) + export_sp( + SP_FFA_UUID_CANON ${SP_FFA_UUID_CANON} + SP_BIN_UUID_CANON ${SP_BIN_UUID_CANON} ++ SP_BOOT_ORDER ${SP_BOOT_ORDER} + SP_NAME ${SP_NAME} + DTS_IN ${CMAKE_CURRENT_LIST_DIR}/default_${SP_NAME}.dts.in + DTS_MEM_REGIONS ${SP_BIN_UUID_CANON}_memory_regions.dtsi +diff --git a/deployments/protected-storage/config/default-sp/default_protected-storage.dts.in b/deployments/protected-storage/config/default-sp/default_protected-storage.dts.in +index 38c9b5849..79c001faf 100644 +--- a/deployments/protected-storage/config/default-sp/default_protected-storage.dts.in ++++ b/deployments/protected-storage/config/default-sp/default_protected-storage.dts.in +@@ -15,6 +15,7 @@ + exception-level = <1>; /* S-EL0 */ + execution-state = <0>; /* AArch64 */ + xlat-granule = <0>; /* 4KiB */ ++ boot-order = /bits/ 16 <@EXPORT_SP_BOOT_ORDER@>; + messaging-method = <3>; /* Direct messaging only */ + ns-interrupts-action = <2>; /* Non-secure interrupts are signaled */ + +diff --git a/deployments/protected-storage/config/shared-flash-opteesp/CMakeLists.txt b/deployments/protected-storage/config/shared-flash-opteesp/CMakeLists.txt +index 1a3480dce..31724de6a 100644 +--- a/deployments/protected-storage/config/shared-flash-opteesp/CMakeLists.txt ++++ b/deployments/protected-storage/config/shared-flash-opteesp/CMakeLists.txt +@@ -22,6 +22,7 @@ set(SP_FFA_UUID_CANON "${TS_RPC_UUID_CANON}") + + set(SP_HEAP_SIZE "32 * 1024" CACHE STRING "SP heap size in bytes") + set(TRACE_PREFIX "PS" CACHE STRING "Trace prefix") ++set(SP_BOOT_ORDER "3") + + target_include_directories(protected-storage PRIVATE + ${CMAKE_CURRENT_LIST_DIR} +@@ -72,6 +73,7 @@ include(${TS_ROOT}/tools/cmake/common/ExportSp.cmake) + export_sp( + SP_FFA_UUID_CANON ${SP_FFA_UUID_CANON} + SP_BIN_UUID_CANON ${SP_BIN_UUID_CANON} ++ SP_BOOT_ORDER ${SP_BOOT_ORDER} + SP_NAME "protected-storage" + MK_IN ${TS_ROOT}/environments/opteesp/sp.mk.in + DTS_IN ${CMAKE_CURRENT_LIST_DIR}/default_protected-storage.dts.in +diff --git a/deployments/protected-storage/config/shared-flash-opteesp/default_protected-storage.dts.in b/deployments/protected-storage/config/shared-flash-opteesp/default_protected-storage.dts.in +index b305fbbf7..2bc74a40d 100644 +--- a/deployments/protected-storage/config/shared-flash-opteesp/default_protected-storage.dts.in ++++ b/deployments/protected-storage/config/shared-flash-opteesp/default_protected-storage.dts.in +@@ -15,6 +15,7 @@ + exception-level = <1>; /* S-EL0 */ + execution-state = <0>; /* AArch64 */ + xlat-granule = <0>; /* 4KiB */ ++ boot-order = /bits/ 16 <@EXPORT_SP_BOOT_ORDER@>; + messaging-method = <3>; /* Direct messaging only */ + ns-interrupts-action = <2>; /* Non-secure interrupts are signaled */ + elf-format = <1>; +diff --git a/deployments/se-proxy/config/corstone1000-opteesp/CMakeLists.txt b/deployments/se-proxy/config/corstone1000-opteesp/CMakeLists.txt +index 2c0da0e97..3e2cef692 100644 +--- a/deployments/se-proxy/config/corstone1000-opteesp/CMakeLists.txt ++++ b/deployments/se-proxy/config/corstone1000-opteesp/CMakeLists.txt +@@ -23,6 +23,7 @@ set(SP_BIN_UUID_CANON "46bb39d1-b4d9-45b5-88ff-040027dab249") + set(SP_FFA_UUID_CANON "${TS_RPC_UUID_CANON}") + + set(SP_HEAP_SIZE "32 * 1024" CACHE STRING "SP heap size in bytes") ++set(SP_BOOT_ORDER "1") + set(TRACE_PREFIX "SEPROXY" CACHE STRING "Trace prefix") + + target_include_directories(se-proxy PRIVATE +@@ -84,6 +85,7 @@ include(${TS_ROOT}/tools/cmake/common/ExportSp.cmake) + export_sp( + SP_FFA_UUID_CANON ${SP_FFA_UUID_CANON} + SP_BIN_UUID_CANON ${SP_BIN_UUID_CANON} ++ SP_BOOT_ORDER ${SP_BOOT_ORDER} + SP_NAME "se-proxy" + MK_IN ${TS_ROOT}/environments/opteesp/sp.mk.in + DTS_IN ${CMAKE_CURRENT_LIST_DIR}/default_se-proxy.dts.in +diff --git a/deployments/se-proxy/config/corstone1000-opteesp/default_se-proxy.dts.in b/deployments/se-proxy/config/corstone1000-opteesp/default_se-proxy.dts.in +index cc42929d5..d3addedbc 100644 +--- a/deployments/se-proxy/config/corstone1000-opteesp/default_se-proxy.dts.in ++++ b/deployments/se-proxy/config/corstone1000-opteesp/default_se-proxy.dts.in +@@ -15,6 +15,7 @@ + exception-level = <1>; /* S-EL0 */ + execution-state = <0>; /* AArch64 */ + xlat-granule = <0>; /* 4KiB */ ++ boot-order = /bits/ 16 <@EXPORT_SP_BOOT_ORDER@>; + messaging-method = <3>; /* Direct messaging only */ + ns-interrupts-action = <2>; /* Non-secure interrupts are signaled */ + elf-format = <1>; +diff --git a/deployments/se-proxy/config/default-opteesp/CMakeLists.txt b/deployments/se-proxy/config/default-opteesp/CMakeLists.txt +index 77ea841d2..a9b1bad17 100644 +--- a/deployments/se-proxy/config/default-opteesp/CMakeLists.txt ++++ b/deployments/se-proxy/config/default-opteesp/CMakeLists.txt +@@ -25,6 +25,7 @@ set(SP_BIN_UUID_CANON "46bb39d1-b4d9-45b5-88ff-040027dab249") + set(SP_FFA_UUID_CANON "${TS_RPC_UUID_CANON}") + + set(SP_HEAP_SIZE "32 * 1024" CACHE STRING "SP heap size in bytes") ++set(SP_BOOT_ORDER "2") + set(TRACE_PREFIX "SEPROXY" CACHE STRING "Trace prefix") + + target_include_directories(se-proxy PRIVATE +@@ -86,6 +87,7 @@ include(${TS_ROOT}/tools/cmake/common/ExportSp.cmake) + export_sp( + SP_FFA_UUID_CANON ${SP_FFA_UUID_CANON} + SP_BIN_UUID_CANON ${SP_BIN_UUID_CANON} ++ SP_BOOT_ORDER ${SP_BOOT_ORDER} + SP_NAME "se-proxy" + MK_IN ${TS_ROOT}/environments/opteesp/sp.mk.in + DTS_IN ${CMAKE_CURRENT_LIST_DIR}/default_se-proxy.dts.in +diff --git a/deployments/se-proxy/config/default-opteesp/default_se-proxy.dts.in b/deployments/se-proxy/config/default-opteesp/default_se-proxy.dts.in +index 902017c35..7c2f038a0 100644 +--- a/deployments/se-proxy/config/default-opteesp/default_se-proxy.dts.in ++++ b/deployments/se-proxy/config/default-opteesp/default_se-proxy.dts.in +@@ -15,6 +15,7 @@ + exception-level = <1>; /* S-EL0 */ + execution-state = <0>; /* AArch64 */ + xlat-granule = <0>; /* 4KiB */ ++ boot-order = /bits/ 16 <@EXPORT_SP_BOOT_ORDER@>; + messaging-method = <3>; /* Direct messaging only */ + ns-interrupts-action = <2>; /* Non-secure interrupts are signaled */ + elf-format = <1>; +diff --git a/deployments/se-proxy/config/default-sp/CMakeLists.txt b/deployments/se-proxy/config/default-sp/CMakeLists.txt +index 70d40739d..59780b44d 100644 +--- a/deployments/se-proxy/config/default-sp/CMakeLists.txt ++++ b/deployments/se-proxy/config/default-sp/CMakeLists.txt +@@ -29,6 +29,7 @@ set(SP_FFA_UUID_CANON "${TS_RPC_UUID_CANON}") + set(TRACE_PREFIX "SEPROXY" CACHE STRING "Trace prefix") + set(SP_STACK_SIZE "64 * 1024" CACHE STRING "Stack size") + set(SP_HEAP_SIZE "32 * 1024" CACHE STRING "Heap size") ++set(SP_BOOT_ORDER "2") + + #------------------------------------------------------------------------------- + # Components that are specific to deployment in the opteesp environment. +@@ -85,6 +86,7 @@ include(${TS_ROOT}/tools/cmake/common/ExportSp.cmake REQUIRED) + export_sp( + SP_FFA_UUID_CANON ${SP_FFA_UUID_CANON} + SP_BIN_UUID_CANON ${SP_BIN_UUID_CANON} ++ SP_BOOT_ORDER ${SP_BOOT_ORDER} + SP_NAME ${SP_NAME} + DTS_IN ${CMAKE_CURRENT_LIST_DIR}/default_${SP_NAME}.dts.in + DTS_MEM_REGIONS ${SP_BIN_UUID_CANON}_memory_regions.dtsi +diff --git a/deployments/se-proxy/config/default-sp/default_se-proxy.dts.in b/deployments/se-proxy/config/default-sp/default_se-proxy.dts.in +index 3b66f9258..09f0dc129 100644 +--- a/deployments/se-proxy/config/default-sp/default_se-proxy.dts.in ++++ b/deployments/se-proxy/config/default-sp/default_se-proxy.dts.in +@@ -15,6 +15,7 @@ + exception-level = <1>; /* S-EL0 */ + execution-state = <0>; /* AArch64 */ + xlat-granule = <0>; /* 4KiB */ ++ boot-order = /bits/ 16 <@EXPORT_SP_BOOT_ORDER@>; + messaging-method = <3>; /* Direct messaging only */ + ns-interrupts-action = <2>; /* Non-secure interrupts are signaled */ + +diff --git a/deployments/sfs-demo/opteesp/default_sfs-demo.dts.in b/deployments/sfs-demo/opteesp/default_sfs-demo.dts.in +index 69c36895e..17d1dece3 100644 +--- a/deployments/sfs-demo/opteesp/default_sfs-demo.dts.in ++++ b/deployments/sfs-demo/opteesp/default_sfs-demo.dts.in +@@ -15,6 +15,7 @@ + exception-level = <1>; /* S-EL0 */ + execution-state = <0>; /* AArch64 */ + xlat-granule = <0>; /* 4KiB */ ++ boot-order = /bits/ 16 <@EXPORT_SP_BOOT_ORDER@>; + messaging-method = <3>; /* Direct messaging only */ + ns-interrupts-action = <2>; /* Non-secure interrupts are signaled */ + elf-format = <1>; +diff --git a/deployments/sfs-demo/sp/default_sfs-demo.dts.in b/deployments/sfs-demo/sp/default_sfs-demo.dts.in +index 0ea2844d7..b97b5ffea 100644 +--- a/deployments/sfs-demo/sp/default_sfs-demo.dts.in ++++ b/deployments/sfs-demo/sp/default_sfs-demo.dts.in +@@ -15,6 +15,7 @@ + exception-level = <1>; /* S-EL0 */ + execution-state = <0>; /* AArch64 */ + xlat-granule = <0>; /* 4KiB */ ++ boot-order = /bits/ 16 <@EXPORT_SP_BOOT_ORDER@>; + messaging-method = <3>; /* Direct messaging only */ + ns-interrupts-action = <2>; /* Non-secure interrupts are signaled */ + +diff --git a/deployments/smm-gateway/config/default-opteesp/CMakeLists.txt b/deployments/smm-gateway/config/default-opteesp/CMakeLists.txt +index 0ca460601..7becb3999 100644 +--- a/deployments/smm-gateway/config/default-opteesp/CMakeLists.txt ++++ b/deployments/smm-gateway/config/default-opteesp/CMakeLists.txt +@@ -22,6 +22,7 @@ add_executable(smm-gateway) + target_include_directories(smm-gateway PRIVATE "${TOP_LEVEL_INCLUDE_DIRS}") + set(SP_BIN_UUID_CANON "ed32d533-99e6-4209-9cc0-2d72cdd998a7") + set(SP_FFA_UUID_CANON "${SP_BIN_UUID_CANON}") ++set(SP_BOOT_ORDER "8") + + set(SP_HEAP_SIZE "32 * 1024" CACHE STRING "SP heap size in bytes") + set(TRACE_PREFIX "SMMGW" CACHE STRING "Trace prefix") +@@ -89,6 +90,7 @@ include(${TS_ROOT}/tools/cmake/common/ExportSp.cmake) + export_sp( + SP_FFA_UUID_CANON ${SP_FFA_UUID_CANON} + SP_BIN_UUID_CANON ${SP_BIN_UUID_CANON} ++ SP_BOOT_ORDER ${SP_BOOT_ORDER} + SP_NAME "smm-gateway" + MK_IN ${TS_ROOT}/environments/opteesp/sp.mk.in + DTS_IN ${CMAKE_CURRENT_LIST_DIR}/default_smm-gateway.dts.in +diff --git a/deployments/smm-gateway/config/default-opteesp/default_smm-gateway.dts.in b/deployments/smm-gateway/config/default-opteesp/default_smm-gateway.dts.in +index d74c2f3ee..eb5ebf592 100644 +--- a/deployments/smm-gateway/config/default-opteesp/default_smm-gateway.dts.in ++++ b/deployments/smm-gateway/config/default-opteesp/default_smm-gateway.dts.in +@@ -15,6 +15,7 @@ + exception-level = <1>; /* S-EL0 */ + execution-state = <0>; /* AArch64 */ + xlat-granule = <0>; /* 4KiB */ ++ boot-order = /bits/ 16 <@EXPORT_SP_BOOT_ORDER@>; + messaging-method = <3>; /* Direct messaging only */ + ns-interrupts-action = <2>; /* Non-secure interrupts are signaled */ + elf-format = <1>; +diff --git a/deployments/smm-gateway/config/default-sp/CMakeLists.txt b/deployments/smm-gateway/config/default-sp/CMakeLists.txt +index 95c572632..e56a8559d 100644 +--- a/deployments/smm-gateway/config/default-sp/CMakeLists.txt ++++ b/deployments/smm-gateway/config/default-sp/CMakeLists.txt +@@ -27,6 +27,8 @@ set(SP_BIN_UUID_CANON "ed32d533-99e6-4209-9cc0-2d72cdd998a7") + set(SP_FFA_UUID_CANON "${SP_BIN_UUID_CANON}") + set(TRACE_PREFIX "SMMGW" CACHE STRING "Trace prefix") + set(SP_STACK_SIZE "64 * 1024" CACHE STRING "Stack size") ++set(SP_BOOT_ORDER "8") ++ + set(SP_HEAP_SIZE "32 * 1024" CACHE STRING "Heap size") + + # Setting the MM communication buffer parameters +@@ -88,6 +90,7 @@ include(${TS_ROOT}/tools/cmake/common/ExportSp.cmake REQUIRED) + export_sp( + SP_FFA_UUID_CANON ${SP_FFA_UUID_CANON} + SP_BIN_UUID_CANON ${SP_BIN_UUID_CANON} ++ SP_BOOT_ORDER ${SP_BOOT_ORDER} + SP_NAME ${SP_NAME} + DTS_IN ${CMAKE_CURRENT_LIST_DIR}/default_${SP_NAME}.dts.in + DTS_MEM_REGIONS ${SP_BIN_UUID_CANON}_memory_regions.dtsi +diff --git a/deployments/smm-gateway/config/default-sp/default_smm-gateway.dts.in b/deployments/smm-gateway/config/default-sp/default_smm-gateway.dts.in +index 9b8988eb1..8e41eb762 100644 +--- a/deployments/smm-gateway/config/default-sp/default_smm-gateway.dts.in ++++ b/deployments/smm-gateway/config/default-sp/default_smm-gateway.dts.in +@@ -15,6 +15,7 @@ + exception-level = <1>; /* S-EL0 */ + execution-state = <0>; /* AArch64 */ + xlat-granule = <0>; /* 4KiB */ ++ boot-order = /bits/ 16 <@EXPORT_SP_BOOT_ORDER@>; + messaging-method = <3>; /* Direct messaging only */ + ns-interrupts-action = <2>; /* Non-secure interrupts are signaled */ + +diff --git a/deployments/spm-test1/opteesp/CMakeLists.txt b/deployments/spm-test1/opteesp/CMakeLists.txt +index 4558303ad..26b846ef6 100644 +--- a/deployments/spm-test1/opteesp/CMakeLists.txt ++++ b/deployments/spm-test1/opteesp/CMakeLists.txt +@@ -18,6 +18,7 @@ set(SP_FFA_UUID_CANON "5c9edbc3-7b3a-4367-9f83-7c191ae86a37") + set(SP_NUMBER 1) + set(SP_HEAP_SIZE "32 * 1024" CACHE STRING "SP heap size in bytes") + set(TRACE_PREFIX "SPM-TEST${SP_NUMBER}" CACHE STRING "Trace prefix") ++set(SP_BOOT_ORDER "0" CACHE STRING "Boot-order.") + + #------------------------------------------------------------------------------- + # Components that are spm-test specific to deployment in the opteesp +diff --git a/deployments/spm-test1/opteesp/default_spm_test1.dts.in b/deployments/spm-test1/opteesp/default_spm_test1.dts.in +index 0cc220798..a672ee19c 100644 +--- a/deployments/spm-test1/opteesp/default_spm_test1.dts.in ++++ b/deployments/spm-test1/opteesp/default_spm_test1.dts.in +@@ -17,6 +17,7 @@ + exception-level = <1>; /* S-EL0 */ + execution-state = <0>; /* AARCH64 */ + xlat-granule = <0>; /* 4KiB */ ++ boot-order = /bits/ 16 <@EXPORT_SP_BOOT_ORDER@>; + messaging-method = <3>; /* Direct messaging only */ + ns-interrupts-action = <2>; /* Non-secure interrupts are signaled */ + elf-format = <1>; +diff --git a/deployments/spm-test2/opteesp/CMakeLists.txt b/deployments/spm-test2/opteesp/CMakeLists.txt +index ea82a4ae1..3781567bb 100644 +--- a/deployments/spm-test2/opteesp/CMakeLists.txt ++++ b/deployments/spm-test2/opteesp/CMakeLists.txt +@@ -18,6 +18,7 @@ set(SP_FFA_UUID_CANON "7817164c-c40c-4d1a-867a-9bb2278cf41a") + set(SP_NUMBER 2) + set(SP_HEAP_SIZE "32 * 1024" CACHE STRING "SP heap size in bytes") + set(TRACE_PREFIX "SPM-TEST${SP_NUMBER}" CACHE STRING "Trace prefix") ++set(SP_BOOT_ORDER "0" CACHE STRING "Boot-order.") + + #------------------------------------------------------------------------------- + # Components that are spm-test specific to deployment in the opteesp +diff --git a/deployments/spm-test2/opteesp/default_spm_test2.dts.in b/deployments/spm-test2/opteesp/default_spm_test2.dts.in +index f75bd9e7e..2364ded72 100644 +--- a/deployments/spm-test2/opteesp/default_spm_test2.dts.in ++++ b/deployments/spm-test2/opteesp/default_spm_test2.dts.in +@@ -17,6 +17,7 @@ + exception-level = <1>; /* S-EL0 */ + execution-state = <0>; /* AARCH64 */ + xlat-granule = <0>; /* 4KiB */ ++ boot-order = /bits/ 16 <@EXPORT_SP_BOOT_ORDER@>; + messaging-method = <3>; /* Direct messaging only */ + ns-interrupts-action = <2>; /* Non-secure interrupts are signaled */ + elf-format = <1>; +diff --git a/deployments/spm-test3/opteesp/CMakeLists.txt b/deployments/spm-test3/opteesp/CMakeLists.txt +index c448673d6..7d9ae0b42 100644 +--- a/deployments/spm-test3/opteesp/CMakeLists.txt ++++ b/deployments/spm-test3/opteesp/CMakeLists.txt +@@ -18,6 +18,8 @@ set(SP_FFA_UUID_CANON "23eb0100-e32a-4497-9052-2f11e584afa6") + set(SP_NUMBER 3) + set(SP_HEAP_SIZE "32 * 1024" CACHE STRING "SP heap size in bytes") + set(TRACE_PREFIX "SPM-TEST${SP_NUMBER}" CACHE STRING "Trace prefix") ++set(SP_BOOT_ORDER "0" CACHE STRING "Boot-order.") ++ + + #------------------------------------------------------------------------------- + # Components that are spm-test specific to deployment in the opteesp +diff --git a/deployments/spm-test3/opteesp/default_spm_test3.dts.in b/deployments/spm-test3/opteesp/default_spm_test3.dts.in +index c3c768fb5..17e9a47b8 100644 +--- a/deployments/spm-test3/opteesp/default_spm_test3.dts.in ++++ b/deployments/spm-test3/opteesp/default_spm_test3.dts.in +@@ -17,6 +17,7 @@ + exception-level = <1>; /* S-EL0 */ + execution-state = <0>; /* AARCH64 */ + xlat-granule = <0>; /* 4KiB */ ++ boot-order = /bits/ 16 <@EXPORT_SP_BOOT_ORDER@>; + messaging-method = <3>; /* Direct messaging only */ + ns-interrupts-action = <2>; /* Non-secure interrupts are signaled */ + elf-format = <1>; +diff --git a/deployments/spm-test4/opteesp/CMakeLists.txt b/deployments/spm-test4/opteesp/CMakeLists.txt +index 4e572ecd2..09cb70944 100644 +--- a/deployments/spm-test4/opteesp/CMakeLists.txt ++++ b/deployments/spm-test4/opteesp/CMakeLists.txt +@@ -18,6 +18,7 @@ set(SP_FFA_UUID_CANON "23eb0100-e32a-4497-9052-2f11e584afa6") + set(SP_NUMBER 4) + set(SP_HEAP_SIZE "32 * 1024" CACHE STRING "SP heap size in bytes") + set(TRACE_PREFIX "SPM-TEST${SP_NUMBER}" CACHE STRING "Trace prefix") ++set(SP_BOOT_ORDER "0" CACHE STRING "Boot-order.") + + #------------------------------------------------------------------------------- + # Components that are spm-test specific to deployment in the opteesp +diff --git a/deployments/spm-test4/opteesp/default_spm_test4.dts.in b/deployments/spm-test4/opteesp/default_spm_test4.dts.in +index fffc31f45..ac57dcdfb 100644 +--- a/deployments/spm-test4/opteesp/default_spm_test4.dts.in ++++ b/deployments/spm-test4/opteesp/default_spm_test4.dts.in +@@ -17,6 +17,7 @@ + exception-level = <1>; /* S-EL0 */ + execution-state = <0>; /* AARCH64 */ + xlat-granule = <0>; /* 4KiB */ ++ boot-order = /bits/ 16 <@EXPORT_SP_BOOT_ORDER@>; + messaging-method = <3>; /* Direct messaging only */ + ns-interrupts-action = <2>; /* Non-secure interrupts are signaled */ + elf-format = <1>; +diff --git a/tools/cmake/common/ExportSp.cmake b/tools/cmake/common/ExportSp.cmake +index 78701b933..ceb770046 100644 +--- a/tools/cmake/common/ExportSp.cmake ++++ b/tools/cmake/common/ExportSp.cmake +@@ -15,6 +15,7 @@ include(${CMAKE_CURRENT_LIST_DIR}/Uuid.cmake) + export_sp( + SP_FFA_UUID_CANON + SP_NAME MK_IN <.mk path> ++ SP_BOOT_ORDER + DTS_IN + DTS_MEM_REGIONS + JSON_IN +@@ -29,6 +30,9 @@ include(${CMAKE_CURRENT_LIST_DIR}/Uuid.cmake) + The UUID of the SP binary a canonical string. When not set use the + SP_FFA_UUID_CANON as the SP_BIN_UUID_CANON. + ++ ``SP_BOOT_ORDER`` ++ Boot-order of the SP. 0 will be booted first. ++ + ``SP_NAME`` + The name of the SP. + +@@ -47,7 +51,7 @@ include(${CMAKE_CURRENT_LIST_DIR}/Uuid.cmake) + #]===] + function (export_sp) + set(options) +- set(oneValueArgs SP_FFA_UUID_CANON SP_BIN_UUID_CANON SP_NAME MK_IN DTS_IN DTS_MEM_REGIONS JSON_IN) ++ set(oneValueArgs SP_FFA_UUID_CANON SP_BIN_UUID_CANON SP_BOOT_ORDER SP_NAME MK_IN DTS_IN DTS_MEM_REGIONS JSON_IN) + set(multiValueArgs) + cmake_parse_arguments(EXPORT "${options}" "${oneValueArgs}" + "${multiValueArgs}" ${ARGN} ) +@@ -59,6 +63,9 @@ function (export_sp) + # We use the same UUID for the binary and FF-A if the UUID of the SP binary is not set + set(EXPORT_SP_BIN_UUID_CANON ${EXPORT_SP_FFA_UUID_CANON}) + endif() ++ if(NOT DEFINED EXPORT_SP_BOOT_ORDER) ++ message(FATAL_ERROR "export_sp: mandatory parameter SP_BOOT_ORDER not defined!") ++ endif() + if(NOT DEFINED EXPORT_SP_NAME) + message(FATAL_ERROR "export_sp: mandatory parameter SP_NAME not defined!") + endif() +-- +2.34.1 + diff --git a/meta-arm/recipes-security/trusted-services/files/0001-LazyFetch-allow-setting-the-cmake-generator.patch b/meta-arm/recipes-security/trusted-services/files/0001-LazyFetch-allow-setting-the-cmake-generator.patch deleted file mode 100644 index 6664fd05..00000000 --- a/meta-arm/recipes-security/trusted-services/files/0001-LazyFetch-allow-setting-the-cmake-generator.patch +++ /dev/null @@ -1,46 +0,0 @@ -From e62709f8e6f586ace7975b58b8a1c726d120759f Mon Sep 17 00:00:00 2001 -From: Gyorgy Szing -Date: Thu, 31 Aug 2023 18:24:50 +0200 -Subject: [PATCH] LazyFetch: allow setting the cmake generator - -Allow configuring the CMake generator used for external components. By -default use the generator the main project is using. -For details see the documentation in tools/cmake/common/LazyFetch.cmake. - -Change-Id: Ie01ea1ae533cf7a40c1f09808de2ad2e83a09db3 -Signed-off-by: Gyorgy Szing - -Upstream-Status: Backport -Signed-off-by: Ross Burton ---- - tools/cmake/common/LazyFetch.cmake | 9 +++++++++ - 1 file changed, 9 insertions(+) - -diff --git a/tools/cmake/common/LazyFetch.cmake b/tools/cmake/common/LazyFetch.cmake -index 68e790e..7676201 100644 ---- a/tools/cmake/common/LazyFetch.cmake -+++ b/tools/cmake/common/LazyFetch.cmake -@@ -87,11 +87,20 @@ function(LazyFetch_ConfigAndBuild) - "component specific. Pleas refer to the upstream documentation for more information.") - endif() - -+ if(NOT DEFINED ${UC_DEP_NAME}_GENERATOR) -+ if(DEFINED ENV{${UC_DEP_NAME}_GENERATOR}) -+ set(${UC_DEP_NAME}_GENERATOR ENV{${UC_DEP_NAME}_GENERATOR} CACHE STRING "CMake generator used for ${UC_DEP_NAME}.") -+ else() -+ set(${UC_DEP_NAME}_GENERATOR ${CMAKE_GENERATOR} CACHE STRING "CMake generator used for ${UC_DEP_NAME}.") -+ endif() -+ endif() -+ - execute_process(COMMAND - ${CMAKE_COMMAND} -E env "CROSS_COMPILE=${CROSS_COMPILE}" - ${CMAKE_COMMAND} - "-C${CONFIGURED_CACHE_FILE}" - -DCMAKE_BUILD_TYPE=${${UC_DEP_NAME}_BUILD_TYPE} -+ -G${${UC_DEP_NAME}_GENERATOR} - -S ${BUILD_SRC_DIR} - -B ${BUILD_BIN_DIR} - RESULT_VARIABLE --- -2.34.1 - diff --git a/meta-arm/recipes-security/trusted-services/files/0001-Limit-nanopb-build-to-single-process.patch b/meta-arm/recipes-security/trusted-services/files/0001-Limit-nanopb-build-to-single-process.patch deleted file mode 100644 index 28e041bc..00000000 --- a/meta-arm/recipes-security/trusted-services/files/0001-Limit-nanopb-build-to-single-process.patch +++ /dev/null @@ -1,41 +0,0 @@ -From aca9f9ae26235e9da2bc9adef49f9f5578f3e1e7 Mon Sep 17 00:00:00 2001 -From: Gyorgy Szing -Date: Tue, 25 Apr 2023 15:03:46 +0000 -Subject: [PATCH 1/1] Limit nanopb build to single process - -Sometimes in yocto the nanopb build step fails. The reason seems -to be a race condition. This fix disables parallel build as -a workaround. - -Upstream-Status: Inappropriate [yocto specific] - -Signed-off-by: Gyorgy Szing ---- - external/nanopb/nanopb.cmake | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/external/nanopb/nanopb.cmake b/external/nanopb/nanopb.cmake -index 36465f61..94f8048c 100644 ---- a/external/nanopb/nanopb.cmake -+++ b/external/nanopb/nanopb.cmake -@@ -65,6 +65,8 @@ if(TARGET stdlib::c) - unset_saved_properties(LIBC) - endif() - -+set(_PROCESSOR_COUNT ${PROCESSOR_COUNT}) -+set(PROCESSOR_COUNT 1) - include(${TS_ROOT}/tools/cmake/common/LazyFetch.cmake REQUIRED) - LazyFetch_MakeAvailable(DEP_NAME nanopb - FETCH_OPTIONS ${GIT_OPTIONS} -@@ -73,6 +75,8 @@ LazyFetch_MakeAvailable(DEP_NAME nanopb - CACHE_FILE "${TS_ROOT}/external/nanopb/nanopb-init-cache.cmake.in" - SOURCE_DIR "${NANOPB_SOURCE_DIR}" - ) -+set(PROCESSOR_COUNT ${_PROCESSOR_COUNT}) -+ - unset(_cmake_fragment) - - if(TARGET stdlib::c) --- -2.34.1 - diff --git a/meta-arm/recipes-security/trusted-services/files/nanopb-upgrade.patch b/meta-arm/recipes-security/trusted-services/files/0001-Upgrade-nanopb-to-v0.4.7.patch similarity index 56% rename from meta-arm/recipes-security/trusted-services/files/nanopb-upgrade.patch rename to meta-arm/recipes-security/trusted-services/files/0001-Upgrade-nanopb-to-v0.4.7.patch index 9ae4c6f2..9e81f26d 100644 --- a/meta-arm/recipes-security/trusted-services/files/nanopb-upgrade.patch +++ b/meta-arm/recipes-security/trusted-services/files/0001-Upgrade-nanopb-to-v0.4.7.patch @@ -1,26 +1,33 @@ -From 35d16cdfd51aeca5df70732accc89e250af86b69 Mon Sep 17 00:00:00 2001 +From f3ba58b00ec967970d22dfbd71c406ccb5b2ac78 Mon Sep 17 00:00:00 2001 From: Ross Burton Date: Fri, 29 Sep 2023 16:21:26 +0100 -Subject: [PATCH] Upgrade nanopb +Subject: [PATCH 1/1] Upgrade nanopb to v4.7.0 -Upgrade the nanopb checkout to 0.4.7 plus some important build fixes, and -change the build/install process to be more reliable. - -This should be upstreamed, but some pieces of this are not upstreamable in their -current state. +Upgrade the nanopb to 0.4.7 and add the following fixes: + - remove the nanopb patch as it has become obsolete. + - stop using the nanopb protoc wrapper when building the generator as + this seems to cause build issues. + - use the new nanopb_PYTHON_INSTDIR_OVERRIDE variable to set the + install location for the generator. Modify TS cmake script to search + the generator in the install content instead of the nanopb source. + - pass discovered python settings to nanopb build using the initial + cache. This speeds up the build and allows easier control of python + discovery for integration systems. Upstream-Status: Pending + Signed-off-by: Ross Burton +Signed-off-by: Gyorgy Szing --- external/nanopb/fix-pyhon-name.patch | 41 ---------------------- - external/nanopb/nanopb-init-cache.cmake.in | 6 +++- - external/nanopb/nanopb.cmake | 7 ++-- - 3 files changed, 8 insertions(+), 46 deletions(-) + external/nanopb/nanopb-init-cache.cmake.in | 9 ++++- + external/nanopb/nanopb.cmake | 34 +++++++++--------- + 3 files changed, 24 insertions(+), 60 deletions(-) delete mode 100644 external/nanopb/fix-pyhon-name.patch diff --git a/external/nanopb/fix-pyhon-name.patch b/external/nanopb/fix-pyhon-name.patch deleted file mode 100644 -index ab0e84c550f4..000000000000 +index ab0e84c5..00000000 --- a/external/nanopb/fix-pyhon-name.patch +++ /dev/null @@ -1,41 +0,0 @@ @@ -66,15 +73,16 @@ index ab0e84c550f4..000000000000 - endforeach() - endif() diff --git a/external/nanopb/nanopb-init-cache.cmake.in b/external/nanopb/nanopb-init-cache.cmake.in -index fb8104d64b26..8df41ddcb5eb 100644 +index fb8104d6..c53b6e5b 100644 --- a/external/nanopb/nanopb-init-cache.cmake.in +++ b/external/nanopb/nanopb-init-cache.cmake.in -@@ -12,11 +12,15 @@ set(BUILD_STATIC_LIBS On CACHE BOOL "") +@@ -12,11 +12,18 @@ set(BUILD_STATIC_LIBS On CACHE BOOL "") set(nanopb_BUILD_RUNTIME On CACHE BOOL "") set(nanopb_BUILD_GENERATOR On CACHE BOOL "") set(nanopb_MSVC_STATIC_RUNTIME Off BOOL "") -set(nanopb_PROTOC_PATH ${CMAKE_SOURCE_DIR}/generator/protoc CACHE STRING "") + ++# Specify location of python binary and avoid discovery. +set(Python_EXECUTABLE "@Python_EXECUTABLE@" CACHE PATH "Location of python3 executable") string(TOUPPER @CMAKE_CROSSCOMPILING@ CMAKE_CROSSCOMPILING) # CMake expects TRUE @@ -82,15 +90,42 @@ index fb8104d64b26..8df41ddcb5eb 100644 set(CMAKE_TRY_COMPILE_TARGET_TYPE STATIC_LIBRARY CACHE STRING "") endif() ++# Override the install directory of the generator. TS will first look at ++# NEWLIB_INSTALL_DIR (aka. BUILD_INSTALL_DIR), then let cmake do system specific ++# search. +set(nanopb_PYTHON_INSTDIR_OVERRIDE "@BUILD_INSTALL_DIR@/lib/python" CACHE PATH "") -+set(NANOPB_GENERATOR_DIR "@BUILD_INSTALL_DIR@/lib/python" CACHE PATH "") + @_cmake_fragment@ diff --git a/external/nanopb/nanopb.cmake b/external/nanopb/nanopb.cmake -index 36465f612d5d..57cf3d697fdd 100644 +index 36465f61..fa35d971 100644 --- a/external/nanopb/nanopb.cmake +++ b/external/nanopb/nanopb.cmake -@@ -28,7 +28,7 @@ running this module. +@@ -10,17 +10,14 @@ NanoPB integration for cmake + ---------------------------- + + This module will: +- - download nanopb if not available locally +- - build the runtime static library and the generator +- - import the static library to the build +- - define a function to provide access to the generator ++ - use LazyFetch to download nanopb and build the static library and the generator. ++ Usual LazyFetch configuration to use prefetched source or prebuilt binaries apply. ++ - run find_module() to import the static library ++ - run find_executable() import the generator to the build (extend PYTHONPATH) and ++ define a cmake function to provide access to the generator to build nanopb files. + +-Note: the python module created by the generator build will be installed under +-Python_SITELIB ("Third-party platform independent installation directory.") +-This means the build may alter the state of your system. Please use virtualenv. +- +-Note: see requirements.txt for dependencies which need to be installed before +-running this module. ++Note: see requirements.txt for dependencies which need to be installed in the build ++environment to use this module. + + #]===] + +@@ -28,7 +25,7 @@ running this module. set(NANOPB_URL "https://github.com/nanopb/nanopb.git" CACHE STRING "nanopb repository URL") @@ -99,16 +134,34 @@ index 36465f612d5d..57cf3d697fdd 100644 CACHE STRING "nanopb git refspec") set(NANOPB_SOURCE_DIR "${CMAKE_CURRENT_BINARY_DIR}/_deps/nanopb-src" CACHE PATH "nanopb source-code") -@@ -85,7 +85,7 @@ find_package(Python3 REQUIRED COMPONENTS Interpreter) +@@ -65,6 +62,11 @@ if(TARGET stdlib::c) + unset_saved_properties(LIBC) + endif() + ++# Nanopb build depends on python. Discover python here and pass the result to ++# nanopb build trough the initial cache file. ++find_package(Python3 REQUIRED COMPONENTS Interpreter) ++ ++# Use LazyFetch to manage the external dependency. + include(${TS_ROOT}/tools/cmake/common/LazyFetch.cmake REQUIRED) + LazyFetch_MakeAvailable(DEP_NAME nanopb + FETCH_OPTIONS ${GIT_OPTIONS} +@@ -80,12 +82,9 @@ if(TARGET stdlib::c) + endif() - find_file(NANOPB_GENERATOR_PATH + #### Build access to the protobuf compiler +-#TODO: verify protoc dependencies: python3-protobuf +-find_package(Python3 REQUIRED COMPONENTS Interpreter) +- +-find_file(NANOPB_GENERATOR_PATH ++find_program(NANOPB_GENERATOR_PATH NAMES nanopb_generator.py - PATHS ${nanopb_SOURCE_DIR}/generator -+ PATHS ${NANOPB_INSTALL_DIR}/bin ++ HINTS ${NANOPB_INSTALL_DIR}/bin ${NANOPB_INSTALL_DIR}/sbin DOC "nanopb protobuf compiler" NO_DEFAULT_PATH ) -@@ -186,11 +186,10 @@ function(protobuf_generate) +@@ -186,11 +185,10 @@ function(protobuf_generate) target_include_directories(${PARAMS_TGT} PRIVATE ${_OUT_DIR_BASE}) endif() @@ -121,3 +174,6 @@ index 36465f612d5d..57cf3d697fdd 100644 ${Python3_EXECUTABLE} ${NANOPB_GENERATOR_PATH} -I ${PARAMS_BASE_DIR} -D ${_OUT_DIR_BASE} +-- +2.34.1 + diff --git a/meta-arm/recipes-security/trusted-services/trusted-services-src.inc b/meta-arm/recipes-security/trusted-services/trusted-services-src.inc index 20a46219..cf301a14 100644 --- a/meta-arm/recipes-security/trusted-services/trusted-services-src.inc +++ b/meta-arm/recipes-security/trusted-services/trusted-services-src.inc @@ -8,13 +8,12 @@ SRC_URI = "git://git.trustedfirmware.org/TS/trusted-services.git;protocol=https; FILESEXTRAPATHS:prepend := "${THISDIR}/files:" SRC_URI:append = "\ - file://0001-Limit-nanopb-build-to-single-process.patch \ - file://0001-LazyFetch-allow-setting-the-cmake-generator.patch \ - file://nanopb-upgrade.patch \ + file://0001-Upgrade-nanopb-to-v0.4.7.patch \ + file://0001-Add-boot-order-property-to-SP-manifests.patch \ " -#Latest on 2023 April 28 -SRCREV_trusted-services = "08b3d39471f4914186bd23793dc920e83b0e3197" +# Trusted Services; Tag: v1.0.0 +SRCREV_trusted-services = "808904390eb89294d2371959a7d82dde3851ca6c" LIC_FILES_CHKSUM = "file://${S}/license.rst;md5=ea160bac7f690a069c608516b17997f4" S = "${WORKDIR}/git/trusted-services" @@ -25,9 +24,9 @@ SRC_URI += "git://github.com/dgibson/dtc;name=dtc;protocol=https;branch=main;des SRCREV_dtc = "b6910bec11614980a21e46fbccc35934b671bd81" LIC_FILES_CHKSUM += "file://../dtc/README.license;md5=a1eb22e37f09df5b5511b8a278992d0e" -# MbedTLS, tag "mbedtls-3.3.0" +# MbedTLS, tag "mbedtls-3.4.0" SRC_URI += "git://github.com/ARMmbed/mbedtls.git;name=mbedtls;protocol=https;branch=master;destsuffix=git/mbedtls" -SRCREV_mbedtls = "8c89224991adff88d53cd380f42a2baa36f91454" +SRCREV_mbedtls = "1873d3bfc2da771672bd8e7e8f41f57e0af77f33" LIC_FILES_CHKSUM += "file://../mbedtls/LICENSE;md5=3b83ef96387f14655fc854ddc3c6bd57" # Nanopb, tag "nanopb-0.4.7" plus some further fixes @@ -74,6 +73,11 @@ do_apply_local_src_patches() { apply_local_src_patches ${S}/external/nanopb ${WORKDIR}/git/nanopb } +do_config:append:() { + # Fine tune MbedTLS configuration for crypto only operation. + sh -c "cd ${WORKDIR}/git/mbedtls; python3 scripts/config.py crypto" +} + # Paths to dependencies required by some TS SPs/tools EXTRA_OECMAKE += "-DDTC_SOURCE_DIR=${WORKDIR}/git/dtc \ -DCPPUTEST_SOURCE_DIR=${WORKDIR}/git/cpputest \ diff --git a/meta-arm/recipes-security/trusted-services/trusted-services.inc b/meta-arm/recipes-security/trusted-services/trusted-services.inc index b46cd498..c4a6f78c 100644 --- a/meta-arm/recipes-security/trusted-services/trusted-services.inc +++ b/meta-arm/recipes-security/trusted-services/trusted-services.inc @@ -32,7 +32,6 @@ OECMAKE_EXTRA_ROOT_PATH = "${WORKDIR}/git/ ${WORKDIR}/build/" EXTRA_OECMAKE += '-DLIBGCC_LOCATE_CFLAGS="--sysroot=${STAGING_DIR_HOST}" \ -DCROSS_COMPILE="${TARGET_PREFIX}" \ - -DSP_PACKAGING_METHOD="${SP_PACKAGING_METHOD}" \ -DTS_PLATFORM="${TS_PLATFORM}" \ ' export CROSS_COMPILE="${TARGET_PREFIX}" @@ -40,13 +39,18 @@ export CROSS_COMPILE="${TARGET_PREFIX}" # Default TS installation path TS_INSTALL = "/usr/${TS_ENV}" -# Use the Yocto cmake toolchain for arm-linux TS deployments and -# the TS opteesp toolchain for opteesp TS deployments -EXTRA_OECMAKE += "${@oe.utils.conditional('TS_ENV', 'opteesp', \ - '-DCMAKE_TOOLCHAIN_FILE=${S}/environments/${TS_ENV}/default_toolchain_file.cmake', \ - '-DTS_EXTERNAL_LIB_TOOLCHAIN_FILE=${WORKDIR}/toolchain.cmake', \ - d)} \ - " +# Use the Yocto cmake toolchain for external components of the arm-linux TS deployments, +# and the TS toolchain for opteesp and sp deployments +def get_ts_toolchain_option(d): + ts_env=d.getVar('TS_ENV') + if ts_env == 'opteesp' or ts_env == 'sp': + return '-DCMAKE_TOOLCHAIN_FILE=${S}/environments/'+ts_env+'/default_toolchain_file.cmake' + if ts_env == 'arm-linux': + return '-DTS_EXTERNAL_LIB_TOOLCHAIN_FILE=${WORKDIR}/toolchain.cmake' + bb.error("Unkown value \"%s\" for TS_ENV." % (ts_env)) + return '' + +EXTRA_OECMAKE += "${@get_ts_toolchain_option(d)}" # Paths to pre-built dependencies required by some TS SPs/tools EXTRA_OECMAKE += "-Dlibts_ROOT=${STAGING_DIR_HOST}${TS_INSTALL}/lib/cmake/libts/ \ diff --git a/meta-arm/recipes-security/trusted-services/ts-psa-api-test-common_git.inc b/meta-arm/recipes-security/trusted-services/ts-psa-api-test-common_git.inc index c8b4e992..93051bf3 100644 --- a/meta-arm/recipes-security/trusted-services/ts-psa-api-test-common_git.inc +++ b/meta-arm/recipes-security/trusted-services/ts-psa-api-test-common_git.inc @@ -13,7 +13,7 @@ SRC_URI += "git://github.com/ARM-software/psa-arch-tests.git;name=psatest;protoc file://0001-Pass-Yocto-build-settings-to-psa-arch-tests-native.patch;patchdir=../psatest \ " -SRCREV_psatest = "38cb53a4d9e292435ddf7899960b15af62decfbe" +SRCREV_psatest = "74dc6646ff594e131a726a5305aba77bac30eceb" LIC_FILES_CHKSUM += "file://../psatest/LICENSE.md;md5=2a944942e1496af1886903d274dedb13" EXTRA_OECMAKE += "-DPSA_ARCH_TESTS_SOURCE_DIR=${WORKDIR}/git/psatest" diff --git a/meta-arm/recipes-security/trusted-services/ts-sp-common.inc b/meta-arm/recipes-security/trusted-services/ts-sp-common.inc index 3d756015..5e4cd720 100644 --- a/meta-arm/recipes-security/trusted-services/ts-sp-common.inc +++ b/meta-arm/recipes-security/trusted-services/ts-sp-common.inc @@ -1,6 +1,6 @@ # Common part of all Trusted Services SPs recipes -TS_ENV = "opteesp" +TS_ENV ?= "opteesp" require trusted-services.inc require ts-uuid.inc @@ -30,3 +30,13 @@ INSANE_SKIP:${PN}-dev += "ldflags" # Trusted Services SPs do not compile with clang TOOLCHAIN = "gcc" + +# FORTIFY_SOURCE is a glibc feature. Disable it for all SPs as these do not use glibc. +TARGET_CFLAGS:remove = "-D_FORTIFY_SOURCE=2" +OECMAKE_C_FLAGS:remove = "-D_FORTIFY_SOURCE=2" +OECMAKE_CXX_FLAGS:remove = "-D_FORTIFY_SOURCE=2" + +# Override yoctos default linux specific toolchain file. trusted-services.inc +# will add a proper tooclhain option. +OECMAKE_ARGS:remove="-DCMAKE_TOOLCHAIN_FILE:FILEPATH=${WORKDIR}/toolchain.cmake" + diff --git a/meta-arm/recipes-security/trusted-services/ts-sp-spm-test4_git.bb b/meta-arm/recipes-security/trusted-services/ts-sp-spm-test4_git.bb new file mode 100644 index 00000000..2ee69c1f --- /dev/null +++ b/meta-arm/recipes-security/trusted-services/ts-sp-spm-test4_git.bb @@ -0,0 +1,6 @@ +DESCRIPTION = "Trusted Services SPMC test SP4" + +SP_INDEX="4" + +require ts-sp-spm-test-common.inc + diff --git a/meta-arm/recipes-security/trusted-services/ts-uuid.inc b/meta-arm/recipes-security/trusted-services/ts-uuid.inc index 1eb05d8b..0b2bd85a 100644 --- a/meta-arm/recipes-security/trusted-services/ts-uuid.inc +++ b/meta-arm/recipes-security/trusted-services/ts-uuid.inc @@ -10,4 +10,5 @@ STORAGE_UUID = "751bf801-3dde-4768-a514-0f10aeed1790" SPM_TEST1_UUID = "5c9edbc3-7b3a-4367-9f83-7c191ae86a37" SPM_TEST2_UUID = "7817164c-c40c-4d1a-867a-9bb2278cf41a" SPM_TEST3_UUID = "23eb0100-e32a-4497-9052-2f11e584afa6" +SPM_TEST4_UUID = "423762ed-7772-406f-99d8-0c27da0abbf8" BLOCK_STORAGE_UUID = "63646e80-eb52-462f-ac4f-8cdf3987519c" From patchwork Tue Apr 23 16:31:59 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gyorgy Szing X-Patchwork-Id: 42794 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 6BDCBC04FFE for ; Tue, 23 Apr 2024 16:33:33 +0000 (UTC) Received: from foss.arm.com (foss.arm.com [217.140.110.172]) by mx.groups.io with SMTP id smtpd.web10.23386.1713890008047054543 for ; Tue, 23 Apr 2024 09:33:28 -0700 Authentication-Results: mx.groups.io; dkim=none (message not signed); spf=pass (domain: arm.com, ip: 217.140.110.172, mailfrom: gyorgy.szing@arm.com) Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id 93B3E339; Tue, 23 Apr 2024 09:33:55 -0700 (PDT) Received: from FWLNXWH7M5.arm.com (unknown [10.57.21.110]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPA id F25BA3F7BD; Tue, 23 Apr 2024 09:33:26 -0700 (PDT) From: Gyorgy Szing To: meta-arm@lists.yoctoproject.org Cc: Gyorgy Szing Subject: [PATCH 3/9] arm/trusted-services: fix MbedTLS build issue Date: Tue, 23 Apr 2024 18:31:59 +0200 Message-ID: <20240423163205.5885-3-gyorgy.szing@arm.com> X-Mailer: git-send-email 2.43.1 In-Reply-To: <20240423163205.5885-1-gyorgy.szing@arm.com> References: <20240423163205.5885-1-gyorgy.szing@arm.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 23 Apr 2024 16:33:33 -0000 X-Groupsio-URL: https://lists.yoctoproject.org/g/meta-arm/message/5588 From: Gyorgy Szing MbedTLS fails to build when FORTIFY_SOURCE is enabled and the NWd configuration is used. Disable the compilation option temporary till the root cause can be fund and a proper fix be made. The build only fails when building from yocto. The OP-TEE integration works fine with gcc v13.2_rel1. Signed-off-by: Gyorgy Szing --- meta-arm/recipes-security/trusted-services/ts-demo_git.bb | 4 ++++ .../trusted-services/ts-psa-iat-api-test_git.bb | 3 +++ 2 files changed, 7 insertions(+) diff --git a/meta-arm/recipes-security/trusted-services/ts-demo_git.bb b/meta-arm/recipes-security/trusted-services/ts-demo_git.bb index 668bde56..a17c1720 100644 --- a/meta-arm/recipes-security/trusted-services/ts-demo_git.bb +++ b/meta-arm/recipes-security/trusted-services/ts-demo_git.bb @@ -18,6 +18,10 @@ TOOLCHAIN = "gcc" FILES:${PN} = "${bindir}/ts-demo" +# TODO: remove FORTIFY_SOURCE as MbedTLS fails to build in yocto if this +# compilation flag is used. +lcl_maybe_fortify = "${@oe.utils.conditional('OPTLEVEL','-O0','','${OPTLEVEL}',d)}" + do_install:append () { install -d ${D}${bindir} mv ${D}${TS_INSTALL}/bin/ts-demo ${D}${bindir} diff --git a/meta-arm/recipes-security/trusted-services/ts-psa-iat-api-test_git.bb b/meta-arm/recipes-security/trusted-services/ts-psa-iat-api-test_git.bb index e5c662e4..c39554a6 100644 --- a/meta-arm/recipes-security/trusted-services/ts-psa-iat-api-test_git.bb +++ b/meta-arm/recipes-security/trusted-services/ts-psa-iat-api-test_git.bb @@ -16,6 +16,9 @@ SRCREV_psaqcbor = "42272e466a8472948bf8fca076d113b81b99f0e0" EXTRA_OECMAKE += "-DPSA_TARGET_QCBOR=${WORKDIR}/git/psaqcbor \ " +# TODO: remove FORTIFY_SOURCE as MbedTLS fails to build in yocto if this +# compilation flag is used. +lcl_maybe_fortify = "${@oe.utils.conditional('OPTLEVEL','-O0','','${OPTLEVEL}',d)}" # Mbedtls 3.1.0 does not compile with clang. # This can be removed after TS updated required mbedtls version From patchwork Tue Apr 23 16:32:00 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gyorgy Szing X-Patchwork-Id: 42795 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 71940C10F1A for ; Tue, 23 Apr 2024 16:33:33 +0000 (UTC) Received: from foss.arm.com (foss.arm.com [217.140.110.172]) by mx.groups.io with SMTP id smtpd.web11.23267.1713890012164565309 for ; Tue, 23 Apr 2024 09:33:32 -0700 Authentication-Results: mx.groups.io; dkim=none (message not signed); spf=pass (domain: arm.com, ip: 217.140.110.172, mailfrom: gyorgy.szing@arm.com) Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id B66D4339; Tue, 23 Apr 2024 09:33:59 -0700 (PDT) Received: from FWLNXWH7M5.arm.com (unknown [10.57.21.110]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPA id E7A8D3F7BD; Tue, 23 Apr 2024 09:33:30 -0700 (PDT) From: Gyorgy Szing To: meta-arm@lists.yoctoproject.org Cc: Gyorgy Szing Subject: [PATCH 4/9] arm/trusted-services: fix environment handling Date: Tue, 23 Apr 2024 18:32:00 +0200 Message-ID: <20240423163205.5885-4-gyorgy.szing@arm.com> X-Mailer: git-send-email 2.43.1 In-Reply-To: <20240423163205.5885-1-gyorgy.szing@arm.com> References: <20240423163205.5885-1-gyorgy.szing@arm.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 23 Apr 2024 16:33:33 -0000 X-Groupsio-URL: https://lists.yoctoproject.org/g/meta-arm/message/5589 The current version of the TS recipes fails to build if the TS environment is not set to opteesp. Change the recipes to allow building the sp environment. This environment targets "generic" secure partitions and produces SPMC agnostic SP binaries which should be able to boot under any FF-A v1.0 compliant SPMC implementation. Signed-off-by: Gyorgy Szing --- documentation/trusted-services.md | 3 ++ .../recipes-security/optee/optee-os-ts.inc | 31 ++++++++++--------- .../trusted-services/trusted-services.inc | 4 +-- .../trusted-services/ts-sp-common.inc | 1 + .../ts-sp-spm-test-common.inc | 3 ++ 5 files changed, 26 insertions(+), 16 deletions(-) diff --git a/documentation/trusted-services.md b/documentation/trusted-services.md index f672dc2e..0359b648 100644 --- a/documentation/trusted-services.md +++ b/documentation/trusted-services.md @@ -44,6 +44,9 @@ Other steps depend on your machine/platform definition: and in `meta-arm-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a-n1sdp.inc` and `meta-arm-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a-corstone1000.inc` for N1SDP and Corstone1000 platforms. +4. Trusted Services supports an SPMC agonistic binary format. To build SPs to this format the `TS_ENV` variable is to be + set to `sp`. The resulting SP binaries should be able to boot under any FF-A v1.1 compliant SPMC implementation. + ## Normal World applications Optionally for testing purposes you can add `packagegroup-ts-tests` into your image. It includes diff --git a/meta-arm/recipes-security/optee/optee-os-ts.inc b/meta-arm/recipes-security/optee/optee-os-ts.inc index c6b806ff..a9071abd 100644 --- a/meta-arm/recipes-security/optee/optee-os-ts.inc +++ b/meta-arm/recipes-security/optee/optee-os-ts.inc @@ -6,61 +6,64 @@ # TS SPs UUIDs definitions require recipes-security/trusted-services/ts-uuid.inc -TS_ENV = "opteesp" +TS_ENV ?= "opteesp" TS_BIN = "${RECIPE_SYSROOT}/usr/${TS_ENV}/bin" +TS_BIN_SPM_TEST= "${RECIPE_SYSROOT}/usr/opteesp/bin" + +SP_EXT = "${@oe.utils.conditional('TS_ENV','opteesp','.stripped.elf','.bin',d)}" # ITS SP DEPENDS:append = "${@bb.utils.contains('MACHINE_FEATURES', 'ts-its', \ ' ts-sp-its', '' , d)}" SP_PATHS:append = "${@bb.utils.contains('MACHINE_FEATURES', 'ts-its', \ - ' ${TS_BIN}/${ITS_UUID}.stripped.elf', '', d)}" + ' ${TS_BIN}/${ITS_UUID}${SP_EXT}', '', d)}" # Storage SP DEPENDS:append = "${@bb.utils.contains('MACHINE_FEATURES', 'ts-storage', \ ' ts-sp-storage', '' , d)}" SP_PATHS:append = "${@bb.utils.contains('MACHINE_FEATURES', 'ts-storage', \ - ' ${TS_BIN}/${STORAGE_UUID}.stripped.elf', '', d)}" + ' ${TS_BIN}/${STORAGE_UUID}${SP_EXT}', '', d)}" # Crypto SP. DEPENDS:append = "${@bb.utils.contains('MACHINE_FEATURES', 'ts-crypto', \ ' ts-sp-crypto', '' , d)}" SP_PATHS:append = "${@bb.utils.contains('MACHINE_FEATURES', 'ts-crypto', \ - ' ${TS_BIN}/${CRYPTO_UUID}.stripped.elf', '', d)}" + ' ${TS_BIN}/${CRYPTO_UUID}${SP_EXT}', '', d)}" # Attestation SP DEPENDS:append = "${@bb.utils.contains('MACHINE_FEATURES', 'ts-attestation', \ ' ts-sp-attestation', '' , d)}" SP_PATHS:append = "${@bb.utils.contains('MACHINE_FEATURES', 'ts-attestation', \ - ' ${TS_BIN}/${ATTESTATION_UUID}.stripped.elf', '', d)}" + ' ${TS_BIN}/${ATTESTATION_UUID}${SP_EXT}', '', d)}" # Env-test SP DEPENDS:append = "${@bb.utils.contains('MACHINE_FEATURES', 'ts-env-test', \ ' ts-sp-env-test', '' , d)}" SP_PATHS:append = "${@bb.utils.contains('MACHINE_FEATURES', 'ts-env-test', \ - ' ${TS_BIN}/${ENV_TEST_UUID}.stripped.elf', '', d)}" + ' ${TS_BIN}/${ENV_TEST_UUID}${SP_EXT}', '', d)}" # SE-Proxy SP DEPENDS:append = "${@bb.utils.contains('MACHINE_FEATURES', 'ts-se-proxy', \ ' ts-sp-se-proxy', '' , d)}" SP_PATHS:append = "${@bb.utils.contains('MACHINE_FEATURES', 'ts-se-proxy', \ - ' ${TS_BIN}/${SE_PROXY_UUID}.stripped.elf', '', d)}" + ' ${TS_BIN}/${SE_PROXY_UUID}${SP_EXT}', '', d)}" # SMM Gateway DEPENDS:append = "${@bb.utils.contains('MACHINE_FEATURES', 'ts-smm-gateway', \ ' ts-sp-smm-gateway', '' , d)}" SP_PATHS:append = "${@bb.utils.contains('MACHINE_FEATURES', 'ts-smm-gateway', \ - ' ${TS_BIN}/${SMM_GATEWAY_UUID}.stripped.elf', '', d)}" + ' ${TS_BIN}/${SMM_GATEWAY_UUID}${SP_EXT}', '', d)}" # SPM test SPs DEPENDS:append = "${@bb.utils.contains('MACHINE_FEATURES', 'optee-spmc-test', \ ' ts-sp-spm-test1 ts-sp-spm-test2 \ ts-sp-spm-test3 ts-sp-spm-test4', '' , d)}" SP_PATHS:append = "${@bb.utils.contains('MACHINE_FEATURES', 'optee-spmc-test', \ - ' ${TS_BIN}/${SPM_TEST1_UUID}.stripped.elf \ - ${TS_BIN}/${SPM_TEST2_UUID}.stripped.elf \ - ${TS_BIN}/${SPM_TEST3_UUID}.stripped.elf \ - ${TS_BIN}/${SPM_TEST4_UUID}.stripped.elf', \ - '', d)}" + ' ${TS_BIN_SPM_TEST}/${SPM_TEST1_UUID}.stripped.elf \ + ${TS_BIN_SPM_TEST}/${SPM_TEST2_UUID}.stripped.elf \ + ${TS_BIN_SPM_TEST}/${SPM_TEST3_UUID}.stripped.elf \ + ${TS_BIN_SPM_TEST}/${SPM_TEST4_UUID}.stripped.elf', \ + '', d)}" EXTRA_OEMAKE:append = "${@bb.utils.contains('MACHINE_FEATURES', 'optee-spmc-test', \ ' CFG_SPMC_TESTS=y', '' , d)}" @@ -69,7 +72,7 @@ DEPENDS:append = "${@bb.utils.contains('MACHINE_FEATURES', 'ts-block-storage', ' ts-sp-block-storage', '' , d)}" SP_PATHS:append = "${@bb.utils.contains('MACHINE_FEATURES', 'ts-block-storage', \ - ' ${TS_BIN}/${BLOCK_STORAGE_UUID}.stripped.elf', '', d)}" + ' ${TS_BIN}/${BLOCK_STORAGE_UUID}${SP_EXT}', '', d)}" EXTRA_OEMAKE:append = "${@oe.utils.conditional('SP_PATHS', '', '', \ ' CFG_MAP_EXT_DT_SECURE=y CFG_SECURE_PARTITION=y \ diff --git a/meta-arm/recipes-security/trusted-services/trusted-services.inc b/meta-arm/recipes-security/trusted-services/trusted-services.inc index c4a6f78c..272e9106 100644 --- a/meta-arm/recipes-security/trusted-services/trusted-services.inc +++ b/meta-arm/recipes-security/trusted-services/trusted-services.inc @@ -23,7 +23,7 @@ TS_PLATFORM ?= "ts/mock" # FIP packaging is not supported yet SP_PACKAGING_METHOD ?= "embedded" -SYSROOT_DIRS += "/usr/opteesp /usr/arm-linux" +SYSROOT_DIRS += "/usr/${TS_ENV} /usr/opteesp /usr/arm-linux" # TS cmake files use find_file() to search through source code and build dirs. # Yocto cmake class limits CMAKE_FIND_ROOT_PATH and find_file() fails. @@ -54,5 +54,5 @@ EXTRA_OECMAKE += "${@get_ts_toolchain_option(d)}" # Paths to pre-built dependencies required by some TS SPs/tools EXTRA_OECMAKE += "-Dlibts_ROOT=${STAGING_DIR_HOST}${TS_INSTALL}/lib/cmake/libts/ \ - -DNEWLIB_INSTALL_DIR=${STAGING_DIR_HOST}${TS_INSTALL}/newlib \ + -DNEWLIB_INSTALL_DIR=${STAGING_DIR_HOST}/usr/opteesp/newlib \ " diff --git a/meta-arm/recipes-security/trusted-services/ts-sp-common.inc b/meta-arm/recipes-security/trusted-services/ts-sp-common.inc index 5e4cd720..c8b1409c 100644 --- a/meta-arm/recipes-security/trusted-services/ts-sp-common.inc +++ b/meta-arm/recipes-security/trusted-services/ts-sp-common.inc @@ -6,6 +6,7 @@ require trusted-services.inc require ts-uuid.inc DEPENDS += "dtc-native ts-newlib" +DEPENDS += "${@oe.utils.conditional('TS_ENV','sp','python3-pyelftools-native','', d)}" FILES:${PN}-dev = "${TS_INSTALL}" diff --git a/meta-arm/recipes-security/trusted-services/ts-sp-spm-test-common.inc b/meta-arm/recipes-security/trusted-services/ts-sp-spm-test-common.inc index e357629b..5c0d6865 100644 --- a/meta-arm/recipes-security/trusted-services/ts-sp-spm-test-common.inc +++ b/meta-arm/recipes-security/trusted-services/ts-sp-spm-test-common.inc @@ -1,5 +1,8 @@ DESCRIPTION = "Trusted Services SPMC test SPs" +# spm test SP only supports opteesp. +TS_ENV = 'opteesp' + require ts-sp-common.inc SP_UUID = "${SPM_TEST${SP_INDEX}_UUID}" From patchwork Tue Apr 23 16:32:01 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gyorgy Szing X-Patchwork-Id: 42796 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 5DBE8C4345F for ; Tue, 23 Apr 2024 16:33:43 +0000 (UTC) Received: from foss.arm.com (foss.arm.com [217.140.110.172]) by mx.groups.io with SMTP id smtpd.web11.23270.1713890014580472098 for ; Tue, 23 Apr 2024 09:33:34 -0700 Authentication-Results: mx.groups.io; dkim=none (message not signed); spf=pass (domain: arm.com, ip: 217.140.110.172, mailfrom: gyorgy.szing@arm.com) Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id 20AF5339; Tue, 23 Apr 2024 09:34:02 -0700 (PDT) Received: from FWLNXWH7M5.arm.com (unknown [10.57.21.110]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPA id 79D7D3F7BD; Tue, 23 Apr 2024 09:33:33 -0700 (PDT) From: Gyorgy Szing To: meta-arm@lists.yoctoproject.org Cc: Gyorgy Szing Subject: [PATCH 5/9] arm/devtools/fvp-base-a-aem: update the AEM FVP to 11.25.15 Date: Tue, 23 Apr 2024 18:32:01 +0200 Message-ID: <20240423163205.5885-5-gyorgy.szing@arm.com> X-Mailer: git-send-email 2.43.1 In-Reply-To: <20240423163205.5885-1-gyorgy.szing@arm.com> References: <20240423163205.5885-1-gyorgy.szing@arm.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 23 Apr 2024 16:33:43 -0000 X-Groupsio-URL: https://lists.yoctoproject.org/g/meta-arm/message/5590 Version v11.25 was released and it fixes measured boot. Update the recipe and integrate the new version. The pattern of the download URL has changed. Add functionality to calculate a new URL fragment from the package version. Signed-off-by: Gyorgy Szing --- ...p-base-a-aem_11.24.11.bb => fvp-base-a-aem_11.25.15.bb} | 4 ++-- meta-arm/recipes-devtools/fvp/fvp-common.inc | 7 +++++++ meta-arm/recipes-devtools/fvp/fvp-envelope.inc | 2 +- 3 files changed, 10 insertions(+), 3 deletions(-) rename meta-arm/recipes-devtools/fvp/{fvp-base-a-aem_11.24.11.bb => fvp-base-a-aem_11.25.15.bb} (74%) diff --git a/meta-arm/recipes-devtools/fvp/fvp-base-a-aem_11.24.11.bb b/meta-arm/recipes-devtools/fvp/fvp-base-a-aem_11.25.15.bb similarity index 74% rename from meta-arm/recipes-devtools/fvp/fvp-base-a-aem_11.24.11.bb rename to meta-arm/recipes-devtools/fvp/fvp-base-a-aem_11.25.15.bb index fe89e01f..4dd254a2 100644 --- a/meta-arm/recipes-devtools/fvp/fvp-base-a-aem_11.24.11.bb +++ b/meta-arm/recipes-devtools/fvp/fvp-base-a-aem_11.25.15.bb @@ -5,8 +5,8 @@ LIC_FILES_CHKSUM = "file://license_terms/license_agreement.txt;md5=1a33828e132ba file://license_terms/third_party_licenses/third_party_licenses.txt;md5=b9005e55057311e41efe02ccfea8ea72 \ file://license_terms/third_party_licenses/arm_license_management_utilities/third_party_licenses.txt;md5=c09526c02e631abb95ad61528892552d" -SRC_URI[fvp-aarch64.sha256sum] = "7a3593dafd3af6897b3a0a68f66701201f8f3e02a3d981ba47494b2f18853648" -SRC_URI[fvp-x86_64.sha256sum] = "0f132334834cbc66889a62dd72057c976d7c7dfcfeec21799e9c78fb2ce24720" +SRC_URI[fvp-aarch64.sha256sum] = "22096fc2267ad776abe0ff32d0d3b870c9fae10036d9c16f4f0fe4a64487a11e" +SRC_URI[fvp-x86_64.sha256sum] = "5f33707a1bdaa96a933b89949f28643110ad80ac9835a75f139c200b64a394dc" MODEL_CODE = "FVP_Base_RevC-2xAEMvA" diff --git a/meta-arm/recipes-devtools/fvp/fvp-common.inc b/meta-arm/recipes-devtools/fvp/fvp-common.inc index a20959b7..29de89f2 100644 --- a/meta-arm/recipes-devtools/fvp/fvp-common.inc +++ b/meta-arm/recipes-devtools/fvp/fvp-common.inc @@ -29,10 +29,17 @@ def get_real_pv(d): pv = d.getVar("PV") return "%s.%s_%s" % tuple(pv.split(".")) +def get_fm_short_pv_url(d): + # FVP versions are like 11.12_43 + pv = d.getVar("PV") + return "FM_%s_%s" % tuple(pv.split("."))[:2] + + # If PV is 1.2.3, VERSION=1.2, BUILD=3, PV_URL=1.2_3. VERSION = "${@oe.utils.trim_version(d.getVar('PV', -1))}" BUILD = "${@d.getVar('PV').split('.')[-1]}" PV_URL = "${@get_real_pv(d)}" +PV_URL_SHORT="${@get_fm_short_pv_url(d)}" # The directory the FVP is installed into FVPDIR = "${libdir}/fvp/${BPN}" diff --git a/meta-arm/recipes-devtools/fvp/fvp-envelope.inc b/meta-arm/recipes-devtools/fvp/fvp-envelope.inc index 1e8bb407..f48d823f 100644 --- a/meta-arm/recipes-devtools/fvp/fvp-envelope.inc +++ b/meta-arm/recipes-devtools/fvp/fvp-envelope.inc @@ -2,7 +2,7 @@ require fvp-common.inc HOMEPAGE = "https://developer.arm.com/Tools%20and%20Software/Fixed%20Virtual%20Platforms" -SRC_URI = "https://developer.arm.com/-/media/Files/downloads/ecosystem-models/${MODEL_CODE}_${PV_URL}_${FVP_ARCH}.tgz;subdir=${BP};name=fvp-${HOST_ARCH}" +SRC_URI = "https://developer.arm.com/-/media/Files/downloads/ecosystem-models/${PV_URL_SHORT}/${MODEL_CODE}_${PV_URL}_${FVP_ARCH}.tgz;subdir=${BP};name=fvp-${HOST_ARCH}" UPSTREAM_CHECK_URI = "${HOMEPAGE}" UPSTREAM_CHECK_REGEX = "${MODEL_CODE}_(?P(\d+[\.\-_]*)+).tgz" From patchwork Tue Apr 23 16:32:02 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gyorgy Szing X-Patchwork-Id: 42797 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 75B24C10F1A for ; Tue, 23 Apr 2024 16:33:43 +0000 (UTC) Received: from foss.arm.com (foss.arm.com [217.140.110.172]) by mx.groups.io with SMTP id smtpd.web11.23274.1713890016903944020 for ; Tue, 23 Apr 2024 09:33:37 -0700 Authentication-Results: mx.groups.io; dkim=none (message not signed); spf=pass (domain: arm.com, ip: 217.140.110.172, mailfrom: gyorgy.szing@arm.com) Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id 71CFB339; Tue, 23 Apr 2024 09:34:04 -0700 (PDT) Received: from FWLNXWH7M5.arm.com (unknown [10.57.21.110]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPA id D49A93F7BD; Tue, 23 Apr 2024 09:33:35 -0700 (PDT) From: Gyorgy Szing To: meta-arm@lists.yoctoproject.org Cc: Gyorgy Szing Subject: [PATCH 6/9] arm-bsp: enable Trusted Services on the fvp-base platform Date: Tue, 23 Apr 2024 18:32:02 +0200 Message-ID: <20240423163205.5885-6-gyorgy.szing@arm.com> X-Mailer: git-send-email 2.43.1 In-Reply-To: <20240423163205.5885-1-gyorgy.szing@arm.com> References: <20240423163205.5885-1-gyorgy.szing@arm.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 23 Apr 2024 16:33:43 -0000 X-Groupsio-URL: https://lists.yoctoproject.org/g/meta-arm/message/5591 Add configuration settings to TF-A, OP-TEE and TS SPs needed to get TS built and run on the fvp-base machine. Signed-off-by: Gyorgy Szing --- .gitlab-ci.yml | 3 +- ci/fvp-base-ts.yml | 22 ++++ meta-arm-bsp/conf/machine/fvp-base.conf | 1 + .../files/fvp-base/optee_spmc_maifest.dts | 116 ++++++++++++++++++ .../trusted-firmware-a-fvp-base.inc | 55 ++++++++- .../linux/linux-arm-platforms.inc | 10 +- .../optee/optee-os-fvp-base.inc | 13 ++ .../optee/optee-os-tadevkit_4.%.bbappend | 1 + .../optee/optee-os_4.%.bbappend | 1 + .../optee/optee-test-fvp-base.inc | 3 + .../optee/optee-test_4.%.bbappend | 1 + .../packagegroup-ts-tests.bbappend | 1 + .../trusted-services/libts_%.bbappend | 4 + .../trusted-services/ts-arm-platforms.inc | 3 + .../trusted-services/ts-newlib_%.bbappend | 1 + .../ts-sp-se-proxy_%.bbappend | 4 + .../ts-sp-smm-gateway_%.bbappend | 4 + .../ts-sp-spm-test1_%.bbappend | 1 + .../ts-sp-spm-test2_%.bbappend | 1 + .../ts-sp-spm-test3_%.bbappend | 1 + .../ts-sp-spm-test4_%.bbappend | 1 + 21 files changed, 239 insertions(+), 8 deletions(-) create mode 100644 ci/fvp-base-ts.yml create mode 100644 meta-arm-bsp/recipes-bsp/trusted-firmware-a/files/fvp-base/optee_spmc_maifest.dts create mode 100644 meta-arm-bsp/recipes-security/optee/optee-os-fvp-base.inc create mode 100644 meta-arm-bsp/recipes-security/optee/optee-test-fvp-base.inc create mode 100644 meta-arm-bsp/recipes-security/trusted-services/ts-sp-spm-test1_%.bbappend create mode 100644 meta-arm-bsp/recipes-security/trusted-services/ts-sp-spm-test2_%.bbappend create mode 100644 meta-arm-bsp/recipes-security/trusted-services/ts-sp-spm-test3_%.bbappend create mode 100644 meta-arm-bsp/recipes-security/trusted-services/ts-sp-spm-test4_%.bbappend diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 4f16fcf3..c063adef 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -140,7 +140,8 @@ fvp-base: extends: .build parallel: matrix: - - TESTING: testimage + - TS: [none, fvp-base-ts] + TESTING: testimage - FIRMWARE: edk2 - SYSTEMREADY_FIRMWARE: arm-systemready-firmware diff --git a/ci/fvp-base-ts.yml b/ci/fvp-base-ts.yml new file mode 100644 index 00000000..e2e7ada2 --- /dev/null +++ b/ci/fvp-base-ts.yml @@ -0,0 +1,22 @@ +header: + version: 14 + includes: + - ci/fvp-base.yml + - ci/meta-openembedded.yml + - ci/testimage.yml + +local_conf_header: + trusted_services: | + # Enable the needed test suites + TEST_SUITES = " ping ssh trusted_services" + # Include all Secure Partitions into the image + MACHINE_FEATURES:append = " arm-ffa ts-crypto ts-storage ts-its" + MACHINE_FEATURES:append = " ts-attestation ts-smm-gateway optee-spmc-test" + MACHINE_FEATURES:append = " ts-block-storage" + # Include TS demo/test tools into image + IMAGE_INSTALL:append = " packagegroup-ts-tests" + # Include TS PSA Arch tests into image + IMAGE_INSTALL:append = " packagegroup-ts-tests-psa" + CORE_IMAGE_EXTRA_INSTALL += "optee-test" + # Set the TS environment + TS_ENV="sp" diff --git a/meta-arm-bsp/conf/machine/fvp-base.conf b/meta-arm-bsp/conf/machine/fvp-base.conf index f621cd8b..17fb5023 100644 --- a/meta-arm-bsp/conf/machine/fvp-base.conf +++ b/meta-arm-bsp/conf/machine/fvp-base.conf @@ -62,3 +62,4 @@ FVP_TERMINALS[bp.terminal_0] ?= "Console" FVP_TERMINALS[bp.terminal_1] ?= "" FVP_TERMINALS[bp.terminal_2] ?= "" FVP_TERMINALS[bp.terminal_3] ?= "" +FVP_CONFIG[bp.secure_memory] ?= "1" \ No newline at end of file diff --git a/meta-arm-bsp/recipes-bsp/trusted-firmware-a/files/fvp-base/optee_spmc_maifest.dts b/meta-arm-bsp/recipes-bsp/trusted-firmware-a/files/fvp-base/optee_spmc_maifest.dts new file mode 100644 index 00000000..748da309 --- /dev/null +++ b/meta-arm-bsp/recipes-bsp/trusted-firmware-a/files/fvp-base/optee_spmc_maifest.dts @@ -0,0 +1,116 @@ +/* SPDX-License-Identifier: BSD-3-Clause */ +/* + * Copyright (c) 2022-2023, Arm Limited. All rights reserved. + */ + + +/* + * The content of the SPMC manifest may depend on integration settings like the + * set of deployed SP. This information lives in the integration system and + * hence this file should be store in meta-arm. This avoids indirect + * dependencies between integration systems using the same file which would + * enforce some from of cooperation. + */ + +/dts-v1/; + +/ { + compatible = "arm,ffa-core-manifest-1.0"; + #address-cells = <2>; + #size-cells = <1>; + + attribute { + spmc_id = <0x8000>; + maj_ver = <0x1>; + min_ver = <0x0>; + exec_state = <0x0>; + load_address = <0x0 0x6000000>; + entrypoint = <0x0 0x6000000>; + binary_size = <0x80000>; + }; + +/* + * This file will be preprocessed by TF-A's build system. If Measured Boot is + * enabled in TF-A's config, the build system will add the MEASURED_BOOT=1 macro + * to the preprocessor arguments. + */ +#if MEASURED_BOOT + tpm_event_log { + compatible = "arm,tpm_event_log"; + tpm_event_log_addr = <0x0 0x0>; + tpm_event_log_size = <0x0>; + tpm_event_log_max_size = <0x0>; + }; +#endif + +/* If the ARM_BL2_SP_LIST_DTS is defined, SPs should be loaded from FIP */ +#ifdef ARM_BL2_SP_LIST_DTS + sp_packages { + compatible = "arm,sp_pkg"; +#if !SPMC_TESTS + block_storage { + uuid = <0x806e6463 0x2f4652eb 0xdf8c4fac 0x9c518739>; + load-address = <0x0 0x7a00000>; + }; + internal_trusted_storage { + uuid = <0x48ef1edc 0xcf4c7ab1 0xcfdf8bac 0x141b71f7>; + load-address = <0x0 0x7a80000>; + }; + + protected_storage_sp { + uuid = <0x01f81b75 0x6847de3d 0x100f14a5 0x9017edae>; + load-address = <0x0 0x7b00000>; + }; + + crypto_sp { + uuid = <0xd552dfd9 0xb24ba216 0x6dd2a49a 0xc0e8843b>; + load-address = <0x0 0x7b80000>; + }; + +#if MEASURED_BOOT + initial_attestation_sp { + uuid = <0x55f1baa1 0x95467688 0x95547c8f 0x74b98d5e>; + load-address = <0x0 0x7c80000>; + }; +#endif + +#if TS_SMM_GATEWAY + smm_gateway { + uuid = <0x33d532ed 0x0942e699 0x722dc09c 0xa798d9cd>; + load-address = <0x0 0x7d00000>; + }; +#endif /* TS_SMM_GATEWAY */ + +#if TS_FW_UPDATE + fwu { + uuid = <0x38a82368 0x0e47061b 0xce0c7497 0xfd53fb8b>; + load-address = <0x0 0x7d80000>; + }; +#endif /* TS_FW_UPDATE */ + +#else /* SPMC_TESTS */ + test_sp1 { + uuid = <0xc3db9e5c 0x67433a7b 0x197c839f 0x376ae81a>; + load-address = <0x0 0x7a00000>; + }; + + test_sp2 { + uuid = <0x4c161778 0x1a4d0cc4 0xb29b7a86 0x1af48c27>; + load-address = <0x0 0x7a20000>; + }; + + test_sp3 { + uuid = <0x0001eb23 0x97442ae3 0x112f5290 0xa6af84e5>; + load-address = <0x0 0x7a40000>; + }; + + test_sp4 { + /* SP binary UUID */ + uuid = <0xed623742 0x6f407277 0x270cd899 0xf8bb0ada>; + load-address = <0x0 0x7a80000>; + }; +#endif /* SPMC_TESTS */ + + }; +#endif /* ARM_BL2_SP_LIST_DTS */ +}; diff --git a/meta-arm-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a-fvp-base.inc b/meta-arm-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a-fvp-base.inc index 5fafe292..4c37f7cb 100644 --- a/meta-arm-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a-fvp-base.inc +++ b/meta-arm-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a-fvp-base.inc @@ -4,17 +4,62 @@ # Armv8-A Base Platform FVP # -FILESEXTRAPATHS:prepend := "${THISDIR}/files/:" -SRC_URI:append = " file://0001-fdts-fvp-base-Add-stdout-path-and-virtio-net-and-rng.patch" +FILESEXTRAPATHS:prepend := "${THISDIR}/files/:${THISDIR}/files/fvp-base" +SRC_URI:append = " \ + file://0001-fdts-fvp-base-Add-stdout-path-and-virtio-net-and-rng.patch \ + file://optee_spmc_maifest.dts;subdir=git/plat/arm/board/fvp/fdts \ +" + +# OP-TEE SPMC related configuration +SPMC_IS_OPTEE = "${@bb.utils.contains('MACHINE_FEATURES', 'arm-ffa', '0' \ + if d.getVar('SEL2_SPMC') == '1' else '1', '0', d)}" +# Configure the SPMC manifest file. +TFA_ARM_SPMC_MANIFEST_DTS = "${@oe.utils.conditional('SPMC_IS_OPTEE', '1', \ + '${S}/plat/arm/board/fvp/fdts/optee_spmc_maifest.dts', '', d)}" +EXTRA_OEMAKE += "${@bb.utils.contains('MACHINE_FEATURES','arm-ffa', \ + 'ARM_SPMC_MANIFEST_DTS=${TFA_ARM_SPMC_MANIFEST_DTS}' \ + if d.getVar('TFA_ARM_SPMC_MANIFEST_DTS') else '', '', d)}" + +# Set OP-TEE SPMC specific TF-A config settings +TFA_SPMD_SPM_AT_SEL2 := '0' +TFA_SPD := "${@oe.utils.conditional('SPMC_IS_OPTEE', '1', 'spmd', \ + d.getVar('TFA_SPD'), d)}" +DEPENDS += " ${@oe.utils.conditional('SPMC_IS_OPTEE', '1', 'optee-os', '', d)}" + +# Configure measured boot if the attestation SP is deployed. +TFA_MB_FLAGS += " \ + ARM_ROTPK_LOCATION=devel_rsa \ + EVENT_LOG_LEVEL=20 \ + GENERATE_COT=1 \ + MBOOT_EL_HASH_ALG=sha256 \ + MEASURED_BOOT=1 \ + ROT_KEY=plat/arm/board/common/rotpk/arm_rotprivk_rsa.pem \ + TRUSTED_BOARD_BOOT=1 \ +" +EXTRA_OEMAKE += "${@bb.utils.contains('MACHINE_FEATURES', 'ts-attestation',\ + '${TFA_MB_FLAGS}','', d)}" + +# Add OP-TEE as BL32. +BL32 = "${@oe.utils.conditional('SPMC_IS_OPTEE', '1',\ + '${RECIPE_SYSROOT}/${nonarch_base_libdir}/firmware/tee-pager_v2.bin',\ + '', d)}" +EXTRA_OEMAKE += "${@oe.utils.conditional('SPMC_IS_OPTEE', '1', \ + ' BL32=${BL32}', '', d)}" + +# Generic configuration COMPATIBLE_MACHINE = "fvp-base" TFA_PLATFORM = "fvp" -TFA_DEBUG = "1" -TFA_MBEDTLS = "1" +# Disable debug build if measured boot is enabled. +TFA_DEBUG := "${@bb.utils.contains('MACHINE_FEATURES', 'ts-attestation', '0',\ + d.getVar('TFA_DEBUG'), d)}" +# Add mbedtls if measured boot is enabled +TFA_MBEDTLS := "${@bb.utils.contains('MACHINE_FEATURES', 'ts-attestation',\ + '1', d.getVar('TFA_MBEDTLS'), d)}" TFA_UBOOT ?= "1" TFA_BUILD_TARGET = "bl1 bl2 bl31 dtbs fip" -EXTRA_OEMAKE += "FVP_DT_PREFIX=fvp-base-gicv3-psci-1t" +EXTRA_OEMAKE += "FVP_DT_PREFIX=fvp-base-gicv3-psci-1t FVP_USE_GIC_DRIVER=FVP_GICV3" # Our fvp-base machine explicitly has v8.4 cores EXTRA_OEMAKE += "ARM_ARCH_MAJOR=8 ARM_ARCH_MINOR=4" diff --git a/meta-arm-bsp/recipes-kernel/linux/linux-arm-platforms.inc b/meta-arm-bsp/recipes-kernel/linux/linux-arm-platforms.inc index d0df9ce3..eb9e1595 100644 --- a/meta-arm-bsp/recipes-kernel/linux/linux-arm-platforms.inc +++ b/meta-arm-bsp/recipes-kernel/linux/linux-arm-platforms.inc @@ -49,8 +49,14 @@ KERNEL_FEATURES:corstone1000 = "" # COMPATIBLE_MACHINE:fvp-base = "fvp-base" KMACHINE:fvp-base = "fvp" -FILESEXTRAPATHS:prepend:fvp-base := "${ARMBSPFILESPATHS}" -SRC_URI:append:fvp-base = " file://0001-arm64-dts-fvp-Enable-virtio-rng-support.patch" +FILESEXTRAPATHS:prepend:fvp-base := "${ARMBSPFILESPATHS}:${ARMFILESPATHS}" +SRC_URI:append:fvp-base = " \ + file://0001-arm64-dts-fvp-Enable-virtio-rng-support.patch \ + file://tee.cfg \ + ${@bb.utils.contains('MACHINE_FEATURES', 'ts-smm-gateway', \ + 'file://no-strict-devmem.cfg', '' , d)} \ +" + # # Juno KMACHINE diff --git a/meta-arm-bsp/recipes-security/optee/optee-os-fvp-base.inc b/meta-arm-bsp/recipes-security/optee/optee-os-fvp-base.inc new file mode 100644 index 00000000..1ef36329 --- /dev/null +++ b/meta-arm-bsp/recipes-security/optee/optee-os-fvp-base.inc @@ -0,0 +1,13 @@ +COMPATIBLE_MACHINE = "fvp-base" + +OPTEEMACHINE = "vexpress-fvp" +# Enable boot logs +EXTRA_OEMAKE += " CFG_TEE_CORE_LOG_LEVEL=4" + +# default disable latency benchmarks (over all OP-TEE layers) +EXTRA_OEMAKE += " CFG_TEE_BENCHMARK=n" + +# If FF-A is enabled configure to be the SPMC. +EXTRA_OEMAKE += "${@bb.utils.contains('MACHINE_FEATURES', 'arm-ffa', ' CFG_CORE_HEAP_SIZE=131072 CFG_CORE_SEL1_SPMC=y CFG_DT=y', '' ,d)}" + +EXTRA_OEMAKE += " CFG_ARM_GICV3=y" \ No newline at end of file diff --git a/meta-arm-bsp/recipes-security/optee/optee-os-tadevkit_4.%.bbappend b/meta-arm-bsp/recipes-security/optee/optee-os-tadevkit_4.%.bbappend index e09c4a5e..c9b48be2 100644 --- a/meta-arm-bsp/recipes-security/optee/optee-os-tadevkit_4.%.bbappend +++ b/meta-arm-bsp/recipes-security/optee/optee-os-tadevkit_4.%.bbappend @@ -2,5 +2,6 @@ MACHINE_OPTEE_OS_TADEVKIT_REQUIRE ?= "" MACHINE_OPTEE_OS_TADEVKIT_REQUIRE:n1sdp = "optee-os-n1sdp.inc" +MACHINE_OPTEE_OS_TADEVKIT_REQUIRE:fvp-base = "optee-os-fvp-base.inc" require ${MACHINE_OPTEE_OS_TADEVKIT_REQUIRE} diff --git a/meta-arm-bsp/recipes-security/optee/optee-os_4.%.bbappend b/meta-arm-bsp/recipes-security/optee/optee-os_4.%.bbappend index 788a23ef..919a1523 100644 --- a/meta-arm-bsp/recipes-security/optee/optee-os_4.%.bbappend +++ b/meta-arm-bsp/recipes-security/optee/optee-os_4.%.bbappend @@ -3,5 +3,6 @@ MACHINE_OPTEE_OS_REQUIRE ?= "" MACHINE_OPTEE_OS_REQUIRE:corstone1000 = "optee-os-corstone1000-common.inc" MACHINE_OPTEE_OS_REQUIRE:n1sdp = "optee-os-n1sdp.inc" +MACHINE_OPTEE_OS_REQUIRE:fvp-base = "optee-os-fvp-base.inc" require ${MACHINE_OPTEE_OS_REQUIRE} diff --git a/meta-arm-bsp/recipes-security/optee/optee-test-fvp-base.inc b/meta-arm-bsp/recipes-security/optee/optee-test-fvp-base.inc new file mode 100644 index 00000000..23dead24 --- /dev/null +++ b/meta-arm-bsp/recipes-security/optee/optee-test-fvp-base.inc @@ -0,0 +1,3 @@ +# fvp-base specific configuration + +COMPATIBLE_MACHINE = "fvp-base" diff --git a/meta-arm-bsp/recipes-security/optee/optee-test_4.%.bbappend b/meta-arm-bsp/recipes-security/optee/optee-test_4.%.bbappend index 05e2abca..249d67f0 100644 --- a/meta-arm-bsp/recipes-security/optee/optee-test_4.%.bbappend +++ b/meta-arm-bsp/recipes-security/optee/optee-test_4.%.bbappend @@ -2,5 +2,6 @@ MACHINE_OPTEE_TEST_REQUIRE ?= "" MACHINE_OPTEE_TEST_REQUIRE:n1sdp = "optee-os-generic-n1sdp.inc" +MACHINE_OPTEE_TEST_REQUIRE:fvp-base = "optee-test-fvp-base.inc" require ${MACHINE_OPTEE_TEST_REQUIRE} diff --git a/meta-arm-bsp/recipes-security/packagegroups/packagegroup-ts-tests.bbappend b/meta-arm-bsp/recipes-security/packagegroups/packagegroup-ts-tests.bbappend index 20612cb1..35137220 100644 --- a/meta-arm-bsp/recipes-security/packagegroups/packagegroup-ts-tests.bbappend +++ b/meta-arm-bsp/recipes-security/packagegroups/packagegroup-ts-tests.bbappend @@ -1,2 +1,3 @@ COMPATIBLE_MACHINE:corstone1000 = "corstone1000" COMPATIBLE_MACHINE:n1sdp = "n1sdp" +COMPATIBLE_MACHINE:fvp-base = "fvp-base" diff --git a/meta-arm-bsp/recipes-security/trusted-services/libts_%.bbappend b/meta-arm-bsp/recipes-security/trusted-services/libts_%.bbappend index 450cfc58..2ae28c89 100644 --- a/meta-arm-bsp/recipes-security/trusted-services/libts_%.bbappend +++ b/meta-arm-bsp/recipes-security/trusted-services/libts_%.bbappend @@ -3,3 +3,7 @@ require ts-arm-platforms.inc EXTRA_OECMAKE:append:corstone1000 = "-DMM_COMM_BUFFER_ADDRESS=0x81FFF000 \ -DMM_COMM_BUFFER_PAGE_COUNT=1 \ " + +EXTRA_OECMAKE:append:fvp-base = " -DMM_COMM_BUFFER_ADDRESS=0x81000000 \ + -DMM_COMM_BUFFER_PAGE_COUNT=8 \ + " diff --git a/meta-arm-bsp/recipes-security/trusted-services/ts-arm-platforms.inc b/meta-arm-bsp/recipes-security/trusted-services/ts-arm-platforms.inc index 80a58056..36f7c9b9 100644 --- a/meta-arm-bsp/recipes-security/trusted-services/ts-arm-platforms.inc +++ b/meta-arm-bsp/recipes-security/trusted-services/ts-arm-platforms.inc @@ -15,3 +15,6 @@ SRC_URI:append:corstone1000 = " \ COMPATIBLE_MACHINE:n1sdp = "n1sdp" + +COMPATIBLE_MACHINE:fvp-base = "fvp-base" +TS_PLATFORM:fvp-base = "arm/fvp/fvp_base_revc-2xaemv8a" diff --git a/meta-arm-bsp/recipes-security/trusted-services/ts-newlib_%.bbappend b/meta-arm-bsp/recipes-security/trusted-services/ts-newlib_%.bbappend index 7417d9b0..77fb7ae2 100644 --- a/meta-arm-bsp/recipes-security/trusted-services/ts-newlib_%.bbappend +++ b/meta-arm-bsp/recipes-security/trusted-services/ts-newlib_%.bbappend @@ -6,3 +6,4 @@ SRC_URI:append:corstone1000 = " \ " COMPATIBLE_MACHINE:n1sdp = "n1sdp" +COMPATIBLE_MACHINE:fvp-base = "fvp-base" diff --git a/meta-arm-bsp/recipes-security/trusted-services/ts-sp-se-proxy_%.bbappend b/meta-arm-bsp/recipes-security/trusted-services/ts-sp-se-proxy_%.bbappend index 3a1b2d81..31e4ea55 100644 --- a/meta-arm-bsp/recipes-security/trusted-services/ts-sp-se-proxy_%.bbappend +++ b/meta-arm-bsp/recipes-security/trusted-services/ts-sp-se-proxy_%.bbappend @@ -3,3 +3,7 @@ require ts-arm-platforms.inc EXTRA_OECMAKE:append:corstone1000 = " -DMM_COMM_BUFFER_ADDRESS="0x00000000 0x81FFF000" \ -DMM_COMM_BUFFER_PAGE_COUNT="1" \ " + +# Proxy is pointless on fvp-base as there is no dedicated security subsystem. It could be +# deployed configured to have dummy service providers for build testing purposes. +COMPATIBLE_MACHINE:remove:fvp-base = "fvp-base" diff --git a/meta-arm-bsp/recipes-security/trusted-services/ts-sp-smm-gateway_%.bbappend b/meta-arm-bsp/recipes-security/trusted-services/ts-sp-smm-gateway_%.bbappend index 3a1b2d81..f584f81b 100644 --- a/meta-arm-bsp/recipes-security/trusted-services/ts-sp-smm-gateway_%.bbappend +++ b/meta-arm-bsp/recipes-security/trusted-services/ts-sp-smm-gateway_%.bbappend @@ -3,3 +3,7 @@ require ts-arm-platforms.inc EXTRA_OECMAKE:append:corstone1000 = " -DMM_COMM_BUFFER_ADDRESS="0x00000000 0x81FFF000" \ -DMM_COMM_BUFFER_PAGE_COUNT="1" \ " + +EXTRA_OECMAKE:append:fvp-base = " -DMM_COMM_BUFFER_ADDRESS="0x00000000 0x81000000" \ + -DMM_COMM_BUFFER_PAGE_COUNT="8" \ + " diff --git a/meta-arm-bsp/recipes-security/trusted-services/ts-sp-spm-test1_%.bbappend b/meta-arm-bsp/recipes-security/trusted-services/ts-sp-spm-test1_%.bbappend new file mode 100644 index 00000000..5c9ef210 --- /dev/null +++ b/meta-arm-bsp/recipes-security/trusted-services/ts-sp-spm-test1_%.bbappend @@ -0,0 +1 @@ +require ts-arm-platforms.inc diff --git a/meta-arm-bsp/recipes-security/trusted-services/ts-sp-spm-test2_%.bbappend b/meta-arm-bsp/recipes-security/trusted-services/ts-sp-spm-test2_%.bbappend new file mode 100644 index 00000000..5c9ef210 --- /dev/null +++ b/meta-arm-bsp/recipes-security/trusted-services/ts-sp-spm-test2_%.bbappend @@ -0,0 +1 @@ +require ts-arm-platforms.inc diff --git a/meta-arm-bsp/recipes-security/trusted-services/ts-sp-spm-test3_%.bbappend b/meta-arm-bsp/recipes-security/trusted-services/ts-sp-spm-test3_%.bbappend new file mode 100644 index 00000000..5c9ef210 --- /dev/null +++ b/meta-arm-bsp/recipes-security/trusted-services/ts-sp-spm-test3_%.bbappend @@ -0,0 +1 @@ +require ts-arm-platforms.inc diff --git a/meta-arm-bsp/recipes-security/trusted-services/ts-sp-spm-test4_%.bbappend b/meta-arm-bsp/recipes-security/trusted-services/ts-sp-spm-test4_%.bbappend new file mode 100644 index 00000000..5c9ef210 --- /dev/null +++ b/meta-arm-bsp/recipes-security/trusted-services/ts-sp-spm-test4_%.bbappend @@ -0,0 +1 @@ +require ts-arm-platforms.inc From patchwork Tue Apr 23 16:32:03 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gyorgy Szing X-Patchwork-Id: 42798 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 7C2E4C41513 for ; Tue, 23 Apr 2024 16:33:43 +0000 (UTC) Received: from foss.arm.com (foss.arm.com [217.140.110.172]) by mx.groups.io with SMTP id smtpd.web10.23390.1713890019148569365 for ; Tue, 23 Apr 2024 09:33:39 -0700 Authentication-Results: mx.groups.io; dkim=none (message not signed); spf=pass (domain: arm.com, ip: 217.140.110.172, mailfrom: gyorgy.szing@arm.com) Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id AB35CDA7; Tue, 23 Apr 2024 09:34:06 -0700 (PDT) Received: from FWLNXWH7M5.arm.com (unknown [10.57.21.110]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPA id 0EE353F7BD; Tue, 23 Apr 2024 09:33:37 -0700 (PDT) From: Gyorgy Szing To: meta-arm@lists.yoctoproject.org Cc: Bence Balogh Subject: [PATCH 7/9] arm-bsp/u-boot: corstone1000: update TS RPC protocol Date: Tue, 23 Apr 2024 18:32:03 +0200 Message-ID: <20240423163205.5885-7-gyorgy.szing@arm.com> X-Mailer: git-send-email 2.43.1 In-Reply-To: <20240423163205.5885-1-gyorgy.szing@arm.com> References: <20240423163205.5885-1-gyorgy.szing@arm.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 23 Apr 2024 16:33:43 -0000 X-Groupsio-URL: https://lists.yoctoproject.org/g/meta-arm/message/5592 From: Bence Balogh The Trusted Services v1.0 uses new RPC protocol and the message fields in u-boot had to be synchronized. Signed-off-by: Bence Balogh --- .../u-boot/u-boot-corstone1000.inc | 1 + ...-efi-corstone1000-fwu-update-RPC-ABI.patch | 75 +++++++++++++++++++ 2 files changed, 76 insertions(+) create mode 100644 meta-arm-bsp/recipes-bsp/u-boot/u-boot/corstone1000/0044-efi-corstone1000-fwu-update-RPC-ABI.patch diff --git a/meta-arm-bsp/recipes-bsp/u-boot/u-boot-corstone1000.inc b/meta-arm-bsp/recipes-bsp/u-boot/u-boot-corstone1000.inc index b5e53818..43c19b84 100644 --- a/meta-arm-bsp/recipes-bsp/u-boot/u-boot-corstone1000.inc +++ b/meta-arm-bsp/recipes-bsp/u-boot/u-boot-corstone1000.inc @@ -61,6 +61,7 @@ SRC_URI:append = " \ file://0043-firmware-psci-Fix-bind_smccc_features-psci-check.patch \ file://0044-corstone1000-set-unique-GUID-for-fvp-and-mps3.patch \ file://0045-Corstone1000-Change-MMCOMM-buffer-location.patch \ + file://0044-efi-corstone1000-fwu-update-RPC-ABI.patch \ " do_configure:append() { diff --git a/meta-arm-bsp/recipes-bsp/u-boot/u-boot/corstone1000/0044-efi-corstone1000-fwu-update-RPC-ABI.patch b/meta-arm-bsp/recipes-bsp/u-boot/u-boot/corstone1000/0044-efi-corstone1000-fwu-update-RPC-ABI.patch new file mode 100644 index 00000000..00fc1f07 --- /dev/null +++ b/meta-arm-bsp/recipes-bsp/u-boot/u-boot/corstone1000/0044-efi-corstone1000-fwu-update-RPC-ABI.patch @@ -0,0 +1,75 @@ +From 7c25404d64ef8efec63c154ce38b0bb38845680f Mon Sep 17 00:00:00 2001 +From: Bence Balogh +Date: Tue, 5 Dec 2023 20:23:55 +0100 +Subject: [PATCH] efi: corstone1000: fwu: update RPC ABI + +The Trusted Services RPC protocol format changed: the +data has to be placed in w3 and the memory handle has +to be placed in w4-w5. + +Signed-off-by: Bence Balogh +Upstream-Status: Pending [Not submitted to upstream yet] +--- + lib/efi_loader/efi_capsule.c | 14 +++++++++++--- + lib/efi_loader/efi_setup.c | 14 +++++++++++--- + 2 files changed, 22 insertions(+), 6 deletions(-) + +diff --git a/lib/efi_loader/efi_capsule.c b/lib/efi_loader/efi_capsule.c +index f3326b1f67..1d966e3f26 100644 +--- a/lib/efi_loader/efi_capsule.c ++++ b/lib/efi_loader/efi_capsule.c +@@ -790,12 +790,20 @@ static int __efi_runtime efi_corstone1000_buffer_ready_event(u32 capsule_image_s + } + + /* +- * setting the buffer ready event arguments in register w4: ++ * setting the buffer ready event arguments in register w3: + * - capsule update interface ID (31:16) + * - the buffer ready event ID (15:0) + */ +- msg.data1 = PREP_SEPROXY_SVC_ID(CORSTONE1000_SEPROXY_UPDATE_SVC_ID) | +- PREP_SEPROXY_EVT(CORSTONE1000_BUFFER_READY_EVT); /* w4 */ ++ msg.data0 = PREP_SEPROXY_SVC_ID(CORSTONE1000_SEPROXY_UPDATE_SVC_ID) | ++ PREP_SEPROXY_EVT(CORSTONE1000_BUFFER_READY_EVT); /* w3 */ ++ ++ /* ++ * setting the memory handle fields to ++ * FFA_MEM_HANDLE_INVALID (0xFFFF_FFFF_FFFF_FFFF) ++ * to signal that there is no shared memory used ++ */ ++ msg.data1 = 0xFFFFFFFF; /* w4 */ ++ msg.data2 = 0xFFFFFFFF; /* w5 */ + + return ffa_sync_send_receive(dev, CORSTONE1000_SEPROXY_PART_ID, &msg, 0); + } +diff --git a/lib/efi_loader/efi_setup.c b/lib/efi_loader/efi_setup.c +index d20568c1c8..c31e74532f 100644 +--- a/lib/efi_loader/efi_setup.c ++++ b/lib/efi_loader/efi_setup.c +@@ -157,12 +157,20 @@ static int efi_corstone1000_uboot_efi_started_event(void) + } + + /* +- * setting the kernel started event arguments: ++ * setting the kernel started event arguments in register w3:: + * setting capsule update interface ID(31:16) + * the kernel started event ID(15:0) + */ +- msg.data1 = PREP_SEPROXY_SVC_ID(CORSTONE1000_SEPROXY_UPDATE_SVC_ID) | +- PREP_SEPROXY_EVT(CORSTONE1000_UBOOT_EFI_STARTED_EVT); /* w4 */ ++ msg.data0 = PREP_SEPROXY_SVC_ID(CORSTONE1000_SEPROXY_UPDATE_SVC_ID) | ++ PREP_SEPROXY_EVT(CORSTONE1000_UBOOT_EFI_STARTED_EVT); /* w3 */ ++ ++ /* ++ * setting the memory handle fields to ++ * FFA_MEM_HANDLE_INVALID (0xFFFF_FFFF_FFFF_FFFF) ++ * to signal that there is no shared memory used ++ */ ++ msg.data1 = 0xFFFFFFFF; /* w4 */ ++ msg.data2 = 0xFFFFFFFF; /* w5 */ + + return ffa_sync_send_receive(dev, CORSTONE1000_SEPROXY_PART_ID, &msg, 0); + } +-- +2.25.1 + From patchwork Tue Apr 23 16:32:04 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gyorgy Szing X-Patchwork-Id: 42799 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 93B0CC04FFE for ; Tue, 23 Apr 2024 16:33:43 +0000 (UTC) Received: from foss.arm.com (foss.arm.com [217.140.110.172]) by mx.groups.io with SMTP id smtpd.web10.23392.1713890021488525654 for ; Tue, 23 Apr 2024 09:33:41 -0700 Authentication-Results: mx.groups.io; dkim=none (message not signed); spf=pass (domain: arm.com, ip: 217.140.110.172, mailfrom: gyorgy.szing@arm.com) Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id 01826339; Tue, 23 Apr 2024 09:34:09 -0700 (PDT) Received: from FWLNXWH7M5.arm.com (unknown [10.57.21.110]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPA id 376133F7BD; Tue, 23 Apr 2024 09:33:40 -0700 (PDT) From: Gyorgy Szing To: meta-arm@lists.yoctoproject.org Cc: Gyorgy Szing , Bence Balogh Subject: [PATCH 8/9] arm-bsp/trusted-services: rebase corstone1000 patches Date: Tue, 23 Apr 2024 18:32:04 +0200 Message-ID: <20240423163205.5885-8-gyorgy.szing@arm.com> X-Mailer: git-send-email 2.43.1 In-Reply-To: <20240423163205.5885-1-gyorgy.szing@arm.com> References: <20240423163205.5885-1-gyorgy.szing@arm.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 23 Apr 2024 16:33:43 -0000 X-Groupsio-URL: https://lists.yoctoproject.org/g/meta-arm/message/5593 From: Gyorgy Szing Signed-off-by: Gyorgy Szing Signed-off-by: Bence Balogh --- ...ub-capsule-update-service-components.patch | 72 +++++++------- ...-in-AEAD-for-psa-arch-test-54-and-58.patch | 39 ++++---- .../0003-FMP-Support-in-Corstone1000.patch | 48 ++++----- .../0004-GetNextVariableName-Fix.patch | 38 +++++--- ...0-add-compile-definitions-for-ECP_DP.patch | 9 +- ...0-Use-the-stateless-platform-service.patch | 40 ++++---- ...0-Initialize-capsule-update-provider.patch | 97 ++++++++++++------- ...rstone1000-fix-synchronization-issue.patch | 42 ++++---- ...0009-plat-corstone1000-fmp-client-id.patch | 19 ++-- 9 files changed, 227 insertions(+), 177 deletions(-) diff --git a/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0001-Add-stub-capsule-update-service-components.patch b/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0001-Add-stub-capsule-update-service-components.patch index c1775b79..05999444 100644 --- a/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0001-Add-stub-capsule-update-service-components.patch +++ b/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0001-Add-stub-capsule-update-service-components.patch @@ -1,7 +1,7 @@ -From a965129153a0cca340535fe2cf99dbfef9b557da Mon Sep 17 00:00:00 2001 +From e44a317a5ae283207926311cc71b18c117899c4a Mon Sep 17 00:00:00 2001 From: Julian Hall Date: Tue, 12 Oct 2021 15:45:41 +0100 -Subject: [PATCH 1/6] Add stub capsule update service components +Subject: [PATCH] Add stub capsule update service components To facilitate development of a capsule update service provider, stub components are added to provide a starting point for an @@ -15,7 +15,7 @@ Change-Id: I0d4049bb4de5af7ca80806403301692507085d28 Signed-off-by: Rui Miguel Silva --- .../backend/capsule_update_backend.h | 24 ++++ - .../provider/capsule_update_provider.c | 133 ++++++++++++++++++ + .../provider/capsule_update_provider.c | 135 ++++++++++++++++++ .../provider/capsule_update_provider.h | 51 +++++++ .../capsule_update/provider/component.cmake | 13 ++ .../se-proxy/infra/corstone1000/infra.cmake | 1 + @@ -23,7 +23,7 @@ Signed-off-by: Rui Miguel Silva .../capsule_update/capsule_update_proto.h | 13 ++ protocols/service/capsule_update/opcodes.h | 17 +++ protocols/service/capsule_update/parameters.h | 15 ++ - 9 files changed, 272 insertions(+), 4 deletions(-) + 9 files changed, 274 insertions(+), 4 deletions(-) create mode 100644 components/service/capsule_update/backend/capsule_update_backend.h create mode 100644 components/service/capsule_update/provider/capsule_update_provider.c create mode 100644 components/service/capsule_update/provider/capsule_update_provider.h @@ -34,7 +34,7 @@ Signed-off-by: Rui Miguel Silva diff --git a/components/service/capsule_update/backend/capsule_update_backend.h b/components/service/capsule_update/backend/capsule_update_backend.h new file mode 100644 -index 000000000000..f3144ff1d7d5 +index 00000000..f3144ff1 --- /dev/null +++ b/components/service/capsule_update/backend/capsule_update_backend.h @@ -0,0 +1,24 @@ @@ -64,10 +64,10 @@ index 000000000000..f3144ff1d7d5 +#endif /* CAPSULE_UPDATE_BACKEND_H */ diff --git a/components/service/capsule_update/provider/capsule_update_provider.c b/components/service/capsule_update/provider/capsule_update_provider.c new file mode 100644 -index 000000000000..e133753f8560 +index 00000000..f35c272d --- /dev/null +++ b/components/service/capsule_update/provider/capsule_update_provider.c -@@ -0,0 +1,133 @@ +@@ -0,0 +1,135 @@ +/* + * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved. + * @@ -92,8 +92,8 @@ index 000000000000..e133753f8560 +}; + +/* Service request handlers */ -+static rpc_status_t update_capsule_handler(void *context, struct call_req *req); -+static rpc_status_t boot_confirmed_handler(void *context, struct call_req *req); ++static rpc_status_t update_capsule_handler(void *context, struct rpc_request *req); ++static rpc_status_t boot_confirmed_handler(void *context, struct rpc_request *req); + +/* Handler mapping table for service */ +static const struct service_handler handler_table[] = { @@ -101,21 +101,23 @@ index 000000000000..e133753f8560 + {CAPSULE_UPDATE_OPCODE_BOOT_CONFIRMED, boot_confirmed_handler} +}; + -+struct rpc_interface *capsule_update_provider_init( ++struct rpc_service_interface *capsule_update_provider_init( + struct capsule_update_provider *context) +{ -+ struct rpc_interface *rpc_interface = NULL; ++ struct rpc_service_interface *rpc_interface = NULL; ++ const struct rpc_uuid dummy_uuid = { .uuid = { 0 }}; ++ if (!context) ++ return NULL; + -+ if (context) { ++ service_provider_init( ++ &context->base_provider, ++ context, ++ &dummy_uuid, ++ handler_table, ++ sizeof(handler_table)/sizeof(struct service_handler)); + -+ service_provider_init( -+ &context->base_provider, -+ context, -+ handler_table, -+ sizeof(handler_table)/sizeof(struct service_handler)); ++ rpc_interface = service_provider_get_rpc_interface(&context->base_provider); + -+ rpc_interface = service_provider_get_rpc_interface(&context->base_provider); -+ } + + return rpc_interface; +} @@ -125,7 +127,7 @@ index 000000000000..e133753f8560 + (void)context; +} + -+static rpc_status_t event_handler(uint32_t opcode, struct rpc_caller *caller) ++static rpc_status_t event_handler(uint32_t opcode, struct rpc_caller_interface *caller) +{ + uint32_t ioctl_id; + psa_handle_t handle; @@ -179,10 +181,10 @@ index 000000000000..e133753f8560 + +} + -+static rpc_status_t update_capsule_handler(void *context, struct call_req *req) ++static rpc_status_t update_capsule_handler(void *context, struct rpc_request *req) +{ + struct capsule_update_provider *this_instance = (struct capsule_update_provider*)context; -+ struct rpc_caller *caller = this_instance->client.caller; ++ struct rpc_caller_interface *caller = this_instance->client.session->caller; + uint32_t opcode = req->opcode; + rpc_status_t rpc_status = TS_RPC_ERROR_NOT_READY; + @@ -190,10 +192,10 @@ index 000000000000..e133753f8560 + return rpc_status; +} + -+static rpc_status_t boot_confirmed_handler(void *context, struct call_req *req) ++static rpc_status_t boot_confirmed_handler(void *context, struct rpc_request *req) +{ + struct capsule_update_provider *this_instance = (struct capsule_update_provider*)context; -+ struct rpc_caller *caller = this_instance->client.caller; ++ struct rpc_caller_interface *caller = this_instance->client.session->caller; + uint32_t opcode = req->opcode; + rpc_status_t rpc_status = TS_RPC_ERROR_NOT_READY; + @@ -203,7 +205,7 @@ index 000000000000..e133753f8560 +} diff --git a/components/service/capsule_update/provider/capsule_update_provider.h b/components/service/capsule_update/provider/capsule_update_provider.h new file mode 100644 -index 000000000000..3de49854ea90 +index 00000000..71131417 --- /dev/null +++ b/components/service/capsule_update/provider/capsule_update_provider.h @@ -0,0 +1,51 @@ @@ -216,7 +218,7 @@ index 000000000000..3de49854ea90 +#ifndef CAPSULE_UPDATE_PROVIDER_H +#define CAPSULE_UPDATE_PROVIDER_H + -+#include ++#include +#include +#include +#include @@ -240,9 +242,9 @@ index 000000000000..3de49854ea90 + * + * @param[in] context The instance to initialize + * -+ * \return An rpc_interface or NULL on failure ++ * \return An rpc_service_interface or NULL on failure + */ -+struct rpc_interface *capsule_update_provider_init( ++struct rpc_service_interface *capsule_update_provider_init( + struct capsule_update_provider *context); + +/** @@ -260,7 +262,7 @@ index 000000000000..3de49854ea90 +#endif /* CAPSULE_UPDATE_PROVIDER_H */ diff --git a/components/service/capsule_update/provider/component.cmake b/components/service/capsule_update/provider/component.cmake new file mode 100644 -index 000000000000..1d412eb234d9 +index 00000000..1d412eb2 --- /dev/null +++ b/components/service/capsule_update/provider/component.cmake @@ -0,0 +1,13 @@ @@ -278,7 +280,7 @@ index 000000000000..1d412eb234d9 + "${CMAKE_CURRENT_LIST_DIR}/capsule_update_provider.c" + ) diff --git a/deployments/se-proxy/infra/corstone1000/infra.cmake b/deployments/se-proxy/infra/corstone1000/infra.cmake -index 4e7e2bd58028..e60b5400617f 100644 +index 4e7e2bd5..e60b5400 100644 --- a/deployments/se-proxy/infra/corstone1000/infra.cmake +++ b/deployments/se-proxy/infra/corstone1000/infra.cmake @@ -21,6 +21,7 @@ add_components(TARGET "se-proxy" @@ -290,7 +292,7 @@ index 4e7e2bd58028..e60b5400617f 100644 ) diff --git a/deployments/se-proxy/se_proxy_interfaces.h b/deployments/se-proxy/se_proxy_interfaces.h -index 48908f846990..3d4a7c204785 100644 +index 48908f84..3d4a7c20 100644 --- a/deployments/se-proxy/se_proxy_interfaces.h +++ b/deployments/se-proxy/se_proxy_interfaces.h @@ -8,9 +8,10 @@ @@ -310,7 +312,7 @@ index 48908f846990..3d4a7c204785 100644 #endif /* SE_PROXY_INTERFACES_H */ diff --git a/protocols/service/capsule_update/capsule_update_proto.h b/protocols/service/capsule_update/capsule_update_proto.h new file mode 100644 -index 000000000000..8f326cd387fb +index 00000000..8f326cd3 --- /dev/null +++ b/protocols/service/capsule_update/capsule_update_proto.h @@ -0,0 +1,13 @@ @@ -329,7 +331,7 @@ index 000000000000..8f326cd387fb +#endif /* CAPSULE_UPDATE_PROTO_H */ diff --git a/protocols/service/capsule_update/opcodes.h b/protocols/service/capsule_update/opcodes.h new file mode 100644 -index 000000000000..8185a0902378 +index 00000000..8185a090 --- /dev/null +++ b/protocols/service/capsule_update/opcodes.h @@ -0,0 +1,17 @@ @@ -352,7 +354,7 @@ index 000000000000..8185a0902378 +#endif /* CAPSULE_UPDATE_OPCODES_H */ diff --git a/protocols/service/capsule_update/parameters.h b/protocols/service/capsule_update/parameters.h new file mode 100644 -index 000000000000..285d924186be +index 00000000..285d9241 --- /dev/null +++ b/protocols/service/capsule_update/parameters.h @@ -0,0 +1,15 @@ @@ -372,5 +374,5 @@ index 000000000000..285d924186be + +#endif /* CAPSULE_UPDATE_PARAMETERS_H */ -- -2.40.0 +2.25.1 diff --git a/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0002-Fixes-in-AEAD-for-psa-arch-test-54-and-58.patch b/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0002-Fixes-in-AEAD-for-psa-arch-test-54-and-58.patch index 3f3800ce..7a2c796e 100644 --- a/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0002-Fixes-in-AEAD-for-psa-arch-test-54-and-58.patch +++ b/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0002-Fixes-in-AEAD-for-psa-arch-test-54-and-58.patch @@ -1,4 +1,4 @@ -From 51a7024967187644011c5043ef0f733cf81b26be Mon Sep 17 00:00:00 2001 +From 1ab4f9dda5d3f6a4828dc3154cf5bf71d6d744d4 Mon Sep 17 00:00:00 2001 From: Satish Kumar Date: Mon, 14 Feb 2022 08:22:25 +0000 Subject: [PATCH 2/6] Fixes in AEAD for psa-arch test 54 and 58. @@ -17,10 +17,10 @@ Signed-off-by: Rui Miguel Silva 6 files changed, 12 insertions(+), 3 deletions(-) diff --git a/components/service/crypto/client/caller/packed-c/crypto_caller_aead.h b/components/service/crypto/client/caller/packed-c/crypto_caller_aead.h -index c4ffb20cf7f8..a91f66c14008 100644 +index bf39762b..27ffbc66 100644 --- a/components/service/crypto/client/caller/packed-c/crypto_caller_aead.h +++ b/components/service/crypto/client/caller/packed-c/crypto_caller_aead.h -@@ -309,6 +309,7 @@ static inline psa_status_t crypto_caller_aead_update(struct service_client *cont +@@ -314,6 +314,7 @@ static inline psa_status_t crypto_caller_aead_update(struct service_client *cont size_t req_len = req_fixed_len; *output_length = 0; @@ -29,7 +29,7 @@ index c4ffb20cf7f8..a91f66c14008 100644 /* Mandatory input data parameter */ diff --git a/components/service/crypto/include/psa/crypto_sizes.h b/components/service/crypto/include/psa/crypto_sizes.h -index 30aa102da581..130d27295878 100644 +index 30aa102d..130d2729 100644 --- a/components/service/crypto/include/psa/crypto_sizes.h +++ b/components/service/crypto/include/psa/crypto_sizes.h @@ -351,7 +351,7 @@ @@ -42,10 +42,10 @@ index 30aa102da581..130d27295878 100644 /** A sufficient output buffer size for psa_aead_update(). * diff --git a/components/service/crypto/provider/extension/aead/aead_provider.c b/components/service/crypto/provider/extension/aead/aead_provider.c -index 14a25436b3f6..6b144db821de 100644 +index 696474e8..66aee9e4 100644 --- a/components/service/crypto/provider/extension/aead/aead_provider.c +++ b/components/service/crypto/provider/extension/aead/aead_provider.c -@@ -283,10 +283,11 @@ static rpc_status_t aead_update_handler(void *context, struct call_req *req) +@@ -280,10 +280,11 @@ static rpc_status_t aead_update_handler(void *context, struct rpc_request *req) uint32_t op_handle; const uint8_t *input; size_t input_len; @@ -56,9 +56,9 @@ index 14a25436b3f6..6b144db821de 100644 - &input, &input_len); + &recv_output_size, &input, &input_len); - if (rpc_status == TS_RPC_CALL_ACCEPTED) { + if (rpc_status == RPC_SUCCESS) { -@@ -300,9 +301,12 @@ static rpc_status_t aead_update_handler(void *context, struct call_req *req) +@@ -297,9 +298,12 @@ static rpc_status_t aead_update_handler(void *context, struct rpc_request *req) if (crypto_context) { size_t output_len = 0; @@ -73,30 +73,30 @@ index 14a25436b3f6..6b144db821de 100644 psa_status = psa_aead_update(&crypto_context->op.aead, diff --git a/components/service/crypto/provider/extension/aead/serializer/aead_provider_serializer.h b/components/service/crypto/provider/extension/aead/serializer/aead_provider_serializer.h -index bb1a2a97e4b7..0156aaba3fe3 100644 +index 2bf7a015..733d2e75 100644 --- a/components/service/crypto/provider/extension/aead/serializer/aead_provider_serializer.h +++ b/components/service/crypto/provider/extension/aead/serializer/aead_provider_serializer.h @@ -51,6 +51,7 @@ struct aead_provider_serializer { /* Operation: aead_update */ - rpc_status_t (*deserialize_aead_update_req)(const struct call_param_buf *req_buf, + rpc_status_t (*deserialize_aead_update_req)(const struct rpc_buffer *req_buf, uint32_t *op_handle, + uint32_t *output_size, const uint8_t **input, size_t *input_len); - rpc_status_t (*serialize_aead_update_resp)(struct call_param_buf *resp_buf, + rpc_status_t (*serialize_aead_update_resp)(struct rpc_buffer *resp_buf, diff --git a/components/service/crypto/provider/extension/aead/serializer/packed-c/packedc_aead_provider_serializer.c b/components/service/crypto/provider/extension/aead/serializer/packed-c/packedc_aead_provider_serializer.c -index 6f00b3e3f6f1..45c739abcbb4 100644 +index 738d5f23..9440a084 100644 --- a/components/service/crypto/provider/extension/aead/serializer/packed-c/packedc_aead_provider_serializer.c +++ b/components/service/crypto/provider/extension/aead/serializer/packed-c/packedc_aead_provider_serializer.c -@@ -192,6 +192,7 @@ static rpc_status_t deserialize_aead_update_ad_req(const struct call_param_buf * +@@ -192,6 +192,7 @@ static rpc_status_t deserialize_aead_update_ad_req(const struct rpc_buffer *req_ /* Operation: aead_update */ - static rpc_status_t deserialize_aead_update_req(const struct call_param_buf *req_buf, + static rpc_status_t deserialize_aead_update_req(const struct rpc_buffer *req_buf, uint32_t *op_handle, + uint32_t *output_size, const uint8_t **input, size_t *input_len) { - rpc_status_t rpc_status = TS_RPC_ERROR_INVALID_REQ_BODY; -@@ -208,6 +209,7 @@ static rpc_status_t deserialize_aead_update_req(const struct call_param_buf *req + rpc_status_t rpc_status = RPC_ERROR_INVALID_REQUEST_BODY; +@@ -208,6 +209,7 @@ static rpc_status_t deserialize_aead_update_req(const struct rpc_buffer *req_buf memcpy(&recv_msg, req_buf->data, expected_fixed_len); *op_handle = recv_msg.op_handle; @@ -105,7 +105,7 @@ index 6f00b3e3f6f1..45c739abcbb4 100644 tlv_const_iterator_begin(&req_iter, (uint8_t*)req_buf->data + expected_fixed_len, diff --git a/protocols/service/crypto/packed-c/aead.h b/protocols/service/crypto/packed-c/aead.h -index 0be266b52403..435fd3b523ce 100644 +index 0be266b5..435fd3b5 100644 --- a/protocols/service/crypto/packed-c/aead.h +++ b/protocols/service/crypto/packed-c/aead.h @@ -98,6 +98,7 @@ enum @@ -117,5 +117,8 @@ index 0be266b52403..435fd3b523ce 100644 /* Variable length input parameter tags */ -- -2.40.0 +2.25.1 + + + diff --git a/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0003-FMP-Support-in-Corstone1000.patch b/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0003-FMP-Support-in-Corstone1000.patch index 3d743d28..5218d068 100644 --- a/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0003-FMP-Support-in-Corstone1000.patch +++ b/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0003-FMP-Support-in-Corstone1000.patch @@ -1,7 +1,7 @@ -From 5c8ac10337ac853d8a82992fb6e1d91b122b99d2 Mon Sep 17 00:00:00 2001 +From 33dae70ae2786cf12070d063ff74cfe0df1f4f50 Mon Sep 17 00:00:00 2001 From: Satish Kumar Date: Fri, 8 Jul 2022 09:48:06 +0100 -Subject: [PATCH 3/6] FMP Support in Corstone1000. +Subject: [PATCH] FMP Support in Corstone1000. The FMP support is used by u-boot to pupolate ESRT information for the kernel. @@ -22,7 +22,7 @@ Signed-off-by: Rui Miguel Silva create mode 100644 components/service/capsule_update/provider/corstone1000_fmp_service.h diff --git a/components/service/capsule_update/provider/capsule_update_provider.c b/components/service/capsule_update/provider/capsule_update_provider.c -index e133753f8560..991a2235cd73 100644 +index f35c272d..bfeb7301 100644 --- a/components/service/capsule_update/provider/capsule_update_provider.c +++ b/components/service/capsule_update/provider/capsule_update_provider.c @@ -11,6 +11,7 @@ @@ -33,16 +33,16 @@ index e133753f8560..991a2235cd73 100644 #define CAPSULE_UPDATE_REQUEST (0x1) -@@ -47,6 +48,8 @@ struct rpc_interface *capsule_update_provider_init( - rpc_interface = service_provider_get_rpc_interface(&context->base_provider); - } +@@ -49,6 +50,8 @@ struct rpc_service_interface *capsule_update_provider_init( + rpc_interface = service_provider_get_rpc_interface(&context->base_provider); -+ provision_fmp_variables_metadata(context->client.caller); + ++ provision_fmp_variables_metadata(context->client.session->caller); + return rpc_interface; } -@@ -85,6 +88,7 @@ static rpc_status_t event_handler(uint32_t opcode, struct rpc_caller *caller) +@@ -87,6 +90,7 @@ static rpc_status_t event_handler(uint32_t opcode, struct rpc_caller_interface * } psa_call(caller,handle, PSA_IPC_CALL, in_vec,IOVEC_LEN(in_vec), NULL, 0); @@ -50,7 +50,7 @@ index e133753f8560..991a2235cd73 100644 break; case KERNEL_STARTED_EVENT: -@@ -99,6 +103,7 @@ static rpc_status_t event_handler(uint32_t opcode, struct rpc_caller *caller) +@@ -101,6 +105,7 @@ static rpc_status_t event_handler(uint32_t opcode, struct rpc_caller_interface * } psa_call(caller,handle, PSA_IPC_CALL, in_vec,IOVEC_LEN(in_vec), NULL, 0); @@ -59,7 +59,7 @@ index e133753f8560..991a2235cd73 100644 default: EMSG("%s unsupported opcode", __func__); diff --git a/components/service/capsule_update/provider/component.cmake b/components/service/capsule_update/provider/component.cmake -index 1d412eb234d9..6b0601494938 100644 +index 1d412eb2..6b060149 100644 --- a/components/service/capsule_update/provider/component.cmake +++ b/components/service/capsule_update/provider/component.cmake @@ -10,4 +10,5 @@ endif() @@ -70,7 +70,7 @@ index 1d412eb234d9..6b0601494938 100644 ) diff --git a/components/service/capsule_update/provider/corstone1000_fmp_service.c b/components/service/capsule_update/provider/corstone1000_fmp_service.c new file mode 100644 -index 000000000000..6a7a47a7ed99 +index 00000000..56ce3857 --- /dev/null +++ b/components/service/capsule_update/provider/corstone1000_fmp_service.c @@ -0,0 +1,307 @@ @@ -155,7 +155,7 @@ index 000000000000..6a7a47a7ed99 + }, +}; + -+static psa_status_t protected_storage_set(struct rpc_caller *caller, ++static psa_status_t protected_storage_set(struct rpc_caller_interface *caller, + psa_storage_uid_t uid, size_t data_length, const void *p_data) +{ + psa_status_t psa_status; @@ -175,7 +175,7 @@ index 000000000000..6a7a47a7ed99 + return psa_status; +} + -+static psa_status_t protected_storage_get(struct rpc_caller *caller, ++static psa_status_t protected_storage_get(struct rpc_caller_interface *caller, + psa_storage_uid_t uid, size_t data_size, void *p_data) +{ + psa_status_t psa_status; @@ -200,7 +200,7 @@ index 000000000000..6a7a47a7ed99 + } + + return psa_status; -+} ++} + +static uint64_t name_hash(EFI_GUID *guid, size_t name_size, + const int16_t *name) @@ -216,7 +216,7 @@ index 000000000000..6a7a47a7ed99 + for (int i = 0; i < 8; ++i) { + + hash = ((hash << 5) + hash) + guid->Data4[i]; -+ } ++ } + + /* Extend to cover name up to but not including null terminator */ + for (int i = 0; i < name_size / sizeof(int16_t); ++i) { @@ -241,7 +241,7 @@ index 000000000000..6a7a47a7ed99 +} + + -+void provision_fmp_variables_metadata(struct rpc_caller *caller) ++void provision_fmp_variables_metadata(struct rpc_caller_interface *caller) +{ + struct variable_metadata metadata; + psa_status_t status; @@ -314,7 +314,7 @@ index 000000000000..6a7a47a7ed99 + return PSA_SUCCESS; +} + -+static psa_status_t get_image_info(struct rpc_caller *caller, ++static psa_status_t get_image_info(struct rpc_caller_interface *caller, + psa_handle_t platform_service_handle) +{ + psa_status_t status; @@ -342,12 +342,12 @@ index 000000000000..6a7a47a7ed99 + return PSA_SUCCESS; +} + -+static psa_status_t set_image_info(struct rpc_caller *caller) ++static psa_status_t set_image_info(struct rpc_caller_interface *caller) +{ + psa_status_t status; + + for (int i = 0; i < FMP_VARIABLES_COUNT; i++) { -+ ++ + status = protected_storage_set(caller, + fmp_variables_metadata[i].uid, + fmp_variables_data[i].len, fmp_variables_data[i].base); @@ -364,7 +364,7 @@ index 000000000000..6a7a47a7ed99 + return PSA_SUCCESS; +} + -+void set_fmp_image_info(struct rpc_caller *caller, ++void set_fmp_image_info(struct rpc_caller_interface *caller, + psa_handle_t platform_service_handle) +{ + psa_status_t status; @@ -383,7 +383,7 @@ index 000000000000..6a7a47a7ed99 +} diff --git a/components/service/capsule_update/provider/corstone1000_fmp_service.h b/components/service/capsule_update/provider/corstone1000_fmp_service.h new file mode 100644 -index 000000000000..95fba2a04d5c +index 00000000..d0023dc0 --- /dev/null +++ b/components/service/capsule_update/provider/corstone1000_fmp_service.h @@ -0,0 +1,26 @@ @@ -403,9 +403,9 @@ index 000000000000..95fba2a04d5c +#include +#include + -+void provision_fmp_variables_metadata(struct rpc_caller *caller); ++void provision_fmp_variables_metadata(struct rpc_caller_interface *caller); + -+void set_fmp_image_info(struct rpc_caller *caller, ++void set_fmp_image_info(struct rpc_caller_interface *caller, + psa_handle_t platform_service_handle); + +#ifdef __cplusplus @@ -414,5 +414,5 @@ index 000000000000..95fba2a04d5c + +#endif /* CORSTONE1000_FMP_SERVICE_H */ -- -2.40.0 +2.25.1 diff --git a/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0004-GetNextVariableName-Fix.patch b/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0004-GetNextVariableName-Fix.patch index ed4e6e27..a8e7f7c9 100644 --- a/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0004-GetNextVariableName-Fix.patch +++ b/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0004-GetNextVariableName-Fix.patch @@ -1,33 +1,43 @@ -From 2aa665ad2cb13bc79b645db41686449a47593aab Mon Sep 17 00:00:00 2001 -From: Emekcan -Date: Thu, 3 Nov 2022 17:43:40 +0000 -Subject: [PATCH] smm_gateway: GetNextVariableName Fix +From a0056ea1d994f1ec4da8ccae45abab2d2461f0a2 Mon Sep 17 00:00:00 2001 +From: Gyorgy Szing +Date: Thu, 16 Nov 2023 18:14:46 +0000 +Subject: [PATCH 1/1] smm_gateway: GetNextVariableName Fix -GetNextVariableName() should return EFI_BUFFER_TOO_SMALL -when NameSize is smaller than the actual NameSize. It +GetNextVariableName() should return EFI_BUFFER_TOO_SMALL +when requested NameSize is smaller than the actual. It currently returns EFI_BUFFER_OUT_OF_RESOURCES due to setting -max_name_len incorrectly. This fixes max_name_len error by -replacing it with actual NameSize request by u-boot. +max_name_len incorrectly. This change fixes the error by +using clamping the maximum size to the NameSize requested by +the client. Upstream-Status: Pending Signed-off-by: Emekcan Aras +Signed-off-by: Gyorgy Szing --- - .../service/smm_variable/provider/smm_variable_provider.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) + .../service/smm_variable/provider/smm_variable_provider.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/components/service/smm_variable/provider/smm_variable_provider.c b/components/service/smm_variable/provider/smm_variable_provider.c -index a9679b7e..6a4b6fa7 100644 +index f1c3c712..7ec49af5 100644 --- a/components/service/smm_variable/provider/smm_variable_provider.c +++ b/components/service/smm_variable/provider/smm_variable_provider.c -@@ -197,7 +197,7 @@ static rpc_status_t get_next_variable_name_handler(void *context, struct call_re +@@ -190,15 +190,13 @@ static rpc_status_t get_next_variable_name_handler(void *context, struct rpc_req + if (resp_buf->size >= param_len) { + + struct rpc_buffer *req_buf = &req->request; +- size_t max_name_len = resp_buf->size - +- SMM_VARIABLE_COMMUNICATE_GET_NEXT_VARIABLE_NAME_NAME_OFFSET; + + memmove(resp_buf->data, req_buf->data, param_len); + efi_status = uefi_variable_store_get_next_variable_name( &this_instance->variable_store, (SMM_VARIABLE_COMMUNICATE_GET_NEXT_VARIABLE_NAME*)resp_buf->data, - max_name_len, + ((SMM_VARIABLE_COMMUNICATE_GET_NEXT_VARIABLE_NAME*)resp_buf->data)->NameSize, - &resp_buf->data_len); + &resp_buf->data_length); } else { -- -2.17.1 +2.34.1 diff --git a/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0005-plat-corstone1000-add-compile-definitions-for-ECP_DP.patch b/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0005-plat-corstone1000-add-compile-definitions-for-ECP_DP.patch index 5d7ab5f5..3e37ba87 100644 --- a/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0005-plat-corstone1000-add-compile-definitions-for-ECP_DP.patch +++ b/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0005-plat-corstone1000-add-compile-definitions-for-ECP_DP.patch @@ -1,4 +1,4 @@ -From 041d30bb9cc6857f5ef26ded154ff7126dafaa20 Mon Sep 17 00:00:00 2001 +From 4816a705e7917ee58d3972fefe163189eb412d36 Mon Sep 17 00:00:00 2001 From: Emekcan Aras Date: Fri, 16 Jun 2023 10:47:48 +0100 Subject: [PATCH] plat: corstone1000: add compile definitions for @@ -9,21 +9,20 @@ Without setting this, corstone1000 fails psa-api-crypto-test no 243. Signed-off-by: Emekcan Aras Upstream-Status: Pending - --- platform/providers/arm/corstone1000/platform.cmake | 2 ++ 1 file changed, 2 insertions(+) diff --git a/platform/providers/arm/corstone1000/platform.cmake b/platform/providers/arm/corstone1000/platform.cmake -index dbdf1097..e7a295dd 100644 +index a3c4209b..ff044ed7 100644 --- a/platform/providers/arm/corstone1000/platform.cmake +++ b/platform/providers/arm/corstone1000/platform.cmake -@@ -14,3 +14,5 @@ target_compile_definitions(${TGT} PRIVATE +@@ -13,3 +13,5 @@ target_compile_definitions(${TGT} PRIVATE SMM_VARIABLE_INDEX_STORAGE_UID=0x787 SMM_GATEWAY_MAX_UEFI_VARIABLES=100 ) + +add_compile_definitions(MBEDTLS_ECP_DP_SECP521R1_ENABLED) -- -2.17.1 +2.25.1 diff --git a/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0006-plat-corstone1000-Use-the-stateless-platform-service.patch b/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0006-plat-corstone1000-Use-the-stateless-platform-service.patch index 4e9d5c2e..4381f75e 100644 --- a/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0006-plat-corstone1000-Use-the-stateless-platform-service.patch +++ b/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0006-plat-corstone1000-Use-the-stateless-platform-service.patch @@ -1,9 +1,9 @@ -From a71e99045996c57a4f80509ae8b770aa4f73f6c0 Mon Sep 17 00:00:00 2001 +From b07d29440b5ca8d1f3b9a4f03786bb3127930a64 Mon Sep 17 00:00:00 2001 From: Emekcan Aras Date: Sun, 18 Jun 2023 14:38:42 +0100 -Subject: [PATCH] plat: corstone1000: Use the stateless platform service calls - Calls to psa_connect is not needed and psa_call can be called directly with a - pre defined handle. +Subject: [PATCH] plat: corstone1000: Use the stateless platform service + calls Calls to psa_connect is not needed and psa_call can be called directly + with a pre defined handle. Signed-off-by: Satish Kumar Signed-off-by: Mohamed Omar Asaker @@ -18,18 +18,18 @@ Upstream-Status: Inappropriate [Design is to revisted] 4 files changed, 17 insertions(+), 27 deletions(-) diff --git a/components/service/capsule_update/provider/capsule_update_provider.c b/components/service/capsule_update/provider/capsule_update_provider.c -index 991a2235..6809249f 100644 +index bfeb7301..12c552da 100644 --- a/components/service/capsule_update/provider/capsule_update_provider.c +++ b/components/service/capsule_update/provider/capsule_update_provider.c -@@ -61,7 +61,6 @@ void capsule_update_provider_deinit(struct capsule_update_provider *context) - static rpc_status_t event_handler(uint32_t opcode, struct rpc_caller *caller) +@@ -63,7 +63,6 @@ void capsule_update_provider_deinit(struct capsule_update_provider *context) + static rpc_status_t event_handler(uint32_t opcode, struct rpc_caller_interface *caller) { uint32_t ioctl_id; - psa_handle_t handle; rpc_status_t rpc_status = TS_RPC_CALL_ACCEPTED; struct psa_invec in_vec[] = { -@@ -79,31 +78,18 @@ static rpc_status_t event_handler(uint32_t opcode, struct rpc_caller *caller) +@@ -81,31 +80,18 @@ static rpc_status_t event_handler(uint32_t opcode, struct rpc_caller_interface * case CAPSULE_UPDATE_REQUEST: /* Openamp call with IOCTL for firmware update*/ ioctl_id = IOCTL_CORSTONE1000_FWU_FLASH_IMAGES; @@ -67,20 +67,20 @@ index 991a2235..6809249f 100644 default: EMSG("%s unsupported opcode", __func__); diff --git a/components/service/capsule_update/provider/corstone1000_fmp_service.c b/components/service/capsule_update/provider/corstone1000_fmp_service.c -index 6a7a47a7..d811af9f 100644 +index 56ce3857..bebdf859 100644 --- a/components/service/capsule_update/provider/corstone1000_fmp_service.c +++ b/components/service/capsule_update/provider/corstone1000_fmp_service.c @@ -238,8 +238,7 @@ static psa_status_t unpack_image_info(void *buffer, uint32_t size) return PSA_SUCCESS; } --static psa_status_t get_image_info(struct rpc_caller *caller, +-static psa_status_t get_image_info(struct rpc_caller_interface *caller, - psa_handle_t platform_service_handle) -+static psa_status_t get_image_info(struct rpc_caller *caller) ++static psa_status_t get_image_info(struct rpc_caller_interface *caller) { psa_status_t status; psa_handle_t handle; -@@ -255,7 +254,7 @@ static psa_status_t get_image_info(struct rpc_caller *caller, +@@ -255,7 +254,7 @@ static psa_status_t get_image_info(struct rpc_caller_interface *caller, memset(image_info_buffer, 0, IMAGE_INFO_BUFFER_SIZE); @@ -89,13 +89,13 @@ index 6a7a47a7..d811af9f 100644 in_vec, IOVEC_LEN(in_vec), out_vec, IOVEC_LEN(out_vec)); status = unpack_image_info(image_info_buffer, IMAGE_INFO_BUFFER_SIZE); -@@ -288,12 +287,11 @@ static psa_status_t set_image_info(struct rpc_caller *caller) +@@ -288,12 +287,11 @@ static psa_status_t set_image_info(struct rpc_caller_interface *caller) return PSA_SUCCESS; } --void set_fmp_image_info(struct rpc_caller *caller, +-void set_fmp_image_info(struct rpc_caller_interface *caller, - psa_handle_t platform_service_handle) -+void set_fmp_image_info(struct rpc_caller *caller) ++void set_fmp_image_info(struct rpc_caller_interface *caller) { psa_status_t status; @@ -105,16 +105,16 @@ index 6a7a47a7..d811af9f 100644 return; } diff --git a/components/service/capsule_update/provider/corstone1000_fmp_service.h b/components/service/capsule_update/provider/corstone1000_fmp_service.h -index 95fba2a0..963223e8 100644 +index d0023dc0..486fa10b 100644 --- a/components/service/capsule_update/provider/corstone1000_fmp_service.h +++ b/components/service/capsule_update/provider/corstone1000_fmp_service.h @@ -16,8 +16,7 @@ extern "C" { - void provision_fmp_variables_metadata(struct rpc_caller *caller); + void provision_fmp_variables_metadata(struct rpc_caller_interface *caller); --void set_fmp_image_info(struct rpc_caller *caller, +-void set_fmp_image_info(struct rpc_caller_interface *caller, - psa_handle_t platform_service_handle); -+void set_fmp_image_info(struct rpc_caller *caller); ++void set_fmp_image_info(struct rpc_caller_interface *caller); #ifdef __cplusplus } /* extern "C" */ @@ -137,5 +137,5 @@ index 5aaa659d..fc3a4fb0 100644 #define TFM_SP_PLATFORM_SYSTEM_RESET_SID (0x00000040U) #define TFM_SP_PLATFORM_SYSTEM_RESET_VERSION (1U) -- -2.17.1 +2.25.1 diff --git a/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0007-plat-corstone1000-Initialize-capsule-update-provider.patch b/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0007-plat-corstone1000-Initialize-capsule-update-provider.patch index 3e6f606c..5f06cb51 100644 --- a/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0007-plat-corstone1000-Initialize-capsule-update-provider.patch +++ b/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0007-plat-corstone1000-Initialize-capsule-update-provider.patch @@ -1,6 +1,6 @@ -From b5b31064959665f4cc616733be3d989ae4356636 Mon Sep 17 00:00:00 2001 -From: Emekcan Aras -Date: Sun, 18 Jun 2023 16:05:27 +0100 +From c304d5b2e4319542b33abbd43b06a694d6895628 Mon Sep 17 00:00:00 2001 +From: Bence Balogh +Date: Wed, 29 Nov 2023 15:40:21 +0100 Subject: [PATCH] plat: corstone1000: Initialize capsule update provider Initializes the capsule update service provider in se-proxy-sp.c deployment @@ -10,69 +10,98 @@ Signed-off-by: Emekcan Aras Upstream-Status: Inappropriate [Design is to revisted] --- - deployments/se-proxy/env/commonsp/se_proxy_sp.c | 3 +++ - .../infra/corstone1000/service_proxy_factory.c | 17 +++++++++++++++++ - .../se-proxy/infra/service_proxy_factory.h | 1 + - 3 files changed, 21 insertions(+) + .../se-proxy/env/commonsp/se_proxy_sp.c | 14 +++++++++- + .../corstone1000/service_proxy_factory.c | 28 +++++++++++++++++++ + .../se-proxy/infra/service_proxy_factory.h | 1 + + 3 files changed, 42 insertions(+), 1 deletion(-) diff --git a/deployments/se-proxy/env/commonsp/se_proxy_sp.c b/deployments/se-proxy/env/commonsp/se_proxy_sp.c -index 45fcb385..dc2a9d49 100644 +index 155e9486..a0eb03b6 100644 --- a/deployments/se-proxy/env/commonsp/se_proxy_sp.c +++ b/deployments/se-proxy/env/commonsp/se_proxy_sp.c -@@ -77,6 +77,9 @@ void __noreturn sp_main(struct ffa_init_info *init_info) +@@ -39,7 +39,7 @@ void __noreturn sp_main(union ffa_boot_info *boot_info) + goto fatal_error; + } + +- rpc_status = ts_rpc_endpoint_sp_init(&rpc_endpoint, 4, 16); ++ rpc_status = ts_rpc_endpoint_sp_init(&rpc_endpoint, 5, 16); + if (rpc_status != RPC_SUCCESS) { + EMSG("Failed to initialize RPC endpoint: %d", rpc_status); + goto fatal_error; +@@ -94,6 +94,18 @@ void __noreturn sp_main(union ffa_boot_info *boot_info) + goto fatal_error; } - rpc_demux_attach(&rpc_demux, SE_PROXY_INTERFACE_ID_ATTEST, rpc_iface); + rpc_iface = capsule_update_proxy_create(); -+ rpc_demux_attach(&rpc_demux, SE_PROXY_INTERFACE_ID_CAPSULE_UPDATE, rpc_iface); ++ if (!rpc_iface) { ++ EMSG("Failed to create Capsule Update proxy"); ++ goto fatal_error; ++ } ++ ++ rpc_status = ts_rpc_endpoint_sp_add_service(&rpc_endpoint, rpc_iface); ++ if (rpc_status != RPC_SUCCESS) { ++ EMSG("Failed to add service to RPC endpoint: %d", rpc_status); ++ goto fatal_error; ++ } + /* End of boot phase */ result = sp_msg_wait(&req_msg); if (result != SP_RESULT_OK) { diff --git a/deployments/se-proxy/infra/corstone1000/service_proxy_factory.c b/deployments/se-proxy/infra/corstone1000/service_proxy_factory.c -index bacab1de..32d88c97 100644 +index 6885f928..bbab80e5 100644 --- a/deployments/se-proxy/infra/corstone1000/service_proxy_factory.c +++ b/deployments/se-proxy/infra/corstone1000/service_proxy_factory.c -@@ -14,6 +14,7 @@ +@@ -11,6 +11,7 @@ + #include + #include + #include ++#include #include #include - #include -+#include + #include "service/secure_storage/frontend/secure_storage_provider/secure_storage_uuid.h" +@@ -129,3 +130,30 @@ struct rpc_service_interface *its_proxy_create(void) - /* backends */ - #include -@@ -94,3 +95,19 @@ struct rpc_interface *its_proxy_create(void) - - return secure_storage_provider_init(&its_provider, backend); + return secure_storage_provider_init(&its_provider, backend, &its_uuid); } + -+struct rpc_interface *capsule_update_proxy_create(void) ++struct rpc_service_interface *capsule_update_proxy_create(void) +{ + static struct capsule_update_provider capsule_update_provider; -+ static struct rpc_caller *capsule_update_caller; ++ static struct secure_storage_ipc capsule_update_backend; ++ rpc_status_t rpc_status = RPC_ERROR_INTERNAL; ++ ++ /* Static objects for proxy instance */ ++ static struct rpc_caller_interface psa_ipc = { 0 }; ++ static struct rpc_caller_session rpc_session = { 0 }; + -+ capsule_update_caller = psa_ipc_caller_init(&psa_ipc); ++ rpc_status = psa_ipc_caller_init(&psa_ipc); ++ if (rpc_status != RPC_SUCCESS) ++ return NULL; + -+ if (!capsule_update_caller) -+ return NULL; ++ rpc_status = rpc_caller_session_open(&rpc_session, &psa_ipc, &dummy_uuid, 0, 0); ++ if (rpc_status != RPC_SUCCESS) ++ return NULL; + -+ capsule_update_provider.client.caller = capsule_update_caller; ++ ++ capsule_update_provider.client.session = &rpc_session; ++ capsule_update_provider.client.rpc_status = RPC_SUCCESS; ++ capsule_update_provider.client.service_info.supported_encodings = 0; ++ capsule_update_provider.client.service_info.max_payload = 4096; + + return capsule_update_provider_init(&capsule_update_provider); +} -+ diff --git a/deployments/se-proxy/infra/service_proxy_factory.h b/deployments/se-proxy/infra/service_proxy_factory.h -index 298d407a..02aa7fe2 100644 +index caaea79e..b981754b 100644 --- a/deployments/se-proxy/infra/service_proxy_factory.h +++ b/deployments/se-proxy/infra/service_proxy_factory.h -@@ -17,6 +17,7 @@ struct rpc_interface *attest_proxy_create(void); - struct rpc_interface *crypto_proxy_create(void); - struct rpc_interface *ps_proxy_create(void); - struct rpc_interface *its_proxy_create(void); -+struct rpc_interface *capsule_update_proxy_create(void); +@@ -17,6 +17,7 @@ struct rpc_service_interface *attest_proxy_create(void); + struct rpc_service_interface *crypto_proxy_create(void); + struct rpc_service_interface *ps_proxy_create(void); + struct rpc_service_interface *its_proxy_create(void); ++struct rpc_service_interface *capsule_update_proxy_create(void); #ifdef __cplusplus } -- -2.17.1 +2.25.1 diff --git a/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0008-platform-corstone1000-fix-synchronization-issue.patch b/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0008-platform-corstone1000-fix-synchronization-issue.patch index 5d8f7318..7df00974 100644 --- a/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0008-platform-corstone1000-fix-synchronization-issue.patch +++ b/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0008-platform-corstone1000-fix-synchronization-issue.patch @@ -1,7 +1,8 @@ -From 06c3e612cb0927d783f115077d83ed97841c5668 Mon Sep 17 00:00:00 2001 +From e8f0a013acc02c82c9193f6ab7970e80fb0f961e Mon Sep 17 00:00:00 2001 From: Emekcan Aras Date: Tue, 14 Nov 2023 14:43:44 +0000 -Subject: [PATCH] plat: corstone1000: fix synchronization issue on openamp notification +Subject: [PATCH] plat: corstone1000: fix synchronization issue on openamp + notification This fixes a race that is observed rarely in the FVP. It occurs in FVP when Secure Enclave sends the notication ack in openamp, and then reset the access @@ -20,22 +21,22 @@ Upstream-Status: Pending [Not submitted to upstream yet] 3 files changed, 43 insertions(+), 1 deletion(-) diff --git a/components/messaging/openamp/sp/openamp_mhu.c b/components/messaging/openamp/sp/openamp_mhu.c -index bafba3e3..0700b8b9 100644 +index bafba3e37..e96de6059 100644 --- a/components/messaging/openamp/sp/openamp_mhu.c +++ b/components/messaging/openamp/sp/openamp_mhu.c @@ -85,7 +85,7 @@ int openamp_mhu_notify_peer(struct openamp_messenger *openamp) - struct mhu_v2_x_dev_t *tx_dev; - enum mhu_v2_x_error_t ret; - struct openamp_mhu *mhu; + struct mhu_v2_x_dev_t *tx_dev; + enum mhu_v2_x_error_t ret; + struct openamp_mhu *mhu; - uint32_t access_ready; + uint32_t access_ready,val; - - if (!openamp->transport) { - EMSG("openamp: mhu: notify transport not initialized"); + + if (!openamp->transport) { + EMSG("openamp: mhu: notify transport not initialized"); @@ -116,6 +116,13 @@ int openamp_mhu_notify_peer(struct openamp_messenger *openamp) - return -EPROTO; - } - + return -EPROTO; + } + + do { + ret = mhu_v2_x_channel_poll(tx_dev, MHU_V_2_NOTIFY_CHANNEL, &val); + if (ret != MHU_V_2_X_ERR_NONE) { @@ -43,17 +44,17 @@ index bafba3e3..0700b8b9 100644 + } + } while (val != 0); + - ret = mhu_v2_x_reset_access_request(tx_dev); - if (ret != MHU_V_2_X_ERR_NONE) { - EMSG("openamp: mhu: failed reset access request"); + ret = mhu_v2_x_reset_access_request(tx_dev); + if (ret != MHU_V_2_X_ERR_NONE) { + EMSG("openamp: mhu: failed reset access request"); diff --git a/platform/drivers/arm/mhu_driver/mhu_v2.h b/platform/drivers/arm/mhu_driver/mhu_v2.h -index 26b3a5d6..2b4d6fcb 100644 +index 26b3a5d63..2b4d6fcb6 100644 --- a/platform/drivers/arm/mhu_driver/mhu_v2.h +++ b/platform/drivers/arm/mhu_driver/mhu_v2.h @@ -384,6 +384,24 @@ enum mhu_v2_x_error_t mhu_v2_x_interrupt_clear( enum mhu_v2_x_error_t mhu_v2_1_get_ch_interrupt_num( const struct mhu_v2_x_dev_t *dev, uint32_t *channel); - + + +/** + * \brief Polls sender channel status. @@ -76,11 +77,11 @@ index 26b3a5d6..2b4d6fcb 100644 } #endif diff --git a/platform/drivers/arm/mhu_driver/mhu_v2_x.c b/platform/drivers/arm/mhu_driver/mhu_v2_x.c -index d7e70efa..022e287a 100644 +index d7e70efaa..022e287a1 100644 --- a/platform/drivers/arm/mhu_driver/mhu_v2_x.c +++ b/platform/drivers/arm/mhu_driver/mhu_v2_x.c @@ -600,3 +600,20 @@ enum mhu_v2_x_error_t mhu_v2_1_get_ch_interrupt_num( - + return MHU_V_2_X_ERR_GENERAL; } + @@ -100,6 +101,7 @@ index d7e70efa..022e287a 100644 + return MHU_V_2_X_ERR_INVALID_ARG; + } +} --- +-- 2.25.1 + diff --git a/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0009-plat-corstone1000-fmp-client-id.patch b/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0009-plat-corstone1000-fmp-client-id.patch index 2fb91f62..837fcd85 100644 --- a/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0009-plat-corstone1000-fmp-client-id.patch +++ b/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0009-plat-corstone1000-fmp-client-id.patch @@ -1,6 +1,6 @@ -From 52d962239207bd06827c18d0ed21abdc2002337f Mon Sep 17 00:00:00 2001 -From: emeara01 -Date: Thu, 7 Mar 2024 10:24:42 +0000 +From 8aef83efaa03f92b35ab68bc6da2bd26722eedfd Mon Sep 17 00:00:00 2001 +From: Bence Balogh +Date: Fri, 5 Apr 2024 17:31:03 +0200 Subject: [PATCH] plat: corstone1000: add client_id for FMP service Corstone1000 uses trusted-firmware-m as secure enclave software component. Due @@ -11,11 +11,11 @@ accessed by u-boot via smm-gateway-sp. Signed-off-by: emeara01 Upstream-Status: Inappropriate [Design is to revisted] --- - .../capsule_update/provider/corstone1000_fmp_service.c | 5 ++++--- + .../capsule_update/provider/corstone1000_fmp_service.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/components/service/capsule_update/provider/corstone1000_fmp_service.c b/components/service/capsule_update/provider/corstone1000_fmp_service.c -index d811af9f..354d025f 100644 +index bebdf859f..1b4813d62 100644 --- a/components/service/capsule_update/provider/corstone1000_fmp_service.c +++ b/components/service/capsule_update/provider/corstone1000_fmp_service.c @@ -33,6 +33,7 @@ @@ -26,7 +26,7 @@ index d811af9f..354d025f 100644 static struct variable_metadata fmp_variables_metadata[FMP_VARIABLES_COUNT] = { { -@@ -91,7 +92,7 @@ static psa_status_t protected_storage_set(struct rpc_caller *caller, +@@ -91,7 +92,7 @@ static psa_status_t protected_storage_set(struct rpc_caller_interface *caller, { .base = psa_ptr_to_u32(&create_flags), .len = sizeof(create_flags) }, }; @@ -35,7 +35,7 @@ index d811af9f..354d025f 100644 in_vec, IOVEC_LEN(in_vec), NULL, 0); if (psa_status < 0) EMSG("ipc_set: psa_call failed: %d", psa_status); -@@ -114,7 +115,7 @@ static psa_status_t protected_storage_get(struct rpc_caller *caller, +@@ -114,7 +115,7 @@ static psa_status_t protected_storage_get(struct rpc_caller_interface *caller, { .base = psa_ptr_to_u32(p_data), .len = data_size }, }; @@ -43,3 +43,8 @@ index d811af9f..354d025f 100644 + psa_status = psa_call_client_id(caller, TFM_PROTECTED_STORAGE_SERVICE_HANDLE, SMM_GW_SP_ID, TFM_PS_ITS_GET, in_vec, IOVEC_LEN(in_vec), out_vec, IOVEC_LEN(out_vec)); + +-- +2.25.1 + + From patchwork Tue Apr 23 16:32:05 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gyorgy Szing X-Patchwork-Id: 42800 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 82CA1C4345F for ; Tue, 23 Apr 2024 16:33:53 +0000 (UTC) Received: from foss.arm.com (foss.arm.com [217.140.110.172]) by mx.groups.io with SMTP id smtpd.web11.23276.1713890024230611087 for ; Tue, 23 Apr 2024 09:33:44 -0700 Authentication-Results: mx.groups.io; dkim=none (message not signed); spf=pass (domain: arm.com, ip: 217.140.110.172, mailfrom: gyorgy.szing@arm.com) Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id 986A3339; Tue, 23 Apr 2024 09:34:11 -0700 (PDT) Received: from FWLNXWH7M5.arm.com (unknown [10.57.21.110]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPA id EF1D63F7BD; Tue, 23 Apr 2024 09:33:42 -0700 (PDT) From: Gyorgy Szing To: meta-arm@lists.yoctoproject.org Cc: Bence Balogh Subject: [PATCH 9/9] arm-bsp/trusted-services:cs1000: fix deployments Date: Tue, 23 Apr 2024 18:32:05 +0200 Message-ID: <20240423163205.5885-9-gyorgy.szing@arm.com> X-Mailer: git-send-email 2.43.1 In-Reply-To: <20240423163205.5885-1-gyorgy.szing@arm.com> References: <20240423163205.5885-1-gyorgy.szing@arm.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 23 Apr 2024 16:33:53 -0000 X-Groupsio-URL: https://lists.yoctoproject.org/g/meta-arm/message/5594 From: Bence Balogh - The Secure Enclave Proxy Secure Partition fails at psa_call() because wrong parameter was passed. - The SMM Gateway initialization failed because a malloc() returned a NULL pointer. The SMM_GATEWAY_MAX_UEFI_VARIABLES had to be decreased to avoid this. - Increase shared memory buffer size and add buildtime check - Use __packed for the variable_metadata struct Signed-off-by: Bence Balogh --- ...rease-SMM_GATEWAY_MAX_UEFI_VARIABLES.patch | 30 ++++ .../0011-Fix-psa_ipc-service-s-psa_call.patch | 37 +++++ ...session-SHM-size-build-time-configur.patch | 52 +++++++ ...ession-SHM-size-for-Corstone-1000-SM.patch | 144 ++++++++++++++++++ ...ked-for-the-variable_metadata-struct.patch | 34 +++++ .../trusted-services/ts-arm-platforms.inc | 5 + 6 files changed, 302 insertions(+) create mode 100644 meta-arm-bsp/recipes-security/trusted-services/corstone1000/0010-Decrease-SMM_GATEWAY_MAX_UEFI_VARIABLES.patch create mode 100644 meta-arm-bsp/recipes-security/trusted-services/corstone1000/0011-Fix-psa_ipc-service-s-psa_call.patch create mode 100644 meta-arm-bsp/recipes-security/trusted-services/corstone1000/0012-Make-RPC-caller-session-SHM-size-build-time-configur.patch create mode 100644 meta-arm-bsp/recipes-security/trusted-services/corstone1000/0013-Set-RPC-caller-session-SHM-size-for-Corstone-1000-SM.patch create mode 100644 meta-arm-bsp/recipes-security/trusted-services/corstone1000/0014-Use-__packed-for-the-variable_metadata-struct.patch diff --git a/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0010-Decrease-SMM_GATEWAY_MAX_UEFI_VARIABLES.patch b/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0010-Decrease-SMM_GATEWAY_MAX_UEFI_VARIABLES.patch new file mode 100644 index 00000000..e302b74b --- /dev/null +++ b/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0010-Decrease-SMM_GATEWAY_MAX_UEFI_VARIABLES.patch @@ -0,0 +1,30 @@ +From e1ef7c537c09972d981e09d4dbcc98e50c7d2b04 Mon Sep 17 00:00:00 2001 +From: Bence Balogh +Date: Tue, 28 Nov 2023 15:32:39 +0100 +Subject: [PATCH 8/9] Decrease SMM_GATEWAY_MAX_UEFI_VARIABLES + +This fixes the SMM gateway initialization error that was caused +by a malloc fault in Corstone-1000. + +Upstream-Status: Submitted [https://review.trustedfirmware.org/c/TS/trusted-services/+/27857] +Signed-off-by: Bence Balogh +--- + platform/providers/arm/corstone1000/platform.cmake | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/platform/providers/arm/corstone1000/platform.cmake b/platform/providers/arm/corstone1000/platform.cmake +index ff044ed7..d16cde3f 100644 +--- a/platform/providers/arm/corstone1000/platform.cmake ++++ b/platform/providers/arm/corstone1000/platform.cmake +@@ -11,7 +11,7 @@ include(${TS_ROOT}/platform/drivers/arm/mhu_driver/component.cmake) + + target_compile_definitions(${TGT} PRIVATE + SMM_VARIABLE_INDEX_STORAGE_UID=0x787 +- SMM_GATEWAY_MAX_UEFI_VARIABLES=100 ++ SMM_GATEWAY_MAX_UEFI_VARIABLES=80 + ) + + add_compile_definitions(MBEDTLS_ECP_DP_SECP521R1_ENABLED) +-- +2.25.1 + diff --git a/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0011-Fix-psa_ipc-service-s-psa_call.patch b/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0011-Fix-psa_ipc-service-s-psa_call.patch new file mode 100644 index 00000000..25e272f8 --- /dev/null +++ b/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0011-Fix-psa_ipc-service-s-psa_call.patch @@ -0,0 +1,37 @@ +From b216cb0740b6e0107509145cadd0671fda62e89c Mon Sep 17 00:00:00 2001 +From: Bence Balogh +Date: Tue, 28 Nov 2023 15:33:12 +0100 +Subject: [PATCH 9/9] Fix psa_ipc service's psa_call + +The wrong parameter was passed to the psa_ipc_phys_to_virt() +function which resulted in faulty behavior. + +Upstream-Status: Submitted [https://review.trustedfirmware.org/c/TS/trusted-services/+/27858] +Signed-off-by: Bence Balogh +--- + components/rpc/psa_ipc/service_psa_ipc.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/components/rpc/psa_ipc/service_psa_ipc.c b/components/rpc/psa_ipc/service_psa_ipc.c +index 36c8e367..4bf86716 100644 +--- a/components/rpc/psa_ipc/service_psa_ipc.c ++++ b/components/rpc/psa_ipc/service_psa_ipc.c +@@ -176,13 +176,13 @@ static psa_status_t __psa_call(struct rpc_caller_interface *caller, psa_handle_t + if (!resp_msg || !out_len || resp_msg->reply != PSA_SUCCESS) + goto caller_end; + +- out_vec_param = (struct psa_outvec *)psa_ipc_phys_to_virt(caller, ++ out_vec_param = (struct psa_outvec *)psa_ipc_phys_to_virt(caller->context, + psa_u32_to_ptr(resp_msg->params.out_vec)); + + for (i = 0; i < resp_msg->params.out_len; i++) { + out_vec[i].len = out_vec_param[i].len; + unaligned_memcpy(psa_u32_to_ptr(out_vec[i].base), +- psa_ipc_phys_to_virt(caller, ++ psa_ipc_phys_to_virt(caller->context, + psa_u32_to_ptr(out_vec_param[i].base)), + out_vec[i].len); + } +-- +2.25.1 + diff --git a/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0012-Make-RPC-caller-session-SHM-size-build-time-configur.patch b/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0012-Make-RPC-caller-session-SHM-size-build-time-configur.patch new file mode 100644 index 00000000..7eb7814a --- /dev/null +++ b/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0012-Make-RPC-caller-session-SHM-size-build-time-configur.patch @@ -0,0 +1,52 @@ +From 40e6b48971bbbd37edf693a8a70b76e4551fda82 Mon Sep 17 00:00:00 2001 +From: Imre Kis +Date: Wed, 21 Feb 2024 14:24:43 +0100 +Subject: [PATCH 03/12] Make RPC caller session SHM size build-time + configurable + +Introduce RPC_CALLER_SESSION_SHARED_MEMORY_SIZE macro allow setting the +RPC caller session shared memory size from the build system. This only +affects RPC caller sessions created by spffa_service_context. + +Upstream-Status: Submitted [https://review.trustedfirmware.org/c/TS/trusted-services/+/27864] +Signed-off-by: Imre Kis +Signed-off-by: Bence Balogh +--- + .../service/locator/sp/ffa/spffa_service_context.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/components/service/locator/sp/ffa/spffa_service_context.c b/components/service/locator/sp/ffa/spffa_service_context.c +index 0c1616fc..4ddc53af 100644 +--- a/components/service/locator/sp/ffa/spffa_service_context.c ++++ b/components/service/locator/sp/ffa/spffa_service_context.c +@@ -1,5 +1,5 @@ + /* +- * Copyright (c) 2021-2022, Arm Limited and Contributors. All rights reserved. ++ * Copyright (c) 2021-2024, Arm Limited and Contributors. All rights reserved. + * + * SPDX-License-Identifier: BSD-3-Clause + */ +@@ -10,6 +10,10 @@ + #include + #include + ++#ifndef RPC_CALLER_SESSION_SHARED_MEMORY_SIZE ++#define RPC_CALLER_SESSION_SHARED_MEMORY_SIZE (4096) ++#endif /* RPC_CALLER_SESSION_SHARED_MEMORY_SIZE */ ++ + /* Concrete service_context methods */ + static struct rpc_caller_session *sp_ts_service_context_open(void *context); + static void sp_ts_service_context_close(void *context, struct rpc_caller_session *session); +@@ -52,7 +56,8 @@ static struct rpc_caller_session *sp_ts_service_context_open(void *context) + return NULL; + + rpc_status = rpc_caller_session_find_and_open(session, &this_context->caller, +- &this_context->service_uuid, 4096); ++ &this_context->service_uuid, ++ RPC_CALLER_SESSION_SHARED_MEMORY_SIZE); + if (rpc_status != RPC_SUCCESS) { + free(session); + return NULL; +-- +2.25.1 + diff --git a/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0013-Set-RPC-caller-session-SHM-size-for-Corstone-1000-SM.patch b/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0013-Set-RPC-caller-session-SHM-size-for-Corstone-1000-SM.patch new file mode 100644 index 00000000..1510246f --- /dev/null +++ b/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0013-Set-RPC-caller-session-SHM-size-for-Corstone-1000-SM.patch @@ -0,0 +1,144 @@ +From ca3a9e31a560d630cf20286eb30d63ddafc0a05a Mon Sep 17 00:00:00 2001 +From: Bence Balogh +Date: Mon, 26 Feb 2024 14:47:25 +0100 +Subject: [PATCH] Set RPC caller session SHM size for Corstone 1000 SMMGW + +Set RPC caller session shared memory size so it fits the UEFI variable +index. Validate if SMM_GATEWAY_MAX_UEFI_VARIABLES * [descriptor size] +would fit into the shared memory size. Also align the heap size +accordingly. + +Upstream-Status: Submitted [https://review.trustedfirmware.org/c/TS/trusted-services/+/27865] +Signed-off-by: Imre Kis +Signed-off-by: Bence Balogh +--- + .../config/default-opteesp/CMakeLists.txt | 32 +++++++++++++++---- + .../config/default-sp/CMakeLists.txt | 31 ++++++++++++++---- + .../providers/arm/corstone1000/platform.cmake | 4 ++- + 3 files changed, 52 insertions(+), 15 deletions(-) + +diff --git a/deployments/smm-gateway/config/default-opteesp/CMakeLists.txt b/deployments/smm-gateway/config/default-opteesp/CMakeLists.txt +index 7becb3999..897a8dabd 100644 +--- a/deployments/smm-gateway/config/default-opteesp/CMakeLists.txt ++++ b/deployments/smm-gateway/config/default-opteesp/CMakeLists.txt +@@ -1,5 +1,5 @@ + #------------------------------------------------------------------------------- +-# Copyright (c) 2021-2023, Arm Limited and Contributors. All rights reserved. ++# Copyright (c) 2021-2024, Arm Limited and Contributors. All rights reserved. + # + # SPDX-License-Identifier: BSD-3-Clause + # +@@ -24,7 +24,30 @@ set(SP_BIN_UUID_CANON "ed32d533-99e6-4209-9cc0-2d72cdd998a7") + set(SP_FFA_UUID_CANON "${SP_BIN_UUID_CANON}") + set(SP_BOOT_ORDER "8") + +-set(SP_HEAP_SIZE "32 * 1024" CACHE STRING "SP heap size in bytes") ++#------------------------------------------------------------------------------- ++# Set target platform to provide drivers needed by the deployment ++# ++#------------------------------------------------------------------------------- ++add_platform(TARGET "smm-gateway") ++ ++# SMM variable and RPC caller settings ++set(SMM_GATEWAY_MAX_UEFI_VARIABLES 40 CACHE STRING "Maximum UEFI variable count") ++set(SMM_RPC_CALLER_SESSION_SHARED_MEMORY_SIZE 8192 CACHE STRING "RPC caller buffer size in SMMGW") ++ ++# Validating settings ++# The UEFI variable index entry size is 168 bytes ++math(EXPR SHM_MIN "${SMM_GATEWAY_MAX_UEFI_VARIABLES} * 168") ++ ++if (${SMM_RPC_CALLER_SESSION_SHARED_MEMORY_SIZE} LESS ${SHM_MIN}) ++ message(FATAL_ERROR "The RPC SHM size must be at least 168 * [max UEFI variable count]") ++endif() ++ ++target_compile_definitions("smm-gateway" PRIVATE ++ RPC_CALLER_SESSION_SHARED_MEMORY_SIZE=${SMM_RPC_CALLER_SESSION_SHARED_MEMORY_SIZE} ++ SMM_GATEWAY_MAX_UEFI_VARIABLES=${SMM_GATEWAY_MAX_UEFI_VARIABLES} ++) ++ ++set(SP_HEAP_SIZE "16 * 1024 + ${SMM_GATEWAY_MAX_UEFI_VARIABLES} * 168 + ${SMM_RPC_CALLER_SESSION_SHARED_MEMORY_SIZE}" CACHE STRING "SP heap size in bytes") + set(TRACE_PREFIX "SMMGW" CACHE STRING "Trace prefix") + + # Setting the MM communication buffer parameters +@@ -50,11 +73,6 @@ include(../../env/commonsp/smm_gateway_sp.cmake REQUIRED) + include(../../infra/psa-varstore.cmake REQUIRED) + include(../../smm-gateway.cmake REQUIRED) + +-#------------------------------------------------------------------------------- +-# Set target platform to provide drivers needed by the deployment +-# +-#------------------------------------------------------------------------------- +-add_platform(TARGET "smm-gateway") + + #------------------------------------------------------------------------------- + # Deployment specific build options +diff --git a/deployments/smm-gateway/config/default-sp/CMakeLists.txt b/deployments/smm-gateway/config/default-sp/CMakeLists.txt +index e56a8559d..d3a96b0c6 100644 +--- a/deployments/smm-gateway/config/default-sp/CMakeLists.txt ++++ b/deployments/smm-gateway/config/default-sp/CMakeLists.txt +@@ -29,7 +29,30 @@ set(TRACE_PREFIX "SMMGW" CACHE STRING "Trace prefix") + set(SP_STACK_SIZE "64 * 1024" CACHE STRING "Stack size") + set(SP_BOOT_ORDER "8") + +-set(SP_HEAP_SIZE "32 * 1024" CACHE STRING "Heap size") ++#------------------------------------------------------------------------------- ++# Set target platform to provide drivers needed by the deployment ++# ++#------------------------------------------------------------------------------- ++add_platform(TARGET "smm-gateway") ++ ++# SMM variable and RPC caller settings ++set(SMM_GATEWAY_MAX_UEFI_VARIABLES 40 CACHE STRING "Maximum UEFI variable count") ++set(SMM_RPC_CALLER_SESSION_SHARED_MEMORY_SIZE 8192 CACHE STRING "RPC caller buffer size in SMMGW") ++ ++# Validating settings ++# The UEFI variable index entry size is 168 bytes ++math(EXPR SHM_MIN "${SMM_GATEWAY_MAX_UEFI_VARIABLES} * 168") ++ ++if (${SMM_RPC_CALLER_SESSION_SHARED_MEMORY_SIZE} LESS ${SHM_MIN}) ++ message(FATAL_ERROR "The RPC SHM size must be at least 168 * [max UEFI variable count]") ++endif() ++ ++target_compile_definitions("smm-gateway" PRIVATE ++ RPC_CALLER_SESSION_SHARED_MEMORY_SIZE=${SMM_RPC_CALLER_SESSION_SHARED_MEMORY_SIZE} ++ SMM_GATEWAY_MAX_UEFI_VARIABLES=${SMM_GATEWAY_MAX_UEFI_VARIABLES} ++) ++ ++set(SP_HEAP_SIZE "16 * 1024 + ${SMM_GATEWAY_MAX_UEFI_VARIABLES} * 168 + ${SMM_RPC_CALLER_SESSION_SHARED_MEMORY_SIZE}" CACHE STRING "SP heap size in bytes") + + # Setting the MM communication buffer parameters + set(MM_COMM_BUFFER_ADDRESS "0x00000008 0x81000000" CACHE STRING "Address of MM communicte buffer in 64 bit DTS format") +@@ -49,12 +72,6 @@ include(../../env/commonsp/smm_gateway_sp.cmake REQUIRED) + include(../../infra/psa-varstore.cmake REQUIRED) + include(../../smm-gateway.cmake REQUIRED) + +-#------------------------------------------------------------------------------- +-# Set target platform to provide drivers needed by the deployment +-# +-#------------------------------------------------------------------------------- +-add_platform(TARGET "smm-gateway") +- + #------------------------------------------------------------------------------- + # Deployment specific build options + #------------------------------------------------------------------------------- +diff --git a/platform/providers/arm/corstone1000/platform.cmake b/platform/providers/arm/corstone1000/platform.cmake +index d16cde3f4..fd93d6f7e 100644 +--- a/platform/providers/arm/corstone1000/platform.cmake ++++ b/platform/providers/arm/corstone1000/platform.cmake +@@ -9,9 +9,11 @@ + # include MHU driver + include(${TS_ROOT}/platform/drivers/arm/mhu_driver/component.cmake) + ++set(SMM_GATEWAY_MAX_UEFI_VARIABLES 80 CACHE STRING "Maximum UEFI variable count") ++set(SMM_RPC_CALLER_SESSION_SHARED_MEMORY_SIZE 16384 CACHE STRING "RPC caller buffer size in SMMGW") ++ + target_compile_definitions(${TGT} PRIVATE + SMM_VARIABLE_INDEX_STORAGE_UID=0x787 +- SMM_GATEWAY_MAX_UEFI_VARIABLES=80 + ) + + add_compile_definitions(MBEDTLS_ECP_DP_SECP521R1_ENABLED) +-- +2.25.1 + + diff --git a/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0014-Use-__packed-for-the-variable_metadata-struct.patch b/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0014-Use-__packed-for-the-variable_metadata-struct.patch new file mode 100644 index 00000000..019b54a9 --- /dev/null +++ b/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0014-Use-__packed-for-the-variable_metadata-struct.patch @@ -0,0 +1,34 @@ +From 8290755eb2b6aaa857b2dca74494290c64d46fb3 Mon Sep 17 00:00:00 2001 +From: Bence Balogh +Date: Mon, 26 Feb 2024 16:41:03 +0100 +Subject: [PATCH] Use __packed for the variable_metadata struct + +This is only a temporary fix so the buffer limit in TF-M +doesn't need to be changed. With the __packed attribute, the +struct's size is 100 bytes instead of 104 bytes. +The struct will be changed in later upstream commits so this +change won't be needed, and the RSS_COMMS implementation +will be able to handle that. + +Upstream-Status: Inappropriate +[Won't be needed after newer upstream version] +--- + components/service/smm_variable/backend/variable_index.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/components/service/smm_variable/backend/variable_index.h b/components/service/smm_variable/backend/variable_index.h +index 2f0197da..e82039ac 100644 +--- a/components/service/smm_variable/backend/variable_index.h ++++ b/components/service/smm_variable/backend/variable_index.h +@@ -29,7 +29,7 @@ extern "C" { + * + * Holds metadata associated with stored variable. + */ +-struct variable_metadata ++struct __packed variable_metadata + { + EFI_GUID guid; + size_t name_size; +-- +2.25.1 + diff --git a/meta-arm-bsp/recipes-security/trusted-services/ts-arm-platforms.inc b/meta-arm-bsp/recipes-security/trusted-services/ts-arm-platforms.inc index 36f7c9b9..9bace889 100644 --- a/meta-arm-bsp/recipes-security/trusted-services/ts-arm-platforms.inc +++ b/meta-arm-bsp/recipes-security/trusted-services/ts-arm-platforms.inc @@ -11,6 +11,11 @@ SRC_URI:append:corstone1000 = " \ file://0007-plat-corstone1000-Initialize-capsule-update-provider.patch \ file://0008-platform-corstone1000-fix-synchronization-issue.patch \ file://0009-plat-corstone1000-fmp-client-id.patch \ + file://0010-Decrease-SMM_GATEWAY_MAX_UEFI_VARIABLES.patch \ + file://0011-Fix-psa_ipc-service-s-psa_call.patch \ + file://0012-Make-RPC-caller-session-SHM-size-build-time-configur.patch \ + file://0013-Set-RPC-caller-session-SHM-size-for-Corstone-1000-SM.patch \ + file://0014-Use-__packed-for-the-variable_metadata-struct.patch \ "