- TF-A - lists.trustedfirmware.org

TF-A Tech Forum Agenda @ Thr 22nd April 2021 16:00-1700 BST CANCELLED

by Joanna Farley

Hi Everyone, I am cancelling this weeks TF-A Tech Forum as I don’t have any areas to present/discuss. I would encourage any contributors that wants to present or lead a discussion subject to please let me know as we are always looking for topics of interest to the project community to run sessions on. Cancellations of the calendar invite will come from trustedformware.org. Thanks Joanna

4 years, 9 months

1
0
0 0

Re: [TF-A] zynqmp: How to inform the bl33 about RAM reservation?

by François Ozog

Hi There is a discussion started by Harb from Ampere about standardizing information from secure firmware to BL33: look at HOB in the object. A side aspect of the HOB is: DT shall be used wisely for things that are really static. Dynamic (such as plugged DIMMs) or configurable aspects (secure memory size) should be controllable by a single authoritative entity. On a number of platforms, the definition of secure memory size is "copied" in at least for different independent projects which make it a nightmare for product makers to choose a size for the trusted application they want to onboard. Cheers FF On Tue, 20 Apr 2021 at 07:49, Jan Kiszka via TF-A < tf-a(a)lists.trustedfirmware.org> wrote: > On 20.04.21 02:51, Samuel Holland wrote: > > On 4/19/21 11:11 AM, Jan Kiszka via TF-A wrote: > >> On 19.04.21 17:21, Michal Simek wrote: > >>> On 4/18/21 8:44 PM, Jan Kiszka wrote: > >>>> when SPD or DEBUG is enabled, TF-A is moved to RAM on the zynqmp (as > it > >>>> longer fits into OCM). U-Boot happens to avoid that region, but the > >>>> kernel's DTB has no reservation entry, and Linux will trigger an > >>>> exception when accessing that region during early boot. > >>>> > >>>> Can we improve this - without requiring the user to manually add a > >>>> reservation to the DTB? Should we unconditionally reserve > >>>> 0x1000..0x7ffff in all BL33 DTBs? Or is there a chance to communicate > >>>> that need? Or some way to detect in BL33 whether it is needed? > >>> > >>> Normally this ddr region should be also protected by security IPs that > >>> NS has no access there. > >>> It means in Xilinx flow this can be (and should be) propagated via > >>> device-tree generator to final DTS file that you don't need to touch it > >>> by hand. > >>> I am not aware about any way that NS can query secure world what memory > >>> can be used. And not sure if there is any standard way to do so. > >>> > >> > >> OK, understood. But then, to be safe, shouldn't the upstream "static" > >> default DT contain an exclusion of that region so that it won't get > >> stuck if it is in use? Would block half a meg, but when you have a > >> custom platform that does not need that, you can and will provide your > >> own DT anyway. > > > > Ideally, the static DTS is a description of the hardware only, and not > > of runtime constraints imposed by the firmware. If BL31 needs to reserve > > some memory, it can add that reservation to the DTB at runtime. The > > fdt_add_reserved_memory() function is available for this purpose. For an > > example, see the code used by the rpi4[0] or sun50i_h616[1] platforms. > > > > If you later load a DTB from disk for use by Linux, you will need to > > copy the reserved-memory nodes from the U-Boot DTB to the loaded DTB. > > > > I know the RPi4 model (just had to debug it [3]). But I wonder if that > is possible on the zynqmp as well. Are we passing a DT to BL33 here > already and, thus, could inject that reservation? > > Jan > > > Regards, > > Samuel > > > > [0]: > > > https://git.trustedfirmware.org/TF-A/trusted-firmware-a.git/tree/plat/rpi/r… > > [1]: > > > https://git.trustedfirmware.org/TF-A/trusted-firmware-a.git/tree/plat/allwi… > > > > [3] https://review.trustedfirmware.org/c/TF-A/trusted-firmware-a/+/9316 > -- > TF-A mailing list > TF-A(a)lists.trustedfirmware.org > https://lists.trustedfirmware.org/mailman/listinfo/tf-a > -- François-Frédéric Ozog | *Director Linaro Edge & Fog Computing Group* T: +33.67221.6485 francois.ozog(a)linaro.org | Skype: ffozog

4 years, 9 months

1
0
0 0

Re: [TF-A] [RFC] TF-A threat model

by Varun Wadekar

Hi, This looks promising. Can you also create a list of guidelines resulting from the analysis? We can then roll them up as coding guidelines or design guidelines or to-do for platforms. -Varun From: TF-A <tf-a-bounces(a)lists.trustedfirmware.org> On Behalf Of Zelalem Aweke via TF-A Sent: Friday, April 16, 2021 8:15 AM To: tf-a(a)lists.trustedfirmware.org Subject: [TF-A] [RFC] TF-A threat model External email: Use caution opening links or attachments Hi All, We are releasing the first TF-A threat model document. This release provides the baseline for future updates to be applied as required by developments to the TF-A code base. Please review the document provide comments here: https://review.trustedfirmware.org/c/TF-A/trusted-firmware-a/+/9627<https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Freview.tr…>. Thanks, Zelalem

4 years, 9 months

2
2
0 0

Re: [TF-A] platform g12a: CSSERT: File lib/cpus/aarch64/cpu_helpers.S Line 00035

by Manish Pandey2

Hi, >From git log g12a platform was first introduced in 2019 and never has any further changes, also there is no documentation for this platform, so from platform perspective not sure if you are doing everything right or not ? However, i have some generic comments 1. There is no such macro DISABLE_PEDANTIC 2. Which CPU you have in Odroid-C4 boards(is it Cortext-A55?), You probably need to add cpu lib file in platform.mk file In file plat/amlogic/g12a/platform.mk BL31_SOURCES += lib/cpus/aarch64/cortex_a53.S \ lib/cpus/aarch64/cortex_a55.S thanks Manish ________________________________ From: TF-A <tf-a-bounces(a)lists.trustedfirmware.org> on behalf of Matwey V. Kornilov via TF-A <tf-a(a)lists.trustedfirmware.org> Sent: 19 April 2021 16:47 To: tf-a(a)lists.trustedfirmware.org <tf-a(a)lists.trustedfirmware.org> Subject: [TF-A] platform g12a: CSSERT: File lib/cpus/aarch64/cpu_helpers.S Line 00035 Hello, Sorry, if this is the wrong place to ask. I am trying to run ATF v2.4 for platform g12a on the Odroid-C4 board. I've built ATF as the following make DISABLE_PEDANTIC=1 DEBUG=1 PLAT=g12a Unfortunately, the only thing I see in the console when BL31 is supposed to run is CSSERT: File lib/cpus/aarch64/cpu_helpers.S Line 00035 Is there any chance to figure out what is wrong? -- With best regards, Matwey V. Kornilov -- TF-A mailing list TF-A(a)lists.trustedfirmware.org https://lists.trustedfirmware.org/mailman/listinfo/tf-a

4 years, 9 months

1
0
0 0

zynqmp: How to inform the bl33 about RAM reservation?

by Jan Kiszka

Hi all, when SPD or DEBUG is enabled, TF-A is moved to RAM on the zynqmp (as it longer fits into OCM). U-Boot happens to avoid that region, but the kernel's DTB has no reservation entry, and Linux will trigger an exception when accessing that region during early boot. Can we improve this - without requiring the user to manually add a reservation to the DTB? Should we unconditionally reserve 0x1000..0x7ffff in all BL33 DTBs? Or is there a chance to communicate that need? Or some way to detect in BL33 whether it is needed? Jan

4 years, 9 months

2
2
0 0

platform g12a: CSSERT: File lib/cpus/aarch64/cpu_helpers.S Line 00035

by Matwey V. Kornilov

Hello, Sorry, if this is the wrong place to ask. I am trying to run ATF v2.4 for platform g12a on the Odroid-C4 board. I've built ATF as the following make DISABLE_PEDANTIC=1 DEBUG=1 PLAT=g12a Unfortunately, the only thing I see in the console when BL31 is supposed to run is CSSERT: File lib/cpus/aarch64/cpu_helpers.S Line 00035 Is there any chance to figure out what is wrong? -- With best regards, Matwey V. Kornilov

4 years, 9 months

1
0
0 0

Re: [TF-A] Adoption of Conventional Commits

by Chris Kay

Thanks to all those who attended the Tech Forum today! It’s become apparent that the initial 2 week deadline for alternative proposals or implementations is too short, so – as agreed – we’ll push the deadline for the investigation period to the end of March. This period is dedicated to evaluating the changelog automation proposal made, or to identifying alternative solutions. If you have an alternative proposal, any proof-of-concept tooling would be highly appreciated so we can get a clear idea of what sort of work and maintenance is going to be involved. If you do find a solution you wish to propose, please give it just a short name (e.g. “Update it manually”) and make it obvious you want to propose it formally – I’ll collect up the proposals made on the mailing list thread at the end of March and set up a Wiki poll so we can get a clear picture of where the community wants to take this. Chris From: TF-A <tf-a-bounces(a)lists.trustedfirmware.org> on behalf of Chris Kay via TF-A <tf-a(a)lists.trustedfirmware.org> Reply to: Chris Kay <Chris.Kay(a)arm.com> Date: Thursday, 11 February 2021 at 13:59 To: "tf-a(a)lists.trustedfirmware.org" <tf-a(a)lists.trustedfirmware.org> Subject: [TF-A] Adoption of Conventional Commits Hi all, Recently we had an internal discussion on the merits of introducing semantics to commit messages pushed to the main TF-A repository, the conclusion being that we would look to adopting the Conventional Commits<https://www.conventionalcommits.org/en/v1.0.0/> specification in the near future. There was one major reason for this, which was to help us in automating the changelog in future releases, but it might also help us to dramatically reduce the overall amount of work needed to make a formal release in the future. This requires some buy-in (or buy-out, in this case) from maintainers because - even though it’s to only a relatively minor extent - it does involve an adjustment to everybody’s workflow. Notably, commit messages will be expected to adopt the structure defined by the specification, which will be enforced by the CI. Most commits that go upstream today adhere to “something that looks like Conventional Commits”, so the change is not exactly sweeping, but any change has the potential be an inconvenience. With that in mind, I propose the following: * We collectively adopt the specification, enforced only for @arm.com contributors until such a time that the majority of maintainers are familiar with the new demands * We suggest - in the prerequisites documentation - the installation of two helper tools: * Commitizen<https://github.com/commitizen/cz-cli> * Commitlint<https://github.com/conventional-changelog/commitlint> Installation of these tools will be optional, but I believe they can help with the transition. In the patches currently in review, they are installed as Git hooks automatically upon execution of npm install, so it requires no manual installation or configuration (other than a relatively up-to-date Node.js installation). You’ll find the patches here<https://review.trustedfirmware.org/q/topic:%22ck%252Fconventional-commits%2…>, and specifically the changes to the prerequisites documentation here<https://review.trustedfirmware.org/c/TF-A/trusted-firmware-a/+/8224/1/docs/…>. Feel free to review these changes if you have comments specifically on their implementation. Let me know if you have any questions or concerns. If everybody’s on board, we can look to have this upstreamed shortly. Chris

4 years, 9 months

1
2
0 0

[RFC] TF-A threat model

by Zelalem Aweke

Hi All, We are releasing the first TF-A threat model document. This release provides the baseline for future updates to be applied as required by developments to the TF-A code base. Please review the document provide comments here: https://review.trustedfirmware.org/c/TF-A/trusted-firmware-a/+/9627. Thanks, Zelalem

4 years, 9 months

1
0
0 0

Re: [TF-A] [OCP-OSF] Firmware: Sustainability vs planned obsolescence

by François Ozog

Hi Open System Firmware and Trusted Firmware communities have common interests in driving *some* firmware discussions because upstream projects like EDK2, U-Boot and Linux boot greatly benefit from common approaches regardless of processor architecture and early firmware components. The discussion on passing metadata between early firmware components and from early firmware to EDK2/U-Boot/LinuxBoot is typically such a topic. EDK2 is the only project that has defined metadata in the form of Platform Initialization HOBs (chapter 5 of PI spec). U-Boot and LinuxBoot have platform specific techniques to consume that metadata. Let's make sure that at least there is common solution for those two and hope that the result is enticing enough that EDK2 decide to leverage the result one way or the other. Here is a patched repost of the state of discussion after last Trusted Substrate call: Topics where there seem to be consensus - Scope include diverse firmware flows (U-Boot/SPL, TFA, CoreBoot…) on different architectures (Arm, RiscV) - Definitions: The Hand Over Function is the firmware component that hands off to the booted payload = {OS/Hypervisor/Grub/Shim}. - Hand Over Function can be EDK2, U-Boot or LinuxBoot. - The HOF, through ACPI or DT is responsible to describe what shall be controlled and partly how (some parameters) - *There is information that can only be discovered at runtime by diverse early firmware components and needs to be conveyed through the HOF to the booted payload.* - The proposal is to convey that dynamic information in the form of HandOverBlocks (HOBs - generic idea, not the EDK2 construct) whose format is yet to be defined and built as a linked list of objects. The other proposal to use call backs (mmc calls or equivalent) from HOF to firmware is rejected. In Arm architecture, that choice does not preclude some firmware components to use SCMI calls into SCP to obtain authoritative information. - The firmware components shall not care about what is the actual HOF: the format is standard regardless if HOF is EDK2, U-Boot or LinuxBoot. In TF-A words, the HOBs become part of the input ABI for BL33. In the best world, it should be possible for the platform "buyer" to choose the HOF. Characteristics to consider about HOBs: - HOBs can be built by very early components and must fit into highly constrained SRAM - A HOB may be passed between different firmware components, secure and non-secure. - A HOB can be built by secure and non-secure firmware components - An information can have a single format: no alternative representation is allowed. In other words if the information is passed as a data structure it cannot be represented by a DT fragment by another implementation and conversely. Topics that need more discussion - HOBs need a way to be identified: UUID, ID, hybrid (like Platform Initialization). *My views: the hybrid allows constraints firmware components to be using simple IDs and richer components may want leverage UUIDs (same as Platform Initialization).* - HOB format: binary information; just static structure, flatten device tree fragments/overlays or even CBOR. *My views: again hybrid approach seem very efficient. Static structures for memory information, DT fragment for device assignment (for non-secure partitions or for secure world / secure partitions). Typically I would imagine a UUID HOB with a DT fragment seems just good. This is actually implemented like that with Platform Initialization:* *HOBs are identified by a simple ID, out of IDs are EFI_HOB_RESOURCE_DESCRIPTOR for DRAM description and EFI_HOB_GUID_TYPE that contains something identified by a GUID. There is a GUID used in the context of EDK2 to actually contain a DT fragment today.* *As an open specification that allows extension, there shall be a mandate to publish an open specification of any extension.* On Fri, 16 Apr 2021 at 07:51, François Ozog via TF-A < tf-a(a)lists.trustedfirmware.org> wrote: > +tf.org as the discussion evolved to a topic discussed there. > > Le ven. 16 avr. 2021 à 01:25, Zimmer, Vincent <vincent.zimmer(a)intel.com> > a écrit : > >> >> >> For the wayback machine, the design of HOB’s dates back to early 2000’s. >> >> >> >> >> >> The HOB defin was part of the Intel Framework specs & it was made public >> in 2003 through a click-through, as folks noted. HOBs became part of the >> UEFI Forum Platform Initialization (PI) spec in 2006. Essentially PI 1.0 >> absorbed most of the Framework 0.9x specs (sans datahub, CSM). >> >> from https://link.springer.com/book/10.1007/978-1-4842-0070-4 >> >> >> >> IMHO the biggest bug on the present Type Length Value (TLV)-based HOB >> design entails the “L” of the TLV, namely the 16-bit length limitation on >> the size of a specific HOB. Servers often bump into this limitation today >> given the amount of state discovered in these early initialization flows. >> The use of GUID’s w/o strings is also a usability challenge, I’d agree, >> that any new design can address. >> >> >> >> Going forward >> >> The more recent proposed use of HOB's for the generic payload interface >> https://github.com/universalpayload/documentation launching was more for >> convenience since it's a simple TLV encoded mechanism and there are parsing >> libraries already in the wild. But the use of HOB’s versus DT versus …. >> for the inargs of the payload is definitely open for discussion/change in >> the design. The earlier thread suggestions of CBOR/8949 >> https://www.rfc-editor.org/rfc/rfc8949.html from Francois/Nate is >> interesting. We can update the already open issue on this topic >> https://github.com/universalpayload/documentation/issues/9 with some of >> these thoughts and build upon the sentiments Ron shared earlier on the >> topic. >> >> >> >> And regarding the payload specification >> https://universalpayload.github.io/documentation/ mentioned above, I’m >> happy to present on this design effort in an upcoming OSF meeting, >> including how payloads may relate to the OSF workstream. The payload >> design is intended to be an open process with a code-first workflow that >> doesn’t tie itself to any specific bootloader design, as demonstrated by >> the different bootloaders and payloads ported at >> https://github.com/universalpayload. Although there isn’t a U-Boot >> example ported (I thought I heard mention of U-boot in this thread or >> meeting?), addressing the needs of U-boot and other *boot solutions (e.g., >> oreboot) is definitely part of the design scope intent, too. >> >> >> >> Thanks, >> >> >> >> Vincent >> >> >> >> >> >> -----Original Message----- >> From: OCP-OSF(a)OCP-All.groups.io <OCP-OSF(a)OCP-All.groups.io> On Behalf Of >> ron minnich >> Sent: Thursday, April 15, 2021 3:14 PM >> To: Desimone, Nathaniel L <nathaniel.l.desimone(a)intel.com> >> Cc: OCP-OSF(a)OCP-All.groups.io; Boot Architecture Mailman List < >> boot-architecture(a)lists.linaro.org>; Leif Lindholm <leif(a)nuviainc.com> >> Subject: Re: [OCP-OSF] Firmware: Sustainability vs planned obsolescence >> >> >> >> actually isn't device tree a 1980s design :-) >> >> >> >> anyway, as long as we can hit the things I care so much about, >> >> >> >> self describing >> >> alignment independent >> >> endian independent >> >> names not magic numbers (I mean, you want to put a UUID in there too, >> fine, but I doubt a human-readable string will kill us on space) >> >> >> >> it can be anything you all think best. >> >> >> >> On Thu, Apr 15, 2021 at 2:49 PM Desimone, Nathaniel L < >> nathaniel.l.desimone(a)intel.com> wrote: >> >> > >> >> > On Thu, Apr 15, 2021 at 1:29 -0700, ron minnich wrote: >> >> > >> >> > >I'd rather not take HOB as a given without considering alternatives. >> >> > >It's a very 1990s design. >> >> > >> >> > Device tree is also a very early 90s design for that matter. If we are >> talking about clean slate design, how about something actually new and >> modern like RFC 8949? >> >> > >> >> > From a practical standpoint I don't see HOBs going away very soon but >> I'm open to possibility thinking on a long term basis. >> >> > >> >> > >> >> > >> >> > >> >> >> >> >> >> >> >> >> _._,_._,_ >> ------------------------------ >> Groups.io Links: >> >> You receive all messages sent to this group. >> >> View/Reply Online (#149) >> <https://OCP-All.groups.io/g/OCP-OSF/message/149> | Reply To Group >> <OCP-OSF@OCP-All.groups.io?subject=Re:%20Re%3A%20%5BOCP-OSF%5D%20Firmware%3A%20Sustainability%20vs%20planned%20obsolescence> >> | Reply To Sender >> <vincent.zimmer@intel.com?subject=Private:%20Re:%20Re%3A%20%5BOCP-OSF%5D%20Firmware%3A%20Sustainability%20vs%20planned%20obsolescence> >> | Mute This Topic <https://groups.io/mt/81937262/675475> | New Topic >> <https://OCP-All.groups.io/g/OCP-OSF/post> >> Your Subscription <https://OCP-All.groups.io/g/OCP-OSF/editsub/675475> | Contact >> Group Owner <OCP-OSF+owner(a)OCP-All.groups.io> | Unsubscribe >> <https://OCP-All.groups.io/g/OCP-OSF/leave/10214763/675475/1625423992/xyzzy> >> [francois.ozog(a)linaro.org] >> _._,_._,_ >> >> -- > François-Frédéric Ozog | *Director Linaro Edge & Fog Computing Group* > T: +33.67221.6485 > francois.ozog(a)linaro.org | Skype: ffozog > > -- > TF-A mailing list > TF-A(a)lists.trustedfirmware.org > https://lists.trustedfirmware.org/mailman/listinfo/tf-a > -- François-Frédéric Ozog | *Director Linaro Edge & Fog Computing Group* T: +33.67221.6485 francois.ozog(a)linaro.org | Skype: ffozog

4 years, 9 months

1
0
0 0

Re: [TF-A] Problems building for qemu with SPM (S-EL2) support

by Olivier Deprez

Hi Rebecca, qemu is currently not supported for use with the SPM at S-EL2. The two available options are FVP (https://trustedfirmware-a.readthedocs.io/en/latest/components/secure-partit…) or Total Compute platform (https://gitlab.arm.com/arm-reference-solutions/arm-reference-solutions-docs…) Regards, Olivier. ________________________________________ From: TF-A <tf-a-bounces(a)lists.trustedfirmware.org> on behalf of Rebecca Cran via TF-A <tf-a(a)lists.trustedfirmware.org> Sent: 16 April 2021 00:02 To: tf-a(a)lists.trustedfirmware.org Subject: [TF-A] Problems building for qemu with SPM (S-EL2) support I'm having problems building TF-A with SPM/S-EL2 support. I can build with PLAT=fvp fine, but building with PLAT=qemu results in the error: LD /home/rebecca/src/arm-trusted-firmware/build/qemu/release/bl31/bl31.elf /home/rebecca/gcc-arm-10.2-2020.11-x86_64-aarch64-none-linux-gnu/bin/aarch64-none-linux-gnu-ld: /home/rebecca/src/arm-trusted-firmware/build/qemu/release/bl31/spmd_main.o: in function `spmd_setup': spmd_main.c:(.text.spmd_setup+0x74): undefined reference to `plat_spm_core_manifest_load' spmd_main.c:(.text.spmd_setup+0x74): relocation truncated to fit: R_AARCH64_CALL26 against undefined symbol `plat_spm_core_manifest_load' make: *** [Makefile:1136: /home/rebecca/src/arm-trusted-firmware/build/qemu/release/bl31/bl31.elf] Error 1 The command line I'm using is: make PLAT=qemu DEBUG=0 \ CROSS_COMPILE=~/gcc-arm-10.2-2020.11-x86_64-aarch64-none-linux-gnu/bin/aarch64-none-linux-gnu- \ SPD=spmd CTX_INCLUDE_EL2_REGS=1 BL32=bl32.bin BL33=bl33.bin \ SP_LAYOUT_FILE=sp_layout.json ARM_ARCH_MINOR=4 all fip Adding the following files to BL31_SOURCES in plat/qemu/platform.mk resolves the problem, but I suspect that's not the correct solution? plat/common/plat_spmd_manifest.c common/fdt_wrappers.c -- Rebecca Cran -- TF-A mailing list TF-A(a)lists.trustedfirmware.org https://lists.trustedfirmware.org/mailman/listinfo/tf-a

4 years, 9 months

1
0
0 0

2026

2025

2024

2023

2022

2021

2020

2019

2018

TF-A