Merge "feat(fiptool): add ability to build statically" into integration
diff --git a/changelog.yaml b/changelog.yaml
index cdbedbb..7e75832 100644
--- a/changelog.yaml
+++ b/changelog.yaml
@@ -709,8 +709,11 @@
- title: TRNG
scope: trng
- - title: ERRATA_ABI
- scope: errata_abi
+ - title: ERRATA ABI
+ scope: errata-abi
+
+ deprecated:
+ - errata_abi
- title: Libraries
diff --git a/docs/design/cpu-specific-build-macros.rst b/docs/design/cpu-specific-build-macros.rst
index d1bf0d3..bf04558 100644
--- a/docs/design/cpu-specific-build-macros.rst
+++ b/docs/design/cpu-specific-build-macros.rst
@@ -523,11 +523,27 @@
For Neoverse V2, the following errata build flags are defined :
+- ``ERRATA_V2_2331132``: This applies errata 2331132 workaround to Neoverse-V2
+ CPU. This needs to be enabled for revisions r0p0, r0p1 and r0p2. It is still
+ open.
+
- ``ERRATA_V2_2719103``: This applies errata 2719103 workaround to Neoverse-V2
CPU, this affects system configurations that do not use and ARM interconnect
IP. This needs to be enabled for revisions r0p0 and r0p1. It has been fixed
in r0p2.
+- ``ERRATA_V2_2719105``: This applies errata 2719105 workaround to Neoverse-V2
+ CPU. This needs to be enabled for revisions r0p0 and r0p1. It is fixed in
+ r0p2.
+
+- ``ERRATA_V2_2743011``: This applies errata 2743011 workaround to Neoverse-V2
+ CPU. This needs to be enabled for revisions r0p0 and r0p1. It is fixed in
+ r0p2.
+
+- ``ERRATA_V2_2779510``: This applies errata 2779510 workaround to Neoverse-V2
+ CPU. This needs to be enabled for revisions r0p0 and r0p1. It is fixed in
+ r0p2.
+
- ``ERRATA_V2_2801372``: This applies errata 2801372 workaround to Neoverse-V2
CPU, this affects all configurations. This needs to be enabled for revisions
r0p0 and r0p1. It has been fixed in r0p2.
diff --git a/docs/design/trusted-board-boot.rst b/docs/design/trusted-board-boot.rst
index 46177d7..fed202a 100644
--- a/docs/design/trusted-board-boot.rst
+++ b/docs/design/trusted-board-boot.rst
@@ -216,10 +216,11 @@
The ``cert_create`` tool is built and runs on the host machine as part of the
TF-A build process when ``GENERATE_COT=1``. It takes the boot loader images
-and keys as inputs (keys must be in PEM format) and generates the
-certificates (in DER format) required to establish the CoT. New keys can be
-generated by the tool in case they are not provided. The certificates are then
-passed as inputs to the ``fiptool`` utility for creating the FIP.
+and keys as inputs and generates the certificates (in DER format) required to
+establish the CoT. The input keys must either be a file in PEM format or a
+PKCS11 URI in case a HSM is used. New keys can be generated by the tool in
+case they are not provided. The certificates are then passed as inputs to
+the ``fiptool`` utility for creating the FIP.
The certificates are also stored individually in the output build directory.
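Review bot: The reworded paragraph says a key may be "a PKCS11 URI in case a HSM is used" but does not say how the token is unlocked or what the host must provide. The key.c change in this same patch loads the OpenSSL engine with id "pkcs11" and takes the PIN from the PKCS11_PIN environment variable; both are user-facing requirements and belong in this section. Minor: "a HSM" should read "an HSM".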
diff --git a/docs/getting_started/build-options.rst b/docs/getting_started/build-options.rst
index 2c018c3..1da2738 100644
--- a/docs/getting_started/build-options.rst
+++ b/docs/getting_started/build-options.rst
@@ -80,9 +80,9 @@
BL31 image for the ``fip`` target. In this case, the BL31 in TF-A will not
be built.
-- ``BL31_KEY``: This option is used when ``GENERATE_COT=1``. It specifies the
- file that contains the BL31 private key in PEM format. If ``SAVE_KEYS=1``,
- this file name will be used to save the key.
+- ``BL31_KEY``: This option is used when ``GENERATE_COT=1``. It specifies a
+ file that contains the BL31 private key in PEM format or a PKCS11 URI. If
+ ``SAVE_KEYS=1``, only a file is accepted and it will be used to save the key.
- ``BL32``: This is an optional build option which specifies the path to
BL32 image for the ``fip`` target. In this case, the BL32 in TF-A will not
@@ -94,16 +94,16 @@
- ``BL32_EXTRA2``: This is an optional build option which specifies the path to
Trusted OS Extra2 image for the ``fip`` target.
-- ``BL32_KEY``: This option is used when ``GENERATE_COT=1``. It specifies the
- file that contains the BL32 private key in PEM format. If ``SAVE_KEYS=1``,
- this file name will be used to save the key.
+- ``BL32_KEY``: This option is used when ``GENERATE_COT=1``. It specifies a
+ file that contains the BL32 private key in PEM format or a PKCS11 URI. If
+ ``SAVE_KEYS=1``, only a file is accepted and it will be used to save the key.
- ``BL33``: Path to BL33 image in the host file system. This is mandatory for
``fip`` target in case TF-A BL2 is used.
-- ``BL33_KEY``: This option is used when ``GENERATE_COT=1``. It specifies the
- file that contains the BL33 private key in PEM format. If ``SAVE_KEYS=1``,
- this file name will be used to save the key.
+- ``BL33_KEY``: This option is used when ``GENERATE_COT=1``. It specifies a
+ file that contains the BL33 private key in PEM format or a PKCS11 URI. If
+ ``SAVE_KEYS=1``, only a file is accepted and it will be used to save the key.
- ``BRANCH_PROTECTION``: Numeric value to enable ARMv8.3 Pointer Authentication
and ARMv8.5 Branch Target Identification support for TF-A BL images themselves.
@@ -749,8 +749,9 @@
MARCH_DIRECTIVE := -march=armv8.5-a
- ``NON_TRUSTED_WORLD_KEY``: This option is used when ``GENERATE_COT=1``. It
- specifies the file that contains the Non-Trusted World private key in PEM
- format. If ``SAVE_KEYS=1``, this file name will be used to save the key.
+ specifies a file that contains the Non-Trusted World private key in PEM
+ format or a PKCS11 URI. If ``SAVE_KEYS=1``, only a file is accepted and it
+ will be used to save the key.
- ``NS_BL2U``: Path to NS_BL2U image in the host file system. This image is
optional. It is only needed if the platform makefile specifies that it
@@ -827,10 +828,10 @@
instead of the BL1 entrypoint. It can take the value 0 (CPU reset to BL1
entrypoint) or 1 (CPU reset to SP_MIN entrypoint). The default value is 0.
-- ``ROT_KEY``: This option is used when ``GENERATE_COT=1``. It specifies the
- file that contains the ROT private key in PEM format and enforces public key
- hash generation. If ``SAVE_KEYS=1``, this
- file name will be used to save the key.
+- ``ROT_KEY``: This option is used when ``GENERATE_COT=1``. It specifies a
+ file that contains the ROT private key in PEM format or a PKCS11 URI and
+ enforces public key hash generation. If ``SAVE_KEYS=1``, only a file is
+ accepted and it will be used to save the key.
- ``SAVE_KEYS``: This option is used when ``GENERATE_COT=1``. It tells the
certificate generation tool to save the keys used to establish the Chain of
@@ -840,9 +841,9 @@
If a SCP_BL2 image is present then this option must be passed for the ``fip``
target.
-- ``SCP_BL2_KEY``: This option is used when ``GENERATE_COT=1``. It specifies the
- file that contains the SCP_BL2 private key in PEM format. If ``SAVE_KEYS=1``,
- this file name will be used to save the key.
+- ``SCP_BL2_KEY``: This option is used when ``GENERATE_COT=1``. It specifies a
+ file that contains the SCP_BL2 private key in PEM format or a PKCS11 URI.
+ If ``SAVE_KEYS=1``, only a file is accepted and it will be used to save the key.
- ``SCP_BL2U``: Path to SCP_BL2U image in the host file system. This image is
optional. It is only needed if the platform makefile specifies that it
@@ -959,8 +960,9 @@
already exist in disk, they will be overwritten without further notice.
- ``TRUSTED_WORLD_KEY``: This option is used when ``GENERATE_COT=1``. It
- specifies the file that contains the Trusted World private key in PEM
- format. If ``SAVE_KEYS=1``, this file name will be used to save the key.
+ specifies a file that contains the Trusted World private key in PEM
+ format or a PKCS11 URI. If ``SAVE_KEYS=1``, only a file is accepted and
+ it will be used to save the key.
- ``TSP_INIT_ASYNC``: Choose BL32 initialization method as asynchronous or
synchronous, (see "Initializing a BL32 Image" section in
diff --git a/drivers/st/ddr/stm32mp1_ram.c b/drivers/st/ddr/stm32mp1_ram.c
index b510c8f..c96fa04 100644
--- a/drivers/st/ddr/stm32mp1_ram.c
+++ b/drivers/st/ddr/stm32mp1_ram.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2018-2022, STMicroelectronics - All Rights Reserved
+ * Copyright (C) 2018-2023, STMicroelectronics - All Rights Reserved
*
* SPDX-License-Identifier: GPL-2.0+ OR BSD-3-Clause
*/
@@ -56,7 +56,8 @@
int ret;
struct stm32mp_ddr_config config;
int node;
- uint32_t uret;
+ uintptr_t uret;
+ size_t retsize;
void *fdt;
const struct stm32mp_ddr_param param[] = {
@@ -106,26 +107,28 @@
}
uret = stm32mp_ddr_test_data_bus();
- if (uret != 0U) {
- ERROR("DDR data bus test: can't access memory @ 0x%x\n",
+ if (uret != 0UL) {
+ ERROR("DDR data bus test: can't access memory @ 0x%lx\n",
uret);
panic();
}
uret = stm32mp_ddr_test_addr_bus(config.info.size);
- if (uret != 0U) {
- ERROR("DDR addr bus test: can't access memory @ 0x%x\n",
+ if (uret != 0UL) {
+ ERROR("DDR addr bus test: can't access memory @ 0x%lx\n",
uret);
panic();
}
- uret = stm32mp_ddr_check_size();
- if (uret < config.info.size) {
- ERROR("DDR size: 0x%x does not match DT config: 0x%x\n",
- uret, config.info.size);
+ retsize = stm32mp_ddr_check_size();
+ if (retsize < config.info.size) {
+ ERROR("DDR size: 0x%zx does not match DT config: 0x%zx\n",
+ retsize, config.info.size);
panic();
}
+ INFO("Memory size = 0x%zx (%zu MB)\n", retsize, retsize / (1024U * 1024U));
+
if (stm32mp_unmap_ddr() != 0) {
panic();
}
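Review bot: Both bus-test ERROR calls now print the uintptr_t value uret with 0x%lx, which is only correct on builds where uintptr_t is unsigned long. Use PRIxPTR from <inttypes.h>, or cast the argument to unsigned long, so the format and the argument type cannot drift apart. The %zx and %zu conversions for retsize and config.info.size match the size_t types introduced by the header changes in this patch.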
diff --git a/drivers/st/ddr/stm32mp_ddr_test.c b/drivers/st/ddr/stm32mp_ddr_test.c
index 6733cc6..0f6aff1 100644
--- a/drivers/st/ddr/stm32mp_ddr_test.c
+++ b/drivers/st/ddr/stm32mp_ddr_test.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2022, STMicroelectronics - All Rights Reserved
+ * Copyright (C) 2022-2023, STMicroelectronics - All Rights Reserved
*
* SPDX-License-Identifier: BSD-3-Clause
*/
@@ -18,19 +18,19 @@
* Note that the previous content is restored after test.
* Returns 0 if success, and address value else.
******************************************************************************/
-uint32_t stm32mp_ddr_test_rw_access(void)
+uintptr_t stm32mp_ddr_test_rw_access(void)
{
uint32_t saved_value = mmio_read_32(STM32MP_DDR_BASE);
mmio_write_32(STM32MP_DDR_BASE, DDR_PATTERN);
if (mmio_read_32(STM32MP_DDR_BASE) != DDR_PATTERN) {
- return (uint32_t)STM32MP_DDR_BASE;
+ return STM32MP_DDR_BASE;
}
mmio_write_32(STM32MP_DDR_BASE, saved_value);
- return 0U;
+ return 0UL;
}
/*******************************************************************************
@@ -41,7 +41,7 @@
* File: memtest.c - This source code belongs to Public Domain.
* Returns 0 if success, and address value else.
******************************************************************************/
-uint32_t stm32mp_ddr_test_data_bus(void)
+uintptr_t stm32mp_ddr_test_data_bus(void)
{
uint32_t pattern;
@@ -49,11 +49,11 @@
mmio_write_32(STM32MP_DDR_BASE, pattern);
if (mmio_read_32(STM32MP_DDR_BASE) != pattern) {
- return (uint32_t)STM32MP_DDR_BASE;
+ return STM32MP_DDR_BASE;
}
}
- return 0;
+ return 0UL;
}
/*******************************************************************************
@@ -65,38 +65,34 @@
* size: size in bytes of the DDR memory device.
* Returns 0 if success, and address value else.
******************************************************************************/
-uint32_t stm32mp_ddr_test_addr_bus(uint64_t size)
+uintptr_t stm32mp_ddr_test_addr_bus(size_t size)
{
- uint64_t addressmask = size - 1U;
- uint64_t offset;
- uint64_t testoffset = 0U;
+ size_t addressmask = size - 1U;
+ size_t offset;
+ size_t testoffset = 0U;
/* Write the default pattern at each of the power-of-two offsets. */
for (offset = sizeof(uint32_t); (offset & addressmask) != 0U;
offset <<= 1U) {
- mmio_write_32(STM32MP_DDR_BASE + (uint32_t)offset,
- DDR_PATTERN);
+ mmio_write_32(STM32MP_DDR_BASE + offset, DDR_PATTERN);
}
/* Check for address bits stuck high. */
- mmio_write_32(STM32MP_DDR_BASE + (uint32_t)testoffset,
- DDR_ANTIPATTERN);
+ mmio_write_32(STM32MP_DDR_BASE + testoffset, DDR_ANTIPATTERN);
for (offset = sizeof(uint32_t); (offset & addressmask) != 0U;
offset <<= 1U) {
- if (mmio_read_32(STM32MP_DDR_BASE + (uint32_t)offset) !=
- DDR_PATTERN) {
- return (uint32_t)(STM32MP_DDR_BASE + offset);
+ if (mmio_read_32(STM32MP_DDR_BASE + offset) != DDR_PATTERN) {
+ return STM32MP_DDR_BASE + offset;
}
}
- mmio_write_32(STM32MP_DDR_BASE + (uint32_t)testoffset, DDR_PATTERN);
+ mmio_write_32(STM32MP_DDR_BASE + testoffset, DDR_PATTERN);
/* Check for address bits stuck low or shorted. */
for (testoffset = sizeof(uint32_t); (testoffset & addressmask) != 0U;
testoffset <<= 1U) {
- mmio_write_32(STM32MP_DDR_BASE + (uint32_t)testoffset,
- DDR_ANTIPATTERN);
+ mmio_write_32(STM32MP_DDR_BASE + testoffset, DDR_ANTIPATTERN);
if (mmio_read_32(STM32MP_DDR_BASE) != DDR_PATTERN) {
return STM32MP_DDR_BASE;
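Review bot: size_t addressmask = size - 1U; is only a valid mask when size is a power of two, and nothing in stm32mp_ddr_test_addr_bus() checks that. The stm32mp_ram.c hunk in this patch rejects a size of zero, but a non-power-of-two value leaves zero bits inside the mask, so the (offset & addressmask) != 0U loops stop at the first such bit and the upper address lines are never exercised, while the function still returns 0UL. Since the parameter type is being reworked here anyway, an assert that size is a non-zero power of two at the top of the function would make the precondition explicit.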
@@ -104,18 +100,16 @@
for (offset = sizeof(uint32_t); (offset & addressmask) != 0U;
offset <<= 1) {
- if ((mmio_read_32(STM32MP_DDR_BASE +
- (uint32_t)offset) != DDR_PATTERN) &&
+ if ((mmio_read_32(STM32MP_DDR_BASE + offset) != DDR_PATTERN) &&
(offset != testoffset)) {
- return (uint32_t)(STM32MP_DDR_BASE + offset);
+ return STM32MP_DDR_BASE + offset;
}
}
- mmio_write_32(STM32MP_DDR_BASE + (uint32_t)testoffset,
- DDR_PATTERN);
+ mmio_write_32(STM32MP_DDR_BASE + testoffset, DDR_PATTERN);
}
- return 0U;
+ return 0UL;
}
/*******************************************************************************
@@ -125,9 +119,9 @@
* restore its content.
* Returns DDR computed size.
******************************************************************************/
-uint32_t stm32mp_ddr_check_size(void)
+size_t stm32mp_ddr_check_size(void)
{
- uint32_t offset = sizeof(uint32_t);
+ size_t offset = sizeof(uint32_t);
mmio_write_32(STM32MP_DDR_BASE, DDR_PATTERN);
@@ -142,7 +136,5 @@
offset <<= 1U;
}
- INFO("Memory size = 0x%x (%u MB)\n", offset, offset / (1024U * 1024U));
-
return offset;
}
diff --git a/drivers/st/ddr/stm32mp_ram.c b/drivers/st/ddr/stm32mp_ram.c
index 0804568..28dc17d 100644
--- a/drivers/st/ddr/stm32mp_ram.c
+++ b/drivers/st/ddr/stm32mp_ram.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2022, STMicroelectronics - All Rights Reserved
+ * Copyright (C) 2022-2023, STMicroelectronics - All Rights Reserved
*
* SPDX-License-Identifier: BSD-3-Clause
*/
@@ -23,8 +23,8 @@
VERBOSE("%s: no st,mem-speed\n", __func__);
return -EINVAL;
}
- ret = fdt_read_uint32(fdt, node, "st,mem-size", &info->size);
- if (ret < 0) {
+ info->size = dt_get_ddr_size();
+ if (info->size == 0U) {
VERBOSE("%s: no st,mem-size\n", __func__);
return -EINVAL;
}
diff --git a/drivers/ufs/ufs.c b/drivers/ufs/ufs.c
index 5ba5eb0..19f894f 100644
--- a/drivers/ufs/ufs.c
+++ b/drivers/ufs/ufs.c
@@ -609,7 +609,7 @@
UTRIACR_IATOVAL(0xFF);
mmio_write_32(ufs_params.reg_base + UTRIACR, data);
/* send request */
- mmio_setbits_32(ufs_params.reg_base + UTRLDBR, 1 << slot);
+ mmio_setbits_32(ufs_params.reg_base + UTRLDBR, 1U << slot);
}
static int ufs_check_resp(utp_utrd_t *utrd, int trans_type, unsigned int timeout_ms)
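Review bot: 1U << slot removes the signed-shift problem, but the shift is still undefined if slot is negative or reaches 32, and nothing visible in this hunk bounds it. An assert on slot against the number of transfer request slots, placed before the mmio_setbits_32() call, would state the precondition next to the doorbell write.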
diff --git a/include/drivers/st/stm32mp_ddr.h b/include/drivers/st/stm32mp_ddr.h
index 1efca42..4535e3c 100644
--- a/include/drivers/st/stm32mp_ddr.h
+++ b/include/drivers/st/stm32mp_ddr.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2022, STMicroelectronics - All Rights Reserved
+ * Copyright (C) 2022-2023, STMicroelectronics - All Rights Reserved
*
* SPDX-License-Identifier: GPL-2.0+ OR BSD-3-Clause
*/
@@ -53,8 +53,8 @@
struct stm32mp_ddr_info {
const char *name;
- uint32_t speed; /* in kHZ */
- uint32_t size; /* Memory size in byte = col * row * width */
+ uint32_t speed; /* in kHz */
+ size_t size; /* Memory size in byte = col * row * width */
};
#define TIMEOUT_US_1S 1000000U
diff --git a/include/drivers/st/stm32mp_ddr_test.h b/include/drivers/st/stm32mp_ddr_test.h
index 34e522a..cef5b48 100644
--- a/include/drivers/st/stm32mp_ddr_test.h
+++ b/include/drivers/st/stm32mp_ddr_test.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2022, STMicroelectronics - All Rights Reserved
+ * Copyright (C) 2022-2023, STMicroelectronics - All Rights Reserved
*
* SPDX-License-Identifier: BSD-3-Clause
*/
@@ -9,9 +9,9 @@
#include <stdint.h>
-uint32_t stm32mp_ddr_test_rw_access(void);
-uint32_t stm32mp_ddr_test_data_bus(void);
-uint32_t stm32mp_ddr_test_addr_bus(uint64_t size);
-uint32_t stm32mp_ddr_check_size(void);
+uintptr_t stm32mp_ddr_test_rw_access(void);
+uintptr_t stm32mp_ddr_test_data_bus(void);
+uintptr_t stm32mp_ddr_test_addr_bus(size_t size);
+size_t stm32mp_ddr_check_size(void);
#endif /* STM32MP_DDR_TEST_H */
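Review bot: The prototypes now use size_t, but the only include visible in this header hunk is <stdint.h>, which does not define size_t. Add #include <stddef.h> here unless it is already included outside the hunk, so the header stays self-contained and does not depend on include order in the .c files. The same applies to the size_t member added to struct stm32mp_ddr_info in stm32mp_ddr.h.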
diff --git a/include/lib/cpus/aarch64/neoverse_v2.h b/include/lib/cpus/aarch64/neoverse_v2.h
index efb960e..68c1558 100644
--- a/include/lib/cpus/aarch64/neoverse_v2.h
+++ b/include/lib/cpus/aarch64/neoverse_v2.h
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2021-2022, Arm Limited. All rights reserved.
+ * Copyright (c) 2021-2023, Arm Limited. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*/
@@ -23,4 +23,31 @@
#define NEOVERSE_V2_CPUPWRCTLR_EL1 S3_0_C15_C2_7
#define NEOVERSE_V2_CPUPWRCTLR_EL1_CORE_PWRDN_BIT U(1)
+/*******************************************************************************
+ * CPU Extended Control register 2 specific definitions.
+ ******************************************************************************/
+#define NEOVERSE_V2_CPUECTLR2_EL1 S3_0_C15_C1_5
+#define NEOVERSE_V2_CPUECTLR2_EL1_PF_MODE_CNSRV ULL(9)
+#define NEOVERSE_V2_CPUECTLR2_EL1_PF_MODE_LSB U(11)
+#define NEOVERSE_V2_CPUECTLR2_EL1_PF_MODE_WIDTH U(4)
+
+/*******************************************************************************
+ * CPU Auxiliary Control register 2 specific definitions.
+ ******************************************************************************/
+#define NEOVERSE_V2_CPUACTLR2_EL1 S3_0_C15_C1_1
+#define NEOVERSE_V2_CPUACTLR2_EL1_BIT_0 (ULL(1) << 0)
+
+/*******************************************************************************
+ * CPU Auxiliary Control register 3 specific definitions.
+ ******************************************************************************/
+#define NEOVERSE_V2_CPUACTLR3_EL1 S3_0_C15_C1_2
+#define NEOVERSE_V2_CPUACTLR3_EL1_BIT_47 (ULL(1) << 47)
+
+/*******************************************************************************
+ * CPU Auxiliary Control register 5 specific definitions.
+ ******************************************************************************/
+#define NEOVERSE_V2_CPUACTLR5_EL1 S3_0_C15_C8_0
+#define NEOVERSE_V2_CPUACTLR5_EL1_BIT_56 (ULL(1) << 56)
+#define NEOVERSE_V2_CPUACTLR5_EL1_BIT_55 (ULL(1) << 55)
+
#endif /* NEOVERSE_V2_H */
diff --git a/lib/cpus/aarch64/cortex_a78_ae.S b/lib/cpus/aarch64/cortex_a78_ae.S
index 9f729c1..94f6465 100644
--- a/lib/cpus/aarch64/cortex_a78_ae.S
+++ b/lib/cpus/aarch64/cortex_a78_ae.S
@@ -1,6 +1,6 @@
/*
* Copyright (c) 2019-2023, Arm Limited. All rights reserved.
- * Copyright (c) 2021-2022, NVIDIA Corporation. All rights reserved.
+ * Copyright (c) 2021-2023, NVIDIA Corporation. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*/
@@ -23,7 +23,7 @@
#endif /* WORKAROUND_CVE_2022_23960 */
workaround_reset_start cortex_a78_ae, ERRATUM(1941500), ERRATA_A78_AE_1941500
- sysreg_bit_clear CORTEX_A78_AE_CPUECTLR_EL1, CORTEX_A78_AE_CPUECTLR_EL1_BIT_8
+ sysreg_bit_set CORTEX_A78_AE_CPUECTLR_EL1, CORTEX_A78_AE_CPUECTLR_EL1_BIT_8
workaround_reset_end cortex_a78_ae, ERRATUM(1941500)
check_erratum_ls cortex_a78_ae, ERRATUM(1941500), CPU_REV(0, 1)
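Review bot: Replacing sysreg_bit_clear with sysreg_bit_set on CORTEX_A78_AE_CPUECTLR_EL1_BIT_8 reverses what the erratum 1941500 workaround writes, and nothing in the hunk records which state the erratum requires. A one-line comment above the instruction stating the required value of bit 8 would let a reader check it against the erratum notice without digging through history, which matters here because the previous polarity went unnoticed.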
diff --git a/lib/cpus/aarch64/neoverse_v2.S b/lib/cpus/aarch64/neoverse_v2.S
index 36ae4de..bfd088d 100644
--- a/lib/cpus/aarch64/neoverse_v2.S
+++ b/lib/cpus/aarch64/neoverse_v2.S
@@ -22,6 +22,32 @@
#error "Neoverse V2 supports only AArch64. Compile with CTX_INCLUDE_AARCH32_REGS=0"
#endif
+workaround_reset_start neoverse_v2, ERRATUM(2331132), ERRATA_V2_2331132
+ sysreg_bitfield_insert NEOVERSE_V2_CPUECTLR2_EL1, NEOVERSE_V2_CPUECTLR2_EL1_PF_MODE_CNSRV, \
+ NEOVERSE_V2_CPUECTLR2_EL1_PF_MODE_LSB, NEOVERSE_V2_CPUECTLR2_EL1_PF_MODE_WIDTH
+workaround_reset_end neoverse_v2, ERRATUM(2331132)
+
+check_erratum_ls neoverse_v2, ERRATUM(2331132), CPU_REV(0, 2)
+
+workaround_reset_start neoverse_v2, ERRATUM(2719105), ERRATA_V2_2719105
+ sysreg_bit_set NEOVERSE_V2_CPUACTLR2_EL1, NEOVERSE_V2_CPUACTLR2_EL1_BIT_0
+workaround_reset_end neoverse_v2, ERRATUM(2719105)
+
+check_erratum_ls neoverse_v2, ERRATUM(2719105), CPU_REV(0, 1)
+
+workaround_reset_start neoverse_v2, ERRATUM(2743011), ERRATA_V2_2743011
+ sysreg_bit_set NEOVERSE_V2_CPUACTLR5_EL1, NEOVERSE_V2_CPUACTLR5_EL1_BIT_55
+ sysreg_bit_clear NEOVERSE_V2_CPUACTLR5_EL1, NEOVERSE_V2_CPUACTLR5_EL1_BIT_56
+workaround_reset_end neoverse_v2, ERRATUM(2743011)
+
+check_erratum_ls neoverse_v2, ERRATUM(2743011), CPU_REV(0, 1)
+
+workaround_reset_start neoverse_v2, ERRATUM(2779510), ERRATA_V2_2779510
+ sysreg_bit_set NEOVERSE_V2_CPUACTLR3_EL1, NEOVERSE_V2_CPUACTLR3_EL1_BIT_47
+workaround_reset_end neoverse_v2, ERRATUM(2779510)
+
+check_erratum_ls neoverse_v2, ERRATUM(2779510), CPU_REV(0, 1)
+
workaround_runtime_start neoverse_v2, ERRATUM(2801372), ERRATA_V2_2801372
/* dsb before isb of power down sequence */
dsb sy
diff --git a/lib/cpus/cpu-ops.mk b/lib/cpus/cpu-ops.mk
index 0d8f4d4..77cc41e 100644
--- a/lib/cpus/cpu-ops.mk
+++ b/lib/cpus/cpu-ops.mk
@@ -794,10 +794,26 @@
# Cortex-A510 cpu and is fixed in r1p3.
CPU_FLAG_LIST += ERRATA_A510_2684597
+# Flag to apply erratum 2331132 workaround during reset. This erratum applies
+# to revisions r0p0, r0p1 and r0p2. It is still open.
+CPU_FLAG_LIST += ERRATA_V2_2331132
+
# Flag to apply erratum 2719103 workaround for non-arm interconnect ip. This
# erratum applies to revisions r0p0, rop1. Fixed in r0p2.
CPU_FLAG_LIST += ERRATA_V2_2719103
+# Flag to apply erratum 2719105 workaround during reset. This erratum applies
+# to revisions r0p0 and r0p1. It is fixed in r0p2.
+CPU_FLAG_LIST += ERRATA_V2_2719105
+
+# Flag to apply erratum 2743011 workaround during reset. This erratum applies
+# to revisions r0p0 and r0p1. It is fixed in r0p2.
+CPU_FLAG_LIST += ERRATA_V2_2743011
+
+# Flag to apply erratum 2779510 workaround during reset. This erratum applies
+# to revisions r0p0 and r0p1. It is fixed in r0p2.
+CPU_FLAG_LIST += ERRATA_V2_2779510
+
# Flag to apply erratum 2801372 workaround for all configurations.
# This erratum applies to revisions r0p0, r0p1. Fixed in r0p2.
CPU_FLAG_LIST += ERRATA_V2_2801372
diff --git a/plat/arm/board/corstone1000/platform.mk b/plat/arm/board/corstone1000/platform.mk
index 3edffe0..dcd0df8 100644
--- a/plat/arm/board/corstone1000/platform.mk
+++ b/plat/arm/board/corstone1000/platform.mk
@@ -1,5 +1,5 @@
#
-# Copyright (c) 2021-2022, Arm Limited and Contributors. All rights reserved.
+# Copyright (c) 2021-2023, Arm Limited and Contributors. All rights reserved.
#
# SPDX-License-Identifier: BSD-3-Clause
#
@@ -43,6 +43,7 @@
plat/arm/board/corstone1000/common/corstone1000_err.c \
plat/arm/board/corstone1000/common/corstone1000_trusted_boot.c \
lib/utils/mem_region.c \
+ lib/cpus/aarch64/cpu_helpers.S \
plat/arm/board/corstone1000/common/corstone1000_helpers.S \
plat/arm/board/corstone1000/common/corstone1000_plat.c \
plat/arm/board/corstone1000/common/corstone1000_bl2_mem_params_desc.c \
diff --git a/services/std_svc/errata_abi/errata_abi_main.c b/services/std_svc/errata_abi/errata_abi_main.c
index 8fee6ac..ca66396 100644
--- a/services/std_svc/errata_abi/errata_abi_main.c
+++ b/services/std_svc/errata_abi/errata_abi_main.c
@@ -310,7 +310,7 @@
[1] = {2008768, 0x00, 0x20, ERRATA_A710_2008768},
[2] = {2017096, 0x00, 0x20, ERRATA_A710_2017096},
[3] = {2055002, 0x10, 0x20, ERRATA_A710_2055002},
- [4] = {2058056, 0x00, 0x10, ERRATA_A710_2058056},
+ [4] = {2058056, 0x00, 0x20, ERRATA_A710_2058056},
[5] = {2081180, 0x00, 0x20, ERRATA_A710_2081180},
[6] = {2083908, 0x20, 0x20, ERRATA_A710_2083908},
[7] = {2136059, 0x00, 0x20, ERRATA_A710_2136059},
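Review bot: Entry [4] widens the upper revision bound for erratum 2058056 from 0x10 to 0x20, but this patch touches neither the Cortex-A710 workaround code nor its errata documentation. Please confirm that the revision check used when the workaround is applied covers the same range, otherwise the errata ABI will report a status for revisions where the workaround is not actually applied.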
@@ -322,7 +322,8 @@
[13] = {2371105, 0x00, 0x20, ERRATA_A710_2371105},
[14] = {2701952, 0x00, 0x21, ERRATA_A710_2701952, \
ERRATA_NON_ARM_INTERCONNECT},
- [15] = {2768515, 0x00, 0x21, ERRATA_A710_2768515}
+ [15] = {2768515, 0x00, 0x21, ERRATA_A710_2768515},
+ [16 ... ERRATA_LIST_END] = UNDEF_ERRATA,
}
},
#endif /* CORTEX_A710_H_INC */
@@ -400,10 +401,14 @@
{
.cpu_partnumber = NEOVERSE_V2_MIDR,
.cpu_errata_list = {
- [0] = {2719103, 0x00, 0x01, ERRATA_V2_2719103, \
+ [0] = {2331132, 0x00, 0x02, ERRATA_V2_2331132},
+ [1] = {2719103, 0x00, 0x01, ERRATA_V2_2719103, \
ERRATA_NON_ARM_INTERCONNECT},
- [1] = {2801372, 0x00, 0x01, ERRATA_V2_2801372},
- [2 ... ERRATA_LIST_END] = UNDEF_ERRATA,
+ [2] = {2719105, 0x00, 0x01, ERRATA_V2_2719105},
+ [3] = {2743011, 0x00, 0x01, ERRATA_V2_2743011},
+ [4] = {2779510, 0x00, 0x01, ERRATA_V2_2779510},
+ [5] = {2801372, 0x00, 0x01, ERRATA_V2_2801372},
+ [6 ... ERRATA_LIST_END] = UNDEF_ERRATA,
}
},
#endif /* NEOVERSE_V2_H_INC */
diff --git a/tools/cert_create/src/cca/cot.c b/tools/cert_create/src/cca/cot.c
index e39b036..372d908 100644
--- a/tools/cert_create/src/cca/cot.c
+++ b/tools/cert_create/src/cca/cot.c
@@ -414,35 +414,35 @@
[ROT_KEY] = {
.id = ROT_KEY,
.opt = "rot-key",
- .help_msg = "Root Of Trust key (input/output file)",
+ .help_msg = "Root Of Trust key file or PKCS11 URI",
.desc = "Root Of Trust key"
},
[SWD_ROT_KEY] = {
.id = SWD_ROT_KEY,
.opt = "swd-rot-key",
- .help_msg = "Secure World Root of Trust key",
+ .help_msg = "Secure World Root of Trust key file or PKCS11 URI",
.desc = "Secure World Root of Trust key"
},
[CORE_SWD_KEY] = {
.id = CORE_SWD_KEY,
.opt = "core-swd-key",
- .help_msg = "Core Secure World key",
+ .help_msg = "Core Secure World key file or PKCS11 URI",
.desc = "Core Secure World key"
},
[PROT_KEY] = {
.id = PROT_KEY,
.opt = "prot-key",
- .help_msg = "Platform Root of Trust key",
+ .help_msg = "Platform Root of Trust key file or PKCS11 URI",
.desc = "Platform Root of Trust key"
},
[PLAT_KEY] = {
.id = PLAT_KEY,
.opt = "plat-key",
- .help_msg = "Platform key",
+ .help_msg = "Platform key file or PKCS11 URI",
.desc = "Platform key"
},
};
diff --git a/tools/cert_create/src/dualroot/cot.c b/tools/cert_create/src/dualroot/cot.c
index 4dd4cf0..81a7d75 100644
--- a/tools/cert_create/src/dualroot/cot.c
+++ b/tools/cert_create/src/dualroot/cot.c
@@ -540,42 +540,42 @@
[ROT_KEY] = {
.id = ROT_KEY,
.opt = "rot-key",
- .help_msg = "Root Of Trust key (input/output file)",
+ .help_msg = "Root Of Trust key file or PKCS11 URI",
.desc = "Root Of Trust key"
},
[TRUSTED_WORLD_KEY] = {
.id = TRUSTED_WORLD_KEY,
.opt = "trusted-world-key",
- .help_msg = "Trusted World key (input/output file)",
+ .help_msg = "Trusted World key file or PKCS11 URI",
.desc = "Trusted World key"
},
[SCP_FW_CONTENT_CERT_KEY] = {
.id = SCP_FW_CONTENT_CERT_KEY,
.opt = "scp-fw-key",
- .help_msg = "SCP Firmware Content Certificate key (input/output file)",
+ .help_msg = "SCP Firmware Content Certificate key file or PKCS11 URI",
.desc = "SCP Firmware Content Certificate key"
},
[SOC_FW_CONTENT_CERT_KEY] = {
.id = SOC_FW_CONTENT_CERT_KEY,
.opt = "soc-fw-key",
- .help_msg = "SoC Firmware Content Certificate key (input/output file)",
+ .help_msg = "SoC Firmware Content Certificate key file or PKCS11 URI",
.desc = "SoC Firmware Content Certificate key"
},
[TRUSTED_OS_FW_CONTENT_CERT_KEY] = {
.id = TRUSTED_OS_FW_CONTENT_CERT_KEY,
.opt = "tos-fw-key",
- .help_msg = "Trusted OS Firmware Content Certificate key (input/output file)",
+ .help_msg = "Trusted OS Firmware Content Certificate key file or PKCS11 URI",
.desc = "Trusted OS Firmware Content Certificate key"
},
[PROT_KEY] = {
.id = PROT_KEY,
.opt = "prot-key",
- .help_msg = "Platform Root of Trust key",
+ .help_msg = "Platform Root of Trust key file or PKCS11 URI",
.desc = "Platform Root of Trust key"
},
};
diff --git a/tools/cert_create/src/key.c b/tools/cert_create/src/key.c
index 27ec979..32229d1 100644
--- a/tools/cert_create/src/key.c
+++ b/tools/cert_create/src/key.c
@@ -9,7 +9,11 @@
#include <stdlib.h>
#include <string.h>
+/* Suppress OpenSSL engine deprecation warnings */
+#define OPENSSL_SUPPRESS_DEPRECATED
+
#include <openssl/conf.h>
+#include <openssl/engine.h>
#include <openssl/evp.h>
#include <openssl/pem.h>
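Review bot: #define OPENSSL_SUPPRESS_DEPRECATED ahead of the includes silences every OpenSSL deprecation warning in key.c, not only the ENGINE ones named in the comment, so any other deprecated call added to this file later will compile without notice. The ENGINE API is deprecated as of OpenSSL 3.0; the comment should at least say that this is a stopgap and note that a provider-based loader is the replacement, so the suppression does not become permanent by default.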
@@ -189,30 +193,69 @@
return 0;
}
+static EVP_PKEY *key_load_pkcs11(const char *uri)
+{
+ char *key_pass;
+ EVP_PKEY *pkey;
+ ENGINE *e;
+
+ ENGINE_load_builtin_engines();
+ e = ENGINE_by_id("pkcs11");
+ if (!e) {
+ fprintf(stderr, "Cannot Load PKCS#11 ENGINE\n");
+ return NULL;
+ }
+
+ if (!ENGINE_init(e)) {
+ fprintf(stderr, "Cannot ENGINE_init\n");
+ goto err;
+ }
+
+ key_pass = getenv("PKCS11_PIN");
+ if (key_pass) {
+ if (!ENGINE_ctrl_cmd_string(e, "PIN", key_pass, 0)) {
+ fprintf(stderr, "Cannot Set PKCS#11 PIN\n");
+ goto err;
+ }
+ }
+
+ pkey = ENGINE_load_private_key(e, uri, NULL, NULL);
+ if (pkey)
+ return pkey;
+err:
+ ENGINE_free(e);
+ return NULL;
+
+}
+
int key_load(key_t *key, unsigned int *err_code)
{
FILE *fp;
- EVP_PKEY *k;
if (key->fn) {
- /* Load key from file */
- fp = fopen(key->fn, "r");
- if (fp) {
- k = PEM_read_PrivateKey(fp, &key->key, NULL, NULL);
- fclose(fp);
- if (k) {
- *err_code = KEY_ERR_NONE;
- return 1;
+ if (!strncmp(key->fn, "pkcs11:", 7)) {
+ /* Load key through pkcs11 */
+ key->key = key_load_pkcs11(key->fn);
+ } else {
+ /* Load key from file */
+ fp = fopen(key->fn, "r");
+ if (fp) {
+ key->key = PEM_read_PrivateKey(fp, NULL, NULL, NULL);
+ fclose(fp);
} else {
- ERROR("Cannot load key from %s\n", key->fn);
- *err_code = KEY_ERR_LOAD;
+ WARN("Cannot open file %s\n", key->fn);
+ *err_code = KEY_ERR_OPEN;
}
+ }
+ if (key->key) {
+ *err_code = KEY_ERR_NONE;
+ return 1;
} else {
- WARN("Cannot open file %s\n", key->fn);
- *err_code = KEY_ERR_OPEN;
+ ERROR("Cannot load key from %s\n", key->fn);
+ *err_code = KEY_ERR_LOAD;
}
} else {
- VERBOSE("Key filename not specified\n");
+ VERBOSE("Key not specified\n");
*err_code = KEY_ERR_FILENAME;
}
@@ -224,6 +267,10 @@
FILE *fp;
if (key->fn) {
+ if (!strncmp(key->fn, "pkcs11:", 7)) {
+ ERROR("PKCS11 URI provided instead of a file");
+ return 0;
+ }
fp = fopen(key->fn, "w");
if (fp) {
PEM_write_PrivateKey(fp, key->key,
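Review bot: The new ERROR("PKCS11 URI provided instead of a file") message has no trailing \n, unlike the other ERROR and WARN strings in this file's hunks, so the next log line will run on from it. The strncmp(key->fn, "pkcs11:", 7) test is now written out in both the load and the store path; a small helper would keep the prefix and its length in one place.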
diff --git a/tools/cert_create/src/tbbr/tbb_key.c b/tools/cert_create/src/tbbr/tbb_key.c
index a81f0e4..5b84b6e 100644
--- a/tools/cert_create/src/tbbr/tbb_key.c
+++ b/tools/cert_create/src/tbbr/tbb_key.c
@@ -15,43 +15,43 @@
[ROT_KEY] = {
.id = ROT_KEY,
.opt = "rot-key",
- .help_msg = "Root Of Trust key (input/output file)",
+ .help_msg = "Root Of Trust key file or PKCS11 URI",
.desc = "Root Of Trust key"
},
[TRUSTED_WORLD_KEY] = {
.id = TRUSTED_WORLD_KEY,
.opt = "trusted-world-key",
- .help_msg = "Trusted World key (input/output file)",
+ .help_msg = "Trusted World key file or PKCS11 URI",
.desc = "Trusted World key"
},
[NON_TRUSTED_WORLD_KEY] = {
.id = NON_TRUSTED_WORLD_KEY,
.opt = "non-trusted-world-key",
- .help_msg = "Non Trusted World key (input/output file)",
+ .help_msg = "Non Trusted World key file or PKCS11 URI",
.desc = "Non Trusted World key"
},
[SCP_FW_CONTENT_CERT_KEY] = {
.id = SCP_FW_CONTENT_CERT_KEY,
.opt = "scp-fw-key",
- .help_msg = "SCP Firmware Content Certificate key (input/output file)",
+ .help_msg = "SCP Firmware Content Certificate key file or PKCS11 URI",
.desc = "SCP Firmware Content Certificate key"
},
[SOC_FW_CONTENT_CERT_KEY] = {
.id = SOC_FW_CONTENT_CERT_KEY,
.opt = "soc-fw-key",
- .help_msg = "SoC Firmware Content Certificate key (input/output file)",
+ .help_msg = "SoC Firmware Content Certificate key file or PKCS11 URI",
.desc = "SoC Firmware Content Certificate key"
},
[TRUSTED_OS_FW_CONTENT_CERT_KEY] = {
.id = TRUSTED_OS_FW_CONTENT_CERT_KEY,
.opt = "tos-fw-key",
- .help_msg = "Trusted OS Firmware Content Certificate key (input/output file)",
+ .help_msg = "Trusted OS Firmware Content Certificate key file or PKCS11 URI",
.desc = "Trusted OS Firmware Content Certificate key"
},
[NON_TRUSTED_FW_CONTENT_CERT_KEY] = {
.id = NON_TRUSTED_FW_CONTENT_CERT_KEY,
.opt = "nt-fw-key",
- .help_msg = "Non Trusted Firmware Content Certificate key (input/output file)",
+ .help_msg = "Non Trusted Firmware Content Certificate key file or PKCS11 URI",
.desc = "Non Trusted Firmware Content Certificate key"
}
};
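Review bot: The reworded help_msg strings drop "(input/output file)", here and in the cca and dualroot tables, but the store path in key.c still opens the same name with fopen(key->fn, "w") when keys are saved. The help text therefore no longer tells the user that a key file given on the command line can be written. Wording such as "key file (input/output) or PKCS11 URI (input only)" would keep that information and match the SAVE_KEYS restriction described in build-options.rst.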