- TF-A - lists.trustedfirmware.org

SMC to intentionally trigger a panic in TF-A

by Julius Werner

Hi Soby et. al., I'd like to implement a small new feature and ask some guidance for how to go about it: Chrome OS has the ability to automatically collect crash reports from runtime crashes in Trusted Firmware, and we would like to set up automated tests to ensure this feature stays working. In order to do this we need a way for the non-secure OS to intentionally trigger a panic in EL3. The obvious solution would be to implement a new SMC for that. (It's common for operating systems to have similar facilities, e.g. Linux can force a kernel panic by writing 'c' into /proc/sysrq-trigger.) My main question is: where should I get an SMC function ID for this? This is not a silicon or OEM specific feature, so the SiP Service Calls and OEM Service Calls ID ranges seem inappropriate (or do you think it would make sense to treat Google or Chrome OS as the "OEM" here, even though that's not quite accurate?). There are ranges for Trusted Applications and the Trusted OS but unfortunately none for the normal world OS. Is this something that would make sense to allocate under Standard Service Calls? Could you just find an ID for me to use there or does everything in that range need a big specification document written by Arm? Thanks, Julius

5 years, 9 months

1
0
0 0

Re: [TF-A] Advisory TFV 5 to CVE-2017-15031 only saves/stores the PMCR_EL0 across world switching

by Alexei Fedorov

Hi Marek The patch is available at https://review.trustedfirmware.org/c/TF-A/trusted-firmware-a/+/1789 Regards. Alexei ________________________________ From: TF-A <tf-a-bounces(a)lists.trustedfirmware.org> on behalf of Joanna Farley via TF-A <tf-a(a)lists.trustedfirmware.org> Sent: 19 August 2019 11:41 To: Marek <marek.bykowski(a)gmail.com> Cc: tf-a(a)lists.trustedfirmware.org <tf-a(a)lists.trustedfirmware.org> Subject: Re: [TF-A] Advisory TFV 5 to CVE-2017-15031 only saves/stores the PMCR_EL0 across world switching Hi Marek, Changes are in review so hopefully soon. Joanna On 19/08/2019, 10:56, "TF-A on behalf of Marek via TF-A" <tf-a-bounces(a)lists.trustedfirmware.org on behalf of tf-a(a)lists.trustedfirmware.org> wrote: Hi Dan, Are there any time estimates when the fix should be in? Thanks, Marek On Sat, 10 Aug 2019 at 22:46, Marek via TF-A <tf-a(a)lists.trustedfirmware.org> wrote: > > Thank you Dan for checking this out. Looking forward into the fix. > > Marek > > On Thu, 8 Aug 2019 at 17:52, Dan Handley via TF-A > <tf-a(a)lists.trustedfirmware.org> wrote: > > > > Hi Marek > > > > Thanks for pointing this out. Typically we expect any timing sensitive secure operations to be implemented at Secure-EL1 or lower, which the current code does protect. However, you are correct that all secure world code including EL3 should not expose timing information. A fix is in progress to address this. > > > > Regards > > > > Dan. > > > > > -----Original Message----- > > > From: TF-A <tf-a-bounces(a)lists.trustedfirmware.org> On Behalf Of Marek > > > Bykowski via TF-A > > > Sent: 03 August 2019 07:37 > > > To: tf-a(a)lists.trustedfirmware.org; David Cunado <David.Cunado(a)arm.com> > > > Subject: [TF-A] Advisory TFV 5 to CVE-2017-15031 only saves/stores the > > > PMCR_EL0 across world switching > > > > > > Hi David/ATF Support, > > > > > > An excerpt from the commit message to CVE-2017-15031 is "Additionally, > > > PMCR_EL0 is added to the list of registers that are saved and restored during > > > a world switch." > > > > > > My question is why it is only being saved/restored across the world switch > > > and not during a "normal" SMC call? When I do modify the > > > PMCR_EL0 in EL2 or NonSecure-EL1 and run the smc call the PMCCNTR counter > > > counts during the smc call and does expose secure world timing information to > > > NonSecure in that matter. > > > > > > Thanks, > > > Marek > > > -- > > > TF-A mailing list > > > TF-A(a)lists.trustedfirmware.org > > > https://lists.trustedfirmware.org/mailman/listinfo/tf-a > > IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you. > > -- > > TF-A mailing list > > TF-A(a)lists.trustedfirmware.org > > https://lists.trustedfirmware.org/mailman/listinfo/tf-a > > > > -- > Slán, > Marek > -- > TF-A mailing list > TF-A(a)lists.trustedfirmware.org > https://lists.trustedfirmware.org/mailman/listinfo/tf-a -- Slán, Marek -- TF-A mailing list TF-A(a)lists.trustedfirmware.org https://lists.trustedfirmware.org/mailman/listinfo/tf-a IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you. -- TF-A mailing list TF-A(a)lists.trustedfirmware.org https://lists.trustedfirmware.org/mailman/listinfo/tf-a IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.

5 years, 9 months

1
0
0 0

Re: [TF-A] Advisory TFV 5 to CVE-2017-15031 only saves/stores the PMCR_EL0 across world switching

by Joanna Farley

Hi Marek, Changes are in review so hopefully soon. Joanna On 19/08/2019, 10:56, "TF-A on behalf of Marek via TF-A" <tf-a-bounces(a)lists.trustedfirmware.org on behalf of tf-a(a)lists.trustedfirmware.org> wrote: Hi Dan, Are there any time estimates when the fix should be in? Thanks, Marek On Sat, 10 Aug 2019 at 22:46, Marek via TF-A <tf-a(a)lists.trustedfirmware.org> wrote: > > Thank you Dan for checking this out. Looking forward into the fix. > > Marek > > On Thu, 8 Aug 2019 at 17:52, Dan Handley via TF-A > <tf-a(a)lists.trustedfirmware.org> wrote: > > > > Hi Marek > > > > Thanks for pointing this out. Typically we expect any timing sensitive secure operations to be implemented at Secure-EL1 or lower, which the current code does protect. However, you are correct that all secure world code including EL3 should not expose timing information. A fix is in progress to address this. > > > > Regards > > > > Dan. > > > > > -----Original Message----- > > > From: TF-A <tf-a-bounces(a)lists.trustedfirmware.org> On Behalf Of Marek > > > Bykowski via TF-A > > > Sent: 03 August 2019 07:37 > > > To: tf-a(a)lists.trustedfirmware.org; David Cunado <David.Cunado(a)arm.com> > > > Subject: [TF-A] Advisory TFV 5 to CVE-2017-15031 only saves/stores the > > > PMCR_EL0 across world switching > > > > > > Hi David/ATF Support, > > > > > > An excerpt from the commit message to CVE-2017-15031 is "Additionally, > > > PMCR_EL0 is added to the list of registers that are saved and restored during > > > a world switch." > > > > > > My question is why it is only being saved/restored across the world switch > > > and not during a "normal" SMC call? When I do modify the > > > PMCR_EL0 in EL2 or NonSecure-EL1 and run the smc call the PMCCNTR counter > > > counts during the smc call and does expose secure world timing information to > > > NonSecure in that matter. > > > > > > Thanks, > > > Marek > > > -- > > > TF-A mailing list > > > TF-A(a)lists.trustedfirmware.org > > > https://lists.trustedfirmware.org/mailman/listinfo/tf-a > > IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you. > > -- > > TF-A mailing list > > TF-A(a)lists.trustedfirmware.org > > https://lists.trustedfirmware.org/mailman/listinfo/tf-a > > > > -- > Slán, > Marek > -- > TF-A mailing list > TF-A(a)lists.trustedfirmware.org > https://lists.trustedfirmware.org/mailman/listinfo/tf-a -- Slán, Marek -- TF-A mailing list TF-A(a)lists.trustedfirmware.org https://lists.trustedfirmware.org/mailman/listinfo/tf-a IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.

5 years, 9 months

1
0
0 0

Re: [TF-A] Advisory TFV 5 to CVE-2017-15031 only saves/stores the PMCR_EL0 across world switching

by Marek

Hi Dan, Are there any time estimates when the fix should be in? Thanks, Marek On Sat, 10 Aug 2019 at 22:46, Marek via TF-A <tf-a(a)lists.trustedfirmware.org> wrote: > > Thank you Dan for checking this out. Looking forward into the fix. > > Marek > > On Thu, 8 Aug 2019 at 17:52, Dan Handley via TF-A > <tf-a(a)lists.trustedfirmware.org> wrote: > > > > Hi Marek > > > > Thanks for pointing this out. Typically we expect any timing sensitive secure operations to be implemented at Secure-EL1 or lower, which the current code does protect. However, you are correct that all secure world code including EL3 should not expose timing information. A fix is in progress to address this. > > > > Regards > > > > Dan. > > > > > -----Original Message----- > > > From: TF-A <tf-a-bounces(a)lists.trustedfirmware.org> On Behalf Of Marek > > > Bykowski via TF-A > > > Sent: 03 August 2019 07:37 > > > To: tf-a(a)lists.trustedfirmware.org; David Cunado <David.Cunado(a)arm.com> > > > Subject: [TF-A] Advisory TFV 5 to CVE-2017-15031 only saves/stores the > > > PMCR_EL0 across world switching > > > > > > Hi David/ATF Support, > > > > > > An excerpt from the commit message to CVE-2017-15031 is "Additionally, > > > PMCR_EL0 is added to the list of registers that are saved and restored during > > > a world switch." > > > > > > My question is why it is only being saved/restored across the world switch > > > and not during a "normal" SMC call? When I do modify the > > > PMCR_EL0 in EL2 or NonSecure-EL1 and run the smc call the PMCCNTR counter > > > counts during the smc call and does expose secure world timing information to > > > NonSecure in that matter. > > > > > > Thanks, > > > Marek > > > -- > > > TF-A mailing list > > > TF-A(a)lists.trustedfirmware.org > > > https://lists.trustedfirmware.org/mailman/listinfo/tf-a > > IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you. > > -- > > TF-A mailing list > > TF-A(a)lists.trustedfirmware.org > > https://lists.trustedfirmware.org/mailman/listinfo/tf-a > > > > -- > Slán, > Marek > -- > TF-A mailing list > TF-A(a)lists.trustedfirmware.org > https://lists.trustedfirmware.org/mailman/listinfo/tf-a -- Slán, Marek

5 years, 9 months

1
0
0 0

Re: [TF-A] Advisory TFV 5 to CVE-2017-15031 only saves/stores the PMCR_EL0 across world switching

by Marek

Thank you Dan for checking this out. Looking forward into the fix. Marek On Thu, 8 Aug 2019 at 17:52, Dan Handley via TF-A <tf-a(a)lists.trustedfirmware.org> wrote: > > Hi Marek > > Thanks for pointing this out. Typically we expect any timing sensitive secure operations to be implemented at Secure-EL1 or lower, which the current code does protect. However, you are correct that all secure world code including EL3 should not expose timing information. A fix is in progress to address this. > > Regards > > Dan. > > > -----Original Message----- > > From: TF-A <tf-a-bounces(a)lists.trustedfirmware.org> On Behalf Of Marek > > Bykowski via TF-A > > Sent: 03 August 2019 07:37 > > To: tf-a(a)lists.trustedfirmware.org; David Cunado <David.Cunado(a)arm.com> > > Subject: [TF-A] Advisory TFV 5 to CVE-2017-15031 only saves/stores the > > PMCR_EL0 across world switching > > > > Hi David/ATF Support, > > > > An excerpt from the commit message to CVE-2017-15031 is "Additionally, > > PMCR_EL0 is added to the list of registers that are saved and restored during > > a world switch." > > > > My question is why it is only being saved/restored across the world switch > > and not during a "normal" SMC call? When I do modify the > > PMCR_EL0 in EL2 or NonSecure-EL1 and run the smc call the PMCCNTR counter > > counts during the smc call and does expose secure world timing information to > > NonSecure in that matter. > > > > Thanks, > > Marek > > -- > > TF-A mailing list > > TF-A(a)lists.trustedfirmware.org > > https://lists.trustedfirmware.org/mailman/listinfo/tf-a > IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you. > -- > TF-A mailing list > TF-A(a)lists.trustedfirmware.org > https://lists.trustedfirmware.org/mailman/listinfo/tf-a -- Slán, Marek

5 years, 9 months

1
0
0 0

Re: [TF-A] Advisory TFV 5 to CVE-2017-15031 only saves/stores the PMCR_EL0 across world switching

by Dan Handley

Hi Marek Thanks for pointing this out. Typically we expect any timing sensitive secure operations to be implemented at Secure-EL1 or lower, which the current code does protect. However, you are correct that all secure world code including EL3 should not expose timing information. A fix is in progress to address this. Regards Dan. > -----Original Message----- > From: TF-A <tf-a-bounces(a)lists.trustedfirmware.org> On Behalf Of Marek > Bykowski via TF-A > Sent: 03 August 2019 07:37 > To: tf-a(a)lists.trustedfirmware.org; David Cunado <David.Cunado(a)arm.com> > Subject: [TF-A] Advisory TFV 5 to CVE-2017-15031 only saves/stores the > PMCR_EL0 across world switching > > Hi David/ATF Support, > > An excerpt from the commit message to CVE-2017-15031 is "Additionally, > PMCR_EL0 is added to the list of registers that are saved and restored during > a world switch." > > My question is why it is only being saved/restored across the world switch > and not during a "normal" SMC call? When I do modify the > PMCR_EL0 in EL2 or NonSecure-EL1 and run the smc call the PMCCNTR counter > counts during the smc call and does expose secure world timing information to > NonSecure in that matter. > > Thanks, > Marek > -- > TF-A mailing list > TF-A(a)lists.trustedfirmware.org > https://lists.trustedfirmware.org/mailman/listinfo/tf-a IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.

5 years, 9 months

1
0
0 0

On supporting unmaintained platforms and downstream projects

by Julius Werner

Hi Soby et. al., I wanna kick off a little discussion about how TF-A intends to deal with in-tree platform ports as they get older and the interest in maintaining them drops off. Concretely, I noticed that the plat/nvidia/tegra platforms no longer build since the removal of the deprecated console API in https://review.trustedfirmware.org/842 last month. There has been a patch suggestion to fix it uploaded at https://review.trustedfirmware.org/1192 for two months, but it hasn't moved forward because it seems that Arm thinks it's on the platform maintainer (Nvidia) to finish up and test the patch, and they don't seem to be responding. This creates a problem for downstream projects like coreboot and Chrome OS that use Trusted Firmware on Tegra chips and build-test them in their CI systems. My assumption when setting up the Trusted Firmware integration for them was that the Trusted Firmware CI would build test all in-tree platforms for every commit anyway, so we could always assume that all platforms build on the current master... but clearly, that assumption broke in this case. (I guess because you manually overrode the CI in https://review.trustedfirmware.org/842? Or does it not test all platforms anyway?) So now, coreboot is stuck on an old TF-A version and cannot move forward for any platform until we either kick out the Tegra SoCs or get the problem fixed in TF-A (which is a problem with the testing because I don't have a Tegra board on hand either). How do you think we should solve issues like this? Is keeping platforms that don't build in the tree an intended state? Is there some deadline after which you intend to remove the platform completely? Or would it be better to just merge "best effort" commits like https://review.trustedfirmware.org/1192 that we think should do the right thing for the platform (and at least makes it build again), even if nobody is around to test it on real hardware? To give some experience from the coreboot project, I think it's an unfortunate truth that SoC vendors just tend to lose interest in maintaining hardware once it's more than 2-3 years old. At that point the open-source community has to jump in to continue maintenance, and they can only do it on a best effort basis. It's not possible to always find someone with the right hardware and time to test it for all these old platforms whenever you're trying to do some large, project wide API change, so eventually you'll just have to accept patches that haven't been tested for them. Most of the times (if reviewers pay attention) it works well, sometimes they break. If they do, eventually someone will notice and then they'll have to bisect and fix it. I believe Linux is essentially doing the same thing for lesser-used hardware. It's either that, or you have to constantly kick out old platforms after a few years. (From the coreboot point of view, kicking the Tegra platforms out of TF-A would mean we're forced to remove them from coreboot as well, which would be unfortunate.) Let me know what you think! Julius

5 years, 9 months

3
4
0 0

Re: [TF-A] On supporting unmaintained platforms and downstream projects

by Joanna Farley

Hi Julius, It’s a valid issue you have raised. In general we rely on the platform maintainer to work with us to keep their platform port fresh and in this case we proposed some changes and was looking for feedback from the maintainer. We try in our internal standups at least once a week to look for patch reviews that have had no work on them for 21 days and if we do identify any we start chasing to progress these. Eventually if after several attempts we cannot get the patch to progress we would generally look to abandon if it’s the patch originator we cannot contact. In this case it was the platform maintainer who we needed a review from and you managed to get Varun to notice the patches. If we had not managed to contact them then we would have had to make a call on if to submit the changes or not to at least get the build working even though we would not be able to test them. I would like to think in the case of a broken build we would take that option rather than abandon. I think this issue is made a little worse in that the CI results are not yet open so not obvious to everybody although hopefully that will be eventually addressed with the proposed Open CI system on trustedfirmware.org where build results will be available. On top of that if partners want to engage in providing a board available that could be integrated into the LAVA farm that’s part of the CI system and would also be tested. Joanna On 03/08/2019, 01:10, "TF-A on behalf of Julius Werner via TF-A" <tf-a-bounces(a)lists.trustedfirmware.org on behalf of tf-a(a)lists.trustedfirmware.org> wrote: > Thanks for the email, Julius. To be clear, we very well intend to be part of the TF-A project. Having said that, I was not aware of the two commits you mentioned in the email and di not know that Tegra builds are broken in the master branch. Thanks. You were CCed on the patch so I assumed you would've seen it. If not, maybe your email address isn't set correctly in your Gerrit account or something? I've already pushed an update to https://review.trustedfirmware.org/1192 which I think should fix the issue for Tegra, but I need someone to test it. Nevertheless, I think it's a good idea to answer these questions in a general case (e.g. whether we can make sure that we won't break the build on master even if there are temporary issues with certain platforms), because it's probably going to become relevant again sooner or later even if the Tegra issue gets fixed now. IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.

5 years, 9 months

1
0
0 0

Advisory TFV 5 to CVE-2017-15031 only saves/stores the PMCR_EL0 across world switching

by Marek Bykowski

Hi David/ATF Support, An excerpt from the commit message to CVE-2017-15031 is "Additionally, PMCR_EL0 is added to the list of registers that are saved and restored during a world switch." My question is why it is only being saved/restored across the world switch and not during a "normal" SMC call? When I do modify the PMCR_EL0 in EL2 or NonSecure-EL1 and run the smc call the PMCCNTR counter counts during the smc call and does expose secure world timing information to NonSecure in that matter. Thanks, Marek

5 years, 9 months

1
0
0 0

Raspberry Pi 4 ATF port

by Andre Przywara

Hi, (BCC:ing Antonio as well) not sure if someone gets notified, but I pushed a patch set to add Raspberry Pi 4 support to Trusted Firmware: https://review.trustedfirmware.org/c/TF-A/trusted-firmware-a/+/1629 This port is quite a departure from the existing RPi3 port, that's why I wanted to start a discussion about it here. I originally started by copying files. But for the sake of simplicity, also to get away without a BL33 loader, it turned into just a BL31-only port (for now?). This ties more into the existing RPi Foundation boot style, as the resulting bl31.bin is a drop-in replacement for the existing armstub8.bin. So you put your AArch64 kernel into kernel8.img and copy bl31.bin to armstub8.bin (or use the respective config.txt options to point to any other filename), and it should work (TM). The code will pick up the actual kernel and DTB load address from the GPU firmware, patch the DT to use PSCI instead of spin tables, then will drop into EL2 at the kernel load address. There could (should?) be U-Boot or EDK-II there as well, or any other kernel, for that matter. The only thing Linux specific we do is to put the DTB address into x0. I guess this doesn't hurt, even if the BL33 payload does not use this information. I would be grateful to hear some opinions about this approach. Does that sound sensible? Is the split of the platform directory (plat/rpi3 -> plat/rpi/rpi[34]) reasonable? Shall we add this design as a build option to RPi3 as well? Shall we add the "full featured" RPi3 design to RPi4 also? Looking forward to any feedback! Cheers, Andre.

5 years, 9 months

3
2
0 0

Re: [TF-A] Defects detected by Coverity Scan Online

by Sandrine Bailleux

Hi, On 7/3/19 11:15 AM, Sandrine Bailleux via TF-A wrote: > We would need help from the TF-A community for analyzing and fixing > them, especially those in platform ports and drivers. Note that there > might be false positives, in which case we would just triage them as > such in the tool's database. > > Hopefully everyone should be able to view the defects, according to the > tool's settings. You might need to create an account on > https://scan.coverity.com for that. We've received a couple of requests from users to get access to the TF-A defects database in the Coverity Scan Online service. I think it's worth clarifying the different levels of access the tool offers and how we envisage the defects triaging. In Coverity Scan Online, users can have any of the following 4 roles (in ascending order of permissions): - Observer/User: Only sees defects summary. - Defect Viewer. - Contributor/Member: Can also triage defects. - Maintainer/Owner: Also has some admin powers, like managing users and submitting builds to be analyzed. Right now, all users should be able to see the project summary and view the defects in read-only mode so this is equivalent to the "Defect viewer" role. I suspect people still need to create an account in Coverity Scan Online and be logged in to see the data. We would expect subsystems and platforms maintainers (i.e. people listed in docs/maintainers.rst [1]) to manage the defects in the part of the codebase they own, as they know best how to assess the severity of these defects and how to fix or triage them. As such, they need to have the "contributor/member" role in the tool. If you are such a maintainer, please feel free to create an account and request this role. If you would like to delegate part/all of the triaging process to a peer, that is also possible. In this case, could you please send me an email to indicate who you have chosen for this task? This is just to make sure that whoever requests the "contributor/member" role has done so with the relevant maintainer's approval. Please be aware that those with "contributor/member" role will be able to triage any defects in any part of the codebase, and not just in the subsystem/platform they maintain. "Maintainer/Owner" role will be reserved to the main maintainers (i.e. people listed at the top of docs/maintainers.rst) for now. Best regards, Sandrine [1] https://git.trustedfirmware.org/TF-A/trusted-firmware-a.git/tree/docs/maint…

5 years, 10 months

1
0
0 0

Re: [TF-A] How can I check detail error of CI failure?

by Sandrine Bailleux

Hi Jun, On 7/16/19 11:30 AM, John Tsichritzis via TF-A wrote: > Thank you for your email. Unfortunately detailed information is not available in Gerrit since CI is hosted internally. The maintainers post detailed information of the errors in case there is something that needs fixing. In this case I will post the error details in the Gerrit review itself. > > When a patch stack is submitted, usually we launch the tests on the topmost patch on the stack. In this case the entire branch gets tested, not a single commit. In other words, the testing doesn't do any "cherry-picking" on the patches, so even if there are dependencies between the patches this doesn't affect the test. That's why we usually launch the tests on the topmost patch. To add on top of what John said, I would like to mention that we are working with Linaro to have the CI loop opened up to all contributors in the future. When this day comes, you will be able to check the error log by yourself. In the meantime, I'm afraid you'll have to rely on Arm maintainers to give you the details, as John said. If they forget, please feel free to ping them in Gerrit (like you've already done for this patch). Best regards, Sandrine

5 years, 10 months

1
0
0 0

Re: [TF-A] How can I check detail error of CI failure?

by John Tsichritzis

Dear Jun, Thank you for your email. Unfortunately detailed information is not available in Gerrit since CI is hosted internally. The maintainers post detailed information of the errors in case there is something that needs fixing. In this case I will post the error details in the Gerrit review itself. When a patch stack is submitted, usually we launch the tests on the topmost patch on the stack. In this case the entire branch gets tested, not a single commit. In other words, the testing doesn't do any "cherry-picking" on the patches, so even if there are dependencies between the patches this doesn't affect the test. That's why we usually launch the tests on the topmost patch. Kind regards, John -- John Tsichritzis | Graduate Software Engineer Email: john.tsichritzis(a)arm.com<mailto:john.tsichritzis@arm.com> 110 Fulbourn Road, Cambridge, CB1 9NJ, United Kingdom https://www.arm.com/ On 16/07/2019 09.24, Jun Nie via TF-A wrote: Hi, I see below failure in this link: https://review.trustedfirmware.org/c/TF-A/trusted-firmware-a/+/1367 How can I check the error log? I am not sure it is due to lack of earlier patch in patch set or something. Because local build is OK. Patch Set 4: Verified-1 Build Failed https://jenkins.oss.arm.com/job/tf-gerrit-tforg-l1/221/ : FAILURE Jun

5 years, 10 months

1
0
0 0

How can I check detail error of CI failure?

by Jun Nie

Hi, I see below failure in this link: https://review.trustedfirmware.org/c/TF-A/trusted-firmware-a/+/1367 How can I check the error log? I am not sure it is due to lack of earlier patch in patch set or something. Because local build is OK. Patch Set 4: Verified-1 Build Failed https://jenkins.oss.arm.com/job/tf-gerrit-tforg-l1/221/ : FAILURE Jun

5 years, 10 months

1
0
0 0

Header file re-org

by Soby Mathew

Hi Everyone, This is regarding the header file re-organization patch that was submitted by Julius https://review.trustedfirmware.org/#/c/TF-A/trusted-firmware-a/+/1207/. It is necessary for the headers which form the ABI/handover interface for BL31 to be able to copied separately and included in other projects. The current approach taken in the patch is to define a "raw" version of such headers and have the original header include them. This certainly is the easiest way to solve the problem. But if it possible to have a more refined solution, that would be preferable. For that I have the following questions : 1. Should the project recognize these special headers and have them organized together in a folder ? It is important to recognize that the ABI can be extended by the platform. I would expect even if these "common" headers are organized into a folder, the platform specific ones need not go together with them. 2. Should the header be restricted from including standard C library headers ? 3. Should these ABI headers be allowed to include each other ? Forward declaration might be able to solve some of the issues, but good to have a policy on this. The current patch as such can be treated as step towards the ideal solution, if that solution needs more work/churn in the code base. Comments welcome. Best Regards Soby Mathew

5 years, 10 months

3
8
0 0

Re: [TF-A] [RFC] isolate the memory into different pagetable for TF-A

by feng chen

Hi Soby Mathew, Thanks for your reply. IMHO, the isolate pagetable is much more heavy. It looks like a big idea. And if we have a dynamic mapping function, which map the service's needed memory in the service's call can also mitigate this. But this can be more slower. For accessing limited resource, what's your idea? -Feng On 2019/7/9 4:27 下午, Soby Mathew wrote: > Hi Feng, > Thanks for your email. This is an interesting topic and this is an active area of work for us but in a slightly different manner. Could you please send this message to the mailing list tf-a(a)lists.trustedfirmware.org , so we can continue conversation on the list ? > > The mailing list info can be found here : > https://lists.trustedfirmware.org/mailman/listinfo/tf-a > > Thanks & Regards > Soby Mathew > >> -----Original Message----- >> From: feng chen <puck.chen(a)foxmail.com> >> Sent: 08 July 2019 16:24 >> To: Dan Handley <Dan.Handley(a)arm.com>; Soby Mathew >> <Soby.Mathew(a)arm.com>; Sandrine Bailleux <Sandrine.Bailleux(a)arm.com>; >> Alexei Fedorov <Alexei.Fedorov(a)arm.com>; Paul Beesley >> <Paul.Beesley(a)arm.com>; John Tsichritzis <John.Tsichritzis(a)arm.com> >> Subject: [RFC] isolate the memory into different pagetable for TF-A >> >> Hello maintainers, >> >> Is it possible for mapping the memory into different page-tables for TF-A? >> >> Since the ATF is running in EL3 mode, which is the highest level of ARM SoCs. >> >> And for security reason, once one service provided in TF has some >> vulnerabilities, It can access all the memory TF mapped. And it could be more >> acceptable. >> >> Thinking about the userland goto kernelland, the process use isolated page >> tables. >> >> So I want to implement this for TF-A, different memory-mapping for different >> service, and it can also use a shared mem-mapping space which all the service >> need to use. >> >> >> I want to know how do you think about this? Does this make sense to you? >> >> >> Cherrs, >> >> Feng >> > > IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you. >

5 years, 10 months

2
1
0 0

Re: [TF-A] [RFC] isolate the memory into different pagetable for TF-A

by Chen Feng

Move this folk to list > 在 2019年7月9日，下午4:27，Soby Mathew <Soby.Mathew(a)arm.com> 写道： > > Hi Feng, > Thanks for your email. This is an interesting topic and this is an active area of work for us but in a slightly different manner. Could you please send this message to the mailing list tf-a(a)lists.trustedfirmware.org , so we can continue conversation on the list ? > > The mailing list info can be found here : > https://lists.trustedfirmware.org/mailman/listinfo/tf-a > > Thanks & Regards > Soby Mathew > >> -----Original Message----- >> From: feng chen <puck.chen(a)foxmail.com> >> Sent: 08 July 2019 16:24 >> To: Dan Handley <Dan.Handley(a)arm.com>; Soby Mathew >> <Soby.Mathew(a)arm.com>; Sandrine Bailleux <Sandrine.Bailleux(a)arm.com>; >> Alexei Fedorov <Alexei.Fedorov(a)arm.com>; Paul Beesley >> <Paul.Beesley(a)arm.com>; John Tsichritzis <John.Tsichritzis(a)arm.com> >> Subject: [RFC] isolate the memory into different pagetable for TF-A >> >> Hello maintainers, >> >> Is it possible for mapping the memory into different page-tables for TF-A? >> >> Since the ATF is running in EL3 mode, which is the highest level of ARM SoCs. >> >> And for security reason, once one service provided in TF has some >> vulnerabilities, It can access all the memory TF mapped. And it could be more >> acceptable. >> >> Thinking about the userland goto kernelland, the process use isolated page >> tables. >> >> So I want to implement this for TF-A, different memory-mapping for different >> service, and it can also use a shared mem-mapping space which all the service >> need to use. >> >> >> I want to know how do you think about this? Does this make sense to you? >> >> >> Cherrs, >> >> Feng >> > > IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.

5 years, 10 months

1
0
0 0

Defects detected by Coverity Scan Online

by Sandrine Bailleux

Hello, As you may be aware, Trusted Firmware-A source code regularly gets analyzed by Coverity Scan Online [1]. This is a free service offered by Synopsys for open source projects, that TF-A has used since 2015. The analysis currently gets driven by Arm's internal CI system. We've recently made some improvements to this setup, which led to the tool analyzing more files. The latest analysis report from this morning shows 65 newly-found defects, scattered across the code base. We would need help from the TF-A community for analyzing and fixing them, especially those in platform ports and drivers. Note that there might be false positives, in which case we would just triage them as such in the tool's database. Hopefully everyone should be able to view the defects, according to the tool's settings. You might need to create an account on https://scan.coverity.com for that. Best regards, Sandrine [1] https://scan.coverity.com/projects/arm-software-arm-trusted-firmware

5 years, 10 months

1
0
0 0

Why is assembly macro used for registering multi-console driver?

by Masahiro Yamada

Hi, Probably, I should have asked this before pushing my code. I have a question about finalize_console_register. Platforms call console_*_register() from C code. I do not know why we need to fill the callbacks in the assembler macro, finalize_console_register. We could call console_register() directly from C code, like this: https://review.trustedfirmware.org/c/TF-A/trusted-firmware-a/+/1426/3/plat/… Maybe, we may want to register the console so early in order to enable plat/common/aarch64/crash_console_helpers.S in the boot-up code?

5 years, 10 months

2
1
0 0

Re: [TF-A] Armv8A Suspend/Resume reference code

by Soby Mathew

> -----Original Message----- > From: TF-A <tf-a-bounces(a)lists.trustedfirmware.org> On Behalf Of Gutierrez, > Hernan Ildefonso (Boise R&D, FW) via TF-A > Sent: 24 June 2019 22:35 > To: tf-a(a)lists.trustedfirmware.org > Subject: [TF-A] Armv8A Suspend/Resume reference code > > Hi, > > I am looking for reference code for ArmV8A core suspend/resume. > Are there code references that are suggested to look for? > Application notes to read? > Hi Hernan, The PSCI Spec[1] specifies power management on ARM CPUs and this includes suspend and resume. The TF-A provides an implementation of PSCI with appropriate hooks to plug-in in platform specifics. There are documents in the `docs` folder which cover different aspects of PSCI implementation like PSCI topology [2], CPU specifics [3], and platform porting guide [4]. In terms of adding support for a new platform, it is most likely that all the architectural (as in ARMv8A reference manual) and the CPU specific power management as specified in the TRM are covered already (see lib/cpus/ folder for CPUs already supported). So it’s a matter of implementing the platform hooks as mentioned in the porting guide [4]. With respect to implementing platform hooks, the ARM reference platforms like FVP provide an example of how the hooks can be implemented (see fvp_pm.c/fvp_topology.c ). So if you platform is a GICv3 system and the power controller already uses SCMI as the protocol for communication, then most of the code in FVP can be reused for your platform. Hope that provides a starting point for you to begin. [1] http://infocenter.arm.com/help/topic/com.arm.doc.den0022d/Power_State_Coord… [2] https://git.trustedfirmware.org/TF-A/trusted-firmware-a.git/about/docs/desi… [3] https://git.trustedfirmware.org/TF-A/trusted-firmware-a.git/about/docs/desi… (see CPU specific operations framework) [4] https://git.trustedfirmware.org/TF-A/trusted-firmware-a.git/about/docs/gett… (see Power State Coordination Interface) > Any pointers will be appreciated, thanks. > > Hernan > > -- > TF-A mailing list > TF-A(a)lists.trustedfirmware.org > https://lists.trustedfirmware.org/mailman/listinfo/tf-a

5 years, 10 months

1
0
0 0

Armv8A Suspend/Resume reference code

by Gutierrez, Hernan Ildefonso (Boise R&D, FW)

Hi, I am looking for reference code for ArmV8A core suspend/resume. Are there code references that are suggested to look for? Application notes to read? Any pointers will be appreciated, thanks. Hernan

5 years, 10 months

1
0
0 0

Re: [TF-A] New console interface porting examples

by Soby Mathew

Hi, We are planning merge the patch removing support for legacy console support this week. This is a gentle reminder for platforms not yet migrated to the MULTI_CONSOLE_API. Best Regards Soby Mathew > -----Original Message----- > From: TF-A <tf-a-bounces(a)lists.trustedfirmware.org> On Behalf Of Ambroise > Vincent via TF-A > Sent: 31 May 2019 10:40 > To: jens.wiklander(a)linaro.org; yamada.masahiro(a)socionext.com; > siva.durga.paladugu(a)xilinx.com; vwadekar(a)nvidia.com; > bryan.odonoghue(a)linaro.org; jun.nie(a)linaro.org > Cc: tf-a(a)lists.trustedfirmware.org; nd <nd(a)arm.com> > Subject: [TF-A] New console interface porting examples > > Hi, > > An update on the new console API > (https://github.com/ARM-software/tf-issues/issues/692): > > You will find patches below for the platforms that haven't done the migration > to the new interface yet, in order to give them something to test and > potentially adapt if it doesn't work as intended. The commits are independent > from each other and can be easily cherry-picked. > > Tegra: https://review.trustedfirmware.org/c/TF-A/trusted-firmware-a/+/1192/ > > Zynqmp: https://review.trustedfirmware.org/c/TF-A/trusted-firmware- > a/+/1193/ > > Uniphier: > https://review.trustedfirmware.org/c/TF-A/trusted-firmware-a/+/1194/ > > Qemu: https://review.trustedfirmware.org/c/TF-A/trusted-firmware-a/+/1195/ > > Warp7: a very small patch to look at, removing a soon to be deleted legacy file > from the platform makefile: > https://review.trustedfirmware.org/c/TF-A/trusted-firmware-a/+/1191/ > > > As you know, the old interface is going to be removed at the end of June > by https://review.trustedfirmware.org/c/TF-A/trusted-firmware-a/+/842/ > > > Regards > > -- > TF-A mailing list > TF-A(a)lists.trustedfirmware.org > https://lists.trustedfirmware.org/mailman/listinfo/tf-a

5 years, 10 months

2
1
0 0

Re: [TF-A] Can 1 Core in EL3 elevate other 3 cores to EL3?

by Soby Mathew

> -----Original Message----- > From: TF-A <tf-a-bounces(a)lists.trustedfirmware.org> On Behalf Of Thor > Thayer via TF-A > Sent: 20 June 2019 09:05 > To: tf-a(a)lists.trustedfirmware.org > Subject: [TF-A] Can 1 Core in EL3 elevate other 3 cores to EL3? > > Hi, > > I have a quad-core ARM64 Cortex-A53 where 1 core is executing in EL3 while > the other 3 cores are in EL1. The 3 cores in EL1 are spinning in a WFI loop. The > EL3 CPU transitioned to EL3 as a result of the PSCI RESET2 call from Linux. > > Is there a way for the EL3 core to switch the other cores into EL3 easily? Hi Thor, One way to do this to configure an IPI (SGI in GICv3 terminology) to be an EL3 interrupt (Group 0). Trigger this IPI from the first core to all the other 3 cores. This will cause the 3 cores to transition to EL3 to handle the EL3 interrupt and you will have to configure a suitable interrupt handler. Implication of this new EL3 IPI is that it can also cause the core to transition to EL3 if triggered when executing in Secure world. Also be aware that configuration of any EL3 interrupt will affect the routing model and change the behaviour of normal world interrupts when executing in Secure world. The secure world executing a "yielding" SMC request will get pre-empted on occurrence of normal world interrupt and the secure world may not get a chance to do a "controlled exit". Usually the PSCI_RESET2 can work without all the cores being in EL3. Could you elaborate why the other cores need to be in EL3 for this reset? > > As far as I know, the communication between cores takes place through the IPI. > Unfortunately, in my case, an SError has occurred that is masking the IPI. > If I understand correctly, the PSCI_RESET2 is being issued after the SError has happened on other cores. The EL3 IPI should cause these cores to transition to EL3 regardless of the interrupt mask state at lower Els. > Thanks, > > Thor > -- > TF-A mailing list > TF-A(a)lists.trustedfirmware.org > https://lists.trustedfirmware.org/mailman/listinfo/tf-a

5 years, 11 months

2
1
0 0

Can 1 Core in EL3 elevate other 3 cores to EL3?

by Thor Thayer

Hi, I have a quad-core ARM64 Cortex-A53 where 1 core is executing in EL3 while the other 3 cores are in EL1. The 3 cores in EL1 are spinning in a WFI loop. The EL3 CPU transitioned to EL3 as a result of the PSCI RESET2 call from Linux. Is there a way for the EL3 core to switch the other cores into EL3 easily? As far as I know, the communication between cores takes place through the IPI. Unfortunately, in my case, an SError has occurred that is masking the IPI. Thanks, Thor

5 years, 11 months

1
0
0 0

Re: [TF-A] Arm trusted firmware reads wrong fip file from flash on hikey960v2

by Soby Mathew

> -----Original Message----- > From: TF-A <tf-a-bounces(a)lists.trustedfirmware.org> On Behalf Of David > Cerdeira via TF-A > Sent: 04 June 2019 10:04 > To: tf-a(a)lists.trustedfirmware.org > Subject: [TF-A] Arm trusted firmware reads wrong fip file from flash on > hikey960v2 > > Greetings, > i’m having trouble getting arm trusted firmware to work on hikey960v2 I > followed all the steps in this guide https://github.com/ARM-software/arm- > trusted-firmware/blob/master/docs/plat/hikey960.rst, > and the steps in https://optee.readthedocs.io/building/devices/hikey960.html > The problem seems to be in reading the fip.bin, or rather the problem is > writing the fip file as it seems it is not properly flashed. > ATF bl2 fails to find the UUID of the BL2_SCP image in the fip.bin output by the > build process, the fip file it reads from flash only has the BL31 and BL33 UUIDs. > > I tried checking older versions of ATF, as I figured it might be a problem in > current versions, but the same problems occurred. Hi David, I don’t have much insight into platform specifics. One suggestion is to try with pre-built binaries and once they are working, replace with your custom ones. This page may help : http://releases.linaro.org/96boards/hikey/linaro/debian/15.11/ The Hikey Platform maintainers may be able to help more in this regard. Best Regards Soby Mathew > > At this moment I feel the problem is in the flashing step. > I tried moving the partitions in the partition tables, as well as the value of the > macro HIKEY960_FIP_BASE present in hikey960_def.h to match what I thought > would be the writing position of the file in the partition, but without success. > > If anyone could give me any idea as to what the problem might be, that’d be > great Best regards, David Cerdeira > -- > TF-A mailing list > TF-A(a)lists.trustedfirmware.org > https://lists.trustedfirmware.org/mailman/listinfo/tf-a

5 years, 11 months

1
0
0 0

2025

2024

2023

2022

2021

2020

2019

2018

TF-A