From patchwork Wed May 18 13:13:54 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Emekcan Aras X-Patchwork-Id: 8227 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 393D8C43217 for ; Wed, 18 May 2022 13:14:17 +0000 (UTC) Received: from foss.arm.com (foss.arm.com [217.140.110.172]) by mx.groups.io with SMTP id smtpd.web09.4818.1652879648589924736 for ; Wed, 18 May 2022 06:14:09 -0700 Authentication-Results: mx.groups.io; dkim=missing; spf=pass (domain: arm.com, ip: 217.140.110.172, mailfrom: emekcan.aras@arm.com) Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id 3979123A; Wed, 18 May 2022 06:14:08 -0700 (PDT) Received: from e126835.arm.com (unknown [10.57.2.226]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPSA id 076D73F73D; Wed, 18 May 2022 06:14:06 -0700 (PDT) From: emekcan.aras@arm.com To: meta-arm@lists.yoctoproject.org, Ross.Burton@arm.com Cc: nd@arm.com, emeara01 , Emekcan Aras Subject: [PATCH 1/3] arm/trusted-firmware-a: upgrade mbedtls to 2.28 Date: Wed, 18 May 2022 14:13:54 +0100 Message-Id: <20220518131356.86191-2-emekcan.aras@arm.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20220518131356.86191-1-emekcan.aras@arm.com> References: <20220518131356.86191-1-emekcan.aras@arm.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 18 May 2022 13:14:17 -0000 X-Groupsio-URL: https://lists.yoctoproject.org/g/meta-arm/message/3433 
From: emeara01 The latest TF-A version requires mbedtls v2.28. This commit upgrades mbedtls to v2.28 for the TF-A recipe. An upstreamed patch is included in the base recipe from TF-A master that fixes the build issues between TF-A 2.6 and Mbedtls 2.28. Signed-off-by: Emekcan Aras --- ...uild-deps-upgrade-to-mbed-TLS-2.28.0.patch | 72 +++++++++++++++++++ .../trusted-firmware-a/trusted-firmware-a.inc | 4 +- .../trusted-firmware-a_2.6.bb | 6 +- 3 files changed, 78 insertions(+), 4 deletions(-) create mode 100644 meta-arm/recipes-bsp/trusted-firmware-a/files/build-deps-upgrade-to-mbed-TLS-2.28.0.patch diff --git a/meta-arm/recipes-bsp/trusted-firmware-a/files/build-deps-upgrade-to-mbed-TLS-2.28.0.patch b/meta-arm/recipes-bsp/trusted-firmware-a/files/build-deps-upgrade-to-mbed-TLS-2.28.0.patch new file mode 100644 index 00000000..058423c6 --- /dev/null +++ b/meta-arm/recipes-bsp/trusted-firmware-a/files/build-deps-upgrade-to-mbed-TLS-2.28.0.patch 
@@ -0,0 +1,72 @@ +Upstream-Status: Backport +Signed-off-by: Emekcan Aras + +From a93084be95634b66b917f1c8baf403067dc75c5d Mon Sep 17 00:00:00 2001 +From: Sandrine Bailleux +Date: Thu, 21 Apr 2022 10:21:29 +0200 +Subject: [PATCH] build(deps): upgrade to mbed TLS 2.28.0 + +Upgrade to the latest and greatest 2.x release of Mbed TLS library +(i.e. v2.28.0) to take advantage of their bug fixes. + +Note that the Mbed TLS project published version 3.x some time +ago. However, as this is a major release with API breakages, upgrading +to 3.x might require some more involved changes in TF-A, which we are +not ready to do. We shall upgrade to mbed TLS 3.x after the v2.7 +release of TF-A. + +Actually, the upgrade this time simply boils down to including the new +source code module 'constant_time.c' into the firmware. + +To quote mbed TLS v2.28.0 release notes [1]: + + The mbedcrypto library includes a new source code module + constant_time.c, containing various functions meant to resist timing + side channel attacks. This module does not have a separate + configuration option, and functions from this module will be + included in the build as required. + +As a matter of fact, if one is attempting to link TF-A against mbed +TLS v2.28.0 without the present patch, one gets some linker errors +due to missing symbols from this new module. + +Apart from this, none of the items listed in mbed TLS release +notes [1] directly affect TF-A. Special note on the following one: + + Fix a bug in mbedtls_gcm_starts() when the bit length of the iv + exceeds 2^32. + +In TF-A, we do use mbedtls_gcm_starts() when the firmware decryption +feature is enabled with AES-GCM as the authenticated decryption +algorithm (DECRYPTION_SUPPORT=aes_gcm). However, the iv_len variable +which gets passed to mbedtls_gcm_starts() is an unsigned int, i.e. a +32-bit value which by definition is always less than 2**32. Therefore, +we are immune to this bug. 
+ +With this upgrade, the size of BL1 and BL2 binaries does not appear to +change on a standard sample test build (with trusted boot and measured +boot enabled). + +[1] https://github.com/Mbed-TLS/mbedtls/releases/tag/v2.28.0 + +Change-Id: Icd5dbf527395e9e22c8fd6b77427188bd7237fd6 +Signed-off-by: Sandrine Bailleux +--- + drivers/auth/mbedtls/mbedtls_common.mk | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/auth/mbedtls/mbedtls_common.mk b/drivers/auth/mbedtls/mbedtls_common.mk +index 0a4775d00..3eb41617f 100644 +--- a/drivers/auth/mbedtls/mbedtls_common.mk ++++ b/drivers/auth/mbedtls/mbedtls_common.mk +@@ -48,6 +48,7 @@ LIBMBEDTLS_SRCS := $(addprefix ${MBEDTLS_DIR}/library/, \ + rsa_internal.c \ + x509.c \ + x509_crt.c \ ++ constant_time.c \ + ) + + # The platform may define the variable 'TF_MBEDTLS_KEY_ALG' to select the key +-- +2.25.1 + diff --git a/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a.inc b/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a.inc index 2e3b50c5..510a7d44 100644 --- a/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a.inc +++ b/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a.inc @@ -6,7 +6,9 @@ PACKAGE_ARCH = "${MACHINE_ARCH}" inherit deploy SRC_URI = "git://git.trustedfirmware.org/TF-A/trusted-firmware-a.git;protocol=https;name=tfa;branch=master \ - file://ssl.patch" + file://ssl.patch \ + file://build-deps-upgrade-to-mbed-TLS-2.28.0.patch" + UPSTREAM_CHECK_GITTAGREGEX = "^v(?P\d+(\.\d+)+)$" SRCREV_FORMAT = "tfa" diff --git a/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_2.6.bb b/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_2.6.bb index ec1bec95..89a92141 100644 --- a/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_2.6.bb +++ b/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_2.6.bb 
@@ -5,8 +5,8 @@ SRCREV_tfa = "a1f02f4f3daae7e21ee58b4c93ec3e46b8f28d15" LIC_FILES_CHKSUM += "file://docs/license.rst;md5=b2c740efedc159745b9b31f88ff03dde" -# mbed TLS v2.26.0 -SRC_URI_MBEDTLS = "git://github.com/ARMmbed/mbedtls.git;name=mbedtls;protocol=https;destsuffix=git/mbedtls;branch=master" -SRCREV_mbedtls = "e483a77c85e1f9c1dd2eb1c5a8f552d2617fe400" +# mbed TLS v2.28.0 +SRC_URI_MBEDTLS = "git://github.com/ARMmbed/mbedtls.git;name=mbedtls;protocol=https;destsuffix=git/mbedtls;branch=mbedtls-2.28" +SRCREV_mbedtls = "8b3f26a5ac38d4fdccbc5c5366229f3e01dafcc0" LIC_FILES_CHKSUM_MBEDTLS = "file://mbedtls/LICENSE;md5=3b83ef96387f14655fc854ddc3c6bd57" From patchwork Wed May 18 13:13:55 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Emekcan Aras X-Patchwork-Id: 8226 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 23C97C433EF for ; Wed, 18 May 2022 13:14:17 +0000 (UTC) Received: from foss.arm.com (foss.arm.com [217.140.110.172]) by mx.groups.io with SMTP id smtpd.web12.4714.1652879650173666024 for ; Wed, 18 May 2022 06:14:10 -0700 Authentication-Results: mx.groups.io; dkim=missing; spf=pass (domain: arm.com, ip: 217.140.110.172, mailfrom: emekcan.aras@arm.com) Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id D9D2123A; Wed, 18 May 2022 06:14:09 -0700 (PDT) Received: from e126835.arm.com (unknown [10.57.2.226]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPSA id 8BC213F73D; Wed, 18 May 2022 06:14:08 -0700 (PDT) 
From: emekcan.aras@arm.com To: meta-arm@lists.yoctoproject.org, Ross.Burton@arm.com Cc: nd@arm.com, emeara01 , Emekcan Aras Subject: [PATCH 2/3] arm-bsp/trusted-firmware-a: corstone1000: fix FF-A Version in SPMC manifest Date: Wed, 18 May 2022 14:13:55 +0100 Message-Id: <20220518131356.86191-3-emekcan.aras@arm.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20220518131356.86191-1-emekcan.aras@arm.com> References: <20220518131356.86191-1-emekcan.aras@arm.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 18 May 2022 13:14:17 -0000 X-Groupsio-URL: https://lists.yoctoproject.org/g/meta-arm/message/3434 From: emeara01 FF-A version is defined as 1.1 in corstone1000_spmc_manifest.dts. However, SPMC does not support FF-A version 1.1 at the moment. This commit fixes the FF-A version issue by defining it as 1.0 again. Signed-off-by: Emekcan Aras --- ...01-Fix-FF-A-version-in-SPMC-manifest.patch | 34 +++++++++++++++++++ .../trusted-firmware-a-corstone1000.inc | 4 +++ 2 files changed, 38 insertions(+) create mode 100644 meta-arm-bsp/recipes-bsp/trusted-firmware-a/files/corstone1000/0001-Fix-FF-A-version-in-SPMC-manifest.patch diff --git a/meta-arm-bsp/recipes-bsp/trusted-firmware-a/files/corstone1000/0001-Fix-FF-A-version-in-SPMC-manifest.patch b/meta-arm-bsp/recipes-bsp/trusted-firmware-a/files/corstone1000/0001-Fix-FF-A-version-in-SPMC-manifest.patch new file mode 100644 index 00000000..016de8d3 --- /dev/null +++ b/meta-arm-bsp/recipes-bsp/trusted-firmware-a/files/corstone1000/0001-Fix-FF-A-version-in-SPMC-manifest.patch 
@@ -0,0 +1,34 @@ +Upstream-Status: Inappropriate +Signed-off-by: Emekcan Aras + +From a31aee0988ef64724ec5866f10709f51f8cb3237 Mon Sep 17 00:00:00 2001 +From: emeara01 +Date: Wed, 11 May 2022 14:37:06 +0100 +Subject: [PATCH] Fix FF-A version in SPMC manifest + +OPTEE does not support FF-A version 1.1 in SPMC at the moment. +This commit corrects the FF-A version in corstone1000_spmc_manifest.dts. +This patch will not be upstreamed and will be dropped once +OPTEE version is updated for Corstone1000. + +Signed-off-by: Emekcan Aras +--- + .../corstone1000/common/fdts/corstone1000_spmc_manifest.dts | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/plat/arm/board/corstone1000/common/fdts/corstone1000_spmc_manifest.dts b/plat/arm/board/corstone1000/common/fdts/corstone1000_spmc_manifest.dts +index 8e49ab83f..5baa1b115 100644 +--- a/plat/arm/board/corstone1000/common/fdts/corstone1000_spmc_manifest.dts ++++ b/plat/arm/board/corstone1000/common/fdts/corstone1000_spmc_manifest.dts +@@ -20,7 +20,7 @@ + attribute { + spmc_id = <0x8000>; + maj_ver = <0x1>; +- min_ver = <0x1>; ++ min_ver = <0x0>; + exec_state = <0x0>; + load_address = <0x0 0x2002000>; + entrypoint = <0x0 0x2002000>; +-- +2.17.1 + diff --git a/meta-arm-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a-corstone1000.inc b/meta-arm-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a-corstone1000.inc index ac4a412c..bf5d2759 100644 --- a/meta-arm-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a-corstone1000.inc +++ b/meta-arm-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a-corstone1000.inc 
@@ -6,6 +6,10 @@ FILESEXTRAPATHS:prepend := "${THISDIR}/files/corstone1000:" SRCREV_tfa = "cf89fd57ed3286d7842eef41cd72a3977eb6d317" PV = "2.6+git${SRCPV}" +SRC_URI:append = " \ + file://0001-Fix-FF-A-version-in-SPMC-manifest.patch \ + " + SRC_URI:remove = " \ file://ssl.patch \ " From patchwork Wed May 18 13:13:56 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Emekcan Aras X-Patchwork-Id: 8225 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 2A385C4332F for ; Wed, 18 May 2022 13:14:17 +0000 (UTC) Received: from foss.arm.com (foss.arm.com [217.140.110.172]) by mx.groups.io with SMTP id smtpd.web08.4677.1652879652391329733 for ; Wed, 18 May 2022 06:14:12 -0700 Authentication-Results: mx.groups.io; dkim=missing; spf=pass (domain: arm.com, ip: 217.140.110.172, mailfrom: emekcan.aras@arm.com) Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id 9CCB523A; Wed, 18 May 2022 06:14:11 -0700 (PDT) Received: from e126835.arm.com (unknown [10.57.2.226]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPSA id 4BCD63F73D; Wed, 18 May 2022 06:14:10 -0700 (PDT) 
From: emekcan.aras@arm.com To: meta-arm@lists.yoctoproject.org, Ross.Burton@arm.com Cc: nd@arm.com, emeara01 , Emekcan Aras Subject: [PATCH 3/3] arm-bsp/trusted-firmware-a: increase BL2 size for TC Date: Wed, 18 May 2022 14:13:56 +0100 Message-Id: <20220518131356.86191-4-emekcan.aras@arm.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20220518131356.86191-1-emekcan.aras@arm.com> References: <20220518131356.86191-1-emekcan.aras@arm.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 18 May 2022 13:14:17 -0000 X-Groupsio-URL: https://lists.yoctoproject.org/g/meta-arm/message/3435 From: emeara01 The new mbedtls version (v2.28) increases the size of TF-A slightly. This commit increases the size of BL2 for TC, so that TF-A with the updated mbedtls version can fit. Signed-off-by: Emekcan Aras --- .../files/tc/0001-plat-tc-Increase-maximum-BL2-size.patch | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/meta-arm-bsp/recipes-bsp/trusted-firmware-a/files/tc/0001-plat-tc-Increase-maximum-BL2-size.patch b/meta-arm-bsp/recipes-bsp/trusted-firmware-a/files/tc/0001-plat-tc-Increase-maximum-BL2-size.patch index b6a5b4de..e9755efc 100644 --- a/meta-arm-bsp/recipes-bsp/trusted-firmware-a/files/tc/0001-plat-tc-Increase-maximum-BL2-size.patch +++ b/meta-arm-bsp/recipes-bsp/trusted-firmware-a/files/tc/0001-plat-tc-Increase-maximum-BL2-size.patch @@ -22,10 +22,10 @@ index ccabced9e..f45457b9f 100644 */ #if TRUSTED_BOARD_BOOT -# define PLAT_ARM_MAX_BL2_SIZE 0x20000 -+# define PLAT_ARM_MAX_BL2_SIZE 0x22000 ++# define PLAT_ARM_MAX_BL2_SIZE 0x25000 #else -# define PLAT_ARM_MAX_BL2_SIZE 0x14000 -+# define PLAT_ARM_MAX_BL2_SIZE 0x16000 ++# define PLAT_ARM_MAX_BL2_SIZE 0x19000 #endif /*
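Review bot: In [PATCH 1/3], the new file build-deps-upgrade-to-mbed-TLS-2.28.0.patch opens with "Upstream-Status: Backport" but gives no pointer to the upstream change; the hash a93084be95634b66b917f1c8baf403067dc75c5d appears only in the embedded "From" line. Put the reference in the status line itself, in the form "Upstream-Status: Backport [<TF-A commit reference>]", so the patch can be identified and dropped once SRCREV_tfa moves past the commit that adds constant_time.c to LIBMBEDTLS_SRCS.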
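Review bot: In [PATCH 1/3], adding "file://build-deps-upgrade-to-mbed-TLS-2.28.0.patch" to SRC_URI in the shared trusted-firmware-a.inc makes every recipe that includes it apply a patch written against the TF-A 2.6 copy of mbedtls_common.mk. [PATCH 2/3] shows trusted-firmware-a-corstone1000.inc pinned to a different SRCREV_tfa (cf89fd57ed3286d7842eef41cd72a3977eb6d317) and removing only ssl.patch, so if that revision already lists constant_time.c the patch step will fail there. Consider moving the entry into trusted-firmware-a_2.6.bb next to SRCREV_mbedtls, or extending the SRC_URI:remove lists of the machine-specific includes that do not need it. The blank line added before UPSTREAM_CHECK_GITTAGREGEX looks unintended.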
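Review bot: In [PATCH 1/3], the trusted-firmware-a_2.6.bb hunk moves SRCREV_mbedtls to 8b3f26a5ac38d4fdccbc5c5366229f3e01dafcc0 and the branch to mbedtls-2.28 but leaves LIC_FILES_CHKSUM_MBEDTLS untouched; please confirm that mbedtls/LICENSE at the new revision still has md5 3b83ef96387f14655fc854ddc3c6bd57. The "# mbed TLS v2.28.0" comment is the only thing tying the hash to a release, so it would help to state in the commit message that this SRCREV is the commit of the v2.28.0 tag rather than a later commit on the branch.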
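Review bot: In [PATCH 2/3], the header of 0001-Fix-FF-A-version-in-SPMC-manifest.patch reads "Upstream-Status: Inappropriate" with no bracketed reason, and the two commit messages disagree on the cause: the outer one says the SPMC does not support FF-A 1.1, the inner one says OPTEE does not. Suggest "Upstream-Status: Inappropriate [<reason>]" naming the component and the condition for removal, so the "min_ver = <0x0>" downgrade in corstone1000_spmc_manifest.dts is not carried forward after the OPTEE version for Corstone1000 is updated.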
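Review bot: In [PATCH 3/3], both PLAT_ARM_MAX_BL2_SIZE values grow by 0x3000 (0x22000 to 0x25000 with TRUSTED_BOARD_BOOT, 0x16000 to 0x19000 without), but the commit message only says the size increases "slightly" and gives no measured BL2 size. The upstream message carried in [PATCH 1/3] reports that BL1 and BL2 sizes do not appear to change on a standard sample build, so please record the actual BL2 size for TC before and after the mbedtls upgrade and note that the enlarged limit still fits the memory reserved for BL2 without overlapping the adjacent images. Since this edits 0001-plat-tc-Increase-maximum-BL2-size.patch in place, the description inside that patch should be updated to match the new values as well.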