This consists of two slightly related series. For the first, to quote
the author:
This series implements 2 features in driver/firmware/scmi.
First, a single change adds support for SCMI OP-TEE transport to
use OP-TEE native shared memory. See the 1st patch in this series:
"firmware: scmi: optee: use TEE shared memory for SCMI messages".
Then come changes for supporting multi-channel in the SCMI drivers.
I've split the implementation in 11 several small incremental changes
in the hope it helps the review. Few minor fixup commits are also
inserted in the series.
And the second series implements some smccc improvements.
To quote the author:
This series introduces ASAN and a basic fuzzing infrastructure that
works with sandbox. The example fuzz test towards the end of the series
will find something pretty quickly. That something is fixed by the
series "virtio: Harden and test vring" that needs to be applied for the
final patch in this series.
There is some refactoring to stop using '.' prefixed sections. ELF
defines sections with names that contain anything that isn't
alphanumeric or an underscore as being for system use which means
clang's ASAN instrumentation happily add redzones between the contained
objects. That's not what we want for things like linker lists where the
linker script has carefully placed the sections contiguously. By
renaming the sections, clang sees them as user sections and doesn't add
instrumentation.
ASAN is left disabled by default as there are still some tests that it
triggers on and will need some more investigation to fix. It can be
enabled with CONFIG_ASAN or passing `-a ASAN` to buildman.
Adds random number generator driver using Arm SMCCC TRNG interface to
get entropy bytes from secure monitor. The driver registers as an
Arm SMCCC feature driver to allow PSCI driver to bind a device for
when secure monitor exposes RNG support from Arm SMCCC TRNG interface.
Cc: Sughosh Ganu <sughosh.ganu@linaro.org>
Cc: Heinrich Schuchardt <xypron.glpk@gmx.de>
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Use PSCI device to query Arm SMCCC v1.1 support from secure monitor
and if so, bind drivers for the SMCCC features that monitor supports.
Drivers willing to be bound from Arm SMCCC features discovery can use
macro ARM_SMCCC_FEATURE_DRIVER() to register to smccc feature discovery,
providing target driver name and a callback function that returns
whether or not the SMCCC feature is supported by the system.
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Defines function IDs ARM_SMCCC_ARCH_FEATURES used to query SMCCC feature
support, applicable from Arm SMCCC v1.1 specification.
Defines macro ARM_SMCCC_RET_NOT_SUPPORTED as generic return identifier
for when a SMCCC feature is not supported.
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Updates .process_msg operators of the SCMI transport drivers that
supports multi-channel to use it now that drivers do provide
the reference through channel argument. These are the mailbox
agent, the optee agent and the smccc agent.
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Update SCMI regulator controller driver to get its assigned SCMI channel
during initialization. This change allows SCMI voltage domain protocol
to use a dedicated channel when defined in the DT. The reference is
saved in SCMI regulator controller driver private data.
Cc: Jaehoon Chung <jh80.chung@samsung.com>
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jaehoon Chung <jh80.chung@samsung.com>
Update SCMI reset controller driver to get its assigned SCMI channel
during initialization. This change allows SCMI reset domain protocol
to use a dedicated channel when defined in the DT. The reference is
saved in SCMI reset controller driver private data.
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Update SCMI clock driver to get its assigned SCMI channel during
initialization. This change allows SCMI clock protocol to use a
dedicated channel when defined in the DT. The reference is saved
in SCMI clock driver private data.
Cc: Lukasz Majewski <lukma@denx.de>
Cc: Sean Anderson <seanga2@gmail.com>
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Implements multi SCMI channel support in OP-TEE SCMI transport. An
SCMI protocol may use a dedicated channel, specified by the DT.
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Updates SCMI SMCCC transport driver to get SCMI channel reference
at initialization and use when posting SCMI messages.
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Updates SCMI mailbox transport driver to get SCMI channel reference
at initialization and use when posting SCMI messages.
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Adds resources for SCMI protocols to possibly use a dedicated SCMI
channel instead of the default channel allocated by the SCMI agent
during initialization. As per DT binding documentation, some SCMI
transports can define a specific SCMI communication channel for
given SCMI protocols. It allows SCMI protocols to pass messages
concurrently each other.
This change introduces new scmi agent uclass API function
devm_scmi_of_get_channel() for SCMI drivers probe sequences to get
a reference to the SCMI channel assigned to its related SCMI protocol.
The function queries the channel reference to its SCMI transport driver
through new scmi agent uclass operator .of_get_channel that uses Device
Tree information from related SCMI agent node.
Operator .of_get_channel returns a reference to the SCMI channel
assigned to SCMI protocol used by the caller device. SCMI transport
drivers that do not support multi-channel are not mandated to register
this operator. When so, API function devm_scmi_of_get_channel() returns
NULL and SCMI transport driver are expected to retrieve by their own
means the reference to the unique SCMI channel, for example using
platform data as these drivers currently do in U-Boot source tree.
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Defines local helper function find_scmi_transport_device() with the
instructions to find the SCMI transport device from a SCMI protocol
device.
Cc: Patrick Delaunay <patrick.delaunay@foss.st.com>
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Changes SCMI driver API function devm_scmi_process_msg() to add
an SCMI channel reference argument for when SCMI agent supports
SCMI protocol specific channels. First argument of devm_scmi_process_msg()
is also change to point to the caller SCMI protocol device rather
than its parent device (the SCMI agent device).
The argument is a pointer to opaque struct scmi_channel known from
the SCMI transport drivers. It is currently unused and caller a pass
NULL value. A later change will enable such support once SCMI protocol
drivers have means to get the channel reference during initialization.
Cc: Lukasz Majewski <lukma@denx.de>
Cc: Sean Anderson <seanga2@gmail.com>
Cc: Jaehoon Chung <jh80.chung@samsung.com>
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Changes implementation when using TEE dynamically allocated shared
memory to synchronize with the Linux implementation where the legacy
SMT protocol cannot be used with such memory since it is expected from
device mapped memory whereas OP-TEE shared memory is cached and
hence should not be accessed using memcpy_toio()/memcpy_fromio().
This change implements the MSG shared memory protocol introduced
in Linux [1]. The protocol uses a simplified SMT header of 32bit
named MSG_SMT to carry SCMI protocol information and uses side channel
means to carry exchanged buffer size information, as TEE invocation API
parameters when used in the SCMI OP-TEE transport.
Link: [1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f301bba0ca7392d16a6ea4f1d264a91f1fadea1a
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Add a fuzzer to test the vring handling code against unexpected
mutations from the virtio device.
After building the sandbox with CONFIG_FUZZ=y, the fuzzer can be invoked
with by:
UBOOT_SB_FUZZ_TEST=fuzz_vring ./u-boot
This fuzzer finds unvalidated inputs in the vring driver that allow a
buggy or malicious device to make the driver chase wild pointers.
Signed-off-by: Andrew Scull <ascull@google.com>
Add a fuzzing engine driver for the sandbox to take inputs from
libfuzzer and expose them to the fuzz tests.
Signed-off-by: Andrew Scull <ascull@google.com>
Add an implementation of LLVMFuzzerTestOneInput() that starts the
sandbox on a secondary thread and exposes a function to synchronize the
generation of fuzzing inputs with their consumption by the sandbox.
Signed-off-by: Andrew Scull <ascull@google.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Move the program's entry point to os.c, in preparation for a separate
fuzzing entry point to be added.
Signed-off-by: Andrew Scull <ascull@google.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Add the basic infrastructure for declaring fuzz tests and a command to
invoke them.
Signed-off-by: Andrew Scull <ascull@google.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
This new class of device will provide fuzzing inputs from a fuzzing
engine.
Signed-off-by: Andrew Scull <ascull@google.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
In order to prevent build regressions with ASAN, add the builds to CI.
The longer term objective will be to enabled test targets with ASAN
enabled, but there are too many at the moment.
Signed-off-by: Andrew Scull <ascull@google.com>
The stack protector test intentionally overflows a buffer in order to
corrupt the stack canary so that it can test that the corruption is
detected as expected. However, this is incompatible with ASAN, which
detects the buffer overflow and interrupts the test, so disable the test
for such configurations.
Signed-off-by: Andrew Scull <ascull@google.com>
Add CONFIG_ASAN to build with the Address Sanitizer. This only works
with the sandbox so the config is likewise dependent. The resulting
executable will have ASAN instrumentation, including the leak detector
that can be disabled with the ASAN_OPTIONS environment variable:
ASAN_OPTIONS=detect_leaks=0 ./u-boot
Since u-boot uses its own dlmalloc, dynamic allocations aren't
automatically instrumented, but stack variables and globals are.
Instrumentation could be added to dlmalloc to poison and unpoison memory
as it is allocated and deallocated, and to introduce redzones between
allocations. Alternatively, the sandbox may be able to play games with
the system allocator and somehow still keep the required memory
abstraction. No effort to address dynamic allocation is made by this
patch.
The config is not yet enabled for any targets by default.
Signed-off-by: Andrew Scull <ascull@google.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Rename the sections used to implement linker lists so they begin with
'__u_boot_list' rather than '.u_boot_list'. The double underscore at the
start is still distinct from the single underscore used by the symbol
names.
Having a '.' in the section names conflicts with clang's ASAN
instrumentation which tries to add redzones between the linker list
elements, causing expected accesses to fail. However, clang doesn't try
to add redzones to user sections, which are names with all alphanumeric
and underscore characters.
Signed-off-by: Andrew Scull <ascull@google.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Rename the sections used for defining sandbox command line options so
that they don't start with a '.'. ELF says that sections starting with a
'.' are reserved for system use, but the sandbox runs as a normal user
process so should be using user sections instead.
Clang's ASAN adds redzones to non-user sections and the extra padding
meant that the list of options was being corrupted. Naming the sections
as user sections avoids this issue as clang handles them as we intended.
Signed-off-by: Andrew Scull <ascull@google.com>
Rename the sections used for placing the EFI runtime so that they don't
start with a '.'. ELF says that sections starting with a '.' are
reserved for system use, but the sandbox runs as a normal user process
so should be using user sections instead.
Clang's ASAN adds redzones to non-user sections and the extra padding
meant that the list of options was being corrupted. Naming the sections
as user sections avoids this issue as clang handles them as we intended.
Signed-off-by: Andrew Scull <ascull@google.com>
Fix the buffer underflow that would occur if puts is called with length
of zero.
Fixes: efa51f2bd6 ("serial: sandbox: Implement puts")
Cc: Sean Anderson <sean.anderson@seco.com>
Cc: Simon Glass <sjg@chromium.org>
Reviewed-by: Sean Anderson <sean.anderson@seco.com>
AST2600 supports boot from SPI(mmap), eMMC, and UART.
This patch adds the boot mode detection and return the
corresponding boot device type.
Signed-off-by: Chia-Wei Wang <chiawei_wang@aspeedtech.com>
The commit b583348ca8 ("image: fit: Align hash output buffers") places
the hash output buffer at the .bss section. However, AST2600 by default
executes SPL in the NOR flash XIP way. This results in the hash output
cannot be written to the buffer as it is located at the R/X only region.
We need to move the .bss section out of the SPL body to the DRAM space,
where hash output can be written to. This patch includes:
- Define the .bss section base and size
- A new SPL linker script is added with a separate .bss region specified
- Enable CONFIG_SPL_SEPARATE_BSS kconfig option
Signed-off-by: Chia-Wei Wang <chiawei_wang@aspeedtech.com>
Reviewed-by: Neal Liu <neal_liu@aspeedtech.com>
The HPE SoC is new to linux. A basic device tree layout with minimum
required for linux to boot including a timer and watchdog support has
been created.
The dts file is empty at this point but will be updated in subsequent
updates as board specific features are enabled.
Signed-off-by: Nick Hawkins <nick.hawkins@hpe.com>
The GXP supports 3 separate SPI interfaces to accommodate the system
flash, core flash, and other functions. The SPI engine supports variable
clock frequency, selectable 3-byte or 4-byte addressing and a
configurable x1, x2, and x4 command/address/data modes. The memory
buffer for reading and writing ranges between 256 bytes and 8KB. This
driver supports access to the core flash.
Signed-off-by: Nick Hawkins <nick.hawkins@hpe.com>
Add support for the HPE GXP SOC timer. The GXP supports several different
kinds of timers but for the purpose of this driver there is only support
for the General Timer. The timer has a 1us resolution and is 56 bits.
Signed-off-by: Nick Hawkins <nick.hawkins@hpe.com>
The GXP is the HPE BMC SoC that is used in the majority
of current generation HPE servers. Traditionally the asic will
last multiple generations of server before being replaced.
Info about SoC:
HPE GXP is the name of the HPE Soc. This SoC is used to implement many BMC
features at HPE. It supports ARMv7 architecture based on the Cortex A9
core. It is capable of using an AXI bus to whicha memory controller is
attached. It has multiple SPI interfaces to connect boot flash and BIOS
flash. It uses a 10/100/1000 MAC for network connectivity. It has multiple
i2c engines to drive connectivity with a host infrastructure. There
currently are no public specifications but this process is being worked.
Signed-off-by: Nick Hawkins <nick.hawkins@hpe.com>
