* [meta-arm][PATCH] arm/trusted-firmware-a: upgrade to v2.7
@ 2022-06-13 13:20 Andrey Zhizhikin
2022-06-15 3:03 ` Jon Mason
0 siblings, 1 reply; 4+ messages in thread
From: Andrey Zhizhikin @ 2022-06-13 13:20 UTC
To: meta-arm; +Cc: jon.mason, ross.burton, Andrey Zhizhikin
Upstream has version v2.7 released, upgrade recipe to pick up new
version.
Drop local patches as they are already applied upstream, namely:
- build-deps-upgrade-to-mbed-TLS-2.28.0.patch is covered by upstream
commit a93084be95 ("build(deps): upgrade to mbed TLS 2.28.0")
- ssl.patch is covered by upstream commit 0a956f8180 ("fix(fiptool):
respect OPENSSL_DIR")
Rename bbappends in meta-arm-bsp to match new PV.
Signed-off-by: Andrey Zhizhikin <andrey.z@gmail.com>
---
...s_2.6.bbappend => tf-a-tests_2.7.bbappend} | 0
...append => trusted-firmware-a_2.7.bbappend} | 0
...uild-deps-upgrade-to-mbed-TLS-2.28.0.patch | 72 -------------------
.../trusted-firmware-a/files/ssl.patch | 52 --------------
.../{tf-a-tests_2.6.bb => tf-a-tests_2.7.bb} | 4 +-
.../trusted-firmware-a/trusted-firmware-a.inc | 4 +-
...are-a_2.6.bb => trusted-firmware-a_2.7.bb} | 4 +-
7 files changed, 5 insertions(+), 131 deletions(-)
rename meta-arm-bsp/recipes-bsp/trusted-firmware-a/{tf-a-tests_2.6.bbappend => tf-a-tests_2.7.bbappend} (100%)
rename meta-arm-bsp/recipes-bsp/trusted-firmware-a/{trusted-firmware-a_2.6.bbappend => trusted-firmware-a_2.7.bbappend} (100%)
delete mode 100644 meta-arm/recipes-bsp/trusted-firmware-a/files/build-deps-upgrade-to-mbed-TLS-2.28.0.patch
delete mode 100644 meta-arm/recipes-bsp/trusted-firmware-a/files/ssl.patch
rename meta-arm/recipes-bsp/trusted-firmware-a/{tf-a-tests_2.6.bb => tf-a-tests_2.7.bb} (94%)
rename meta-arm/recipes-bsp/trusted-firmware-a/{trusted-firmware-a_2.6.bb => trusted-firmware-a_2.7.bb} (85%)
diff --git a/meta-arm-bsp/recipes-bsp/trusted-firmware-a/tf-a-tests_2.6.bbappend b/meta-arm-bsp/recipes-bsp/trusted-firmware-a/tf-a-tests_2.7.bbappend
similarity index 100%
rename from meta-arm-bsp/recipes-bsp/trusted-firmware-a/tf-a-tests_2.6.bbappend
rename to meta-arm-bsp/recipes-bsp/trusted-firmware-a/tf-a-tests_2.7.bbappend
diff --git a/meta-arm-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a_2.6.bbappend b/meta-arm-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a_2.7.bbappend
similarity index 100%
rename from meta-arm-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a_2.6.bbappend
rename to meta-arm-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a_2.7.bbappend
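Review bot: both meta-arm-bsp bbappends are renamed at 100% similarity, so whatever they carry for 2.6 (extra SRC_URI patches, machine-specific overrides) is applied to the 2.7 source unchanged, and nothing in this diff shows it was rebuilt. Please list in the commit message which BSP machines were built against 2.7, or refresh any patches in those bbappends that no longer apply.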
diff --git a/meta-arm/recipes-bsp/trusted-firmware-a/files/build-deps-upgrade-to-mbed-TLS-2.28.0.patch b/meta-arm/recipes-bsp/trusted-firmware-a/files/build-deps-upgrade-to-mbed-TLS-2.28.0.patch
deleted file mode 100644
index 058423c..0000000
--- a/meta-arm/recipes-bsp/trusted-firmware-a/files/build-deps-upgrade-to-mbed-TLS-2.28.0.patch
+++ /dev/null
@@ -1,72 +0,0 @@
-Upstream-Status: Backport
-Signed-off-by: Emekcan Aras <emekcan.aras@arm.com>
-
-From a93084be95634b66b917f1c8baf403067dc75c5d Mon Sep 17 00:00:00 2001
-From: Sandrine Bailleux <sandrine.bailleux@arm.com>
-Date: Thu, 21 Apr 2022 10:21:29 +0200
-Subject: [PATCH] build(deps): upgrade to mbed TLS 2.28.0
-
-Upgrade to the latest and greatest 2.x release of Mbed TLS library
-(i.e. v2.28.0) to take advantage of their bug fixes.
-
-Note that the Mbed TLS project published version 3.x some time
-ago. However, as this is a major release with API breakages, upgrading
-to 3.x might require some more involved changes in TF-A, which we are
-not ready to do. We shall upgrade to mbed TLS 3.x after the v2.7
-release of TF-A.
-
-Actually, the upgrade this time simply boils down to including the new
-source code module 'constant_time.c' into the firmware.
-
-To quote mbed TLS v2.28.0 release notes [1]:
-
- The mbedcrypto library includes a new source code module
- constant_time.c, containing various functions meant to resist timing
- side channel attacks. This module does not have a separate
- configuration option, and functions from this module will be
- included in the build as required.
-
-As a matter of fact, if one is attempting to link TF-A against mbed
-TLS v2.28.0 without the present patch, one gets some linker errors
-due to missing symbols from this new module.
-
-Apart from this, none of the items listed in mbed TLS release
-notes [1] directly affect TF-A. Special note on the following one:
-
- Fix a bug in mbedtls_gcm_starts() when the bit length of the iv
- exceeds 2^32.
-
-In TF-A, we do use mbedtls_gcm_starts() when the firmware decryption
-feature is enabled with AES-GCM as the authenticated decryption
-algorithm (DECRYPTION_SUPPORT=aes_gcm). However, the iv_len variable
-which gets passed to mbedtls_gcm_starts() is an unsigned int, i.e. a
-32-bit value which by definition is always less than 2**32. Therefore,
-we are immune to this bug.
-
-With this upgrade, the size of BL1 and BL2 binaries does not appear to
-change on a standard sample test build (with trusted boot and measured
-boot enabled).
-
-[1] https://github.com/Mbed-TLS/mbedtls/releases/tag/v2.28.0
-
-Change-Id: Icd5dbf527395e9e22c8fd6b77427188bd7237fd6
-Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
----
- drivers/auth/mbedtls/mbedtls_common.mk | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/drivers/auth/mbedtls/mbedtls_common.mk b/drivers/auth/mbedtls/mbedtls_common.mk
-index 0a4775d00..3eb41617f 100644
---- a/drivers/auth/mbedtls/mbedtls_common.mk
-+++ b/drivers/auth/mbedtls/mbedtls_common.mk
-@@ -48,6 +48,7 @@ LIBMBEDTLS_SRCS := $(addprefix ${MBEDTLS_DIR}/library/, \
- rsa_internal.c \
- x509.c \
- x509_crt.c \
-+ constant_time.c \
- )
-
- # The platform may define the variable 'TF_MBEDTLS_KEY_ALG' to select the key
---
-2.25.1
-
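Review bot: nothing in this patch shows which mbed TLS revision the recipe fetches, and that matters once the `constant_time.c` entry in `LIBMBEDTLS_SRCS` comes from upstream: a build against an mbed TLS older than 2.28.0 would fail on the missing source file. Please confirm the mbed TLS pin used for trusted-boot builds is v2.28.0 and note it in the commit message. The deleted file's `From a93084be95634b66b917f1c8baf403067dc75c5d` header does match the upstream commit cited in the commit message, so the removal itself is consistent.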
diff --git a/meta-arm/recipes-bsp/trusted-firmware-a/files/ssl.patch b/meta-arm/recipes-bsp/trusted-firmware-a/files/ssl.patch
deleted file mode 100644
index cdabd1b..0000000
--- a/meta-arm/recipes-bsp/trusted-firmware-a/files/ssl.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-fiptool: respect OPENSSL_DIR
-
-fiptool links to libcrypto, so as with the other tools it should respect
-OPENSSL_DIR for include/library paths.
-
-Upstream-Status: Submitted
-Signed-off-by: Ross Burton <ross.burton@arm.com>
-
-diff --git a/Makefile b/Makefile
-index ec6f88585..2d3b9fc26 100644
---- a/Makefile
-+++ b/Makefile
-@@ -1388,7 +1388,7 @@ fwu_fip: ${BUILD_PLAT}/${FWU_FIP_NAME}
-
- ${FIPTOOL}: FORCE
- ifdef UNIX_MK
-- ${Q}${MAKE} CPPFLAGS="-DVERSION='\"${VERSION_STRING}\"'" FIPTOOL=${FIPTOOL} --no-print-directory -C ${FIPTOOLPATH}
-+ ${Q}${MAKE} CPPFLAGS="-DVERSION='\"${VERSION_STRING}\"'" FIPTOOL=${FIPTOOL} OPENSSL_DIR=${OPENSSL_DIR} --no-print-directory -C ${FIPTOOLPATH}
- else
- # Clear the MAKEFLAGS as we do not want
- # to pass the gnumake flags to nmake.
-diff --git a/tools/fiptool/Makefile b/tools/fiptool/Makefile
-index 11d2e7b0b..7c2a08379 100644
---- a/tools/fiptool/Makefile
-+++ b/tools/fiptool/Makefile
-@@ -12,6 +12,8 @@ FIPTOOL ?= fiptool${BIN_EXT}
- PROJECT := $(notdir ${FIPTOOL})
- OBJECTS := fiptool.o tbbr_config.o
- V ?= 0
-+OPENSSL_DIR := /usr
-+
-
- override CPPFLAGS += -D_GNU_SOURCE -D_XOPEN_SOURCE=700
- HOSTCCFLAGS := -Wall -Werror -pedantic -std=c99
-@@ -20,7 +22,7 @@ ifeq (${DEBUG},1)
- else
- HOSTCCFLAGS += -O2
- endif
--LDLIBS := -lcrypto
-+LDLIBS := -L${OPENSSL_DIR}/lib -lcrypto
-
- ifeq (${V},0)
- Q := @
-@@ -28,7 +30,7 @@ else
- Q :=
- endif
-
--INCLUDE_PATHS := -I../../include/tools_share
-+INCLUDE_PATHS := -I../../include/tools_share -I${OPENSSL_DIR}/include
-
- HOSTCC ?= gcc
-
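Review bot: the deleted ssl.patch is marked `Upstream-Status: Submitted`, so this hunk alone cannot show that upstream commit 0a956f8180 landed the same change. Please check that the upstream version still takes both `-L${OPENSSL_DIR}/lib` and `-I${OPENSSL_DIR}/include` from the `OPENSSL_DIR` make variable. If the variable name or its handling differs, fiptool would quietly build against the host's libcrypto instead of the one from the build's own sysroot, which is a reproducibility problem for the tool that assembles the firmware image package.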
diff --git a/meta-arm/recipes-bsp/trusted-firmware-a/tf-a-tests_2.6.bb b/meta-arm/recipes-bsp/trusted-firmware-a/tf-a-tests_2.7.bb
similarity index 94%
rename from meta-arm/recipes-bsp/trusted-firmware-a/tf-a-tests_2.6.bb
rename to meta-arm/recipes-bsp/trusted-firmware-a/tf-a-tests_2.7.bb
index 2da6116..e4d3880 100644
--- a/meta-arm/recipes-bsp/trusted-firmware-a/tf-a-tests_2.6.bb
+++ b/meta-arm/recipes-bsp/trusted-firmware-a/tf-a-tests_2.7.bb
@@ -8,8 +8,8 @@ inherit deploy
COMPATIBLE_MACHINE ?= "invalid"
SRC_URI = "git://git.trustedfirmware.org/TF-A/tf-a-tests.git;protocol=https;branch=master"
-# post v2.6 snapshot
-SRCREV ?= "af5a517ae9f295455122109100fe5d55668e8eaf"
+# v2.7 snapshot
+SRCREV ?= "5f591f67738a1bbe6b262c53d9dad46ed8bbcd67"
PV .= "+git${SRCPV}"
DEPENDS += "optee-os"
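Review bot: the new comment `# v2.7 snapshot` does not say whether `5f591f67738a1bbe6b262c53d9dad46ed8bbcd67` is the tf-a-tests v2.7 tag itself or a later commit on master, where the old comment was explicit (`post v2.6 snapshot`). If it is the tag, write `# v2.7` and consider whether `PV .= "+git${SRCPV}"` is still wanted; if it is a later commit, say `post v2.7`.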
diff --git a/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a.inc b/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a.inc
index 510a7d4..dfb5675 100644
--- a/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a.inc
+++ b/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a.inc
@@ -5,9 +5,7 @@ PACKAGE_ARCH = "${MACHINE_ARCH}"
inherit deploy
-SRC_URI = "git://git.trustedfirmware.org/TF-A/trusted-firmware-a.git;protocol=https;name=tfa;branch=master \
- file://ssl.patch \
- file://build-deps-upgrade-to-mbed-TLS-2.28.0.patch"
+SRC_URI = "git://git.trustedfirmware.org/TF-A/trusted-firmware-a.git;protocol=https;name=tfa;branch=master"
UPSTREAM_CHECK_GITTAGREGEX = "^v(?P<pver>\d+(\.\d+)+)$"
diff --git a/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_2.6.bb b/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_2.7.bb
similarity index 85%
rename from meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_2.6.bb
rename to meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_2.7.bb
index 89a9214..537ec32 100644
--- a/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_2.6.bb
+++ b/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_2.7.bb
@@ -1,7 +1,7 @@
require trusted-firmware-a.inc
-# TF-A v2.6
-SRCREV_tfa = "a1f02f4f3daae7e21ee58b4c93ec3e46b8f28d15"
+# TF-A v2.7
+SRCREV_tfa = "35f4c7295bafeb32c8bcbdfb6a3f2e74a57e732b"
LIC_FILES_CHKSUM += "file://docs/license.rst;md5=b2c740efedc159745b9b31f88ff03dde"
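Review bot: `SRCREV_tfa` is tied to the release only by the `# TF-A v2.7` comment, so please state in the commit message that `35f4c7295bafeb32c8bcbdfb6a3f2e74a57e732b` was checked against the upstream v2.7 tag. The `LIC_FILES_CHKSUM` md5 for docs/license.rst is unchanged context here, which means the licence text is expected to be identical in 2.7; that is worth a line in the commit message as well.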
--
2.25.1
* Re: [meta-arm][PATCH] arm/trusted-firmware-a: upgrade to v2.7
2022-06-13 13:20 [meta-arm][PATCH] arm/trusted-firmware-a: upgrade to v2.7 Andrey Zhizhikin
@ 2022-06-15 3:03 ` Jon Mason
2022-06-15 14:18 ` Andrey Zhizhikin
0 siblings, 1 reply; 4+ messages in thread
From: Jon Mason @ 2022-06-15 3:03 UTC
To: Andrey Zhizhikin; +Cc: meta-arm, jon.mason, ross.burton
On Mon, Jun 13, 2022 at 01:20:16PM +0000, Andrey Zhizhikin wrote:
> Upstream has version v2.7 released, upgrade recipe to pick up new
> version.
>
> Drop local patches as they are already applied upstream, namely:
> - build-deps-upgrade-to-mbed-TLS-2.28.0.patch is covered by upstream
> commit a93084be95 ("build(deps): upgrade to mbed TLS 2.28.0")
>
> - ssl.patch is covered by upstream commit 0a956f8180 ("fix(fiptool):
> respect OPENSSL_DIR")
>
> Rename bbappends in meta-arm-bsp to match new PV.
>
> Signed-off-by: Andrey Zhizhikin <andrey.z@gmail.com>
Thank you for sending this patch out. I had one queued up internally
which did the same thing, and had a few extra changes. I sent this
out for review. Please take a look and verify it does everything you
need. It passes our CI.
Welcome, and I look forward to more patches from you.
Thanks,
Jon
> ---
> ...s_2.6.bbappend => tf-a-tests_2.7.bbappend} | 0
> ...append => trusted-firmware-a_2.7.bbappend} | 0
> ...uild-deps-upgrade-to-mbed-TLS-2.28.0.patch | 72 -------------------
> .../trusted-firmware-a/files/ssl.patch | 52 --------------
> .../{tf-a-tests_2.6.bb => tf-a-tests_2.7.bb} | 4 +-
> .../trusted-firmware-a/trusted-firmware-a.inc | 4 +-
> ...are-a_2.6.bb => trusted-firmware-a_2.7.bb} | 4 +-
> 7 files changed, 5 insertions(+), 131 deletions(-)
> rename meta-arm-bsp/recipes-bsp/trusted-firmware-a/{tf-a-tests_2.6.bbappend => tf-a-tests_2.7.bbappend} (100%)
> rename meta-arm-bsp/recipes-bsp/trusted-firmware-a/{trusted-firmware-a_2.6.bbappend => trusted-firmware-a_2.7.bbappend} (100%)
> delete mode 100644 meta-arm/recipes-bsp/trusted-firmware-a/files/build-deps-upgrade-to-mbed-TLS-2.28.0.patch
> delete mode 100644 meta-arm/recipes-bsp/trusted-firmware-a/files/ssl.patch
> rename meta-arm/recipes-bsp/trusted-firmware-a/{tf-a-tests_2.6.bb => tf-a-tests_2.7.bb} (94%)
> rename meta-arm/recipes-bsp/trusted-firmware-a/{trusted-firmware-a_2.6.bb => trusted-firmware-a_2.7.bb} (85%)
>
> diff --git a/meta-arm-bsp/recipes-bsp/trusted-firmware-a/tf-a-tests_2.6.bbappend b/meta-arm-bsp/recipes-bsp/trusted-firmware-a/tf-a-tests_2.7.bbappend
> similarity index 100%
> rename from meta-arm-bsp/recipes-bsp/trusted-firmware-a/tf-a-tests_2.6.bbappend
> rename to meta-arm-bsp/recipes-bsp/trusted-firmware-a/tf-a-tests_2.7.bbappend
> diff --git a/meta-arm-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a_2.6.bbappend b/meta-arm-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a_2.7.bbappend
> similarity index 100%
> rename from meta-arm-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a_2.6.bbappend
> rename to meta-arm-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a_2.7.bbappend
> diff --git a/meta-arm/recipes-bsp/trusted-firmware-a/files/build-deps-upgrade-to-mbed-TLS-2.28.0.patch b/meta-arm/recipes-bsp/trusted-firmware-a/files/build-deps-upgrade-to-mbed-TLS-2.28.0.patch
> deleted file mode 100644
> index 058423c..0000000
> --- a/meta-arm/recipes-bsp/trusted-firmware-a/files/build-deps-upgrade-to-mbed-TLS-2.28.0.patch
> +++ /dev/null
> @@ -1,72 +0,0 @@
> -Upstream-Status: Backport
> -Signed-off-by: Emekcan Aras <emekcan.aras@arm.com>
> -
> -From a93084be95634b66b917f1c8baf403067dc75c5d Mon Sep 17 00:00:00 2001
> -From: Sandrine Bailleux <sandrine.bailleux@arm.com>
> -Date: Thu, 21 Apr 2022 10:21:29 +0200
> -Subject: [PATCH] build(deps): upgrade to mbed TLS 2.28.0
> -
> -Upgrade to the latest and greatest 2.x release of Mbed TLS library
> -(i.e. v2.28.0) to take advantage of their bug fixes.
> -
> -Note that the Mbed TLS project published version 3.x some time
> -ago. However, as this is a major release with API breakages, upgrading
> -to 3.x might require some more involved changes in TF-A, which we are
> -not ready to do. We shall upgrade to mbed TLS 3.x after the v2.7
> -release of TF-A.
> -
> -Actually, the upgrade this time simply boils down to including the new
> -source code module 'constant_time.c' into the firmware.
> -
> -To quote mbed TLS v2.28.0 release notes [1]:
> -
> - The mbedcrypto library includes a new source code module
> - constant_time.c, containing various functions meant to resist timing
> - side channel attacks. This module does not have a separate
> - configuration option, and functions from this module will be
> - included in the build as required.
> -
> -As a matter of fact, if one is attempting to link TF-A against mbed
> -TLS v2.28.0 without the present patch, one gets some linker errors
> -due to missing symbols from this new module.
> -
> -Apart from this, none of the items listed in mbed TLS release
> -notes [1] directly affect TF-A. Special note on the following one:
> -
> - Fix a bug in mbedtls_gcm_starts() when the bit length of the iv
> - exceeds 2^32.
> -
> -In TF-A, we do use mbedtls_gcm_starts() when the firmware decryption
> -feature is enabled with AES-GCM as the authenticated decryption
> -algorithm (DECRYPTION_SUPPORT=aes_gcm). However, the iv_len variable
> -which gets passed to mbedtls_gcm_starts() is an unsigned int, i.e. a
> -32-bit value which by definition is always less than 2**32. Therefore,
> -we are immune to this bug.
> -
> -With this upgrade, the size of BL1 and BL2 binaries does not appear to
> -change on a standard sample test build (with trusted boot and measured
> -boot enabled).
> -
> -[1] https://github.com/Mbed-TLS/mbedtls/releases/tag/v2.28.0
> -
> -Change-Id: Icd5dbf527395e9e22c8fd6b77427188bd7237fd6
> -Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
> ----
> - drivers/auth/mbedtls/mbedtls_common.mk | 1 +
> - 1 file changed, 1 insertion(+)
> -
> -diff --git a/drivers/auth/mbedtls/mbedtls_common.mk b/drivers/auth/mbedtls/mbedtls_common.mk
> -index 0a4775d00..3eb41617f 100644
> ---- a/drivers/auth/mbedtls/mbedtls_common.mk
> -+++ b/drivers/auth/mbedtls/mbedtls_common.mk
> -@@ -48,6 +48,7 @@ LIBMBEDTLS_SRCS := $(addprefix ${MBEDTLS_DIR}/library/, \
> - rsa_internal.c \
> - x509.c \
> - x509_crt.c \
> -+ constant_time.c \
> - )
> -
> - # The platform may define the variable 'TF_MBEDTLS_KEY_ALG' to select the key
> ---
> -2.25.1
> -
> diff --git a/meta-arm/recipes-bsp/trusted-firmware-a/files/ssl.patch b/meta-arm/recipes-bsp/trusted-firmware-a/files/ssl.patch
> deleted file mode 100644
> index cdabd1b..0000000
> --- a/meta-arm/recipes-bsp/trusted-firmware-a/files/ssl.patch
> +++ /dev/null
> @@ -1,52 +0,0 @@
> -fiptool: respect OPENSSL_DIR
> -
> -fiptool links to libcrypto, so as with the other tools it should respect
> -OPENSSL_DIR for include/library paths.
> -
> -Upstream-Status: Submitted
> -Signed-off-by: Ross Burton <ross.burton@arm.com>
> -
> -diff --git a/Makefile b/Makefile
> -index ec6f88585..2d3b9fc26 100644
> ---- a/Makefile
> -+++ b/Makefile
> -@@ -1388,7 +1388,7 @@ fwu_fip: ${BUILD_PLAT}/${FWU_FIP_NAME}
> -
> - ${FIPTOOL}: FORCE
> - ifdef UNIX_MK
> -- ${Q}${MAKE} CPPFLAGS="-DVERSION='\"${VERSION_STRING}\"'" FIPTOOL=${FIPTOOL} --no-print-directory -C ${FIPTOOLPATH}
> -+ ${Q}${MAKE} CPPFLAGS="-DVERSION='\"${VERSION_STRING}\"'" FIPTOOL=${FIPTOOL} OPENSSL_DIR=${OPENSSL_DIR} --no-print-directory -C ${FIPTOOLPATH}
> - else
> - # Clear the MAKEFLAGS as we do not want
> - # to pass the gnumake flags to nmake.
> -diff --git a/tools/fiptool/Makefile b/tools/fiptool/Makefile
> -index 11d2e7b0b..7c2a08379 100644
> ---- a/tools/fiptool/Makefile
> -+++ b/tools/fiptool/Makefile
> -@@ -12,6 +12,8 @@ FIPTOOL ?= fiptool${BIN_EXT}
> - PROJECT := $(notdir ${FIPTOOL})
> - OBJECTS := fiptool.o tbbr_config.o
> - V ?= 0
> -+OPENSSL_DIR := /usr
> -+
> -
> - override CPPFLAGS += -D_GNU_SOURCE -D_XOPEN_SOURCE=700
> - HOSTCCFLAGS := -Wall -Werror -pedantic -std=c99
> -@@ -20,7 +22,7 @@ ifeq (${DEBUG},1)
> - else
> - HOSTCCFLAGS += -O2
> - endif
> --LDLIBS := -lcrypto
> -+LDLIBS := -L${OPENSSL_DIR}/lib -lcrypto
> -
> - ifeq (${V},0)
> - Q := @
> -@@ -28,7 +30,7 @@ else
> - Q :=
> - endif
> -
> --INCLUDE_PATHS := -I../../include/tools_share
> -+INCLUDE_PATHS := -I../../include/tools_share -I${OPENSSL_DIR}/include
> -
> - HOSTCC ?= gcc
> -
> diff --git a/meta-arm/recipes-bsp/trusted-firmware-a/tf-a-tests_2.6.bb b/meta-arm/recipes-bsp/trusted-firmware-a/tf-a-tests_2.7.bb
> similarity index 94%
> rename from meta-arm/recipes-bsp/trusted-firmware-a/tf-a-tests_2.6.bb
> rename to meta-arm/recipes-bsp/trusted-firmware-a/tf-a-tests_2.7.bb
> index 2da6116..e4d3880 100644
> --- a/meta-arm/recipes-bsp/trusted-firmware-a/tf-a-tests_2.6.bb
> +++ b/meta-arm/recipes-bsp/trusted-firmware-a/tf-a-tests_2.7.bb
> @@ -8,8 +8,8 @@ inherit deploy
> COMPATIBLE_MACHINE ?= "invalid"
>
> SRC_URI = "git://git.trustedfirmware.org/TF-A/tf-a-tests.git;protocol=https;branch=master"
> -# post v2.6 snapshot
> -SRCREV ?= "af5a517ae9f295455122109100fe5d55668e8eaf"
> +# v2.7 snapshot
> +SRCREV ?= "5f591f67738a1bbe6b262c53d9dad46ed8bbcd67"
> PV .= "+git${SRCPV}"
>
> DEPENDS += "optee-os"
> diff --git a/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a.inc b/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a.inc
> index 510a7d4..dfb5675 100644
> --- a/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a.inc
> +++ b/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a.inc
> @@ -5,9 +5,7 @@ PACKAGE_ARCH = "${MACHINE_ARCH}"
>
> inherit deploy
>
> -SRC_URI = "git://git.trustedfirmware.org/TF-A/trusted-firmware-a.git;protocol=https;name=tfa;branch=master \
> - file://ssl.patch \
> - file://build-deps-upgrade-to-mbed-TLS-2.28.0.patch"
> +SRC_URI = "git://git.trustedfirmware.org/TF-A/trusted-firmware-a.git;protocol=https;name=tfa;branch=master"
>
> UPSTREAM_CHECK_GITTAGREGEX = "^v(?P<pver>\d+(\.\d+)+)$"
>
> diff --git a/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_2.6.bb b/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_2.7.bb
> similarity index 85%
> rename from meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_2.6.bb
> rename to meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_2.7.bb
> index 89a9214..537ec32 100644
> --- a/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_2.6.bb
> +++ b/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_2.7.bb
> @@ -1,7 +1,7 @@
> require trusted-firmware-a.inc
>
> -# TF-A v2.6
> -SRCREV_tfa = "a1f02f4f3daae7e21ee58b4c93ec3e46b8f28d15"
> +# TF-A v2.7
> +SRCREV_tfa = "35f4c7295bafeb32c8bcbdfb6a3f2e74a57e732b"
>
> LIC_FILES_CHKSUM += "file://docs/license.rst;md5=b2c740efedc159745b9b31f88ff03dde"
>
> --
> 2.25.1
>
>
* Re: [meta-arm][PATCH] arm/trusted-firmware-a: upgrade to v2.7
2022-06-15 3:03 ` Jon Mason
@ 2022-06-15 14:18 ` Andrey Zhizhikin
2022-06-15 15:18 ` Jon Mason
0 siblings, 1 reply; 4+ messages in thread
From: Andrey Zhizhikin @ 2022-06-15 14:18 UTC
To: Jon Mason; +Cc: meta-arm, jon.mason, ross.burton
Hello Jon,
On Wed, Jun 15, 2022 at 5:03 AM Jon Mason <jdmason@kudzu.us> wrote:
>
> On Mon, Jun 13, 2022 at 01:20:16PM +0000, Andrey Zhizhikin wrote:
> > Upstream has version v2.7 released, upgrade recipe to pick up new
> > version.
> >
> > Drop local patches as they are already applied upstream, namely:
> > - build-deps-upgrade-to-mbed-TLS-2.28.0.patch is covered by upstream
> > commit a93084be95 ("build(deps): upgrade to mbed TLS 2.28.0")
> >
> > - ssl.patch is covered by upstream commit 0a956f8180 ("fix(fiptool):
> > respect OPENSSL_DIR")
> >
> > Rename bbappends in meta-arm-bsp to match new PV.
> >
> > Signed-off-by: Andrey Zhizhikin <andrey.z@gmail.com>
>
> Thank you for sending this patch out. I had one queued up internally
> which did the same thing, and had a few extra changes. I sent this
> out for review. Please take a look and verify it does everything you
> need. It passes our CI.
No problem, thanks for following this one up!
I needed the v2.7 upgrade of TF-A because it has support for
`imx8mp-lpddr4-evk` machine from meta-freescale layer.
I've introduced the possibility to use upstream TF-A in the layer,
and in order to test the functionality this update was required.
I've verified your upgrade with `imx8mm-lpddr4-evk` and
`imx8mp-lpddr4-evk` machines, and they are both operable with
your new version.
Your version appears to be way better, as you've taken care of `-tc`
patches and clang builds, which I did not include simply due to
the fact that this was not used by the machines I was working on.
>
> Welcome, and I look forward to more patches from you.
Sure, thanks for the invite! :-)
>
> Thanks,
> Jon
>
> > ---
> > ...s_2.6.bbappend => tf-a-tests_2.7.bbappend} | 0
> > ...append => trusted-firmware-a_2.7.bbappend} | 0
> > ...uild-deps-upgrade-to-mbed-TLS-2.28.0.patch | 72 -------------------
> > .../trusted-firmware-a/files/ssl.patch | 52 --------------
> > .../{tf-a-tests_2.6.bb => tf-a-tests_2.7.bb} | 4 +-
> > .../trusted-firmware-a/trusted-firmware-a.inc | 4 +-
> > ...are-a_2.6.bb => trusted-firmware-a_2.7.bb} | 4 +-
> > 7 files changed, 5 insertions(+), 131 deletions(-)
> > rename meta-arm-bsp/recipes-bsp/trusted-firmware-a/{tf-a-tests_2.6.bbappend => tf-a-tests_2.7.bbappend} (100%)
> > rename meta-arm-bsp/recipes-bsp/trusted-firmware-a/{trusted-firmware-a_2.6.bbappend => trusted-firmware-a_2.7.bbappend} (100%)
> > delete mode 100644 meta-arm/recipes-bsp/trusted-firmware-a/files/build-deps-upgrade-to-mbed-TLS-2.28.0.patch
> > delete mode 100644 meta-arm/recipes-bsp/trusted-firmware-a/files/ssl.patch
> > rename meta-arm/recipes-bsp/trusted-firmware-a/{tf-a-tests_2.6.bb => tf-a-tests_2.7.bb} (94%)
> > rename meta-arm/recipes-bsp/trusted-firmware-a/{trusted-firmware-a_2.6.bb => trusted-firmware-a_2.7.bb} (85%)
> >
> > diff --git a/meta-arm-bsp/recipes-bsp/trusted-firmware-a/tf-a-tests_2.6.bbappend b/meta-arm-bsp/recipes-bsp/trusted-firmware-a/tf-a-tests_2.7.bbappend
> > similarity index 100%
> > rename from meta-arm-bsp/recipes-bsp/trusted-firmware-a/tf-a-tests_2.6.bbappend
> > rename to meta-arm-bsp/recipes-bsp/trusted-firmware-a/tf-a-tests_2.7.bbappend
> > diff --git a/meta-arm-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a_2.6.bbappend b/meta-arm-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a_2.7.bbappend
> > similarity index 100%
> > rename from meta-arm-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a_2.6.bbappend
> > rename to meta-arm-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a_2.7.bbappend
> > diff --git a/meta-arm/recipes-bsp/trusted-firmware-a/files/build-deps-upgrade-to-mbed-TLS-2.28.0.patch b/meta-arm/recipes-bsp/trusted-firmware-a/files/build-deps-upgrade-to-mbed-TLS-2.28.0.patch
> > deleted file mode 100644
> > index 058423c..0000000
> > --- a/meta-arm/recipes-bsp/trusted-firmware-a/files/build-deps-upgrade-to-mbed-TLS-2.28.0.patch
> > +++ /dev/null
> > @@ -1,72 +0,0 @@
> > -Upstream-Status: Backport
> > -Signed-off-by: Emekcan Aras <emekcan.aras@arm.com>
> > -
> > -From a93084be95634b66b917f1c8baf403067dc75c5d Mon Sep 17 00:00:00 2001
> > -From: Sandrine Bailleux <sandrine.bailleux@arm.com>
> > -Date: Thu, 21 Apr 2022 10:21:29 +0200
> > -Subject: [PATCH] build(deps): upgrade to mbed TLS 2.28.0
> > -
> > -Upgrade to the latest and greatest 2.x release of Mbed TLS library
> > -(i.e. v2.28.0) to take advantage of their bug fixes.
> > -
> > -Note that the Mbed TLS project published version 3.x some time
> > -ago. However, as this is a major release with API breakages, upgrading
> > -to 3.x might require some more involved changes in TF-A, which we are
> > -not ready to do. We shall upgrade to mbed TLS 3.x after the v2.7
> > -release of TF-A.
> > -
> > -Actually, the upgrade this time simply boils down to including the new
> > -source code module 'constant_time.c' into the firmware.
> > -
> > -To quote mbed TLS v2.28.0 release notes [1]:
> > -
> > - The mbedcrypto library includes a new source code module
> > - constant_time.c, containing various functions meant to resist timing
> > - side channel attacks. This module does not have a separate
> > - configuration option, and functions from this module will be
> > - included in the build as required.
> > -
> > -As a matter of fact, if one is attempting to link TF-A against mbed
> > -TLS v2.28.0 without the present patch, one gets some linker errors
> > -due to missing symbols from this new module.
> > -
> > -Apart from this, none of the items listed in mbed TLS release
> > -notes [1] directly affect TF-A. Special note on the following one:
> > -
> > - Fix a bug in mbedtls_gcm_starts() when the bit length of the iv
> > - exceeds 2^32.
> > -
> > -In TF-A, we do use mbedtls_gcm_starts() when the firmware decryption
> > -feature is enabled with AES-GCM as the authenticated decryption
> > -algorithm (DECRYPTION_SUPPORT=aes_gcm). However, the iv_len variable
> > -which gets passed to mbedtls_gcm_starts() is an unsigned int, i.e. a
> > -32-bit value which by definition is always less than 2**32. Therefore,
> > -we are immune to this bug.
> > -
> > -With this upgrade, the size of BL1 and BL2 binaries does not appear to
> > -change on a standard sample test build (with trusted boot and measured
> > -boot enabled).
> > -
> > -[1] https://github.com/Mbed-TLS/mbedtls/releases/tag/v2.28.0
> > -
> > -Change-Id: Icd5dbf527395e9e22c8fd6b77427188bd7237fd6
> > -Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
> > ----
> > - drivers/auth/mbedtls/mbedtls_common.mk | 1 +
> > - 1 file changed, 1 insertion(+)
> > -
> > -diff --git a/drivers/auth/mbedtls/mbedtls_common.mk b/drivers/auth/mbedtls/mbedtls_common.mk
> > -index 0a4775d00..3eb41617f 100644
> > ---- a/drivers/auth/mbedtls/mbedtls_common.mk
> > -+++ b/drivers/auth/mbedtls/mbedtls_common.mk
> > -@@ -48,6 +48,7 @@ LIBMBEDTLS_SRCS := $(addprefix ${MBEDTLS_DIR}/library/, \
> > - rsa_internal.c \
> > - x509.c \
> > - x509_crt.c \
> > -+ constant_time.c \
> > - )
> > -
> > - # The platform may define the variable 'TF_MBEDTLS_KEY_ALG' to select the key
> > ---
> > -2.25.1
> > -
> > diff --git a/meta-arm/recipes-bsp/trusted-firmware-a/files/ssl.patch b/meta-arm/recipes-bsp/trusted-firmware-a/files/ssl.patch
> > deleted file mode 100644
> > index cdabd1b..0000000
> > --- a/meta-arm/recipes-bsp/trusted-firmware-a/files/ssl.patch
> > +++ /dev/null
> > @@ -1,52 +0,0 @@
> > -fiptool: respect OPENSSL_DIR
> > -
> > -fiptool links to libcrypto, so as with the other tools it should respect
> > -OPENSSL_DIR for include/library paths.
> > -
> > -Upstream-Status: Submitted
> > -Signed-off-by: Ross Burton <ross.burton@arm.com>
> > -
> > -diff --git a/Makefile b/Makefile
> > -index ec6f88585..2d3b9fc26 100644
> > ---- a/Makefile
> > -+++ b/Makefile
> > -@@ -1388,7 +1388,7 @@ fwu_fip: ${BUILD_PLAT}/${FWU_FIP_NAME}
> > -
> > - ${FIPTOOL}: FORCE
> > - ifdef UNIX_MK
> > -- ${Q}${MAKE} CPPFLAGS="-DVERSION='\"${VERSION_STRING}\"'" FIPTOOL=${FIPTOOL} --no-print-directory -C ${FIPTOOLPATH}
> > -+ ${Q}${MAKE} CPPFLAGS="-DVERSION='\"${VERSION_STRING}\"'" FIPTOOL=${FIPTOOL} OPENSSL_DIR=${OPENSSL_DIR} --no-print-directory -C ${FIPTOOLPATH}
> > - else
> > - # Clear the MAKEFLAGS as we do not want
> > - # to pass the gnumake flags to nmake.
> > -diff --git a/tools/fiptool/Makefile b/tools/fiptool/Makefile
> > -index 11d2e7b0b..7c2a08379 100644
> > ---- a/tools/fiptool/Makefile
> > -+++ b/tools/fiptool/Makefile
> > -@@ -12,6 +12,8 @@ FIPTOOL ?= fiptool${BIN_EXT}
> > - PROJECT := $(notdir ${FIPTOOL})
> > - OBJECTS := fiptool.o tbbr_config.o
> > - V ?= 0
> > -+OPENSSL_DIR := /usr
> > -+
> > -
> > - override CPPFLAGS += -D_GNU_SOURCE -D_XOPEN_SOURCE=700
> > - HOSTCCFLAGS := -Wall -Werror -pedantic -std=c99
> > -@@ -20,7 +22,7 @@ ifeq (${DEBUG},1)
> > - else
> > - HOSTCCFLAGS += -O2
> > - endif
> > --LDLIBS := -lcrypto
> > -+LDLIBS := -L${OPENSSL_DIR}/lib -lcrypto
> > -
> > - ifeq (${V},0)
> > - Q := @
> > -@@ -28,7 +30,7 @@ else
> > - Q :=
> > - endif
> > -
> > --INCLUDE_PATHS := -I../../include/tools_share
> > -+INCLUDE_PATHS := -I../../include/tools_share -I${OPENSSL_DIR}/include
> > -
> > - HOSTCC ?= gcc
> > -
> > diff --git a/meta-arm/recipes-bsp/trusted-firmware-a/tf-a-tests_2.6.bb b/meta-arm/recipes-bsp/trusted-firmware-a/tf-a-tests_2.7.bb
> > similarity index 94%
> > rename from meta-arm/recipes-bsp/trusted-firmware-a/tf-a-tests_2.6.bb
> > rename to meta-arm/recipes-bsp/trusted-firmware-a/tf-a-tests_2.7.bb
> > index 2da6116..e4d3880 100644
> > --- a/meta-arm/recipes-bsp/trusted-firmware-a/tf-a-tests_2.6.bb
> > +++ b/meta-arm/recipes-bsp/trusted-firmware-a/tf-a-tests_2.7.bb
> > @@ -8,8 +8,8 @@ inherit deploy
> > COMPATIBLE_MACHINE ?= "invalid"
> >
> > SRC_URI = "git://git.trustedfirmware.org/TF-A/tf-a-tests.git;protocol=https;branch=master"
> > -# post v2.6 snapshot
> > -SRCREV ?= "af5a517ae9f295455122109100fe5d55668e8eaf"
> > +# v2.7 snapshot
> > +SRCREV ?= "5f591f67738a1bbe6b262c53d9dad46ed8bbcd67"
> > PV .= "+git${SRCPV}"
> >
> > DEPENDS += "optee-os"
> > diff --git a/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a.inc b/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a.inc
> > index 510a7d4..dfb5675 100644
> > --- a/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a.inc
> > +++ b/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a.inc
> > @@ -5,9 +5,7 @@ PACKAGE_ARCH = "${MACHINE_ARCH}"
> >
> > inherit deploy
> >
> > -SRC_URI = "git://git.trustedfirmware.org/TF-A/trusted-firmware-a.git;protocol=https;name=tfa;branch=master \
> > - file://ssl.patch \
> > - file://build-deps-upgrade-to-mbed-TLS-2.28.0.patch"
> > +SRC_URI = "git://git.trustedfirmware.org/TF-A/trusted-firmware-a.git;protocol=https;name=tfa;branch=master"
> >
> > UPSTREAM_CHECK_GITTAGREGEX = "^v(?P<pver>\d+(\.\d+)+)$"
> >
> > diff --git a/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_2.6.bb b/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_2.7.bb
> > similarity index 85%
> > rename from meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_2.6.bb
> > rename to meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_2.7.bb
> > index 89a9214..537ec32 100644
> > --- a/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_2.6.bb
> > +++ b/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_2.7.bb
> > @@ -1,7 +1,7 @@
> > require trusted-firmware-a.inc
> >
> > -# TF-A v2.6
> > -SRCREV_tfa = "a1f02f4f3daae7e21ee58b4c93ec3e46b8f28d15"
> > +# TF-A v2.7
> > +SRCREV_tfa = "35f4c7295bafeb32c8bcbdfb6a3f2e74a57e732b"
> >
> > LIC_FILES_CHKSUM += "file://docs/license.rst;md5=b2c740efedc159745b9b31f88ff03dde"
> >
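Review bot: LIC_FILES_CHKSUM for docs/license.rst keeps md5=b2c740efedc159745b9b31f88ff03dde as an unchanged context line across the 2.6 to 2.7 bump, and the commit message does not mention a license check. Please confirm that docs/license.rst at 35f4c7295bafeb32c8bcbdfb6a3f2e74a57e732b still matches that checksum rather than being carried over by omission; a mismatch fails the build at license checking, so a build log for this recipe would settle it. It would also help to note in the `# TF-A v2.7` comment that the hash is the commit behind the v2.7 tag, so a reviewer can verify the pin without guessing.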
> > --
> > 2.25.1
> >
> >
--
Regards,
Andrey.
* Re: [meta-arm][PATCH] arm/trusted-firmware-a: upgrade to v2.7
2022-06-15 14:18 ` Andrey Zhizhikin
@ 2022-06-15 15:18 ` Jon Mason
0 siblings, 0 replies; 4+ messages in thread
From: Jon Mason @ 2022-06-15 15:18 UTC (permalink / raw)
To: Andrey Zhizhikin; +Cc: meta-arm, jon.mason, ross.burton
On Wed, Jun 15, 2022 at 04:18:30PM +0200, Andrey Zhizhikin wrote:
> Hello Jon,
>
> On Wed, Jun 15, 2022 at 5:03 AM Jon Mason <jdmason@kudzu.us> wrote:
> >
> > On Mon, Jun 13, 2022 at 01:20:16PM +0000, Andrey Zhizhikin wrote:
> > > Upstream has version v2.7 released, upgrade recipe to pick up new
> > > version.
> > >
> > > Drop local patches as they are already applied upstream, namely:
> > > - build-deps-upgrade-to-mbed-TLS-2.28.0.patch is covered by upstream
> > > commit a93084be95 ("build(deps): upgrade to mbed TLS 2.28.0")
> > >
> > > - ssl.patch is covered by upstream commit 0a956f8180 ("fix(fiptool):
> > > respect OPENSSL_DIR")
> > >
> > > Rename bbappends in meta-arm-bsp to match new PV.
> > >
> > > Signed-off-by: Andrey Zhizhikin <andrey.z@gmail.com>
> >
> > Thank you for sending this patch out. I had one queued up internally
> > which did the same thing, and had a few extra changes. I sent this
> > out for review. Please take a look and verify it does everything you
> > need. It passes our CI.
>
> No problem, thanks for following this one up!
>
> I needed the v2.7 upgrade of TF-A because it has support for
> `imx8mp-lpddr4-evk` machine from meta-freescale layer.
>
> I've introduced the possibility to use upstream TF-A in the layer,
> and in order to test the functionality this update was required.
>
> I've verified your upgrade with `imx8mm-lpddr4-evk` and
> `imx8mp-lpddr4-evk` machines, and they are both operable with
> your new version.
>
> Your version appears to be way better, as you've taken care of `-tc`
> patches and clang builds, which I did not include simply due to
> the fact this was not used by machines I was working on.
So much hair pulled out doing it (and there's not much left to pull).
I would've pushed earlier, but I went down the rabbit hole of trying
to get the latest mbedtls (3.1) working with it. I abandoned that and
just pushed what I had once I saw someone actually wanted it :)
>
> >
> > Welcome, and I look forward to more patches from you.
>
> Sure, thanks for the invite! :-)
>
> >
> > Thanks,
> > Jon
> >
> > > ---
> > > ...s_2.6.bbappend => tf-a-tests_2.7.bbappend} | 0
> > > ...append => trusted-firmware-a_2.7.bbappend} | 0
> > > ...uild-deps-upgrade-to-mbed-TLS-2.28.0.patch | 72 -------------------
> > > .../trusted-firmware-a/files/ssl.patch | 52 --------------
> > > .../{tf-a-tests_2.6.bb => tf-a-tests_2.7.bb} | 4 +-
> > > .../trusted-firmware-a/trusted-firmware-a.inc | 4 +-
> > > ...are-a_2.6.bb => trusted-firmware-a_2.7.bb} | 4 +-
> > > 7 files changed, 5 insertions(+), 131 deletions(-)
> > > rename meta-arm-bsp/recipes-bsp/trusted-firmware-a/{tf-a-tests_2.6.bbappend => tf-a-tests_2.7.bbappend} (100%)
> > > rename meta-arm-bsp/recipes-bsp/trusted-firmware-a/{trusted-firmware-a_2.6.bbappend => trusted-firmware-a_2.7.bbappend} (100%)
> > > delete mode 100644 meta-arm/recipes-bsp/trusted-firmware-a/files/build-deps-upgrade-to-mbed-TLS-2.28.0.patch
> > > delete mode 100644 meta-arm/recipes-bsp/trusted-firmware-a/files/ssl.patch
> > > rename meta-arm/recipes-bsp/trusted-firmware-a/{tf-a-tests_2.6.bb => tf-a-tests_2.7.bb} (94%)
> > > rename meta-arm/recipes-bsp/trusted-firmware-a/{trusted-firmware-a_2.6.bb => trusted-firmware-a_2.7.bb} (85%)
> > >
> > > diff --git a/meta-arm-bsp/recipes-bsp/trusted-firmware-a/tf-a-tests_2.6.bbappend b/meta-arm-bsp/recipes-bsp/trusted-firmware-a/tf-a-tests_2.7.bbappend
> > > similarity index 100%
> > > rename from meta-arm-bsp/recipes-bsp/trusted-firmware-a/tf-a-tests_2.6.bbappend
> > > rename to meta-arm-bsp/recipes-bsp/trusted-firmware-a/tf-a-tests_2.7.bbappend
> > > diff --git a/meta-arm-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a_2.6.bbappend b/meta-arm-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a_2.7.bbappend
> > > similarity index 100%
> > > rename from meta-arm-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a_2.6.bbappend
> > > rename to meta-arm-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a_2.7.bbappend
> > > diff --git a/meta-arm/recipes-bsp/trusted-firmware-a/files/build-deps-upgrade-to-mbed-TLS-2.28.0.patch b/meta-arm/recipes-bsp/trusted-firmware-a/files/build-deps-upgrade-to-mbed-TLS-2.28.0.patch
> > > deleted file mode 100644
> > > index 058423c..0000000
> > > --- a/meta-arm/recipes-bsp/trusted-firmware-a/files/build-deps-upgrade-to-mbed-TLS-2.28.0.patch
> > > +++ /dev/null
> > > @@ -1,72 +0,0 @@
> > > -Upstream-Status: Backport
> > > -Signed-off-by: Emekcan Aras <emekcan.aras@arm.com>
> > > -
> > > -From a93084be95634b66b917f1c8baf403067dc75c5d Mon Sep 17 00:00:00 2001
> > > -From: Sandrine Bailleux <sandrine.bailleux@arm.com>
> > > -Date: Thu, 21 Apr 2022 10:21:29 +0200
> > > -Subject: [PATCH] build(deps): upgrade to mbed TLS 2.28.0
> > > -
> > > -Upgrade to the latest and greatest 2.x release of Mbed TLS library
> > > -(i.e. v2.28.0) to take advantage of their bug fixes.
> > > -
> > > -Note that the Mbed TLS project published version 3.x some time
> > > -ago. However, as this is a major release with API breakages, upgrading
> > > -to 3.x might require some more involved changes in TF-A, which we are
> > > -not ready to do. We shall upgrade to mbed TLS 3.x after the v2.7
> > > -release of TF-A.
> > > -
> > > -Actually, the upgrade this time simply boils down to including the new
> > > -source code module 'constant_time.c' into the firmware.
> > > -
> > > -To quote mbed TLS v2.28.0 release notes [1]:
> > > -
> > > - The mbedcrypto library includes a new source code module
> > > - constant_time.c, containing various functions meant to resist timing
> > > - side channel attacks. This module does not have a separate
> > > - configuration option, and functions from this module will be
> > > - included in the build as required.
> > > -
> > > -As a matter of fact, if one is attempting to link TF-A against mbed
> > > -TLS v2.28.0 without the present patch, one gets some linker errors
> > > -due to missing symbols from this new module.
> > > -
> > > -Apart from this, none of the items listed in mbed TLS release
> > > -notes [1] directly affect TF-A. Special note on the following one:
> > > -
> > > - Fix a bug in mbedtls_gcm_starts() when the bit length of the iv
> > > - exceeds 2^32.
> > > -
> > > -In TF-A, we do use mbedtls_gcm_starts() when the firmware decryption
> > > -feature is enabled with AES-GCM as the authenticated decryption
> > > -algorithm (DECRYPTION_SUPPORT=aes_gcm). However, the iv_len variable
> > > -which gets passed to mbedtls_gcm_starts() is an unsigned int, i.e. a
> > > -32-bit value which by definition is always less than 2**32. Therefore,
> > > -we are immune to this bug.
> > > -
> > > -With this upgrade, the size of BL1 and BL2 binaries does not appear to
> > > -change on a standard sample test build (with trusted boot and measured
> > > -boot enabled).
> > > -
> > > -[1] https://github.com/Mbed-TLS/mbedtls/releases/tag/v2.28.0
> > > -
> > > -Change-Id: Icd5dbf527395e9e22c8fd6b77427188bd7237fd6
> > > -Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
> > > ----
> > > - drivers/auth/mbedtls/mbedtls_common.mk | 1 +
> > > - 1 file changed, 1 insertion(+)
> > > -
> > > -diff --git a/drivers/auth/mbedtls/mbedtls_common.mk b/drivers/auth/mbedtls/mbedtls_common.mk
> > > -index 0a4775d00..3eb41617f 100644
> > > ---- a/drivers/auth/mbedtls/mbedtls_common.mk
> > > -+++ b/drivers/auth/mbedtls/mbedtls_common.mk
> > > -@@ -48,6 +48,7 @@ LIBMBEDTLS_SRCS := $(addprefix ${MBEDTLS_DIR}/library/, \
> > > - rsa_internal.c \
> > > - x509.c \
> > > - x509_crt.c \
> > > -+ constant_time.c \
> > > - )
> > > -
> > > - # The platform may define the variable 'TF_MBEDTLS_KEY_ALG' to select the key
> > > ---
> > > -2.25.1
> > > -
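Review bot: The deleted backport's only functional line is `+ constant_time.c \` in LIBMBEDTLS_SRCS, which its message says is required to link against mbed TLS v2.28.0, yet this patch does not show which mbed TLS revision the recipe builds against after the upgrade. Please state in the commit message that the recipe still uses a 2.28.x revision, since the removed text notes that 3.x has API breakages TF-A had not yet adapted to. The header carries `Upstream-Status: Backport` and the full upstream hash a93084be95634b66b917f1c8baf403067dc75c5d, so the removal itself is checkable against the v2.7 tree.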
> > > diff --git a/meta-arm/recipes-bsp/trusted-firmware-a/files/ssl.patch b/meta-arm/recipes-bsp/trusted-firmware-a/files/ssl.patch
> > > deleted file mode 100644
> > > index cdabd1b..0000000
> > > --- a/meta-arm/recipes-bsp/trusted-firmware-a/files/ssl.patch
> > > +++ /dev/null
> > > @@ -1,52 +0,0 @@
> > > -fiptool: respect OPENSSL_DIR
> > > -
> > > -fiptool links to libcrypto, so as with the other tools it should respect
> > > -OPENSSL_DIR for include/library paths.
> > > -
> > > -Upstream-Status: Submitted
> > > -Signed-off-by: Ross Burton <ross.burton@arm.com>
> > > -
> > > -diff --git a/Makefile b/Makefile
> > > -index ec6f88585..2d3b9fc26 100644
> > > ---- a/Makefile
> > > -+++ b/Makefile
> > > -@@ -1388,7 +1388,7 @@ fwu_fip: ${BUILD_PLAT}/${FWU_FIP_NAME}
> > > -
> > > - ${FIPTOOL}: FORCE
> > > - ifdef UNIX_MK
> > > -- ${Q}${MAKE} CPPFLAGS="-DVERSION='\"${VERSION_STRING}\"'" FIPTOOL=${FIPTOOL} --no-print-directory -C ${FIPTOOLPATH}
> > > -+ ${Q}${MAKE} CPPFLAGS="-DVERSION='\"${VERSION_STRING}\"'" FIPTOOL=${FIPTOOL} OPENSSL_DIR=${OPENSSL_DIR} --no-print-directory -C ${FIPTOOLPATH}
> > > - else
> > > - # Clear the MAKEFLAGS as we do not want
> > > - # to pass the gnumake flags to nmake.
> > > -diff --git a/tools/fiptool/Makefile b/tools/fiptool/Makefile
> > > -index 11d2e7b0b..7c2a08379 100644
> > > ---- a/tools/fiptool/Makefile
> > > -+++ b/tools/fiptool/Makefile
> > > -@@ -12,6 +12,8 @@ FIPTOOL ?= fiptool${BIN_EXT}
> > > - PROJECT := $(notdir ${FIPTOOL})
> > > - OBJECTS := fiptool.o tbbr_config.o
> > > - V ?= 0
> > > -+OPENSSL_DIR := /usr
> > > -+
> > > -
> > > - override CPPFLAGS += -D_GNU_SOURCE -D_XOPEN_SOURCE=700
> > > - HOSTCCFLAGS := -Wall -Werror -pedantic -std=c99
> > > -@@ -20,7 +22,7 @@ ifeq (${DEBUG},1)
> > > - else
> > > - HOSTCCFLAGS += -O2
> > > - endif
> > > --LDLIBS := -lcrypto
> > > -+LDLIBS := -L${OPENSSL_DIR}/lib -lcrypto
> > > -
> > > - ifeq (${V},0)
> > > - Q := @
> > > -@@ -28,7 +30,7 @@ else
> > > - Q :=
> > > - endif
> > > -
> > > --INCLUDE_PATHS := -I../../include/tools_share
> > > -+INCLUDE_PATHS := -I../../include/tools_share -I${OPENSSL_DIR}/include
> > > -
> > > - HOSTCC ?= gcc
> > > -
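Review bot: ssl.patch is tagged `Upstream-Status: Submitted`, not Backport, so upstream commit 0a956f8180 named in the commit message is not guaranteed to be identical to what is deleted here. Before dropping it, check that the v2.7 tree still honours OPENSSL_DIR in all three places this patch touched: the `OPENSSL_DIR=${OPENSSL_DIR}` pass-through in the top-level Makefile's fiptool rule, `-L${OPENSSL_DIR}/lib` in LDLIBS, and `-I${OPENSSL_DIR}/include` in INCLUDE_PATHS. If any of them is missing, fiptool falls back to the host compiler's default search paths for the libcrypto headers and library.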
> > > diff --git a/meta-arm/recipes-bsp/trusted-firmware-a/tf-a-tests_2.6.bb b/meta-arm/recipes-bsp/trusted-firmware-a/tf-a-tests_2.7.bb
> > > similarity index 94%
> > > rename from meta-arm/recipes-bsp/trusted-firmware-a/tf-a-tests_2.6.bb
> > > rename to meta-arm/recipes-bsp/trusted-firmware-a/tf-a-tests_2.7.bb
> > > index 2da6116..e4d3880 100644
> > > --- a/meta-arm/recipes-bsp/trusted-firmware-a/tf-a-tests_2.6.bb
> > > +++ b/meta-arm/recipes-bsp/trusted-firmware-a/tf-a-tests_2.7.bb
> > > @@ -8,8 +8,8 @@ inherit deploy
> > > COMPATIBLE_MACHINE ?= "invalid"
> > >
> > > SRC_URI = "git://git.trustedfirmware.org/TF-A/tf-a-tests.git;protocol=https;branch=master"
> > > -# post v2.6 snapshot
> > > -SRCREV ?= "af5a517ae9f295455122109100fe5d55668e8eaf"
> > > +# v2.7 snapshot
> > > +SRCREV ?= "5f591f67738a1bbe6b262c53d9dad46ed8bbcd67"
> > > PV .= "+git${SRCPV}"
> > >
> > > DEPENDS += "optee-os"
> > > diff --git a/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a.inc b/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a.inc
> > > index 510a7d4..dfb5675 100644
> > > --- a/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a.inc
> > > +++ b/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a.inc
> > > @@ -5,9 +5,7 @@ PACKAGE_ARCH = "${MACHINE_ARCH}"
> > >
> > > inherit deploy
> > >
> > > -SRC_URI = "git://git.trustedfirmware.org/TF-A/trusted-firmware-a.git;protocol=https;name=tfa;branch=master \
> > > - file://ssl.patch \
> > > - file://build-deps-upgrade-to-mbed-TLS-2.28.0.patch"
> > > +SRC_URI = "git://git.trustedfirmware.org/TF-A/trusted-firmware-a.git;protocol=https;name=tfa;branch=master"
> > >
> > > UPSTREAM_CHECK_GITTAGREGEX = "^v(?P<pver>\d+(\.\d+)+)$"
> > >
> > > diff --git a/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_2.6.bb b/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_2.7.bb
> > > similarity index 85%
> > > rename from meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_2.6.bb
> > > rename to meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_2.7.bb
> > > index 89a9214..537ec32 100644
> > > --- a/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_2.6.bb
> > > +++ b/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_2.7.bb
> > > @@ -1,7 +1,7 @@
> > > require trusted-firmware-a.inc
> > >
> > > -# TF-A v2.6
> > > -SRCREV_tfa = "a1f02f4f3daae7e21ee58b4c93ec3e46b8f28d15"
> > > +# TF-A v2.7
> > > +SRCREV_tfa = "35f4c7295bafeb32c8bcbdfb6a3f2e74a57e732b"
> > >
> > > LIC_FILES_CHKSUM += "file://docs/license.rst;md5=b2c740efedc159745b9b31f88ff03dde"
> > >
> > > --
> > > 2.25.1
> > >
> > >
>
>
>
> --
> Regards,
> Andrey.
>
Thread overview: 4+ messages
2022-06-13 13:20 [meta-arm][PATCH] arm/trusted-firmware-a: upgrade to v2.7 Andrey Zhizhikin
2022-06-15 3:03 ` Jon Mason
2022-06-15 14:18 ` Andrey Zhizhikin
2022-06-15 15:18 ` Jon Mason