Changes to support building secure and normal MM mode images on FVP- AEMv8-AEMv8.
Management Mode (MM) provides a secure execution environment on Server and Clamshell platforms. It is specified in the Volume 4. PI specification. An implementation exists in the EDK2-Staging code base. In order to support MM on ARM, changes are required to both EDK2 and ARM Trusted Firmware. MM provides a management service rather than a security service. Hence it has to be isolated from any software stack e.g. Trusted OS that provides security services. The MM Image executes in S-EL0 on ARM platforms in a sandboxed environment. In future, there might be other sandboxed environments that co-exist with it. Each sandbox implements a Secure Firmware Service. The corresponding image is called a SFS_PAYLOAD.
This change adds an optional parameter ATF_SFS_PAYLOAD. ATF_SFS_PAYLOAD will be the path to management service in fd format (EDK2 Firmware Device).
Signed-off-by: Supreeth Venkatesh supreeth.venkatesh@arm.com --- Changes in v2: - Updated Commit Message to indicate concept of Secure Firmware Services is still in flux. - Changed internal variable in atf_build.sh file to SFS_OPTION from SFS_PAYLOAD. - Drop FIRMWARE_VER parameter for fvp_normal_mm platform. --- atf-build.sh | 14 ++++++++++++-- platforms.config | 22 ++++++++++++++++++++++ 2 files changed, 34 insertions(+), 2 deletions(-)
diff --git a/atf-build.sh b/atf-build.sh index 0c4c09c..4d6afa0 100755 --- a/atf-build.sh +++ b/atf-build.sh @@ -60,12 +60,14 @@ function build_platform PLATFORM_ARCH="`$TOOLS_DIR/parse-platforms.py $PLATFORM_CONFIG -p $1 get -o arch`" PLATFORM_IMAGE_DIR="`$TOOLS_DIR/parse-platforms.py $PLATFORM_CONFIG -p $1 get -o uefi_image_dir`" PLATFORM_BUILDFLAGS="`$TOOLS_DIR/parse-platforms.py $PLATFORM_CONFIG -p $1 get -o atf_buildflags`" + PLATFORM_SFS_PAYLOAD="`$TOOLS_DIR/parse-platforms.py $PLATFORM_CONFIG -p $1 get -o atf_sfs_payload`"
if [ $VERBOSE -eq 1 ]; then echo "PLATFORM_NAME=$PLATFORM_NAME" echo "PLATFORM_ARCH=$PLATFORM_ARCH" echo "PLATFORM_IMAGE_DIR=$PLATFORM_IMAGE_DIR" echo "PLATFORM_BUILDFLAGS=$PLATFORM_BUILDFLAGS" + echo "PLATFORM_SFS_PAYLOAD=$PLATFORM_SFS_PAYLOAD" fi
unset BL30 BL31 BL32 BL33 @@ -118,6 +120,14 @@ function build_platform fi fi
+ if [ X"$PLATFORM_SFS_PAYLOAD" != X"" ]; then + # + # Since SFS cannot be exported or undefined, + # we parametrise it here + # + SFS_OPTION="SFS_PAYLOAD=$EDK2_DIR/$PLATFORM_SFS_PAYLOAD" + fi + # # Debug extraction handling # @@ -157,9 +167,9 @@ function build_platform # if [ $VERBOSE -eq 1 ]; then echo "Calling ARM Trusted Firmware build:" - echo "CROSS_COMPILE="$CROSS_COMPILE" make -j$NUM_THREADS PLAT="$ATF_PLATFORM" $SPD_OPTION DEBUG=$DEBUG ${PLATFORM_BUILDFLAGS} all fip" + echo "CROSS_COMPILE="$CROSS_COMPILE" make -j$NUM_THREADS PLAT="$ATF_PLATFORM" $SPD_OPTION $SFS_OPTION DEBUG=$DEBUG ${PLATFORM_BUILDFLAGS} all fip" fi - CROSS_COMPILE="$CROSS_COMPILE" make -j$NUM_THREADS PLAT="$ATF_PLATFORM" $SPD_OPTION DEBUG=$DEBUG ${PLATFORM_BUILDFLAGS} all fip + CROSS_COMPILE="$CROSS_COMPILE" make -j$NUM_THREADS PLAT="$ATF_PLATFORM" $SPD_OPTION $SFS_OPTION DEBUG=$DEBUG ${PLATFORM_BUILDFLAGS} all fip if [ $? -eq 0 ]; then # # Copy resulting images to UEFI image dir diff --git a/platforms.config b/platforms.config index ebf81df..17d4d86 100644 --- a/platforms.config +++ b/platforms.config @@ -51,6 +51,8 @@ # - BUILDFLAGS Any special flags you want to pass to the build command. # - ATF_BUILDFLAGS Any special flags you want to pass to the ARM Trusted # Firmware build command. +# - ATF_SFS_PAYLOAD Any special secure firmware service payload you want +# to pass to the ARM trusted Firmware build command. # - TOS_BUILDFLAGS Any special flags you want to pass to the Trusted OS # build command. # - EXTRA_FILES Any additional files to be copied to output dir. @@ -90,6 +92,26 @@ BUILD_ATF=yes UEFI_BIN=FVP_AARCH64_EFI.fd UEFI_IMAGE_DIR=ArmVExpress-FVP-AArch64
+# ARM FVP BASE AEMv8-A model +[fvp_secure_mm] +LONGNAME=aarch64 FVP RTSM for secure world mm mode image +DSC=StandaloneSmmPkg/StandaloneSmmPkg.dsc +ARCH=AARCH64 +UEFI_BIN=FVP_AARCH64_EFI_SECURE_MM.fd +UEFI_IMAGE_DIR=ArmVExpress-FVP-AArch64-Secure-MM + +[fvp_normal_mm] +LONGNAME=aarch64 FVP RTSM for normal world mm mode image +DSC=OpenPlatformPkg/Platforms/ARM/VExpress/ArmVExpress-FVP-AArch64.dsc +BUILDFLAGS=-D EDK2_OUT_DIR=Build/ArmVExpress-FVP-AArch64-Normal-MM -D EDK2_ENABLE_SMSC_91X=1 +ARCH=AARCH64 +BUILD_ATF=debug +UEFI_BIN=FVP_AARCH64_EFI.fd +UEFI_IMAGE_DIR=ArmVExpress-FVP-AArch64-Normal-MM +ATF_PLATFORM=fvp +ATF_SFS_PAYLOAD=Build/StandaloneSmmPkg/DEBUG_GCC49/FV/STANDALONESMM.fd +ATF_BUILDFLAGS=ARM_TSP_RAM_LOCATION=dram SFSD=mmd + [tc2] LONGNAME=Versatile Express TC2 BUILDFLAGS=-D ARM_BIGLITTLE_TC2=1
Hi Supreeth,
On Wed, Jan 18, 2017 at 05:56:12PM +0000, Supreeth Venkatesh wrote:
Changes to support building secure and normal MM mode images on FVP- AEMv8-AEMv8.
Management Mode (MM) provides a secure execution environment on Server and Clamshell platforms. It is specified in the Volume 4. PI specification. An implementation exists in the EDK2-Staging code base. In order to support MM on ARM, changes are required to both EDK2 and ARM Trusted Firmware. MM provides a management service rather than a security service. Hence it has to be isolated from any software stack e.g. Trusted OS that provides security services. The MM Image executes in S-EL0 on ARM platforms in a sandboxed environment. In future, there might be other sandboxed environments that co-exist with it. Each sandbox implements a Secure Firmware Service. The corresponding image is called a SFS_PAYLOAD.
This change adds an optional parameter ATF_SFS_PAYLOAD. ATF_SFS_PAYLOAD will be the path to management service in fd format (EDK2 Firmware Device).
Signed-off-by: Supreeth Venkatesh supreeth.venkatesh@arm.com
Changes in v2:
- Updated Commit Message to indicate concept of Secure Firmware Services is still in flux.
- Changed internal variable in atf_build.sh file to SFS_OPTION from SFS_PAYLOAD.
- Drop FIRMWARE_VER parameter for fvp_normal_mm platform.
atf-build.sh | 14 ++++++++++++-- platforms.config | 22 ++++++++++++++++++++++ 2 files changed, 34 insertions(+), 2 deletions(-)
diff --git a/atf-build.sh b/atf-build.sh index 0c4c09c..4d6afa0 100755 --- a/atf-build.sh +++ b/atf-build.sh @@ -60,12 +60,14 @@ function build_platform PLATFORM_ARCH="`$TOOLS_DIR/parse-platforms.py $PLATFORM_CONFIG -p $1 get -o arch`" PLATFORM_IMAGE_DIR="`$TOOLS_DIR/parse-platforms.py $PLATFORM_CONFIG -p $1 get -o uefi_image_dir`" PLATFORM_BUILDFLAGS="`$TOOLS_DIR/parse-platforms.py $PLATFORM_CONFIG -p $1 get -o atf_buildflags`"
PLATFORM_SFS_PAYLOAD="`$TOOLS_DIR/parse-platforms.py $PLATFORM_CONFIG -p $1 get -o atf_sfs_payload`"
if [ $VERBOSE -eq 1 ]; then echo "PLATFORM_NAME=$PLATFORM_NAME" echo "PLATFORM_ARCH=$PLATFORM_ARCH" echo "PLATFORM_IMAGE_DIR=$PLATFORM_IMAGE_DIR" echo "PLATFORM_BUILDFLAGS=$PLATFORM_BUILDFLAGS"
echo "PLATFORM_SFS_PAYLOAD=$PLATFORM_SFS_PAYLOAD"
fi
unset BL30 BL31 BL32 BL33
@@ -118,6 +120,14 @@ function build_platform fi fi
- if [ X"$PLATFORM_SFS_PAYLOAD" != X"" ]; then
#
# Since SFS cannot be exported or undefined,
# we parametrise it here
#
SFS_OPTION="SFS_PAYLOAD=$EDK2_DIR/$PLATFORM_SFS_PAYLOAD"
- fi
- # # Debug extraction handling #
@@ -157,9 +167,9 @@ function build_platform # if [ $VERBOSE -eq 1 ]; then echo "Calling ARM Trusted Firmware build:"
echo "CROSS_COMPILE="$CROSS_COMPILE" make -j$NUM_THREADS PLAT="$ATF_PLATFORM" $SPD_OPTION DEBUG=$DEBUG ${PLATFORM_BUILDFLAGS} all fip"
fiecho "CROSS_COMPILE="$CROSS_COMPILE" make -j$NUM_THREADS PLAT="$ATF_PLATFORM" $SPD_OPTION $SFS_OPTION DEBUG=$DEBUG ${PLATFORM_BUILDFLAGS} all fip"
- CROSS_COMPILE="$CROSS_COMPILE" make -j$NUM_THREADS PLAT="$ATF_PLATFORM" $SPD_OPTION DEBUG=$DEBUG ${PLATFORM_BUILDFLAGS} all fip
- CROSS_COMPILE="$CROSS_COMPILE" make -j$NUM_THREADS PLAT="$ATF_PLATFORM" $SPD_OPTION $SFS_OPTION DEBUG=$DEBUG ${PLATFORM_BUILDFLAGS} all fip if [ $? -eq 0 ]; then # # Copy resulting images to UEFI image dir
diff --git a/platforms.config b/platforms.config index ebf81df..17d4d86 100644 --- a/platforms.config +++ b/platforms.config @@ -51,6 +51,8 @@ # - BUILDFLAGS Any special flags you want to pass to the build command. # - ATF_BUILDFLAGS Any special flags you want to pass to the ARM Trusted # Firmware build command. +# - ATF_SFS_PAYLOAD Any special secure firmware service payload you want +# to pass to the ARM trusted Firmware build command. # - TOS_BUILDFLAGS Any special flags you want to pass to the Trusted OS # build command. # - EXTRA_FILES Any additional files to be copied to output dir. @@ -90,6 +92,26 @@ BUILD_ATF=yes UEFI_BIN=FVP_AARCH64_EFI.fd UEFI_IMAGE_DIR=ArmVExpress-FVP-AArch64
+# ARM FVP BASE AEMv8-A model +[fvp_secure_mm] +LONGNAME=aarch64 FVP RTSM for secure world mm mode image +DSC=StandaloneSmmPkg/StandaloneSmmPkg.dsc +ARCH=AARCH64 +UEFI_BIN=FVP_AARCH64_EFI_SECURE_MM.fd +UEFI_IMAGE_DIR=ArmVExpress-FVP-AArch64-Secure-MM
+[fvp_normal_mm] +LONGNAME=aarch64 FVP RTSM for normal world mm mode image +DSC=OpenPlatformPkg/Platforms/ARM/VExpress/ArmVExpress-FVP-AArch64.dsc +BUILDFLAGS=-D EDK2_OUT_DIR=Build/ArmVExpress-FVP-AArch64-Normal-MM -D EDK2_ENABLE_SMSC_91X=1
As discussed, we need to add ARM_STANDALONE_MM_ENABLE=TRUE here.
cheers, Achin
+ARCH=AARCH64 +BUILD_ATF=debug +UEFI_BIN=FVP_AARCH64_EFI.fd +UEFI_IMAGE_DIR=ArmVExpress-FVP-AArch64-Normal-MM +ATF_PLATFORM=fvp +ATF_SFS_PAYLOAD=Build/StandaloneSmmPkg/DEBUG_GCC49/FV/STANDALONESMM.fd +ATF_BUILDFLAGS=ARM_TSP_RAM_LOCATION=dram SFSD=mmd
[tc2] LONGNAME=Versatile Express TC2 BUILDFLAGS=-D ARM_BIGLITTLE_TC2=1 -- 2.7.4
On Thu, 2017-01-19 at 11:40 +0000, Achin Gupta wrote:
Hi Supreeth,
On Wed, Jan 18, 2017 at 05:56:12PM +0000, Supreeth Venkatesh wrote:
Changes to support building secure and normal MM mode images on FVP- AEMv8-AEMv8.
Management Mode (MM) provides a secure execution environment on Server and Clamshell platforms. It is specified in the Volume 4. PI specification. An implementation exists in the EDK2-Staging code base. In order to support MM on ARM, changes are required to both EDK2 and ARM Trusted Firmware. MM provides a management service rather than a security service. Hence it has to be isolated from any software stack e.g. Trusted OS that provides security services. The MM Image executes in S-EL0 on ARM platforms in a sandboxed environment. In future, there might be other sandboxed environments that co- exist with it. Each sandbox implements a Secure Firmware Service. The corresponding image is called a SFS_PAYLOAD.
This change adds an optional parameter ATF_SFS_PAYLOAD. ATF_SFS_PAYLOAD will be the path to management service in fd format (EDK2 Firmware Device).
Signed-off-by: Supreeth Venkatesh supreeth.venkatesh@arm.com
Changes in v2: - Updated Commit Message to indicate concept of Secure Firmware Services is still in flux. - Changed internal variable in atf_build.sh file to SFS_OPTION from SFS_PAYLOAD. - Drop FIRMWARE_VER parameter for fvp_normal_mm platform.
atf-build.sh | 14 ++++++++++++-- platforms.config | 22 ++++++++++++++++++++++ 2 files changed, 34 insertions(+), 2 deletions(-)
diff --git a/atf-build.sh b/atf-build.sh index 0c4c09c..4d6afa0 100755 --- a/atf-build.sh +++ b/atf-build.sh @@ -60,12 +60,14 @@ function build_platform PLATFORM_ARCH="`$TOOLS_DIR/parse-platforms.py $PLATFORM_CONFIG -p $1 get -o arch`" PLATFORM_IMAGE_DIR="`$TOOLS_DIR/parse-platforms.py $PLATFORM_CONFIG -p $1 get -o uefi_image_dir`" PLATFORM_BUILDFLAGS="`$TOOLS_DIR/parse-platforms.py $PLATFORM_CONFIG -p $1 get -o atf_buildflags`"
- PLATFORM_SFS_PAYLOAD="`$TOOLS_DIR/parse-platforms.py
$PLATFORM_CONFIG -p $1 get -o atf_sfs_payload`"
if [ $VERBOSE -eq 1 ]; then echo "PLATFORM_NAME=$PLATFORM_NAME" echo "PLATFORM_ARCH=$PLATFORM_ARCH" echo "PLATFORM_IMAGE_DIR=$PLATFORM_IMAGE_DIR" echo "PLATFORM_BUILDFLAGS=$PLATFORM_BUILDFLAGS"
echo "PLATFORM_SFS_PAYLOAD=$PLATFORM_SFS_PAYLOAD"
fi
unset BL30 BL31 BL32 BL33 @@ -118,6 +120,14 @@ function build_platform fi fi
- if [ X"$PLATFORM_SFS_PAYLOAD" != X"" ]; then
#
# Since SFS cannot be exported or undefined,
# we parametrise it here
#
SFS_OPTION="SFS_PAYLOAD=$EDK2_DIR/$PLATFORM_SFS_PA
YLOAD"
- fi
# # Debug extraction handling # @@ -157,9 +167,9 @@ function build_platform # if [ $VERBOSE -eq 1 ]; then echo "Calling ARM Trusted Firmware build:"
echo "CROSS_COMPILE="$CROSS_COMPILE" make
-j$NUM_THREADS PLAT="$ATF_PLATFORM" $SPD_OPTION DEBUG=$DEBUG ${PLATFORM_BUILDFLAGS} all fip"
echo "CROSS_COMPILE="$CROSS_COMPILE" make
-j$NUM_THREADS PLAT="$ATF_PLATFORM" $SPD_OPTION $SFS_OPTION DEBUG=$DEBUG ${PLATFORM_BUILDFLAGS} all fip" fi
- CROSS_COMPILE="$CROSS_COMPILE" make -j$NUM_THREADS
PLAT="$ATF_PLATFORM" $SPD_OPTION DEBUG=$DEBUG ${PLATFORM_BUILDFLAGS} all fip
- CROSS_COMPILE="$CROSS_COMPILE" make -j$NUM_THREADS
PLAT="$ATF_PLATFORM" $SPD_OPTION $SFS_OPTION DEBUG=$DEBUG ${PLATFORM_BUILDFLAGS} all fip if [ $? -eq 0 ]; then # # Copy resulting images to UEFI image dir diff --git a/platforms.config b/platforms.config index ebf81df..17d4d86 100644 --- a/platforms.config +++ b/platforms.config @@ -51,6 +51,8 @@ # - BUILDFLAGS Any special flags you want to pass to the build command. # - ATF_BUILDFLAGS Any special flags you want to pass to the ARM Trusted # Firmware build command. +# - ATF_SFS_PAYLOAD Any special secure firmware service payload you want +# to pass to the ARM trusted Firmware build command. # - TOS_BUILDFLAGS Any special flags you want to pass to the Trusted OS # build command. # - EXTRA_FILES Any additional files to be copied to output dir. @@ -90,6 +92,26 @@ BUILD_ATF=yes UEFI_BIN=FVP_AARCH64_EFI.fd UEFI_IMAGE_DIR=ArmVExpress-FVP-AArch64
+# ARM FVP BASE AEMv8-A model +[fvp_secure_mm] +LONGNAME=aarch64 FVP RTSM for secure world mm mode image +DSC=StandaloneSmmPkg/StandaloneSmmPkg.dsc +ARCH=AARCH64 +UEFI_BIN=FVP_AARCH64_EFI_SECURE_MM.fd +UEFI_IMAGE_DIR=ArmVExpress-FVP-AArch64-Secure-MM
+[fvp_normal_mm] +LONGNAME=aarch64 FVP RTSM for normal world mm mode image +DSC=OpenPlatformPkg/Platforms/ARM/VExpress/ArmVExpress-FVP- AArch64.dsc +BUILDFLAGS=-D EDK2_OUT_DIR=Build/ArmVExpress-FVP-AArch64-Normal-MM -D EDK2_ENABLE_SMSC_91X=1
As discussed, we need to add ARM_STANDALONE_MM_ENABLE=TRUE here.
I expect this to be short term only until it is in prototype/staged phase. We should remove this later. I will send out v3 now.
cheers, Achin
+ARCH=AARCH64 +BUILD_ATF=debug +UEFI_BIN=FVP_AARCH64_EFI.fd +UEFI_IMAGE_DIR=ArmVExpress-FVP-AArch64-Normal-MM +ATF_PLATFORM=fvp +ATF_SFS_PAYLOAD=Build/StandaloneSmmPkg/DEBUG_GCC49/FV/STANDALONESM M.fd +ATF_BUILDFLAGS=ARM_TSP_RAM_LOCATION=dram SFSD=mmd
[tc2] LONGNAME=Versatile Express TC2 BUILDFLAGS=-D ARM_BIGLITTLE_TC2=1 -- 2.7.4