forked from ARM-software/arm-trusted-firmware
module: add security info to module.yml #5
Open: mrodgers-witekio wants to merge 77 commits into zephyrproject-rtos:master from mrodgers-witekio:add-security-info
Describe this module using a file named 'zephyr/module.yml' Signed-off-by: Huifeng Zhang <[email protected]>
Zephyr needs fiptool compile build out-of-tree fix Zephyr #51165 Signed-off-by: Jaxson Han <[email protected]>
Trusted Firmware-A release v2.9.0 Signed-off-by: Huifeng Zhang <[email protected]>
…2.9.0-updates TF-A 2.9.0 updates
Cortex-X3 erratum 2779509 is a Cat B erratum that applies to all revisions <= r1p1 and is fixed in r1p2. The workaround is to set chicken bit CPUACTLR3_EL1[47], this might have a small impact on power and has negligible impact on performance. SDEN documentation: https://developer.arm.com/documentation/2055130/latest Change-Id: Id92dbae6f1f313b133ffaa018fbf9c078da55d75 Signed-off-by: Sona Mathew <[email protected]>
Neoverse V1 erratum 2348377 is a Cat B erratum that applies to all revisions <= r1p1 and is fixed in r1p2. The workaround is to set CPUACTLR5_EL1[61] to 1. SDEN documentation: https://developer.arm.com/documentation/SDEN-1401781/latest Change-Id: Ica402494f78811c85e56a262e1f60b09915168fe Signed-off-by: Sona Mathew <[email protected]>
Cortex-A78C erratum 2743232 is a Cat B erratum that applies to revisions r0p1 and r0p2 and is still open. The workaround is to set CPUACTLR5_EL1[56:55] to 2'b01. SDEN Documentation: https://developer.arm.com/documentation/SDEN-2004089/latest Change-Id: Ic62579c2dd69b7a8cbbeaa936f45b2cc9436439a Signed-off-by: Sona Mathew <[email protected]>
Neoverse V2 erratum 2662553 is a Cat B erratum that applies to all revisions <= r0p1 and is fixed in r0p2. The workaround is to set L2 TQ size statically to its full size. SDEN documentation: https://developer.arm.com/documentation/SDEN-2332927/latest Change-Id: I3bc43e7299c17db8a6771a547515ffb2a172fa0f Signed-off-by: Bipin Ravi <[email protected]>
This patch enables support for the gcc compiler option "-mharden-sls", the default is not to use this option. Setting HARDEN_SLS=1 sets "-mharden-sls=all" that enables all hardening against straight line speculation. Signed-off-by: Bipin Ravi <[email protected]> Change-Id: I59f5963c22431571f5aebe7e0c5642b32362f4c9
The DSU contains system control registers in the SCU and L3 logic to control the functionality of the cluster. If "DIRECT CONNECT" L3 memory system variant is used, there won't be any L3 cache, snoop filter, and SCU logic present hence no system control register will be present. Hence check SCU presence before accessing DSU register for DSU_2313941 errata. (commit message taken from commit 942013e by Pramod Kumar <[email protected]> just errata number changed) Signed-off-by: Marcin Juszkiewicz <[email protected]> Change-Id: I38cee6085d6e49ba23de95b3de08bc98798ab2b3
Apply erratum ERRATA_A53_1530924. Signed-off-by: Olivier Deprez <[email protected]> Change-Id: Ib4130fd9d4cd16b12322f44e91196607fcb6bf6b
Neoverse V2 erratum 2618597 is a Cat B erratum that applies to all revisions <= r0p1 and is fixed in r0p2. The workaround is to disable the use of the Full Retention power mode in the core (setting WFI_RET_CTRL and WFE_RET_CTRL in IMP_CPUPWRCTLR_EL1 to 0b000). SDEN can be found here: https://developer.arm.com/documentation/SDEN-2332927/latest Change-Id: I23a81275d1e40cae39e6897093d6cdd3e11c08ea Signed-off-by: Bipin Ravi <[email protected]>
Signed-off-by: Javier Almansa Sobrino <[email protected]> Change-Id: I6d6b7ff084cc731470e873cfdf37beeec0d3635a
For RD-N2 and variant platforms, enable workarounds available for the N2 CPU erratum. Signed-off-by: Thomas Abraham <[email protected]> Change-Id: Ib0240f56813a913309e5a6a1902e2990979e9617
Cortex-A710 erratum 2778471 is a Cat B erratum that applies to revisions r0p1, r1p0, r2p0 and r2p1 and is still open. The workaround is to set CPUACTLR3_EL1[47] to 1. SDEN documentation: https://developer.arm.com/documentation/SDEN-1775101/latest Change-Id: Id3bb4a2673e41ff237682e46784d37752daf2f83 Signed-off-by: Sona Mathew <[email protected]>
Cortex-X2 erratum 2778471 is a Cat B erratum that applies to revisions r0p1, r1p0, r2p0 and r2p1 and is still open. The workaround is to set CPUACTLR3_EL1[47] to 1. SDEN documentation: https://developer.arm.com/documentation/SDEN-1775100/latest Change-Id: Ia95f0e276482283bf50e06c58c2bc5faab3f62c6 Signed-off-by: Sona Mathew <[email protected]>
Cortex-A520 erratum is a Cat B erratum that applies to revisions r0p0 and r0p1 and is still open. The workaround is to set CPUACTLR_EL1[38] to 1. SDEN Documentation: https://developer.arm.com/documentation/SDEN-2444153/latest Change-Id: Idb6f32f680ee1378a57c2d2f809ea847fffe5910 Signed-off-by: Sona Mathew <[email protected]>
Include the missing Cortex-A520 header. Signed-off-by: Arvind Ram Prakash <[email protected]> Change-Id: I45153a1aa2d6dace38650268a32106f5201f48bd
Cortex-A520 erratum 2858100 is a Cat B erratum that applies to all revisions <=r0p1 and is still open. The workaround is to set bit[29] of CPUACTLR_EL1. SDEN Documentation: https://developer.arm.com/documentation/SDEN-2444153/latest Signed-off-by: Arvind Ram Prakash <[email protected]> Change-Id: I5a07163f919352583b03328abd5659bf7b268677
The errata ABI feature-specific build flag, the flag enabling CPUs in the CPU list, and the flags testing non-ARM interconnect-based errata when enabled from a platform level are added to the AMD-Xilinx Versal platform makefile to assess the errata ABI feature implementation. ERRATA_ABI_SUPPORT : Boolean option to enable support for Errata management firmware interface for the BL31 image. By default, it is disabled (set to zero). Signed-off-by: Prasad Kummari <[email protected]> Change-Id: I54cda23d699abc0782f44172c28933f5cbb010b8
Cortex X3 erratum 2743088 is a Cat B erratum that applies to all revisions <= r1p1 and is fixed in r1p2. The workaround is to add a DSB instruction before the ISB of the powerdown code sequence specified in the TRM. SDEN documentation: https://developer.arm.com/documentation/2055130 Change-Id: I2c8577e3ca0781af8b1c3912e577d3bd77f92709 Signed-off-by: Harrison Mutai <[email protected]>
Cortex-X3 erratum 2302506 is a cat B erratum that applies to revisions r0p0-r1p1 and is fixed in r1p2. The workaround is to set bit[0] of CPUACTLR2 which will force PLDW/PRFM ST to behave like PLD/PRFM LD and not cause invalidation to other PE caches. There might be a small performance degradation to this workaround for certain workloads that share data. SDEN can be found here: https://developer.arm.com/documentation/2055130/latest Change-Id: I048b830867915b88afa36582c6da05734a56d22a Signed-off-by: Bipin Ravi <[email protected]>
Cortex-X3 erratum 2266875 is a Cat B erratum that applies to all revisions <= r1p0 and is fixed in r1p1. The workaround is to set CPUACTLR_EL1[22]=1 which will cause the CFP instruction to invalidate all branch predictor resources regardless of context. SDEN Documentation: https://developer.arm.com/documentation/2055130/latest Change-Id: I9c610777e222f57f520d223bb03fc5ad05af1077 Signed-off-by: Bipin Ravi <[email protected]>
Cortex-A78C erratum 2683027 is a cat B erratum that applies to revisions r0p1 - r0p2 and is still open. The workaround is to execute a specific code sequence in EL3 during reset. SDEN can be found here: https://developer.arm.com/documentation/SDEN-2004089/latest Change-Id: I2bf9e675f48b62b4cd203100f7df40f4846aafa8 Signed-off-by: Bipin Ravi <[email protected]>
Reported-by: Christian Lindenmeier <[email protected]> Signed-off-by: Manish Pandey <[email protected]> Change-Id: I13fa93a65e5017dae6c837e88cd80bda72d4c2a3
…into lts-v2.10
* changes:
  docs(security): security advisory for CVE-2023-49100
  fix(cpus): workaround for Cortex-A78C erratum 2683027
  fix(cpus): workaround for Cortex-X3 erratum 2266875
  fix(cpus): workaround for Cortex-X3 erratum 2302506
  fix(cpus): workaround for Cortex X3 erratum 2743088
  feat(versal): enable errata management feature
  fix(cpus): workaround for Cortex-A520 erratum 2858100
  fix(errata): add Cortex-A520 definitions
  fix(cpus): workaround for Cortex-A520 erratum 2630792
  fix(cpus): workaround for Cortex-X2 erratum 2778471
  fix(cpus): workaround for Cortex-A710 erratum 2778471
  fix(sgi): apply workarounds for N2 CPU erratum
  docs: fix errata in RMM-EL3 Communication Interface documentation
  fix(cpus): workaround for Neoverse V2 erratum 2618597
  fix(rk3328): apply ERRATA_A53_1530924 erratum
  fix(errata): check for SCU before accessing DSU
  feat(security): add support for SLS mitigation
  fix(cpus): workaround for Neoverse V2 erratum 2662553
  fix(cpus): workaround for Cortex-A78C erratum 2743232
  fix(cpus): workaround for Neoverse V1 erratum 2348377
  fix(cpus): workaround for Cortex-X3 erratum 2779509
Cortex X3 erratum 2641945 is a Cat B erratum that applies to all revisions <= r1p0 and is fixed in r1p1. The workaround is to disable the affected L1 data cache prefetcher by setting CPUACTLR6_EL1[41] to 1. Doing so will incur a performance penalty of ~1%. Contact Arm for an alternate workaround that impacts power. SDEN documentation: https://developer.arm.com/documentation/2055130/latest Change-Id: Ia6d6ac8a66936c63b8aa8d7698b937f42ba8f044 Signed-off-by: Bipin Ravi <[email protected]> (cherry picked from commit c1aa3fa)
SCR_EL3.EEL2 bit enabled denotes that the system has S-EL2 present and enabled. Ideally this bit is constant throughout the lifetime and should not be modified. Currently this bit is initialized in the context mgmt code where each world copy of the SCR_EL3 register has this bit set to 1, but for the time duration between the RESET and the first exit to a lower EL this bit is zero. Modifying SCR_EL3.EEL2 along with EA bit at RESET also helps in mitigating against ERRATA_V2_3099206. For details on Neoverse V2 errata 3099206, refer to the SDEN document given below. https://developer.arm.com/documentation/SDEN-2332927/latest Signed-off-by: Manish Pandey <[email protected]> Change-Id: If8b2bdbb19bc65391a33dd34cc9824a0203ae4b1 (cherry picked from commit 8815cda)
Cortex-A715 erratum 2561034 is a Cat B erratum that applies to revision r1p0 and is fixed in r1p1. The workaround is to set bit[26] in CPUACTLR2_EL1. Setting this bit is not expected to have a significant performance impact. SDEN documentation: https://developer.arm.com/documentation/SDEN2148827/latest Change-Id: I377f250a2994b6ced3ac7d93f947af6ceb690d49 Signed-off-by: Bipin Ravi <[email protected]> (cherry picked from commit 6a6b282)
Generated with the command: npm run release -- --release-as 2.10.1 Signed-off-by: Yann Gautier <[email protected]> Change-Id: I38d7378a18b139e27296d46ebea7855a61740b00
Cortex-A715 erratum 2413290 is a Cat B erratum that is present only in revision r1p0 and is fixed in r1p1. The errata is only present when SPE(Statistical Profiling Extension) is enabled. The workaround is to set bits[58:57] of the CPUACTLR_EL1 to 'b11 when SPE is enabled, ENABLE_SPE_FOR_NS=1. SDEN documentation: https://developer.arm.com/documentation/SDEN2148827/latest Change-Id: Iaeb258c8b0a92e93d70b7dad6ba59d1056aeb135 Signed-off-by: Sona Mathew <[email protected]> (cherry picked from commit 15a0461)
Cortex-A715 erratum 2561034 mitigation needs to be applied during reset. This patch fixes the current macro usage from runtime to reset for both start and end macros. Change-Id: I4f115bbb27c57f16cada2a7eb314af8380f93cb4 Signed-off-by: Bipin Ravi <[email protected]> (cherry picked from commit 57ab6d8)
Cortex-A720 erratum 2940794 is a Cat B erratum that is present in revision r0p0, r0p1 and is fixed in r0p2. The workaround is to set bit[37] of the CPUACTLR2_EL1 to 1. SDEN documentation: https://developer.arm.com/documentation/SDEN2439421/latest Change-Id: I1488802e0ec7c16349c9633bb45de4d0e1faa9ad Signed-off-by: Bipin Ravi <[email protected]> (cherry picked from commit 7385213)
SDEN documentation: https://developer.arm.com/documentation/2055130/latest Change-Id: Ied7150bab505a743401cf4afa9a0a5f81d5fdff1 Signed-off-by: Sona Mathew <[email protected]> (cherry picked from commit f589a2a)
Cortex-A720 erratum 2926083 is a Cat B erratum that is present in revisions r0p0, r0p1 and is fixed in r0p2. The errata is only present when SPE (Statistical Profiling Extension) is implemented and enabled. The workaround is to set bits[58:57] of the CPUACTLR_EL1 to 'b11 when SPE is "implemented and enabled". SDEN documentation: https://developer.arm.com/documentation/SDEN2439421/latest Change-Id: I30182c3893416af65b55fca9a913cb4512430434 Signed-off-by: Bipin Ravi <[email protected]> Signed-off-by: Govindraj Raja <[email protected]> (cherry picked from commit 152f4cf)
Erratum 2413290 is a Cat B erratum that is present only in revision r0p1 and is fixed in r1p1. The initial implementation did not consider that this fix is to be applied only when SPE (Statistical Profiling Extension) is implemented and enabled. This patch applies the fix by adding a check for ENABLE_SPE_FOR_NS. Change-Id: I87b2175b89d6fb168c77e6ab233c90ca056791a1 Signed-off-by: Sona Mathew <[email protected]> (cherry picked from commit bd2f7d3)
Update the Poseidon CPU variant name to "POSEIDON VNAE" in alignment with the MIDR 0x410FD830. This adjustment reflects the accurate designation for the default Poseidon CPU and allows for seamless support of other variants in the future. CC: Vijayenthiran Subramaniam <[email protected]> Signed-off-by: Rohit Mathew <[email protected]> Change-Id: I48183290ffc2889d6ae000d3aa423c0ee5e4d211 (cherry picked from commit 61a2968)
Enable support for Poseidon V CPUs. Poseidon V CPUs are distinguished by a 3MB L2 cache, differing from Poseidon VN(AE) CPUs with a 2MB L2 cache. This enhancement ensures compatibility with RD-Fremont and similar platforms utilizing Poseidon V CPUs. CC: Vijayenthiran Subramaniam <[email protected]> Signed-off-by: Rohit Mathew <[email protected]> Change-Id: Icdcc5f57c62855b2ec54c58a401d3bf09f292189 (cherry picked from commit b77f55d)
Rename Neoverse Poseidon to Neoverse V3, make changes to related build flags, macros, file names etc. Change-Id: I9e40ba8f80b7390703d543787e6cd2ab6301e891 Signed-off-by: Sona Mathew <[email protected]> (cherry picked from commit 328d304)
* changes:
  chore: rename Poseidon to Neoverse V3
  feat(cpu): add support for Poseidon V CPU
  fix(cpu): correct variant name for default Poseidon CPU
  fix(cpus): workaround for Cortex-A715 erratum 2413290
  fix(cpus): workaround for Cortex-A720 erratum 2926083
  chore: update status of Cortex-X3 erratum 2615812
  fix(cpus): workaround for Cortex-A720 erratum 2940794
  fix(cpus): fix a defect in Cortex-A715 erratum 2561034
  fix(cpus): workaround for Cortex-A715 erratum 2413290
  docs(sdei): provide security guidelines when using SDEI
  docs(threat_model): mark power analysis threats out-of-scope
  fix(cpus): workaround for Cortex-A715 erratum 2344187
  fix(cpus): workaround for Cortex-X4 erratum 2701112
  fix(cpus): workaround for Cortex-A715 erratum 2331818
  fix(cpus): workaround for Cortex-A715 erratum 2420947
  fix(gic600): workaround for Part 1 of GIC600 erratum 2384374
  chore: rearrange the fvp_cpu_errata.mk file
  fix(cpus): add erratum 2701951 to Cortex-X3's list
  refactor(errata-abi): workaround platforms non-arm interconnect
  refactor(errata-abi): optimize errata ABI using errata framework
  fix(cpus): workaround for Cortex-A715 erratum 2429384
  fix(cpus): workaround for Cortex-X3 erratum 2372204
Remove the hidden parameter in changelog.yaml for the sections types: build, ci, docs, perf, refactor, revert, style, test and chore. Signed-off-by: Yann Gautier <[email protected]> Change-Id: Ie40be9e6b99f9c3e14d55227ea299d6faf977fef (cherry picked from commit a43c627)
Change-Id: Ifc50a5a8fa00fbd797aaa2bb3116a0cd4e937805 Signed-off-by: Release CI <[email protected]>
While comments introduced with the original commit claim that pmuv3_disable_el3()/pmuv3_init_el3() are compatible with PMUv2 and PMUv1, this is not true in practice: The function accesses the Secure Debug Control Register (SDCR), which is only available to ARMv8 CPUs. ARMv8 CPUs executing in AArch32 mode would thus be able to disable their PMUv3, while ARMv7 CPUs would hang trying to access the SDCR. Fix this by only doing PMUv3 handling when we know a PMUv3 to be available. This resolves boot hanging on all STM32MP15 platforms that use SP_min as BL32 instead of OP-TEE. Change-Id: I40f7611cf46b89a30243cc55bf55a8d9c9de93c8 Fixes: c73686a ("feat(pmu): introduce pmuv3 lib/extensions folder") Signed-off-by: Ahmad Fatoum <[email protected]> (cherry picked from commit e6f8fc7)
Cortex-A715 erratum 2728106 is a Cat B(rare) erratum that is present in revision r0p0, r1p0 and r1p1. It is fixed in r1p2. The workaround is to execute an implementation specific sequence in the CPU. SDEN documentation: https://developer.arm.com/documentation/SDEN2148827/latest Change-Id: Ic825f9942e7eb13893fdbb44a2090b897758cbc4 Signed-off-by: Bipin Ravi <[email protected]> (cherry picked from commit 10134e3)
Cortex-X4 erratum 2740089 is a Cat B erratum that applies to all revisions <=r0p1 and is fixed in r0p2. The workaround is to insert a dsb before the isb in the power down sequence. SDEN documentation: https://developer.arm.com/documentation/SDEN2432808/latest Change-Id: I1d0fa4dd383437044a4467591f65a4a8514cabdc Signed-off-by: Bipin Ravi <[email protected]> (cherry picked from commit c833ca6)
* changes:
  fix(cpus): workaround for Cortex-X4 erratum 2740089
  fix(cpus): workaround for Cortex-A715 erratum 2728106
Our code does not preclude the use of versions 1.0.x of OpenSSL. Instead, we discourage its use due to security concerns. Update the documentation to reflect this. Change-Id: I5c60907337f10b05d5c43b0384247c5d4135db50 Signed-off-by: Harrison Mutai <[email protected]> (cherry picked from commit 1b86ec5)
Cortex-X4 erratum 2763018 is a Cat B erratum that is present in revisions r0p0, r0p1 and is fixed in r0p2. The workaround is to set bit[47] of CPUACTLR3_EL1 register. Setting this chicken bit might have a small impact on power and negligible impact on performance. SDEN documentation: https://developer.arm.com/documentation/SDEN2432808/latest Change-Id: Ia188e08c2eb2952923ec72e2a56efdeea836fe1e Signed-off-by: Sona Mathew <[email protected]> (cherry picked from commit 4731211)
* changes:
  fix(cpus): workaround for Cortex-X4 erratum 2763018
  docs: decrease the minimum supported OpenSSL
Change-Id: I5fe34502a91a16ae71f44644a391803d2f9d6098 Signed-off-by: Release CI <[email protected]>
This reverts commit 28f5e13.
Trusted Firmware-A release v2.10.4 Signed-off-by: Flavio Ceolin <[email protected]>
Zephyr needs fiptool compile build out-of-tree fix Zephyr #51165 Signed-off-by: Jaxson Han <[email protected]>
Update TF-A to V2.10.4
Add CPE and PURL references to module.yml file for use by Zephyr's SPDX generation tool Signed-off-by: Matt Rodgers <[email protected]>
a0e8d0a to 57b42a6
Add CPE and PURL references to module.yml file for use by Zephyr's SPDX generation tool.
See GitHub issue in Zephyr repo: zephyrproject-rtos/zephyr#53479