(Zephyr 3.7) update to 2.1.2 #131
…yout.h" This reverts commit 60ebade.
This reverts commit 6404a15.
This reverts commit 7bc2f4a.
This reverts commit 6580105.
….1.0" This reverts commit 36252fc.
This reverts commit 8bc7403.
This reverts commit 3f7d311.
This reverts commit 624f3b9.
This reverts commit 891fb22.
This reverts commit e21d04f.
This reverts commit 609c62c.
This reverts commit 17dee2a.
…TESTS_VERSION" This reverts commit e83c437.
This reverts commit fb7725f.
This reverts commit 806fc7f.
This reverts commit 652d7d9.
This reverts commit 08c2348.
This reverts commit 5430331.
This reverts commit b5069f0.
update_caller_outvec_len is used in only one place (psa_api), thus move it where it's used. Signed-off-by: Nicola Mazzucato <[email protected]> Change-Id: I9071f645685a46190d5ccc5a21a20da8e48db56e (cherry picked from commit 9452136)
Move reporting of zero outvec data written inside update_caller_outvec_len to have a common place where those vects are updated. Signed-off-by: Nicola Mazzucato <[email protected]> Change-Id: I3440235a045c4d3100c9602f4691835223643958 (cherry picked from commit 8cc0aaa)
The field iovec_status is used to track the status of memory-mapped invecs and outvecs through an encoding. Two bits used respectively for mapped and unmapped status are set but not individually cleared. In some places, those bits are checked but their conditions do not reflect the right status for the vectors. Improve the intent and use of the encoding by making _MAPPED_BIT and _UNMAPPED_BIT mutually exclusive. This avoids the situation where a mm-iovec is first mapped and then correctly unmapped, while the respective status is both mapped and unmapped, making checks confusing and not valid. As a consequence, update the reporting of 'no data written' in outvects for update_caller_outvec_len. Signed-off-by: Nicola Mazzucato <[email protected]> Change-Id: I3137e74bc2d29b296ad698a41ee7896ab90f2110 (cherry picked from commit 8dc73f5)
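A constructed C model of the iovec_status defect this commit message describes (an added illustration, not TF-M's own code): per-vector mapped/unmapped bits, the defective encoding that leaves both bits set after a map-then-unmap sequence, and the mutually exclusive encoding the fix adopts. The 2-bit field layout, macro names and helper functions are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
/* Constructed model of the iovec_status encoding from the commit message:
 * two bits per vector, a "mapped" bit and an "unmapped" bit. Field width,
 * names and helpers are assumptions for this illustration, not TF-M's own. */
#define IOVEC_BITS_PER_VEC  2u
#define IOVEC_FIELD_MASK    0x3u
#define IOVEC_MAPPED_BIT    0x1u
#define IOVEC_UNMAPPED_BIT  0x2u
static unsigned vec_shift(unsigned idx) { return idx * IOVEC_BITS_PER_VEC; }

/* Defective encoding: each bit is set when its event happens but the other
 * bit is never cleared, so map-then-unmap leaves both bits set at once. */
static void buggy_mark_mapped(uint32_t *status, unsigned idx)
{
    *status |= IOVEC_MAPPED_BIT << vec_shift(idx);
}
static void buggy_mark_unmapped(uint32_t *status, unsigned idx)
{
    *status |= IOVEC_UNMAPPED_BIT << vec_shift(idx);
}

/* Fixed encoding: mapped and unmapped are mutually exclusive, so each
 * transition clears the vector's 2-bit field before setting its own bit. */
static void fixed_mark_mapped(uint32_t *status, unsigned idx)
{
    *status &= ~(IOVEC_FIELD_MASK << vec_shift(idx));
    *status |= IOVEC_MAPPED_BIT << vec_shift(idx);
}
static void fixed_mark_unmapped(uint32_t *status, unsigned idx)
{
    *status &= ~(IOVEC_FIELD_MASK << vec_shift(idx));
    *status |= IOVEC_UNMAPPED_BIT << vec_shift(idx);
}

/* Read back one vector's 2-bit field. */
static uint32_t vec_state(uint32_t status, unsigned idx)
{
    return (status >> vec_shift(idx)) & IOVEC_FIELD_MASK;
}

/* Map then unmap vector idx with either encoding and return its field:
 * the buggy encoding yields 3 (both bits), the fixed one 2 (unmapped only). */
static uint32_t map_then_unmap(bool use_fixed, unsigned idx)
{
    uint32_t status = 0;
    if (use_fixed) { fixed_mark_mapped(&status, idx); fixed_mark_unmapped(&status, idx); }
    else           { buggy_mark_mapped(&status, idx); buggy_mark_unmapped(&status, idx); }
    return vec_state(status, idx);
}
```

With the defective encoding an "is it still mapped?" check on an already unmapped vector passes, which is exactly the confusing, invalid state the commit removes.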
tfm_crypto_call_srv performs the initialization and mapping of mm-iovecs and after the required operation is completed, the outvecs are unmapped. The invecs are not unmapped though, resulting in a situation where subsequent PSA calls would fail. Note that currently this is not immediately visible due to the fact that PSA crypto services are accessed via a static handle, so each call takes a new connection with a clean mm-iovec status. It would take a stateful Crypto service to actually fall into the issue noticed above. Signed-off-by: Nicola Mazzucato <[email protected]> Reported-by: Brian Quach <[email protected]> Change-Id: Idb4dc40ff439e177c64ddad2421f8febf6007dcb (cherry picked from commit 9d4a1ad)
psa_attest_get_token maps memory-mapped invec and outvec but only unmaps the outvec. Thus, add missing unmapping of invec. Signed-off-by: Nicola Mazzucato <[email protected]> Change-Id: I7ad128a5bace89ddbc6b7241117061cd7b788601 (cherry picked from commit ad1ed93)
When the SPM or RoT refuse the connection or cannot make the connection, psa_connect can return two errors: either PSA_ERROR_CONNECTION_REFUSED or PSA_ERROR_CONNECTION_BUSY. In the first case, in tfm_spm_partition_psa_reply the connection is set to be deleted immediately, while in the latter the connection is not deleted at all. This leaves us in two unwanted scenarios: a. deleting the connection immediately would cause its fields to be filled with some predefined values - in debug builds - to catch use-after-free cases. This in turn is reflected in the returned value to the caller, instead of the expected PSA error value. b. the connection is not deleted and never recovered so eventually the allocator will run out of free connections. Fix both scenarios above by setting the connection handle status to TFM_HANDLE_STATUS_TO_FREE which will allow SPM to correctly pick up the corresponding PSA_ERROR and return it to the caller. The connection will then be freed immediately if the backend is SFN or later in the IPC model. Signed-off-by: Nicola Mazzucato <[email protected]> Change-Id: I7f87ec004f076d71640c7a339d44a90f7a015347 (cherry picked from commit d6a9e94)
Add support for Analog Devices MAX32657 platform and fetch ADI HAL library. Co-authored-by: Hao Zhang <[email protected]> Co-authored-by: Sadik Ozer <[email protected]> Change-Id: If884aa9a35664f6117574b0d4cde363a19e4eca5 Signed-off-by: Jayashree Srinivasan <[email protected]>
To enable BL2 for MAX32657, this commit - Enables BL2 - Updates CMakeFile - Adds gcc linker file, common/gcc/tfm_bl2_common.ld copied as max32657_sla.ld - Adds system file Co-authored-by: Jayashree Srinivasan <[email protected]> Co-authored-by: Hao Zhang <[email protected]> Co-authored-by: Tanmaya Mishra <[email protected]> Change-Id: Ifd0379aadd74df8006fad062397c093cab27c560 Signed-off-by: Sadik Ozer <[email protected]>
Update CMakeFile for tf-m integration Enable tf-m flags in config file Co-authored-by: Jayashree Srinivasan <[email protected]> Co-authored-by: Hao Zhang <[email protected]> Co-authored-by: Tanmaya Mishra <[email protected]> Change-Id: I67484cdd9c4b8d3c94873a2d1fc8e69ef7eb1d08 Signed-off-by: Sadik Ozer <[email protected]>
Add PPC driver for MAX32657, it is a shim driver that is filled with hal_adi call functions Co-authored-by: Jayashree Srinivasan <[email protected]> Co-authored-by: Hao Zhang <[email protected]> Co-authored-by: Tanmaya Mishra <[email protected]> Change-Id: I1f16c64263846321f1f156b744af5ac25d0e6d12 Signed-off-by: Sadik Ozer <[email protected]>
Define secure, non-secure memory and required peripheral address Co-authored-by: Jayashree Srinivasan <[email protected]> Co-authored-by: Hao Zhang <[email protected]> Co-authored-by: Tanmaya Mishra <[email protected]> Change-Id: I5b6c0335d6e34c55a7a671008848e94cb851b6fb Signed-off-by: Sadik Ozer <[email protected]>
Avoids including `t_cose` and `qcbor` in the build unless the initial attestation secure partition is enabled via the `TFM_PARTITION_INITIAL_ATTESTATION` flag. This is required to avoid automatically downloading QCBOR at build time -- pulled in as a dependency of t_cose -- unless required. This commit should be reverted once an acceptable upstream solution has been found for this situation, and merged there. Signed-off-by: Kevin Townsend <[email protected]> (cherry picked from commit 05bc9f0)
Add zephyr module file to include CMakeLists.txt and Kconfig located in the zephyr repository. Originally included in: 69dc29a but this will change the root folder of the module. Signed-off-by: Joakim Andersson <[email protected]> Signed-off-by: David Brown <[email protected]> (cherry picked from commit 2bc3041)
Save the lpcxpresso55s69 platform SDK files that get downloaded when building TF-M. The version used is defined by the CMake variable NXP_SDK_GIT_TAG found in platform/ext/target/nxp/lpcxpresso55s69/config.cmake. Signed-off-by: Tomi Fontanilles <[email protected]> (cherry picked from commit 08ae38f)
This reverts commit 7de505f. This needs to be reverted for boards based on Nordic chips that aren't one of the DKs; all the boards make use of their partition folder, so it cannot live only inside the chip's DK directory. Signed-off-by: Tomi Fontanilles <[email protected]>
If NRF_SECURE_UART_INSTANCE is not defined (which it is only in NCS), bring back the default behavior of assigning Driver_USART1 to TFM_DRIVER_STDIO. This fixes the issue of undefined references to Driver_USART0 in non-NCS environments that was introduced by commit 2ed1f3f / Change-Id Iffdce1df87fd603cf76f435028896c12f1d2c276. Signed-off-by: Tomi Fontanilles <[email protected]>
…RSION Fix a typo. Change-Id: Iccfe6dd0bc0c344eb4fdc8e6c780cdb35433b5b8 Signed-off-by: Tomi Fontanilles <[email protected]> (cherry picked from commit f38236c)
Introduce the CMake variable TFM_TESTS_REVISION_CHECKS to allow not performing the revision checks in the tf-m-tests repo. This is needed for TF-M forks where the upstream tags are not found, which makes the build fail. Change-Id: I10371841925f9fb811f0d47a2e0dc2c9e8e7cfac Signed-off-by: Tomi Fontanilles <[email protected]> (cherry picked from commit dc38db8)
Fix "unused variable" compilation warning. Change-Id: I460c4d612184ea57e47ee8da050495435c21912d Signed-off-by: Tomi Fontanilles <[email protected]> (cherry picked from commit ca9be3b)
Turns out it's called by the BL2 in Zephyr's TF-M PSA arch tests. This undoes commit 99f05ce. Change-Id: Ic3c1549c46ca53c7c7ab680a6fe2ab3811cca692 Signed-off-by: Tomi Fontanilles <[email protected]> (cherry picked from commit 55a6684)
Use generic assert for NRFX_ASSERT since SPM_ASSERT can either expand to secure-fw specific or generic assert. Signed-off-by: Nicola Mazzucato <[email protected]> Change-Id: If42d18798e7b4e9e3cd03bac42ec70f0faefca04 (cherry picked from commit 37d49d2)
Replace SPM_ASSERT with assert. The behaviour is unchanged when the build is for secure-fw runtime because assert is expanded to SPM_ASSERT. Signed-off-by: Nicola Mazzucato <[email protected]> Change-Id: If6815016f3c4d38031c2f76b4bcd8cd683447ab7 (cherry picked from commit 48ef350)
Replace SPM_ASSERT with assert. The behaviour is unchanged when the build is for secure-fw runtime because assert is expanded to SPM_ASSERT. Signed-off-by: Nicola Mazzucato <[email protected]> Change-Id: I6f72bad0a9e8fd32f8650f25da865d66dd8c689d (cherry picked from commit 309232e)
In the case of Zephyr's integration of TF-M, the Git tags of the upstream TF-M repo are not fetched. This resulted in this warning firing up at every build for every user while in fact it does not require any action from the user, and is just noise. Thus remove it. Change-Id: I9fc78ff89e978a0622e80d59dadc8dcfeeb7e553 Signed-off-by: Tomi Fontanilles <[email protected]> (cherry picked from commit b6c19b7)
This adds all the files (minus `.git*` and `CMSIS/Documentation/` for saving on size) from the CMSIS v6 repository (https://github.com/ARM-software/CMSIS_6) at the revision `d0c460c169` as defined in `lib/ext/cmsis/CMakeLists.txt`. The patch `lib/ext/cmsis/0001-iar-Add-missing-v8.1m-check` is applied on top. This is because as of v2.1.0 TF-M has updated to CMSIS v6 and switched from hosting the sources to depending on the upstream repository, cloning it at build time. To prevent a download from happening during the build, CMSIS v6 sources are pushed and the CMSIS_PATH CMake variable is used to point to them. Signed-off-by: Tomi Fontanilles <[email protected]> (cherry picked from commit 069455b)
The option MCUBOOT_DIRECT_XIP_REVERT can be enabled only when the XIP upgrade mechanism is enabled in MCUBOOT. The MCUBOOT default configuration in CMake doesn't select XIP as the default upgrade option and thus it should not enable XIP_REVERT. This updates the default CMake config to disable XIP_REVERT. It also adds a Kconfig dependency for this option and it adds a CMake configuration check for this as well. Signed-off-by: Georgios Vasilakis <[email protected]> Change-Id: I8e4844ab70d927836a890ca8123b734a471f3270 (cherry picked from commit 32ffe3f)
flash_layout.h uses the definition of MCUBOOT_OVERWRITE_ONLY to enforce this strategy, and then expects it to undefine it for MCUBOOT_UPGRADE_STRATEGY contents to have effect. This might work but it is confusing, hence align the two. Signed-off-by: Antonio de Angelis <[email protected]> Change-Id: I75b62b433536a81d973ac45c212201d12dd38e07 (cherry picked from commit c140d6e)
@tomi-font thanks for this PR, it covers #128 too. SHA:
Sure. Though this PR is for 3.7, while your PR targets main. I think you rather want me to do that on #130? (BTW a review there would be welcome.)
I missed to check the target branch. You are right. I need it for the main branch, #130
added the commits in that PR
what's up with all those reverts? why does moving to a new version involve so many reverts?
This is how it's been done: the local patches (which only live in this repo) are reverted, the updated upstream is brought in, and the patches are re-applied.
This approach is following what is described in the guide, section "Updating modules by merging the upstream branch". Reverting the commits helps avoid conflict resolution in the merge commit itself, which is then considered an "evil merge".
To add to this, upstream TF-M has LTS version 2.1.x, version 2.2.x and the main branch. Zephyr's TF-M follows the 2.1.x version of upstream (which I heard was decided in some security group meeting) but also has cherry-picked commits from 2.2.x and main. The current version update is from 2.1.1 to 2.1.2 and reverting/reapplying the patches helps avoid the conflicts.
When I see a revert, for me this is always a signal that something bad happened, removing bad commits and such. Sure, it helps with a clean merge and avoids conflicts, but this is not easy to follow when I am looking at an update to a released branch and trying to understand the impact of the changes.
3.7 version of #130