The Secure Channel Protocol 03 command sends control requests
(enable/provision) to the TEE implementing the protocol between the
processor and the secure element.
Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io> Reviewed-by: Simon Glass <sjg@chromium.org>
Adds support for a working SCP03 emulation. Input parameters are
validated however the commands (enable, provision) executed by the TEE
are assumed to always succeed.
Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io> Reviewed-by: Simon Glass <sjg@chromium.org>
Enable and provision the SCP03 keys on a TEE controlled secured elemt
from the U-Boot shell.
Executing this command will generate and program new SCP03 encryption
keys on the secure element NVM.
Depending on the TEE implementation, the keys would then be stored in
some persistent storage or better derived from some platform secret
(so they can't be lost).
Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io> Reviewed-by: Simon Glass <sjg@chromium.org> Reviewed-by: Igor Opaniuk <igor.opaniuk@foundries.io>
common: SCP03 control (enable and provision of keys)
This Trusted Application allows enabling SCP03 as well as provisioning
the keys on TEE controlled secure element (ie, NXP SE050).
All the information flowing on buses (ie I2C) between the processor
and the secure element must be encrypted. Secure elements are
pre-provisioned with a set of keys known to the user so that the
secure channel protocol (encryption) can be enforced on the first
boot. This situation is however unsafe since the keys are publically
available.
For example, in the case of the NXP SE050, these keys would be
available in the OP-TEE source tree [2] and of course in the
documentation corresponding to the part.
To address that, users are required to rotate/provision those keys
(ie, generate new keys and write them in the secure element's
persistent memory).
For information on SCP03, check the Global Platform HomePage and
google for that term [1]
[1] globalplatform.org
[2] https://github.com/OP-TEE/optee_os/
check:
core/drivers/crypto/se050/adaptors/utils/scp_config.c
Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io> Reviewed-by: Simon Glass <sjg@chromium.org>
Simon Glass [Sun, 7 Feb 2021 21:27:05 +0000 (14:27 -0700)]
test: acpi: Fix warnings on 32-bit build
Some format strings use the wrong type. Fix them.
Example warnings:
In file included from test/dm/acpi.c:22:
test/dm/acpi.c: In function ‘dm_test_acpi_cmd_list’:
test/dm/acpi.c:362:21: warning: format ‘%lx’ expects argument of type
‘long unsigned int’, but argument 4 has type ‘unsigned int’ [-Wformat=]
ut_assert_nextline("RSDP %08lx %06lx (v02 U-BOOT)", addr,
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
sizeof(struct acpi_rsdp));
~~~~~~~~~~~~~~~~~~~~~~~~
include/test/ut.h:282:33: note: in definition of macro ‘ut_assert_nextline’
if (ut_check_console_line(uts, fmt, ##args)) { \
^~~
Simon Glass [Sun, 7 Feb 2021 21:27:04 +0000 (14:27 -0700)]
tpm: Correct warning on 32-bit build
Fix the warning:
drivers/tpm/tpm2_tis_sandbox.c: In function ‘sandbox_tpm2_xfer’:
drivers/tpm/tpm2_tis_sandbox.c:288:48: warning: format ‘%ld’ expects
argument of type ‘long int’, but argument 2 has type ‘size_t’
{aka ‘unsigned int’} [-Wformat=]
printf("TPM2: Unmatching length, received: %ld, expected: %d\n",
~~^
%d
send_size, length);
~~~~~~~~~
Signed-off-by: Simon Glass <sjg@chromium.org> Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Simon Glass [Thu, 21 Jan 2021 03:10:54 +0000 (20:10 -0700)]
log: Add return-checking macros for 0 being success
The existing log_ret() and log_msg_ret() macros consider an error to be
less than zero. But some function may return a positive number to indicate
a different kind of failure. Add macros to check for that also.
Simon Glass [Thu, 21 Jan 2021 03:10:53 +0000 (20:10 -0700)]
log: Handle line continuation
When multiple log() calls are used which don't end in newline, the
log prefix is prepended multiple times in the same line. This makes the
output look strange.
Fix this by detecting when the previous log record did not end in newline.
In that case, setting a flag.
Drop the unused BUFFSIZE in the test while we are here.
As an example implementation, update log_console to check the flag and
produce the expected output.
Simon Glass [Thu, 21 Jan 2021 03:10:52 +0000 (20:10 -0700)]
log: Set up a flag byte for log records
At present only a single flag (force_debug) is used in log records. Before
adding more, convert this into a bitfield, so more can be added without
using more space.
To avoid expanding the log_record struct itself (which some drivers may
wish to store in memory) reduce the line-number field to 16 bits. This
provides for up to 64K lines which should be enough for anyone.
Simon Glass [Mon, 8 Mar 2021 00:35:16 +0000 (17:35 -0700)]
test: sandbox: Move sandbox test docs into doc/develop
At present some of the documentation about running sandbox tests is in the
sandbox docs. It makes more sense to put it in with the other testing
docs, with a link there from sandbox. Update the documentation
accordingly.
Also add a paragraph explaining why sandbox exists and the test philosophy
that it uses.
Simon Glass [Mon, 8 Mar 2021 00:35:15 +0000 (17:35 -0700)]
spl: test: Add a test for spl_load_simple_fit()
As an example of an SPL test, add a new test for loading a FIT within
SPL. This runs on sandbox_spl. For this to work, the text base is adjusted
so that there is plenty of space available.
While we are here, document struct spl_load_info properly, since this is
currently ambiguous.
This test only verifies the logic path. It does not actually check that
the image is loaded correctly. It is not possible for sandbox's SPL to
actually run u-boot.img since it currently includes u-boot.bin rather than
u-boot. Further work could expand the test in that direction.
Simon Glass [Mon, 8 Mar 2021 00:35:14 +0000 (17:35 -0700)]
spl: Convert spl_fit to work with sandbox
At present this casts addresses to pointers so cannot work with sandbox.
Update the code to use map_sysmem() instead.
As part of this change, the existing load_ptr is renamed to src_ptr since
it is not a pointer to load_addr. It is confusing to use a similar name
for something that is not actually related. For the alignment code,
ALIGN() is used instead of open-coded alignment. Add a comment to the line
that casts away a const.
Use a (new) load_ptr variable to access memory at address load_addr.
Simon Glass [Mon, 8 Mar 2021 00:35:13 +0000 (17:35 -0700)]
sandbox: Update os_find_u_boot() to find the .img file
At present this function can only locate the u-boot ELF file. For SPL it
is handy to be able to locate u-boot.img since this is what would normally
be loaded by SPL.
Add another argument to allow this to be selected.
While we are here, update the function to load SPL when running in TPL,
since that is the next stage.
Simon Glass [Mon, 8 Mar 2021 00:35:11 +0000 (17:35 -0700)]
test: Rename all linker lists to have a ut_ prefix
At present each test suite has its own portion of the linker_list section
of the image, but other lists are interspersed. This makes it hard to
enumerate all the available tests without knowing the suites that each one
is in.
Place all tests together in a single contiguous list by giving them
common prefix not used elsewhere in U-Boot. This makes it possible to find
the start and end of all tests.
Simon Glass [Mon, 8 Mar 2021 00:35:10 +0000 (17:35 -0700)]
test: Add a macros for finding tests in linker_lists
At present we use the linker list directly. This is not very friendly, so
add a helpful macro instead. This will also allow us to change the naming
later without updating this code.
Simon Glass [Mon, 8 Mar 2021 00:35:07 +0000 (17:35 -0700)]
test: Move the devicetree check into ut_run_list()
Add a check to ut_run_list() as to whether a list has driver model tests.
Move the logic for the test devicetree into that function, in an effort
to eventually remove all logic from dm_test_run().
Simon Glass [Mon, 8 Mar 2021 00:35:06 +0000 (17:35 -0700)]
test: Use return values in dm_test_run()
Update this function to use the return value of ut_run_list() to check for
success/failure, so that they are in sync. Also return a command success
code so that the caller gets what it expects.
Simon Glass [Mon, 8 Mar 2021 00:35:04 +0000 (17:35 -0700)]
test: Use a local variable for test state
At present we use a global test state for all driver-model tests. Make use
of a local struct like we do with the other tests.
To make this work, add functions to get and set this state. When a test
starts, the state is set (so it can be used in the test). When a test
finishes, the state is unset, so it cannot be used by mistake.
Simon Glass [Mon, 8 Mar 2021 00:35:03 +0000 (17:35 -0700)]
test: Add ut_run_test_live_flat() to run tests twice
Driver model tests are generally run twice, once with livetree enable and
again with it disabled. Add a function to handle this and call it from the
driver model test runner.
Make ut_run_test() private since it is not used outside test-main.c now.
Simon Glass [Mon, 8 Mar 2021 00:35:01 +0000 (17:35 -0700)]
test: Use ut_run_test() to run driver model tests
Instead of having a separate function for running driver model tests, use
the common one. Make the pre/post-run functions private since we don't
need these outside of test-main.c
Simon Glass [Mon, 8 Mar 2021 00:34:57 +0000 (17:34 -0700)]
test: Drop struct dm_test_state
Driver model is a core part of U-Boot. We don't really need to have a
separate test structure for the driver model tests and it makes it harder
to write a test if you have to think about which type of test it is.
Subsume the fields from struct dm_test_state into struct unit_test_state
and delete the former.
Simon Glass [Mon, 8 Mar 2021 00:34:56 +0000 (17:34 -0700)]
test: Handle driver model reinit in test_pre_run()
For driver model tests we want to reinit the data structures so that
everything is in a known state before the test runs. This avoids one test
changing something that breaks a subsequent tests.
Simon Glass [Mon, 8 Mar 2021 00:34:49 +0000 (17:34 -0700)]
test: Call test_pre/post_run() from driver model tests
Ultimately we want to get rid of the special driver model test init and
use test_pre_run() and test_post_run() for all tests. As a first step,
use those function to handle console recording.
For now we need a special case for setting uts->start, but that wil go
away once all init is in one place.
Simon Glass [Mon, 8 Mar 2021 00:34:47 +0000 (17:34 -0700)]
test: Add an overall test runner
Add a new test runner that will eventually be able to run any test. For
now, have it run the 'command' unit tests, so that the functionality in
cmd_ut_category() moves into it.
Simon Glass [Mon, 8 Mar 2021 00:34:44 +0000 (17:34 -0700)]
test: Correct setexpr test prefix
This prefix should be for setexpr, not mem. This means that trying to
select just these tests to run does not work. Fix it.
For some reason this provokes an assertion failure due to memory not
being freed. Move the env_set() in setexpr_test_str() to before the
malloc() heap size size is recorded and disable the rest in
setexpr_test_str_oper().
Simon Glass [Mon, 8 Mar 2021 00:34:42 +0000 (17:34 -0700)]
doc: Explain how to run tests without pytest
Add details about how to run a sandbox test directly, without using
pytest. This is more convenient for rapid development, since it is faster
and allows easier use of a debugger. Also mention sandbox_flattree as an
example of the different sandbox builds available.
Simon Glass [Mon, 8 Mar 2021 00:34:37 +0000 (17:34 -0700)]
dm: core: Fix allocation of empty of-platdata
With of-platdata we always have a dtv struct that holds the platform data
provided by the driver_info record. However, this struct can be empty if
there are no actual devicetree properties provided.
The upshot of empty platform data is that it will end up as a zero-size
member in the BSS section, which is fine. But if the driver specifies
plat_auto then it expects the correct amount of space to be allocated.
At present this does not happen, since device_bind() assumes that the
platform-data size will always be >0. As a result we end up not
allocating the space and just use the BSS region, overwriting whatever
other contents are present.
Fix this by removing the condition that platform data be non-empty, always
allocating space if requested.
This fixes a strange bug that has been lurking since of-platdata was
implemented. It has likely never been noticed since devices normally have
at least some devicetree properties, BSS is seldom used on SPL, the dtv
structs are normally at the end of bss and the overwriting only happens
if a driver changes its platform data.
It was discovered using sandbox_spl, which exercises more features than
a normal board might, and the critical global_data variable 'gd' happened
to be at the end of BSS.
Fixes: 9fa28190091 ("dm: core: Expand platdata for of-platdata devices") Signed-off-by: Simon Glass <sjg@chromium.org>
Simon Glass [Fri, 5 Feb 2021 04:22:09 +0000 (21:22 -0700)]
gpio: Add a way to read 3-way strapping pins
Using the internal vs. external pull resistors it is possible to get
27 different combinations from 3 strapping pins. Add an implementation
of this.
This involves updating the sandbox GPIO driver to model external and
(weaker) internal pull resistors. The get_value() method now takes account
of what is driving a pin:
sandbox: GPIOD_EXT_DRIVEN - in which case GPIO_EXT_HIGH provides the
value
outside source - in which case GPIO_EXT_PULL_UP/DOWN indicates the
external state and we work the final state using those flags and
the internal GPIOD_PULL_UP/DOWN flags
Of course the outside source does not really exist in sandbox. We are just
modelling it for test purpose.
Simon Glass [Fri, 5 Feb 2021 04:22:07 +0000 (21:22 -0700)]
gpio: sandbox: Track whether a GPIO is driven
Add a new flag to keep track of whether sandbox is driving the pin, or
whether it is expecting an input signal. If it is driving, then the value
of the pin is the value being driven (0 or 1). If not driving, then we
consider the value 0, since we don't currently handle things like pull-ups
yet.
Signed-off-by: Simon Glass <sjg@chromium.org> Reviewed-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Simon Glass [Fri, 5 Feb 2021 04:22:05 +0000 (21:22 -0700)]
gpio: Use an 'ops' variable everywhere
Update this driver to use the common method of putting the driver
operations in an 'ops' variable install of calling gpio_get_ops()
repeatedly. Make it const since operations do not change.
Signed-off-by: Simon Glass <sjg@chromium.org> Reviewed-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Simon Glass [Fri, 5 Feb 2021 04:22:04 +0000 (21:22 -0700)]
gpio: Replace direction_input() and direction_output()
The new update_flags() method is more flexible since it allows the
driver to see the full flags all at once. Use that in preference to these
two functions. Add comments to that effect.
Signed-off-by: Simon Glass <sjg@chromium.org> Reviewed-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Simon Glass [Fri, 5 Feb 2021 04:22:03 +0000 (21:22 -0700)]
dm: gpio: Add a way to update flags
It is convenient to be able to adjust some of the flags for a GPIO while
leaving others alone. Add a function for this.
Update dm_gpio_set_dir_flags() to make use of this.
Also update dm_gpio_set_value() to use this also, since this allows the
open-drain / open-source features to be implemented directly in the
driver, rather than using the uclass workaround.
Update the sandbox tests accordingly. This involves a lot of changes to
dm_test_gpio_opendrain_opensource() since we no-longer have the direciion
being reported differently depending on the open drain/open source flags.
Also update the STM32 drivers to let the uclass handle the active low/high
logic.
Drop the GPIOD_FLAGS_OUTPUT() macro which is no-longer used.
Signed-off-by: Simon Glass <sjg@chromium.org> Tested-by: Kory Maincent <kory.maincent@bootlin.com> Reviewed-by: Patrick Delaunay <patrick.delaunay@foss.st.com> Tested-by: Patrick Delaunay <patrick.delaunay@foss.st.com> Reviewed-by: Patrick Delaunay <patrick.delaunay@foss.st.com> Tested-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Simon Glass [Fri, 5 Feb 2021 04:22:01 +0000 (21:22 -0700)]
gpio: sandbox: Fully separate pin value from output value
At present we have the concept of a pin's external value. This is what
is used when getting the value of a pin. But we still set the
GPIOD_IS_OUT_ACTIVE flag when changing the value. This is not actually
correct, since if the pin changes from output to input, the external
value need not change. Adjust the logic for this difference.
Signed-off-by: Simon Glass <sjg@chromium.org> Reviewed-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Simon Glass [Fri, 5 Feb 2021 04:22:00 +0000 (21:22 -0700)]
gpio: sandbox: Use a separate flag for the value
At present with the sandbox GPIO driver it is not possible to change the
value of GPIOD_IS_OUT_ACTIVE unless the GPIO is an output. This makes it
hard to test changing the flags since we need to be aware of the internal
workings of the driver.
The feature is designed to aid testing.
Split this feature out into a separate sandbox-specific flag, so that the
flags can change unimpeded. This will make it easier to allow updating the
flags in a future patch.
Simon Glass [Fri, 5 Feb 2021 04:21:59 +0000 (21:21 -0700)]
gpio: sandbox: Rename GPIO dir_flags to flags
Adjust the terminology in this driver to reflect that fact that all flags
are handled, not just direction flags.
Create a new access function to get the full GPIO state, not just the
direction flags. Drop the static invalid_dir_flags since we can rely on a
segfault if something is wrong.
Signed-off-by: Simon Glass <sjg@chromium.org> Reviewed-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Simon Glass [Fri, 5 Feb 2021 04:21:56 +0000 (21:21 -0700)]
dm: gpio: Rename get_dir_flags() method to get_flags()
It is more useful to be able to read all the flags, not just the direction
ones. In fact this is what the STM32 driver does. Update the method name
to reflect this.
Tweak the docs a little and use 'flagsp' as the return argument, as is
common in driver model, to indicate it returns a value.
Signed-off-by: Simon Glass <sjg@chromium.org> Reviewed-by: Patrick Delaunay <patrick.delaunay@foss.st.com> Reviewed-by: Pratyush Yadav <p.yadav@ti.com>
Jagan Teki [Mon, 22 Feb 2021 00:12:34 +0000 (00:12 +0000)]
video: sunxi_display: Convert to DM_VIDEO
DM_VIDEO migration deadline is already expired, but around
80 Allwinner boards are still using video in a legacy way:
===================== WARNING ======================
This board does not use CONFIG_DM_VIDEO Please update
the board to use CONFIG_DM_VIDEO before the v2019.07 release.
Failure to update by the deadline may result in board removal.
See doc/driver-model/migration.rst for more info.
====================================================
Convert the legacy video driver over to the DM_VIDEO framework. This is
a minimal conversion: it doesn't use the DT for finding its resources,
nor does it use DM clocks or DM devices for the outputs (LCD, HDMI, CVBS).
Tested in Bananapi M1+ Plus 1920x1200 HDMI out. (Jagan)
Signed-off-by: Jagan Teki <jagan@amarulasolutions.com>
[Andre: rebase and smaller fixes] Signed-off-by: Andre Przywara <andre.przywara@arm.com> Acked-by: Maxime Ripard <mripard@kernel.org> Reviewed-by: Jernej Skrabec <jernej.skrabec@siol.net> Reviewed-by: Simon Glass <sjg@chromium.org>
Simon Glass [Sat, 6 Feb 2021 21:23:42 +0000 (14:23 -0700)]
tpm: Allow disabling platform hierarchy with TPM2
With TPM2 we don't actually lock the TPM once verified boot is finished.
Instead we disable the platform hierarchy which serves the same purpose.
Add an implementation of this so we can safely boot into the kernel.
Signed-off-by: Simon Glass <sjg@chromium.org> Acked-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Simon Glass [Sat, 6 Feb 2021 21:23:37 +0000 (14:23 -0700)]
tpm: Add a basic API implementation for TPMv2
Add support for TPMv2 versions of API functions. So far this is not
complete as the standard is quite large, but it implements everything
currently available for TPMv2 in U-Boot.
Signed-off-by: Simon Glass <sjg@chromium.org> Acked-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Simon Glass [Sat, 6 Feb 2021 21:23:36 +0000 (14:23 -0700)]
tpm: Switch TPMv1 over to use the new API
Take over the plain 'tpm_...' functions for use by the new TPM API. Rename
all the TPMv1 functions so they are called from the API.
Update the TPMv1 functions so that they are called from the API. Change
existing users to use the tpm1_ prefix so they don't need to go through
the API, which might introduce uncertainty.
Signed-off-by: Simon Glass <sjg@chromium.org> Acked-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Simon Glass [Sat, 6 Feb 2021 21:23:35 +0000 (14:23 -0700)]
tpm: Add an API that can support v1.2 and v2
There are two different TPM standards. U-Boot supports both but each has
its own set of functions. We really need a single TPM API that can call
one or the other. This is not always possible as there are some
differences between the two standards, but it is mostly possible.
Add an API to handle this. So far it is not plumbed into the build and
only supports TPMv1.
Signed-off-by: Simon Glass <sjg@chromium.org> Acked-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Simon Glass [Sat, 6 Feb 2021 16:57:33 +0000 (09:57 -0700)]
sandbox: Avoid using malloc() for system state
This state is not accessible to the running U-Boot but at present it is
allocated in the emulated SDRAM. This doesn't seem very useful. Adjust
it to allocate from the OS instead.
The RAM buffer is currently not freed, but should be, so add that into
state_uninit(). Update the comment for os_free() to indicate that NULL is
a valid parameter value.
Note that the strdup() in spl_board_load_image() is changed as well, since
strdup() allocates memory in the RAM buffer.
Simon Glass [Sat, 6 Feb 2021 16:57:32 +0000 (09:57 -0700)]
sandbox: Add os_realloc()
We provide os_malloc() and os_free() but not os_realloc(). Add this,
following the usual semantics. Also update os_malloc() to behave correctly
when passed a zero size.
Signed-off-by: Simon Glass <sjg@chromium.org> Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Simon Glass [Sat, 6 Feb 2021 16:57:31 +0000 (09:57 -0700)]
s5p4418_nanopi2: Drop dead code
This code is still using the old command typedef. It was not noticed since
this file is not currently built. It is using a non-existent option in the
Makefile.
Drop this file since it is not needed for correct operation.
Simon Glass [Sat, 6 Feb 2021 16:57:30 +0000 (09:57 -0700)]
doc: Add a note about producing 'md.b' output using hexdump
Comparing a hex dump on the U-Boot command line with the contents of a
file on the host system is fairly easy and convenient to do manually if
it is small. But the format used hexdump by default differs from that
shown by U-Boot. Add a note about how to make them the same.
(For large dumps, writing the data to the network with tftpput, or to a
USB stick with ext4save is easiest.)
Simon Glass [Sat, 6 Feb 2021 16:57:27 +0000 (09:57 -0700)]
spl: Drop duplicate 'Jumping to U-Boot' message
This is printed twice but we only need one message, since there is very
little processing in between them. Drop the second one, since all branches
of the switch() already have output. Update the U-Boot message to include
the phase being jumped to.
arm: cp15: update DACR value to activate access control
Update the initial value of Domain Access Control Register (DACR)
and set by default the access permission to client (DACR_Dn_CLIENT = 1U)
for each of the 16 domains and no more to all-supervisor
(DACR_Dn_MANAGER = 3U).
This patch allows to activate the domain checking in MMU against the
permission bits in the translation tables and avoids prefetching issue
on ARMv7 [1].
Today it was already done for OMAP2 architecture
./arch/arm/mach-omap2/omap-cache.c::arm_init_domains
introduced by commit de63ac278cba ("ARM: mmu: Set domain permissions
to client access") which fixes lot of speculative prefetch aborts seen
on OMAP5 secure devices.
arm: remove TTB_SECT_XN_MASK in DCACHE_WRITETHROUGH
The normal memory (other that DCACHE_OFF) should be executable by default,
only the device memory (DCACHE_OFF) used for peripheral access should have
the bit execute never (TTB_SECT_XN_MASK).
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>