Merge "build: use `ar` over `gcc-ar`" into integration
diff --git a/.ctags b/.ctags
new file mode 100644
index 0000000..5e608e4
--- /dev/null
+++ b/.ctags
@@ -0,0 +1,4 @@
+--regex-Asm=/^func[ \t]+([a-zA-Z_0-9]+)$/\1/l,function/
+--regex-Asm=/^.*\.macro[ \t]+([a-zA-Z_0-9]+)$/\1/m,macro/
+--regex-Asm=/^vector_entry[ \t]+([a-zA-Z_0-9]+)$/\1/l,function/
+--regex-Asm=/^.equ[ \t]+([a-zA-Z_0-9]+),/\1/l,name/
diff --git a/bl31/bl31.mk b/bl31/bl31.mk
index 7dc71a2..336ad2b 100644
--- a/bl31/bl31.mk
+++ b/bl31/bl31.mk
@@ -111,6 +111,10 @@
 BL31_SOURCES		+=	lib/extensions/fgt/fgt2.c
 endif
 
+ifneq (${ENABLE_FEAT_TCR2},0)
+BL31_SOURCES		+=	lib/extensions/tcr/tcr2.c
+endif
+
 ifeq (${ENABLE_MPMM},1)
 BL31_SOURCES		+=	${MPMM_SOURCES}
 endif
diff --git a/changelog.yaml b/changelog.yaml
index dbbff99..d073a84 100644
--- a/changelog.yaml
+++ b/changelog.yaml
@@ -1405,6 +1405,7 @@
           - git-hooks
 
   - title: Tools
+    scope: tools
 
     subsections:
       - title: STM32 Image
diff --git a/common/fdt_fixup.c b/common/fdt_fixup.c
index 1bad74f..59b7543 100644
--- a/common/fdt_fixup.c
+++ b/common/fdt_fixup.c
@@ -197,6 +197,7 @@
 			    uintptr_t base, size_t size)
 {
 	int offs = fdt_path_offset(dtb, "/reserved-memory");
+	int node;
 	uint32_t addresses[4];
 	int ac, sc;
 	unsigned int idx = 0;
@@ -213,6 +214,24 @@
 		fdt_setprop(dtb, offs, "ranges", NULL, 0);
 	}
 
+	/* Check for existing regions */
+	fdt_for_each_subnode(node, dtb, offs) {
+		uintptr_t c_base;
+		size_t c_size;
+		int ret;
+
+		ret = fdt_get_reg_props_by_index(dtb, node, 0, &c_base, &c_size);
+		/* Ignore illegal subnodes */
+		if (ret != 0) {
+			continue;
+		}
+
+		/* existing region entirely contains the new region */
+		if (base >= c_base && (base + size) <= (c_base + c_size)) {
+			return 0;
+		}
+	}
+
 	if (ac > 1) {
 		addresses[idx] = cpu_to_fdt32(HIGH_BITS(base));
 		idx++;
diff --git a/docs/components/cot-binding.rst b/docs/components/cot-binding.rst
index 1d31e3d..5d9acdf 100644
--- a/docs/components/cot-binding.rst
+++ b/docs/components/cot-binding.rst
@@ -108,7 +108,7 @@
                      Usage:
 
                      This property provides the Object ID of public key
-                     provided in the certificate which the help of which
+                     provided in the certificate with the help of which
                      public key information can be extracted.
 
                      Value type: <string>
@@ -122,7 +122,7 @@
                      Usage:
 
                      This property provides the Object ID of hash provided in
-                     the certificate which the help of which hash information
+                     the certificate with the help of which hash information
                      can be extracted.
 
                      Value type: <string>
diff --git a/drivers/auth/mbedtls/mbedtls_common.mk b/drivers/auth/mbedtls/mbedtls_common.mk
index 55ab935..e925e14 100644
--- a/drivers/auth/mbedtls/mbedtls_common.mk
+++ b/drivers/auth/mbedtls/mbedtls_common.mk
@@ -118,6 +118,14 @@
     TF_MBEDTLS_HASH_ALG_ID	:=	TF_MBEDTLS_SHA256
 endif
 
+ifeq (${MBOOT_EL_HASH_ALG}, sha256)
+    $(eval $(call add_define,TF_MBEDTLS_MBOOT_USE_SHA256))
+else ifeq (${MBOOT_EL_HASH_ALG}, sha384)
+    $(eval $(call add_define,TF_MBEDTLS_MBOOT_USE_SHA384))
+else ifeq (${MBOOT_EL_HASH_ALG}, sha512)
+    $(eval $(call add_define,TF_MBEDTLS_MBOOT_USE_SHA512))
+endif
+
 ifeq (${TF_MBEDTLS_KEY_ALG},ecdsa)
     TF_MBEDTLS_KEY_ALG_ID	:=	TF_MBEDTLS_ECDSA
 else ifeq (${TF_MBEDTLS_KEY_ALG},rsa)
diff --git a/include/drivers/auth/mbedtls/mbedtls_config-3.h b/include/drivers/auth/mbedtls/mbedtls_config-3.h
index 37a9288..6ed9397 100644
--- a/include/drivers/auth/mbedtls/mbedtls_config-3.h
+++ b/include/drivers/auth/mbedtls/mbedtls_config-3.h
@@ -73,23 +73,17 @@
 #define MBEDTLS_X509_RSASSA_PSS_SUPPORT
 #endif
 
-/* The library does not currently support enabling SHA-256 without SHA-224. */
-#define MBEDTLS_SHA224_C
-#define MBEDTLS_SHA256_C
-/*
- * If either Trusted Boot or Measured Boot require a stronger algorithm than
- * SHA-256, pull in SHA-512 support. Library currently needs to have SHA_384
- * support when enabling SHA-512.
- */
-#if (TF_MBEDTLS_HASH_ALG_ID != TF_MBEDTLS_SHA256) /* TBB hash algo */
-#define MBEDTLS_SHA384_C
-#define	MBEDTLS_SHA512_C
-#else
-   /* TBB uses SHA-256, what about measured boot? */
-#if defined(TF_MBEDTLS_MBOOT_USE_SHA512)
-#define MBEDTLS_SHA384_C
-#define MBEDTLS_SHA512_C
+/* Enable hash algorithms based on TBB or Measured Boot */
+#if (TF_MBEDTLS_HASH_ALG_ID == TF_MBEDTLS_SHA256) || defined(TF_MBEDTLS_MBOOT_USE_SHA256)
+    #define MBEDTLS_SHA256_C
 #endif
+
+#if (TF_MBEDTLS_HASH_ALG_ID == TF_MBEDTLS_SHA384) || defined(TF_MBEDTLS_MBOOT_USE_SHA384)
+    #define MBEDTLS_SHA384_C
+#endif
+
+#if (TF_MBEDTLS_HASH_ALG_ID == TF_MBEDTLS_SHA512) || defined(TF_MBEDTLS_MBOOT_USE_SHA512)
+    #define MBEDTLS_SHA512_C
 #endif
 
 #define MBEDTLS_VERSION_C
@@ -104,7 +98,9 @@
 #endif
 
 /* MPI / BIGNUM options */
-#define MBEDTLS_MPI_WINDOW_SIZE			2
+
+/* Note: Lower numbers trade longer execution time for less RAM allocation */
+#define MBEDTLS_MPI_WINDOW_SIZE			1
 
 #if TF_MBEDTLS_USE_RSA
 #if TF_MBEDTLS_KEY_SIZE <= 2048
diff --git a/include/lib/extensions/tcr2.h b/include/lib/extensions/tcr2.h
new file mode 100644
index 0000000..08a2b08
--- /dev/null
+++ b/include/lib/extensions/tcr2.h
@@ -0,0 +1,24 @@
+/*
+ * Copyright (c) 2024, Arm Limited. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#ifndef TCR2_H
+#define TCR2_H
+
+#include <context.h>
+
+#if ENABLE_FEAT_TCR2
+void tcr2_enable(cpu_context_t *ctx);
+void tcr2_disable(cpu_context_t *ctx);
+#else
+static inline void tcr2_enable(cpu_context_t *ctx)
+{
+}
+static inline void tcr2_disable(cpu_context_t *ctx)
+{
+}
+#endif /* ENABLE_FEAT_TCR2 */
+
+#endif /* TCR2_H */
diff --git a/lib/el3_runtime/aarch64/context_mgmt.c b/lib/el3_runtime/aarch64/context_mgmt.c
index 6f3b51a..218ad11 100644
--- a/lib/el3_runtime/aarch64/context_mgmt.c
+++ b/lib/el3_runtime/aarch64/context_mgmt.c
@@ -34,6 +34,7 @@
 #include <lib/extensions/spe.h>
 #include <lib/extensions/sve.h>
 #include <lib/extensions/sys_reg_trace.h>
+#include <lib/extensions/tcr2.h>
 #include <lib/extensions/trbe.h>
 #include <lib/extensions/trf.h>
 #include <lib/utils.h>
@@ -1538,28 +1539,37 @@
 *********************************************************************************/
 void cm_handle_asymmetric_features(void)
 {
-#if ENABLE_SPE_FOR_NS == FEAT_STATE_CHECK_ASYMMETRIC
-	cpu_context_t *spe_ctx = cm_get_context(NON_SECURE);
+	cpu_context_t *ctx __maybe_unused = cm_get_context(NON_SECURE);
 
-	assert(spe_ctx != NULL);
+	assert(ctx != NULL);
 
+#if ENABLE_SPE_FOR_NS == FEAT_STATE_CHECK_ASYMMETRIC
 	if (is_feat_spe_supported()) {
-		spe_enable(spe_ctx);
+		spe_enable(ctx);
 	} else {
-		spe_disable(spe_ctx);
+		spe_disable(ctx);
 	}
 #endif
-#if ERRATA_A520_2938996 || ERRATA_X4_2726228
-	cpu_context_t *trbe_ctx = cm_get_context(NON_SECURE);
-
-	assert(trbe_ctx != NULL);
 
+#if ERRATA_A520_2938996 || ERRATA_X4_2726228
 	if (check_if_affected_core() == ERRATA_APPLIES) {
 		if (is_feat_trbe_supported()) {
-			trbe_disable(trbe_ctx);
+			trbe_disable(ctx);
 		}
 	}
 #endif
+
+#if ENABLE_FEAT_TCR2 == FEAT_STATE_CHECK_ASYMMETRIC
+	el3_state_t *el3_state = get_el3state_ctx(ctx);
+	u_register_t spsr = read_ctx_reg(el3_state, CTX_SPSR_EL3);
+
+	if (is_feat_tcr2_supported() && (GET_RW(spsr) == MODE_RW_64)) {
+		tcr2_enable(ctx);
+	} else {
+		tcr2_disable(ctx);
+	}
+#endif
+
 }
 #endif
 
diff --git a/lib/extensions/tcr/tcr2.c b/lib/extensions/tcr/tcr2.c
new file mode 100644
index 0000000..70bc5f8
--- /dev/null
+++ b/lib/extensions/tcr/tcr2.c
@@ -0,0 +1,42 @@
+/*
+ * Copyright (c) 2024, Arm Limited. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#include <arch.h>
+#include <arch_features.h>
+#include <arch_helpers.h>
+#include <lib/extensions/tcr2.h>
+
+void tcr2_enable(cpu_context_t *ctx)
+{
+	u_register_t reg;
+	el3_state_t *state;
+
+	state = get_el3state_ctx(ctx);
+
+	/* Set the TCR2EN bit in SCR_EL3 to enable access to TCR2_EL1,
+	 * and TCR2_EL2 registers .
+	 */
+
+	reg = read_ctx_reg(state, CTX_SCR_EL3);
+	reg |= SCR_TCR2EN_BIT;
+	write_ctx_reg(state, CTX_SCR_EL3, reg);
+}
+
+void tcr2_disable(cpu_context_t *ctx)
+{
+	u_register_t reg;
+	el3_state_t *state;
+
+	state = get_el3state_ctx(ctx);
+
+	/* Clear the TCR2EN bit in SCR_EL3 to disable access to TCR2_EL1,
+	 * and TCR2_EL2 registers .
+	 */
+
+	reg = read_ctx_reg(state, CTX_SCR_EL3);
+	reg &= ~SCR_TCR2EN_BIT;
+	write_ctx_reg(state, CTX_SCR_EL3, reg);
+}
diff --git a/plat/amd/versal2/platform.mk b/plat/amd/versal2/platform.mk
index c07fc36..1c977a3 100644
--- a/plat/amd/versal2/platform.mk
+++ b/plat/amd/versal2/platform.mk
@@ -116,6 +116,7 @@
 				plat/xilinx/common/versal.c			\
 				${PLAT_PATH}/bl31_setup.c			\
 				common/fdt_fixup.c				\
+				common/fdt_wrappers.c				\
 				${LIBFDT_SRCS}					\
 				${PLAT_PATH}/sip_svc_setup.c			\
 				${PLAT_PATH}/gicv3.c
diff --git a/plat/arm/board/tc/platform.mk b/plat/arm/board/tc/platform.mk
index 217b2c9..3ef25de 100644
--- a/plat/arm/board/tc/platform.mk
+++ b/plat/arm/board/tc/platform.mk
@@ -36,8 +36,9 @@
 ENABLE_AMU_AUXILIARY_COUNTERS	:=	1
 ENABLE_MPMM			:=	1
 ENABLE_MPMM_FCONF		:=	1
-ENABLE_FEAT_MTE2	        :=	2
+ENABLE_FEAT_MTE2		:=	2
 ENABLE_SPE_FOR_NS		:=	3
+ENABLE_FEAT_TCR2		:=	3
 
 CTX_INCLUDE_AARCH32_REGS	:=	0
 
diff --git a/plat/arm/common/arm_common.mk b/plat/arm/common/arm_common.mk
index 3c4ad64..660a3a5 100644
--- a/plat/arm/common/arm_common.mk
+++ b/plat/arm/common/arm_common.mk
@@ -432,10 +432,6 @@
     $(info Including ${MEASURED_BOOT_MK})
     include ${MEASURED_BOOT_MK}
 
-    ifneq (${MBOOT_EL_HASH_ALG}, sha256)
-        $(eval $(call add_define,TF_MBEDTLS_MBOOT_USE_SHA512))
-    endif
-
     ifeq (${MEASURED_BOOT},1)
          BL1_SOURCES		+= 	${EVENT_LOG_SOURCES}
          BL2_SOURCES		+= 	${EVENT_LOG_SOURCES}
diff --git a/plat/imx/imx8m/imx8mm/platform.mk b/plat/imx/imx8m/imx8mm/platform.mk
index f0cdb3e..d1c1259 100644
--- a/plat/imx/imx8m/imx8mm/platform.mk
+++ b/plat/imx/imx8m/imx8mm/platform.mk
@@ -188,10 +188,6 @@
     $(info Including ${MEASURED_BOOT_MK})
     include ${MEASURED_BOOT_MK}
 
-ifneq (${MBOOT_EL_HASH_ALG}, sha256)
-    $(eval $(call add_define,TF_MBEDTLS_MBOOT_USE_SHA512))
-endif
-
 BL2_SOURCES		+=	plat/imx/imx8m/imx8m_measured_boot.c	\
 				plat/imx/imx8m/imx8m_dyn_cfg_helpers.c	\
 				${EVENT_LOG_SOURCES}
diff --git a/plat/qemu/qemu/platform.mk b/plat/qemu/qemu/platform.mk
index 066554a..cf1b3a8 100644
--- a/plat/qemu/qemu/platform.mk
+++ b/plat/qemu/qemu/platform.mk
@@ -96,10 +96,6 @@
     $(info Including ${MEASURED_BOOT_MK})
     include ${MEASURED_BOOT_MK}
 
-    ifneq (${MBOOT_EL_HASH_ALG}, sha256)
-        $(eval $(call add_define,TF_MBEDTLS_MBOOT_USE_SHA512))
-    endif
-
     BL2_SOURCES		+=	plat/qemu/qemu/qemu_measured_boot.c	\
 				plat/qemu/qemu/qemu_helpers.c		\
 				${EVENT_LOG_SOURCES}
diff --git a/plat/rpi/rpi4/platform.mk b/plat/rpi/rpi4/platform.mk
index cbfa6f2..c39a587 100644
--- a/plat/rpi/rpi4/platform.mk
+++ b/plat/rpi/rpi4/platform.mk
@@ -31,6 +31,7 @@
 				plat/common/plat_psci_common.c		\
 				plat/rpi/common/rpi3_topology.c		\
 				common/fdt_fixup.c			\
+				common/fdt_wrappers.c			\
 				${LIBFDT_SRCS}				\
 				${GICV2_SOURCES}
 
diff --git a/plat/st/stm32mp2/bl2_plat_setup.c b/plat/st/stm32mp2/bl2_plat_setup.c
index 96ac68b..edada72 100644
--- a/plat/st/stm32mp2/bl2_plat_setup.c
+++ b/plat/st/stm32mp2/bl2_plat_setup.c
@@ -179,11 +179,6 @@
 
 	configure_mmu();
 
-	/* Prevent corruption of preloaded Device Tree */
-	mmap_add_dynamic_region(DTB_BASE, DTB_BASE,
-				DTB_LIMIT - DTB_BASE,
-				MT_RO_DATA | MT_SECURE);
-
 	if (dt_open_and_check(STM32MP_DTB_BASE) < 0) {
 		panic();
 	}
@@ -258,7 +253,10 @@
 				FW_CONFIG_ID);
 		fconf_populate("FW_CONFIG", STM32MP_FW_CONFIG_BASE);
 
-		mmap_remove_dynamic_region(DTB_BASE, DTB_LIMIT - DTB_BASE);
+		/*
+		 * After this step, the BL2 device tree area will be overwritten
+		 * with BL31 binary, no other data should be read from BL2 DT.
+		 */
 
 		break;
 
diff --git a/plat/st/stm32mp2/include/platform_def.h b/plat/st/stm32mp2/include/platform_def.h
index 2f7570d..0f22a93 100644
--- a/plat/st/stm32mp2/include/platform_def.h
+++ b/plat/st/stm32mp2/include/platform_def.h
@@ -81,13 +81,6 @@
 #define BL33_BASE			STM32MP_BL33_BASE
 
 /*******************************************************************************
- * DTB specific defines.
- ******************************************************************************/
-#define DTB_BASE			STM32MP_DTB_BASE
-#define DTB_LIMIT			(STM32MP_DTB_BASE + \
-					 STM32MP_DTB_SIZE)
-
-/*******************************************************************************
  * Platform specific page table and MMU setup constants
  ******************************************************************************/
 #define PLAT_PHY_ADDR_SPACE_SIZE	(ULL(1) << 33)
diff --git a/plat/xilinx/common/pm_service/pm_ipi.c b/plat/xilinx/common/pm_service/pm_ipi.c
index 205877c..425fdcb 100644
--- a/plat/xilinx/common/pm_service/pm_ipi.c
+++ b/plat/xilinx/common/pm_service/pm_ipi.c
@@ -164,10 +164,13 @@
  *
  */
 static enum pm_ret_status pm_ipi_buff_read(const struct pm_proc *proc,
-					   uint32_t value[PAYLOAD_ARG_CNT])
+					   uint32_t *value, size_t count)
 {
 	size_t i;
 	enum pm_ret_status ret;
+#if IPI_CRC_CHECK
+	uint32_t crc;
+#endif
 	uintptr_t buffer_base = proc->ipi->buffer_base +
 				IPI_BUFFER_TARGET_REMOTE_OFFSET +
 				IPI_BUFFER_RESP_OFFSET;
@@ -179,21 +182,20 @@
 	 * buf-2: unused
 	 * buf-3: unused
 	 */
-	for (i = 0; i < PAYLOAD_ARG_CNT; i++) {
-		value[i] = mmio_read_32(buffer_base + (i * PAYLOAD_ARG_SIZE));
+	for (i = 0U; i < count; i++) {
+		value[i] = mmio_read_32(buffer_base + ((i + 1U) * PAYLOAD_ARG_SIZE));
 	}
 
-	ret = value[0];
+	ret = mmio_read_32(buffer_base);
 #if IPI_CRC_CHECK
-	if (value[PAYLOAD_CRC_POS] !=
-			calculate_crc(value, IPI_W0_TO_W6_SIZE)) {
-		NOTICE("ERROR in CRC response payload value:0x%x\n",
-					value[PAYLOAD_CRC_POS]);
+	crc = mmio_read_32(buffer_base + (PAYLOAD_CRC_POS * PAYLOAD_ARG_SIZE));
+	if (crc != calculate_crc((uint32_t *)buffer_base, IPI_W0_TO_W6_SIZE)) {
+		NOTICE("ERROR in CRC response payload value:0x%x\n", crc);
 		ret = PM_RET_ERROR_INVALID_CRC;
 		/* Payload data is invalid as CRC validation failed
 		 * Clear the payload to avoid leakage of data to upper layers
 		 */
-		memset(value, 0, PAYLOAD_ARG_CNT);
+		memset(value, 0, count);
 	}
 #endif
 
@@ -216,9 +218,7 @@
 {
 	size_t i;
 #if IPI_CRC_CHECK
-	uint32_t *payload_ptr = value;
-	size_t j;
-	unsigned int response_payload[PAYLOAD_ARG_CNT] = {0};
+	uint32_t crc;
 #endif
 	uintptr_t buffer_base = IPI_BUFFER_REMOTE_BASE +
 				IPI_BUFFER_TARGET_LOCAL_OFFSET +
@@ -230,24 +230,17 @@
 	}
 
 	for (i = 0; i < count; i++) {
-		*value = mmio_read_32(buffer_base + (i * PAYLOAD_ARG_SIZE));
-		value++;
+		value[i] = mmio_read_32(buffer_base + (i * PAYLOAD_ARG_SIZE));
 	}
 #if IPI_CRC_CHECK
-	for (j = 0; j < PAYLOAD_ARG_CNT; j++) {
-		response_payload[j] = mmio_read_32(buffer_base +
-						(j * PAYLOAD_ARG_SIZE));
-	}
-
-	if (response_payload[PAYLOAD_CRC_POS] !=
-			calculate_crc(response_payload, IPI_W0_TO_W6_SIZE)) {
-		NOTICE("ERROR in CRC response payload value:0x%x\n",
-					response_payload[PAYLOAD_CRC_POS]);
+	crc = mmio_read_32(buffer_base + (PAYLOAD_CRC_POS * PAYLOAD_ARG_SIZE));
+	if (crc != calculate_crc((uint32_t *)buffer_base, IPI_W0_TO_W6_SIZE)) {
+		NOTICE("ERROR in CRC response payload value:0x%x\n", crc);
 		ret = PM_RET_ERROR_INVALID_CRC;
 		/* Payload data is invalid as CRC validation failed
 		 * Clear the payload to avoid leakage of data to upper layers
 		 */
-		memset(payload_ptr, 0, count);
+		memset(value, 0, count);
 	}
 #endif
 	return ret;
@@ -271,7 +264,6 @@
 				    uint32_t *value, size_t count)
 {
 	enum pm_ret_status ret;
-	uint32_t i, ret_payload[PAYLOAD_ARG_CNT] = {0U};
 
 	pm_ipi_lock_get();
 
@@ -280,12 +272,7 @@
 		goto unlock;
 	}
 
-	ret = ERROR_CODE_MASK & (pm_ipi_buff_read(proc, ret_payload));
-
-	for (i = 1U; i <= count; i++) {
-		*value = ret_payload[i];
-		value++;
-	}
+	ret = ERROR_CODE_MASK & (pm_ipi_buff_read(proc, value, count));
 
 unlock:
 	pm_ipi_lock_release();
diff --git a/services/std_svc/drtm/drtm_main.c b/services/std_svc/drtm/drtm_main.c
index b9c83fa..53afb17 100644
--- a/services/std_svc/drtm/drtm_main.c
+++ b/services/std_svc/drtm/drtm_main.c
@@ -808,12 +808,12 @@
 
 	case ARM_DRTM_SVC_GET_ERROR:
 		INFO("DRTM service handler: get error\n");
-		drtm_get_error(handle);
+		return drtm_get_error(handle);
 		break;	/* not reached */
 
 	case ARM_DRTM_SVC_SET_ERROR:
 		INFO("DRTM service handler: set error\n");
-		drtm_set_error(x1, handle);
+		return drtm_set_error(x1, handle);
 		break;	/* not reached */
 
 	case ARM_DRTM_SVC_SET_TCB_HASH:
diff --git a/services/std_svc/drtm/drtm_remediation.c b/services/std_svc/drtm/drtm_remediation.c
index 696b4ea..81d27ec 100644
--- a/services/std_svc/drtm/drtm_remediation.c
+++ b/services/std_svc/drtm/drtm_remediation.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2022 Arm Limited. All rights reserved.
+ * Copyright (c) 2022-2024 Arm Limited. All rights reserved.
  *
  * SPDX-License-Identifier:    BSD-3-Clause
  *
@@ -21,7 +21,7 @@
 	rc = plat_set_drtm_error(x1);
 
 	if (rc != 0) {
-		SMC_RET1(ctx, INTERNAL_ERROR);
+		SMC_RET1(ctx, NOT_FOUND);
 	}
 
 	SMC_RET1(ctx, SUCCESS);
@@ -35,7 +35,7 @@
 	rc = plat_get_drtm_error(&error_code);
 
 	if (rc != 0) {
-		SMC_RET1(ctx, INTERNAL_ERROR);
+		SMC_RET1(ctx, NOT_FOUND);
 	}
 
 	SMC_RET2(ctx, SUCCESS, error_code);
diff --git a/services/std_svc/spmd/spmd_main.c b/services/std_svc/spmd/spmd_main.c
index 0a246f3..3953b24 100644
--- a/services/std_svc/spmd/spmd_main.c
+++ b/services/std_svc/spmd/spmd_main.c
@@ -809,19 +809,6 @@
 		&& (ffa_endpoint_source(ep) == spmc_attrs.spmc_id));
 }
 
-/******************************************************************************
- * spmd_handle_spmc_message
- *****************************************************************************/
-static int spmd_handle_spmc_message(unsigned long long msg,
-		unsigned long long parm1, unsigned long long parm2,
-		unsigned long long parm3, unsigned long long parm4)
-{
-	VERBOSE("%s %llx %llx %llx %llx %llx\n", __func__,
-		msg, parm1, parm2, parm3, parm4);
-
-	return -EINVAL;
-}
-
 /*******************************************************************************
  * This function forwards FF-A SMCs to either the main SPMD handler or the
  * SPMC at EL3, depending on the origin security state, if enabled.
@@ -1123,6 +1110,7 @@
 
 	case FFA_MSG_SEND_DIRECT_REQ_SMC32:
 	case FFA_MSG_SEND_DIRECT_REQ_SMC64:
+	case FFA_MSG_SEND_DIRECT_REQ2_SMC64:
 		/*
 		 * Regardless of secure_origin, SPMD logical partitions cannot
 		 * handle direct messages. They can only initiate direct
@@ -1156,35 +1144,8 @@
 			}
 		}
 		if (secure_origin && spmd_is_spmc_message(x1)) {
-			ret = spmd_handle_spmc_message(x3, x4,
-				SMC_GET_GP(handle, CTX_GPREG_X5),
-				SMC_GET_GP(handle, CTX_GPREG_X6),
-				SMC_GET_GP(handle, CTX_GPREG_X7));
-
-			SMC_RET8(handle, FFA_SUCCESS_SMC32,
-				FFA_TARGET_INFO_MBZ, ret,
-				FFA_PARAM_MBZ, FFA_PARAM_MBZ,
-				FFA_PARAM_MBZ, FFA_PARAM_MBZ,
-				FFA_PARAM_MBZ);
-		} else {
-			/* Forward direct message to the other world */
-			return spmd_smc_forward(smc_fid, secure_origin,
-						x1, x2, x3, x4, cookie,
-						handle, flags);
-		}
-		break; /* Not reached */
-
-	case FFA_MSG_SEND_DIRECT_REQ2_SMC64:
-		if (!secure_origin) {
-			/* Validate source endpoint is non-secure for non-secure caller. */
-			if (ffa_is_secure_world_id(ffa_endpoint_source(x1))) {
 				return spmd_ffa_error_return(handle,
-						FFA_ERROR_INVALID_PARAMETER);
-			}
-		}
-		/* FFA_MSG_SEND_DIRECT_REQ2 not used for framework messages. */
-		if (secure_origin && spmd_is_spmc_message(x1)) {
-			return spmd_ffa_error_return(handle, FFA_ERROR_INVALID_PARAMETER);
+						FFA_ERROR_DENIED);
 		} else {
 			/* Forward direct message to the other world */
 			return spmd_smc_forward(smc_fid, secure_origin,
@@ -1195,6 +1156,7 @@
 
 	case FFA_MSG_SEND_DIRECT_RESP_SMC32:
 	case FFA_MSG_SEND_DIRECT_RESP_SMC64:
+	case FFA_MSG_SEND_DIRECT_RESP2_SMC64:
 		if (secure_origin && (spmd_is_spmc_message(x1) ||
 		    is_spmd_logical_sp_dir_req_in_progress(ctx))) {
 			spmd_spm_core_sync_exit(0ULL);
@@ -1205,12 +1167,6 @@
 						handle, flags);
 		}
 		break; /* Not reached */
-	case FFA_MSG_SEND_DIRECT_RESP2_SMC64:
-		/* Forward direct message to the other world */
-		return spmd_smc_forward(smc_fid, secure_origin,
-					x1, x2, x3, x4, cookie,
-					handle, flags);
-		break; /* Not reached */
 	case FFA_RX_RELEASE:
 	case FFA_RXTX_MAP_SMC32:
 	case FFA_RXTX_MAP_SMC64:
diff --git a/tools/cert_create/include/key.h b/tools/cert_create/include/key.h
index e0ecdae..f7adfab 100644
--- a/tools/cert_create/include/key.h
+++ b/tools/cert_create/include/key.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2015-2023, Arm Limited and Contributors. All rights reserved.
+ * Copyright (c) 2015-2024, Arm Limited and Contributors. All rights reserved.
  *
  * SPDX-License-Identifier: BSD-3-Clause
  */
@@ -65,35 +65,35 @@
 	const char *desc;	/* Key description (debug purposes) */
 	char *fn;		/* Filename to load/store the key */
 	EVP_PKEY *key;		/* Key container */
-} key_t;
+} cert_key_t;
 
 /* Exported API */
 int key_init(void);
-key_t *key_get_by_opt(const char *opt);
+cert_key_t *key_get_by_opt(const char *opt);
 #if !USING_OPENSSL3
-int key_new(key_t *key);
+int key_new(cert_key_t *key);
 #endif
-int key_create(key_t *key, int type, int key_bits);
-unsigned int key_load(key_t *key);
-int key_store(key_t *key);
+int key_create(cert_key_t *key, int type, int key_bits);
+unsigned int key_load(cert_key_t *key);
+int key_store(cert_key_t *key);
 void key_cleanup(void);
 
 /* Macro to register the keys used in the CoT */
 #define REGISTER_KEYS(_keys) \
-	key_t *def_keys = &_keys[0]; \
+	cert_key_t *def_keys = &_keys[0]; \
 	const unsigned int num_def_keys = sizeof(_keys)/sizeof(_keys[0])
 
 /* Macro to register the platform defined keys used in the CoT */
 #define PLAT_REGISTER_KEYS(_pdef_keys) \
-	key_t *pdef_keys = &_pdef_keys[0]; \
+	cert_key_t *pdef_keys = &_pdef_keys[0]; \
 	const unsigned int num_pdef_keys = sizeof(_pdef_keys)/sizeof(_pdef_keys[0])
 
 /* Exported variables */
-extern key_t *def_keys;
+extern cert_key_t *def_keys;
 extern const unsigned int num_def_keys;
-extern key_t *pdef_keys;
+extern cert_key_t *pdef_keys;
 extern const unsigned int num_pdef_keys;
 
-extern key_t *keys;
+extern cert_key_t *keys;
 extern unsigned int num_keys;
 #endif /* KEY_H */
diff --git a/tools/cert_create/src/cca/cot.c b/tools/cert_create/src/cca/cot.c
index 372d908..658b81c 100644
--- a/tools/cert_create/src/cca/cot.c
+++ b/tools/cert_create/src/cca/cot.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2022-2023, Arm Limited. All rights reserved.
+ * Copyright (c) 2022-2024, Arm Limited. All rights reserved.
  *
  * SPDX-License-Identifier: BSD-3-Clause
  */
@@ -410,7 +410,7 @@
 REGISTER_EXTENSIONS(cot_ext);
 
 /* Keys used to establish the chain of trust. */
-static key_t cot_keys[] = {
+static cert_key_t cot_keys[] = {
 	[ROT_KEY] = {
 		.id = ROT_KEY,
 		.opt = "rot-key",
diff --git a/tools/cert_create/src/dualroot/cot.c b/tools/cert_create/src/dualroot/cot.c
index 81a7d75..d2c15bf 100644
--- a/tools/cert_create/src/dualroot/cot.c
+++ b/tools/cert_create/src/dualroot/cot.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2020, Arm Limited. All rights reserved.
+ * Copyright (c) 2020-2024, Arm Limited. All rights reserved.
  *
  * SPDX-License-Identifier: BSD-3-Clause
  */
@@ -536,7 +536,7 @@
 
 
 /* Keys used to establish the chain of trust. */
-static key_t cot_keys[] = {
+static cert_key_t cot_keys[] = {
 	[ROT_KEY] = {
 		.id = ROT_KEY,
 		.opt = "rot-key",
diff --git a/tools/cert_create/src/key.c b/tools/cert_create/src/key.c
index f6ceeda..190c096 100644
--- a/tools/cert_create/src/key.c
+++ b/tools/cert_create/src/key.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2015-2023, Arm Limited and Contributors. All rights reserved.
+ * Copyright (c) 2015-2024, Arm Limited and Contributors. All rights reserved.
  *
  * SPDX-License-Identifier: BSD-3-Clause
  */
@@ -26,14 +26,14 @@
 
 #define MAX_FILENAME_LEN		1024
 
-key_t *keys;
+cert_key_t *keys;
 unsigned int num_keys;
 
 #if !USING_OPENSSL3
 /*
  * Create a new key container
  */
-int key_new(key_t *key)
+int key_new(cert_key_t *key)
 {
 	/* Create key pair container */
 	key->key = EVP_PKEY_new();
@@ -45,7 +45,7 @@
 }
 #endif
 
-static int key_create_rsa(key_t *key, int key_bits)
+static int key_create_rsa(cert_key_t *key, int key_bits)
 {
 #if USING_OPENSSL3
 	EVP_PKEY *rsa = EVP_RSA_gen(key_bits);
@@ -99,7 +99,7 @@
 
 #ifndef OPENSSL_NO_EC
 #if USING_OPENSSL3
-static int key_create_ecdsa(key_t *key, int key_bits, const char *curve)
+static int key_create_ecdsa(cert_key_t *key, int key_bits, const char *curve)
 {
 	EVP_PKEY *ec = EVP_EC_gen(curve);
 	if (ec == NULL) {
@@ -111,7 +111,7 @@
 	return 1;
 }
 
-static int key_create_ecdsa_nist(key_t *key, int key_bits)
+static int key_create_ecdsa_nist(cert_key_t *key, int key_bits)
 {
 	if (key_bits == 384) {
 		return key_create_ecdsa(key, key_bits, "secp384r1");
@@ -121,17 +121,17 @@
 	}
 }
 
-static int key_create_ecdsa_brainpool_r(key_t *key, int key_bits)
+static int key_create_ecdsa_brainpool_r(cert_key_t *key, int key_bits)
 {
 	return key_create_ecdsa(key, key_bits, "brainpoolP256r1");
 }
 
-static int key_create_ecdsa_brainpool_t(key_t *key, int key_bits)
+static int key_create_ecdsa_brainpool_t(cert_key_t *key, int key_bits)
 {
 	return key_create_ecdsa(key, key_bits, "brainpoolP256t1");
 }
 #else
-static int key_create_ecdsa(key_t *key, int key_bits, const int curve_id)
+static int key_create_ecdsa(cert_key_t *key, int key_bits, const int curve_id)
 {
 	EC_KEY *ec;
 
@@ -158,7 +158,7 @@
 	return 0;
 }
 
-static int key_create_ecdsa_nist(key_t *key, int key_bits)
+static int key_create_ecdsa_nist(cert_key_t *key, int key_bits)
 {
 	if (key_bits == 384) {
 		return key_create_ecdsa(key, key_bits, NID_secp384r1);
@@ -169,12 +169,12 @@
 }
 
 #if OPENSSL_VERSION_NUMBER >= 0x10100000L
-static int key_create_ecdsa_brainpool_r(key_t *key, int key_bits)
+static int key_create_ecdsa_brainpool_r(cert_key_t *key, int key_bits)
 {
 	return key_create_ecdsa(key, key_bits, NID_brainpoolP256r1);
 }
 
-static int key_create_ecdsa_brainpool_t(key_t *key, int key_bits)
+static int key_create_ecdsa_brainpool_t(cert_key_t *key, int key_bits)
 {
 	return key_create_ecdsa(key, key_bits, NID_brainpoolP256t1);
 }
@@ -182,7 +182,7 @@
 #endif /* USING_OPENSSL3 */
 #endif /* OPENSSL_NO_EC */
 
-typedef int (*key_create_fn_t)(key_t *key, int key_bits);
+typedef int (*key_create_fn_t)(cert_key_t *key, int key_bits);
 static const key_create_fn_t key_create_fn[KEY_ALG_MAX_NUM] = {
 	[KEY_ALG_RSA] = key_create_rsa,
 #ifndef OPENSSL_NO_EC
@@ -194,7 +194,7 @@
 #endif /* OPENSSL_NO_EC */
 };
 
-int key_create(key_t *key, int type, int key_bits)
+int key_create(cert_key_t *key, int type, int key_bits)
 {
 	if (type >= KEY_ALG_MAX_NUM) {
 		printf("Invalid key type\n");
@@ -243,7 +243,7 @@
 
 }
 
-unsigned int key_load(key_t *key)
+unsigned int key_load(cert_key_t *key)
 {
 	if (key->fn == NULL) {
 		VERBOSE("Key not specified\n");
@@ -273,7 +273,7 @@
 	return KEY_ERR_NONE;
 }
 
-int key_store(key_t *key)
+int key_store(cert_key_t *key)
 {
 	FILE *fp;
 
@@ -301,7 +301,7 @@
 int key_init(void)
 {
 	cmd_opt_t cmd_opt;
-	key_t *key;
+	cert_key_t *key;
 	unsigned int i;
 
 	keys = malloc((num_def_keys * sizeof(def_keys[0]))
@@ -341,9 +341,9 @@
 	return 0;
 }
 
-key_t *key_get_by_opt(const char *opt)
+cert_key_t *key_get_by_opt(const char *opt)
 {
-	key_t *key;
+	cert_key_t *key;
 	unsigned int i;
 
 	/* Sequential search. This is not a performance concern since the number
diff --git a/tools/cert_create/src/main.c b/tools/cert_create/src/main.c
index edc2d68..aa21206 100644
--- a/tools/cert_create/src/main.c
+++ b/tools/cert_create/src/main.c
@@ -4,6 +4,8 @@
  * SPDX-License-Identifier: BSD-3-Clause
  */
 
+#define _POSIX_C_SOURCE 200809L
+
 #include <assert.h>
 #include <ctype.h>
 #include <getopt.h>
@@ -69,16 +71,6 @@
 static const char build_msg[] = "Built : " __TIME__ ", " __DATE__;
 static const char platform_msg[] = PLAT_MSG;
 
-static char *strdup(const char *str)
-{
-	int n = strlen(str) + 1;
-	char *dup = malloc(n);
-	if (dup) {
-		strcpy(dup, str);
-	}
-	return dup;
-}
-
 static const char *key_algs_str[] = {
 	[KEY_ALG_RSA] = "rsa",
 #ifndef OPENSSL_NO_EC
@@ -178,7 +170,7 @@
 {
 	cert_t *cert;
 	ext_t *ext;
-	key_t *key;
+	cert_key_t *key;
 	int i, j;
 	bool valid_size;
 
@@ -303,7 +295,7 @@
 	STACK_OF(X509_EXTENSION) * sk;
 	X509_EXTENSION *cert_ext = NULL;
 	ext_t *ext;
-	key_t *key;
+	cert_key_t *key;
 	cert_t *cert;
 	FILE *file;
 	int i, j, ext_nid, nvctr;
diff --git a/tools/cert_create/src/tbbr/tbb_key.c b/tools/cert_create/src/tbbr/tbb_key.c
index 5b84b6e..3d99067 100644
--- a/tools/cert_create/src/tbbr/tbb_key.c
+++ b/tools/cert_create/src/tbbr/tbb_key.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2015, ARM Limited and Contributors. All rights reserved.
+ * Copyright (c) 2015-2024, Arm Limited and Contributors. All rights reserved.
  *
  * SPDX-License-Identifier: BSD-3-Clause
  */
@@ -11,7 +11,7 @@
  *
  * The order of the keys must follow the enumeration specified in tbb_key.h
  */
-static key_t tbb_keys[] = {
+static cert_key_t tbb_keys[] = {
 	[ROT_KEY] = {
 		.id = ROT_KEY,
 		.opt = "rot-key",
diff --git a/tools/fiptool/fiptool.c b/tools/fiptool/fiptool.c
index 6c566ef..27119a1 100644
--- a/tools/fiptool/fiptool.c
+++ b/tools/fiptool/fiptool.c
@@ -1,12 +1,13 @@
 /*
- * Copyright (c) 2016-2023, ARM Limited and Contributors. All rights reserved.
+ * Copyright (c) 2016-2024, Arm Limited and Contributors. All rights reserved.
  *
  * SPDX-License-Identifier: BSD-3-Clause
  */
 
-#ifndef _MSC_VER
+#ifdef __linux__
 #include <sys/mount.h>
 #endif
+
 #include <sys/types.h>
 #include <sys/stat.h>
 
diff --git a/tools/nxp/cert_create_helper/src/pdef_tbb_key.c b/tools/nxp/cert_create_helper/src/pdef_tbb_key.c
index cf2ebda..cd48866 100644
--- a/tools/nxp/cert_create_helper/src/pdef_tbb_key.c
+++ b/tools/nxp/cert_create_helper/src/pdef_tbb_key.c
@@ -6,7 +6,7 @@
 
 #include <pdef_tbb_key.h>
 
-static key_t pdef_tbb_keys[] = {
+static cert_key_t pdef_tbb_keys[] = {
 	[DDR_FW_CONTENT_KEY - DDR_FW_CONTENT_KEY] = {
 		.id = DDR_FW_CONTENT_KEY,
 		.opt = "ddr-fw-key",