From patchwork Tue Sep 16 15:00:12 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Hugues KAMBA MPIANA X-Patchwork-Id: 70362 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id BD5A4CAC599 for ; Tue, 16 Sep 2025 15:00:26 +0000 (UTC) Received: from foss.arm.com (foss.arm.com [217.140.110.172]) by mx.groups.io with SMTP id smtpd.web11.585.1758034821627054562 for ; Tue, 16 Sep 2025 08:00:21 -0700 Authentication-Results: mx.groups.io; dkim=none (message not signed); spf=pass (domain: arm.com, ip: 217.140.110.172, mailfrom: hugues.kambampiana@arm.com) Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id 0BAB62ED2; Tue, 16 Sep 2025 08:00:13 -0700 (PDT) Received: from LXKV206JHX.arm.com (unknown [10.57.80.132]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPSA id A63A73F694; Tue, 16 Sep 2025 08:00:20 -0700 (PDT) From: Hugues KAMBA MPIANA To: meta-arm@lists.yoctoproject.org Cc: Hugues KAMBA MPIANA Subject: [PATCH 3/4] arm-bsp/ts:corstone1000: Remove obsolete patches Date: Tue, 16 Sep 2025 16:00:12 +0100 Message-ID: <20250916150013.30666-4-hugues.kambampiana@arm.com> X-Mailer: git-send-email 2.50.1 In-Reply-To: <20250916150013.30666-1-hugues.kambampiana@arm.com> References: <20250916150013.30666-1-hugues.kambampiana@arm.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 16 Sep 2025 15:00:26 -0000 X-Groupsio-URL: https://lists.yoctoproject.org/g/meta-arm/message/6713 The Corstone-1000 Trusted Services patches removed in this change are no longer required following the upgrade to Trusted Services v1.2.0. Signed-off-by: Hugues KAMBA MPIANA --- ...01-Fix-in-AEAD-for-psa-arch-test-254.patch | 129 ------ .../0002-Fix-psa-api-crypto-test-no-243.patch | 31 -- ...-sizes-compile-time-definitions-user.patch | 40 -- .../0006-Align-PSA-Crypto-with-TF-Mv2.1.patch | 298 ------------ .../0008-se-proxy-protobuf-change.patch | 71 --- ...-FWU-IPC-framework-for-Corstone-1000.patch | 436 ------------------ ...mage-state-in-PSA-FWU-M-update-agent.patch | 188 -------- ...fine-PSA-FWU-image-mapping-structure.patch | 128 ----- ...orm-corstone1000-Enable-ESRT-support.patch | 129 ------ ...n-PSA-Crypto-structs-with-TF-Mv2.1.1.patch | 29 -- 10 files changed, 1479 deletions(-) delete mode 100644 meta-arm-bsp/recipes-security/trusted-services/corstone1000/0001-Fix-in-AEAD-for-psa-arch-test-254.patch delete mode 100644 meta-arm-bsp/recipes-security/trusted-services/corstone1000/0002-Fix-psa-api-crypto-test-no-243.patch delete mode 100644 meta-arm-bsp/recipes-security/trusted-services/corstone1000/0005-Make-RSS-and-MHU-sizes-compile-time-definitions-user.patch delete mode 100644 meta-arm-bsp/recipes-security/trusted-services/corstone1000/0006-Align-PSA-Crypto-with-TF-Mv2.1.patch delete mode 100644 meta-arm-bsp/recipes-security/trusted-services/corstone1000/0008-se-proxy-protobuf-change.patch delete mode 100644 meta-arm-bsp/recipes-security/trusted-services/corstone1000/0010-Integrate-PSA-FWU-IPC-framework-for-Corstone-1000.patch delete mode 100644 meta-arm-bsp/recipes-security/trusted-services/corstone1000/0011-Load-initial-image-state-in-PSA-FWU-M-update-agent.patch delete mode 100644 meta-arm-bsp/recipes-security/trusted-services/corstone1000/0012-Corstone1000-Define-PSA-FWU-image-mapping-structure.patch delete mode 100644 meta-arm-bsp/recipes-security/trusted-services/corstone1000/0015-platform-corstone1000-Enable-ESRT-support.patch delete mode 100644 meta-arm-bsp/recipes-security/trusted-services/corstone1000/0021-Align-PSA-Crypto-structs-with-TF-Mv2.1.1.patch diff --git a/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0001-Fix-in-AEAD-for-psa-arch-test-254.patch b/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0001-Fix-in-AEAD-for-psa-arch-test-254.patch deleted file mode 100644 index a2e72b79..00000000 --- a/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0001-Fix-in-AEAD-for-psa-arch-test-254.patch +++ /dev/null @@ -1,129 +0,0 @@ -From 74a07ccbb4eb573269672a0c1f61b9165a592b44 Mon Sep 17 00:00:00 2001 -From: Satish Kumar -Date: Mon, 14 Feb 2022 08:22:25 +0000 -Subject: [PATCH 02/12] Fix in AEAD for psa-arch test 254 - -PSA crypto test 254 fails at checkpoint 6. -Fix output arguments in various crypto AEAD functions -to match crypto service implementation in TF-M. AEAD API's -in TF-M start expecting output size as an argument. - -Upstream-Status: Submitted [https://review.trustedfirmware.org/c/TS/trusted-services/+/31176] -Signed-off-by: Emekcan Aras -Signed-off-by: Satish Kumar -Signed-off-by: Rui Miguel Silva -Signed-off-by: Harsimran Singh Tungal ---- - .../crypto/client/caller/packed-c/crypto_caller_aead.h | 1 + - components/service/crypto/include/psa/crypto_sizes.h | 2 +- - .../crypto/provider/extension/aead/aead_provider.c | 10 ++++++++-- - .../aead/serializer/aead_provider_serializer.h | 1 + - .../packed-c/packedc_aead_provider_serializer.c | 2 ++ - protocols/service/crypto/packed-c/aead.h | 1 + - 6 files changed, 14 insertions(+), 3 deletions(-) - -diff --git a/components/service/crypto/client/caller/packed-c/crypto_caller_aead.h b/components/service/crypto/client/caller/packed-c/crypto_caller_aead.h -index 417189e87..236d3e258 100644 ---- a/components/service/crypto/client/caller/packed-c/crypto_caller_aead.h -+++ b/components/service/crypto/client/caller/packed-c/crypto_caller_aead.h -@@ -314,6 +314,7 @@ static inline psa_status_t crypto_caller_aead_update(struct service_client *cont - size_t req_len = req_fixed_len; - - *output_length = 0; -+ req_msg.output_size = output_size; - req_msg.op_handle = op_handle; - - /* Mandatory input data parameter */ -diff --git a/components/service/crypto/include/psa/crypto_sizes.h b/components/service/crypto/include/psa/crypto_sizes.h -index 30aa102da..130d27295 100644 ---- a/components/service/crypto/include/psa/crypto_sizes.h -+++ b/components/service/crypto/include/psa/crypto_sizes.h -@@ -351,7 +351,7 @@ - * just the largest size that may be generated by - * #psa_aead_generate_nonce(). - */ --#define PSA_AEAD_NONCE_MAX_SIZE 12 -+#define PSA_AEAD_NONCE_MAX_SIZE 16 - - /** A sufficient output buffer size for psa_aead_update(). - * -diff --git a/components/service/crypto/provider/extension/aead/aead_provider.c b/components/service/crypto/provider/extension/aead/aead_provider.c -index b73d88d32..510cffa34 100644 ---- a/components/service/crypto/provider/extension/aead/aead_provider.c -+++ b/components/service/crypto/provider/extension/aead/aead_provider.c -@@ -283,10 +283,11 @@ static rpc_status_t aead_update_handler(void *context, struct rpc_request *req) - uint32_t op_handle; - const uint8_t *input; - size_t input_len; -+ uint32_t recv_output_size; - - if (serializer) - rpc_status = serializer->deserialize_aead_update_req(req_buf, &op_handle, -- &input, &input_len); -+ &recv_output_size, &input, &input_len); - - if (rpc_status == RPC_SUCCESS) { - -@@ -300,9 +301,14 @@ static rpc_status_t aead_update_handler(void *context, struct rpc_request *req) - if (crypto_context) { - - size_t output_len = 0; -- size_t output_size = PSA_AEAD_UPDATE_OUTPUT_MAX_SIZE(input_len); -+ size_t output_size = PSA_AEAD_UPDATE_OUTPUT_MAX_SIZE(24); -+ /* Always allocate maximum size to be more robust to implementations of psa_aead_update() */ - uint8_t *output = malloc(output_size); - -+ if (recv_output_size < output_size) { -+ output_size = recv_output_size; -+ } -+ - if (output) { - - psa_status = psa_aead_update(&crypto_context->op.aead, -diff --git a/components/service/crypto/provider/extension/aead/serializer/aead_provider_serializer.h b/components/service/crypto/provider/extension/aead/serializer/aead_provider_serializer.h -index be76d2bc6..590973048 100644 ---- a/components/service/crypto/provider/extension/aead/serializer/aead_provider_serializer.h -+++ b/components/service/crypto/provider/extension/aead/serializer/aead_provider_serializer.h -@@ -51,6 +51,7 @@ struct aead_provider_serializer { - /* Operation: aead_update */ - rpc_status_t (*deserialize_aead_update_req)(const struct rpc_buffer *req_buf, - uint32_t *op_handle, -+ uint32_t *output_size, - const uint8_t **input, size_t *input_len); - - rpc_status_t (*serialize_aead_update_resp)(struct rpc_buffer *resp_buf, -diff --git a/components/service/crypto/provider/extension/aead/serializer/packed-c/packedc_aead_provider_serializer.c b/components/service/crypto/provider/extension/aead/serializer/packed-c/packedc_aead_provider_serializer.c -index 8f8c3c7f2..922a7b651 100644 ---- a/components/service/crypto/provider/extension/aead/serializer/packed-c/packedc_aead_provider_serializer.c -+++ b/components/service/crypto/provider/extension/aead/serializer/packed-c/packedc_aead_provider_serializer.c -@@ -192,6 +192,7 @@ static rpc_status_t deserialize_aead_update_ad_req(const struct rpc_buffer *req_ - /* Operation: aead_update */ - static rpc_status_t deserialize_aead_update_req(const struct rpc_buffer *req_buf, - uint32_t *op_handle, -+ uint32_t *output_size, - const uint8_t **input, size_t *input_len) - { - rpc_status_t rpc_status = RPC_ERROR_INVALID_REQUEST_BODY; -@@ -208,6 +209,7 @@ static rpc_status_t deserialize_aead_update_req(const struct rpc_buffer *req_buf - memcpy(&recv_msg, req_buf->data, expected_fixed_len); - - *op_handle = recv_msg.op_handle; -+ *output_size = recv_msg.output_size; - - tlv_const_iterator_begin(&req_iter, - (uint8_t*)req_buf->data + expected_fixed_len, -diff --git a/protocols/service/crypto/packed-c/aead.h b/protocols/service/crypto/packed-c/aead.h -index 0be266b52..435fd3b52 100644 ---- a/protocols/service/crypto/packed-c/aead.h -+++ b/protocols/service/crypto/packed-c/aead.h -@@ -98,6 +98,7 @@ enum - struct __attribute__ ((__packed__)) ts_crypto_aead_update_in - { - uint32_t op_handle; -+ uint32_t output_size; - }; - - /* Variable length input parameter tags */ --- -2.25.1 - diff --git a/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0002-Fix-psa-api-crypto-test-no-243.patch b/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0002-Fix-psa-api-crypto-test-no-243.patch deleted file mode 100644 index 9253d8ec..00000000 --- a/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0002-Fix-psa-api-crypto-test-no-243.patch +++ /dev/null @@ -1,31 +0,0 @@ -From c74d0d62fede8ef0207a909fb4157dbbb4830dc9 Mon Sep 17 00:00:00 2001 -From: Bence Balogh -Date: Wed, 10 Apr 2024 09:17:39 +0200 -Subject: [PATCH 04/12] Fix psa-api-crypto-test no 243 - -Enable MbedTLS ECP DP SECP521R1 ECC algorithm to pass -PSA-API tests's `psa-api-crypto-test` number 243 as it is -required for Corstone-1000. - -Upstream-Status: Submitted [https://review.trustedfirmware.org/c/TS/trusted-services/+/31177/1] -Signed-off-by: Emekcan Aras -Signed-off-by: Harsimran Singh Tungal ---- - platform/providers/arm/corstone1000/platform.cmake | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/platform/providers/arm/corstone1000/platform.cmake b/platform/providers/arm/corstone1000/platform.cmake -index d39b79033..0c7c51b6e 100644 ---- a/platform/providers/arm/corstone1000/platform.cmake -+++ b/platform/providers/arm/corstone1000/platform.cmake -@@ -14,6 +14,7 @@ target_compile_definitions(${TGT} PRIVATE - SMM_VARIABLE_INDEX_STORAGE_UID=0x787 - PLAT_RSE_COMMS_PAYLOAD_MAX_SIZE=0x2080 - COMMS_MHU_MSG_SIZE=0x3500 -+ MBEDTLS_ECP_DP_SECP521R1_ENABLED - ) - - get_property(_platform_driver_dependencies TARGET ${TGT} --- -2.25.1 - diff --git a/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0005-Make-RSS-and-MHU-sizes-compile-time-definitions-user.patch b/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0005-Make-RSS-and-MHU-sizes-compile-time-definitions-user.patch deleted file mode 100644 index 90dadc6c..00000000 --- a/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0005-Make-RSS-and-MHU-sizes-compile-time-definitions-user.patch +++ /dev/null @@ -1,40 +0,0 @@ -From 1c8b1d017cbdd26c9b75580936017eecd2b1f70c Mon Sep 17 00:00:00 2001 -From: Gyorgy Szing -Date: Fri, 18 Oct 2024 12:08:21 +0000 -Subject: [PATCH 10/12] Make RSE and MHU sizes compile-time definitions - user-configurable - -Replace the hardcoded RSE and MHU compile definitions values with CMake -cache variables that users can configure to change the size of the RSE -communication payload and the MHU message. - -Upstream-Status: Submitted [https://review.trustedfirmware.org/c/TS/trusted-services/+/31178/1] -Signed-off-by: Bence Balogh -Signed-off-by: Harsimran Singh Tungal ---- - platform/providers/arm/corstone1000/platform.cmake | 6 ++++-- - 1 file changed, 4 insertions(+), 2 deletions(-) - -diff --git a/platform/providers/arm/corstone1000/platform.cmake b/platform/providers/arm/corstone1000/platform.cmake -index 0c7c51b6e..66a55ab85 100644 ---- a/platform/providers/arm/corstone1000/platform.cmake -+++ b/platform/providers/arm/corstone1000/platform.cmake -@@ -9,11 +9,13 @@ - set(SMM_GATEWAY_MAX_UEFI_VARIABLES 80 CACHE STRING "Maximum UEFI variable count") - set(SMM_RPC_CALLER_SESSION_SHARED_MEMORY_SIZE 4*4096 CACHE STRING "RPC caller buffer size in SMMGW") - set(SMM_SP_HEAP_SIZE 80*1024 CACHE STRING "SMM gateway SP heap size") -+set(PLAT_RSE_COMMS_PAYLOAD_MAX_SIZE 0x43C0 CACHE STRING "Size of the RSE_COMMS_PAYLOAD buffer") -+set(COMMS_MHU_MSG_SIZE 0x4500 CACHE STRING "Max message size that can be transfered via MHU") - - target_compile_definitions(${TGT} PRIVATE - SMM_VARIABLE_INDEX_STORAGE_UID=0x787 -- PLAT_RSE_COMMS_PAYLOAD_MAX_SIZE=0x2080 -- COMMS_MHU_MSG_SIZE=0x3500 -+ PLAT_RSE_COMMS_PAYLOAD_MAX_SIZE=${PLAT_RSE_COMMS_PAYLOAD_MAX_SIZE} -+ COMMS_MHU_MSG_SIZE=${COMMS_MHU_MSG_SIZE} - MBEDTLS_ECP_DP_SECP521R1_ENABLED - ) - --- -2.25.1 - diff --git a/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0006-Align-PSA-Crypto-with-TF-Mv2.1.patch b/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0006-Align-PSA-Crypto-with-TF-Mv2.1.patch deleted file mode 100644 index 906a27d2..00000000 --- a/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0006-Align-PSA-Crypto-with-TF-Mv2.1.patch +++ /dev/null @@ -1,298 +0,0 @@ -From 111c15d7bf79e023bfb8bdcf631dfa95503f5f4e Mon Sep 17 00:00:00 2001 -From: Gyorgy Szing -Date: Fri, 18 Oct 2024 11:40:29 +0000 -Subject: [PATCH 11/12] Align PSA Crypto with TF-Mv2.1 - -Update following files using the TF-Mv2.1 release (0c4c99b) commit. - -* crypto_sid.h -This is derived from TF-M's tfm_crypto_defs.h file. The crypto function -ID definitions were reworked. This change had to be done on the TS -side too to keep the compatibility. - -* crypto_ipc_backend.h -This file is also derived from the tfm_crypto_defs.h file. The -tfm_crypto_pack_iovec struct changed in TF-M so the -psa_ipc_crypto_pack_iovec struct had to be updated in TS to -keep the compatibility. - -* crypto_client_struct.h -The psa_client_key_attributes_s struct had to be aligned with the -psa_key_attributes_s struct in TF-M. (psa_crypto.c) - -Signed-off-by: Bence Balogh -Upstream-Status: Submitted [https://review.trustedfirmware.org/c/TS/trusted-services/+/31179/1] ---- - .../service/common/include/psa/crypto_sid.h | 166 +++++------------- - .../backend/psa_ipc/crypto_ipc_backend.h | 9 +- - .../crypto/include/psa/crypto_client_struct.h | 4 +- - 3 files changed, 54 insertions(+), 125 deletions(-) - -diff --git a/components/service/common/include/psa/crypto_sid.h b/components/service/common/include/psa/crypto_sid.h -index 5b05f46d7..e1fbb15e2 100644 ---- a/components/service/common/include/psa/crypto_sid.h -+++ b/components/service/common/include/psa/crypto_sid.h -@@ -19,21 +19,23 @@ extern "C" { - * Asym sign, Asym encrypt, Key derivation). - */ - enum tfm_crypto_group_id { -- TFM_CRYPTO_GROUP_ID_RANDOM = 0x0, -- TFM_CRYPTO_GROUP_ID_KEY_MANAGEMENT, -- TFM_CRYPTO_GROUP_ID_HASH, -- TFM_CRYPTO_GROUP_ID_MAC, -- TFM_CRYPTO_GROUP_ID_CIPHER, -- TFM_CRYPTO_GROUP_ID_AEAD, -- TFM_CRYPTO_GROUP_ID_ASYM_SIGN, -- TFM_CRYPTO_GROUP_ID_ASYM_ENCRYPT, -- TFM_CRYPTO_GROUP_ID_KEY_DERIVATION, -+ TFM_CRYPTO_GROUP_ID_RANDOM = UINT8_C(1), -+ TFM_CRYPTO_GROUP_ID_KEY_MANAGEMENT = UINT8_C(2), -+ TFM_CRYPTO_GROUP_ID_HASH = UINT8_C(3), -+ TFM_CRYPTO_GROUP_ID_MAC = UINT8_C(4), -+ TFM_CRYPTO_GROUP_ID_CIPHER = UINT8_C(5), -+ TFM_CRYPTO_GROUP_ID_AEAD = UINT8_C(6), -+ TFM_CRYPTO_GROUP_ID_ASYM_SIGN = UINT8_C(7), -+ TFM_CRYPTO_GROUP_ID_ASYM_ENCRYPT = UINT8_C(8), -+ TFM_CRYPTO_GROUP_ID_KEY_DERIVATION = UINT8_C(9) - }; - --/* X macro describing each of the available PSA Crypto APIs */ -+/* Set of X macros describing each of the available PSA Crypto APIs */ -+#define RANDOM_FUNCS \ -+ X(TFM_CRYPTO_GENERATE_RANDOM) -+ - #define KEY_MANAGEMENT_FUNCS \ - X(TFM_CRYPTO_GET_KEY_ATTRIBUTES) \ -- X(TFM_CRYPTO_RESET_KEY_ATTRIBUTES) \ - X(TFM_CRYPTO_OPEN_KEY) \ - X(TFM_CRYPTO_CLOSE_KEY) \ - X(TFM_CRYPTO_IMPORT_KEY) \ -@@ -89,13 +91,13 @@ enum tfm_crypto_group_id { - X(TFM_CRYPTO_AEAD_VERIFY) \ - X(TFM_CRYPTO_AEAD_ABORT) - --#define ASYMMETRIC_SIGN_FUNCS \ -+#define ASYM_SIGN_FUNCS \ - X(TFM_CRYPTO_ASYMMETRIC_SIGN_MESSAGE) \ - X(TFM_CRYPTO_ASYMMETRIC_VERIFY_MESSAGE) \ - X(TFM_CRYPTO_ASYMMETRIC_SIGN_HASH) \ - X(TFM_CRYPTO_ASYMMETRIC_VERIFY_HASH) - --#define AYSMMETRIC_ENCRYPT_FUNCS \ -+#define ASYM_ENCRYPT_FUNCS \ - X(TFM_CRYPTO_ASYMMETRIC_ENCRYPT) \ - X(TFM_CRYPTO_ASYMMETRIC_DECRYPT) - -@@ -106,133 +108,55 @@ enum tfm_crypto_group_id { - X(TFM_CRYPTO_KEY_DERIVATION_SET_CAPACITY) \ - X(TFM_CRYPTO_KEY_DERIVATION_INPUT_BYTES) \ - X(TFM_CRYPTO_KEY_DERIVATION_INPUT_KEY) \ -+ X(TFM_CRYPTO_KEY_DERIVATION_INPUT_INTEGER) \ - X(TFM_CRYPTO_KEY_DERIVATION_KEY_AGREEMENT) \ - X(TFM_CRYPTO_KEY_DERIVATION_OUTPUT_BYTES) \ - X(TFM_CRYPTO_KEY_DERIVATION_OUTPUT_KEY) \ - X(TFM_CRYPTO_KEY_DERIVATION_ABORT) - --#define RANDOM_FUNCS \ -- X(TFM_CRYPTO_GENERATE_RANDOM) -- --/* -- * Define function IDs in each group. The function ID will be encoded into -- * tfm_crypto_func_sid below. -- * Each group is defined as a dedicated enum in case the total number of -- * PSA Crypto APIs exceeds 256. -- */ --#define X(func_id) func_id, --enum tfm_crypto_key_management_func_id { -- KEY_MANAGEMENT_FUNCS --}; --enum tfm_crypto_hash_func_id { -- HASH_FUNCS --}; --enum tfm_crypto_mac_func_id { -- MAC_FUNCS --}; --enum tfm_crypto_cipher_func_id { -- CIPHER_FUNCS --}; --enum tfm_crypto_aead_func_id { -- AEAD_FUNCS --}; --enum tfm_crypto_asym_sign_func_id { -- ASYMMETRIC_SIGN_FUNCS --}; --enum tfm_crypto_asym_encrypt_func_id { -- AYSMMETRIC_ENCRYPT_FUNCS --}; --enum tfm_crypto_key_derivation_func_id { -- KEY_DERIVATION_FUNCS --}; --enum tfm_crypto_random_func_id { -- RANDOM_FUNCS --}; --#undef X -- --#define FUNC_ID(func_id) (((func_id) & 0xFF) << 8) -+#define BASE__VALUE(x) ((uint16_t)((((uint16_t)(x)) << 8) & 0xFF00)) - --/* -- * Numerical progressive value identifying a function API exposed through -- * the interfaces (S or NS). It's used to dispatch the requests from S/NS -- * to the corresponding API implementation in the Crypto service backend. -+/** -+ * \brief This type defines numerical progressive values identifying a function API -+ * exposed through the interfaces (S or NS). It's used to dispatch the requests -+ * from S/NS to the corresponding API implementation in the Crypto service backend. -+ * -+ * \note Each function SID is encoded as uint16_t. -+ * +------------+------------+ -+ * | Group ID | Func ID | -+ * +------------+------------+ -+ * (MSB)15 8 7 0(LSB) - * -- * Each function SID is encoded as uint16_t. -- * | Func ID | Group ID | -- * 15 8 7 0 -- * Func ID is defined in each group func_id enum above -- * Group ID is defined in tfm_crypto_group_id. - */ --enum tfm_crypto_func_sid { -- --#define X(func_id) func_id ## _SID = (uint16_t)((FUNC_ID(func_id)) | \ -- (TFM_CRYPTO_GROUP_ID_KEY_MANAGEMENT & 0xFF)), -- -+enum tfm_crypto_func_sid_t { -+#define X(FUNCTION_NAME) FUNCTION_NAME ## _SID, -+ BASE__RANDOM = BASE__VALUE(TFM_CRYPTO_GROUP_ID_RANDOM) - 1, -+ RANDOM_FUNCS -+ BASE__KEY_MANAGEMENT = BASE__VALUE(TFM_CRYPTO_GROUP_ID_KEY_MANAGEMENT) - 1, - KEY_MANAGEMENT_FUNCS -- --#undef X --#define X(func_id) func_id ## _SID = (uint16_t)((FUNC_ID(func_id)) | \ -- (TFM_CRYPTO_GROUP_ID_HASH & 0xFF)), -+ BASE__HASH = BASE__VALUE(TFM_CRYPTO_GROUP_ID_HASH) - 1, - HASH_FUNCS -- --#undef X --#define X(func_id) func_id ## _SID = (uint16_t)((FUNC_ID(func_id)) | \ -- (TFM_CRYPTO_GROUP_ID_MAC & 0xFF)), -+ BASE__MAC = BASE__VALUE(TFM_CRYPTO_GROUP_ID_MAC) - 1, - MAC_FUNCS -- --#undef X --#define X(func_id) func_id ## _SID = (uint16_t)((FUNC_ID(func_id)) | \ -- (TFM_CRYPTO_GROUP_ID_CIPHER & 0xFF)), -+ BASE__CIPHER = BASE__VALUE(TFM_CRYPTO_GROUP_ID_CIPHER) - 1, - CIPHER_FUNCS -- --#undef X --#define X(func_id) func_id ## _SID = (uint16_t)((FUNC_ID(func_id)) | \ -- (TFM_CRYPTO_GROUP_ID_AEAD & 0xFF)), -+ BASE__AEAD = BASE__VALUE(TFM_CRYPTO_GROUP_ID_AEAD) - 1, - AEAD_FUNCS -- --#undef X --#define X(func_id) func_id ## _SID = (uint16_t)((FUNC_ID(func_id)) | \ -- (TFM_CRYPTO_GROUP_ID_ASYM_SIGN & 0xFF)), -- ASYMMETRIC_SIGN_FUNCS -- --#undef X --#define X(func_id) func_id ## _SID = (uint16_t)((FUNC_ID(func_id)) | \ -- (TFM_CRYPTO_GROUP_ID_ASYM_ENCRYPT & 0xFF)), -- AYSMMETRIC_ENCRYPT_FUNCS -- --#undef X --#define X(func_id) func_id ## _SID = (uint16_t)((FUNC_ID(func_id)) | \ -- (TFM_CRYPTO_GROUP_ID_KEY_DERIVATION & 0xFF)), -+ BASE__ASYM_SIGN = BASE__VALUE(TFM_CRYPTO_GROUP_ID_ASYM_SIGN) - 1, -+ ASYM_SIGN_FUNCS -+ BASE__ASYM_ENCRYPT = BASE__VALUE(TFM_CRYPTO_GROUP_ID_ASYM_ENCRYPT) - 1, -+ ASYM_ENCRYPT_FUNCS -+ BASE__KEY_DERIVATION = BASE__VALUE(TFM_CRYPTO_GROUP_ID_KEY_DERIVATION) - 1, - KEY_DERIVATION_FUNCS -- - #undef X --#define X(func_id) func_id ## _SID = (uint16_t)((FUNC_ID(func_id)) | \ -- (TFM_CRYPTO_GROUP_ID_RANDOM & 0xFF)), -- RANDOM_FUNCS -- - }; --#undef X - - /** -- * \brief Define an invalid value for an SID -- * -+ * \brief This macro is used to extract the group_id from an encoded function id -+ * by accessing the upper 8 bits. A \a _function_id is uint16_t type - */ --#define TFM_CRYPTO_SID_INVALID (~0x0u) -- --/** -- * \brief This value is used to mark an handle as invalid. -- * -- */ --#define TFM_CRYPTO_INVALID_HANDLE (0x0u) -- --/** -- * \brief Define miscellaneous literal constants that are used in the service -- * -- */ --enum { -- TFM_CRYPTO_NOT_IN_USE = 0, -- TFM_CRYPTO_IN_USE = 1 --}; -+#define TFM_CRYPTO_GET_GROUP_ID(_function_id) \ -+ ((enum tfm_crypto_group_id_t)(((uint16_t)(_function_id) >> 8) & 0xFF)) - - #ifdef __cplusplus - } -diff --git a/components/service/crypto/backend/psa_ipc/crypto_ipc_backend.h b/components/service/crypto/backend/psa_ipc/crypto_ipc_backend.h -index f9bbf84d6..27fe3496a 100644 ---- a/components/service/crypto/backend/psa_ipc/crypto_ipc_backend.h -+++ b/components/service/crypto/backend/psa_ipc/crypto_ipc_backend.h -@@ -30,10 +30,9 @@ struct psa_ipc_crypto_aead_pack_input { - struct psa_ipc_crypto_pack_iovec { - psa_key_id_t key_id; /*!< Key id */ - psa_algorithm_t alg; /*!< Algorithm */ -- uint32_t op_handle; /*!< Frontend context handle associated to a -+ uint32_t op_handle; /*!< Client context handle associated to a - * multipart operation - */ -- uint32_t capacity; /*!< Key derivation capacity */ - uint32_t ad_length; /*!< Additional Data length for multipart AEAD */ - uint32_t plaintext_length; /*!< Plaintext length for multipart AEAD */ - -@@ -44,7 +43,11 @@ struct psa_ipc_crypto_pack_iovec { - * See tfm_crypto_func_sid for detail - */ - uint16_t step; /*!< Key derivation step */ --} __attribute__((__packed__)); -+ union { -+ size_t capacity; /*!< Key derivation capacity */ -+ uint64_t value; /*!< Key derivation integer for update*/ -+ }; -+}; - - #define iov_size sizeof(struct psa_ipc_crypto_pack_iovec) - -diff --git a/components/service/crypto/include/psa/crypto_client_struct.h b/components/service/crypto/include/psa/crypto_client_struct.h -index 1f68aba21..ebc400811 100644 ---- a/components/service/crypto/include/psa/crypto_client_struct.h -+++ b/components/service/crypto/include/psa/crypto_client_struct.h -@@ -34,9 +34,11 @@ struct psa_client_key_attributes_s - uint16_t type; - uint16_t bits; - uint32_t lifetime; -- psa_key_id_t id; - uint32_t usage; - uint32_t alg; -+ uint32_t alg2; -+ uint32_t id; -+ int32_t owner_id; - }; - - #define PSA_CLIENT_KEY_ATTRIBUTES_INIT {0, 0, 0, 0, 0, 0} --- -2.25.1 - diff --git a/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0008-se-proxy-protobuf-change.patch b/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0008-se-proxy-protobuf-change.patch deleted file mode 100644 index c7ac1614..00000000 --- a/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0008-se-proxy-protobuf-change.patch +++ /dev/null @@ -1,71 +0,0 @@ -From 77dbb98428b0661f0ceee54208d226fc7fb27130 Mon Sep 17 00:00:00 2001 -From: Harsimran Singh Tungal -Date: Sun, 1 Jun 2025 11:06:00 +0000 -Subject: [PATCH 02/11] se proxy protobuf change - -Upstream-Status: Pending (not yet submitted to upstream) -Signed-off-by: Emekcan Aras -Signed-off-by: Harsimran Singh Tungal ---- - .../se-proxy/env/commonsp/se_proxy_sp.c | 24 ++++++++++++++++++- - 1 file changed, 23 insertions(+), 1 deletion(-) - -diff --git a/deployments/se-proxy/env/commonsp/se_proxy_sp.c b/deployments/se-proxy/env/commonsp/se_proxy_sp.c -index 485d7649..9f94092b 100644 ---- a/deployments/se-proxy/env/commonsp/se_proxy_sp.c -+++ b/deployments/se-proxy/env/commonsp/se_proxy_sp.c -@@ -13,6 +13,7 @@ - #include "trace.h" - #include "deployments/se-proxy/infra/service_proxy_factory.h" - #include "deployments/se-proxy/se_proxy_interfaces.h" -+#include - - static bool sp_init(uint16_t *own_sp_id); - -@@ -25,6 +26,8 @@ void __noreturn sp_main(union ffa_boot_info *boot_info) - uint16_t own_id = 0; - sp_result result = SP_RESULT_INTERNAL_ERROR; - rpc_status_t rpc_status = RPC_ERROR_INTERNAL; -+ struct rpc_service_interface *crypto_iface_protobuf = NULL; -+ struct crypto_provider *crypto_protobuf_provider = NULL; - - /* Boot phase */ - if (!sp_init(&own_id)) { -@@ -39,7 +42,7 @@ void __noreturn sp_main(union ffa_boot_info *boot_info) - goto fatal_error; - } - -- rpc_status = ts_rpc_endpoint_sp_init(&rpc_endpoint, 5, 16); -+ rpc_status = ts_rpc_endpoint_sp_init(&rpc_endpoint, 6, 16); - if (rpc_status != RPC_SUCCESS) { - EMSG("Failed to initialize RPC endpoint: %d", rpc_status); - goto fatal_error; -@@ -106,6 +109,25 @@ void __noreturn sp_main(union ffa_boot_info *boot_info) - goto fatal_error; - } - -+ crypto_protobuf_provider = crypto_protobuf_provider_factory_create(); -+ if (!crypto_protobuf_provider) { -+ EMSG("Failed to create crypto protobuf provider factory"); -+ goto fatal_error; -+ } -+ -+ crypto_iface_protobuf = service_provider_get_rpc_interface( -+ &crypto_protobuf_provider->base_provider); -+ if (!crypto_iface_protobuf) { -+ EMSG("Failed to create service provider RPC interface"); -+ goto fatal_error; -+ } -+ -+ rpc_status = ts_rpc_endpoint_sp_add_service(&rpc_endpoint, crypto_iface_protobuf); -+ if (rpc_status != RPC_SUCCESS) { -+ EMSG("Failed to add service to RPC endpoint: %d", rpc_status); -+ goto fatal_error; -+ } -+ - /* End of boot phase */ - result = sp_msg_wait(&req_msg); - if (result != SP_RESULT_OK) { --- -2.34.1 - diff --git a/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0010-Integrate-PSA-FWU-IPC-framework-for-Corstone-1000.patch b/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0010-Integrate-PSA-FWU-IPC-framework-for-Corstone-1000.patch deleted file mode 100644 index 4a80e6b3..00000000 --- a/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0010-Integrate-PSA-FWU-IPC-framework-for-Corstone-1000.patch +++ /dev/null @@ -1,436 +0,0 @@ -From f385ddacc8cc62842f7c9c91622d59959c41e718 Mon Sep 17 00:00:00 2001 -From: Harsimran Singh Tungal -Date: Thu, 28 Nov 2024 12:02:28 +0000 -Subject: [PATCH 04/11] Integrate PSA FWU IPC framework for Corstone-1000 - -Integrate IPC framework for PSA FWU calls between Cortex-A side and Cortex-M subsystems. - -IPC framework is required to bridge the PSA FWU calls for the platforms which have -both Cortex-A and Cortex-M subsystems. Corstone-1000 falls under this category of -platforms. In these platforms, the PSA FWU client and PSA FWU provider exist on -Cortex-A and all the PSA FWU services are implemented on Cortex-M side. This IPC -framework forwards the PSA FWU calls from Cortex-A to Cortex-M subsystem. - -Upstream-Status: Submitted [https://review.trustedfirmware.org/c/TS/trusted-services/+/33826] -Signed-off-by: Harsimran Singh Tungal ---- - components/service/common/include/psa/sid.h | 6 +- - .../interface/psa_ipc/component.cmake | 13 + - .../psa_fwu_m/interface/psa_ipc/psa_fwu_ipc.c | 253 ++++++++++++++++++ - .../psa_fwu_m/interface/psa_ipc/psa_fwu_ipc.h | 49 ++++ - .../se-proxy/infra/corstone1000/infra.cmake | 2 +- - .../corstone1000/service_proxy_factory.c | 16 ++ - 6 files changed, 337 insertions(+), 2 deletions(-) - create mode 100644 components/service/fwu/psa_fwu_m/interface/psa_ipc/component.cmake - create mode 100644 components/service/fwu/psa_fwu_m/interface/psa_ipc/psa_fwu_ipc.c - create mode 100644 components/service/fwu/psa_fwu_m/interface/psa_ipc/psa_fwu_ipc.h - -diff --git a/components/service/common/include/psa/sid.h b/components/service/common/include/psa/sid.h -index 5aaa659d..0235764d 100644 ---- a/components/service/common/include/psa/sid.h -+++ b/components/service/common/include/psa/sid.h -@@ -1,5 +1,5 @@ - /* -- * Copyright (c) 2019-2023, Arm Limited. All rights reserved. -+ * Copyright (c) 2019-2024, Arm Limited. All rights reserved. - * - * SPDX-License-Identifier: BSD-3-Clause - * -@@ -58,6 +58,10 @@ extern "C" { - #define TFM_ATTEST_GET_TOKEN_SIZE 1002 - - /******** TFM_SP_FWU ********/ -+#define TFM_FIRMWARE_UPDATE_SERVICE_SID (0x000000A0U) -+#define TFM_FIRMWARE_UPDATE_SERVICE_VERSION (1U) -+#define TFM_FIRMWARE_UPDATE_SERVICE_HANDLE (0x40000104U) -+ - #define TFM_FWU_WRITE_SID (0x000000A0U) - #define TFM_FWU_WRITE_VERSION (1U) - #define TFM_FWU_INSTALL_SID (0x000000A1U) -diff --git a/components/service/fwu/psa_fwu_m/interface/psa_ipc/component.cmake b/components/service/fwu/psa_fwu_m/interface/psa_ipc/component.cmake -new file mode 100644 -index 00000000..cdc653a6 ---- /dev/null -+++ b/components/service/fwu/psa_fwu_m/interface/psa_ipc/component.cmake -@@ -0,0 +1,13 @@ -+#------------------------------------------------------------------------------- -+# Copyright (c) 2024, Arm Limited and Contributors. All rights reserved. -+# -+# SPDX-License-Identifier: BSD-3-Clause -+# -+#------------------------------------------------------------------------------- -+if (NOT DEFINED TGT) -+ message(FATAL_ERROR "mandatory parameter TGT is not defined.") -+endif() -+ -+target_sources(${TGT} PRIVATE -+ "${CMAKE_CURRENT_LIST_DIR}/psa_fwu_ipc.c" -+) -diff --git a/components/service/fwu/psa_fwu_m/interface/psa_ipc/psa_fwu_ipc.c b/components/service/fwu/psa_fwu_m/interface/psa_ipc/psa_fwu_ipc.c -new file mode 100644 -index 00000000..a47ae539 ---- /dev/null -+++ b/components/service/fwu/psa_fwu_m/interface/psa_ipc/psa_fwu_ipc.c -@@ -0,0 +1,253 @@ -+/* -+ * Copyright (c) 2024, Arm Limited and Contributors. All rights reserved. -+ * -+ * SPDX-License-Identifier: BSD-3-Clause -+ */ -+ -+#include -+#include -+#include -+ -+#include -+#include -+#include -+#include -+#include "service/fwu/psa_fwu_m/interface/psa_ipc/psa_fwu_ipc.h" -+#include "service/fwu/psa_fwu_m/interface/tfm_fwu_defs.h" -+#include "service/fwu/psa_fwu_m/interface/update.h" -+ -+/** -+ * @brief The singleton psa_fwu_ipc instance -+ * -+ * The psa attestation C API assumes a single backend service provider. -+ */ -+static struct service_client instance; -+ -+psa_status_t psa_fwu_ipc_init(struct rpc_caller_session *session) -+{ -+ return service_client_init(&instance, session); -+} -+ -+void psa_fwu_ipc_deinit(void) -+{ -+ service_client_deinit(&instance); -+} -+ -+int psa_fwu_rpc_status(void) -+{ -+ return instance.rpc_status; -+} -+ -+psa_status_t psa_fwu_query(psa_fwu_component_t component, -+ psa_fwu_component_info_t *info) -+{ -+ if (!instance.session) -+ return PSA_ERROR_BAD_STATE; -+ if (!info) -+ return PSA_ERROR_INVALID_ARGUMENT; -+ -+ psa_status_t status = PSA_ERROR_INVALID_ARGUMENT; -+ struct rpc_caller_interface *caller = instance.session->caller; -+ struct psa_invec in_vec[] = { -+ { .base = psa_ptr_to_u32(&component), .len = sizeof(component) }, -+ }; -+ struct psa_outvec out_vec[] = { -+ { .base = psa_ptr_to_u32(info), .len = sizeof(*info) }, -+ }; -+ -+ status = psa_call(caller, TFM_FIRMWARE_UPDATE_SERVICE_HANDLE, -+ TFM_FWU_QUERY, in_vec, IOVEC_LEN(in_vec), -+ out_vec, IOVEC_LEN(out_vec)); -+ if (status != PSA_SUCCESS) -+ EMSG("failed to psa_call: %d", status); -+ -+ return status; -+} -+ -+psa_status_t psa_fwu_start(psa_fwu_component_t component, -+ const void *manifest, -+ size_t manifest_size) -+{ -+ if(manifest_size > UINT32_MAX) -+ return PSA_ERROR_INVALID_ARGUMENT; -+ if (!instance.session) -+ return PSA_ERROR_BAD_STATE; -+ -+ psa_status_t status = PSA_ERROR_INVALID_ARGUMENT; -+ struct rpc_caller_interface *caller = instance.session->caller; -+ struct psa_invec in_vec[] = { -+ { .base = psa_ptr_to_u32(&component), .len = sizeof(component) }, -+ { .base = psa_ptr_const_to_u32(manifest), .len = manifest_size }, -+ }; -+ -+ status = psa_call(caller, TFM_FIRMWARE_UPDATE_SERVICE_HANDLE, -+ TFM_FWU_START, in_vec, IOVEC_LEN(in_vec), -+ NULL, 0); -+ if (status != PSA_SUCCESS) -+ EMSG("failed to psa_call: %d", status); -+ -+ return status; -+} -+ -+psa_status_t psa_fwu_write(psa_fwu_component_t component, -+ size_t image_offset, -+ const void *block, -+ size_t block_size) -+{ -+ if (!instance.session) -+ return PSA_ERROR_BAD_STATE; -+ if (!block || !block_size) -+ return PSA_ERROR_INVALID_ARGUMENT; -+ if((image_offset > UINT32_MAX) || (block_size > UINT32_MAX)) -+ return PSA_ERROR_INVALID_ARGUMENT; -+ -+ psa_status_t status = PSA_ERROR_INVALID_ARGUMENT; -+ struct rpc_caller_interface *caller = instance.session->caller; -+ struct psa_invec in_vec[] = { -+ { .base = psa_ptr_to_u32(&component), .len = sizeof(component) }, -+ { .base = psa_ptr_to_u32(&image_offset), .len = sizeof(uint32_t) }, -+ { .base = psa_ptr_const_to_u32(block), .len = block_size }, -+ }; -+ -+ status = psa_call(caller, TFM_FIRMWARE_UPDATE_SERVICE_HANDLE, -+ TFM_FWU_WRITE, in_vec, IOVEC_LEN(in_vec), -+ NULL, 0); -+ if (status != PSA_SUCCESS) -+ EMSG("failed to psa_call: %d", status); -+ -+ return status; -+} -+ -+psa_status_t psa_fwu_finish(psa_fwu_component_t component) -+{ -+ if (!instance.session) -+ return PSA_ERROR_BAD_STATE; -+ -+ psa_status_t status = PSA_ERROR_INVALID_ARGUMENT; -+ struct rpc_caller_interface *caller = instance.session->caller; -+ struct psa_invec in_vec[] = { -+ { .base = psa_ptr_to_u32(&component), .len = sizeof(component) }, -+ }; -+ -+ status = psa_call(caller, TFM_FIRMWARE_UPDATE_SERVICE_HANDLE, -+ TFM_FWU_FINISH, in_vec, IOVEC_LEN(in_vec), -+ NULL, 0); -+ if (status != PSA_SUCCESS) -+ EMSG("failed to psa_call: %d", status); -+ -+ return status; -+} -+ -+psa_status_t psa_fwu_cancel(psa_fwu_component_t component) -+{ -+ if (!instance.session) -+ return PSA_ERROR_BAD_STATE; -+ -+ psa_status_t status = PSA_ERROR_INVALID_ARGUMENT; -+ struct rpc_caller_interface *caller = instance.session->caller; -+ struct psa_invec in_vec[] = { -+ { .base = psa_ptr_to_u32(&component), .len = sizeof(component) }, -+ }; -+ -+ status = psa_call(caller, TFM_FIRMWARE_UPDATE_SERVICE_HANDLE, -+ TFM_FWU_CANCEL, in_vec, IOVEC_LEN(in_vec), -+ NULL, 0); -+ if (status != PSA_SUCCESS) -+ EMSG("failed to psa_call: %d", status); -+ -+ return status; -+} -+ -+psa_status_t psa_fwu_clean(psa_fwu_component_t component) -+{ -+ if (!instance.session) -+ return PSA_ERROR_BAD_STATE; -+ -+ psa_status_t status = PSA_ERROR_INVALID_ARGUMENT; -+ struct rpc_caller_interface *caller = instance.session->caller; -+ struct psa_invec in_vec[] = { -+ { .base = psa_ptr_to_u32(&component), .len = sizeof(component) }, -+ }; -+ -+ status = psa_call(caller, TFM_FIRMWARE_UPDATE_SERVICE_HANDLE, -+ TFM_FWU_CLEAN, in_vec, IOVEC_LEN(in_vec), -+ NULL, 0); -+ if (status != PSA_SUCCESS) -+ EMSG("failed to psa_call: %d", status); -+ -+ return status; -+} -+ -+psa_status_t psa_fwu_install(void) -+{ -+ if (!instance.session) -+ return PSA_ERROR_BAD_STATE; -+ -+ psa_status_t status = PSA_ERROR_INVALID_ARGUMENT; -+ struct rpc_caller_interface *caller = instance.session->caller; -+ struct psa_invec in_vec[] = {}; -+ -+ status = psa_call(caller, TFM_FIRMWARE_UPDATE_SERVICE_HANDLE, -+ TFM_FWU_INSTALL, in_vec, 0, -+ NULL, 0); -+ if (status != PSA_SUCCESS) -+ EMSG("failed to psa_call: %d", status); -+ -+ return status; -+} -+ -+psa_status_t psa_fwu_request_reboot(void) -+{ -+ if (!instance.session) -+ return PSA_ERROR_BAD_STATE; -+ -+ psa_status_t status = PSA_ERROR_INVALID_ARGUMENT; -+ struct rpc_caller_interface *caller = instance.session->caller; -+ struct psa_invec in_vec[] = {}; -+ -+ status = psa_call(caller, TFM_FIRMWARE_UPDATE_SERVICE_HANDLE, -+ TFM_FWU_REQUEST_REBOOT, in_vec, 0, -+ NULL, 0); -+ if (status != PSA_SUCCESS) -+ EMSG("failed to psa_call: %d", status); -+ -+ return status; -+} -+ -+psa_status_t psa_fwu_reject(psa_status_t error) -+{ -+ if (!instance.session) -+ return PSA_ERROR_BAD_STATE; -+ -+ psa_status_t status = PSA_ERROR_INVALID_ARGUMENT; -+ struct rpc_caller_interface *caller = instance.session->caller; -+ struct psa_invec in_vec[] = { -+ { .base = psa_ptr_to_u32(&error), .len = sizeof(error) }, -+ }; -+ -+ status = psa_call(caller, TFM_FIRMWARE_UPDATE_SERVICE_HANDLE, -+ TFM_FWU_REJECT, in_vec, IOVEC_LEN(in_vec), -+ NULL, 0); -+ if (status != PSA_SUCCESS) -+ EMSG("failed to psa_call: %d", status); -+ -+ return status; -+} -+ -+psa_status_t psa_fwu_accept(void) -+{ -+ if (!instance.session) -+ return PSA_ERROR_BAD_STATE; -+ -+ psa_status_t status = PSA_ERROR_INVALID_ARGUMENT; -+ struct rpc_caller_interface *caller = instance.session->caller; -+ struct psa_invec in_vec[] = {}; -+ -+ status = psa_call(caller, TFM_FIRMWARE_UPDATE_SERVICE_HANDLE, -+ TFM_FWU_ACCEPT, in_vec, 0, -+ NULL, 0); -+ if (status != PSA_SUCCESS) -+ EMSG("failed to psa_call: %d", status); -+ -+ return status; -+} -diff --git a/components/service/fwu/psa_fwu_m/interface/psa_ipc/psa_fwu_ipc.h b/components/service/fwu/psa_fwu_m/interface/psa_ipc/psa_fwu_ipc.h -new file mode 100644 -index 00000000..867a1c9c ---- /dev/null -+++ b/components/service/fwu/psa_fwu_m/interface/psa_ipc/psa_fwu_ipc.h -@@ -0,0 +1,49 @@ -+/* -+ * Copyright (c) 2024, Arm Limited and Contributors. All rights reserved. -+ * -+ * SPDX-License-Identifier: BSD-3-Clause -+ */ -+ -+#ifndef PSA_FWU_IPC_H -+#define PSA_FWU_IPC_H -+ -+#include -+#include "rpc_caller_session.h" -+ -+#ifdef __cplusplus -+extern "C" { -+#endif -+ -+/** -+ * @brief Initialize a PSA FWU ipc client -+ * -+ * A PSA FWU ipc client makes RPC calls to a remote FWU service. -+ * -+ * @param[in] rpc_caller RPC caller instance -+ * -+ * @return A status indicating the success/failure of the operation -+ */ -+psa_status_t psa_fwu_ipc_init(struct rpc_caller_session *session); -+ -+/** -+ * @brief Deinitialize a PSA FWU ipc client -+ * -+ */ -+void psa_fwu_ipc_deinit(void); -+ -+/** -+ * @brief Return the most recent RPC status -+ * -+ * May be used to obtain information about an RPC error that resulted -+ * in an API operation failure -+ * -+ * @return Most recent RPC operation status -+ */ -+int psa_fwu_rpc_status(void); -+ -+#ifdef __cplusplus -+} -+#endif -+ -+#endif /* PSA_FWU_IPC_H */ -+ -diff --git a/deployments/se-proxy/infra/corstone1000/infra.cmake b/deployments/se-proxy/infra/corstone1000/infra.cmake -index 3830f9d6..2bf6b36e 100644 ---- a/deployments/se-proxy/infra/corstone1000/infra.cmake -+++ b/deployments/se-proxy/infra/corstone1000/infra.cmake -@@ -26,7 +26,7 @@ add_components(TARGET "se-proxy" - "components/service/fwu/provider" - "components/service/fwu/provider/serializer" - "components/service/fwu/psa_fwu_m/agent" -- "components/service/fwu/psa_fwu_m/interface/stub" -+ "components/service/fwu/psa_fwu_m/interface/psa_ipc" - "components/service/secure_storage/backend/secure_storage_ipc" - ) - -diff --git a/deployments/se-proxy/infra/corstone1000/service_proxy_factory.c b/deployments/se-proxy/infra/corstone1000/service_proxy_factory.c -index 759983b4..547e84bc 100644 ---- a/deployments/se-proxy/infra/corstone1000/service_proxy_factory.c -+++ b/deployments/se-proxy/infra/corstone1000/service_proxy_factory.c -@@ -14,6 +14,7 @@ - #include - #include "service/fwu/psa_fwu_m/agent/psa_fwu_m_update_agent.h" - #include "service/fwu/provider/fwu_provider.h" -+#include "service/fwu/psa_fwu_m/interface/psa_ipc/psa_fwu_ipc.h" - #include - #include "service/secure_storage/frontend/secure_storage_provider/secure_storage_uuid.h" - #include -@@ -134,10 +135,25 @@ struct rpc_service_interface *its_proxy_create(void) - - struct rpc_service_interface *fwu_proxy_create(void) - { -+ rpc_status_t rpc_status = RPC_ERROR_INTERNAL; - static struct update_agent *agent; - static struct fwu_provider fwu_provider = { 0 }; - -+ /* Static objects for proxy instance */ -+ static struct rpc_caller_interface rss_comms = { 0 }; -+ static struct rpc_caller_session rpc_session = { 0 }; -+ -+ rpc_status = rss_comms_caller_init(&rss_comms); -+ if (rpc_status != RPC_SUCCESS) -+ return NULL; -+ -+ rpc_status = rpc_caller_session_open(&rpc_session, &rss_comms, &dummy_uuid, 0, 0); -+ if (rpc_status != RPC_SUCCESS) -+ return NULL; -+ - agent = psa_fwu_m_update_agent_init(NULL, 0, 4096); -+ if (psa_fwu_ipc_init(&rpc_session) != PSA_SUCCESS) -+ return NULL; - - return fwu_provider_init(&fwu_provider, agent); - } --- -2.34.1 - diff --git a/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0011-Load-initial-image-state-in-PSA-FWU-M-update-agent.patch b/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0011-Load-initial-image-state-in-PSA-FWU-M-update-agent.patch deleted file mode 100644 index 2f43369f..00000000 --- a/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0011-Load-initial-image-state-in-PSA-FWU-M-update-agent.patch +++ /dev/null @@ -1,188 +0,0 @@ -From 6fb3bead9e0eea3640ad1209347691c2b40512a2 Mon Sep 17 00:00:00 2001 -From: Imre Kis -Date: Wed, 5 Feb 2025 14:27:45 +0100 -Subject: [PATCH 2/8] Load initial image state in PSA FWU M update agent - -Set initial image state based on the image state returned by -psa_fwu_query. This way the update agent has the correct view of images -after reboot and it can accept or reject them. - -Upstream-Status: Submitted [https://review.trustedfirmware.org/c/TS/trusted-services/+/35155] -Signed-off-by: Imre Kis -Change-Id: I150e4fdb4584c8d07f5f1f642ee88197f9cff49b -Signed-off-by: Harsimran Singh Tungal ---- - .../psa_fwu_m/agent/psa_fwu_m_update_agent.c | 23 +++++++-- - .../test/test_psa_fwu_m_update_agent.cpp | 49 ++++++++++++++++++- - docs/services/fwu/psa-fwu-m.rst | 14 +++++- - 3 files changed, 80 insertions(+), 6 deletions(-) - -diff --git a/components/service/fwu/psa_fwu_m/agent/psa_fwu_m_update_agent.c b/components/service/fwu/psa_fwu_m/agent/psa_fwu_m_update_agent.c -index 6de9ba71..48b86f6e 100644 ---- a/components/service/fwu/psa_fwu_m/agent/psa_fwu_m_update_agent.c -+++ b/components/service/fwu/psa_fwu_m/agent/psa_fwu_m_update_agent.c -@@ -1,5 +1,5 @@ - /* -- * Copyright (c) 2024, Arm Limited. All rights reserved. -+ * Copyright (c) 2024-2025, Arm Limited. All rights reserved. - * - * SPDX-License-Identifier: BSD-3-Clause - * -@@ -609,8 +609,11 @@ struct update_agent *psa_fwu_m_update_agent_init( - const struct psa_fwu_m_image_mapping image_mapping[], size_t image_count, - uint32_t max_payload_size) - { -+ psa_status_t psa_status = PSA_ERROR_GENERIC_ERROR; - struct psa_fwu_m_update_agent *context = NULL; -+ struct psa_fwu_component_info_t info = { 0 }; - struct psa_fwu_m_image *images = NULL; -+ enum psa_fwu_m_state state = regular; - struct update_agent *agent = NULL; - size_t i = 0; - -@@ -637,9 +640,23 @@ struct update_agent *psa_fwu_m_update_agent_init( - } - - for (i = 0; i < image_count; i++) { -+ psa_status = psa_fwu_query(image_mapping[i].component, &info); -+ if (psa_status != PSA_SUCCESS) { -+ free(images); -+ free(context); -+ free(agent); -+ return NULL; -+ } -+ - images[i].uuid = image_mapping[i].uuid; - images[i].component = image_mapping[i].component; -- images[i].selected_for_staging = false; -+ if (info.state == PSA_FWU_TRIAL) { -+ images[i].selected_for_staging = true; -+ state = trial; -+ } else { -+ images[i].selected_for_staging = false; -+ } -+ - images[i].read = NULL; /* Cannot read images */ - images[i].write = image_write; - } -@@ -654,7 +671,7 @@ struct update_agent *psa_fwu_m_update_agent_init( - context->images = images; - context->image_count = image_count + 1; - context->max_payload_size = max_payload_size; -- context->state = regular; -+ context->state = state; - - agent->context = context; - agent->interface = &interface; -diff --git a/components/service/fwu/psa_fwu_m/agent/test/test_psa_fwu_m_update_agent.cpp b/components/service/fwu/psa_fwu_m/agent/test/test_psa_fwu_m_update_agent.cpp -index de289fff..3805d182 100644 ---- a/components/service/fwu/psa_fwu_m/agent/test/test_psa_fwu_m_update_agent.cpp -+++ b/components/service/fwu/psa_fwu_m/agent/test/test_psa_fwu_m_update_agent.cpp -@@ -1,5 +1,5 @@ - /* -- * Copyright (c) 2024, Arm Limited. All rights reserved. -+ * Copyright (c) 2024-2025, Arm Limited. All rights reserved. - * - * SPDX-License-Identifier: BSD-3-Clause - * -@@ -14,6 +14,9 @@ - - TEST_GROUP(psa_fwu_m_update_agent) { - TEST_SETUP() { -+ psa_fwu_component_info_t info = {0}; -+ expect_mock_psa_fwu_query(mapping[0].component, &info, PSA_SUCCESS); -+ expect_mock_psa_fwu_query(mapping[1].component, &info, PSA_SUCCESS); - agent = psa_fwu_m_update_agent_init(mapping, 2, 4096); - handle = 0; - progress = 0; -@@ -667,4 +670,46 @@ TEST(psa_fwu_m_update_agent, select_previous) - - expect_mock_psa_fwu_reject(0, PSA_SUCCESS); - LONGS_EQUAL(FWU_STATUS_SUCCESS, update_agent_select_previous(agent)); --} -\ No newline at end of file -+} -+ -+TEST(psa_fwu_m_update_agent, boot_in_trial_mode_query_fail) { -+ psa_fwu_component_info_t info = {0}; -+ -+ expect_mock_psa_fwu_query(mapping[0].component, &info, PSA_ERROR_GENERIC_ERROR); -+ POINTERS_EQUAL(NULL, psa_fwu_m_update_agent_init(mapping, 2, 4096)); -+} -+ -+TEST(psa_fwu_m_update_agent, boot_in_trial_mode_select_previous) { -+ psa_fwu_component_info_t info0 = {0}; -+ psa_fwu_component_info_t info1 = {0}; -+ -+ info1.state = PSA_FWU_TRIAL; -+ -+ expect_mock_psa_fwu_query(mapping[0].component, &info0, PSA_SUCCESS); -+ expect_mock_psa_fwu_query(mapping[1].component, &info1, PSA_SUCCESS); -+ -+ update_agent *agent = psa_fwu_m_update_agent_init(mapping, 2, 4096); -+ -+ expect_mock_psa_fwu_reject(0, PSA_SUCCESS); -+ LONGS_EQUAL(FWU_STATUS_SUCCESS, update_agent_select_previous(agent)); -+ -+ psa_fwu_m_update_agent_deinit(agent); -+} -+ -+TEST(psa_fwu_m_update_agent, boot_in_trial_mode_accept) { -+ psa_fwu_component_info_t info0 = {0}; -+ psa_fwu_component_info_t info1 = {0}; -+ -+ info1.state = PSA_FWU_TRIAL; -+ -+ expect_mock_psa_fwu_query(mapping[0].component, &info0, PSA_SUCCESS); -+ expect_mock_psa_fwu_query(mapping[1].component, &info1, PSA_SUCCESS); -+ -+ update_agent *agent = psa_fwu_m_update_agent_init(mapping, 2, 4096); -+ -+ expect_mock_psa_fwu_accept(PSA_SUCCESS); -+ LONGS_EQUAL(FWU_STATUS_DENIED, update_agent_accept_image(agent, &mapping[0].uuid)); -+ LONGS_EQUAL(FWU_STATUS_SUCCESS, update_agent_accept_image(agent, &mapping[1].uuid)); -+ -+ psa_fwu_m_update_agent_deinit(agent); -+} -diff --git a/docs/services/fwu/psa-fwu-m.rst b/docs/services/fwu/psa-fwu-m.rst -index 26ffed09..1358015f 100644 ---- a/docs/services/fwu/psa-fwu-m.rst -+++ b/docs/services/fwu/psa-fwu-m.rst -@@ -44,6 +44,11 @@ The solutions to these differences: - * Convert the image query result returned by FWU-M to FWU-A format. There are similar field, but this imposes some - limitations. - -+Initialization -+``````````````` -+ -+The initial image and agent state is determined based on the image state returned by ``psa_fwu_query()``. -+ - - ``fwu_discover()`` - `````````````````` -@@ -71,6 +76,10 @@ agent switches to trial state, so the client can validate the new set of images - - On calling ``fwu_end_staging()`` the agent calls ``psa_fwu_finish()`` on each selected image, then calls - ``psa_fwu_install()``. If all images have been accepted (see ``fwu_commit()``) it also calls ``psa_fwu_accept()``. -+The implementation treats ``PSA_SUCCESS_REBOOT`` and ``PSA_SUCCESS_RESTART`` status values as error. In an A+M system the M -+class side shouldn't restart the system, so calling ``psa_fwu_request_reboot()`` does not fit the system. There's also no -+PSA FWU A return code for inidicating the restart request to the normal world. If the normal world has to restart the -+system after ending the staging phase, it has to do it in an implementation defined way. - - .. uml:: ../uml/psa_fwu_m_update_agent/fwu_end_staging.puml - -@@ -136,7 +145,10 @@ calls ``psa_fwu_accept()`` when all images have been accepted. This results in a - ````````````````````````` - - Selects previous working state (i.e. rejects the firmware update) and transitions back to regular state after calling --``psa_fwu_reject()``. -+``psa_fwu_reject()``. The implementation treats ``PSA_SUCCESS_REBOOT`` and ``PSA_SUCCESS_RESTART`` status values as error. -+In an A+M system the M class side shouldn't restart the system, so calling ``psa_fwu_request_reboot()`` does not fit the -+system. There's also no PSA FWU A return code for inidicating the restart request to the normal world. If the normal -+world has to restart the system when rejecting the installed firmware, it has to do it in an implementation defined way. - - .. uml:: ../uml/psa_fwu_m_update_agent/fwu_select_previous.puml - --- -2.25.1 - diff --git a/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0012-Corstone1000-Define-PSA-FWU-image-mapping-structure.patch b/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0012-Corstone1000-Define-PSA-FWU-image-mapping-structure.patch deleted file mode 100644 index 17b1f87e..00000000 --- a/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0012-Corstone1000-Define-PSA-FWU-image-mapping-structure.patch +++ /dev/null @@ -1,128 +0,0 @@ -From 5344d7d0580ca7f2f2569f388dd6e3cd17a372f2 Mon Sep 17 00:00:00 2001 -From: Harsimran Singh Tungal -Date: Thu, 6 Feb 2025 10:26:04 +0000 -Subject: [PATCH 3/8] Corstone1000: Define PSA FWU image mapping structure - -This commit involves following changes - -1. Define PSA FWU image mapping structure for Corstone-1000. -This structure is responsible to map specific image guid with -component number. -To enable platform-specific handling, service_proxy_factory.c now -conditionally selects the appropriate image mapping -based on PLATFORM_IS_FVP. This ensures that both FVP and MPS3 -platforms use the correct GUID and firmware update configuration. - -2. Rename RSS to RSE - -Upstream-Status: Pending -Signed-off-by: Harsimran Singh Tungal -Signed-off-by: Ali Can Ozaslan ---- - .../infra/corstone1000/corstone1000_config.h | 28 +++++++++++++++++++ - .../corstone1000/service_proxy_factory.c | 25 +++++++++++++---- - 2 files changed, 48 insertions(+), 5 deletions(-) - create mode 100644 deployments/se-proxy/infra/corstone1000/corstone1000_config.h - -diff --git a/deployments/se-proxy/infra/corstone1000/corstone1000_config.h b/deployments/se-proxy/infra/corstone1000/corstone1000_config.h -new file mode 100644 -index 00000000..319401f3 ---- /dev/null -+++ b/deployments/se-proxy/infra/corstone1000/corstone1000_config.h -@@ -0,0 +1,28 @@ -+/* -+ * Copyright (c) 2025, Arm Limited. All rights reserved. -+ * -+ * SPDX-License-Identifier: BSD-3-Clause -+ * -+ */ -+ -+#ifndef CORSTONE1000_CONFIG_H -+#define CORSTONE1000_CONFIG_H -+ -+#define FWU_IMAGE_COUNT 1 -+ -+/* Maximum payload size to be transferred at once to Secure Enclave */ -+#define MAX_PAYLOAD_SIZE 4096 -+ -+#define CORSTONE1000_FVP_FULL_CAPSULE_UUID \ -+{ 0x4e, 0x3a, 0x9f, 0x98, 0xe0, 0x46, 0xd0, 0x4c, 0x98, 0x77, 0xa2, 0x5c, 0x70, 0xc0, 0x13, 0x29, } -+ -+#define CORSTONE1000_MPS3_FULL_CAPSULE_UUID \ -+{ 0xd1, 0x65, 0x18, 0xdf, 0xfb, 0x90, 0x59, 0x4d, 0x9c, 0x38, 0xc9, 0xf2, 0xc1, 0xbb, 0xa8, 0xcc, } -+ -+/* Image indexes in the UEFI capsule */ -+enum fwu_image_index -+{ -+ FWU_IMAGE_INDEX_FULL_CAPSULE = 1, -+}; -+ -+#endif /* CORSTONE1000_CONFIG_H */ -diff --git a/deployments/se-proxy/infra/corstone1000/service_proxy_factory.c b/deployments/se-proxy/infra/corstone1000/service_proxy_factory.c -index ef91efe0..6e5f1221 100644 ---- a/deployments/se-proxy/infra/corstone1000/service_proxy_factory.c -+++ b/deployments/se-proxy/infra/corstone1000/service_proxy_factory.c -@@ -1,5 +1,5 @@ - /* -- * Copyright (c) 2021-2024, Arm Limited and Contributors. All rights reserved. -+ * Copyright (c) 2021-2025, Arm Limited and Contributors. All rights reserved. - * Copyright (c) 2021-2023, Linaro Limited. All rights reserved. - * - * SPDX-License-Identifier: BSD-3-Clause -@@ -19,6 +19,7 @@ - #include - #include "service/secure_storage/frontend/secure_storage_provider/secure_storage_uuid.h" - #include -+#include "corstone1000_config.h" - - /* backends */ - #include -@@ -27,6 +28,20 @@ - - static const struct rpc_uuid dummy_uuid = { 0 }; - -+static const struct psa_fwu_m_image_mapping img_mapping[FWU_IMAGE_COUNT] = { -+#if PLATFORM_IS_FVP -+ { -+ .uuid = CORSTONE1000_FVP_FULL_CAPSULE_UUID, -+ .component = FWU_IMAGE_INDEX_FULL_CAPSULE -+ }, -+#else -+ { -+ .uuid = CORSTONE1000_MPS3_FULL_CAPSULE_UUID, -+ .component = FWU_IMAGE_INDEX_FULL_CAPSULE -+ }, -+#endif -+}; -+ - struct rpc_service_interface *attest_proxy_create(void) - { - struct rpc_service_interface *attest_iface = NULL; -@@ -141,20 +156,20 @@ struct rpc_service_interface *fwu_proxy_create(void) - static struct fwu_provider fwu_provider = { 0 }; - - /* Static objects for proxy instance */ -- static struct rpc_caller_interface rss_comms = { 0 }; -+ static struct rpc_caller_interface rse_comms = { 0 }; - static struct rpc_caller_session rpc_session = { 0 }; - -- rpc_status = rss_comms_caller_init(&rss_comms); -+ rpc_status = rse_comms_caller_init(&rse_comms); - if (rpc_status != RPC_SUCCESS) - return NULL; - -- rpc_status = rpc_caller_session_open(&rpc_session, &rss_comms, &dummy_uuid, 0, 0); -+ rpc_status = rpc_caller_session_open(&rpc_session, &rse_comms, &dummy_uuid, 0, 0); - if (rpc_status != RPC_SUCCESS) - return NULL; - -- agent = psa_fwu_m_update_agent_init(NULL, 0, 4096); - if (psa_fwu_ipc_init(&rpc_session) != PSA_SUCCESS) - return NULL; -+ agent = psa_fwu_m_update_agent_init(img_mapping, FWU_IMAGE_COUNT, MAX_PAYLOAD_SIZE); - - return fwu_provider_init(&fwu_provider, agent); - } --- -2.25.1 - diff --git a/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0015-platform-corstone1000-Enable-ESRT-support.patch b/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0015-platform-corstone1000-Enable-ESRT-support.patch deleted file mode 100644 index 18581440..00000000 --- a/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0015-platform-corstone1000-Enable-ESRT-support.patch +++ /dev/null @@ -1,129 +0,0 @@ -From 27d3ce79128478cd163a2db113326c873bda8d08 Mon Sep 17 00:00:00 2001 -From: Harsimran Singh Tungal -Date: Fri, 28 Feb 2025 21:12:56 +0000 -Subject: [PATCH 6/8] platform: corstone1000: Enable ESRT support - -Enable ESRT support for Corstone-1000. -Introduce ESRT image UUID and its component number and -set TFM_FWU_MAX_DIGEST_SIZE to ESRT data size. - -Upstream-Status: Pending -Signed-off-by: Harsimran Singh Tungal ---- - .../infra/corstone1000/corstone1000_config.h | 3 +-- - .../corstone1000/service_proxy_factory.c | 22 +++++++++++++++++-- - .../providers/arm/corstone1000/platform.cmake | 9 ++++++++ - 3 files changed, 30 insertions(+), 4 deletions(-) - -diff --git a/deployments/se-proxy/infra/corstone1000/corstone1000_config.h b/deployments/se-proxy/infra/corstone1000/corstone1000_config.h -index 319401f3..4a68c2fa 100644 ---- a/deployments/se-proxy/infra/corstone1000/corstone1000_config.h -+++ b/deployments/se-proxy/infra/corstone1000/corstone1000_config.h -@@ -8,8 +8,6 @@ - #ifndef CORSTONE1000_CONFIG_H - #define CORSTONE1000_CONFIG_H - --#define FWU_IMAGE_COUNT 1 -- - /* Maximum payload size to be transferred at once to Secure Enclave */ - #define MAX_PAYLOAD_SIZE 4096 - -@@ -23,6 +21,7 @@ - enum fwu_image_index - { - FWU_IMAGE_INDEX_FULL_CAPSULE = 1, -+ FWU_IMAGE_INDEX_ESRT, - }; - - #endif /* CORSTONE1000_CONFIG_H */ -diff --git a/deployments/se-proxy/infra/corstone1000/service_proxy_factory.c b/deployments/se-proxy/infra/corstone1000/service_proxy_factory.c -index 6e5f1221..f0a4853e 100644 ---- a/deployments/se-proxy/infra/corstone1000/service_proxy_factory.c -+++ b/deployments/se-proxy/infra/corstone1000/service_proxy_factory.c -@@ -18,6 +18,7 @@ - #include "service/fwu/psa_fwu_m/interface/psa_ipc/psa_fwu_ipc.h" - #include - #include "service/secure_storage/frontend/secure_storage_provider/secure_storage_uuid.h" -+#include - #include - #include "corstone1000_config.h" - -@@ -26,9 +27,17 @@ - #include - #include - -+/* IMAGE_MAPPING_ELEMENT_COUNT includes the number of images to be updated and ESRT image */ -+#define IMAGE_MAPPING_ELEMENT_COUNT (FWU_IMAGE_CAPSULE_COUNT + 1) -+ -+/* The index to access the ESRT image in the psa_fwu_m_image_mapping structure -+ * collection. The ESRT image is always accessed at the end of the collection. -+ */ -+#define IMAGE_MAPPING_ESRT_INDEX (IMAGE_MAPPING_ELEMENT_COUNT - 1) -+ - static const struct rpc_uuid dummy_uuid = { 0 }; - --static const struct psa_fwu_m_image_mapping img_mapping[FWU_IMAGE_COUNT] = { -+static struct psa_fwu_m_image_mapping img_mapping[IMAGE_MAPPING_ELEMENT_COUNT] = { - #if PLATFORM_IS_FVP - { - .uuid = CORSTONE1000_FVP_FULL_CAPSULE_UUID, -@@ -42,6 +51,13 @@ static const struct psa_fwu_m_image_mapping img_mapping[FWU_IMAGE_COUNT] = { - #endif - }; - -+/* Every platform needs to define esrt image mapping, if ESRT image UUID is to be used to extract ESRT data */ -+static void define_esrt_image_mapping() -+{ -+ uuid_octets_from_canonical(&img_mapping[IMAGE_MAPPING_ESRT_INDEX].uuid, EFI_SYSTEM_RESOURCE_TABLE_CANONICAL_UUID); -+ img_mapping[IMAGE_MAPPING_ESRT_INDEX].component = FWU_IMAGE_INDEX_ESRT; -+} -+ - struct rpc_service_interface *attest_proxy_create(void) - { - struct rpc_service_interface *attest_iface = NULL; -@@ -169,7 +185,9 @@ struct rpc_service_interface *fwu_proxy_create(void) - - if (psa_fwu_ipc_init(&rpc_session) != PSA_SUCCESS) - return NULL; -- agent = psa_fwu_m_update_agent_init(img_mapping, FWU_IMAGE_COUNT, MAX_PAYLOAD_SIZE); -+ -+ define_esrt_image_mapping(); -+ agent = psa_fwu_m_update_agent_init(img_mapping, IMAGE_MAPPING_ELEMENT_COUNT, MAX_PAYLOAD_SIZE); - - return fwu_provider_init(&fwu_provider, agent); - } -diff --git a/platform/providers/arm/corstone1000/platform.cmake b/platform/providers/arm/corstone1000/platform.cmake -index 60bc208b..db1e9743 100644 ---- a/platform/providers/arm/corstone1000/platform.cmake -+++ b/platform/providers/arm/corstone1000/platform.cmake -@@ -6,11 +6,18 @@ - # Platform definition for the Corstone-1000 platform. - #------------------------------------------------------------------------------- - -+# For ESRT v1 details : https://uefi.org/specs/UEFI/2.9_A/23_Firmware_Update_and_Reporting.html#efi-system-resource-table -+set(FWU_IMAGE_CAPSULE_COUNT 4 CACHE STRING "Maximum number of FWU Images in a capsule to be updated") -+set(ESRT_IMAGE_ENTRY_SIZE 40 CACHE STRING "Size of one ESRT v1 Image entry structure object") -+set(ESRT_REMAINING_FIELDS_SIZE 16 CACHE STRING "Size of remaining fields of ESRT v1 table structure") -+math(EXPR TOTAL_ESRT_SIZE "${FWU_IMAGE_CAPSULE_COUNT} * ${ESRT_IMAGE_ENTRY_SIZE} + ${ESRT_REMAINING_FIELDS_SIZE}" OUTPUT_FORMAT DECIMAL) -+ - set(SMM_GATEWAY_MAX_UEFI_VARIABLES 80 CACHE STRING "Maximum UEFI variable count") - set(SMM_RPC_CALLER_SESSION_SHARED_MEMORY_SIZE 4*4096 CACHE STRING "RPC caller buffer size in SMMGW") - set(SMM_SP_HEAP_SIZE 80*1024 CACHE STRING "SMM gateway SP heap size") - set(PLAT_RSE_COMMS_PAYLOAD_MAX_SIZE 0x43C0 CACHE STRING "Size of the RSE_COMMS_PAYLOAD buffer") - set(COMMS_MHU_MSG_SIZE 0x4500 CACHE STRING "Max message size that can be transfered via MHU") -+set(TFM_FWU_MAX_DIGEST_SIZE ${TOTAL_ESRT_SIZE} CACHE STRING "Maximum size of ESRT entries of all the images in a bank") - - target_compile_definitions(${TGT} PRIVATE - SMM_VARIABLE_INDEX_STORAGE_UID=0x787 -@@ -18,6 +25,8 @@ target_compile_definitions(${TGT} PRIVATE - COMMS_MHU_MSG_SIZE=${COMMS_MHU_MSG_SIZE} - MBEDTLS_ECP_DP_SECP521R1_ENABLED - PLATFORM_IS_FVP=${PLATFORM_IS_FVP} -+ TFM_FWU_MAX_DIGEST_SIZE=${TFM_FWU_MAX_DIGEST_SIZE} -+ FWU_IMAGE_CAPSULE_COUNT=${FWU_IMAGE_CAPSULE_COUNT} - ) - - get_property(_platform_driver_dependencies TARGET ${TGT} --- -2.25.1 - diff --git a/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0021-Align-PSA-Crypto-structs-with-TF-Mv2.1.1.patch b/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0021-Align-PSA-Crypto-structs-with-TF-Mv2.1.1.patch deleted file mode 100644 index 238037cd..00000000 --- a/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0021-Align-PSA-Crypto-structs-with-TF-Mv2.1.1.patch +++ /dev/null @@ -1,29 +0,0 @@ -From 71da6c0384fb241cadf052968e8dce9c357e4a33 Mon Sep 17 00:00:00 2001 -From: Ali Can Ozaslan -Date: Tue, 29 Apr 2025 07:52:14 +0000 -Subject: [PATCH] Align PSA Crypto structs with TF-Mv2.1.1 - -The psa_client_key_attributes_s struct had to be aligned with the -psa_key_attributes_s struct in TF-M. - -Signed-off-by: Ali Can Ozaslan -Upstream-Status: Backport [Included in version v1.2.0] ---- - components/service/crypto/include/psa/crypto_client_struct.h | 1 - - 1 file changed, 1 deletion(-) - -diff --git a/components/service/crypto/include/psa/crypto_client_struct.h b/components/service/crypto/include/psa/crypto_client_struct.h -index ebc4008..f0c8cad 100644 ---- a/components/service/crypto/include/psa/crypto_client_struct.h -+++ b/components/service/crypto/include/psa/crypto_client_struct.h -@@ -38,7 +38,6 @@ struct psa_client_key_attributes_s - uint32_t alg; - uint32_t alg2; - uint32_t id; -- int32_t owner_id; - }; - - #define PSA_CLIENT_KEY_ATTRIBUTES_INIT {0, 0, 0, 0, 0, 0} --- -2.34.1 -