Add MM communication support using FF-A transport
This feature allows accessing MM partitions services through
EFI MM communication protocol. MM partitions such as StandAlonneMM
or smm-gateway secure partitions which reside in secure world.
An MM shared buffer and a door bell event are used to exchange
the data.
The data is used by EFI services such as GetVariable()/SetVariable()
and copied from the communication buffer to the MM shared buffer.
The secure partition is notified about availability of data in the
MM shared buffer by an FF-A message (door bell).
On such event, MM SP can read the data and updates the MM shared
buffer with the response data.
The response data is copied back to the communication buffer and
consumed by the EFI subsystem.
MM communication protocol supports FF-A 64-bit direct messaging.
We tested the FF-A MM communication on the Corstone-1000 platform.
We ran the UEFI SCT test suite containing EFI setVariable, getVariable and
getNextVariable tests which involve FF-A MM communication and all tests
are passing with the current changes.
We made the SCT test reports (part of the ACS results) public following the
latest Corstone-1000 platform software release. Please find the test
reports at [1].
[1]: https://gitlab.arm.com/arm-reference-solutions/arm-reference-solutions-test-report/-/tree/master/embedded-a/corstone1000/CORSTONE1000-2023.06/acs_results_fpga.zip
Signed-off-by: Abdellatif El Khlifi <abdellatif.elkhlifi@arm.com>
Tested-by: Gowtham Suresh Kumar <gowtham.sureshkumar@arm.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Cc: Tom Rini <trini@konsulko.com>
Cc: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Cc: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Reviewed-by: Tom Rini <trini@konsulko.com>
Provide armffa command showcasing the use of the U-Boot FF-A support
armffa is a command showcasing how to invoke FF-A operations.
This provides a guidance to the client developers on how to
call the FF-A bus interfaces. The command also allows to gather secure
partitions information and ping these partitions. The command is also
helpful in testing the communication with secure partitions.
For more details please refer to the command documentation [1].
A Sandbox test is provided for the armffa command.
[1]: doc/usage/cmd/armffa.rst
Signed-off-by: Abdellatif El Khlifi <abdellatif.elkhlifi@arm.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Cc: Tom Rini <trini@konsulko.com>
Cc: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Cc: Jens Wiklander <jens.wiklander@linaro.org>
Cc: Heinrich Schuchardt <xypron.glpk@gmx.de>
Add functional test cases for the FF-A support
These tests rely on the FF-A sandbox emulator and FF-A
sandbox driver which help in inspecting the FF-A communication.
Signed-off-by: Abdellatif El Khlifi <abdellatif.elkhlifi@arm.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Cc: Tom Rini <trini@konsulko.com>
Cc: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Cc: Jens Wiklander <jens.wiklander@linaro.org>
Cc: Heinrich Schuchardt <xypron.glpk@gmx.de>
Emulate Secure World's FF-A ABIs and allow testing U-Boot FF-A support
Features of the sandbox FF-A support:
- Introduce an FF-A emulator
- Introduce an FF-A device driver for FF-A comms with emulated Secure World
- Provides test methods allowing to read the status of the inspected ABIs
The sandbox FF-A emulator supports only 64-bit direct messaging.
Signed-off-by: Abdellatif El Khlifi <abdellatif.elkhlifi@arm.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Cc: Tom Rini <trini@konsulko.com>
Cc: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Cc: Jens Wiklander <jens.wiklander@linaro.org>
Cc: Heinrich Schuchardt <xypron.glpk@gmx.de>
Add Arm FF-A support implementing Arm Firmware Framework for Armv8-A v1.0
The Firmware Framework for Arm A-profile processors (FF-A v1.0) [1]
describes interfaces (ABIs) that standardize communication
between the Secure World and Normal World leveraging TrustZone
technology.
This driver uses 64-bit registers as per SMCCCv1.2 spec and comes
on top of the SMCCC layer. The driver provides the FF-A ABIs needed for
querying the FF-A framework from the secure world.
The driver uses SMC32 calling convention which means using the first
32-bit data of the Xn registers.
All supported ABIs come with their 32-bit version except FFA_RXTX_MAP
which has 64-bit version supported.
Both 32-bit and 64-bit direct messaging are supported which allows both
32-bit and 64-bit clients to use the FF-A bus.
FF-A is a discoverable bus and similar to architecture features.
FF-A bus is discovered using ARM_SMCCC_FEATURES mechanism performed
by the PSCI driver.
Clients are able to probe then use the FF-A bus by calling the DM class
searching APIs (e.g: uclass_first_device).
The Secure World is considered as one entity to communicate with
using the FF-A bus. FF-A communication is handled by one device and
one instance (the bus). This FF-A driver takes care of all the
interactions between Normal world and Secure World.
The driver exports its operations to be used by upper layers.
Exported operations:
- ffa_partition_info_get
- ffa_sync_send_receive
- ffa_rxtx_unmap
Generic FF-A methods are implemented in the Uclass (arm-ffa-uclass.c).
Arm specific methods are implemented in the Arm driver (arm-ffa.c).
For more details please refer to the driver documentation [2].
[1]: https://developer.arm.com/documentation/den0077/latest/
[2]: doc/arch/arm64.ffa.rst
Signed-off-by: Abdellatif El Khlifi <abdellatif.elkhlifi@arm.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Cc: Tom Rini <trini@konsulko.com>
Cc: Jens Wiklander <jens.wiklander@linaro.org>
Cc: Heinrich Schuchardt <xypron.glpk@gmx.de>
provide a test case
Signed-off-by: Abdellatif El Khlifi <abdellatif.elkhlifi@arm.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Cc: Tom Rini <trini@konsulko.com>
convert UUID string to little endian binary data
Signed-off-by: Abdellatif El Khlifi <abdellatif.elkhlifi@arm.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Cc: Tom Rini <trini@konsulko.com>
Cc: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Cc: Jens Wiklander <jens.wiklander@linaro.org>
add support for x0-x17 registers used by the SMC calls
In SMCCC v1.2 [1] arguments are passed in registers x1-x17.
Results are returned in x0-x17.
This work is inspired from the following kernel commit:
arm64: smccc: Add support for SMCCCv1.2 extended input/output registers
[1]: https://documentation-service.arm.com/static/5f8edaeff86e16515cdbe4c6?token=
Signed-off-by: Abdellatif El Khlifi <abdellatif.elkhlifi@arm.com>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Simon Glass <sjg@chromium.org>
Cc: Tom Rini <trini@konsulko.com>
In [1] Sam points out an assertion does not hold true for 32-bit
platforms, which only impacts Large File Support (LFS) API usage
in erofs-utils according to Xiang [2]. We don't think these APIs
are used in u-boot and this restriction could be safely removed.
[1] https://lists.denx.de/pipermail/u-boot/2023-July/524679.html
[2] https://lists.denx.de/pipermail/u-boot/2023-July/524727.html
Fixes: 3a21e92fc2 ("fs/erofs: Introduce new features including ztailpacking, fragments and dedupe")
Signed-off-by: Yifan Zhao <zhaoyifan@sjtu.edu.cn>
Tested-by: Sam Edwards <CFSworks@gmail.com>
CONFIG_$(SPL_TPL_)SYS_MALLOC_F_LEN is defined as hex. If set to zero
manually, .config contains '0x0' and not '0' as value.
The default value for CONFIG_SPL_SYS_MALLOC_F_LEN should not be set to 0
but to 0x0 if CONFIG_SPL_FRAMEWORK=n to match a manually set value.
Fixes: c0126bd862 ("spl: Support bootstage, log, hash and early malloc in TPL")
Fixes: b616947052 ("SPL: Do not enable SPL_SYS_MALLOC_SIMPLE without SPL_FRAMEWORK by default")
Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Reviewed-by: Tom Rini <trini@konsulko.com>
All SPL hash algorithm options are collected in lib/Kconfig. Move
SPL_CRC32 there as well.
Signed-off-by: Oleksandr Suvorov <oleksandr.suvorov@foundries.io>
Reviewed-by: Simon Glass <sjg@chromium.org>
There is another SPL_MD5 option defined in lib/Kconfig.
Renaming SPL_MD5_SUPPORT introduced duplicate option with
different description. As for now FIT and hash algorithm options
are not related to each others, removing a duplicate option seems OK.
Fixes: 4b00fd1a84 ("Kconfig: Rename SPL_MD5_SUPPORT to SPL_MD5")
Signed-off-by: Oleksandr Suvorov <oleksandr.suvorov@foundries.io>
In the common bloblist code we call crc32 to get a checksum for the
data. Ensure we will have the CRC32 code via select.
Signed-off-by: Tom Rini <trini@konsulko.com>
With this change the DT and binding files are under the at91 tree
maintainer, and get_maintainer.pl correctly reports the entry.
Signed-off-by: Eugen Hristev <eugen.hristev@collabora.com>
The retimer reset/power on logic was changed in a recent commit,
however, it neglected to check if the commands sent to the
board microcontroller (to control power to the retimer chip)
actually completed.
Add return checks for these operations so any failures will
be reported to the user.
Signed-off-by: Mathew McBride <matt@traverse.com.au>
Fixes: 7a041fea2 ("board: traverse: ten64: ensure retimer reset
is done on new board revisions")
Update MAINTAINERS file. Add missing MAINTAINERS file for Spider,
Whitehawk and V3HSK boards. Update mail addresses. Add file globs
to match on DT and driver files related to these boards.
The GRPEACH and R2DPLUS are special in that they are not R-Car
and have their own set of specialized drivers.
Signed-off-by: Marek Vasut <marek.vasut+renesas@mailbox.org>
As Pali Rohár has asked to not be copied on changes to files he is not
a specific maintainer of, add his address to .get_maintainer.ignore.
Signed-off-by: Tom Rini <trini@konsulko.com>
Reviewed-by: Michael Trimarchi <michael@amarulasolutions.com>
To reduce overall job time, move a number of smaller jobs together.
These should still be safely under 1 hour total time, but reducing the
overall number of jobs should help with the queue slightly.
Signed-off-by: Tom Rini <trini@konsulko.com>
The job for rockchip vendor platforms has again gotten close to or
exceeded one hour. Rework things such that we move the 32bit platforms
back to the general 32bit ARM job (as there's time there) and make these
build only the 64bit platforms.
Signed-off-by: Tom Rini <trini@konsulko.com>
buildman minor fixes
-----BEGIN PGP SIGNATURE-----
iQFFBAABCgAvFiEEslwAIq+Gp8wWVbYnfxc6PpAIreYFAmTOp5wRHHNqZ0BjaHJv
bWl1bS5vcmcACgkQfxc6PpAIreYApAf+P45nQXX2L0lFpu5vJQ+Xy1VHDh+OE5sU
yVWm2A0zc7L0TyLn4fX5PGF+1C7gZjYGQ6I9OVroS58fXR5o6WjCelCMhE1wxL5i
AgHKmrUUw6XUalF317RquRWDPLAD6KZ1T8XUgjF2PnBwd2RwMH4zW/Ls73UFBf+4
gIi0zlqLsX8zSeFAyitRWobM4gJT4PUAxz7jexBEk9y3EjOufcLqpdl2Y4JAxTtl
82AYy9nJbPyFrT9lIGP9nfPenVPGKL6wdzc5C/sGLeRlutNKgrJTnjWRkJV+ThPx
mIZVSzwi2cbYnMpq1nEGnj+cH6R73xxybj17MVzevyAQNXAZcZfQ+Q==
=Nbd9
-----END PGP SIGNATURE-----
Merge tag 'dm-pull-5aug23' of https://source.denx.de/u-boot/custodians/u-boot-dm
binman support for Xilinx signing
buildman minor fixes
Some boards use a MAINTAINERS entry to specify common files without
referencing any defconfigs. This is allowed and should not result in a
warning.
Drop the warning in this case.
Signed-off-by: Simon Glass <sjg@chromium.org>
Recent refactoring changed buildman to continue operation after fetching
a toolchain. Fix this.
Fixes: b868064652 ("bulidman: Move toolchain handling to a function")
Signed-off-by: Simon Glass <sjg@chromium.org>
DM_POST_INIT was changed to DM_POST_INIT_F.
To debug correct message, change type_name from dm_post_init to
dm_post_init_f.
Signed-off-by: Jaehoon Chung <jh80.chung@samsung.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
s/an/a/ :
Signed-off-by: Simon Glass <sjg@chromium.org>
Add test for the 'xilinx-bootgen' etype
Signed-off-by: Lukas Funke <lukas.funke@weidmueller.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Allow missing bootgen tool; comment testXilinxBootgenMissing() comment:
Signed-off-by: Simon Glass <sjg@chromium.org>
This adds a new etype 'xilinx-bootgen'. By using this etype it is
possible to created an signed SPL (FSBL in Xilinx terms) for
ZynqMP boards.
The etype uses Xilinx Bootgen tools in order to transform the SPL into
a bootable image and sign the image with a given primary and secondary
public key. For more information to signing the FSBL please refer to the
Xilinx Bootgen documentation.
Here is an example of the etype in use:
spl {
filename = "boot.signed.bin";
xilinx-bootgen {
pmufw-filename = "pmu-firmware.elf";
psk-key-name-hint = "psk0";
ssk-key-name-hint = "ssk0";
auth-params = "ppk_select=0", "spk_id=0x00000000";
u-boot-spl-nodtb {
};
u-boot-spl-dtb {
};
};
};
For this to work the hash of the primary public key has to be fused
into the ZynqMP device and authentication (RSA_EN) has to be set.
For testing purposes: if ppk hash check should be skipped one can add
the property 'fsbl_config = "bh_auth_enable";' to the etype. However,
this should only be used for testing(!).
Signed-off-by: Lukas Funke <lukas.funke@weidmueller.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Add the Xilinx Bootgen as bintool. Xilinx Bootgen is used to create
bootable SPL (FSBL in Xilinx terms) images for Zynq/ZynqMP devices. The
btool creates a signed version of the SPL. Additionally to signing the
key source for the decryption engine can be passend to the boot image.
Signed-off-by: Lukas Funke <lukas.funke@weidmueller.com>
The nature of the network stack means that if we are going to use the
gadget mode USB network driver there's no easy path to implicitly
bind/unbind the driver. Enable the "bind" command by default here so
that we can bind/unbind this as needed.
Signed-off-by: Tom Rini <trini@konsulko.com>
Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com>
Move the ethernet gadget driver registration and removal from ethernet
bind and unbind callbacks into driver DM probe and remove callbacks.
This way, when the driver is bound, which is triggered deliberately
using 'bind' command, the USB ethernet gadget driver is instantiated
and bound to the matching UDC. In reverse, when the driver is unbound,
which is again triggered deliberately using 'unbind' command, the USB
ethernet gadget driver instance is removed.
Effectively, this now behaves like running either 'ums' or 'dfu' or
any other commands utilizing USB gadget functionality.
This also drops use of usb_gadget_release() and moves the use of
usb_gadget_initialize() into usb_ether_init() used only by legacy
platforms that do not use 'bind' command properly yet. Those have
no place in drivers.
Signed-off-by: Marek Vasut <marex@denx.de>
Tested-by: Tom Rini <trini@konsulko.com>
Reviewed-by: Tom Rini <trini@konsulko.com>
Move the driver probe function above the driver structure, so it
can be placed alongside other related functions, like upcoming
remove function. No functional change.
Signed-off-by: Marek Vasut <marex@denx.de>
Tested-by: Tom Rini <trini@konsulko.com>
Tested-by: Miquel Raynal <miquel.raynal@bootlin.com>
Tested-by: Miquel Raynal <miquel.raynal@bootlin.com>
Reviewed-by: Tom Rini <trini@konsulko.com>
These functions here are only ever called once since drop of non-DM
networking code. Inline them. No functional change.
Signed-off-by: Marek Vasut <marex@denx.de>
Tested-by: Tom Rini <trini@konsulko.com>
Tested-by: Miquel Raynal <miquel.raynal@bootlin.com>
Reviewed-by: Tom Rini <trini@konsulko.com>
Two Toradex platform series. First, to quote Andrejs:
This series adds Yavia Carrier board name string to the known
Toradex carrier board list, and reworks carrier board and display
adapter name handling.
And then to quote Marcel:
This series adds initial support for the Toradex Verdin AM62 SoM.
The first commit adds resp. PID4s to the ConfigBlock, the second one
fixes an early clocking issue confirmed to be a weird bug in TI's
scripting, the third one fixes some binman labeling issue. And last but
not least support for the Toradex Verdin AM62 is added.
This adds initial support for the Toradex Verdin AM62 Quad 1GB WB IT
V1.0A module and subsequent V1.1 launch configuration SKUs. They are
strapped to boot from their on-module eMMC. U-Boot supports booting
from the on-module eMMC only, DFU support is disabled for now due to
missing AM62x USB support.
The device trees were taken straight from Linux v6.5-rc1.
Boot sequence is:
SYSFW ---> R5 SPL (both in tiboot3.bin) ---> ATF (TF-A) ---> OP-TEE
---> A53 SPL (part of tispl.bin) ---> U-boot proper (u-boot.img)
Signed-off-by: Marcel Ziswiler <marcel.ziswiler@toradex.com>
Reviewed-by: Nishanth Menon <nm@ti.com>
Fix rcfg_yaml to really point to rm-cfg.yaml and pcfg_yaml to really
point to pm-cfg.yaml which likely is the intention.
While at it also add labels for the remaining items like custmpk_pem,
dkey_pem, bcfg_yaml_sysfw, scfg_yaml_sysfw, pcfg_yaml_sysfw and
rcfg_yaml_sysfw.
Signed-off-by: Marcel Ziswiler <marcel.ziswiler@toradex.com>
Reviewed-by: Neha Malcom Francis <n-francis@ti.com>
Reviewed-by: Nishanth Menon <nm@ti.com>
Fix second mux option of clkout0 which should really be
DEV_BOARD0_CLKOUT0_IN_PARENT_HSDIV4_16FFT_MAIN_2_HSDIVOUT1_CLK10
rather than twice the same according to [1].
[1] https://software-dl.ti.com/tisci/esd/latest/5_soc_doc/am62x/clocks.html#clocks-for-board0-device
Signed-off-by: Marcel Ziswiler <marcel.ziswiler@toradex.com>
Reviewed-by: Bryan Brattlof <bb@ti.com>
Reviewed-by: Nishanth Menon <nm@ti.com>
Rework the rather big array of zero length strings with 4 entries of
actual display adapter names to a array of structs which ties a pid4
to its correspondent human readable string.
Provide an accessor to get the string for a given PID4.
Signed-off-by: Max Krummenacher <max.krummenacher@toradex.com>
Signed-off-by: Andrejs Cainikovs <andrejs.cainikovs@toradex.com>
Rework the rather big array of zero length strings with 4 entries of
actual carrier board names to a array of structs which ties a pid4
to its correspondent human readable string.
Provide an accessor to get the string for a given PID4.
Rework the user of the information to use the accessor.
Note that check_pid8_sanity() is used for early samples of Dahlia and
the development board. Yavia isn't affected.
Signed-off-by: Max Krummenacher <max.krummenacher@toradex.com>
Signed-off-by: Andrejs Cainikovs <andrejs.cainikovs@toradex.com>
Add the Yavia Carrier board name string to the known carrier
board list.
Signed-off-by: Max Krummenacher <max.krummenacher@toradex.com>
Signed-off-by: Andrejs Cainikovs <andrejs.cainikovs@toradex.com>
The implementation in extlinux_pxe_getfile() does not pass a valid size
to bootmeth_read_file(), so this can fail if the uninited value happens to
be too small.
Fix this.
Signed-off-by: Simon Glass <sjg@chromium.org>
The implementation in distro_efi_try_bootflow_files() does not pass a
valid size to bootmeth_common_read_file(), so this can fail if the
uninted value happens to be too small.
Fix this.
This was reported by someone but I cannot now find the email.
Signed-off-by: Simon Glass <sjg@chromium.org>
The current bootflow-iteration algorithm reads the bootflow file into
an allocated memory buffer so it can be examined. This works well in
most cases.
However, while the common case is that the first bootflow is immediately
booted, it is also possible just to scan for available bootflows, perhaps
selecting one to boot later.
Even with the common case, EFI bootflows can be quite large. It doesn't
make sense to read it into an allocated buffer when we have kernel_addr_t
providing a suitable address for it. Even if we do have plenty of malloc()
space available, it is a violation of U-Boot's lazy-init principle to
read the bootflow before it is needed.
So overall it seems better to make a change.
Adjust the logic to read just the size of the EFI file at first. Later,
when the bootflow is booted, read the rest of the file into the designated
kernel buffer.
Signed-off-by: Simon Glass <sjg@chromium.org>
Reported-by: Da Xue <da@libre.computer>
Reported-by: Vincent Stehlé <vincent.stehle@arm.com>
This checks for a network-based bootflow in two places, one of which is
less than ideal. Move the correct test into a function and use it in both
places.
Signed-off-by: Simon Glass <sjg@chromium.org>