diff --git a/CVE-2023-49100.patch b/CVE-2023-49100.patch deleted file mode 100644 index 0afed3b030641fe7c4aa954d41766ea67d111063..0000000000000000000000000000000000000000 --- a/CVE-2023-49100.patch +++ /dev/null @@ -1,37 +0,0 @@ -From a7eff3477dcf3624c74f5217419b1a27b7ebd2aa Mon Sep 17 00:00:00 2001 -From: Manish Pandey -Date: Thu, 26 Oct 2023 11:14:21 +0100 -Subject: fix(sdei): ensure that interrupt ID is valid - -As per SDEI spec (section 5.1.14.1), SDEI_INTERRUPT_BIND interface -expects a valid PPI or SPI. SGI's are not allowed to be bounded. -Current check in the code only checks for an SGI and returns invalid -ID. This check is insufficient as it will not catch architecturally -invalid interrupt IDs. - -Modify the check to ensure that interrupt is either PPI or SPI. - -Signed-off-by: Manish Pandey -Change-Id: I52eb0a6d7f88a12f6816cff9b68fb3a7ca12cbb7 ---- - services/std_svc/sdei/sdei_main.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/services/std_svc/sdei/sdei_main.c b/services/std_svc/sdei/sdei_main.c -index 44178eddd3..0fd3c1d32c 100644 ---- a/services/std_svc/sdei/sdei_main.c -+++ b/services/std_svc/sdei/sdei_main.c -@@ -710,8 +710,8 @@ static int sdei_interrupt_bind(unsigned int intr_num) - sdei_ev_map_t *map; - bool retry = true, shared_mapping; - -- /* SGIs are not allowed to be bound */ -- if (plat_ic_is_sgi(intr_num) != 0) -+ /* Interrupt must be either PPI or SPI */ -+ if (!(plat_ic_is_ppi(intr_num) || plat_ic_is_spi(intr_num))) - return SDEI_EINVAL; - - shared_mapping = (plat_ic_is_spi(intr_num) != 0); --- -cgit v1.2.3 - diff --git a/CVE-2024-6285.patch b/CVE-2024-6285.patch deleted file mode 100644 index 9b2a369a541f34bc4ecae5732c6556ebefe04122..0000000000000000000000000000000000000000 --- a/CVE-2024-6285.patch +++ /dev/null @@ -1,47 +0,0 @@ -From 9778b270e29bac3e16f57f9557098c45858c05de Mon Sep 17 00:00:00 2001 -From: Tobias Rist -Date: Tue, 7 Mar 2023 09:40:37 +0100 -Subject: [PATCH] fix(rcar3-drivers): check for length underflow - -Origin: https://github.com/ARM-software/arm-trusted-firmware/commit/9778b270e29bac3e16f57f9557098c45858c05de -https://github.com/renesas-rcar/arm-trusted-firmware/commit/b596f580637bae919b0ac3a5471422a1f756db3b - -Make sure the length of the payload is not longer than the -DRAM size in check_load_area(), and make sure the payload -end does not cross protected area start. - -Signed-off-by: Tobias Rist -Signed-off-by: Yoshifumi Hosoya -Change-Id: I4d687be577a138352be9f92e5b0b6f596ffffba9 ---- - drivers/renesas/common/io/io_rcar.c | 7 ++++--- - 1 file changed, 4 insertions(+), 3 deletions(-) - -diff --git a/drivers/renesas/common/io/io_rcar.c b/drivers/renesas/common/io/io_rcar.c -index c169923..603fefd 100644 ---- a/drivers/renesas/common/io/io_rcar.c -+++ b/drivers/renesas/common/io/io_rcar.c -@@ -288,7 +288,7 @@ static int32_t check_load_area(uintptr_t dst, uintptr_t len) - - prot_end = prot_start + DRAM_PROTECTED_SIZE; - -- if (dst < dram_start || dst > dram_end - len) { -+ if (dst < dram_start || len > dram_end || dst > dram_end - len) { - ERROR("BL2: dst address is on the protected area.\n"); - result = IO_FAIL; - goto done; -@@ -301,8 +301,9 @@ static int32_t check_load_area(uintptr_t dst, uintptr_t len) - goto done; - } - -- if (dst < prot_start && dst > prot_start - len) { -- ERROR("BL2: loaded data is on the protected area.\n"); -+ if (len > prot_start || (dst < prot_start && dst > prot_start - len)) { -+ ERROR("BL2: %s[%d] loaded data is on the protected area.\n", -+ __func__, __LINE__); - result = IO_FAIL; - goto done; - } --- -2.33.0 - diff --git a/CVE-2024-6287-1.patch b/CVE-2024-6287-1.patch deleted file mode 100644 index 8d00e749c9bd0846e572acf2a8f28a123f808ba4..0000000000000000000000000000000000000000 --- a/CVE-2024-6287-1.patch +++ /dev/null @@ -1,100 +0,0 @@ -From 6a96c18c474e6339fab93f54d52aa7dcc4b70e52 Mon Sep 17 00:00:00 2001 -From: Tobias Rist -Date: Thu, 16 Mar 2023 21:31:15 +0900 -Subject: [PATCH] rcar-gen3: plat: BL2: check loaded NS image area - -Check if next NS image invades a previous loaded image. -Correct non secure image area to avoid loading a NS image to secure - -Signed-off-by: Tobias Rist -Signed-off-by: Yoshifumi Hosoya ---- - drivers/renesas/common/io/io_rcar.c | 46 ++++++++++++++++++++++++-- - plat/renesas/common/include/rcar_def.h | 2 +- - 2 files changed, 45 insertions(+), 3 deletions(-) - -diff --git a/drivers/renesas/common/io/io_rcar.c b/drivers/renesas/common/io/io_rcar.c -index 1459ba28b2..1a32430847 100644 ---- a/drivers/renesas/common/io/io_rcar.c -+++ b/drivers/renesas/common/io/io_rcar.c -@@ -84,6 +84,18 @@ typedef struct { - #define RCAR_COUNT_LOAD_BL33 (2U) - #define RCAR_COUNT_LOAD_BL33X (3U) - -+#define CHECK_IMAGE_AREA_CNT (5U) -+#define BOOT_BL2_ADDR (0xE6304000U) -+#define BOOT_BL2_LENGTH (0x19000U) -+ -+typedef struct { -+ uintptr_t dest; -+ uintptr_t length; -+} addr_loaded_t; -+ -+static addr_loaded_t addr_loaded[CHECK_IMAGE_AREA_CNT] = { [0] = {BOOT_BL2_ADDR, BOOT_BL2_LENGTH} }; -+static uint32_t addr_loaded_cnt = 1; -+ - static const plat_rcar_name_offset_t name_offset[] = { - {BL31_IMAGE_ID, 0U, RCAR_ATTR_SET_ALL(0, 0, 0)}, - -@@ -268,9 +280,9 @@ static int32_t check_load_area(uintptr_t dst, uintptr_t len) - uintptr_t prot_start, prot_end; - int32_t result = IO_SUCCESS; - -- dram_start = legacy ? DRAM1_BASE : DRAM_40BIT_BASE; -+ dram_start = legacy ? DRAM1_NS_BASE : DRAM_40BIT_BASE; - -- dram_end = legacy ? DRAM1_BASE + DRAM1_SIZE : -+ dram_end = legacy ? DRAM1_NS_BASE + DRAM1_NS_SIZE : - DRAM_40BIT_BASE + DRAM_40BIT_SIZE; - - prot_start = legacy ? DRAM_PROTECTED_BASE : DRAM_40BIT_PROTECTED_BASE; -@@ -298,6 +310,36 @@ static int32_t check_load_area(uintptr_t dst, uintptr_t len) - ERROR("BL2: Out of range : dst=0x%lx len=0x%lx\n", dst, len); - } - -+ if (addr_loaded_cnt >= CHECK_IMAGE_AREA_CNT) { -+ ERROR("BL2: max loadable non secure images reached\n"); -+ result = IO_FAIL; -+ } -+ addr_loaded[addr_loaded_cnt].dest = dst; -+ addr_loaded[addr_loaded_cnt].length = len; -+ for(int n=0; n addr_loaded[n].dest) && -+ (dst < addr_loaded[n].dest + addr_loaded[n].length)) || -+ (((dst < addr_loaded[n].dest) && -+ (dst + len)) > addr_loaded[n].dest)) { -+ ERROR("BL2: image is inside a previous image area.\n"); -+ result = IO_FAIL; -+ } -+ } -+ addr_loaded_cnt++; -+ - return result; - } - -diff --git a/plat/renesas/common/include/rcar_def.h b/plat/renesas/common/include/rcar_def.h -index 1b4527a9fc..38706a8373 100644 ---- a/plat/renesas/common/include/rcar_def.h -+++ b/plat/renesas/common/include/rcar_def.h -@@ -31,7 +31,7 @@ - #define DRAM_LIMIT ULL(0x0000010000000000) - #define DRAM1_BASE U(0x40000000) - #define DRAM1_SIZE U(0x80000000) --#define DRAM1_NS_BASE (DRAM1_BASE + U(0x10000000)) -+#define DRAM1_NS_BASE (DRAM1_BASE + U(0x08000000)) - #define DRAM1_NS_SIZE (DRAM1_SIZE - DRAM1_NS_BASE) - #define DRAM_40BIT_BASE ULL(0x0400000000) - #define DRAM_40BIT_SIZE ULL(0x0400000000) diff --git a/CVE-2024-6287-2.patch b/CVE-2024-6287-2.patch deleted file mode 100644 index d67279b3bb7f6fd49a87727a92f39b06e8b488e5..0000000000000000000000000000000000000000 --- a/CVE-2024-6287-2.patch +++ /dev/null @@ -1,41 +0,0 @@ -From 954d488a9798f8fda675c6b57c571b469b298f04 Mon Sep 17 00:00:00 2001 -From: Yoshifumi Hosoya -Date: Sun, 23 Apr 2023 21:11:15 +0900 -Subject: [PATCH] rcar-gen3: plat: BL2: fix Incorrect Address Range Calculation - -Check against all address overlap cases - -Reviewed-by: Tomer Fichman -Signed-off-by: Yoshifumi Hosoya ---- - drivers/renesas/common/io/io_rcar.c | 15 ++++++++++----- - 1 file changed, 10 insertions(+), 5 deletions(-) - -diff --git a/drivers/renesas/common/io/io_rcar.c b/drivers/renesas/common/io/io_rcar.c -index 9b29a5be81..21ed411137 100644 ---- a/drivers/renesas/common/io/io_rcar.c -+++ b/drivers/renesas/common/io/io_rcar.c -@@ -335,13 +335,18 @@ static int32_t check_load_area(uintptr_t dst, uintptr_t len) - * 2. check: - * | IMAGE n | - * | IMAGE n+1 | -+ * 3. check: -+ * | IMAGE n | -+ * | IMAGE n+1 | - * - * */ -- if (((dst > addr_loaded[n].dest) && -- (dst < addr_loaded[n].dest + addr_loaded[n].length)) || -- (((dst < addr_loaded[n].dest) && -- (dst + len)) > addr_loaded[n].dest)) { -- ERROR("BL2: image is inside a previous image area.\n"); -+ if (((dst >= addr_loaded[n].dest) && -+ (dst <= addr_loaded[n].dest + addr_loaded[n].length)) || -+ ((dst + len >= addr_loaded[n].dest) && -+ (dst + len <= addr_loaded[n].dest + addr_loaded[n].length)) || -+ ((dst <= addr_loaded[n].dest) && -+ (dst + len >= addr_loaded[n].dest + addr_loaded[n].length))) { -+ ERROR("BL2: next image overlap a previous image area.\n"); - result = IO_FAIL; - } - } diff --git a/CVE-2024-6563.patch b/CVE-2024-6563.patch deleted file mode 100644 index 835f08be302d5751d08f5a8e1681eb43562c440b..0000000000000000000000000000000000000000 --- a/CVE-2024-6563.patch +++ /dev/null @@ -1,34 +0,0 @@ -From 235f85b654a031f7647e81b86fc8e4ffeb430164 Mon Sep 17 00:00:00 2001 -From: Yoshifumi Hosoya -Date: Sun, 23 Apr 2023 21:37:42 +0900 -Subject: [PATCH] rcar-gen3: plat: BL2: Enhanced buffer protection - -If the parameter check is an error, the function is terminated immediately. - -Reviewed-by: Ilay Levi -Signed-off-by: Yoshifumi Hosoya ---- - drivers/renesas/common/io/io_rcar.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/drivers/renesas/common/io/io_rcar.c b/drivers/renesas/common/io/io_rcar.c -index 45ef386..3ed5eaf 100644 ---- a/drivers/renesas/common/io/io_rcar.c -+++ b/drivers/renesas/common/io/io_rcar.c -@@ -286,11 +286,13 @@ static int32_t check_load_area(uintptr_t dst, uintptr_t len) - if (dst >= prot_start && dst < prot_end) { - ERROR("BL2: dst address is on the protected area.\n"); - result = IO_FAIL; -+ goto done; - } - - if (dst < prot_start && dst > prot_start - len) { - ERROR("BL2: loaded data is on the protected area.\n"); - result = IO_FAIL; -+ goto done; - } - done: - if (result == IO_FAIL) { --- -2.33.0 - diff --git a/CVE-2024-6564.patch b/CVE-2024-6564.patch deleted file mode 100644 index 07af54dd4d4a126d315e23f0955e1f1c5dc219ec..0000000000000000000000000000000000000000 --- a/CVE-2024-6564.patch +++ /dev/null @@ -1,42 +0,0 @@ -From c9fb3558410032d2660c7f3b7d4b87dec09fe2f2 Mon Sep 17 00:00:00 2001 -From: Yoshifumi Hosoya -Date: Mon, 3 Jul 2023 16:58:11 +0900 -Subject: [PATCH] rcar-gen3: plat: BL2: Fix to check "rcar_image_number" - variable before use - -Reviewed-by: Tomer Fichman -Signed-off-by: Yoshifumi Hosoya ---- - drivers/renesas/common/io/io_rcar.c | 10 +++++----- - 1 file changed, 5 insertions(+), 5 deletions(-) - -diff --git a/drivers/renesas/common/io/io_rcar.c b/drivers/renesas/common/io/io_rcar.c -index b1638a1e0..03a8f8212 100644 ---- a/drivers/renesas/common/io/io_rcar.c -+++ b/drivers/renesas/common/io/io_rcar.c -@@ -496,17 +496,17 @@ static int32_t rcar_dev_init(io_dev_info_t *dev_info, const uintptr_t name) - #endif - - rcar_image_number = header[0]; -- for (i = 0; i < rcar_image_number + 2; i++) { -- rcar_image_header[i] = header[i * 2 + 1]; -- rcar_image_header_prttn[i] = header[i * 2 + 2]; -- } -- - if (rcar_image_number == 0 || rcar_image_number > RCAR_MAX_BL3X_IMAGE) { - WARN("Firmware Image Package header check failed.\n"); - rc = IO_FAIL; - goto error; - } - -+ for (i = 0; i < rcar_image_number + 2; i++) { -+ rcar_image_header[i] = header[i * 2 + 1]; -+ rcar_image_header_prttn[i] = header[i * 2 + 2]; -+ } -+ - rc = io_seek(handle, IO_SEEK_SET, offset + RCAR_SECTOR6_CERT_OFFSET); - if (rc != IO_SUCCESS) { - WARN("Firmware Image Package header failed to seek cert\n"); --- -2.20.1 - diff --git a/arm-trusted-firmware-2.9.tar.gz b/arm-trusted-firmware-2.12.1.tar.gz similarity index 45% rename from arm-trusted-firmware-2.9.tar.gz rename to arm-trusted-firmware-2.12.1.tar.gz index 0486db367cb2e7ee5612772a35c1c9b04bb92095..8673417199b8e5bef282f2974ccf65a1fa70ae54 100644 Binary files a/arm-trusted-firmware-2.9.tar.gz and b/arm-trusted-firmware-2.12.1.tar.gz differ diff --git a/arm-trusted-firmware.spec b/arm-trusted-firmware.spec index 67a1c042f2b9a357a29eecd487aaa1e3ae3b3bc8..70867fbdee8c164cc4f6a8ac55ebce58615f40b9 100644 --- a/arm-trusted-firmware.spec +++ b/arm-trusted-firmware.spec @@ -1,24 +1,15 @@ %global debug_package %{nil} Name: arm-trusted-firmware -Version: 2.9 -Release: 5 +Version: 2.12.1 +Release: 1 Summary: ARM Trusted Firmware -License: BSD +License: BSD-3-clause URL: https://github.com/ARM-software/arm-trusted-firmware/wiki -Source0: https://github.com/ARM-software/arm-trusted-firmware/archive/v%{version}/%{name}-%{version}.tar.gz -# https://git.trustedfirmware.org/TF-A/trusted-firmware-a.git/commit/?id=a7eff3477dcf3624 -Patch0: CVE-2023-49100.patch -# https://github.com/renesas-rcar/arm-trusted-firmware/commit/235f85b654a031f7647e81b86fc8e4ffeb430164 -Patch1: CVE-2024-6563.patch -Patch2: CVE-2024-6564.patch -# https://github.com/renesas-rcar/arm-trusted-firmware/commit/6a96c18c474e6339fab93f54d52aa7dcc4b70e52 -Patch3: CVE-2024-6287-1.patch -# https://github.com/renesas-rcar/arm-trusted-firmware/commit/954d488a9798f8fda675c6b57c571b469b298f04 -Patch4: CVE-2024-6287-2.patch -Patch5: CVE-2024-6285.patch +Source0: https://github.com/ARM-software/arm-trusted-firmware/archive/lts-v%{version}/%{name}-%{version}.tar.gz ExclusiveArch: aarch64 BuildRequires: dtc +BuildRequires: gcc openssl-devel %description Trusted Firmware-A is a reference implementation of secure world software @@ -31,10 +22,11 @@ ARM Trusted Firmware for various ARMv8-A SoCs. %prep -%autosetup -p1 -n %{name}-%{version} +%autosetup -p1 -n %{name}-lts-v%{version} sed -i 's/arm-none-eabi-/arm-linux-gnu-/' plat/rockchip/rk3399/drivers/m0/Makefile %build +export CC=gcc for soc in hikey hikey960 imx8qm imx8qx juno rk3368 rk3328 rpi3 sun50i_a64 sun50i_h6 zynqmp do make HOSTCC="%{CC} $RPM_OPT_FLAGS -fPIE -Wl,-z,relro,-z,now" CROSS_COMPILE="" PLAT=$(echo $soc) bl31 @@ -71,8 +63,49 @@ strip %{buildroot}/%{_datadir}/%{name}/rk3368/bl31.elf %{_datadir}/%{name} %changelog -* Mon Dec 16 2024 wangkai <13474090681@163.com> - 2.9-5 -- Fix CVE-2024-6285 +* Thu Mar 20 2025 yaoxin <1024769339@qq.com> - 2.12.1-1 +- Update to 2.12.1 for fix CVE-2024-7881 and CVE-2024-5660 + +* Wed Nov 27 2024 yaoxin - 2.12.0-1 +- Update to 2.12.0 +- Bootloader Images: + * remove unused plat_try_next_boot_source +- Architecture: + *Branch Record Buffer Extension (FEAT_BRBE) + * allow RME builds with BRBE +- Arm: + * avoid stripping kernel trampoline + * add DRAM memory regions that linux kernel can share + * add optee specific mem-size attribute + * add secure uart interrupt in device region + * enable FEAT_MTE2 + * fix the FF-A optee manifest by adding the boot info node + * update the memory size allocated to optee at EL1 +- Intel: + * add cache invalidation during BL31 initialization + * add in JTAG ID for Linux FCS + * add in missing ECC register + * add in watchdog for QSPI driver + * bridge ack timing issue causing fpga config hung + * correct macro naming + * f2sdram bridge quick write thru failed + * fix bridge enable and disable function + * fix CCU for cache maintenance + * flush L1/L2/L3/Sys cache before HPS cold reset + * implement soc and lwsoc bridge control for burst speed + * refactor SDMMC driver for Altera products + * remove redundant BIT_32 macro + * software workaround for bridge timeout + * update Agilex5 BL2 init flow and other misc changes + * update Agilex5 warm reset subroutines + * update all the platforms hand-off data offset value + * update CCU configuration for Agilex5 platform + * update mailbox SDM printout message + * update memcpy to memcpy_s ([e264b55] + * update outdated code for Linux direct boot + * update preloaded_bl33_base for legacy product + * update sip smc config addr for agilex5 + * update the size with addition 0x8000 0000 base * Tue Oct 15 2024 yaoxin - 2.9-4 - Fix CVE-2024-6287