- TF-A - lists.trustedfirmware.org

Re: [TF-A] Stack Protector for platforms not implementing plat_get_stack_protector_canary

by raghu.ncstate＠icloud.com

Adding tf-a list again. -----Original Message----- From: raghu.ncstate(a)icloud.com <raghu.ncstate(a)icloud.com> Sent: Thursday, May 13, 2021 9:33 AM To: 'Heiko Thiery' <heiko.thiery(a)gmail.com>; 'tf-a-bounces(a)lists.trustedfirmware.org' <tf-a-bounces(a)lists.trustedfirmware.org> Subject: RE: [TF-A] Stack Protector for platforms not implementing plat_get_stack_protector_canary Right. The point I was trying to make is the same as the comment in the C file says "this is better than nothing but not necessarily really secure". I'm just saying SSP without truly random stack canary in an open source project is as good as not having SSP 😊 >From an TF-A point of view, I think we want to encourage folks to include TRNG's on their platform and we should not provide an insecure default implementation, since people may assume security properties about it if they don’t look closely enough. Thanks Raghu -----Original Message----- From: Heiko Thiery <heiko.thiery(a)gmail.com> Sent: Thursday, May 13, 2021 8:57 AM To: raghu.ncstate(a)icloud.com; tf-a-bounces(a)lists.trustedfirmware.org Subject: Re: [TF-A] Stack Protector for platforms not implementing plat_get_stack_protector_canary Hi, Am Do., 13. Mai 2021 um 17:13 Uhr schrieb <raghu.ncstate(a)icloud.com>: > > Without a RNG, implementing a generic function as you have mentioned below would mean returning a constant value or random numbers that are not cryptographically secure for the stack canary. Neither of those options will really provide any security benefit. In absence of a TRNG or secret seed that can be used to generate secure random numbers, I think turning off SSP is not that much worse than returning bad values. But as you can read in the comments of some implementations, it is better to return a pseudo value than none at all. Or am I wrong there? And assuming that this is true, it would be good to have an implementation for all those who don't use TRNG like the ones at https://git.trustedfirmware.org/TF-A/trusted-firmware-a.git/tree/plat/rockc…. > > A quick google search tells me that imx8m may have a random number generator so the platform code may need to hook up tf-a platform port to the random number. > > -----Original Message----- > From: TF-A <tf-a-bounces(a)lists.trustedfirmware.org> On Behalf Of Heiko > Thiery via TF-A > Sent: Thursday, May 13, 2021 12:34 AM > To: tf-a(a)lists.trustedfirmware.org > Subject: [TF-A] Stack Protector for platforms not implementing > plat_get_stack_protector_canary > > Hi all, > > I recently encountered a build issue with the imx8m platform. > Buildroot will set the SSP (Stack Smashing Protection) option to on by > default in the next release. This option also turns on the > ENABLE_STACK_PROTECTOR in the ATF. But since the > plat_get_stack_protector_canary() function is not implemented for the > imx8m for example, the build fails for this platform. My question now > is: could you implement a generic function like it is implemented for some platforms that don't have a real RNG? Or is there a concern here? > > I must admit that I have no experience with ATF other than building and deploying it. > > Thanks > -- > Heiko > -- > TF-A mailing list > TF-A(a)lists.trustedfirmware.org > https://lists.trustedfirmware.org/mailman/listinfo/tf-a > Thanks -- Heiko

4 years

2
3
0 0

Re: [TF-A] Lost gerrit email notifications

by Joanna Farley

Hi Raghu, That’s should have been corrected as there was a fault on trustedfirmware.org servers which was fixed overnight as I was also missing notifications but they have started to come through now. Joanna From: TF-A <tf-a-bounces(a)lists.trustedfirmware.org> on behalf of Raghu Krishnamurthy via TF-A <tf-a(a)lists.trustedfirmware.org> Reply to: "raghu.ncstate(a)icloud.com" <raghu.ncstate(a)icloud.com> Date: Thursday, 13 May 2021 at 15:47 To: "tf-a(a)lists.trustedfirmware.org" <tf-a(a)lists.trustedfirmware.org> Subject: [TF-A] Lost gerrit email notifications Hi All, I seem to have lost email notification of comments on gerrit reviews. I’ve checked my gerrit settings and reset the settings to enable notifications but I cant seem to get notifications from gerrit. Is this something others are seeing as well? Thanks Raghu

4 years

2
1
0 0

Lost gerrit email notifications

by raghu.ncstate＠icloud.com

Hi All, I seem to have lost email notification of comments on gerrit reviews. I've checked my gerrit settings and reset the settings to enable notifications but I cant seem to get notifications from gerrit. Is this something others are seeing as well? Thanks Raghu

4 years

1
0
0 0

Stack Protector for platforms not implementing plat_get_stack_protector_canary

by Heiko Thiery

Hi all, I recently encountered a build issue with the imx8m platform. Buildroot will set the SSP (Stack Smashing Protection) option to on by default in the next release. This option also turns on the ENABLE_STACK_PROTECTOR in the ATF. But since the plat_get_stack_protector_canary() function is not implemented for the imx8m for example, the build fails for this platform. My question now is: could you implement a generic function like it is implemented for some platforms that don't have a real RNG? Or is there a concern here? I must admit that I have no experience with ATF other than building and deploying it. Thanks -- Heiko

4 years

1
0
0 0

Re: [TF-A] Proposal: TF-A to adopt hand-off blocks (HOBs) for information passing between boot stages

by François Ozog

Hi here is the meeting recording: https://linaro-org.zoom.us/rec/share/zjfHeMIumkJhirLCVQYTHR6ftaqyWvF_0klgQn… Passcode: IPn+5q%z I am really sorry about the confusion related to the meeting time. I have now understood: the Collaborate portal uses a specific calendar which is tied to US/Chicago timezone while the actual Google Calendar is tied to Central Europe timezone. I am going to drop the Collaborate portal and use a shared Google calendar (it should be visible on the trusted-substrate.org page). I'll try to summarize what I learnt and highlight my view on what can be next steps in a future mail. Cheers FF On Thu, 8 Apr 2021 at 13:56, Manish Pandey2 via TF-A < tf-a(a)lists.trustedfirmware.org> wrote: > Hi, > > From TF-A project point of view, we prefer to use existing mechanism to > pass parameters across boot stages using linked list of tagged elements (as > suggested by Julius). It has support for both generic and SiP-specific > tags. Having said that, it does not stop partners to introduce new > mechanisms suitable for their usecase in platform port initially and later > move to generic code if its suitable for other platforms. > > To start with, Ampere can introduce a platform specific implementation of > memory tag(speed/NUMA topology etc) which can be evaluated and discussed > for generalization in future. The tag will be populated in BL2 stage and > can be forwarded to further stages(and to BL33) by passing the head of list > pointer in one of the registers. Initially any register can be used but > going forward a standardization will be needed. > > The U-boot bloblist mentioned by Simon is conceptually similar to what > TF-A is using, if there is consensus of using bloblist/taglist then TF-A > tag list may be enhanced to take best of both the implementations. > > One of the potential problems of having structure used in different > projects is maintainability, this can be avoided by having a single copy of > these structures in TF-A (kept inside "include/export" which intended to be > used by other projects.) > > Regarding usage of either UUID or tag, I echo the sentiments of Simon and > Julius to keep it simple and use tag values. > > Looking forward to having further discussions on zoom call today. > > Thanks > Manish P > > ------------------------------ > *From:* TF-A <tf-a-bounces(a)lists.trustedfirmware.org> on behalf of Julius > Werner via TF-A <tf-a(a)lists.trustedfirmware.org> > *Sent:* 25 March 2021 02:43 > *To:* Simon Glass <sjg(a)chromium.org> > *Cc:* Harb Abdulhamid OS <abdulhamid(a)os.amperecomputing.com>; Boot > Architecture Mailman List <boot-architecture(a)lists.linaro.org>; > tf-a(a)lists.trustedfirmware.org <tf-a(a)lists.trustedfirmware.org>; U-Boot > Mailing List <u-boot(a)lists.denx.de>; Paul Isaac's <paul.isaacs(a)linaro.org>; > Ron Minnich <rminnich(a)google.com> > *Subject:* Re: [TF-A] Proposal: TF-A to adopt hand-off blocks (HOBs) for > information passing between boot stages > > Just want to point out that TF-A currently already supports a (very > simple) mechanism like this: > > > https://review.trustedfirmware.org/plugins/gitiles/TF-A/trusted-firmware-a/… > > https://review.trustedfirmware.org/plugins/gitiles/TF-A/trusted-firmware-a/… > > https://review.trustedfirmware.org/plugins/gitiles/TF-A/trusted-firmware-a/… > > It's just a linked list of tagged elements. The tag space is split into > TF-A-wide generic tags and SiP-specific tags (with plenty of room to spare > if more areas need to be defined -- a 64-bit tag can fit a lot). This is > currently being used by some platforms that run coreboot in place of > BL1/BL2, to pass information from coreboot (BL2) to BL31. > > I would echo Simon's sentiment of keeping this as simple as possible and > avoiding complicated and bloated data structures with UUIDs. You usually > want to parse something like this as early as possible in the passed-to > firmware stage, particularly if the structure encodes information about the > debug console (like it does for the platforms I mentioned above). For > example, in BL31 this basically means doing it right after moving from > assembly to C in bl31_early_platform_setup2() to get the console up before > running anything else. At that point in the BL31 initialization, the MMU > and caches are disabled, so data accesses are pretty expensive and you > don't want to spend a lot of parsing effort or calculate complicated > checksums or the like. You just want something extremely simple where you > ideally have to touch every data word only once. > > On Wed, Mar 24, 2021 at 5:06 PM Simon Glass via TF-A < > tf-a(a)lists.trustedfirmware.org> wrote: > > Hi Harb, > > On Wed, 24 Mar 2021 at 11:39, Harb Abdulhamid OS < > abdulhamid(a)os.amperecomputing.com> wrote: > > Hello Folks, > > Appreciate the feedback and replies on this. Glad to see that there is > interest in this topic. 😊 > > > > I try to address the comments/feedback from Francois and Simon below…. > > > > @François Ozog <francois.ozog(a)linaro.org> – happy to discuss this on a > zoom call. I will make that time slot work, and will be available to > attend April 8, 4pm CT. > > > > Note that I’m using the term “HOB” here more generically, as there are > typically vendor specific structures beyond the resource descriptor HOB, > which provides only a small subset of the information that needs to be > passed between the boot phases. > > > > The whole point here is to provide mechanism to develop firmware that we > can build ARM Server SoC’s that support **any** BL33 payload (e.g. EDK2, > AptioV, CoreBoot, and maybe even directly boot strapping LinuxBoot at some > point). In other-words, we are trying to come up with a TF-A that would > be completely agnostic to the implementation of BL33 (i.e. BL33 is built > completely independently by a separate entity – e.g. an ODM/OEM). > > > > Keep in mind, in the server/datacenter market segment we are not building > vertically integrated systems with a single entity compiling > firmware/software stacks like most folks in TF-A have become use to. There > are two categories of higher level firmware code blobs in the > server/datacenter model: > > 1. “SoC” or “silicon” firmware – in TF-A this may map to BL1, BL2, > BL31, and **possibly** one or more BL32 instances > 2. “Platform” or “board” firmware – in TF-A this may map to BL33 and * > *possibly** one or more BL32 instances. > > > > Even the platform firmware stack could be further fragmented by having > multiple entities involved in delivering the entire firmware stack: IBVs, > ODMs, OEMs, CSPs, and possibly even device vendor code. > > > > To support a broad range of platform designs with a broad range of memory > devices, we need a crisp and clear contract between the SoC firmware that > initializes memory (e.g. BL2) and how that platform boot firmware (e.g. > BL33) gathers information about what memory that was initialized, at what > speeds, NUMA topology, and many other relevant information that needs to be > known and comprehended by the platform firmware and eventually by the > platform software. > > > > I understand the versatility of DT, but I see two major problems with DT: > > - DT requires more complicated parsing to get properties, and even > more complex to dynamically set properties – this HOB structures may need > to be generated in boot phases where DDR is not available, and therefore we > will be extremely memory constrained. > - DT is probably overkill for this purpose – We really just want a > list of pointers to simple C structures that code cast (e.g. JEDEC SPD data > blob) > > > > I think that we should not mix the efforts around DT/ACPI specs with what > we are doing here, because those specs and concepts were developed for a > completely different purpose (i.e. abstractions needed for OS / RTOS > software, and not necessarily suitable for firmware-to-firmware hand-offs). > > > > Frankly, I would personally push back pretty hard on defining SMC’s for > something that should be one way information passing. Every SMC we add is > another attack vector to the secure world and an increased burden on the > folks that have to do security auditing and threat analysis. I see no > benefit in exposing these boot/HOB/BOB structures at run-time via SMC > calls. > > > > Please do let me know if you disagree and why. Look forward to discussing > on this thread or on the call. > > > > @Simon Glass <sjg(a)chromium.org> - Thanks for the pointer to bloblist. > I briefly reviewed and it seems like a good baseline for what we may be > looking for. > > > > That being said, I would say that there is some benefit in having some > kind of unique identifiers (e.g. UUID or some unique signature) so that we > can tie standardized data structures (based on some future TBD specs) to a > particular ID. For example, if the TPM driver in BL33 is looking for the > TPM structure in the HOB/BOB list, and may not care about the other data > blobs. The driver needs a way to identify and locate the blob it cares > about. > > > The tag is intended to serve that purpose, although perhaps it should > switch from an auto-allocating enum to one with explicit values for each > entry and a range for 'local' use. > > > > I guess we can achieve this with the tag, but the problem with tag when > you have eco-system with a lot of parties doing parallel development, you > can end up with tag collisions and folks fighting about who has rights to > what tag values. We would need some official process for folks to register > tags for whatever new structures we define, or maybe some tag range for > vendor specific structures. This comes with a lot of pain and > bureaucracy. On the other hand, UUID has been a proven way to make it easy > to just define your own blobs with **either** standard or vendor specific > structures without worry of ID collisions between vendors. > > > True. I think the pain is overstated, though. In this case I think we > actually want something that can be shared between projects and orgs, so > some amount of coordination could be considered a benefit. It could just be > a github pull request. I find the UUID unfriendly and not just to code size > and eyesight! Trying to discover what GUIDs mean or are valid is quite > tricky. E.g. see this code: > > #define FSP_HOB_RESOURCE_OWNER_TSEG_GUID \ > EFI_GUID(0xd038747c, 0xd00c, 0x4980, \ > 0xb3, 0x19, 0x49, 0x01, 0x99, 0xa4, 0x7d, 0x55) > (etc.) > > static struct guid_name { > efi_guid_t guid; > const char *name; > } guid_name[] = { > { FSP_HOB_RESOURCE_OWNER_TSEG_GUID, "TSEG" }, > { FSP_HOB_RESOURCE_OWNER_FSP_GUID, "FSP" }, > { FSP_HOB_RESOURCE_OWNER_SMM_PEI_SMRAM_GUID, "SMM PEI SMRAM" }, > { FSP_NON_VOLATILE_STORAGE_HOB_GUID, "NVS" }, > { FSP_VARIABLE_NV_DATA_HOB_GUID, "Variable NVS" }, > { FSP_GRAPHICS_INFO_HOB_GUID, "Graphics info" }, > { FSP_HOB_RESOURCE_OWNER_PCD_DATABASE_GUID1, "PCD database ea" }, > { FSP_HOB_RESOURCE_OWNER_PCD_DATABASE_GUID2, "PCD database 9b" }, > (never figured out what those two are) > > { FSP_HOB_RESOURCE_OWNER_PEIM_DXE_GUID, "PEIM Init DXE" }, > { FSP_HOB_RESOURCE_OWNER_ALLOC_STACK_GUID, "Alloc stack" }, > { FSP_HOB_RESOURCE_OWNER_SMBIOS_MEMORY_GUID, "SMBIOS memory" }, > { {}, "zero-guid" }, > {} > }; > > static const char *guid_to_name(const efi_guid_t *guid) > { > struct guid_name *entry; > > for (entry = guid_name; entry->name; entry++) { > if (!guidcmp(guid, &entry->guid)) > return entry->name; > } > > return NULL; > } > > Believe it or not it took a fair bit of effort to find just that small > list, with nearly every one in a separate doc, from memory. > > > > We can probably debate whether there is any value in GUID/UUID or not > during the call… but again, boblist seems like a reasonable starting point > as an alternative to HOB. > > > Indeed. There is certainly value in both approaches. > > Regards, > Simon > > > > > Thanks, > > --Harb > > > > *From:* François Ozog <francois.ozog(a)linaro.org> > *Sent:* Tuesday, March 23, 2021 10:00 AM > *To:* François Ozog <francois.ozog(a)linaro.org>; Ron Minnich < > rminnich(a)google.com>; Paul Isaac's <paul.isaacs(a)linaro.org> > *Cc:* Simon Glass <sjg(a)chromium.org>; Harb Abdulhamid OS < > abdulhamid(a)os.amperecomputing.com>; Boot Architecture Mailman List < > boot-architecture(a)lists.linaro.org>; tf-a(a)lists.trustedfirmware.org > *Subject:* Re: [TF-A] Proposal: TF-A to adopt hand-off blocks (HOBs) for > information passing between boot stages > > > > +Ron Minnich <rminnich(a)google.com> +Paul Isaac's <paul.isaacs(a)linaro.org> > > > > Adding Ron and Paul because I think this interface should be also > benefiting LinuxBoot efforts. > > > > On Tue, 23 Mar 2021 at 11:17, François Ozog via TF-A < > tf-a(a)lists.trustedfirmware.org> wrote: > > Hi, > > > > I propose we cover the topic at the next Trusted Substrate > <https://collaborate.linaro.org/display/TS/Trusted+Substrate+Home> zoom > call <https://linaro-org.zoom.us/j/94563644892> on April 8th 4pm CET. > > > > The agenda: > > ABI between non-secure firmware and the rest of firmware (EL3, S-EL1, > S-EL2, SCP) to adapt hardware description to some runtime conditions. > > runtime conditions here relates to DRAM size and topology detection, > secure DRAM memory carvings, PSCI and SCMI interface publishing. > > > > For additional background on existing metadata: UEFI Platform > Initialization Specification Version 1.7 > <https://uefi.org/sites/default/files/resources/PI_Spec_1_7_final_Jan_2019.p…> > , 5.5 Resource Descriptor HOB > > Out of the ResourceType we care about is EFI_RESOURCE_SYSTEM_MEMORY. > > This HOB lacks memory NUMA attachment or something that could be related > to fill SRAT table for ACPI or relevant DT proximity domains. > > HOB is not consistent accros platforms: some platforms (Arm) lists memory > from the booting NUMA node, other platforms (x86) lists all memory from all > NUMA nodes. (At least this is the case on the two platforms I tested). > > > > There are two proposals to use memory structures from SPL/BLx up to the > handover function (as defined in the Device Tree technical report > <https://docs.google.com/document/d/1CLkhLRaz_zcCq44DLGmPZQFPbYHOC6nzPowaL0X…>) > which can be U-boot (BL33 or just U-Boot in case of SPL/U-Boot scheme) or > EDK2. > > I would propose we also discuss possibility of FF-A interface to actually > query information or request actions to be done (this is a model actually > used in some SoCs with proprietary SMC calls). > > > > Requirements (to be validated): > > - ACPI and DT hardware descriptions. > > - agnostic to boot framework (SPL/U-Boot, TF-A/U-Boot, TF-A/EDK2) > > - agnostic to boot framework (SPL/U-Boot, TF-A/U-Boot, TF-A/EDK2, > TF-A/LinuxBoot) > > - at least allows complete DRAM description and "persistent" usage > (reserved areas for secure world or other usages) > > - support secure world device assignment > > > > Cheers > > > > FF > > > > > > On Mon, 22 Mar 2021 at 19:56, Simon Glass <sjg(a)chromium.org> wrote: > > Hi, > > Can I suggest using bloblist for this instead? It is lightweight, > easier to parse, doesn't have GUIDs and is already used within U-Boot > for passing info between SPL/U-Boot, etc. > > Docs here: > https://github.com/u-boot/u-boot/blob/master/doc/README.bloblist > Header file describes the format: > https://github.com/u-boot/u-boot/blob/master/include/bloblist.h > > Full set of unit tests: > https://github.com/u-boot/u-boot/blob/master/test/bloblist.c > > Regards, > Simon > > On Mon, 22 Mar 2021 at 23:58, François Ozog <francois.ozog(a)linaro.org> > wrote: > > > > +Boot Architecture Mailman List <boot-architecture(a)lists.linaro.org> > > > > standardization is very much welcomed here and need to accommodate a very > > diverse set of situations. > > For example, TEE OS may need to pass memory reservations to BL33 or > > "capture" a device for the secure world. > > > > I have observed a number of architectures: > > 1) pass information from BLx to BLy in the form of a specific object > > 2) BLx called by BLy by a platform specific SMC to get information > > 3) BLx called by BLy by a platform specific SMC to perform Device Tree > > fixups > > > > I also imagined a standardized "broadcast" FF-A call so that any firmware > > element can either provide information or "do something". > > > > My understanding of your proposal is about standardizing on architecture > 1) > > with the HOB format. > > > > The advantage of the HOB is simplicity but it may be difficult to > implement > > schemes such as pruning a DT because device assignment in the secure > world. > > > > In any case, it looks feasible to have TF-A and OP-TEE complement the > list > > of HOBs to pass information downstream (the bootflow). > > > > It would be good to start with building the comprehensive list of > > information that need to be conveyed between firmware elements: > > > > information. | authoritative entity | reporting entity | information > > exchanged: > > dram | TFA | TFA | > > <format to be detailed, NUMA topology to build the SRAT table or DT > > equivalent?> > > PSCI | SCP | TFA? | > > SCMI | SCP or TEE-OS | TFA? TEE-OS?| > > secure SRAM | TFA. | TFA. | > > secure DRAM | TFA? TEE-OS? | TFA? TEE-OS? | > > other? | | > > | > > > > Cheers > > > > FF > > > > > > On Mon, 22 Mar 2021 at 09:34, Harb Abdulhamid OS via TF-A < > > tf-a(a)lists.trustedfirmware.org> wrote: > > > > > Hello Folks, > > > > > > > > > > > > I'm emailing to start an open discussion about the adoption of a > concept > > > known as "hand-off blocks" or HOB to become a part of the TF-A Firmware > > > Framework Architecture (FFA). This is something that is a pretty major > > > pain point when it comes to the adoption of TF-A in ARM Server SoC’s > > > designed to enable a broad range of highly configurable datacenter > > > platforms. > > > > > > > > > > > > > > > > > > What is a HOB (Background)? > > > > > > --------------------------- > > > > > > UEFI PI spec describes a particular definition for how HOB may be used > for > > > transitioning between the PEI and DXE boot phases, which is a good > > > reference point for this discussion, but not necessarily the exact > solution > > > appropriate for TF-A. > > > > > > > > > > > > A HOB is simply a dynamically generated data structure passed in > between > > > two boot phases. This is information that was obtained through > discovery > > > and needs to be passed forward to the next boot phase *once*, with no > API > > > needed to call back (e.g. no call back into previous firmware phase is > > > needed to fetch this information at run-time - it is simply passed one > time > > > during boot). > > > > > > > > > > > > There may be one or more HOBs passed in between boot phases. If there > are > > > more than one HOB that needs to be passed, this can be in a form of a > "HOB > > > table", which (for example) could be a UUID indexed array of pointers > to > > > HOB structures, used to locate a HOB of interest (based on UUID). In > such > > > cases, instead of passing a single HOB, the boot phases may rely on > passing > > > the pointer to the HOB table. > > > > > > > > > > > > This has been extremely useful concept to employ on highly configurable > > > systems that must rely on flexible discovery mechanisms to initialize > and > > > boot the system. This is especially helpful when you have multiple > > > > > > > > > > > > > > > > > > Why do we need HOBs in TF-A?: > > > > > > ----------------------------- > > > > > > It is desirable that EL3 firmware (e.g. TF-A) built for ARM Server SoC > in > > > a way that is SoC specific *but* platform agnostic. This means that a > > > single ARM SoC that a SiP may deliver to customers may provide a single > > > TF-A binary (e.g. BL1, BL2, BL31) that could be used to support a broad > > > range of platform designs and configurations in order to boot a > platform > > > specific firmware (e.g. BL33 and possibly even BL32 code). In order to > > > achieve this, the platform configuration must be *discovered* instead > of > > > statically compiled as it is today in TF-A via device tree based > > > enumeration. The mechanisms of discovery may differ broadly depending > on > > > the relevant industry standard, or in some cases may have rely on SiP > > > specific discovery flows. > > > > > > > > > > > > For example: On server systems that support a broad range DIMM memory > > > population/topologies, all the necessary information required to boot > is > > > fully discovered via standard JEDEC Serial Presence Detect (SPD) over > an > > > I2C bus. Leveraging the SPD bus, may platform variants could be > supported > > > with a single TF-A binary. Not only is this information required to > > > initialize memory in early boot phases (e.g. BL2), the subsequent boot > > > phases will also need this SPD info to construct a system physical > address > > > map and properly initialize the MMU based on the memory present, and > where > > > the memory may be present. Subsequent boot phases (e.g. BL33 / UEFI) > may > > > need to generate standard firmware tables to the operating systems, > such as > > > SMBIOS tables describing DIMM topology and various ACPI tables (e.g. > SLIT, > > > SRAT, even NFIT if NVDIMM's are present). > > > > > > > > > > > > In short, it all starts with a standardized or vendor specific > discovery > > > flow in an early boot stage (e.g. BL1/BL2), followed by the passing of > > > information to the next boot stages (e.g. BL31/BL32/BL33). > > > > > > > > > > > > Today, every HOB may be a vendor specific structure, but in the future > > > there may be benefit of defining standard HOBs. This may be useful for > > > memory discovery, passing the system physical address map, enabling TPM > > > measured boot, and potentially many other common HOB use-cases. > > > > > > > > > > > > It would be extremely beneficial to the datacenter market segment if > the > > > TF-A community would adopt this concept of information passing between > all > > > boot phases as opposed to rely solely on device tree enumeration. > This is > > > not intended to replace device tree, rather intended as an alternative > way > > > to describe the info that must be discovered and dynamically generated. > > > > > > > > > > > > > > > > > > Conclusion: > > > > > > ----------- > > > > > > We are proposing that the TF-A community begin pursuing the adoption of > > > HOBs as a mechanism used for information exchange between each boot > stage > > > (e.g. BL1->BL2, BL2->BL31, BL31->BL32, and BL31->BL33)? Longer term we > > > want to explore standardizing some HOB structures for the BL33 phase > (e.g. > > > UEFI HOB structures), but initially would like to agree on this being a > > > useful mechanism used to pass information between each boot stage. > > > > > > > > > > > > Thanks, > > > > > > --Harb > > > > > > > > > > > > > > > > > > > > > -- > > > TF-A mailing list > > > TF-A(a)lists.trustedfirmware.org > > > https://lists.trustedfirmware.org/mailman/listinfo/tf-a > > > > > > > > > -- > > François-Frédéric Ozog | *Director Linaro Edge & Fog Computing Group* > > T: +33.67221.6485 > > francois.ozog(a)linaro.org | Skype: ffozog > > _______________________________________________ > > boot-architecture mailing list > > boot-architecture(a)lists.linaro.org > > https://lists.linaro.org/mailman/listinfo/boot-architecture > > > > > -- > > *François-Frédéric Ozog* | *Director Linaro Edge & Fog Computing Group* > > T: +33.67221.6485 > francois.ozog(a)linaro.org | Skype: ffozog > > > > -- > TF-A mailing list > TF-A(a)lists.trustedfirmware.org > https://lists.trustedfirmware.org/mailman/listinfo/tf-a > > > > > -- > > *François-Frédéric Ozog* | *Director Linaro Edge & Fog Computing Group* > > T: +33.67221.6485 > francois.ozog(a)linaro.org | Skype: ffozog > > > > -- > TF-A mailing list > TF-A(a)lists.trustedfirmware.org > https://lists.trustedfirmware.org/mailman/listinfo/tf-a > > -- > TF-A mailing list > TF-A(a)lists.trustedfirmware.org > https://lists.trustedfirmware.org/mailman/listinfo/tf-a > -- François-Frédéric Ozog | *Director Linaro Edge & Fog Computing Group* T: +33.67221.6485 francois.ozog(a)linaro.org | Skype: ffozog

4 years, 1 month

4
3
0 0

Rockchip rk3399 build broken with gcc11

by Olivier Deprez

Hi Rockchip platform maintainers, There's a build issue spotted with GCC11 on rk3399 platform reported here using tip of master: https://developer.trustedfirmware.org/T925 The issue is not breaking the build with earlier gcc versions, but we think the error is legitimate and caused by a mistake in the platform code. Details in the ticket. Any chance for you to have a look? Thanks, Olivier.

4 years, 1 month

1
0
0 0

MEM_PROTECT for secure world?

by Okash Khawaja

Hi, As a PSCI call, MEM_PROTECT which is used to protect against cold reboot attack, can't be called from TZ-secure. In a situation where at run time, HLOS in NS-EL1 transfers some buffer that it owns, to a secure partition then secure partition can't call MEM_PROTECT because psci_smc_handler will return SMC_UNK if the caller is secure. Should MEM_PROTECT be available to TZ-secure as well? Thanks, Okash

4 years, 1 month

1
0
0 0

TF-A Tech Forum Agenda @ Thr 6th May 2021 16:00-1700 BST

by Joanna Farley

Hi All, The next TF-A Tech Forum is scheduled for Thu 6th May 2021 16:00 – 17:00 (BST). Agenda: * Discussion Session: Static and Dynamic Information Handling in TF-A * Lead by Manish Pandy and Madhukar Pappireddy · There is ongoing mailing lists discussion[1] related with adopting a mechanism to pass information through boot stages. The requirement is two-fold: 1. Passing static information(config files) 2. Passing dynamic information (Hob list) In the upcoming TF-A tech forum, we can start with a discussion on dynamic information passing and if time permits, we can cover static information passing. The purpose of the call is to have an open discussion and continue the discussion from the trusted-substrate call[2] done earlier. We would like to understand the various requirements and possible ways to implement it in TF-A in a generalized way so that it can work with other Firmware projects. The two specific item which we would like to discuss are: 1. HOB format: TF-A/u-boot both has an existing bloblist implementation, which uses tag values. Question, can this be enhanced to use hybrid values(Tag and UUID) both? 2. Standardization on Physical register use to pass base of HoB data structure. References: [1] https://lists.trustedfirmware.org/pipermail/tf-a/2021-April/001069.html [2] https://linaro-org.zoom.us/rec/share/zjfHeMIumkJhirLCVQYTHR6ftaqyWvF_0klgQn… Passcode: IPn+5q% Thanks Joanna You have been invited to the following event. TF-A Tech Forum When Every 2 weeks from 16:00 to 17:00 on Thursday United Kingdom Time Calendar tf-a(a)lists.trustedfirmware.org Who • Bill Fletcher- creator • tf-a(a)lists.trustedfirmware.org more details »<https://www.google.com/calendar/event?action=VIEW&eid=NWlub3Ewdm1tMmk1cTJrM…> We run an open technical forum call for anyone to participate and it is not restricted to Trusted Firmware project members. It will operate under the guidance of the TF TSC. Feel free to forward this invite to colleagues. Invites are via the TF-A mailing list and also published on the Trusted Firmware website. Details are here: https://www.trustedfirmware.org/meetings/tf-a-technical-forum/<https://www.google.com/url?q=https%3A%2F%2Fwww.trustedfirmware.org%2Fmeetin…> Trusted Firmware is inviting you to a scheduled Zoom meeting. Join Zoom Meeting https://zoom.us/j/9159704974<https://www.google.com/url?q=https%3A%2F%2Fzoom.us%2Fj%2F9159704974&sa=D&us…> Meeting ID: 915 970 4974 One tap mobile +16465588656,,9159704974# US (New York) +16699009128,,9159704974# US (San Jose) Dial by your location +1 646 558 8656 US (New York) +1 669 900 9128 US (San Jose) 877 853 5247 US Toll-free 888 788 0099 US Toll-free Meeting ID: 915 970 4974 Find your local number: https://zoom.us/u/ad27hc6t7h<https://www.google.com/url?q=https%3A%2F%2Fzoom.us%2Fu%2Fad27hc6t7h&sa=D&us…> Going (tf-a(a)lists.trustedfirmware.org)? All events in this series: Yes<https://www.google.com/calendar/event?action=RESPOND&eid=NWlub3Ewdm1tMmk1cT…> - Maybe<https://www.google.com/calendar/event?action=RESPOND&eid=NWlub3Ewdm1tMmk1cT…> - No<https://www.google.com/calendar/event?action=RESPOND&eid=NWlub3Ewdm1tMmk1cT…> more options »<https://www.google.com/calendar/event?action=VIEW&eid=NWlub3Ewdm1tMmk1cTJrM…> Invitation from Google Calendar<https://www.google.com/calendar/> You are receiving this courtesy email at the account tf-a(a)lists.trustedfirmware.org because you are an attendee of this event. To stop receiving future updates for this event, decline this event. Alternatively, you can sign up for a Google Account at https://www.google.com/calendar/ and control your notification settings for your entire calendar. Forwarding this invitation could allow any recipient to send a response to the organiser and be added to the guest list, invite others regardless of their own invitation status or to modify your RSVP. Learn more<https://support.google.com/calendar/answer/37135#forwarding>.

4 years, 1 month

1
0
0 0

Re: [TF-A] Run BL33 (u-boot) in EL3

by François Ozog

Le mar. 27 avr. 2021 à 11:04, Loh, Tien Hock via TF-A < tf-a(a)lists.trustedfirmware.org> a écrit : > Achin, > > Yes that’s what I have suspected in the first place, but no harm asking :) > > > > Tien Fong, > > As per discussed, we could probably expose the a compile time option in > BL31 that expose a command that read/write to the secure domain. > > That case, u-boot shell will be able to access secure domain and not need > to run in EL3. > Would you allow an OS to access underlying hypervisor ? In essence this is what you are asking: there are architectural services such as kicking off a new cpu that are supposed to be routed to the right service handler (PSCI) or secure firmware updates with anti-bricking support.... Could you be more specific on what you want to do and why ? That may help us advise on achieving your goals while still being architecturally correct. > > > Thanks > > > > *From:* Chee, Tien Fong <tien.fong.chee(a)intel.com> > *Sent:* Tuesday, April 27, 2021 5:01 PM > *To:* Achin Gupta <Achin.Gupta(a)arm.com>; tf-a(a)lists.trustedfirmware.org; > Loh, Tien Hock <tien.hock.loh(a)intel.com> > *Cc:* See, Chin Liang <chin.liang.see(a)intel.com>; Hea, Kok Kiang < > kok.kiang.hea(a)intel.com> > *Subject:* RE: Run BL33 (u-boot) in EL3 > > > > Hi Achin, > > > > Thanks for the feedback. > > > > This is use case when user doing development, testing and bring up the > board, they can use this option to run their script on U-Boot shell to > access these secure region. Once they have finished the development, and > testing, then user can switch U-Boot into EL2. This flexibility would > definitely giving some degree of convenience for development and testing. > > > > Thanks. > > > > *From:* Achin Gupta <Achin.Gupta(a)arm.com> > *Sent:* Tuesday, 27 April, 2021 4:38 PM > *To:* tf-a(a)lists.trustedfirmware.org; Loh, Tien Hock < > tien.hock.loh(a)intel.com> > *Cc:* Chee, Tien Fong <tien.fong.chee(a)intel.com>; See, Chin Liang < > chin.liang.see(a)intel.com>; Hea, Kok Kiang <kok.kiang.hea(a)intel.com> > *Subject:* Re: Run BL33 (u-boot) in EL3 > > > > Hi Tien Hock, > > > > The maintainers will have more thoughts on this but my $0.02 fwiw. > > > > I cannot see why the Trusted Firmware project should carry any option that > enables use of EL3 by users who do not care about security. EL3 is not > meant to run u-boot with a shell that can be used to fiddle with secure > memory. This flies against the basic security principles that the project > is built upon. > > > > cheers, > Achin > > > ------------------------------ > > *From:* TF-A <tf-a-bounces(a)lists.trustedfirmware.org> on behalf of Loh, > Tien Hock via TF-A <tf-a(a)lists.trustedfirmware.org> > *Sent:* 27 April 2021 09:02 > *To:* tf-a(a)lists.trustedfirmware.org <tf-a(a)lists.trustedfirmware.org> > *Cc:* Chee, Tien Fong <tien.fong.chee(a)intel.com>; See, Chin Liang < > chin.liang.see(a)intel.com>; Hea, Kok Kiang <kok.kiang.hea(a)intel.com> > *Subject:* [TF-A] Run BL33 (u-boot) in EL3 > > > > Hi, > > > > I’m maintaining TF-A for Intel SoCFPGA platform. > > Would it be possible if we should have the option to run BL33 (u-boot in > our case) in EL3? > > > > The Intel SoCFPGA platform u-boot used to handle all SMC calls: > > SPL u-boot (EL3) -> u-boot (EL3) > > And we have since move to use TF-A’s BL31, thus boot became > SPL u-boot (EL3) -> TF-A BL31 (EL3) -> u-boot (EL2) > > > > Main reason is that some users would like to keep u-boot at EL3 as they do > not care about security, and some users wanted to run some debugging > read/write to secure region in u-boot shell. > > > > Thanks > > Tien Hock > > > -- > TF-A mailing list > TF-A(a)lists.trustedfirmware.org > https://lists.trustedfirmware.org/mailman/listinfo/tf-a > -- François-Frédéric Ozog | *Director Linaro Edge & Fog Computing Group* T: +33.67221.6485 francois.ozog(a)linaro.org | Skype: ffozog

4 years, 1 month

2
3
0 0

Re: [TF-A] Run BL33 (u-boot) in EL3

by Manish Pandey2

Hi Tien Hock, Did you explored EL3_PAYLOAD_BASE build option. This option enables booting an EL3 payload, if it suits you then u-boot as EL3 payload. thanks Manish ________________________________ From: TF-A <tf-a-bounces(a)lists.trustedfirmware.org> on behalf of François Ozog via TF-A <tf-a(a)lists.trustedfirmware.org> Sent: 27 April 2021 20:16 To: Loh, Tien Hock <tien.hock.loh(a)intel.com> Cc: tf-a(a)lists.trustedfirmware.org <tf-a(a)lists.trustedfirmware.org>; See, Chin Liang <chin.liang.see(a)intel.com>; Chee, Tien Fong <tien.fong.chee(a)intel.com>; Hea, Kok Kiang <kok.kiang.hea(a)intel.com> Subject: Re: [TF-A] Run BL33 (u-boot) in EL3 Le mar. 27 avr. 2021 à 11:04, Loh, Tien Hock via TF-A <tf-a(a)lists.trustedfirmware.org<mailto:tf-a@lists.trustedfirmware.org>> a écrit : Achin, Yes that’s what I have suspected in the first place, but no harm asking :) Tien Fong, As per discussed, we could probably expose the a compile time option in BL31 that expose a command that read/write to the secure domain. That case, u-boot shell will be able to access secure domain and not need to run in EL3. Would you allow an OS to access underlying hypervisor ? In essence this is what you are asking: there are architectural services such as kicking off a new cpu that are supposed to be routed to the right service handler (PSCI) or secure firmware updates with anti-bricking support.... Could you be more specific on what you want to do and why ? That may help us advise on achieving your goals while still being architecturally correct. Thanks From: Chee, Tien Fong <tien.fong.chee(a)intel.com<mailto:tien.fong.chee@intel.com>> Sent: Tuesday, April 27, 2021 5:01 PM To: Achin Gupta <Achin.Gupta(a)arm.com<mailto:Achin.Gupta@arm.com>>; tf-a(a)lists.trustedfirmware.org<mailto:tf-a@lists.trustedfirmware.org>; Loh, Tien Hock <tien.hock.loh(a)intel.com<mailto:tien.hock.loh@intel.com>> Cc: See, Chin Liang <chin.liang.see(a)intel.com<mailto:chin.liang.see@intel.com>>; Hea, Kok Kiang <kok.kiang.hea(a)intel.com<mailto:kok.kiang.hea@intel.com>> Subject: RE: Run BL33 (u-boot) in EL3 Hi Achin, Thanks for the feedback. This is use case when user doing development, testing and bring up the board, they can use this option to run their script on U-Boot shell to access these secure region. Once they have finished the development, and testing, then user can switch U-Boot into EL2. This flexibility would definitely giving some degree of convenience for development and testing. Thanks. From: Achin Gupta <Achin.Gupta(a)arm.com<mailto:Achin.Gupta@arm.com>> Sent: Tuesday, 27 April, 2021 4:38 PM To: tf-a(a)lists.trustedfirmware.org<mailto:tf-a@lists.trustedfirmware.org>; Loh, Tien Hock <tien.hock.loh(a)intel.com<mailto:tien.hock.loh@intel.com>> Cc: Chee, Tien Fong <tien.fong.chee(a)intel.com<mailto:tien.fong.chee@intel.com>>; See, Chin Liang <chin.liang.see(a)intel.com<mailto:chin.liang.see@intel.com>>; Hea, Kok Kiang <kok.kiang.hea(a)intel.com<mailto:kok.kiang.hea@intel.com>> Subject: Re: Run BL33 (u-boot) in EL3 Hi Tien Hock, The maintainers will have more thoughts on this but my $0.02 fwiw. I cannot see why the Trusted Firmware project should carry any option that enables use of EL3 by users who do not care about security. EL3 is not meant to run u-boot with a shell that can be used to fiddle with secure memory. This flies against the basic security principles that the project is built upon. cheers, Achin ________________________________ From: TF-A <tf-a-bounces(a)lists.trustedfirmware.org<mailto:tf-a-bounces@lists.trustedfirmware.org>> on behalf of Loh, Tien Hock via TF-A <tf-a(a)lists.trustedfirmware.org<mailto:tf-a@lists.trustedfirmware.org>> Sent: 27 April 2021 09:02 To: tf-a(a)lists.trustedfirmware.org<mailto:tf-a@lists.trustedfirmware.org> <tf-a(a)lists.trustedfirmware.org<mailto:tf-a@lists.trustedfirmware.org>> Cc: Chee, Tien Fong <tien.fong.chee(a)intel.com<mailto:tien.fong.chee@intel.com>>; See, Chin Liang <chin.liang.see(a)intel.com<mailto:chin.liang.see@intel.com>>; Hea, Kok Kiang <kok.kiang.hea(a)intel.com<mailto:kok.kiang.hea@intel.com>> Subject: [TF-A] Run BL33 (u-boot) in EL3 Hi, I’m maintaining TF-A for Intel SoCFPGA platform. Would it be possible if we should have the option to run BL33 (u-boot in our case) in EL3? The Intel SoCFPGA platform u-boot used to handle all SMC calls: SPL u-boot (EL3) -> u-boot (EL3) And we have since move to use TF-A’s BL31, thus boot became SPL u-boot (EL3) -> TF-A BL31 (EL3) -> u-boot (EL2) Main reason is that some users would like to keep u-boot at EL3 as they do not care about security, and some users wanted to run some debugging read/write to secure region in u-boot shell. Thanks Tien Hock -- TF-A mailing list TF-A(a)lists.trustedfirmware.org<mailto:TF-A@lists.trustedfirmware.org> https://lists.trustedfirmware.org/mailman/listinfo/tf-a -- [https://drive.google.com/a/linaro.org/uc?id=0BxTAygkus3RgQVhuNHMwUi1mYWc&ex…] François-Frédéric Ozog | Director Linaro Edge & Fog Computing Group T: +33.67221.6485 francois.ozog(a)linaro.org<mailto:francois.ozog@linaro.org> | Skype: ffozog

4 years, 1 month

2
1
0 0

Re: [TF-A] Run BL33 (u-boot) in EL3

by Achin Gupta

Hi Tien Hock, The maintainers will have more thoughts on this but my $0.02 fwiw. I cannot see why the Trusted Firmware project should carry any option that enables use of EL3 by users who do not care about security. EL3 is not meant to run u-boot with a shell that can be used to fiddle with secure memory. This flies against the basic security principles that the project is built upon. cheers, Achin ________________________________ From: TF-A <tf-a-bounces(a)lists.trustedfirmware.org> on behalf of Loh, Tien Hock via TF-A <tf-a(a)lists.trustedfirmware.org> Sent: 27 April 2021 09:02 To: tf-a(a)lists.trustedfirmware.org <tf-a(a)lists.trustedfirmware.org> Cc: Chee, Tien Fong <tien.fong.chee(a)intel.com>; See, Chin Liang <chin.liang.see(a)intel.com>; Hea, Kok Kiang <kok.kiang.hea(a)intel.com> Subject: [TF-A] Run BL33 (u-boot) in EL3 Hi, I’m maintaining TF-A for Intel SoCFPGA platform. Would it be possible if we should have the option to run BL33 (u-boot in our case) in EL3? The Intel SoCFPGA platform u-boot used to handle all SMC calls: SPL u-boot (EL3) -> u-boot (EL3) And we have since move to use TF-A’s BL31, thus boot became SPL u-boot (EL3) -> TF-A BL31 (EL3) -> u-boot (EL2) Main reason is that some users would like to keep u-boot at EL3 as they do not care about security, and some users wanted to run some debugging read/write to secure region in u-boot shell. Thanks Tien Hock

4 years, 1 month

3
2
0 0

Question on how enable TF-A SPM on iMX8M

by Jun Nie

Hi, I am trying to enable SPM on iMX8MP platform, which is cortex-A53. The BL2 is already enabled and the dts file is needed. But I am not sure how to write below dts information when I referencing fvp_spmc_manifest.dts. Could you help to give some suggestion or where should I find the anwsers? 1. Is fvp_spmc_manifest.dts enough to enable SPM? I see there are dts files, such as fvp_fw_config.dts. What's necessary dts nodes to enable SPM? 2. Does vcpu_count means CPU number? 3. I see load_address of attribute is optee-os load address. But I do not know how should I decide the load addresses of hypervisors. Is this address decided by virtual machine, or it is decided in runtime? I cannot find the 0x7100000 in trusted-services project. 4. I am confused on "Secure Partitions are bundled as independent package files" in below link. Does this bundle package means fip image, or into another file by jason file? Could you help point to the files and image generation command? https://github.com/ARM-software/arm-trusted-firmware/blob/master/docs/compo… Regards, Jun

4 years, 1 month

5
20
0 0

Run BL33 (u-boot) in EL3

by Loh, Tien Hock

Hi, I'm maintaining TF-A for Intel SoCFPGA platform. Would it be possible if we should have the option to run BL33 (u-boot in our case) in EL3? The Intel SoCFPGA platform u-boot used to handle all SMC calls: SPL u-boot (EL3) -> u-boot (EL3) And we have since move to use TF-A's BL31, thus boot became SPL u-boot (EL3) -> TF-A BL31 (EL3) -> u-boot (EL2) Main reason is that some users would like to keep u-boot at EL3 as they do not care about security, and some users wanted to run some debugging read/write to secure region in u-boot shell. Thanks Tien Hock

4 years, 1 month

1
0
0 0

suspend to ram on rk3399 theobroma puma

by Mika Penttilä

Hi all! We are developing a product around the rk3399 Theobroma Q7 module. For power savings, we need S3 sleep (suspend-to-ram). As far as I know, the heart of this is in ATF code. We have linux kernel 5.4, which starts the process nicely, drives down all the other cores and finally calls for the psci suspend. We have wakeup on irq, and it sure wakes up, but does a reset from the very beginning. So no context saving resume. I have tried the newest on the ATF git, with a newish mainline uboot. I suppose the role of uboot is not that important here. What should I look at to find the problem? Has someone got the Q7 module done S3 ok? Finally, how do I get some debug uart output from ATF code? Thanks for any hints! Mika Penttilä

4 years, 1 month

1
0
0 0

New Defects reported by Coverity Scan for ARM-software/arm-trusted-firmware

by scan-admin＠coverity.com

Hi, Please find the latest report on new defect(s) introduced to ARM-software/arm-trusted-firmware found with Coverity Scan. 1 new defect(s) introduced to ARM-software/arm-trusted-firmware found with Coverity Scan. New defect(s) Reported-by: Coverity Scan Showing 1 of 1 defect(s) ** CID 370380: Code maintainability issues (UNUSED_VALUE) /plat/xilinx/versal/pm_service/pm_svc_main.c: 96 in pm_setup() ________________________________________________________________________________________________________ *** CID 370380: Code maintainability issues (UNUSED_VALUE) /plat/xilinx/versal/pm_service/pm_svc_main.c: 96 in pm_setup() 90 int status, ret = 0; 91 92 status = pm_ipi_init(primary_proc); 93 94 if (status < 0) { 95 INFO("BL31: PM Service Init Failed, Error Code %d!\n", status); >>> CID 370380: Code maintainability issues (UNUSED_VALUE) >>> Assigning value from "status" to "ret" here, but that stored value is overwritten before it can be used. 96 ret = status; 97 } else { 98 pm_up = true; 99 } 100 101 /* ________________________________________________________________________________________________________ To view the defects in Coverity Scan visit, https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P…

4 years, 1 month

1
0
0 0

Re: [TF-A] [Hafnium] Getting Started page: problem with the command under "Getting the source code"

by Gyorgy Szing

Hi, Just my two cents: - I suggest using $() instead of the backtick operator to enhance readability. This means f=`git rev-parse --git-dir` becomes f=$(git rev-parse --git-dir) - use {} to group commands instead of () (no sub-shell is needed) - stop processing if curl fails (hence second {} block) - if the repo path has spaces, then some quotes are missing So finally the command would become: git clone --recurse-submodules https://git.trustedfirmware.org/hafnium/hafnium.git && { cd hafnium && f="$(git rev-parse --git-dir)"; curl -Lo "$f/hooks/commit-msg" https://review.trustedfirmware.org/tools/hooks/commit-msg && { chmod +x "$f/hooks/commit-msg"; git submodule --quiet foreach "cp \"\$toplevel/$f/hooks/commit-msg\" \"\$toplevel/$f/modules/\$path/hooks/commit-msg\"" ; } ; } /George -----Original Message----- From: Hafnium <hafnium-bounces(a)lists.trustedfirmware.org> On Behalf Of Olivier Deprez via Hafnium Sent: 21 April 2021 19:12 To: Rebecca Cran <rebecca(a)bsdio.com>; hafnium(a)lists.trustedfirmware.org Subject: Re: [Hafnium] Getting Started page: problem with the command under "Getting the source code" Hi, Ah sorry for that; looks like there's some variable escape problem. I tried this with success, let me know if it works for you. I will update the doc page then. git clone --recurse-submodules https://git.trustedfirmware.org/hafnium/hafnium.git && (cd hafnium && f=`git rev-parse --git-dir`; curl -Lo $f/hooks/commit-msg https://review.trustedfirmware.org/tools/hooks/commit-msg; chmod +x $f/hooks/commit-msg; git submodule --quiet foreach "cp \$toplevel/$f/hooks/commit-msg \$toplevel/$f/modules/\$path/hooks/commit-msg") If you don't require the git hooks a simpler way to clone the project can be: git clone "https://review.trustedfirmware.org/hafnium/hafnium"; cd hafnium git submodule update --init Regards, Olivier. ________________________________________ From: Rebecca Cran <rebecca(a)bsdio.com> Sent: 21 April 2021 16:33 To: Olivier Deprez; hafnium(a)lists.trustedfirmware.org Subject: Re: [Hafnium] Getting Started page: problem with the command under "Getting the source code" It now exits with the message: cp: cannot stat '/home/rebecca/src/uefi/tmp/hafnium//hooks/commit-msg': No such file or directory fatal: run_command returned non-zero status for driver/linux . -- Rebecca Cran On 4/21/21 2:23 AM, Olivier Deprez wrote: > Hi Rebecca, > > Thanks for reporting. > > Can you try with the updated command: > https://review.trustedfirmware.org/plugins/gitiles/hafnium/hafnium/+/r > efs/changes/31/9731/1/docs/GettingStarted.md > > Thanks, Olivier. > > > ________________________________________ > From: Hafnium <hafnium-bounces(a)lists.trustedfirmware.org> on behalf of > Rebecca Cran via Hafnium <hafnium(a)lists.trustedfirmware.org> > Sent: 21 April 2021 04:39 > To: hafnium(a)lists.trustedfirmware.org > Subject: [Hafnium] Getting Started page: problem with the command under "Getting the source code" > > On the Getting Started document > (https://review.trustedfirmware.org/plugins/gitiles/hafnium/hafnium/+/ > HEAD/docs/GettingStarted.md) there's a command listed to get the > source code: > > git clone --recurse-submodules > https://git.trustedfirmware.org/hafnium/hafnium.git && (cd hafnium && > f=`git rev-parse --git-dir`/hooks/commit-msg ; curl -Lo $f > https://review.trustedfirmware.org/tools/hooks/commit-msg ; chmod +x > $f ; for m in `git rev-parse --git-dir`/modules/*; do cp $f > $m/hooks/commit-msg; done) > > > However, on my system it's erroring out because the 'hooks' directory > it tries to write to doesn't exist: > > % Total % Received % Xferd Average Speed Time Time Time > Current > Dload Upload Total Spent Left Speed > 100 2174 100 2174 0 0 4221 0 --:--:-- --:--:-- > --:--:-- 4221 > cp: cannot create regular file '.git/modules/driver/hooks/commit-msg': > No such file or directory > cp: cannot create regular file '.git/modules/project/hooks/commit-msg': > No such file or directory > cp: cannot create regular file > '.git/modules/third_party/hooks/commit-msg': No such file or directory > > > -- > Rebecca Cran > > -- > Hafnium mailing list > Hafnium(a)lists.trustedfirmware.org > https://lists.trustedfirmware.org/mailman/listinfo/hafnium > -- Hafnium mailing list Hafnium(a)lists.trustedfirmware.org https://lists.trustedfirmware.org/mailman/listinfo/hafnium

4 years, 1 month

2
1
0 0

Canceled event with note: TF-A Tech Forum @ Thu Apr 22, 2021 8am - 9am (MST) (tf-a@lists.trustedfirmware.org)

by Don Harbin

This event has been canceled with this note: "Cancelled per Joanna" Title: TF-A Tech Forum We run an open technical forum call for anyone to participate and it is not restricted to Trusted Firmware project members. It will operate under the guidance of the TF TSC. Feel free to forward this invite to colleagues. Invites are via the TF-A mailing list and also published on the Trusted Firmware website. Details are here: https://www.trustedfirmware.org/meetings/tf-a-technical-forum/Tr… Firmware is inviting you to a scheduled Zoom meeting.Join Zoom Meetinghttps://zoom.us/j/9159704974Meeting ID: 915 970 4974One tap mobile+16465588656,,9159704974# US (New York)+16699009128,,9159704974# US (San Jose)Dial by your location        +1 646 558 8656 US (New York)        +1 669 900 9128 US (San Jose)        877 853 5247 US Toll-free        888 788 0099 US Toll-freeMeeting ID: 915 970 4974Find your local number: https://zoom.us/u/ad27hc6t7h   When: Thu Apr 22, 2021 8am – 9am Mountain Standard Time - Phoenix Calendar: tf-a(a)lists.trustedfirmware.org Who: * Bill Fletcher - creator * marek.bykowski(a)gmail.com * okash.khawaja(a)gmail.com * tf-a(a)lists.trustedfirmware.org Invitation from Google Calendar: https://calendar.google.com/calendar/ You are receiving this courtesy email at the account tf-a(a)lists.trustedfirmware.org because you are an attendee of this event. To stop receiving future updates for this event, decline this event. Alternatively you can sign up for a Google account at https://calendar.google.com/calendar/ and control your notification settings for your entire calendar. Forwarding this invitation could allow any recipient to send a response to the organizer and be added to the guest list, or invite others regardless of their own invitation status, or to modify your RSVP. Learn more at https://support.google.com/calendar/answer/37135#forwarding

4 years, 1 month

1
0
0 0

TF-A Tech Forum Agenda @ Thr 22nd April 2021 16:00-1700 BST CANCELLED

by Joanna Farley

Hi Everyone, I am cancelling this weeks TF-A Tech Forum as I don’t have any areas to present/discuss. I would encourage any contributors that wants to present or lead a discussion subject to please let me know as we are always looking for topics of interest to the project community to run sessions on. Cancellations of the calendar invite will come from trustedformware.org. Thanks Joanna

4 years, 1 month

1
0
0 0

Re: [TF-A] zynqmp: How to inform the bl33 about RAM reservation?

by François Ozog

Hi There is a discussion started by Harb from Ampere about standardizing information from secure firmware to BL33: look at HOB in the object. A side aspect of the HOB is: DT shall be used wisely for things that are really static. Dynamic (such as plugged DIMMs) or configurable aspects (secure memory size) should be controllable by a single authoritative entity. On a number of platforms, the definition of secure memory size is "copied" in at least for different independent projects which make it a nightmare for product makers to choose a size for the trusted application they want to onboard. Cheers FF On Tue, 20 Apr 2021 at 07:49, Jan Kiszka via TF-A < tf-a(a)lists.trustedfirmware.org> wrote: > On 20.04.21 02:51, Samuel Holland wrote: > > On 4/19/21 11:11 AM, Jan Kiszka via TF-A wrote: > >> On 19.04.21 17:21, Michal Simek wrote: > >>> On 4/18/21 8:44 PM, Jan Kiszka wrote: > >>>> when SPD or DEBUG is enabled, TF-A is moved to RAM on the zynqmp (as > it > >>>> longer fits into OCM). U-Boot happens to avoid that region, but the > >>>> kernel's DTB has no reservation entry, and Linux will trigger an > >>>> exception when accessing that region during early boot. > >>>> > >>>> Can we improve this - without requiring the user to manually add a > >>>> reservation to the DTB? Should we unconditionally reserve > >>>> 0x1000..0x7ffff in all BL33 DTBs? Or is there a chance to communicate > >>>> that need? Or some way to detect in BL33 whether it is needed? > >>> > >>> Normally this ddr region should be also protected by security IPs that > >>> NS has no access there. > >>> It means in Xilinx flow this can be (and should be) propagated via > >>> device-tree generator to final DTS file that you don't need to touch it > >>> by hand. > >>> I am not aware about any way that NS can query secure world what memory > >>> can be used. And not sure if there is any standard way to do so. > >>> > >> > >> OK, understood. But then, to be safe, shouldn't the upstream "static" > >> default DT contain an exclusion of that region so that it won't get > >> stuck if it is in use? Would block half a meg, but when you have a > >> custom platform that does not need that, you can and will provide your > >> own DT anyway. > > > > Ideally, the static DTS is a description of the hardware only, and not > > of runtime constraints imposed by the firmware. If BL31 needs to reserve > > some memory, it can add that reservation to the DTB at runtime. The > > fdt_add_reserved_memory() function is available for this purpose. For an > > example, see the code used by the rpi4[0] or sun50i_h616[1] platforms. > > > > If you later load a DTB from disk for use by Linux, you will need to > > copy the reserved-memory nodes from the U-Boot DTB to the loaded DTB. > > > > I know the RPi4 model (just had to debug it [3]). But I wonder if that > is possible on the zynqmp as well. Are we passing a DT to BL33 here > already and, thus, could inject that reservation? > > Jan > > > Regards, > > Samuel > > > > [0]: > > > https://git.trustedfirmware.org/TF-A/trusted-firmware-a.git/tree/plat/rpi/r… > > [1]: > > > https://git.trustedfirmware.org/TF-A/trusted-firmware-a.git/tree/plat/allwi… > > > > [3] https://review.trustedfirmware.org/c/TF-A/trusted-firmware-a/+/9316 > -- > TF-A mailing list > TF-A(a)lists.trustedfirmware.org > https://lists.trustedfirmware.org/mailman/listinfo/tf-a > -- François-Frédéric Ozog | *Director Linaro Edge & Fog Computing Group* T: +33.67221.6485 francois.ozog(a)linaro.org | Skype: ffozog

4 years, 1 month

1
0
0 0

Re: [TF-A] [RFC] TF-A threat model

by Varun Wadekar

Hi, This looks promising. Can you also create a list of guidelines resulting from the analysis? We can then roll them up as coding guidelines or design guidelines or to-do for platforms. -Varun From: TF-A <tf-a-bounces(a)lists.trustedfirmware.org> On Behalf Of Zelalem Aweke via TF-A Sent: Friday, April 16, 2021 8:15 AM To: tf-a(a)lists.trustedfirmware.org Subject: [TF-A] [RFC] TF-A threat model External email: Use caution opening links or attachments Hi All, We are releasing the first TF-A threat model document. This release provides the baseline for future updates to be applied as required by developments to the TF-A code base. Please review the document provide comments here: https://review.trustedfirmware.org/c/TF-A/trusted-firmware-a/+/9627<https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Freview.tr…>. Thanks, Zelalem

4 years, 1 month

2
2
0 0

Re: [TF-A] platform g12a: CSSERT: File lib/cpus/aarch64/cpu_helpers.S Line 00035

by Manish Pandey2

Hi, >From git log g12a platform was first introduced in 2019 and never has any further changes, also there is no documentation for this platform, so from platform perspective not sure if you are doing everything right or not ? However, i have some generic comments 1. There is no such macro DISABLE_PEDANTIC 2. Which CPU you have in Odroid-C4 boards(is it Cortext-A55?), You probably need to add cpu lib file in platform.mk file In file plat/amlogic/g12a/platform.mk BL31_SOURCES += lib/cpus/aarch64/cortex_a53.S \ lib/cpus/aarch64/cortex_a55.S thanks Manish ________________________________ From: TF-A <tf-a-bounces(a)lists.trustedfirmware.org> on behalf of Matwey V. Kornilov via TF-A <tf-a(a)lists.trustedfirmware.org> Sent: 19 April 2021 16:47 To: tf-a(a)lists.trustedfirmware.org <tf-a(a)lists.trustedfirmware.org> Subject: [TF-A] platform g12a: CSSERT: File lib/cpus/aarch64/cpu_helpers.S Line 00035 Hello, Sorry, if this is the wrong place to ask. I am trying to run ATF v2.4 for platform g12a on the Odroid-C4 board. I've built ATF as the following make DISABLE_PEDANTIC=1 DEBUG=1 PLAT=g12a Unfortunately, the only thing I see in the console when BL31 is supposed to run is CSSERT: File lib/cpus/aarch64/cpu_helpers.S Line 00035 Is there any chance to figure out what is wrong? -- With best regards, Matwey V. Kornilov -- TF-A mailing list TF-A(a)lists.trustedfirmware.org https://lists.trustedfirmware.org/mailman/listinfo/tf-a

4 years, 1 month

1
0
0 0

zynqmp: How to inform the bl33 about RAM reservation?

by Jan Kiszka

Hi all, when SPD or DEBUG is enabled, TF-A is moved to RAM on the zynqmp (as it longer fits into OCM). U-Boot happens to avoid that region, but the kernel's DTB has no reservation entry, and Linux will trigger an exception when accessing that region during early boot. Can we improve this - without requiring the user to manually add a reservation to the DTB? Should we unconditionally reserve 0x1000..0x7ffff in all BL33 DTBs? Or is there a chance to communicate that need? Or some way to detect in BL33 whether it is needed? Jan

4 years, 1 month

2
2
0 0

platform g12a: CSSERT: File lib/cpus/aarch64/cpu_helpers.S Line 00035

by Matwey V. Kornilov

Hello, Sorry, if this is the wrong place to ask. I am trying to run ATF v2.4 for platform g12a on the Odroid-C4 board. I've built ATF as the following make DISABLE_PEDANTIC=1 DEBUG=1 PLAT=g12a Unfortunately, the only thing I see in the console when BL31 is supposed to run is CSSERT: File lib/cpus/aarch64/cpu_helpers.S Line 00035 Is there any chance to figure out what is wrong? -- With best regards, Matwey V. Kornilov

4 years, 1 month

1
0
0 0

Re: [TF-A] Adoption of Conventional Commits

by Chris Kay

Thanks to all those who attended the Tech Forum today! It’s become apparent that the initial 2 week deadline for alternative proposals or implementations is too short, so – as agreed – we’ll push the deadline for the investigation period to the end of March. This period is dedicated to evaluating the changelog automation proposal made, or to identifying alternative solutions. If you have an alternative proposal, any proof-of-concept tooling would be highly appreciated so we can get a clear idea of what sort of work and maintenance is going to be involved. If you do find a solution you wish to propose, please give it just a short name (e.g. “Update it manually”) and make it obvious you want to propose it formally – I’ll collect up the proposals made on the mailing list thread at the end of March and set up a Wiki poll so we can get a clear picture of where the community wants to take this. Chris From: TF-A <tf-a-bounces(a)lists.trustedfirmware.org> on behalf of Chris Kay via TF-A <tf-a(a)lists.trustedfirmware.org> Reply to: Chris Kay <Chris.Kay(a)arm.com> Date: Thursday, 11 February 2021 at 13:59 To: "tf-a(a)lists.trustedfirmware.org" <tf-a(a)lists.trustedfirmware.org> Subject: [TF-A] Adoption of Conventional Commits Hi all, Recently we had an internal discussion on the merits of introducing semantics to commit messages pushed to the main TF-A repository, the conclusion being that we would look to adopting the Conventional Commits<https://www.conventionalcommits.org/en/v1.0.0/> specification in the near future. There was one major reason for this, which was to help us in automating the changelog in future releases, but it might also help us to dramatically reduce the overall amount of work needed to make a formal release in the future. This requires some buy-in (or buy-out, in this case) from maintainers because - even though it’s to only a relatively minor extent - it does involve an adjustment to everybody’s workflow. Notably, commit messages will be expected to adopt the structure defined by the specification, which will be enforced by the CI. Most commits that go upstream today adhere to “something that looks like Conventional Commits”, so the change is not exactly sweeping, but any change has the potential be an inconvenience. With that in mind, I propose the following: * We collectively adopt the specification, enforced only for @arm.com contributors until such a time that the majority of maintainers are familiar with the new demands * We suggest - in the prerequisites documentation - the installation of two helper tools: * Commitizen<https://github.com/commitizen/cz-cli> * Commitlint<https://github.com/conventional-changelog/commitlint> Installation of these tools will be optional, but I believe they can help with the transition. In the patches currently in review, they are installed as Git hooks automatically upon execution of npm install, so it requires no manual installation or configuration (other than a relatively up-to-date Node.js installation). You’ll find the patches here<https://review.trustedfirmware.org/q/topic:%22ck%252Fconventional-commits%2…>, and specifically the changes to the prerequisites documentation here<https://review.trustedfirmware.org/c/TF-A/trusted-firmware-a/+/8224/1/docs/…>. Feel free to review these changes if you have comments specifically on their implementation. Let me know if you have any questions or concerns. If everybody’s on board, we can look to have this upstreamed shortly. Chris

4 years, 1 month

1
2
0 0

[RFC] TF-A threat model

by Zelalem Aweke

Hi All, We are releasing the first TF-A threat model document. This release provides the baseline for future updates to be applied as required by developments to the TF-A code base. Please review the document provide comments here: https://review.trustedfirmware.org/c/TF-A/trusted-firmware-a/+/9627. Thanks, Zelalem

4 years, 1 month

1
0
0 0

Re: [TF-A] [OCP-OSF] Firmware: Sustainability vs planned obsolescence

by François Ozog

Hi Open System Firmware and Trusted Firmware communities have common interests in driving *some* firmware discussions because upstream projects like EDK2, U-Boot and Linux boot greatly benefit from common approaches regardless of processor architecture and early firmware components. The discussion on passing metadata between early firmware components and from early firmware to EDK2/U-Boot/LinuxBoot is typically such a topic. EDK2 is the only project that has defined metadata in the form of Platform Initialization HOBs (chapter 5 of PI spec). U-Boot and LinuxBoot have platform specific techniques to consume that metadata. Let's make sure that at least there is common solution for those two and hope that the result is enticing enough that EDK2 decide to leverage the result one way or the other. Here is a patched repost of the state of discussion after last Trusted Substrate call: Topics where there seem to be consensus - Scope include diverse firmware flows (U-Boot/SPL, TFA, CoreBoot…) on different architectures (Arm, RiscV) - Definitions: The Hand Over Function is the firmware component that hands off to the booted payload = {OS/Hypervisor/Grub/Shim}. - Hand Over Function can be EDK2, U-Boot or LinuxBoot. - The HOF, through ACPI or DT is responsible to describe what shall be controlled and partly how (some parameters) - *There is information that can only be discovered at runtime by diverse early firmware components and needs to be conveyed through the HOF to the booted payload.* - The proposal is to convey that dynamic information in the form of HandOverBlocks (HOBs - generic idea, not the EDK2 construct) whose format is yet to be defined and built as a linked list of objects. The other proposal to use call backs (mmc calls or equivalent) from HOF to firmware is rejected. In Arm architecture, that choice does not preclude some firmware components to use SCMI calls into SCP to obtain authoritative information. - The firmware components shall not care about what is the actual HOF: the format is standard regardless if HOF is EDK2, U-Boot or LinuxBoot. In TF-A words, the HOBs become part of the input ABI for BL33. In the best world, it should be possible for the platform "buyer" to choose the HOF. Characteristics to consider about HOBs: - HOBs can be built by very early components and must fit into highly constrained SRAM - A HOB may be passed between different firmware components, secure and non-secure. - A HOB can be built by secure and non-secure firmware components - An information can have a single format: no alternative representation is allowed. In other words if the information is passed as a data structure it cannot be represented by a DT fragment by another implementation and conversely. Topics that need more discussion - HOBs need a way to be identified: UUID, ID, hybrid (like Platform Initialization). *My views: the hybrid allows constraints firmware components to be using simple IDs and richer components may want leverage UUIDs (same as Platform Initialization).* - HOB format: binary information; just static structure, flatten device tree fragments/overlays or even CBOR. *My views: again hybrid approach seem very efficient. Static structures for memory information, DT fragment for device assignment (for non-secure partitions or for secure world / secure partitions). Typically I would imagine a UUID HOB with a DT fragment seems just good. This is actually implemented like that with Platform Initialization:* *HOBs are identified by a simple ID, out of IDs are EFI_HOB_RESOURCE_DESCRIPTOR for DRAM description and EFI_HOB_GUID_TYPE that contains something identified by a GUID. There is a GUID used in the context of EDK2 to actually contain a DT fragment today.* *As an open specification that allows extension, there shall be a mandate to publish an open specification of any extension.* On Fri, 16 Apr 2021 at 07:51, François Ozog via TF-A < tf-a(a)lists.trustedfirmware.org> wrote: > +tf.org as the discussion evolved to a topic discussed there. > > Le ven. 16 avr. 2021 à 01:25, Zimmer, Vincent <vincent.zimmer(a)intel.com> > a écrit : > >> >> >> For the wayback machine, the design of HOB’s dates back to early 2000’s. >> >> >> >> >> >> The HOB defin was part of the Intel Framework specs & it was made public >> in 2003 through a click-through, as folks noted. HOBs became part of the >> UEFI Forum Platform Initialization (PI) spec in 2006. Essentially PI 1.0 >> absorbed most of the Framework 0.9x specs (sans datahub, CSM). >> >> from https://link.springer.com/book/10.1007/978-1-4842-0070-4 >> >> >> >> IMHO the biggest bug on the present Type Length Value (TLV)-based HOB >> design entails the “L” of the TLV, namely the 16-bit length limitation on >> the size of a specific HOB. Servers often bump into this limitation today >> given the amount of state discovered in these early initialization flows. >> The use of GUID’s w/o strings is also a usability challenge, I’d agree, >> that any new design can address. >> >> >> >> Going forward >> >> The more recent proposed use of HOB's for the generic payload interface >> https://github.com/universalpayload/documentation launching was more for >> convenience since it's a simple TLV encoded mechanism and there are parsing >> libraries already in the wild. But the use of HOB’s versus DT versus …. >> for the inargs of the payload is definitely open for discussion/change in >> the design. The earlier thread suggestions of CBOR/8949 >> https://www.rfc-editor.org/rfc/rfc8949.html from Francois/Nate is >> interesting. We can update the already open issue on this topic >> https://github.com/universalpayload/documentation/issues/9 with some of >> these thoughts and build upon the sentiments Ron shared earlier on the >> topic. >> >> >> >> And regarding the payload specification >> https://universalpayload.github.io/documentation/ mentioned above, I’m >> happy to present on this design effort in an upcoming OSF meeting, >> including how payloads may relate to the OSF workstream. The payload >> design is intended to be an open process with a code-first workflow that >> doesn’t tie itself to any specific bootloader design, as demonstrated by >> the different bootloaders and payloads ported at >> https://github.com/universalpayload. Although there isn’t a U-Boot >> example ported (I thought I heard mention of U-boot in this thread or >> meeting?), addressing the needs of U-boot and other *boot solutions (e.g., >> oreboot) is definitely part of the design scope intent, too. >> >> >> >> Thanks, >> >> >> >> Vincent >> >> >> >> >> >> -----Original Message----- >> From: OCP-OSF(a)OCP-All.groups.io <OCP-OSF(a)OCP-All.groups.io> On Behalf Of >> ron minnich >> Sent: Thursday, April 15, 2021 3:14 PM >> To: Desimone, Nathaniel L <nathaniel.l.desimone(a)intel.com> >> Cc: OCP-OSF(a)OCP-All.groups.io; Boot Architecture Mailman List < >> boot-architecture(a)lists.linaro.org>; Leif Lindholm <leif(a)nuviainc.com> >> Subject: Re: [OCP-OSF] Firmware: Sustainability vs planned obsolescence >> >> >> >> actually isn't device tree a 1980s design :-) >> >> >> >> anyway, as long as we can hit the things I care so much about, >> >> >> >> self describing >> >> alignment independent >> >> endian independent >> >> names not magic numbers (I mean, you want to put a UUID in there too, >> fine, but I doubt a human-readable string will kill us on space) >> >> >> >> it can be anything you all think best. >> >> >> >> On Thu, Apr 15, 2021 at 2:49 PM Desimone, Nathaniel L < >> nathaniel.l.desimone(a)intel.com> wrote: >> >> > >> >> > On Thu, Apr 15, 2021 at 1:29 -0700, ron minnich wrote: >> >> > >> >> > >I'd rather not take HOB as a given without considering alternatives. >> >> > >It's a very 1990s design. >> >> > >> >> > Device tree is also a very early 90s design for that matter. If we are >> talking about clean slate design, how about something actually new and >> modern like RFC 8949? >> >> > >> >> > From a practical standpoint I don't see HOBs going away very soon but >> I'm open to possibility thinking on a long term basis. >> >> > >> >> > >> >> > >> >> > >> >> >> >> >> >> >> >> >> _._,_._,_ >> ------------------------------ >> Groups.io Links: >> >> You receive all messages sent to this group. >> >> View/Reply Online (#149) >> <https://OCP-All.groups.io/g/OCP-OSF/message/149> | Reply To Group >> <OCP-OSF@OCP-All.groups.io?subject=Re:%20Re%3A%20%5BOCP-OSF%5D%20Firmware%3A%20Sustainability%20vs%20planned%20obsolescence> >> | Reply To Sender >> <vincent.zimmer@intel.com?subject=Private:%20Re:%20Re%3A%20%5BOCP-OSF%5D%20Firmware%3A%20Sustainability%20vs%20planned%20obsolescence> >> | Mute This Topic <https://groups.io/mt/81937262/675475> | New Topic >> <https://OCP-All.groups.io/g/OCP-OSF/post> >> Your Subscription <https://OCP-All.groups.io/g/OCP-OSF/editsub/675475> | Contact >> Group Owner <OCP-OSF+owner(a)OCP-All.groups.io> | Unsubscribe >> <https://OCP-All.groups.io/g/OCP-OSF/leave/10214763/675475/1625423992/xyzzy> >> [francois.ozog(a)linaro.org] >> _._,_._,_ >> >> -- > François-Frédéric Ozog | *Director Linaro Edge & Fog Computing Group* > T: +33.67221.6485 > francois.ozog(a)linaro.org | Skype: ffozog > > -- > TF-A mailing list > TF-A(a)lists.trustedfirmware.org > https://lists.trustedfirmware.org/mailman/listinfo/tf-a > -- François-Frédéric Ozog | *Director Linaro Edge & Fog Computing Group* T: +33.67221.6485 francois.ozog(a)linaro.org | Skype: ffozog

4 years, 1 month

1
0
0 0

Re: [TF-A] Problems building for qemu with SPM (S-EL2) support

by Olivier Deprez

Hi Rebecca, qemu is currently not supported for use with the SPM at S-EL2. The two available options are FVP (https://trustedfirmware-a.readthedocs.io/en/latest/components/secure-partit…) or Total Compute platform (https://gitlab.arm.com/arm-reference-solutions/arm-reference-solutions-docs…) Regards, Olivier. ________________________________________ From: TF-A <tf-a-bounces(a)lists.trustedfirmware.org> on behalf of Rebecca Cran via TF-A <tf-a(a)lists.trustedfirmware.org> Sent: 16 April 2021 00:02 To: tf-a(a)lists.trustedfirmware.org Subject: [TF-A] Problems building for qemu with SPM (S-EL2) support I'm having problems building TF-A with SPM/S-EL2 support. I can build with PLAT=fvp fine, but building with PLAT=qemu results in the error: LD /home/rebecca/src/arm-trusted-firmware/build/qemu/release/bl31/bl31.elf /home/rebecca/gcc-arm-10.2-2020.11-x86_64-aarch64-none-linux-gnu/bin/aarch64-none-linux-gnu-ld: /home/rebecca/src/arm-trusted-firmware/build/qemu/release/bl31/spmd_main.o: in function `spmd_setup': spmd_main.c:(.text.spmd_setup+0x74): undefined reference to `plat_spm_core_manifest_load' spmd_main.c:(.text.spmd_setup+0x74): relocation truncated to fit: R_AARCH64_CALL26 against undefined symbol `plat_spm_core_manifest_load' make: *** [Makefile:1136: /home/rebecca/src/arm-trusted-firmware/build/qemu/release/bl31/bl31.elf] Error 1 The command line I'm using is: make PLAT=qemu DEBUG=0 \ CROSS_COMPILE=~/gcc-arm-10.2-2020.11-x86_64-aarch64-none-linux-gnu/bin/aarch64-none-linux-gnu- \ SPD=spmd CTX_INCLUDE_EL2_REGS=1 BL32=bl32.bin BL33=bl33.bin \ SP_LAYOUT_FILE=sp_layout.json ARM_ARCH_MINOR=4 all fip Adding the following files to BL31_SOURCES in plat/qemu/platform.mk resolves the problem, but I suspect that's not the correct solution? plat/common/plat_spmd_manifest.c common/fdt_wrappers.c -- Rebecca Cran -- TF-A mailing list TF-A(a)lists.trustedfirmware.org https://lists.trustedfirmware.org/mailman/listinfo/tf-a

4 years, 1 month

1
0
0 0

Re: [TF-A] [OCP-OSF] Firmware: Sustainability vs planned obsolescence

by François Ozog

+tf.org as the discussion evolved to a topic discussed there. Le ven. 16 avr. 2021 à 01:25, Zimmer, Vincent <vincent.zimmer(a)intel.com> a écrit : > > > For the wayback machine, the design of HOB’s dates back to early 2000’s. > > > > > > The HOB defin was part of the Intel Framework specs & it was made public > in 2003 through a click-through, as folks noted. HOBs became part of the > UEFI Forum Platform Initialization (PI) spec in 2006. Essentially PI 1.0 > absorbed most of the Framework 0.9x specs (sans datahub, CSM). > > from https://link.springer.com/book/10.1007/978-1-4842-0070-4 > > > > IMHO the biggest bug on the present Type Length Value (TLV)-based HOB > design entails the “L” of the TLV, namely the 16-bit length limitation on > the size of a specific HOB. Servers often bump into this limitation today > given the amount of state discovered in these early initialization flows. > The use of GUID’s w/o strings is also a usability challenge, I’d agree, > that any new design can address. > > > > Going forward > > The more recent proposed use of HOB's for the generic payload interface > https://github.com/universalpayload/documentation launching was more for > convenience since it's a simple TLV encoded mechanism and there are parsing > libraries already in the wild. But the use of HOB’s versus DT versus …. > for the inargs of the payload is definitely open for discussion/change in > the design. The earlier thread suggestions of CBOR/8949 > https://www.rfc-editor.org/rfc/rfc8949.html from Francois/Nate is > interesting. We can update the already open issue on this topic > https://github.com/universalpayload/documentation/issues/9 with some of > these thoughts and build upon the sentiments Ron shared earlier on the > topic. > > > > And regarding the payload specification > https://universalpayload.github.io/documentation/ mentioned above, I’m > happy to present on this design effort in an upcoming OSF meeting, > including how payloads may relate to the OSF workstream. The payload > design is intended to be an open process with a code-first workflow that > doesn’t tie itself to any specific bootloader design, as demonstrated by > the different bootloaders and payloads ported at > https://github.com/universalpayload. Although there isn’t a U-Boot > example ported (I thought I heard mention of U-boot in this thread or > meeting?), addressing the needs of U-boot and other *boot solutions (e.g., > oreboot) is definitely part of the design scope intent, too. > > > > Thanks, > > > > Vincent > > > > > > -----Original Message----- > From: OCP-OSF(a)OCP-All.groups.io <OCP-OSF(a)OCP-All.groups.io> On Behalf Of > ron minnich > Sent: Thursday, April 15, 2021 3:14 PM > To: Desimone, Nathaniel L <nathaniel.l.desimone(a)intel.com> > Cc: OCP-OSF(a)OCP-All.groups.io; Boot Architecture Mailman List < > boot-architecture(a)lists.linaro.org>; Leif Lindholm <leif(a)nuviainc.com> > Subject: Re: [OCP-OSF] Firmware: Sustainability vs planned obsolescence > > > > actually isn't device tree a 1980s design :-) > > > > anyway, as long as we can hit the things I care so much about, > > > > self describing > > alignment independent > > endian independent > > names not magic numbers (I mean, you want to put a UUID in there too, > fine, but I doubt a human-readable string will kill us on space) > > > > it can be anything you all think best. > > > > On Thu, Apr 15, 2021 at 2:49 PM Desimone, Nathaniel L < > nathaniel.l.desimone(a)intel.com> wrote: > > > > > > On Thu, Apr 15, 2021 at 1:29 -0700, ron minnich wrote: > > > > > > >I'd rather not take HOB as a given without considering alternatives. > > > >It's a very 1990s design. > > > > > > Device tree is also a very early 90s design for that matter. If we are > talking about clean slate design, how about something actually new and > modern like RFC 8949? > > > > > > From a practical standpoint I don't see HOBs going away very soon but > I'm open to possibility thinking on a long term basis. > > > > > > > > > > > > > > > > > > > > > _._,_._,_ > ------------------------------ > Groups.io Links: > > You receive all messages sent to this group. > > View/Reply Online (#149) <https://OCP-All.groups.io/g/OCP-OSF/message/149> > | Reply To Group > <OCP-OSF@OCP-All.groups.io?subject=Re:%20Re%3A%20%5BOCP-OSF%5D%20Firmware%3A%20Sustainability%20vs%20planned%20obsolescence> > | Reply To Sender > <vincent.zimmer@intel.com?subject=Private:%20Re:%20Re%3A%20%5BOCP-OSF%5D%20Firmware%3A%20Sustainability%20vs%20planned%20obsolescence> > | Mute This Topic <https://groups.io/mt/81937262/675475> | New Topic > <https://OCP-All.groups.io/g/OCP-OSF/post> > Your Subscription <https://OCP-All.groups.io/g/OCP-OSF/editsub/675475> | Contact > Group Owner <OCP-OSF+owner(a)OCP-All.groups.io> | Unsubscribe > <https://OCP-All.groups.io/g/OCP-OSF/leave/10214763/675475/1625423992/xyzzy> > [francois.ozog(a)linaro.org] > _._,_._,_ > > -- François-Frédéric Ozog | *Director Linaro Edge & Fog Computing Group* T: +33.67221.6485 francois.ozog(a)linaro.org | Skype: ffozog

4 years, 1 month

1
0
0 0

Re: [TF-A] Adoption of Conventional Commits

by Varun Wadekar

>> Otherwise, we will begin adopting Conventional Commits in the CI at the beginning of April, pending full rollout for everybody in the next release. IIRC, I already proposed another option that builds on the tagging mechanism from Conventional Commits. Did we document the objections somewhere? I remember, CC did get some "nays" on the wiki page. Were all those concerns resolved? From: TF-A <tf-a-bounces(a)lists.trustedfirmware.org> On Behalf Of Chris Kay via TF-A Sent: Thursday, March 18, 2021 5:08 AM To: tf-a(a)lists.trustedfirmware.org Subject: Re: [TF-A] Adoption of Conventional Commits External email: Use caution opening links or attachments Just a reminder to everybody that we're now most of the way through March, and therefore most of the way through the investigation period. If anybody has any proposals they'd like to make, please do share them as soon as possible so that we have time to brainstorm and come to a conclusion. Otherwise, we will begin adopting Conventional Commits in the CI at the beginning of April, pending full rollout for everybody in the next release. Chris From: Chris Kay <Chris.Kay(a)arm.com<mailto:Chris.Kay@arm.com>> Date: Thursday, 25 February 2021 at 17:30 To: tf-a(a)lists.trustedfirmware.org<mailto:tf-a@lists.trustedfirmware.org> <tf-a(a)lists.trustedfirmware.org<mailto:tf-a@lists.trustedfirmware.org>> Subject: Re: [TF-A] Adoption of Conventional Commits Thanks to all those who attended the Tech Forum today! It's become apparent that the initial 2 week deadline for alternative proposals or implementations is too short, so - as agreed - we'll push the deadline for the investigation period to the end of March. This period is dedicated to evaluating the changelog automation proposal made, or to identifying alternative solutions. If you have an alternative proposal, any proof-of-concept tooling would be highly appreciated so we can get a clear idea of what sort of work and maintenance is going to be involved. If you do find a solution you wish to propose, please give it just a short name (e.g. "Update it manually") and make it obvious you want to propose it formally - I'll collect up the proposals made on the mailing list thread at the end of March and set up a Wiki poll so we can get a clear picture of where the community wants to take this. Chris From: TF-A <tf-a-bounces(a)lists.trustedfirmware.org<mailto:tf-a-bounces@lists.trustedfirmware.org>> on behalf of Chris Kay via TF-A <tf-a(a)lists.trustedfirmware.org<mailto:tf-a@lists.trustedfirmware.org>> Reply to: Chris Kay <Chris.Kay(a)arm.com<mailto:Chris.Kay@arm.com>> Date: Thursday, 11 February 2021 at 13:59 To: "tf-a(a)lists.trustedfirmware.org<mailto:tf-a@lists.trustedfirmware.org>" <tf-a(a)lists.trustedfirmware.org<mailto:tf-a@lists.trustedfirmware.org>> Subject: [TF-A] Adoption of Conventional Commits Hi all, Recently we had an internal discussion on the merits of introducing semantics to commit messages pushed to the main TF-A repository, the conclusion being that we would look to adopting the Conventional Commits<https://www.conventionalcommits.org/en/v1.0.0/> specification in the near future. There was one major reason for this, which was to help us in automating the changelog in future releases, but it might also help us to dramatically reduce the overall amount of work needed to make a formal release in the future. This requires some buy-in (or buy-out, in this case) from maintainers because - even though it's to only a relatively minor extent - it does involve an adjustment to everybody's workflow. Notably, commit messages will be expected to adopt the structure defined by the specification, which will be enforced by the CI. Most commits that go upstream today adhere to "something that looks like Conventional Commits", so the change is not exactly sweeping, but any change has the potential be an inconvenience. With that in mind, I propose the following: * We collectively adopt the specification, enforced only for @arm.com contributors until such a time that the majority of maintainers are familiar with the new demands * We suggest - in the prerequisites documentation - the installation of two helper tools: * Commitizen<https://github.com/commitizen/cz-cli> * Commitlint<https://github.com/conventional-changelog/commitlint> Installation of these tools will be optional, but I believe they can help with the transition. In the patches currently in review, they are installed as Git hooks automatically upon execution of npm install, so it requires no manual installation or configuration (other than a relatively up-to-date Node.js installation). You'll find the patches here<https://review.trustedfirmware.org/q/topic:%22ck%252Fconventional-commits%2…>, and specifically the changes to the prerequisites documentation here<https://review.trustedfirmware.org/c/TF-A/trusted-firmware-a/+/8224/1/docs/…>. Feel free to review these changes if you have comments specifically on their implementation. Let me know if you have any questions or concerns. If everybody's on board, we can look to have this upstreamed shortly. Chris

4 years, 1 month

2
3
0 0

Problems building for qemu with SPM (S-EL2) support

by Rebecca Cran

I'm having problems building TF-A with SPM/S-EL2 support. I can build with PLAT=fvp fine, but building with PLAT=qemu results in the error: LD /home/rebecca/src/arm-trusted-firmware/build/qemu/release/bl31/bl31.elf /home/rebecca/gcc-arm-10.2-2020.11-x86_64-aarch64-none-linux-gnu/bin/aarch64-none-linux-gnu-ld: /home/rebecca/src/arm-trusted-firmware/build/qemu/release/bl31/spmd_main.o: in function `spmd_setup': spmd_main.c:(.text.spmd_setup+0x74): undefined reference to `plat_spm_core_manifest_load' spmd_main.c:(.text.spmd_setup+0x74): relocation truncated to fit: R_AARCH64_CALL26 against undefined symbol `plat_spm_core_manifest_load' make: *** [Makefile:1136: /home/rebecca/src/arm-trusted-firmware/build/qemu/release/bl31/bl31.elf] Error 1 The command line I'm using is: make PLAT=qemu DEBUG=0 \ CROSS_COMPILE=~/gcc-arm-10.2-2020.11-x86_64-aarch64-none-linux-gnu/bin/aarch64-none-linux-gnu- \ SPD=spmd CTX_INCLUDE_EL2_REGS=1 BL32=bl32.bin BL33=bl33.bin \ SP_LAYOUT_FILE=sp_layout.json ARM_ARCH_MINOR=4 all fip Adding the following files to BL31_SOURCES in plat/qemu/platform.mk resolves the problem, but I suspect that's not the correct solution? plat/common/plat_spmd_manifest.c common/fdt_wrappers.c -- Rebecca Cran

4 years, 1 month

1
0
0 0

Re: [TF-A] Debugging a lock-up in opteed_system_reset

by Jens Wiklander

Hi Jan, On Sat, Apr 10, 2021 at 1:18 PM Jan Kiszka via TF-A <tf-a(a)lists.trustedfirmware.org> wrote: > > On 09.04.21 14:56, Jan Kiszka wrote: > > Hi all, > > > > I'm currently debugging sporadic lockups in TF-A when calling the system > > reset hook of OP-TEE: opteed_system_reset() gets stuck on > > opteed_synchronous_sp_entry(), and the thread_system_reset_handler of > > OP-TEE is not invoked (I left a debug output on the OP-TEE side). > > Platform is k3, target hardware our IOT2050 device. I was using today's > > master of TF-A and OP-TEE, but also older versions of both. > > > > What could cause this? I would assume that TF-A and OP-TEE are protected > > against overwriting of the non-secure world and we would see exceptions > > in case some reservation is not properly set, possibly misleading Linux. > > > > Turned out that we had a bug in our device tree: "reserved_memory", > rather than "reserved-memory". That caused Linux to ignore the RAM > reservation, eventually accessing the memory that OP-TEE is using. > > But that still does not explain why the secured memory is left behind > unsecured. Who is responsible for that, TF-A or the TEE itself? This might be memory reserved for the static shared memory pool used when communicating between Linux normal world and OP-TEE in secure world. If that's the case it's normal that the memory is accessible from Linux, however if Linux uses it for other purposes too there will be memory corruptions. Cheers, Jens

4 years, 1 month

2
1
0 0

Re: [TF-A] Proposal: TF-A to adopt hand-off blocks (HOBs) for information passing between boot stages

by Manish Pandey2

Hi, From TF-A project point of view, we prefer to use existing mechanism to pass parameters across boot stages using linked list of tagged elements (as suggested by Julius). It has support for both generic and SiP-specific tags. Having said that, it does not stop partners to introduce new mechanisms suitable for their usecase in platform port initially and later move to generic code if its suitable for other platforms. To start with, Ampere can introduce a platform specific implementation of memory tag(speed/NUMA topology etc) which can be evaluated and discussed for generalization in future. The tag will be populated in BL2 stage and can be forwarded to further stages(and to BL33) by passing the head of list pointer in one of the registers. Initially any register can be used but going forward a standardization will be needed. The U-boot bloblist mentioned by Simon is conceptually similar to what TF-A is using, if there is consensus of using bloblist/taglist then TF-A tag list may be enhanced to take best of both the implementations. One of the potential problems of having structure used in different projects is maintainability, this can be avoided by having a single copy of these structures in TF-A (kept inside "include/export" which intended to be used by other projects.) Regarding usage of either UUID or tag, I echo the sentiments of Simon and Julius to keep it simple and use tag values. Looking forward to having further discussions on zoom call today. Thanks Manish P ________________________________ From: TF-A <tf-a-bounces(a)lists.trustedfirmware.org> on behalf of Julius Werner via TF-A <tf-a(a)lists.trustedfirmware.org> Sent: 25 March 2021 02:43 To: Simon Glass <sjg(a)chromium.org> Cc: Harb Abdulhamid OS <abdulhamid(a)os.amperecomputing.com>; Boot Architecture Mailman List <boot-architecture(a)lists.linaro.org>; tf-a(a)lists.trustedfirmware.org <tf-a(a)lists.trustedfirmware.org>; U-Boot Mailing List <u-boot(a)lists.denx.de>; Paul Isaac's <paul.isaacs(a)linaro.org>; Ron Minnich <rminnich(a)google.com> Subject: Re: [TF-A] Proposal: TF-A to adopt hand-off blocks (HOBs) for information passing between boot stages Just want to point out that TF-A currently already supports a (very simple) mechanism like this: https://review.trustedfirmware.org/plugins/gitiles/TF-A/trusted-firmware-a/… https://review.trustedfirmware.org/plugins/gitiles/TF-A/trusted-firmware-a/… https://review.trustedfirmware.org/plugins/gitiles/TF-A/trusted-firmware-a/… It's just a linked list of tagged elements. The tag space is split into TF-A-wide generic tags and SiP-specific tags (with plenty of room to spare if more areas need to be defined -- a 64-bit tag can fit a lot). This is currently being used by some platforms that run coreboot in place of BL1/BL2, to pass information from coreboot (BL2) to BL31. I would echo Simon's sentiment of keeping this as simple as possible and avoiding complicated and bloated data structures with UUIDs. You usually want to parse something like this as early as possible in the passed-to firmware stage, particularly if the structure encodes information about the debug console (like it does for the platforms I mentioned above). For example, in BL31 this basically means doing it right after moving from assembly to C in bl31_early_platform_setup2() to get the console up before running anything else. At that point in the BL31 initialization, the MMU and caches are disabled, so data accesses are pretty expensive and you don't want to spend a lot of parsing effort or calculate complicated checksums or the like. You just want something extremely simple where you ideally have to touch every data word only once. On Wed, Mar 24, 2021 at 5:06 PM Simon Glass via TF-A <tf-a(a)lists.trustedfirmware.org<mailto:tf-a@lists.trustedfirmware.org>> wrote: Hi Harb, On Wed, 24 Mar 2021 at 11:39, Harb Abdulhamid OS <abdulhamid(a)os.amperecomputing.com<mailto:abdulhamid@os.amperecomputing.com>> wrote: Hello Folks, Appreciate the feedback and replies on this. Glad to see that there is interest in this topic. 😊 I try to address the comments/feedback from Francois and Simon below…. @François Ozog<mailto:francois.ozog@linaro.org> – happy to discuss this on a zoom call. I will make that time slot work, and will be available to attend April 8, 4pm CT. Note that I’m using the term “HOB” here more generically, as there are typically vendor specific structures beyond the resource descriptor HOB, which provides only a small subset of the information that needs to be passed between the boot phases. The whole point here is to provide mechanism to develop firmware that we can build ARM Server SoC’s that support *any* BL33 payload (e.g. EDK2, AptioV, CoreBoot, and maybe even directly boot strapping LinuxBoot at some point). In other-words, we are trying to come up with a TF-A that would be completely agnostic to the implementation of BL33 (i.e. BL33 is built completely independently by a separate entity – e.g. an ODM/OEM). Keep in mind, in the server/datacenter market segment we are not building vertically integrated systems with a single entity compiling firmware/software stacks like most folks in TF-A have become use to. There are two categories of higher level firmware code blobs in the server/datacenter model: 1. “SoC” or “silicon” firmware – in TF-A this may map to BL1, BL2, BL31, and *possibly* one or more BL32 instances 2. “Platform” or “board” firmware – in TF-A this may map to BL33 and *possibly* one or more BL32 instances. Even the platform firmware stack could be further fragmented by having multiple entities involved in delivering the entire firmware stack: IBVs, ODMs, OEMs, CSPs, and possibly even device vendor code. To support a broad range of platform designs with a broad range of memory devices, we need a crisp and clear contract between the SoC firmware that initializes memory (e.g. BL2) and how that platform boot firmware (e.g. BL33) gathers information about what memory that was initialized, at what speeds, NUMA topology, and many other relevant information that needs to be known and comprehended by the platform firmware and eventually by the platform software. I understand the versatility of DT, but I see two major problems with DT: * DT requires more complicated parsing to get properties, and even more complex to dynamically set properties – this HOB structures may need to be generated in boot phases where DDR is not available, and therefore we will be extremely memory constrained. * DT is probably overkill for this purpose – We really just want a list of pointers to simple C structures that code cast (e.g. JEDEC SPD data blob) I think that we should not mix the efforts around DT/ACPI specs with what we are doing here, because those specs and concepts were developed for a completely different purpose (i.e. abstractions needed for OS / RTOS software, and not necessarily suitable for firmware-to-firmware hand-offs). Frankly, I would personally push back pretty hard on defining SMC’s for something that should be one way information passing. Every SMC we add is another attack vector to the secure world and an increased burden on the folks that have to do security auditing and threat analysis. I see no benefit in exposing these boot/HOB/BOB structures at run-time via SMC calls. Please do let me know if you disagree and why. Look forward to discussing on this thread or on the call. @Simon Glass<mailto:sjg@chromium.org> - Thanks for the pointer to bloblist. I briefly reviewed and it seems like a good baseline for what we may be looking for. That being said, I would say that there is some benefit in having some kind of unique identifiers (e.g. UUID or some unique signature) so that we can tie standardized data structures (based on some future TBD specs) to a particular ID. For example, if the TPM driver in BL33 is looking for the TPM structure in the HOB/BOB list, and may not care about the other data blobs. The driver needs a way to identify and locate the blob it cares about. The tag is intended to serve that purpose, although perhaps it should switch from an auto-allocating enum to one with explicit values for each entry and a range for 'local' use. I guess we can achieve this with the tag, but the problem with tag when you have eco-system with a lot of parties doing parallel development, you can end up with tag collisions and folks fighting about who has rights to what tag values. We would need some official process for folks to register tags for whatever new structures we define, or maybe some tag range for vendor specific structures. This comes with a lot of pain and bureaucracy. On the other hand, UUID has been a proven way to make it easy to just define your own blobs with *either* standard or vendor specific structures without worry of ID collisions between vendors. True. I think the pain is overstated, though. In this case I think we actually want something that can be shared between projects and orgs, so some amount of coordination could be considered a benefit. It could just be a github pull request. I find the UUID unfriendly and not just to code size and eyesight! Trying to discover what GUIDs mean or are valid is quite tricky. E.g. see this code: #define FSP_HOB_RESOURCE_OWNER_TSEG_GUID \ EFI_GUID(0xd038747c, 0xd00c, 0x4980, \ 0xb3, 0x19, 0x49, 0x01, 0x99, 0xa4, 0x7d, 0x55) (etc.) static struct guid_name { efi_guid_t guid; const char *name; } guid_name[] = { { FSP_HOB_RESOURCE_OWNER_TSEG_GUID, "TSEG" }, { FSP_HOB_RESOURCE_OWNER_FSP_GUID, "FSP" }, { FSP_HOB_RESOURCE_OWNER_SMM_PEI_SMRAM_GUID, "SMM PEI SMRAM" }, { FSP_NON_VOLATILE_STORAGE_HOB_GUID, "NVS" }, { FSP_VARIABLE_NV_DATA_HOB_GUID, "Variable NVS" }, { FSP_GRAPHICS_INFO_HOB_GUID, "Graphics info" }, { FSP_HOB_RESOURCE_OWNER_PCD_DATABASE_GUID1, "PCD database ea" }, { FSP_HOB_RESOURCE_OWNER_PCD_DATABASE_GUID2, "PCD database 9b" }, (never figured out what those two are) { FSP_HOB_RESOURCE_OWNER_PEIM_DXE_GUID, "PEIM Init DXE" }, { FSP_HOB_RESOURCE_OWNER_ALLOC_STACK_GUID, "Alloc stack" }, { FSP_HOB_RESOURCE_OWNER_SMBIOS_MEMORY_GUID, "SMBIOS memory" }, { {}, "zero-guid" }, {} }; static const char *guid_to_name(const efi_guid_t *guid) { struct guid_name *entry; for (entry = guid_name; entry->name; entry++) { if (!guidcmp(guid, &entry->guid)) return entry->name; } return NULL; } Believe it or not it took a fair bit of effort to find just that small list, with nearly every one in a separate doc, from memory. We can probably debate whether there is any value in GUID/UUID or not during the call… but again, boblist seems like a reasonable starting point as an alternative to HOB. Indeed. There is certainly value in both approaches. Regards, Simon Thanks, --Harb From: François Ozog <francois.ozog(a)linaro.org<mailto:francois.ozog@linaro.org>> Sent: Tuesday, March 23, 2021 10:00 AM To: François Ozog <francois.ozog(a)linaro.org<mailto:francois.ozog@linaro.org>>; Ron Minnich <rminnich(a)google.com<mailto:rminnich@google.com>>; Paul Isaac's <paul.isaacs(a)linaro.org<mailto:paul.isaacs@linaro.org>> Cc: Simon Glass <sjg(a)chromium.org<mailto:sjg@chromium.org>>; Harb Abdulhamid OS <abdulhamid(a)os.amperecomputing.com<mailto:abdulhamid@os.amperecomputing.com>>; Boot Architecture Mailman List <boot-architecture(a)lists.linaro.org<mailto:boot-architecture@lists.linaro.org>>; tf-a(a)lists.trustedfirmware.org<mailto:tf-a@lists.trustedfirmware.org> Subject: Re: [TF-A] Proposal: TF-A to adopt hand-off blocks (HOBs) for information passing between boot stages +Ron Minnich<mailto:rminnich@google.com> +Paul Isaac's<mailto:paul.isaacs@linaro.org> Adding Ron and Paul because I think this interface should be also benefiting LinuxBoot efforts. On Tue, 23 Mar 2021 at 11:17, François Ozog via TF-A <tf-a(a)lists.trustedfirmware.org<mailto:tf-a@lists.trustedfirmware.org>> wrote: Hi, I propose we cover the topic at the next Trusted Substrate<https://collaborate.linaro.org/display/TS/Trusted+Substrate+Home> zoom call<https://linaro-org.zoom.us/j/94563644892> on April 8th 4pm CET. The agenda: ABI between non-secure firmware and the rest of firmware (EL3, S-EL1, S-EL2, SCP) to adapt hardware description to some runtime conditions. runtime conditions here relates to DRAM size and topology detection, secure DRAM memory carvings, PSCI and SCMI interface publishing. For additional background on existing metadata: UEFI Platform Initialization Specification Version 1.7<https://uefi.org/sites/default/files/resources/PI_Spec_1_7_final_Jan_2019.p…>, 5.5 Resource Descriptor HOB Out of the ResourceType we care about is EFI_RESOURCE_SYSTEM_MEMORY. This HOB lacks memory NUMA attachment or something that could be related to fill SRAT table for ACPI or relevant DT proximity domains. HOB is not consistent accros platforms: some platforms (Arm) lists memory from the booting NUMA node, other platforms (x86) lists all memory from all NUMA nodes. (At least this is the case on the two platforms I tested). There are two proposals to use memory structures from SPL/BLx up to the handover function (as defined in the Device Tree technical report<https://docs.google.com/document/d/1CLkhLRaz_zcCq44DLGmPZQFPbYHOC6nzPowaL0X…>) which can be U-boot (BL33 or just U-Boot in case of SPL/U-Boot scheme) or EDK2. I would propose we also discuss possibility of FF-A interface to actually query information or request actions to be done (this is a model actually used in some SoCs with proprietary SMC calls). Requirements (to be validated): - ACPI and DT hardware descriptions. - agnostic to boot framework (SPL/U-Boot, TF-A/U-Boot, TF-A/EDK2) - agnostic to boot framework (SPL/U-Boot, TF-A/U-Boot, TF-A/EDK2, TF-A/LinuxBoot) - at least allows complete DRAM description and "persistent" usage (reserved areas for secure world or other usages) - support secure world device assignment Cheers FF On Mon, 22 Mar 2021 at 19:56, Simon Glass <sjg(a)chromium.org<mailto:sjg@chromium.org>> wrote: Hi, Can I suggest using bloblist for this instead? It is lightweight, easier to parse, doesn't have GUIDs and is already used within U-Boot for passing info between SPL/U-Boot, etc. Docs here: https://github.com/u-boot/u-boot/blob/master/doc/README.bloblist Header file describes the format: https://github.com/u-boot/u-boot/blob/master/include/bloblist.h Full set of unit tests: https://github.com/u-boot/u-boot/blob/master/test/bloblist.c Regards, Simon On Mon, 22 Mar 2021 at 23:58, François Ozog <francois.ozog(a)linaro.org<mailto:francois.ozog@linaro.org>> wrote: > > +Boot Architecture Mailman List <boot-architecture(a)lists.linaro.org<mailto:boot-architecture@lists.linaro.org>> > > standardization is very much welcomed here and need to accommodate a very > diverse set of situations. > For example, TEE OS may need to pass memory reservations to BL33 or > "capture" a device for the secure world. > > I have observed a number of architectures: > 1) pass information from BLx to BLy in the form of a specific object > 2) BLx called by BLy by a platform specific SMC to get information > 3) BLx called by BLy by a platform specific SMC to perform Device Tree > fixups > > I also imagined a standardized "broadcast" FF-A call so that any firmware > element can either provide information or "do something". > > My understanding of your proposal is about standardizing on architecture 1) > with the HOB format. > > The advantage of the HOB is simplicity but it may be difficult to implement > schemes such as pruning a DT because device assignment in the secure world. > > In any case, it looks feasible to have TF-A and OP-TEE complement the list > of HOBs to pass information downstream (the bootflow). > > It would be good to start with building the comprehensive list of > information that need to be conveyed between firmware elements: > > information. | authoritative entity | reporting entity | information > exchanged: > dram | TFA | TFA | > <format to be detailed, NUMA topology to build the SRAT table or DT > equivalent?> > PSCI | SCP | TFA? | > SCMI | SCP or TEE-OS | TFA? TEE-OS?| > secure SRAM | TFA. | TFA. | > secure DRAM | TFA? TEE-OS? | TFA? TEE-OS? | > other? | | > | > > Cheers > > FF > > > On Mon, 22 Mar 2021 at 09:34, Harb Abdulhamid OS via TF-A < > tf-a(a)lists.trustedfirmware.org<mailto:tf-a@lists.trustedfirmware.org>> wrote: > > > Hello Folks, > > > > > > > > I'm emailing to start an open discussion about the adoption of a concept > > known as "hand-off blocks" or HOB to become a part of the TF-A Firmware > > Framework Architecture (FFA). This is something that is a pretty major > > pain point when it comes to the adoption of TF-A in ARM Server SoC’s > > designed to enable a broad range of highly configurable datacenter > > platforms. > > > > > > > > > > > > What is a HOB (Background)? > > > > --------------------------- > > > > UEFI PI spec describes a particular definition for how HOB may be used for > > transitioning between the PEI and DXE boot phases, which is a good > > reference point for this discussion, but not necessarily the exact solution > > appropriate for TF-A. > > > > > > > > A HOB is simply a dynamically generated data structure passed in between > > two boot phases. This is information that was obtained through discovery > > and needs to be passed forward to the next boot phase *once*, with no API > > needed to call back (e.g. no call back into previous firmware phase is > > needed to fetch this information at run-time - it is simply passed one time > > during boot). > > > > > > > > There may be one or more HOBs passed in between boot phases. If there are > > more than one HOB that needs to be passed, this can be in a form of a "HOB > > table", which (for example) could be a UUID indexed array of pointers to > > HOB structures, used to locate a HOB of interest (based on UUID). In such > > cases, instead of passing a single HOB, the boot phases may rely on passing > > the pointer to the HOB table. > > > > > > > > This has been extremely useful concept to employ on highly configurable > > systems that must rely on flexible discovery mechanisms to initialize and > > boot the system. This is especially helpful when you have multiple > > > > > > > > > > > > Why do we need HOBs in TF-A?: > > > > ----------------------------- > > > > It is desirable that EL3 firmware (e.g. TF-A) built for ARM Server SoC in > > a way that is SoC specific *but* platform agnostic. This means that a > > single ARM SoC that a SiP may deliver to customers may provide a single > > TF-A binary (e.g. BL1, BL2, BL31) that could be used to support a broad > > range of platform designs and configurations in order to boot a platform > > specific firmware (e.g. BL33 and possibly even BL32 code). In order to > > achieve this, the platform configuration must be *discovered* instead of > > statically compiled as it is today in TF-A via device tree based > > enumeration. The mechanisms of discovery may differ broadly depending on > > the relevant industry standard, or in some cases may have rely on SiP > > specific discovery flows. > > > > > > > > For example: On server systems that support a broad range DIMM memory > > population/topologies, all the necessary information required to boot is > > fully discovered via standard JEDEC Serial Presence Detect (SPD) over an > > I2C bus. Leveraging the SPD bus, may platform variants could be supported > > with a single TF-A binary. Not only is this information required to > > initialize memory in early boot phases (e.g. BL2), the subsequent boot > > phases will also need this SPD info to construct a system physical address > > map and properly initialize the MMU based on the memory present, and where > > the memory may be present. Subsequent boot phases (e.g. BL33 / UEFI) may > > need to generate standard firmware tables to the operating systems, such as > > SMBIOS tables describing DIMM topology and various ACPI tables (e.g. SLIT, > > SRAT, even NFIT if NVDIMM's are present). > > > > > > > > In short, it all starts with a standardized or vendor specific discovery > > flow in an early boot stage (e.g. BL1/BL2), followed by the passing of > > information to the next boot stages (e.g. BL31/BL32/BL33). > > > > > > > > Today, every HOB may be a vendor specific structure, but in the future > > there may be benefit of defining standard HOBs. This may be useful for > > memory discovery, passing the system physical address map, enabling TPM > > measured boot, and potentially many other common HOB use-cases. > > > > > > > > It would be extremely beneficial to the datacenter market segment if the > > TF-A community would adopt this concept of information passing between all > > boot phases as opposed to rely solely on device tree enumeration. This is > > not intended to replace device tree, rather intended as an alternative way > > to describe the info that must be discovered and dynamically generated. > > > > > > > > > > > > Conclusion: > > > > ----------- > > > > We are proposing that the TF-A community begin pursuing the adoption of > > HOBs as a mechanism used for information exchange between each boot stage > > (e.g. BL1->BL2, BL2->BL31, BL31->BL32, and BL31->BL33)? Longer term we > > want to explore standardizing some HOB structures for the BL33 phase (e.g. > > UEFI HOB structures), but initially would like to agree on this being a > > useful mechanism used to pass information between each boot stage. > > > > > > > > Thanks, > > > > --Harb > > > > > > > > > > > > > > -- > > TF-A mailing list > > TF-A(a)lists.trustedfirmware.org<mailto:TF-A@lists.trustedfirmware.org> > > https://lists.trustedfirmware.org/mailman/listinfo/tf-a > > > > > -- > François-Frédéric Ozog | *Director Linaro Edge & Fog Computing Group* > T: +33.67221.6485 > francois.ozog(a)linaro.org<mailto:francois.ozog@linaro.org> | Skype: ffozog > _______________________________________________ > boot-architecture mailing list > boot-architecture(a)lists.linaro.org<mailto:boot-architecture@lists.linaro.org> > https://lists.linaro.org/mailman/listinfo/boot-architecture -- [https://drive.google.com/a/linaro.org/uc?id=0BxTAygkus3RgQVhuNHMwUi1mYWc&ex…] François-Frédéric Ozog | Director Linaro Edge & Fog Computing Group T: +33.67221.6485 francois.ozog(a)linaro.org<mailto:francois.ozog@linaro.org> | Skype: ffozog -- TF-A mailing list TF-A(a)lists.trustedfirmware.org<mailto:TF-A@lists.trustedfirmware.org> https://lists.trustedfirmware.org/mailman/listinfo/tf-a -- [https://drive.google.com/a/linaro.org/uc?id=0BxTAygkus3RgQVhuNHMwUi1mYWc&ex…] François-Frédéric Ozog | Director Linaro Edge & Fog Computing Group T: +33.67221.6485 francois.ozog(a)linaro.org<mailto:francois.ozog@linaro.org> | Skype: ffozog -- TF-A mailing list TF-A(a)lists.trustedfirmware.org<mailto:TF-A@lists.trustedfirmware.org> https://lists.trustedfirmware.org/mailman/listinfo/tf-a

4 years, 1 month

6
5
0 0

Debugging a lock-up in opteed_system_reset

by Jan Kiszka

Hi all, I'm currently debugging sporadic lockups in TF-A when calling the system reset hook of OP-TEE: opteed_system_reset() gets stuck on opteed_synchronous_sp_entry(), and the thread_system_reset_handler of OP-TEE is not invoked (I left a debug output on the OP-TEE side). Platform is k3, target hardware our IOT2050 device. I was using today's master of TF-A and OP-TEE, but also older versions of both. What could cause this? I would assume that TF-A and OP-TEE are protected against overwriting of the non-secure world and we would see exceptions in case some reservation is not properly set, possibly misleading Linux. Jan -- Siemens AG, T RDA IOT Corporate Competence Center Embedded Linux

4 years, 1 month

2
2
0 0

TF-A 2.5 Release: Code-Freeze 30th April

by Gary Morrison

Hi, This is to notify that we are planning to target the Trusted Firmware-A 2.5 release during the second week of May 2021 as part of the regular ~6-month cadence. The aim is to consolidate all TF-A work since the 2.4 release. As part of this, a release candidate tag will be created and release activities will commence after the 30th of April. Essentially we will not merge any major enhancements from this date until the release is made. Please ensure any Gerrit Patch Reviews desired to make the 2.5 release are submitted in good time to be complete by last week of Apr 2021. Any major enhancement Gerrit Patch Reviews still open after that date will not be merged until after the release.

4 years, 1 month

1
0
0 0

OpenCI and trusted-firmware-ci organization in github

by Joanna Farley

Hi Everyone, If you get an invite to join the trusted-firmware-ci organization in Github it’s to allow all the project contributors seeded from the TF-A maintainers file (maintainers and code owners) to have the privileges to be able to perform Jenkin job rebuilds from the OpenCI Jenkins pages for the TF-A project. All the TF-A project maintainers will have the admin ability to add new people. Thanks Joanna

4 years, 2 months

1
0
0 0

TF-A Tech Forum Agenda @ Thr 8th April 2021 16:00-1700 BST

by Joanna Farley

Hi All, The next TF-A Tech Forum is scheduled for Thu 8th April 2021 16:00 – 17:00 (BST). Agenda: * TF-A OpenCI Update and Q&A * Lead by Joanna Farley * Following the posting in late March https://lists.trustedfirmware.org/pipermail/tf-a/2021-March/001045.html announcing the availability of the OpenCI this session is an update on the status and a run through of what’s available in the OpenCI to project contributors. I will have representatives from the OpenCI infrastructure team from Linaro along side TF-A project members familiar with the TF-A CI testing on the call to help answer any questions. * Attached is an early draft of the OpenCI documentation with Version 1.0 expected soon. Thanks Joanna

4 years, 2 months

1
0
0 0

Trusted Substrate architecture call: HandOverBlocks discussion

by François Ozog

Hi following a mail discussion on trusted-firmware A we will have a discussion on HOBs during this week's Trusted Substrate <http://trusted-substrate.org>architecture council call <https://linaro-org.zoom.us/j/94563644892>. In addition to mail thread, here is a deck <https://docs.google.com/presentation/d/1KyqkyqoGXHUynZSI2hRFBoO_P7sFwgUJWhj…> I'll use to start things up. Cheers FF -- François-Frédéric Ozog | *Director Linaro Edge & Fog Computing Group* T: +33.67221.6485 francois.ozog(a)linaro.org | Skype: ffozog

4 years, 2 months

2
2
0 0

New Defects reported by Coverity Scan for ARM-software/arm-trusted-firmware

by scan-admin＠coverity.com

Hi, Please find the latest report on new defect(s) introduced to ARM-software/arm-trusted-firmware found with Coverity Scan. 12 new defect(s) introduced to ARM-software/arm-trusted-firmware found with Coverity Scan. New defect(s) Reported-by: Coverity Scan Showing 12 of 12 defect(s) ** CID 369886: Uninitialized variables (UNINIT) /drivers/nxp/flexspi/nor/fspi.c: 130 in fspi_op_setup() ________________________________________________________________________________________________________ *** CID 369886: Uninitialized variables (UNINIT) /drivers/nxp/flexspi/nor/fspi.c: 130 in fspi_op_setup() 124 cmd_id2 = FSPI_NOR_CMD_RDSR; 125 break; 126 } 127 128 x_addr = FSPI_LUTREG_OFFSET + (uint32_t)(0x10 * fspi_op_seq_id); 129 if ((F_FLASH_SIZE_BYTES <= SZ_16M_BYTES) || (ignore_flash_sz)) { >>> CID 369886: Uninitialized variables (UNINIT) >>> Using uninitialized value "cmd_id1". 130 x_instr0 = FSPI_INSTR_OPRND0(cmd_id1); 131 x_instr1 = FSPI_INSTR_OPRND1(FSPI_LUT_ADDR24BIT); 132 VERBOSE("CMD_ID = %x offset = 0x%x\n", cmd_id1, x_addr); 133 } else { 134 x_instr0 = FSPI_INSTR_OPRND0(cmd_id2); 135 x_instr1 = FSPI_INSTR_OPRND1(FSPI_LUT_ADDR32BIT); ** CID 369885: Memory - corruptions (ARRAY_VS_SINGLETON) ________________________________________________________________________________________________________ *** CID 369885: Memory - corruptions (ARRAY_VS_SINGLETON) /plat/nxp/common/nv_storage/plat_nv_storage.c: 64 in read_nv_app_data() 58 if (ret != XSPI_SUCCESS) { 59 ERROR("Failed to initialized driver flexspi-nor.\n"); 60 ERROR("exiting warm-reset request.\n"); 61 return -ENODEV; 62 } 63 >>> CID 369885: Memory - corruptions (ARRAY_VS_SINGLETON) >>> Passing "(uint32_t *)&nv_app_data" to function "xspi_read" which uses it as an array. This might corrupt or misinterpret adjacent memory locations. 64 xspi_read(nv_base_addr, 65 (uint32_t *)&nv_app_data, sizeof(nv_app_data_t)); 66 xspi_sector_erase((uint32_t) nv_base_addr, 67 F_SECTOR_ERASE_SZ); 68 #endif 69 return ret; ** CID 369884: Memory - corruptions (ARRAY_VS_SINGLETON) ________________________________________________________________________________________________________ *** CID 369884: Memory - corruptions (ARRAY_VS_SINGLETON) /drivers/brcm/i2c/i2c.c: 669 in i2c_send_byte() 663 struct iproc_xact_info info; 664 665 iproc_i2c_fill_info(&info, bus_id, devaddr, 0U, &value, 666 SMBUS_PROT_SEND_BYTE, 0U); 667 668 /* Refer to i2c_smbus_write_byte params passed. */ >>> CID 369884: Memory - corruptions (ARRAY_VS_SINGLETON) >>> Passing "info.data" via argument "&info" to function "iproc_i2c_data_send" which uses it as an array. This might corrupt or misinterpret adjacent memory locations. 669 rc = iproc_i2c_data_send(&info); 670 671 if (rc < 0) { 672 ERROR("%s: %s error accessing device 0x%x\n", 673 __func__, "Write", devaddr); 674 } ** CID 369883: Memory - illegal accesses (UNINIT) ________________________________________________________________________________________________________ *** CID 369883: Memory - illegal accesses (UNINIT) /drivers/nxp/crypto/caam/src/caam.c: 142 in configure_jr() 136 return -1; 137 } 138 139 start_jr(num); 140 141 /* Do HW configuration of the JR */ >>> CID 369883: Memory - illegal accesses (UNINIT) >>> Using uninitialized value "reg_base_addr" when calling "init_job_ring". 142 job_ring = init_job_ring(SEC_NOTIFICATION_TYPE_POLL, 0, 0, 143 reg_base_addr, 0); 144 145 if (job_ring == NULL) { 146 ERROR("Error in init_job_ring"); 147 return -1; ** CID 369882: (BAD_SHIFT) /drivers/nxp/ddr/phy-gen2/phy.c: 2320 in parse_odt() /drivers/nxp/ddr/phy-gen2/phy.c: 2338 in parse_odt() /drivers/nxp/ddr/phy-gen2/phy.c: 2308 in parse_odt() /drivers/nxp/ddr/phy-gen2/phy.c: 2347 in parse_odt() /drivers/nxp/ddr/phy-gen2/phy.c: 2334 in parse_odt() /drivers/nxp/ddr/phy-gen2/phy.c: 2329 in parse_odt() /drivers/nxp/ddr/phy-gen2/phy.c: 2312 in parse_odt() /drivers/nxp/ddr/phy-gen2/phy.c: 2351 in parse_odt() /drivers/nxp/ddr/phy-gen2/phy.c: 2298 in parse_odt() /drivers/nxp/ddr/phy-gen2/phy.c: 2316 in parse_odt() ________________________________________________________________________________________________________ *** CID 369882: (BAD_SHIFT) /drivers/nxp/ddr/phy-gen2/phy.c: 2320 in parse_odt() 2314 case DDR_ODT_OTHER_DIMM: 2315 for (j = 0; j < DDRC_NUM_CS; j++) { 2316 if ((((cs_d0 & (1 << i)) != 0) && 2317 ((cs_d1 & (1 << j)) != 0)) || 2318 (((cs_d1 & (1 << i)) != 0) && 2319 ((cs_d0 & (1 << j)) != 0))) { >>> CID 369882: (BAD_SHIFT) >>> In expression "1 << i", shifting by a negative amount has undefined behavior. The shift amount, "i", is no more than -1. 2320 odt[j] |= (1 << i) << shift; 2321 } 2322 } 2323 break; 2324 case DDR_ODT_ALL: 2325 for (j = 0; j < DDRC_NUM_CS; j++) { /drivers/nxp/ddr/phy-gen2/phy.c: 2338 in parse_odt() 2332 case DDR_ODT_SAME_DIMM: 2333 for (j = 0; j < DDRC_NUM_CS; j++) { 2334 if ((((cs_d0 & (1 << i)) != 0) && 2335 ((cs_d0 & (1 << j)) != 0)) || 2336 (((cs_d1 & (1 << i)) != 0) && 2337 ((cs_d1 & (1 << j)) != 0))) { >>> CID 369882: (BAD_SHIFT) >>> In expression "1 << i", shifting by a negative amount has undefined behavior. The shift amount, "i", is no more than -1. 2338 odt[j] |= (1 << i) << shift; 2339 } 2340 } 2341 break; 2342 case DDR_ODT_OTHER_CS_ONSAMEDIMM: 2343 for (j = 0; j < DDRC_NUM_CS; j++) { /drivers/nxp/ddr/phy-gen2/phy.c: 2308 in parse_odt() 2302 if (i == j) { 2303 continue; 2304 } 2305 if (((cs_d0 | cs_d1) & (1 << j)) == 0) { 2306 continue; 2307 } >>> CID 369882: (BAD_SHIFT) >>> In expression "1 << i", shifting by a negative amount has undefined behavior. The shift amount, "i", is no more than -1. 2308 odt[j] |= (1 << i) << shift; 2309 } 2310 break; 2311 case DDR_ODT_CS_AND_OTHER_DIMM: 2312 odt[i] |= (1 << i) << 4; 2313 /* fallthrough */ /drivers/nxp/ddr/phy-gen2/phy.c: 2347 in parse_odt() 2341 break; 2342 case DDR_ODT_OTHER_CS_ONSAMEDIMM: 2343 for (j = 0; j < DDRC_NUM_CS; j++) { 2344 if (i == j) { 2345 continue; 2346 } >>> CID 369882: (BAD_SHIFT) >>> In expression "1 << i", shifting by a negative amount has undefined behavior. The shift amount, "i", is no more than -1. 2347 if ((((cs_d0 & (1 << i)) != 0) && 2348 ((cs_d0 & (1 << j)) != 0)) || 2349 (((cs_d1 & (1 << i)) != 0) && 2350 ((cs_d1 & (1 << j)) != 0))) { 2351 odt[j] |= (1 << i) << shift; 2352 } /drivers/nxp/ddr/phy-gen2/phy.c: 2334 in parse_odt() 2328 } 2329 odt[j] |= (1 << i) << shift; 2330 } 2331 break; 2332 case DDR_ODT_SAME_DIMM: 2333 for (j = 0; j < DDRC_NUM_CS; j++) { >>> CID 369882: (BAD_SHIFT) >>> In expression "1 << i", shifting by a negative amount has undefined behavior. The shift amount, "i", is no more than -1. 2334 if ((((cs_d0 & (1 << i)) != 0) && 2335 ((cs_d0 & (1 << j)) != 0)) || 2336 (((cs_d1 & (1 << i)) != 0) && 2337 ((cs_d1 & (1 << j)) != 0))) { 2338 odt[j] |= (1 << i) << shift; 2339 } /drivers/nxp/ddr/phy-gen2/phy.c: 2329 in parse_odt() 2323 break; 2324 case DDR_ODT_ALL: 2325 for (j = 0; j < DDRC_NUM_CS; j++) { 2326 if (((cs_d0 | cs_d1) & (1 << j)) == 0) { 2327 continue; 2328 } >>> CID 369882: (BAD_SHIFT) >>> In expression "1 << i", shifting by a negative amount has undefined behavior. The shift amount, "i", is no more than -1. 2329 odt[j] |= (1 << i) << shift; 2330 } 2331 break; 2332 case DDR_ODT_SAME_DIMM: 2333 for (j = 0; j < DDRC_NUM_CS; j++) { 2334 if ((((cs_d0 & (1 << i)) != 0) && /drivers/nxp/ddr/phy-gen2/phy.c: 2312 in parse_odt() 2306 continue; 2307 } 2308 odt[j] |= (1 << i) << shift; 2309 } 2310 break; 2311 case DDR_ODT_CS_AND_OTHER_DIMM: >>> CID 369882: (BAD_SHIFT) >>> In expression "1 << i", shifting by a negative amount has undefined behavior. The shift amount, "i", is no more than -1. 2312 odt[i] |= (1 << i) << 4; 2313 /* fallthrough */ 2314 case DDR_ODT_OTHER_DIMM: 2315 for (j = 0; j < DDRC_NUM_CS; j++) { 2316 if ((((cs_d0 & (1 << i)) != 0) && 2317 ((cs_d1 & (1 << j)) != 0)) || /drivers/nxp/ddr/phy-gen2/phy.c: 2351 in parse_odt() 2345 continue; 2346 } 2347 if ((((cs_d0 & (1 << i)) != 0) && 2348 ((cs_d0 & (1 << j)) != 0)) || 2349 (((cs_d1 & (1 << i)) != 0) && 2350 ((cs_d1 & (1 << j)) != 0))) { >>> CID 369882: (BAD_SHIFT) >>> In expression "1 << i", shifting by a negative amount has undefined behavior. The shift amount, "i", is no more than -1. 2351 odt[j] |= (1 << i) << shift; 2352 } 2353 } 2354 break; 2355 case DDR_ODT_NEVER: 2356 break; /drivers/nxp/ddr/phy-gen2/phy.c: 2298 in parse_odt() 2292 2293 if (i < 0 || i > 3) { 2294 printf("Error: invalid chip-select value\n"); 2295 } 2296 switch (val) { 2297 case DDR_ODT_CS: >>> CID 369882: (BAD_SHIFT) >>> In expression "1 << i", shifting by a negative amount has undefined behavior. The shift amount, "i", is no more than -1. 2298 odt[i] |= (1 << i) << shift; 2299 break; 2300 case DDR_ODT_ALL_OTHER_CS: 2301 for (j = 0; j < DDRC_NUM_CS; j++) { 2302 if (i == j) { 2303 continue; /drivers/nxp/ddr/phy-gen2/phy.c: 2316 in parse_odt() 2310 break; 2311 case DDR_ODT_CS_AND_OTHER_DIMM: 2312 odt[i] |= (1 << i) << 4; 2313 /* fallthrough */ 2314 case DDR_ODT_OTHER_DIMM: 2315 for (j = 0; j < DDRC_NUM_CS; j++) { >>> CID 369882: (BAD_SHIFT) >>> In expression "1 << i", shifting by a negative amount has undefined behavior. The shift amount, "i", is no more than -1. 2316 if ((((cs_d0 & (1 << i)) != 0) && 2317 ((cs_d1 & (1 << j)) != 0)) || 2318 (((cs_d1 & (1 << i)) != 0) && 2319 ((cs_d0 & (1 << j)) != 0))) { 2320 odt[j] |= (1 << i) << shift; 2321 } ** CID 369881: Memory - corruptions (OVERRUN) ________________________________________________________________________________________________________ *** CID 369881: Memory - corruptions (OVERRUN) /drivers/brcm/i2c/i2c.c: 556 in i2c_init() 550 { 551 if (bus_id > MAX_I2C) { 552 WARN("%s: Invalid Bus %u\n", __func__, bus_id); 553 return -1; 554 } 555 >>> CID 369881: Memory - corruptions (OVERRUN) >>> Overrunning callee's array of size 2 by passing argument "bus_id" (which evaluates to 2) in call to "iproc_i2c_init". 556 iproc_i2c_init(bus_id, speed); 557 return 0U; 558 } 559 560 /* 561 * Function Name: i2c_probe ** CID 369880: Error handling issues (CHECKED_RETURN) /drivers/nxp/ddr/nxp-ddr/utility.c: 43 in get_ddr_freq() ________________________________________________________________________________________________________ *** CID 369880: Error handling issues (CHECKED_RETURN) /drivers/nxp/ddr/nxp-ddr/utility.c: 43 in get_ddr_freq() 37 #define CCN_HN_F_SAM_NODEID_DDR1 0x18 38 #endif 39 40 unsigned long get_ddr_freq(struct sysinfo *sys, int ctrl_num) 41 { 42 if (sys->freq_ddr_pll0 == 0) { >>> CID 369880: Error handling issues (CHECKED_RETURN) >>> Calling "get_clocks" without checking return value (as is done elsewhere 4 out of 5 times). 43 get_clocks(sys); 44 } 45 46 switch (ctrl_num) { 47 case 0: 48 return sys->freq_ddr_pll0; ** CID 369879: Memory - corruptions (ARRAY_VS_SINGLETON) ________________________________________________________________________________________________________ *** CID 369879: Memory - corruptions (ARRAY_VS_SINGLETON) /drivers/brcm/i2c/i2c.c: 763 in i2c_write_byte() 757 struct iproc_xact_info info; 758 759 iproc_i2c_fill_info(&info, bus_id, devaddr, regoffset, &value, 760 SMBUS_PROT_WR_BYTE, 1U); 761 762 /* Refer to i2c_smbus_write_byte params passed. */ >>> CID 369879: Memory - corruptions (ARRAY_VS_SINGLETON) >>> Passing "info.data" via argument "&info" to function "iproc_i2c_data_send" which uses it as an array. This might corrupt or misinterpret adjacent memory locations. 763 rc = iproc_i2c_data_send(&info); 764 765 if (rc < 0) { 766 ERROR("%s: %s error accessing device 0x%x\n", 767 __func__, "Write", devaddr); 768 return -1; ** CID 369878: Control flow issues (DEADCODE) /drivers/nxp/ddr/nxp-ddr/utility.c: 169 in disable_unused_ddrc() ________________________________________________________________________________________________________ *** CID 369878: Control flow issues (DEADCODE) /drivers/nxp/ddr/nxp-ddr/utility.c: 169 in disable_unused_ddrc() 163 debug("Both controllers in use.\n"); 164 return 0; 165 } 166 167 for (i = 0; i < num_hnf_nodes; i++) { 168 val = mmio_read_64((uintptr_t)hnf_sam_ctrl); >>> CID 369878: Control flow issues (DEADCODE) >>> Execution cannot reach the expression "i < 4" inside this statement: "nodeid = ((disable_ddrc == ...". 169 nodeid = disable_ddrc == 1 ? CCN_HN_F_SAM_NODEID_DDR1 : 170 (disable_ddrc == 2 ? CCN_HN_F_SAM_NODEID_DDR0 : 171 (i < 4 ? CCN_HN_F_SAM_NODEID_DDR0 172 : CCN_HN_F_SAM_NODEID_DDR1)); 173 if (nodeid != (val & CCN_HN_F_SAM_NODEID_MASK)) { 174 debug("Setting HN-F node %d\n", i); ** CID 369877: Incorrect expression (NO_EFFECT) /drivers/nxp/ddr/nxp-ddr/utility.c: 145 in disable_unused_ddrc() ________________________________________________________________________________________________________ *** CID 369877: Incorrect expression (NO_EFFECT) /drivers/nxp/ddr/nxp-ddr/utility.c: 145 in disable_unused_ddrc() 139 switch (disable_ddrc) { 140 case 1: 141 priv->num_ctlrs = 1; 142 priv->spd_addr = &priv->spd_addr[priv->dimm_on_ctlr]; 143 priv->ddr[0] = priv->ddr[1]; 144 priv->ddr[1] = NULL; >>> CID 369877: Incorrect expression (NO_EFFECT) >>> Assigning "priv->phy[0]" to itself has no effect. 145 priv->phy[0] = priv->phy[0]; 146 priv->phy[1] = NULL; 147 debug("Disable first DDR controller\n"); 148 break; 149 case 2: 150 priv->num_ctlrs = 1; ** CID 369876: Incorrect expression (UNUSED_VALUE) /plat/nxp/soc-lx2160a/lx2160aqds/ddr_init.c: 333 in init_ddr() ________________________________________________________________________________________________________ *** CID 369876: Incorrect expression (UNUSED_VALUE) /plat/nxp/soc-lx2160a/lx2160aqds/ddr_init.c: 333 in init_ddr() 327 info.phy_gen2_fw_img_buf = PHY_GEN2_FW_IMAGE_BUFFER; 328 if (info.clk == 0) { 329 info.clk = get_ddr_freq(&sys, 1); 330 } 331 info.dimm_on_ctlr = DDRC_NUM_DIMM; 332 >>> CID 369876: Incorrect expression (UNUSED_VALUE) >>> Assigning value "DDR_WRM_BOOT_NT_SUPPORTED" to "info.warm_boot_flag" here, but that stored value is overwritten before it can be used. 333 info.warm_boot_flag = DDR_WRM_BOOT_NT_SUPPORTED; 334 #ifdef NXP_WARM_BOOT 335 info.warm_boot_flag = DDR_COLD_BOOT; 336 if (wrm_bt_flg != 0U) { 337 info.warm_boot_flag = DDR_WARM_BOOT; 338 } else { ** CID 369875: Uninitialized variables (UNINIT) /drivers/nxp/flexspi/nor/fspi.c: 134 in fspi_op_setup() ________________________________________________________________________________________________________ *** CID 369875: Uninitialized variables (UNINIT) /drivers/nxp/flexspi/nor/fspi.c: 134 in fspi_op_setup() 128 x_addr = FSPI_LUTREG_OFFSET + (uint32_t)(0x10 * fspi_op_seq_id); 129 if ((F_FLASH_SIZE_BYTES <= SZ_16M_BYTES) || (ignore_flash_sz)) { 130 x_instr0 = FSPI_INSTR_OPRND0(cmd_id1); 131 x_instr1 = FSPI_INSTR_OPRND1(FSPI_LUT_ADDR24BIT); 132 VERBOSE("CMD_ID = %x offset = 0x%x\n", cmd_id1, x_addr); 133 } else { >>> CID 369875: Uninitialized variables (UNINIT) >>> Using uninitialized value "cmd_id2". 134 x_instr0 = FSPI_INSTR_OPRND0(cmd_id2); 135 x_instr1 = FSPI_INSTR_OPRND1(FSPI_LUT_ADDR32BIT); 136 VERBOSE("CMD_ID = %x offset = 0x%x\n", cmd_id2, x_addr); 137 } 138 x_instr0 |= FSPI_INSTR_PAD0(FSPI_LUT_PAD1) 139 | FSPI_INSTR_OPCODE0(FSPI_LUT_CMD); ________________________________________________________________________________________________________ To view the defects in Coverity Scan visit, https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P…

4 years, 2 months

1
0
0 0

Re: [TF-A] please fix incomplete distclean Makefile target

by Nicolas Boulenguez

raghu.ncstate(a)icloud.com: > Are you pushing ssh://<username>@review.trustedfirmware.org:29418/TF-A/trusted-firmware-a HEAD:refs/for/integration? > Note that 29418 port. That tripped me up initially. It is not clear from your earlier emails where you cloned from(review.trustedfirmware.org or git.trustedfirmware.org). [α] links to [β] which recommends # git clone "https://review.trustedfirmware.org/TF-A/trusted-firmware-a" I had an existing repository (most contributors probably do) and used 'git add remote' and 'git fetch' instead. [α] recommends # git push <remote-name> HEAD:refs/for/integration%<topic-branch> As expected, the host requires a password. # git push ssh://<user>@review.trustedfirmware.org:29418/TF-A/trusted-firmware-a HEAD:refs/for/integration? -> fatal: invalid refspec 'HEAD:refs/for/integration?' Anyhow, the host would require an SSH key. [α] https://developer.trustedfirmware.org/w/tf_a/gerrit-getting-started/ [β] https://review.trustedfirmware.org/admin/repos/TF-A%2Ftrusted-firmware-a

4 years, 2 months

1
0
0 0

Re: [TF-A] please fix incomplete distclean Makefile target

by Sandrine Bailleux

Hi Nicolas, On 3/29/21 12:40 AM, Nicolas Boulenguez via TF-A wrote: > Currently, tools/cert_create/cert_create is not removed. > The attached one-line patch fixes this. Thank you for your patch! The TF-A project uses the Gerrit review system for patch reviews, would you mind resending your patch on review.trustedfirmware.org please? If you need help with that, there's a "getting started" guide there (it is a bit outdated but hopefully still helpful): https://developer.trustedfirmware.org/w/tf_a/gerrit-getting-started/ And our project specific contribution guidelines are there: https://trustedfirmware-a.readthedocs.io/en/latest/process/contributing.html Regards, Sandrine

4 years, 2 months

2
6
0 0

Glitching protection

by François Ozog

Hi Trusted Firmware M recently introduced protection against glitching at key decision points: https://github.com/mcu-tools/mcuboot/pull/776 To me this is a key mitigation element for companies that target PSA level 3 compliance which means hardware attacks resilience. I believe similar techniques need to be used in different projects involved in Linux secure booting (TF-A, OP-TEE, U-Boot, Linux kernel). Are there any efforts planned around this ? Is it feasible to have a "library" that could be integrated in different projects? Cheers FF

4 years, 2 months

4
8
0 0

Re: [TF-A] Firmware FuSa workshop

by Miklos Balint

To += op-tee(a)lists.trustedfirmware.org<mailto:op-tee@lists.trustedfirmware.org> From: TF-A <tf-a-bounces(a)lists.trustedfirmware.org> On Behalf Of François Ozog via TF-A Sent: 26 March 2021 19:08 To: Heinrich Schuchardt <xypron.glpk(a)gmx.de> Cc: tf-a(a)lists.trustedfirmware.org; Boot Architecture Mailman List <boot-architecture(a)lists.linaro.org>; Ilias Apalodimas <ilias.apalodimas(a)linaro.org> Subject: Re: [TF-A] Firmware FuSa workshop Le ven. 26 mars 2021 à 18:42, Heinrich Schuchardt <xypron.glpk(a)gmx.de<mailto:xypron.glpk@gmx.de>> a écrit : On 26.03.21 16:05, François Ozog wrote: > Hi, > > > Linaro is conducting an opportunity assessment to make OP-TEE ready for > functional safety sensitive environments. The goal is to present a plan to > Linaro members by the end of July 2021. > > The scope of the research is somewhat bigger because we can’t think of > OP-TEE without thinking of Trusted Firmware and Hafnium. The plan will > though not address those (unless we recognize we have to). We don’t think > U-Boot shall be part of the picture but we are welcoming contradictory > points of views. Hello François, Some boards boot via SPL->TF-A->U-Boot. Here U-Boot's SPL is relevant for OP-TEE's security. U-Boot can save variables via OP-TEE (implemented by Ilias). In this case OP-TEE has an implication on secure boot. I fully understand that these scenarios are not in the focus of the workshop. it may if companies have this particular flow in mind for safety certification. Our goal is not to make all boot flows safety ready but to identify which ones we need to consider. And the workshop may help in this identification. Best regards Heinrich > > We are organizing a 2 hours workshop on April 15th 9am CET to mostly hear > about use cases and ideas about Long Term Support requirements . We will > present the state of the research. > > The first use case is booting a safety certified type-1 hypervisor (open > source or commercial is irrelevant). > > But we know there are many more: please be ready to contribute. > > We think of more radical use cases: a safety payload is actually loaded as > a Secure Partition on top of Hafnium with OP-TEE or Zephyr used as a device > backends. In other words, Trust Zone hosts both safety and security worlds > , EL3 being the « software root of trust » pivot world. In those cases, > some cores never go out of secure state… > > > Agenda (to be refined) > > - > > Vision > - > > State of the research > <https://docs.google.com/presentation/u/0/d/1jWqu39gCF-5XzbFkodXsiVNJJLUN88B…> > - > > Use cases discussion > - > > What is the right scope? > - > > “Who do what” discussion (LTS, archiving...) > - > > Safety personnel (Linaro and contractors) discussion > - > > Other considerations from participants? > - > > Community organizations and funding? > - > > Closing and next steps > > > Should you want to participate and have not yet received an invite, please > contact me directly. > > Cordially, > > François-Frédéric > > PS: Please reach out should you want another date with a time compatible > with more time zones. This alternate date is not guaranteed though. > > -- [https://drive.google.com/a/linaro.org/uc?id=0BxTAygkus3RgQVhuNHMwUi1mYWc&ex…] François-Frédéric Ozog | Director Linaro Edge & Fog Computing Group T: +33.67221.6485 francois.ozog(a)linaro.org<mailto:francois.ozog@linaro.org> | Skype: ffozog

4 years, 2 months

1
0
0 0

please fix incomplete distclean Makefile target

by Nicolas Boulenguez

Hello. Currently, tools/cert_create/cert_create is not removed. The attached one-line patch fixes this.

4 years, 2 months

1
0
0 0

TF-A OpenCI Update

by Joanna Farley

Hi Everyone, I wanted to give an update on the availability of the TF-A OpenCI. Recognised projects contributors can now invoke the OpenCI on patches they submit or patches they review through Gerrit and so view results and fix any issues identified without an Arm reviewer having to intercede and start the Open CI for them. This is achieved in Gerrit patches (https://review.trustedfirmware.org/p/TF-A/trusted-firmware-a/+/dashboard/si…) by setting the Allow-CI label with +1 or +2 where +1 is a light level of testing and +2 includes additional tests on top of the +1 tests. Results are linked to in the Gerrit patch comments. Recognised projects contributors is currently seeded as everybody listed in https://git.trustedfirmware.org/TF-A/trusted-firmware-a.git/tree/docs/about… including all maintainers and code-owners. The intent going forward is to include others when vouched for by other recognised projects contributors. In this way we hope to be open to all project contributors to have access to the OpenCI while providing some protection to the OpenCI back end resources. The plan is to have another TF-A Tech-Forum session on the OpenCI on 8th April 2021 where more of the details of the OpenCI can be shared, discussed and questions can be taken. For now please experiment with the OpenCI through your patch submissions or reviews. Please be aware this is a shared resource and use when appropriate during the patch review and be tolerant if its not quite perfect yet. Please rest assured the existing Legacy CI is still available during this transition to the OpenCI where needed to help ensure patches are adequately tested to maintain repository quality levels. I’ll like to say a big thanks to the Linaro team working in the background to provide the OpenCI service to the TF-A project. Cheers Joanna

4 years, 2 months

1
0
0 0

Firmware FuSa workshop

by François Ozog

Hi, Linaro is conducting an opportunity assessment to make OP-TEE ready for functional safety sensitive environments. The goal is to present a plan to Linaro members by the end of July 2021. The scope of the research is somewhat bigger because we can’t think of OP-TEE without thinking of Trusted Firmware and Hafnium. The plan will though not address those (unless we recognize we have to). We don’t think U-Boot shall be part of the picture but we are welcoming contradictory points of views. We are organizing a 2 hours workshop on April 15th 9am CET to mostly hear about use cases and ideas about Long Term Support requirements . We will present the state of the research. The first use case is booting a safety certified type-1 hypervisor (open source or commercial is irrelevant). But we know there are many more: please be ready to contribute. We think of more radical use cases: a safety payload is actually loaded as a Secure Partition on top of Hafnium with OP-TEE or Zephyr used as a device backends. In other words, Trust Zone hosts both safety and security worlds , EL3 being the « software root of trust » pivot world. In those cases, some cores never go out of secure state… Agenda (to be refined) - Vision - State of the research <https://docs.google.com/presentation/u/0/d/1jWqu39gCF-5XzbFkodXsiVNJJLUN88B…> - Use cases discussion - What is the right scope? - “Who do what” discussion (LTS, archiving...) - Safety personnel (Linaro and contractors) discussion - Other considerations from participants? - Community organizations and funding? - Closing and next steps Should you want to participate and have not yet received an invite, please contact me directly. Cordially, François-Frédéric PS: Please reach out should you want another date with a time compatible with more time zones. This alternate date is not guaranteed though. -- François-Frédéric Ozog | *Director Linaro Edge & Fog Computing Group* T: +33.67221.6485 francois.ozog(a)linaro.org | Skype: ffozog

4 years, 2 months

2
2
0 0

Glitching protection

by Tamas Ban

Hi, Recently the same fault injection protection code what is used in MCUboot was added to TF-M project. https://review.trustedfirmware.org/c/TF-M/trusted-firmware-m/+/7468 It is a library which can be reused in any project to harden the critical call path and condition checks, which are crucial from device security point of view. BR, Tamas Ban

4 years, 2 months

1
1
0 0

Re: [TF-A] Glitching protection

by Joanna Farley

Hi François, The TF-A team members have thought about trying to explore the use of more mitigations for Side Channel attacks along the lines of "Canary In the Coalmine" type techniques to as you say build additional resilience and as you can expect the techniques used by our peer TF-M project are one we would like to explore. I would not say this is a plan as such but definitely something already listed on our backlog. As to if the TF-M code can be reused that would need to be explored more. Cheers Joanna On 26/03/2021, 14:12, "TF-A on behalf of François Ozog via TF-A" <tf-a-bounces(a)lists.trustedfirmware.org on behalf of tf-a(a)lists.trustedfirmware.org> wrote: Hi Trusted Firmware M recently introduced protection against glitching at key decision points: https://github.com/mcu-tools/mcuboot/pull/776 To me this is a key mitigation element for companies that target PSA level 3 compliance which means hardware attacks resilience. I believe similar techniques need to be used in different projects involved in Linux secure booting (TF-A, OP-TEE, U-Boot, Linux kernel). Are there any efforts planned around this ? Is it feasible to have a "library" that could be integrated in different projects? Cheers FF -- TF-A mailing list TF-A(a)lists.trustedfirmware.org https://lists.trustedfirmware.org/mailman/listinfo/tf-a

4 years, 2 months

1
0
0 0

Re: [TF-A] EHF + OPTEE on ARM64

by Peng Fan

Hi Sandeep, I just noticed that your PR is abandoned. Will you resend your PR? Thanks, Peng. ________________________________ From: OP-TEE <op-tee-bounces(a)lists.trustedfirmware.org> on behalf of Peng Fan via OP-TEE <op-tee(a)lists.trustedfirmware.org> Sent: Tuesday, March 23, 2021 10:14 AM To: Sandeep Tripathy <sandeep.tripathy(a)broadcom.com> Cc: tf-a(a)lists.trustedfirmware.org <tf-a(a)lists.trustedfirmware.org>; op-tee(a)lists.trustedfirmware.org <op-tee(a)lists.trustedfirmware.org> Subject: RE: [TF-A] EHF + OPTEE on ARM64 Hi Sandeep > Subject: Re: [TF-A] EHF + OPTEE on ARM64 > > Hi Peng, > > 1-Asynchronous preemption of SP: > The long route is to make changes in the dispatcher and the > corresponding SPD implementation to have synchronous preemption. > ie: OP-TEE dispatcher will implement a G1NS (fiq) handler and invoke > an entry of OP-TEE synchronously. OP-TEE will save the thread context > and return. > I did some POC but the complexity and effort to generalise was not > justified by our requirement at that point especially envisioning the > movement to SPMD in future. > > 2-Synchronous preemption of SP: > ref: > https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Freview.tr… > > I used this approach instead to unblock OP-TEE work alongside EHF. > This serves the purpose without changing the routing model with a > limitation that non yielding/fast SMC can > not be preempted. And ofcourse OP-TEE can mask G0 interrupt in > anycase. But I think this is sufficient for your purpose. > > Please feedback if the above patch works for you. I was trying using #ifndef SPD_opteed to wrap the secure stuff. Thanks for your patch. I test on i.MX8MM-EVK, it works well. Thanks, Peng. > > Thanks > Sandeep > > On Mon, Mar 22, 2021 at 2:43 PM Peng Fan via TF-A > <tf-a(a)lists.trustedfirmware.org> wrote: > > > > Hi Achin, > > > > > > > > We are using SDEI for Jailhouse hypervisor to minimize interrupt latency, > however we also wanna use OP-TEE when SDEI enabled. > > > > > > > > So I wanna how to make both work together. > > > > > > > > Thanks, > > > > Peng. > > > > > > > > From: Achin Gupta [mailto:Achin.Gupta@arm.com] > > Sent: 2021年3月17日 17:59 > > To: Peng Fan <peng.fan(a)nxp.com>; Jens Wiklander > <jens.wiklander(a)linaro.org> > > Cc: op-tee(a)lists.trustedfirmware.org; tf-a(a)lists.trustedfirmware.org > > Subject: Re: EHF + OPTEE on ARM64 > > > > > > > > Hi Peng, > > > > > > > > +TF-A folk. > > > > > > > > My 0.02$. > > > > > > > > What is the problem you are trying to solve? Why do you need to run > OP-TEE and EHF together? EHF was originally written to support a S-EL0 SP > that is managed directly by TF-A in EL3 (TF-A folk can chime in). > > > > > > > > The SP could perform RAS error handling for which it needs the EHF. The EHF > triages asynchronous exceptions and hands RAS errors to the SP for further > handling. > > > > > > > > This is just one use case but there is no Trusted OS in these configurations. > > > > > > > > So, it would help to understand the requirement. > > > > > > > > cheers, > > > > Achin > > > > > > > > ________________________________ > > > > From: OP-TEE <op-tee-bounces(a)lists.trustedfirmware.org> on behalf of > Jens Wiklander via OP-TEE <op-tee(a)lists.trustedfirmware.org> > > Sent: 17 March 2021 09:23 > > To: Peng Fan <peng.fan(a)nxp.com> > > Cc: op-tee(a)lists.trustedfirmware.org <op-tee(a)lists.trustedfirmware.org> > > Subject: Re: EHF + OPTEE on ARM64 > > > > > > > > On Wed, Mar 17, 2021 at 9:43 AM Peng Fan <peng.fan(a)nxp.com> wrote: > > > > > > > Subject: Re: EHF + OPTEE on ARM64 > > > > > > > > On Wed, Mar 17, 2021 at 9:02 AM Peng Fan <peng.fan(a)nxp.com> > wrote: > > > > > > > > > > > Subject: Re: EHF + OPTEE on ARM64 > > > > > > > > > > > > On Wed, Mar 17, 2021 at 8:41 AM Peng Fan <peng.fan(a)nxp.com> > wrote: > > > > > > > > > > > > > > > Subject: Re: EHF + OPTEE on ARM64 > > > > > > > > > > > > > > > > On Tue, Mar 16, 2021 at 11:08 AM Peng Fan > <peng.fan(a)nxp.com> > > > > wrote: > > > > > > > > > > > > > > > > > > Hi, > > > > > > > > > > > > > > > > > > In bl31/ehf.c, there are following two lines, per my > > > > > > > > > understanding, when cpu is in secure world, the non-secure > > > > > > > > > interrupt as FIQ(GICv3) will be directly catched by EL3, not > S-EL1 > > > > > > > > > /* Route EL3 interrupts when in Secure and > Non-secure. > > > > */ > > > > > > > > > set_interrupt_rm_flag(flags, NON_SECURE); > > > > > > > > > set_interrupt_rm_flag(flags, SECURE); > > > > > > > > > > > > > > > > > > So this will conflict with OP-TEE, because OP-TEE needs catch > > > > > > > > > NS-interrupt as FIQ in S-EL1 world. > > > > > > > > > > > > > > > > In the case of GICv3, OP-TEE is configured to receive the > > > > > > > > non-secure interrupts as FIQ and secure interrupts as IRQ. See > > > > CFG_ARM_GICV3. > > > > > > > > > > > > > > But EHF needs NS-interrupt FIQ be catched by EL3 if I understand > > > > > > > correct, per " set_interrupt_rm_flag(flags, SECURE);" > > > > > > > > > > > > > > So currently EHF could not work together with OP-TEE, right? > > > > > > > > > > > > To be honest, I'm not completely sure what EHF does. From OP-TEE > > > > > > point of view we expect to receive the non-secure interrupts as a > > > > > > way of doing a controlled exit. This allows OP-TEE to resume > > > > > > execution with a different core on re-entry. If EL3 takes the > > > > > > non-secure interrupts directly it will have to make sure to only > re-enter > > > > OP-TEE on this core as a return from exception. > > > > > > > > > > Is this easy to be achieved? > > > > > > > > I don't know, it depends on what you intend to do with this non-secure > > > > interrupt. If it's handled at EL3 and then there's a return from exception > back > > > > to S-EL1 there's likely no harm done. But if there's a world switch > involved > > > > there might be trouble, OP-TEE might not be in a suitable state for a > world > > > > switch. > > > > > > > > > > > > > > Or by using opteed_sel1_interrupt_handler, could we have similar > > > > > behavior to allow the other core resume execution? > > > > > > > > Only OP-TEE itself can make a controlled exit as there's an internal state > to > > > > maintain. Currently that's signalled with a non-secure interrupt. > > > > > > > > > Per EHF, > https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Ftrustedfi… > andling.html?highlight=Exception%20Handling%20Framework > > > On GICv3 systems, when executing in S-EL1, pending Non-secure > interrupts of > > > sufficient priority are signalled as FIQs, and therefore will be routed to > EL3. > > > As a result, S-EL1 software cannot expect to handle Non-secure interrupts > at S-EL1. > > > Essentially, this deprecates the routing mode described as CSS=0, TEL3=0. > > > > > > In order for S-EL1 software to handle Non-secure interrupts while having > EHF enabled, > > > the dispatcher must adopt a model where Non-secure interrupts are > received at EL3, > > > but are then synchronously handled over to S-EL1. > > > > > > The issue to me here how to synchronously handled over to S-EL1 and not > break optee. > > > > I understand. OP-TEE is masking interrupts in some critical sections, > > while in such a state OP-TEE cannot handle any asynchronous interrupt. > > Temporarily masking interrupts is normally a quick operation so we do > > it in quite a few places. > > So the crux of the problem is to make sure that OP-TEE is in a state > > where it can make a controlled exit. I don't have any good ideas for > > this right now. > > > > Cheers, > > Jens > > > > -- > > TF-A mailing list > > TF-A(a)lists.trustedfirmware.org > > https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.tru…

4 years, 2 months

1
0
0 0

Re: [TF-A] Proposal: TF-A to adopt hand-off blocks (HOBs) for information passing between boot stages

by Julius Werner

Just want to point out that TF-A currently already supports a (very simple) mechanism like this: https://review.trustedfirmware.org/plugins/gitiles/TF-A/trusted-firmware-a/… https://review.trustedfirmware.org/plugins/gitiles/TF-A/trusted-firmware-a/… https://review.trustedfirmware.org/plugins/gitiles/TF-A/trusted-firmware-a/… It's just a linked list of tagged elements. The tag space is split into TF-A-wide generic tags and SiP-specific tags (with plenty of room to spare if more areas need to be defined -- a 64-bit tag can fit a lot). This is currently being used by some platforms that run coreboot in place of BL1/BL2, to pass information from coreboot (BL2) to BL31. I would echo Simon's sentiment of keeping this as simple as possible and avoiding complicated and bloated data structures with UUIDs. You usually want to parse something like this as early as possible in the passed-to firmware stage, particularly if the structure encodes information about the debug console (like it does for the platforms I mentioned above). For example, in BL31 this basically means doing it right after moving from assembly to C in bl31_early_platform_setup2() to get the console up before running anything else. At that point in the BL31 initialization, the MMU and caches are disabled, so data accesses are pretty expensive and you don't want to spend a lot of parsing effort or calculate complicated checksums or the like. You just want something extremely simple where you ideally have to touch every data word only once. On Wed, Mar 24, 2021 at 5:06 PM Simon Glass via TF-A < tf-a(a)lists.trustedfirmware.org> wrote: > Hi Harb, > > On Wed, 24 Mar 2021 at 11:39, Harb Abdulhamid OS < > abdulhamid(a)os.amperecomputing.com> wrote: > >> Hello Folks, >> >> Appreciate the feedback and replies on this. Glad to see that there is >> interest in this topic. 😊 >> >> >> >> I try to address the comments/feedback from Francois and Simon below…. >> >> >> >> @François Ozog <francois.ozog(a)linaro.org> – happy to discuss this on a >> zoom call. I will make that time slot work, and will be available to >> attend April 8, 4pm CT. >> >> >> >> Note that I’m using the term “HOB” here more generically, as there are >> typically vendor specific structures beyond the resource descriptor HOB, >> which provides only a small subset of the information that needs to be >> passed between the boot phases. >> >> >> >> The whole point here is to provide mechanism to develop firmware that we >> can build ARM Server SoC’s that support **any** BL33 payload (e.g. EDK2, >> AptioV, CoreBoot, and maybe even directly boot strapping LinuxBoot at some >> point). In other-words, we are trying to come up with a TF-A that would >> be completely agnostic to the implementation of BL33 (i.e. BL33 is built >> completely independently by a separate entity – e.g. an ODM/OEM). >> >> >> >> Keep in mind, in the server/datacenter market segment we are not building >> vertically integrated systems with a single entity compiling >> firmware/software stacks like most folks in TF-A have become use to. There >> are two categories of higher level firmware code blobs in the >> server/datacenter model: >> >> 1. “SoC” or “silicon” firmware – in TF-A this may map to BL1, BL2, >> BL31, and **possibly** one or more BL32 instances >> 2. “Platform” or “board” firmware – in TF-A this may map to BL33 and * >> *possibly** one or more BL32 instances. >> >> >> >> Even the platform firmware stack could be further fragmented by having >> multiple entities involved in delivering the entire firmware stack: IBVs, >> ODMs, OEMs, CSPs, and possibly even device vendor code. >> >> >> >> To support a broad range of platform designs with a broad range of memory >> devices, we need a crisp and clear contract between the SoC firmware that >> initializes memory (e.g. BL2) and how that platform boot firmware (e.g. >> BL33) gathers information about what memory that was initialized, at what >> speeds, NUMA topology, and many other relevant information that needs to be >> known and comprehended by the platform firmware and eventually by the >> platform software. >> >> >> >> I understand the versatility of DT, but I see two major problems with DT: >> >> - DT requires more complicated parsing to get properties, and even >> more complex to dynamically set properties – this HOB structures may need >> to be generated in boot phases where DDR is not available, and therefore we >> will be extremely memory constrained. >> - DT is probably overkill for this purpose – We really just want a >> list of pointers to simple C structures that code cast (e.g. JEDEC SPD data >> blob) >> >> >> >> I think that we should not mix the efforts around DT/ACPI specs with what >> we are doing here, because those specs and concepts were developed for a >> completely different purpose (i.e. abstractions needed for OS / RTOS >> software, and not necessarily suitable for firmware-to-firmware hand-offs). >> >> >> >> Frankly, I would personally push back pretty hard on defining SMC’s for >> something that should be one way information passing. Every SMC we add is >> another attack vector to the secure world and an increased burden on the >> folks that have to do security auditing and threat analysis. I see no >> benefit in exposing these boot/HOB/BOB structures at run-time via SMC >> calls. >> >> >> >> Please do let me know if you disagree and why. Look forward to >> discussing on this thread or on the call. >> >> >> >> @Simon Glass <sjg(a)chromium.org> - Thanks for the pointer to >> bloblist. I briefly reviewed and it seems like a good baseline for what >> we may be looking for. >> >> >> >> That being said, I would say that there is some benefit in having some >> kind of unique identifiers (e.g. UUID or some unique signature) so that we >> can tie standardized data structures (based on some future TBD specs) to a >> particular ID. For example, if the TPM driver in BL33 is looking for the >> TPM structure in the HOB/BOB list, and may not care about the other data >> blobs. The driver needs a way to identify and locate the blob it cares >> about. >> > > The tag is intended to serve that purpose, although perhaps it should > switch from an auto-allocating enum to one with explicit values for each > entry and a range for 'local' use. > >> >> >> I guess we can achieve this with the tag, but the problem with tag when >> you have eco-system with a lot of parties doing parallel development, you >> can end up with tag collisions and folks fighting about who has rights to >> what tag values. We would need some official process for folks to register >> tags for whatever new structures we define, or maybe some tag range for >> vendor specific structures. This comes with a lot of pain and >> bureaucracy. On the other hand, UUID has been a proven way to make it easy >> to just define your own blobs with **either** standard or vendor >> specific structures without worry of ID collisions between vendors. >> > > True. I think the pain is overstated, though. In this case I think we > actually want something that can be shared between projects and orgs, so > some amount of coordination could be considered a benefit. It could just be > a github pull request. I find the UUID unfriendly and not just to code size > and eyesight! Trying to discover what GUIDs mean or are valid is quite > tricky. E.g. see this code: > > #define FSP_HOB_RESOURCE_OWNER_TSEG_GUID \ > EFI_GUID(0xd038747c, 0xd00c, 0x4980, \ > 0xb3, 0x19, 0x49, 0x01, 0x99, 0xa4, 0x7d, 0x55) > (etc.) > > static struct guid_name { > efi_guid_t guid; > const char *name; > } guid_name[] = { > { FSP_HOB_RESOURCE_OWNER_TSEG_GUID, "TSEG" }, > { FSP_HOB_RESOURCE_OWNER_FSP_GUID, "FSP" }, > { FSP_HOB_RESOURCE_OWNER_SMM_PEI_SMRAM_GUID, "SMM PEI SMRAM" }, > { FSP_NON_VOLATILE_STORAGE_HOB_GUID, "NVS" }, > { FSP_VARIABLE_NV_DATA_HOB_GUID, "Variable NVS" }, > { FSP_GRAPHICS_INFO_HOB_GUID, "Graphics info" }, > { FSP_HOB_RESOURCE_OWNER_PCD_DATABASE_GUID1, "PCD database ea" }, > { FSP_HOB_RESOURCE_OWNER_PCD_DATABASE_GUID2, "PCD database 9b" }, > (never figured out what those two are) > > { FSP_HOB_RESOURCE_OWNER_PEIM_DXE_GUID, "PEIM Init DXE" }, > { FSP_HOB_RESOURCE_OWNER_ALLOC_STACK_GUID, "Alloc stack" }, > { FSP_HOB_RESOURCE_OWNER_SMBIOS_MEMORY_GUID, "SMBIOS memory" }, > { {}, "zero-guid" }, > {} > }; > > static const char *guid_to_name(const efi_guid_t *guid) > { > struct guid_name *entry; > > for (entry = guid_name; entry->name; entry++) { > if (!guidcmp(guid, &entry->guid)) > return entry->name; > } > > return NULL; > } > > Believe it or not it took a fair bit of effort to find just that small > list, with nearly every one in a separate doc, from memory. > > >> >> We can probably debate whether there is any value in GUID/UUID or not >> during the call… but again, boblist seems like a reasonable starting point >> as an alternative to HOB. >> > > Indeed. There is certainly value in both approaches. > > Regards, > Simon > > >> >> >> Thanks, >> >> --Harb >> >> >> >> *From:* François Ozog <francois.ozog(a)linaro.org> >> *Sent:* Tuesday, March 23, 2021 10:00 AM >> *To:* François Ozog <francois.ozog(a)linaro.org>; Ron Minnich < >> rminnich(a)google.com>; Paul Isaac's <paul.isaacs(a)linaro.org> >> *Cc:* Simon Glass <sjg(a)chromium.org>; Harb Abdulhamid OS < >> abdulhamid(a)os.amperecomputing.com>; Boot Architecture Mailman List < >> boot-architecture(a)lists.linaro.org>; tf-a(a)lists.trustedfirmware.org >> *Subject:* Re: [TF-A] Proposal: TF-A to adopt hand-off blocks (HOBs) for >> information passing between boot stages >> >> >> >> +Ron Minnich <rminnich(a)google.com> +Paul Isaac's <paul.isaacs(a)linaro.org> >> >> >> >> >> Adding Ron and Paul because I think this interface should be also >> benefiting LinuxBoot efforts. >> >> >> >> On Tue, 23 Mar 2021 at 11:17, François Ozog via TF-A < >> tf-a(a)lists.trustedfirmware.org> wrote: >> >> Hi, >> >> >> >> I propose we cover the topic at the next Trusted Substrate >> <https://collaborate.linaro.org/display/TS/Trusted+Substrate+Home> zoom >> call <https://linaro-org.zoom.us/j/94563644892> on April 8th 4pm CET. >> >> >> >> The agenda: >> >> ABI between non-secure firmware and the rest of firmware (EL3, S-EL1, >> S-EL2, SCP) to adapt hardware description to some runtime conditions. >> >> runtime conditions here relates to DRAM size and topology detection, >> secure DRAM memory carvings, PSCI and SCMI interface publishing. >> >> >> >> For additional background on existing metadata: UEFI Platform >> Initialization Specification Version 1.7 >> <https://uefi.org/sites/default/files/resources/PI_Spec_1_7_final_Jan_2019.p…> >> , 5.5 Resource Descriptor HOB >> >> Out of the ResourceType we care about is EFI_RESOURCE_SYSTEM_MEMORY. >> >> This HOB lacks memory NUMA attachment or something that could be related >> to fill SRAT table for ACPI or relevant DT proximity domains. >> >> HOB is not consistent accros platforms: some platforms (Arm) lists memory >> from the booting NUMA node, other platforms (x86) lists all memory from all >> NUMA nodes. (At least this is the case on the two platforms I tested). >> >> >> >> There are two proposals to use memory structures from SPL/BLx up to the >> handover function (as defined in the Device Tree technical report >> <https://docs.google.com/document/d/1CLkhLRaz_zcCq44DLGmPZQFPbYHOC6nzPowaL0X…>) >> which can be U-boot (BL33 or just U-Boot in case of SPL/U-Boot scheme) or >> EDK2. >> >> I would propose we also discuss possibility of FF-A interface to actually >> query information or request actions to be done (this is a model actually >> used in some SoCs with proprietary SMC calls). >> >> >> >> Requirements (to be validated): >> >> - ACPI and DT hardware descriptions. >> >> - agnostic to boot framework (SPL/U-Boot, TF-A/U-Boot, TF-A/EDK2) >> >> - agnostic to boot framework (SPL/U-Boot, TF-A/U-Boot, TF-A/EDK2, >> TF-A/LinuxBoot) >> >> - at least allows complete DRAM description and "persistent" usage >> (reserved areas for secure world or other usages) >> >> - support secure world device assignment >> >> >> >> Cheers >> >> >> >> FF >> >> >> >> >> >> On Mon, 22 Mar 2021 at 19:56, Simon Glass <sjg(a)chromium.org> wrote: >> >> Hi, >> >> Can I suggest using bloblist for this instead? It is lightweight, >> easier to parse, doesn't have GUIDs and is already used within U-Boot >> for passing info between SPL/U-Boot, etc. >> >> Docs here: >> https://github.com/u-boot/u-boot/blob/master/doc/README.bloblist >> Header file describes the format: >> https://github.com/u-boot/u-boot/blob/master/include/bloblist.h >> >> Full set of unit tests: >> https://github.com/u-boot/u-boot/blob/master/test/bloblist.c >> >> Regards, >> Simon >> >> On Mon, 22 Mar 2021 at 23:58, François Ozog <francois.ozog(a)linaro.org> >> wrote: >> > >> > +Boot Architecture Mailman List <boot-architecture(a)lists.linaro.org> >> > >> > standardization is very much welcomed here and need to accommodate a >> very >> > diverse set of situations. >> > For example, TEE OS may need to pass memory reservations to BL33 or >> > "capture" a device for the secure world. >> > >> > I have observed a number of architectures: >> > 1) pass information from BLx to BLy in the form of a specific object >> > 2) BLx called by BLy by a platform specific SMC to get information >> > 3) BLx called by BLy by a platform specific SMC to perform Device Tree >> > fixups >> > >> > I also imagined a standardized "broadcast" FF-A call so that any >> firmware >> > element can either provide information or "do something". >> > >> > My understanding of your proposal is about standardizing on >> architecture 1) >> > with the HOB format. >> > >> > The advantage of the HOB is simplicity but it may be difficult to >> implement >> > schemes such as pruning a DT because device assignment in the secure >> world. >> > >> > In any case, it looks feasible to have TF-A and OP-TEE complement the >> list >> > of HOBs to pass information downstream (the bootflow). >> > >> > It would be good to start with building the comprehensive list of >> > information that need to be conveyed between firmware elements: >> > >> > information. | authoritative entity | reporting entity | information >> > exchanged: >> > dram | TFA | TFA | >> > <format to be detailed, NUMA topology to build the SRAT table or DT >> > equivalent?> >> > PSCI | SCP | TFA? | >> > SCMI | SCP or TEE-OS | TFA? TEE-OS?| >> > secure SRAM | TFA. | TFA. | >> > secure DRAM | TFA? TEE-OS? | TFA? TEE-OS? | >> > other? | | >> > | >> > >> > Cheers >> > >> > FF >> > >> > >> > On Mon, 22 Mar 2021 at 09:34, Harb Abdulhamid OS via TF-A < >> > tf-a(a)lists.trustedfirmware.org> wrote: >> > >> > > Hello Folks, >> > > >> > > >> > > >> > > I'm emailing to start an open discussion about the adoption of a >> concept >> > > known as "hand-off blocks" or HOB to become a part of the TF-A >> Firmware >> > > Framework Architecture (FFA). This is something that is a pretty >> major >> > > pain point when it comes to the adoption of TF-A in ARM Server SoC’s >> > > designed to enable a broad range of highly configurable datacenter >> > > platforms. >> > > >> > > >> > > >> > > >> > > >> > > What is a HOB (Background)? >> > > >> > > --------------------------- >> > > >> > > UEFI PI spec describes a particular definition for how HOB may be >> used for >> > > transitioning between the PEI and DXE boot phases, which is a good >> > > reference point for this discussion, but not necessarily the exact >> solution >> > > appropriate for TF-A. >> > > >> > > >> > > >> > > A HOB is simply a dynamically generated data structure passed in >> between >> > > two boot phases. This is information that was obtained through >> discovery >> > > and needs to be passed forward to the next boot phase *once*, with no >> API >> > > needed to call back (e.g. no call back into previous firmware phase is >> > > needed to fetch this information at run-time - it is simply passed >> one time >> > > during boot). >> > > >> > > >> > > >> > > There may be one or more HOBs passed in between boot phases. If >> there are >> > > more than one HOB that needs to be passed, this can be in a form of a >> "HOB >> > > table", which (for example) could be a UUID indexed array of pointers >> to >> > > HOB structures, used to locate a HOB of interest (based on UUID). In >> such >> > > cases, instead of passing a single HOB, the boot phases may rely on >> passing >> > > the pointer to the HOB table. >> > > >> > > >> > > >> > > This has been extremely useful concept to employ on highly >> configurable >> > > systems that must rely on flexible discovery mechanisms to initialize >> and >> > > boot the system. This is especially helpful when you have multiple >> > > >> > > >> > > >> > > >> > > >> > > Why do we need HOBs in TF-A?: >> > > >> > > ----------------------------- >> > > >> > > It is desirable that EL3 firmware (e.g. TF-A) built for ARM Server >> SoC in >> > > a way that is SoC specific *but* platform agnostic. This means that a >> > > single ARM SoC that a SiP may deliver to customers may provide a >> single >> > > TF-A binary (e.g. BL1, BL2, BL31) that could be used to support a >> broad >> > > range of platform designs and configurations in order to boot a >> platform >> > > specific firmware (e.g. BL33 and possibly even BL32 code). In order >> to >> > > achieve this, the platform configuration must be *discovered* instead >> of >> > > statically compiled as it is today in TF-A via device tree based >> > > enumeration. The mechanisms of discovery may differ broadly >> depending on >> > > the relevant industry standard, or in some cases may have rely on SiP >> > > specific discovery flows. >> > > >> > > >> > > >> > > For example: On server systems that support a broad range DIMM memory >> > > population/topologies, all the necessary information required to boot >> is >> > > fully discovered via standard JEDEC Serial Presence Detect (SPD) over >> an >> > > I2C bus. Leveraging the SPD bus, may platform variants could be >> supported >> > > with a single TF-A binary. Not only is this information required to >> > > initialize memory in early boot phases (e.g. BL2), the subsequent boot >> > > phases will also need this SPD info to construct a system physical >> address >> > > map and properly initialize the MMU based on the memory present, and >> where >> > > the memory may be present. Subsequent boot phases (e.g. BL33 / UEFI) >> may >> > > need to generate standard firmware tables to the operating systems, >> such as >> > > SMBIOS tables describing DIMM topology and various ACPI tables (e.g. >> SLIT, >> > > SRAT, even NFIT if NVDIMM's are present). >> > > >> > > >> > > >> > > In short, it all starts with a standardized or vendor specific >> discovery >> > > flow in an early boot stage (e.g. BL1/BL2), followed by the passing of >> > > information to the next boot stages (e.g. BL31/BL32/BL33). >> > > >> > > >> > > >> > > Today, every HOB may be a vendor specific structure, but in the future >> > > there may be benefit of defining standard HOBs. This may be useful >> for >> > > memory discovery, passing the system physical address map, enabling >> TPM >> > > measured boot, and potentially many other common HOB use-cases. >> > > >> > > >> > > >> > > It would be extremely beneficial to the datacenter market segment if >> the >> > > TF-A community would adopt this concept of information passing >> between all >> > > boot phases as opposed to rely solely on device tree enumeration. >> This is >> > > not intended to replace device tree, rather intended as an >> alternative way >> > > to describe the info that must be discovered and dynamically >> generated. >> > > >> > > >> > > >> > > >> > > >> > > Conclusion: >> > > >> > > ----------- >> > > >> > > We are proposing that the TF-A community begin pursuing the adoption >> of >> > > HOBs as a mechanism used for information exchange between each boot >> stage >> > > (e.g. BL1->BL2, BL2->BL31, BL31->BL32, and BL31->BL33)? Longer term >> we >> > > want to explore standardizing some HOB structures for the BL33 phase >> (e.g. >> > > UEFI HOB structures), but initially would like to agree on this being >> a >> > > useful mechanism used to pass information between each boot stage. >> > > >> > > >> > > >> > > Thanks, >> > > >> > > --Harb >> > > >> > > >> > > >> > > >> > > >> > > >> > > -- >> > > TF-A mailing list >> > > TF-A(a)lists.trustedfirmware.org >> > > https://lists.trustedfirmware.org/mailman/listinfo/tf-a >> > > >> > >> > >> > -- >> > François-Frédéric Ozog | *Director Linaro Edge & Fog Computing Group* >> > T: +33.67221.6485 >> > francois.ozog(a)linaro.org | Skype: ffozog >> > _______________________________________________ >> > boot-architecture mailing list >> > boot-architecture(a)lists.linaro.org >> > https://lists.linaro.org/mailman/listinfo/boot-architecture >> >> >> >> >> -- >> >> *François-Frédéric Ozog* | *Director Linaro Edge & Fog Computing Group* >> >> T: +33.67221.6485 >> francois.ozog(a)linaro.org | Skype: ffozog >> >> >> >> -- >> TF-A mailing list >> TF-A(a)lists.trustedfirmware.org >> https://lists.trustedfirmware.org/mailman/listinfo/tf-a >> >> >> >> >> -- >> >> *François-Frédéric Ozog* | *Director Linaro Edge & Fog Computing Group* >> >> T: +33.67221.6485 >> francois.ozog(a)linaro.org | Skype: ffozog >> >> >> > -- > TF-A mailing list > TF-A(a)lists.trustedfirmware.org > https://lists.trustedfirmware.org/mailman/listinfo/tf-a >

4 years, 2 months

1
0
0 0

Re: [TF-A] Proposal: TF-A to adopt hand-off blocks (HOBs) for information passing between boot stages

by François Ozog

+Ron Minnich <rminnich(a)google.com> +Paul Isaac's <paul.isaacs(a)linaro.org> Adding Ron and Paul because I think this interface should be also benefiting LinuxBoot efforts. On Tue, 23 Mar 2021 at 11:17, François Ozog via TF-A < tf-a(a)lists.trustedfirmware.org> wrote: > Hi, > > I propose we cover the topic at the next Trusted Substrate > <https://collaborate.linaro.org/display/TS/Trusted+Substrate+Home> zoom > call <https://linaro-org.zoom.us/j/94563644892> on April 8th 4pm CET. > > The agenda: > ABI between non-secure firmware and the rest of firmware (EL3, S-EL1, > S-EL2, SCP) to adapt hardware description to some runtime conditions. > runtime conditions here relates to DRAM size and topology detection, > secure DRAM memory carvings, PSCI and SCMI interface publishing. > > For additional background on existing metadata: UEFI Platform > Initialization Specification Version 1.7 > <https://uefi.org/sites/default/files/resources/PI_Spec_1_7_final_Jan_2019.p…> > , 5.5 Resource Descriptor HOB > Out of the ResourceType we care about is EFI_RESOURCE_SYSTEM_MEMORY. > This HOB lacks memory NUMA attachment or something that could be related > to fill SRAT table for ACPI or relevant DT proximity domains. > HOB is not consistent accros platforms: some platforms (Arm) lists memory > from the booting NUMA node, other platforms (x86) lists all memory from all > NUMA nodes. (At least this is the case on the two platforms I tested). > > There are two proposals to use memory structures from SPL/BLx up to the > handover function (as defined in the Device Tree technical report > <https://docs.google.com/document/d/1CLkhLRaz_zcCq44DLGmPZQFPbYHOC6nzPowaL0X…>) > which can be U-boot (BL33 or just U-Boot in case of SPL/U-Boot scheme) or > EDK2. > I would propose we also discuss possibility of FF-A interface to actually > query information or request actions to be done (this is a model actually > used in some SoCs with proprietary SMC calls). > > Requirements (to be validated): > - ACPI and DT hardware descriptions. > - agnostic to boot framework (SPL/U-Boot, TF-A/U-Boot, TF-A/EDK2) > - agnostic to boot framework (SPL/U-Boot, TF-A/U-Boot, TF-A/EDK2, TF-A/LinuxBoot) > - at least allows complete DRAM description and "persistent" usage > (reserved areas for secure world or other usages) > - support secure world device assignment > > Cheers > > FF > > > On Mon, 22 Mar 2021 at 19:56, Simon Glass <sjg(a)chromium.org> wrote: > >> Hi, >> >> Can I suggest using bloblist for this instead? It is lightweight, >> easier to parse, doesn't have GUIDs and is already used within U-Boot >> for passing info between SPL/U-Boot, etc. >> >> Docs here: >> https://github.com/u-boot/u-boot/blob/master/doc/README.bloblist >> Header file describes the format: >> https://github.com/u-boot/u-boot/blob/master/include/bloblist.h >> >> Full set of unit tests: >> https://github.com/u-boot/u-boot/blob/master/test/bloblist.c >> >> Regards, >> Simon >> >> On Mon, 22 Mar 2021 at 23:58, François Ozog <francois.ozog(a)linaro.org> >> wrote: >> > >> > +Boot Architecture Mailman List <boot-architecture(a)lists.linaro.org> >> > >> > standardization is very much welcomed here and need to accommodate a >> very >> > diverse set of situations. >> > For example, TEE OS may need to pass memory reservations to BL33 or >> > "capture" a device for the secure world. >> > >> > I have observed a number of architectures: >> > 1) pass information from BLx to BLy in the form of a specific object >> > 2) BLx called by BLy by a platform specific SMC to get information >> > 3) BLx called by BLy by a platform specific SMC to perform Device Tree >> > fixups >> > >> > I also imagined a standardized "broadcast" FF-A call so that any >> firmware >> > element can either provide information or "do something". >> > >> > My understanding of your proposal is about standardizing on >> architecture 1) >> > with the HOB format. >> > >> > The advantage of the HOB is simplicity but it may be difficult to >> implement >> > schemes such as pruning a DT because device assignment in the secure >> world. >> > >> > In any case, it looks feasible to have TF-A and OP-TEE complement the >> list >> > of HOBs to pass information downstream (the bootflow). >> > >> > It would be good to start with building the comprehensive list of >> > information that need to be conveyed between firmware elements: >> > >> > information. | authoritative entity | reporting entity | information >> > exchanged: >> > dram | TFA | TFA | >> > <format to be detailed, NUMA topology to build the SRAT table or DT >> > equivalent?> >> > PSCI | SCP | TFA? | >> > SCMI | SCP or TEE-OS | TFA? TEE-OS?| >> > secure SRAM | TFA. | TFA. | >> > secure DRAM | TFA? TEE-OS? | TFA? TEE-OS? | >> > other? | | >> > | >> > >> > Cheers >> > >> > FF >> > >> > >> > On Mon, 22 Mar 2021 at 09:34, Harb Abdulhamid OS via TF-A < >> > tf-a(a)lists.trustedfirmware.org> wrote: >> > >> > > Hello Folks, >> > > >> > > >> > > >> > > I'm emailing to start an open discussion about the adoption of a >> concept >> > > known as "hand-off blocks" or HOB to become a part of the TF-A >> Firmware >> > > Framework Architecture (FFA). This is something that is a pretty >> major >> > > pain point when it comes to the adoption of TF-A in ARM Server SoC’s >> > > designed to enable a broad range of highly configurable datacenter >> > > platforms. >> > > >> > > >> > > >> > > >> > > >> > > What is a HOB (Background)? >> > > >> > > --------------------------- >> > > >> > > UEFI PI spec describes a particular definition for how HOB may be >> used for >> > > transitioning between the PEI and DXE boot phases, which is a good >> > > reference point for this discussion, but not necessarily the exact >> solution >> > > appropriate for TF-A. >> > > >> > > >> > > >> > > A HOB is simply a dynamically generated data structure passed in >> between >> > > two boot phases. This is information that was obtained through >> discovery >> > > and needs to be passed forward to the next boot phase *once*, with no >> API >> > > needed to call back (e.g. no call back into previous firmware phase is >> > > needed to fetch this information at run-time - it is simply passed >> one time >> > > during boot). >> > > >> > > >> > > >> > > There may be one or more HOBs passed in between boot phases. If >> there are >> > > more than one HOB that needs to be passed, this can be in a form of a >> "HOB >> > > table", which (for example) could be a UUID indexed array of pointers >> to >> > > HOB structures, used to locate a HOB of interest (based on UUID). In >> such >> > > cases, instead of passing a single HOB, the boot phases may rely on >> passing >> > > the pointer to the HOB table. >> > > >> > > >> > > >> > > This has been extremely useful concept to employ on highly >> configurable >> > > systems that must rely on flexible discovery mechanisms to initialize >> and >> > > boot the system. This is especially helpful when you have multiple >> > > >> > > >> > > >> > > >> > > >> > > Why do we need HOBs in TF-A?: >> > > >> > > ----------------------------- >> > > >> > > It is desirable that EL3 firmware (e.g. TF-A) built for ARM Server >> SoC in >> > > a way that is SoC specific *but* platform agnostic. This means that a >> > > single ARM SoC that a SiP may deliver to customers may provide a >> single >> > > TF-A binary (e.g. BL1, BL2, BL31) that could be used to support a >> broad >> > > range of platform designs and configurations in order to boot a >> platform >> > > specific firmware (e.g. BL33 and possibly even BL32 code). In order >> to >> > > achieve this, the platform configuration must be *discovered* instead >> of >> > > statically compiled as it is today in TF-A via device tree based >> > > enumeration. The mechanisms of discovery may differ broadly >> depending on >> > > the relevant industry standard, or in some cases may have rely on SiP >> > > specific discovery flows. >> > > >> > > >> > > >> > > For example: On server systems that support a broad range DIMM memory >> > > population/topologies, all the necessary information required to boot >> is >> > > fully discovered via standard JEDEC Serial Presence Detect (SPD) over >> an >> > > I2C bus. Leveraging the SPD bus, may platform variants could be >> supported >> > > with a single TF-A binary. Not only is this information required to >> > > initialize memory in early boot phases (e.g. BL2), the subsequent boot >> > > phases will also need this SPD info to construct a system physical >> address >> > > map and properly initialize the MMU based on the memory present, and >> where >> > > the memory may be present. Subsequent boot phases (e.g. BL33 / UEFI) >> may >> > > need to generate standard firmware tables to the operating systems, >> such as >> > > SMBIOS tables describing DIMM topology and various ACPI tables (e.g. >> SLIT, >> > > SRAT, even NFIT if NVDIMM's are present). >> > > >> > > >> > > >> > > In short, it all starts with a standardized or vendor specific >> discovery >> > > flow in an early boot stage (e.g. BL1/BL2), followed by the passing of >> > > information to the next boot stages (e.g. BL31/BL32/BL33). >> > > >> > > >> > > >> > > Today, every HOB may be a vendor specific structure, but in the future >> > > there may be benefit of defining standard HOBs. This may be useful >> for >> > > memory discovery, passing the system physical address map, enabling >> TPM >> > > measured boot, and potentially many other common HOB use-cases. >> > > >> > > >> > > >> > > It would be extremely beneficial to the datacenter market segment if >> the >> > > TF-A community would adopt this concept of information passing >> between all >> > > boot phases as opposed to rely solely on device tree enumeration. >> This is >> > > not intended to replace device tree, rather intended as an >> alternative way >> > > to describe the info that must be discovered and dynamically >> generated. >> > > >> > > >> > > >> > > >> > > >> > > Conclusion: >> > > >> > > ----------- >> > > >> > > We are proposing that the TF-A community begin pursuing the adoption >> of >> > > HOBs as a mechanism used for information exchange between each boot >> stage >> > > (e.g. BL1->BL2, BL2->BL31, BL31->BL32, and BL31->BL33)? Longer term >> we >> > > want to explore standardizing some HOB structures for the BL33 phase >> (e.g. >> > > UEFI HOB structures), but initially would like to agree on this being >> a >> > > useful mechanism used to pass information between each boot stage. >> > > >> > > >> > > >> > > Thanks, >> > > >> > > --Harb >> > > >> > > >> > > >> > > >> > > >> > > >> > > -- >> > > TF-A mailing list >> > > TF-A(a)lists.trustedfirmware.org >> > > https://lists.trustedfirmware.org/mailman/listinfo/tf-a >> > > >> > >> > >> > -- >> > François-Frédéric Ozog | *Director Linaro Edge & Fog Computing Group* >> > T: +33.67221.6485 >> > francois.ozog(a)linaro.org | Skype: ffozog >> > _______________________________________________ >> > boot-architecture mailing list >> > boot-architecture(a)lists.linaro.org >> > https://lists.linaro.org/mailman/listinfo/boot-architecture >> > > > -- > François-Frédéric Ozog | *Director Linaro Edge & Fog Computing Group* > T: +33.67221.6485 > francois.ozog(a)linaro.org | Skype: ffozog > > -- > TF-A mailing list > TF-A(a)lists.trustedfirmware.org > https://lists.trustedfirmware.org/mailman/listinfo/tf-a > -- François-Frédéric Ozog | *Director Linaro Edge & Fog Computing Group* T: +33.67221.6485 francois.ozog(a)linaro.org | Skype: ffozog

4 years, 2 months

3
3
0 0

2025

2024

2023

2022

2021

2020

2019

2018

TF-A