Update to 2.12.1 for fix CVE-2024-7881 and CVE-2024-5660

(cherry picked from commit 0c548ea012bd592b1fc655b361de4fa0eeda2795)

CVE-2023-49100.patch

@@ -1,37 +0,0 @@
-From a7eff3477dcf3624c74f5217419b1a27b7ebd2aa Mon Sep 17 00:00:00 2001
-From: Manish Pandey <manish.pandey2@arm.com>
-Date: Thu, 26 Oct 2023 11:14:21 +0100
-Subject: fix(sdei): ensure that interrupt ID is valid
-
-As per SDEI spec (section 5.1.14.1), SDEI_INTERRUPT_BIND interface
-expects a valid PPI or SPI. SGI's are not allowed to be bounded.
-Current check in the code only checks for an SGI and returns invalid
-ID. This check is insufficient as it will not catch architecturally
-invalid interrupt IDs.
-
-Modify the check to ensure that interrupt is either PPI or SPI.
-
-Signed-off-by: Manish Pandey <manish.pandey2@arm.com>
-Change-Id: I52eb0a6d7f88a12f6816cff9b68fb3a7ca12cbb7
----
- services/std_svc/sdei/sdei_main.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/services/std_svc/sdei/sdei_main.c b/services/std_svc/sdei/sdei_main.c
-index 44178eddd3..0fd3c1d32c 100644
---- a/services/std_svc/sdei/sdei_main.c
-+++ b/services/std_svc/sdei/sdei_main.c
-@@ -710,8 +710,8 @@ static int sdei_interrupt_bind(unsigned int intr_num)
- 	sdei_ev_map_t *map;
- 	bool retry = true, shared_mapping;
- 
--	/* SGIs are not allowed to be bound */
--	if (plat_ic_is_sgi(intr_num) != 0)
-+	/* Interrupt must be either PPI or SPI */
-+	if (!(plat_ic_is_ppi(intr_num) || plat_ic_is_spi(intr_num)))
- 		return SDEI_EINVAL;
- 
- 	shared_mapping = (plat_ic_is_spi(intr_num) != 0);
--- 
-cgit v1.2.3
-

CVE-2024-6285.patch

@@ -1,47 +0,0 @@
-From 9778b270e29bac3e16f57f9557098c45858c05de Mon Sep 17 00:00:00 2001
-From: Tobias Rist <tobias.rist@joynext.com>
-Date: Tue, 7 Mar 2023 09:40:37 +0100
-Subject: [PATCH] fix(rcar3-drivers): check for length underflow
-
-Origin: https://github.com/ARM-software/arm-trusted-firmware/commit/9778b270e29bac3e16f57f9557098c45858c05de
-https://github.com/renesas-rcar/arm-trusted-firmware/commit/b596f580637bae919b0ac3a5471422a1f756db3b
-
-Make sure the length of the payload is not longer than the
-DRAM size in check_load_area(), and make sure the payload
-end does not cross protected area start.
-
-Signed-off-by: Tobias Rist <tobias.rist@joynext.com>
-Signed-off-by: Yoshifumi Hosoya <yoshifumi.hosoya.wj@renesas.com>
-Change-Id: I4d687be577a138352be9f92e5b0b6f596ffffba9
----
- drivers/renesas/common/io/io_rcar.c | 7 ++++---
- 1 file changed, 4 insertions(+), 3 deletions(-)
-
-diff --git a/drivers/renesas/common/io/io_rcar.c b/drivers/renesas/common/io/io_rcar.c
-index c169923..603fefd 100644
---- a/drivers/renesas/common/io/io_rcar.c
-+++ b/drivers/renesas/common/io/io_rcar.c
-@@ -288,7 +288,7 @@ static int32_t check_load_area(uintptr_t dst, uintptr_t len)
- 
- 	prot_end = prot_start + DRAM_PROTECTED_SIZE;
- 
--	if (dst < dram_start || dst > dram_end - len) {
-+	if (dst < dram_start || len > dram_end || dst > dram_end - len) {
- 		ERROR("BL2: dst address is on the protected area.\n");
- 		result = IO_FAIL;
- 		goto done;
-@@ -301,8 +301,9 @@ static int32_t check_load_area(uintptr_t dst, uintptr_t len)
- 		goto done;
- 	}
- 
--	if (dst < prot_start && dst > prot_start - len) {
--		ERROR("BL2: loaded data is on the protected area.\n");
-+	if (len > prot_start || (dst < prot_start && dst > prot_start - len)) {
-+		ERROR("BL2: %s[%d] loaded data is on the protected area.\n",
-+			__func__, __LINE__);
- 		result = IO_FAIL;
- 		goto done;
- 	}
--- 
-2.33.0
-

CVE-2024-6287-1.patch

@@ -1,100 +0,0 @@
-From 6a96c18c474e6339fab93f54d52aa7dcc4b70e52 Mon Sep 17 00:00:00 2001
-From: Tobias Rist <tobias.rist@joynext.com>
-Date: Thu, 16 Mar 2023 21:31:15 +0900
-Subject: [PATCH] rcar-gen3: plat: BL2: check loaded NS image area
-
-Check if next NS image invades a previous loaded image.
-Correct non secure image area to avoid loading a NS image to secure
-
-Signed-off-by: Tobias Rist <tobias.rist@joynext.com>
-Signed-off-by: Yoshifumi Hosoya <yoshifumi.hosoya.wj@renesas.com>
----
- drivers/renesas/common/io/io_rcar.c    | 46 ++++++++++++++++++++++++--
- plat/renesas/common/include/rcar_def.h |  2 +-
- 2 files changed, 45 insertions(+), 3 deletions(-)
-
-diff --git a/drivers/renesas/common/io/io_rcar.c b/drivers/renesas/common/io/io_rcar.c
-index 1459ba28b2..1a32430847 100644
---- a/drivers/renesas/common/io/io_rcar.c
-+++ b/drivers/renesas/common/io/io_rcar.c
-@@ -84,6 +84,18 @@ typedef struct {
- #define RCAR_COUNT_LOAD_BL33		(2U)
- #define RCAR_COUNT_LOAD_BL33X		(3U)
- 
-+#define CHECK_IMAGE_AREA_CNT (5U)
-+#define BOOT_BL2_ADDR (0xE6304000U)
-+#define BOOT_BL2_LENGTH (0x19000U)
-+
-+typedef struct {
-+	uintptr_t dest;
-+	uintptr_t length;
-+} addr_loaded_t;
-+
-+static addr_loaded_t addr_loaded[CHECK_IMAGE_AREA_CNT] = { [0] = {BOOT_BL2_ADDR, BOOT_BL2_LENGTH} };
-+static uint32_t addr_loaded_cnt = 1;
-+
- static const plat_rcar_name_offset_t name_offset[] = {
- 	{BL31_IMAGE_ID, 0U, RCAR_ATTR_SET_ALL(0, 0, 0)},
- 
-@@ -268,9 +280,9 @@ static int32_t check_load_area(uintptr_t dst, uintptr_t len)
- 	uintptr_t prot_start, prot_end;
- 	int32_t result = IO_SUCCESS;
- 
--	dram_start = legacy ? DRAM1_BASE : DRAM_40BIT_BASE;
-+	dram_start = legacy ? DRAM1_NS_BASE : DRAM_40BIT_BASE;
- 
--	dram_end = legacy ? DRAM1_BASE + DRAM1_SIZE :
-+	dram_end = legacy ? DRAM1_NS_BASE + DRAM1_NS_SIZE :
- 	    DRAM_40BIT_BASE + DRAM_40BIT_SIZE;
- 
- 	prot_start = legacy ? DRAM_PROTECTED_BASE : DRAM_40BIT_PROTECTED_BASE;
-@@ -298,6 +310,36 @@ static int32_t check_load_area(uintptr_t dst, uintptr_t len)
- 		ERROR("BL2: Out of range : dst=0x%lx len=0x%lx\n", dst, len);
- 	}
- 
-+	if (addr_loaded_cnt >= CHECK_IMAGE_AREA_CNT) {
-+		ERROR("BL2: max loadable non secure images reached\n");
-+		result = IO_FAIL;
-+	}
-+	addr_loaded[addr_loaded_cnt].dest = dst;
-+	addr_loaded[addr_loaded_cnt].length = len;
-+	for(int n=0; n<addr_loaded_cnt; n++) {
-+		/* Check if next image invades a previous loaded image
-+		 *
-+		 * IMAGE n: area from previous image:	dest| IMAGE n |length
-+		 * IMAGE n+1: area from next image:	dst | IMAGE n |len
-+		 *
-+		 * 1. check:
-+		 *      | IMAGE n |
-+		 *           | IMAGE n+1 |
-+		 * 2. check:
-+		 *      | IMAGE n |
-+		 *  | IMAGE n+1 |
-+		 *
-+		 * */
-+		if (((dst > addr_loaded[n].dest) &&
-+		     (dst <  addr_loaded[n].dest + addr_loaded[n].length)) ||
-+		    (((dst < addr_loaded[n].dest) &&
-+		      (dst + len)) > addr_loaded[n].dest)) {
-+			ERROR("BL2: image is inside a previous image area.\n");
-+			result = IO_FAIL;
-+		}
-+	}
-+	addr_loaded_cnt++;
-+
- 	return result;
- }
- 
-diff --git a/plat/renesas/common/include/rcar_def.h b/plat/renesas/common/include/rcar_def.h
-index 1b4527a9fc..38706a8373 100644
---- a/plat/renesas/common/include/rcar_def.h
-+++ b/plat/renesas/common/include/rcar_def.h
-@@ -31,7 +31,7 @@
- #define DRAM_LIMIT			ULL(0x0000010000000000)
- #define DRAM1_BASE			U(0x40000000)
- #define DRAM1_SIZE			U(0x80000000)
--#define DRAM1_NS_BASE			(DRAM1_BASE + U(0x10000000))
-+#define DRAM1_NS_BASE			(DRAM1_BASE + U(0x08000000))
- #define DRAM1_NS_SIZE			(DRAM1_SIZE - DRAM1_NS_BASE)
- #define DRAM_40BIT_BASE			ULL(0x0400000000)
- #define DRAM_40BIT_SIZE			ULL(0x0400000000)

CVE-2024-6287-2.patch

@@ -1,41 +0,0 @@
-From 954d488a9798f8fda675c6b57c571b469b298f04 Mon Sep 17 00:00:00 2001
-From: Yoshifumi Hosoya <yoshifumi.hosoya.wj@renesas.com>
-Date: Sun, 23 Apr 2023 21:11:15 +0900
-Subject: [PATCH] rcar-gen3: plat: BL2: fix Incorrect Address Range Calculation
-
-Check against all address overlap cases
-
-Reviewed-by: Tomer Fichman <Tomer.Fichman@cymotive.com>
-Signed-off-by: Yoshifumi Hosoya <yoshifumi.hosoya.wj@renesas.com>
----
- drivers/renesas/common/io/io_rcar.c | 15 ++++++++++-----
- 1 file changed, 10 insertions(+), 5 deletions(-)
-
-diff --git a/drivers/renesas/common/io/io_rcar.c b/drivers/renesas/common/io/io_rcar.c
-index 9b29a5be81..21ed411137 100644
---- a/drivers/renesas/common/io/io_rcar.c
-+++ b/drivers/renesas/common/io/io_rcar.c
-@@ -335,13 +335,18 @@ static int32_t check_load_area(uintptr_t dst, uintptr_t len)
- 		 * 2. check:
- 		 *      | IMAGE n |
- 		 *  | IMAGE n+1 |
-+		 * 3. check:
-+		 *      | IMAGE n |
-+		 *  |    IMAGE n+1    |
- 		 *
- 		 * */
--		if (((dst > addr_loaded[n].dest) &&
--		     (dst <  addr_loaded[n].dest + addr_loaded[n].length)) ||
--		    (((dst < addr_loaded[n].dest) &&
--		      (dst + len)) > addr_loaded[n].dest)) {
--			ERROR("BL2: image is inside a previous image area.\n");
-+		if (((dst >= addr_loaded[n].dest) &&
-+		     (dst <=  addr_loaded[n].dest + addr_loaded[n].length)) ||
-+		    ((dst + len >= addr_loaded[n].dest) &&
-+		     (dst + len <= addr_loaded[n].dest + addr_loaded[n].length)) ||
-+		    ((dst <= addr_loaded[n].dest) &&
-+		     (dst + len >= addr_loaded[n].dest + addr_loaded[n].length))) {
-+			ERROR("BL2: next image overlap a previous image area.\n");
- 			result = IO_FAIL;
- 		}
- 	}

CVE-2024-6563.patch

@@ -1,34 +0,0 @@
-From 235f85b654a031f7647e81b86fc8e4ffeb430164 Mon Sep 17 00:00:00 2001
-From: Yoshifumi Hosoya <yoshifumi.hosoya.wj@renesas.com>
-Date: Sun, 23 Apr 2023 21:37:42 +0900
-Subject: [PATCH] rcar-gen3: plat: BL2: Enhanced buffer protection
-
-If the parameter check is an error, the function is terminated immediately.
-
-Reviewed-by: Ilay Levi <Ilay.levi@cymotive.com>
-Signed-off-by: Yoshifumi Hosoya <yoshifumi.hosoya.wj@renesas.com>
----
- drivers/renesas/common/io/io_rcar.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/drivers/renesas/common/io/io_rcar.c b/drivers/renesas/common/io/io_rcar.c
-index 45ef386..3ed5eaf 100644
---- a/drivers/renesas/common/io/io_rcar.c
-+++ b/drivers/renesas/common/io/io_rcar.c
-@@ -286,11 +286,13 @@ static int32_t check_load_area(uintptr_t dst, uintptr_t len)
- 	if (dst >= prot_start && dst < prot_end) {
- 		ERROR("BL2: dst address is on the protected area.\n");
- 		result = IO_FAIL;
-+		goto done;
- 	}
- 
- 	if (dst < prot_start && dst > prot_start - len) {
- 		ERROR("BL2: loaded data is on the protected area.\n");
- 		result = IO_FAIL;
-+		goto done;
- 	}
- done:
- 	if (result == IO_FAIL) {
--- 
-2.33.0
-

CVE-2024-6564.patch

@@ -1,42 +0,0 @@
-From c9fb3558410032d2660c7f3b7d4b87dec09fe2f2 Mon Sep 17 00:00:00 2001
-From: Yoshifumi Hosoya <yoshifumi.hosoya.wj@renesas.com>
-Date: Mon, 3 Jul 2023 16:58:11 +0900
-Subject: [PATCH] rcar-gen3: plat: BL2: Fix to check "rcar_image_number"
- variable before use
-
-Reviewed-by: Tomer Fichman <Tomer.Fichman@cymotive.com>
-Signed-off-by: Yoshifumi Hosoya <yoshifumi.hosoya.wj@renesas.com>
----
- drivers/renesas/common/io/io_rcar.c | 10 +++++-----
- 1 file changed, 5 insertions(+), 5 deletions(-)
-
-diff --git a/drivers/renesas/common/io/io_rcar.c b/drivers/renesas/common/io/io_rcar.c
-index b1638a1e0..03a8f8212 100644
---- a/drivers/renesas/common/io/io_rcar.c
-+++ b/drivers/renesas/common/io/io_rcar.c
-@@ -496,17 +496,17 @@ static int32_t rcar_dev_init(io_dev_info_t *dev_info, const uintptr_t name)
- #endif
- 
- 	rcar_image_number = header[0];
--	for (i = 0; i < rcar_image_number + 2; i++) {
--		rcar_image_header[i] = header[i * 2 + 1];
--		rcar_image_header_prttn[i] = header[i * 2 + 2];
--	}
--
- 	if (rcar_image_number == 0 || rcar_image_number > RCAR_MAX_BL3X_IMAGE) {
- 		WARN("Firmware Image Package header check failed.\n");
- 		rc = IO_FAIL;
- 		goto error;
- 	}
- 
-+	for (i = 0; i < rcar_image_number + 2; i++) {
-+		rcar_image_header[i] = header[i * 2 + 1];
-+		rcar_image_header_prttn[i] = header[i * 2 + 2];
-+	}
-+
- 	rc = io_seek(handle, IO_SEEK_SET, offset + RCAR_SECTOR6_CERT_OFFSET);
- 	if (rc != IO_SUCCESS) {
- 		WARN("Firmware Image Package header failed to seek cert\n");
--- 
-2.20.1
-

arm-trusted-firmware.spec

@@ -1,24 +1,15 @@
 %global debug_package %{nil}
 
 Name:          arm-trusted-firmware
-Version:       2.9
-Release:       5
+Version:       2.12.1
+Release:       1
 Summary:       ARM Trusted Firmware
-License:       BSD
+License:       BSD-3-clause
 URL:           https://github.com/ARM-software/arm-trusted-firmware/wiki
-Source0:       https://github.com/ARM-software/arm-trusted-firmware/archive/v%{version}/%{name}-%{version}.tar.gz
-# https://git.trustedfirmware.org/TF-A/trusted-firmware-a.git/commit/?id=a7eff3477dcf3624
-Patch0:        CVE-2023-49100.patch
-# https://github.com/renesas-rcar/arm-trusted-firmware/commit/235f85b654a031f7647e81b86fc8e4ffeb430164
-Patch1:        CVE-2024-6563.patch
-Patch2:        CVE-2024-6564.patch
-# https://github.com/renesas-rcar/arm-trusted-firmware/commit/6a96c18c474e6339fab93f54d52aa7dcc4b70e52
-Patch3:        CVE-2024-6287-1.patch
-# https://github.com/renesas-rcar/arm-trusted-firmware/commit/954d488a9798f8fda675c6b57c571b469b298f04
-Patch4:        CVE-2024-6287-2.patch
-Patch5:        CVE-2024-6285.patch
+Source0:       https://github.com/ARM-software/arm-trusted-firmware/archive/lts-v%{version}/%{name}-%{version}.tar.gz
 ExclusiveArch: aarch64
 BuildRequires: dtc
+BuildRequires: gcc openssl-devel
 
 %description
 Trusted Firmware-A is a reference implementation of secure world software
@@ -31,10 +22,11 @@ ARM Trusted Firmware for various ARMv8-A SoCs.
 
 
 %prep
-%autosetup -p1 -n %{name}-%{version}
+%autosetup -p1 -n %{name}-lts-v%{version}
 sed -i 's/arm-none-eabi-/arm-linux-gnu-/' plat/rockchip/rk3399/drivers/m0/Makefile
 
 %build
+export CC=gcc
 for soc in hikey hikey960 imx8qm imx8qx juno rk3368 rk3328 rpi3 sun50i_a64 sun50i_h6 zynqmp
 do
 make HOSTCC="%{CC} $RPM_OPT_FLAGS -fPIE -Wl,-z,relro,-z,now" CROSS_COMPILE="" PLAT=$(echo $soc) bl31
@@ -71,8 +63,49 @@ strip %{buildroot}/%{_datadir}/%{name}/rk3368/bl31.elf
 %{_datadir}/%{name}
 
 %changelog
-* Mon Dec 16 2024 wangkai <13474090681@163.com> - 2.9-5
-- Fix CVE-2024-6285
+* Thu Mar 20 2025 yaoxin <1024769339@qq.com> - 2.12.1-1
+- Update to 2.12.1 for fix CVE-2024-7881 and CVE-2024-5660
+
+* Wed Nov 27 2024 yaoxin <yao_xin001@hoperun.com> - 2.12.0-1
+- Update to 2.12.0
+- Bootloader Images:
+    * remove unused plat_try_next_boot_source
+- Architecture:
+    *Branch Record Buffer Extension (FEAT_BRBE)
+    * allow RME builds with BRBE
+- Arm:
+    * avoid stripping kernel trampoline
+    * add DRAM memory regions that linux kernel can share
+    * add optee specific mem-size attribute
+    * add secure uart interrupt in device region
+    * enable FEAT_MTE2
+    * fix the FF-A optee manifest by adding the boot info node
+    * update the memory size allocated to optee at EL1
+- Intel:
+    * add cache invalidation during BL31 initialization
+    * add in JTAG ID for Linux FCS
+    * add in missing ECC register
+    * add in watchdog for QSPI driver
+    * bridge ack timing issue causing fpga config hung
+    * correct macro naming
+    * f2sdram bridge quick write thru failed
+    * fix bridge enable and disable function
+    * fix CCU for cache maintenance
+    * flush L1/L2/L3/Sys cache before HPS cold reset
+    * implement soc and lwsoc bridge control for burst speed
+    * refactor SDMMC driver for Altera products
+    * remove redundant BIT_32 macro
+    * software workaround for bridge timeout
+    * update Agilex5 BL2 init flow and other misc changes
+    * update Agilex5 warm reset subroutines
+    * update all the platforms hand-off data offset value
+    * update CCU configuration for Agilex5 platform
+    * update mailbox SDM printout message
+    * update memcpy to memcpy_s ([e264b55]
+    * update outdated code for Linux direct boot
+    * update preloaded_bl33_base for legacy product
+    * update sip smc config addr for agilex5
+    * update the size with addition 0x8000 0000 base
 
 * Tue Oct 15 2024 yaoxin <yao_xin001@hoperun.com> - 2.9-4
 - Fix CVE-2024-6287