Coverity: copy coverity code from tf-a-ci-scripts

This is a complete copy of the two folders [1,2], based on working dir
from commit [3]. Several pieces DO NOT fit in TF-M, i.e. exclude
paths, toolchain, coverity 'build cmd', etc. but we introduce the code as
'it is' from TF-A project for completeness, then following commits would do
proper changes based on this code.

The Coverity Scan is a static analysis tool that works at 'tree
level' and it scans compiled code.

This is part of the tasks intended for milestone 2 (M2) defined at [4].

[1]
https://git.trustedfirmware.org/ci/tf-a-ci-scripts.git/tree/script/tf-coverity

[2]
https://git.trustedfirmware.org/ci/tf-a-ci-scripts.git/tree/coverity

[3]
https://git.trustedfirmware.org/ci/tf-a-ci-scripts.git/commit/?id=97e2ef03aa6aa3ca9cb40e63a14765bda2c105c6

[4] https://developer.trustedfirmware.org/w/collaboration/openci/

Signed-off-by: Leonardo Sandoval <leonardo.sandoval@linaro.org>
Change-Id: I90ce8f1e9fcecc54cf80c759073e57f10e339c9c
diff --git a/coverity/MISRA_c2012_1_ARM_TF.config b/coverity/MISRA_c2012_1_ARM_TF.config
new file mode 100644
index 0000000..b5e802c
--- /dev/null
+++ b/coverity/MISRA_c2012_1_ARM_TF.config
@@ -0,0 +1,47 @@
+//
+// Copyright (c) 2019, Arm Limited. All rights reserved.
+//
+// SPDX-License-Identifier: BSD-3-Clause
+//
+
+// Default enabled rules are:
+
+// Parse warnings and recoverable warnings related:
+// Rule 2.1, Rule 2.2, Rule 3.1, Rule 3.2, Rule 4.2, Rule 5.3, Rule 5.7, Rule 8.2, Rule 17.3, Rule 20.9, Rule 20.14,
+
+// Other default enabled rules:
+// Directive 4.4, Directive 4.7, Directive 4.12, Rule 1.2, Rule 5.1, Rule 5.2, Rule 5.4, Rule 5.5, Rule 8.1, Rule 9.1,
+// Rule 8.14, Rule 13.6, Rule 15.6, Rule 16.2, Rule 16.3, Rule 16.4, Rule 16.5, Rule 16.6, Rule 16.7, Rule 17.1,
+// Rule 17.4, Rule 17.6, Rule 19.1, Rule 19.2, Rule 21.4, Rule 21.5, Rule 21.6, Rule 21.7, Rule 21.8, Rule 21.9,
+// Rule 21.10, Rule 21.11, Rule 21.12, Rule 22.1, Rule 22.2, Rule 22.4, Rule 22.5, Rule 22.6.
+
+// You can disable the above rules (except mandatory rules) by adding "deviation"s and "reason"s in "deviations" field.
+// Mandatory rules: 9.1, 13.6, 17.3, 17.4, 17.6, 19.1, 22.2, 22.4, 22.5, 22.6.
+
+{
+    version : "2.0",
+    standard : "c2012",
+    title: "Coverity Compliance",
+    deviations : [
+    // Remove these deviations once you’re ready to go to level 2
+    { deviation: "Rule 2.4",  reason: "This rule is currently disabled in the analysis configuration." },
+    { deviation: "Rule 2.5",  reason: "This rule is currently disabled in the analysis configuration." },
+    { deviation: "Rule 2.7",  reason: "This rule is currently disabled in the analysis configuration." },
+    { deviation: "Directive 4.6",  reason: "This rule is currently disabled in the analysis configuration." },
+    { deviation: "Directive 4.8",  reason: "We can't comply with this (advisory) rule without invasive changes to the codebase." },
+    { deviation: "Directive 4.9",  reason: "This (advisory) rule flags assert(), CASSERT(), INFO()..." },
+    { deviation: "Rule 5.1",  reason: "This rule is currently disabled in the analysis configuration." },
+    { deviation: "Rule 5.8",  reason: "This rule is currently disabled in the analysis configuration." },
+    { deviation: "Rule 8.6",  reason: "This rule is currently disabled in the analysis configuration." },
+    { deviation: "Rule 8.7",  reason: "This rule is currently disabled in the analysis configuration." },
+    { deviation: "Rule 11.4",  reason: "This rule is currently disabled in the analysis configuration." },
+    { deviation: "Rule 11.5",  reason: "This rule is currently disabled in the analysis configuration." },
+    { deviation: "Rule 15.1",  reason: "This rule is currently disabled in the analysis configuration." },
+    { deviation: "Rule 15.5",  reason: "This rule is currently disabled in the analysis configuration." },
+    { deviation: "Rule 15.6",  reason: "This rule is currently disabled in the analysis configuration." },
+    { deviation: "Rule 16.1",  reason: "This rule is a superset of rule 16.3 which we cannot comply with." },
+    { deviation: "Rule 16.3",  reason: "We make extensive use of unconditional return within switch clauses." },
+    { deviation: "Rule 17.1",  reason: "This rule is currently disabled in the analysis configuration." },
+    { deviation: "Rule 21.6",  reason: "This rule is currently disabled in the analysis configuration." }
+    ]
+}
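Review bot: The deviations list turns off Rule 5.1, Rule 15.6, Rule 17.1 and Rule 21.6, which the header comment names as default enabled rules, and the reason recorded for them ("This rule is currently disabled in the analysis configuration.") restates the effect instead of justifying it. Suggest giving each of these entries a real rationale, as the Directive 4.8 and Rule 16.3 entries do, or dropping the deviation. The comment at the top of the list also contains a typographic apostrophe (you’re); plain ASCII is safer in a config file.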
diff --git a/coverity/MISRA_c2012_2_ARM_TF.config b/coverity/MISRA_c2012_2_ARM_TF.config
new file mode 100644
index 0000000..98b19a0
--- /dev/null
+++ b/coverity/MISRA_c2012_2_ARM_TF.config
@@ -0,0 +1,67 @@
+//
+// Copyright (c) 2019, Arm Limited. All rights reserved.
+//
+// SPDX-License-Identifier: BSD-3-Clause
+//
+
+// Default enabled rules are:
+
+// Parse warnings and recoverable warnings related:
+// Rule 2.1, Rule 2.2, Rule 3.1, Rule 3.2, Rule 4.2, Rule 5.3, Rule 5.7, Rule 8.2, Rule 17.3, Rule 20.9, Rule 20.14,
+
+// Other default enabled rules:
+// Directive 4.4, Directive 4.7, Directive 4.12, Rule 1.2, Rule 5.1, Rule 5.2, Rule 5.4, Rule 5.5, Rule 8.1, Rule 9.1,
+// Rule 8.14, Rule 13.6, Rule 15.6, Rule 16.2, Rule 16.3, Rule 16.4, Rule 16.5, Rule 16.6, Rule 16.7, Rule 17.1,
+// Rule 17.4, Rule 17.6, Rule 19.1, Rule 19.2, Rule 21.4, Rule 21.5, Rule 21.6, Rule 21.7, Rule 21.8, Rule 21.9,
+// Rule 21.10, Rule 21.11, Rule 21.12, Rule 22.1, Rule 22.2, Rule 22.4, Rule 22.5, Rule 22.6.
+
+// You can disable the above rules (except mandatory rules) by adding "deviation"s and "reason"s in "deviations" field.
+// Mandatory rules: 9.1, 13.6, 17.3, 17.4, 17.6, 19.1, 22.2, 22.4, 22.5, 22.6.
+
+{
+    version : "2.0",
+    standard : "c2012",
+    title: "Coverity Compliance",
+    deviations : [
+    // Remove these deviations once you’re ready to go to level 2
+
+    // Deviations: Optional, skipped in full scan as issues might be present in existing code base
+    { deviation: "Rule 1.2",  reason: "This rule is currently disabled in the analysis configuration." },
+    { deviation: "Rule 2.3",  reason: "This rule is currently disabled in the analysis configuration." },
+    { deviation: "Rule 5.7",  reason: "This rule is currently disabled in the analysis configuration." },
+    { deviation: "Rule 8.11",  reason: "This rule is currently disabled in the analysis configuration." },
+    { deviation: "Rule 8.13",  reason: "This rule is currently disabled in the analysis configuration." },
+    { deviation: "Rule 10.1",  reason: "This rule is currently disabled in the analysis configuration." },
+    { deviation: "Rule 10.3",  reason: "This rule is currently disabled in the analysis configuration." },
+    { deviation: "Rule 10.4",  reason: "This rule is currently disabled in the analysis configuration." },
+    { deviation: "Rule 11.6",  reason: "This rule is currently disabled in the analysis configuration." },
+    { deviation: "Rule 17.7",  reason: "This rule is currently disabled in the analysis configuration." },
+    { deviation: "Rule 17.8",  reason: "This rule is currently disabled in the analysis configuration." },
+    { deviation: "Rule 19.2",  reason: "This rule is currently disabled in the analysis configuration." },
+    { deviation: "Rule 20.1",  reason: "This rule is currently disabled in the analysis configuration." },
+    { deviation: "Rule 20.8",  reason: "This rule is currently disabled in the analysis configuration." },
+    { deviation: "Rule 20.9",  reason: "This rule is currently disabled in the analysis configuration." },
+    { deviation: "Rule 20.10",  reason: "This rule is currently disabled in the analysis configuration." },
+
+    // Deviations: Not Enforced, can be skipped for new code as well
+    { deviation: "Rule 2.4",  reason: "This rule is currently disabled in the analysis configuration." },
+    { deviation: "Rule 2.5",  reason: "This rule is currently disabled in the analysis configuration." },
+    { deviation: "Rule 2.7",  reason: "This rule is currently disabled in the analysis configuration." },
+    { deviation: "Directive 4.6",  reason: "This rule is currently disabled in the analysis configuration." },
+    { deviation: "Directive 4.8",  reason: "We can't comply with this (advisory) rule without invasive changes to the codebase." },
+    { deviation: "Directive 4.9",  reason: "This (advisory) rule flags assert(), CASSERT(), INFO()..." },
+    { deviation: "Rule 5.1",  reason: "This rule is currently disabled in the analysis configuration." },
+    { deviation: "Rule 5.8",  reason: "This rule is currently disabled in the analysis configuration." },
+    { deviation: "Rule 8.6",  reason: "This rule is currently disabled in the analysis configuration." },
+    { deviation: "Rule 8.7",  reason: "This rule is currently disabled in the analysis configuration." },
+    { deviation: "Rule 11.4",  reason: "This rule is currently disabled in the analysis configuration." },
+    { deviation: "Rule 11.5",  reason: "This rule is currently disabled in the analysis configuration." },
+    { deviation: "Rule 15.1",  reason: "This rule is currently disabled in the analysis configuration." },
+    { deviation: "Rule 15.5",  reason: "This rule is currently disabled in the analysis configuration." },
+    { deviation: "Rule 15.6",  reason: "This rule is currently disabled in the analysis configuration." },
+    { deviation: "Rule 16.1",  reason: "This rule is a superset of rule 16.3 which we cannot comply with." },
+    { deviation: "Rule 16.3",  reason: "We make extensive use of unconditional return within switch clauses." },
+    { deviation: "Rule 17.1",  reason: "This rule is currently disabled in the analysis configuration." },
+    { deviation: "Rule 21.6",  reason: "This rule is currently disabled in the analysis configuration." }
+    ]
+}
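Review bot: The first comment inside "deviations" ("Remove these deviations once you're ready to go to level 2") looks carried over from the _1 config and no longer describes anything in this file, which by its name is the level 2 config; remove or reword it. The "Optional" block turns off Rule 1.2, Rule 5.7, Rule 19.2 and Rule 20.9, all listed in the header as default enabled, with only the placeholder reason. The "Not Enforced" block repeats the _1 list verbatim, so the two files can drift apart; a header note that the lists must be kept in sync would help.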
diff --git a/coverity/run_coverity.sh b/coverity/run_coverity.sh
new file mode 100755
index 0000000..b772b7e
--- /dev/null
+++ b/coverity/run_coverity.sh
@@ -0,0 +1,201 @@
+#!/usr/bin/env bash
+#
+# Copyright (c) 2019-2020, Arm Limited. All rights reserved.
+#
+# SPDX-License-Identifier: BSD-3-Clause
+#
+
+#
+# Run Coverity on a source tree.
+# Then:
+# - either produce a tarball ready to be submitted to Coverity Scan Online
+#   [online mode]
+# - or locally analyze and create a text report and HTML pages of the analysis
+#   [offline mode]
+#
+# The following arguments must be passed to this script:
+# 1. The command to use to build the software (this can be a script).
+# 2. The mode: "online" or "offline".
+# 3. The name of the output file to produce.
+#    In the online mode, this should be a tarball name.
+#    In the offline mode, this should be a text file name.
+# 4. In the offline mode, the path to the source tree to analyze.
+#
+# Assumptions:
+# The following tools are loaded in the PATH:
+#  - the Coverity tools (cov-configure, cov-build, and so on);
+#  - the AArch64 cross-toolchain;
+#  - the AArch32 cross-toolchain.
+
+# Bail out as soon as an error is encountered
+set -e
+
+
+function do_check_tools()
+{
+    local mode="$1"
+
+    echo
+    echo "Checking all required tools are available..."
+    echo
+
+    # Print version of the Coverity tools.
+    # This also serves as a check that the tools are available.
+    cov-configure --ident
+    cov-build --ident
+    if [[ "$mode" == "offline" ]]; then
+	cov-analyze --ident
+    fi
+
+    # Check that the AArch64 cross-toolchain is available.
+    aarch64-none-elf-gcc --version
+
+    # Check that the AArch32 cross-toolchain is available.
+    arm-none-eabi-gcc --version
+
+    echo
+    echo "Checks complete."
+    echo
+}
+
+
+function do_configure()
+{
+    # Create Coverity's configuration directory and its intermediate directory.
+    rm -rf cov-config cov-int
+    mkdir cov-config cov-int
+
+    # Generate Coverity's configuration files.
+    #
+    # This needs to be done for each compiler.
+    # Each invocation of the cov-configure command adds a compiler configuration in
+    # its own subdirectory, and the top XML configuration file contains an include
+    # directive for that compiler-specific configuration.
+    #   1) AArch64 compiler
+    cov-configure				\
+	--comptype gcc				\
+	--template				\
+	--compiler aarch64-none-elf-gcc	\
+	--config cov-config/config.xml
+    #   2) AArch32 compiler
+    cov-configure				\
+	--comptype gcc				\
+	--template				\
+	--compiler arm-none-eabi-gcc			\
+	--config cov-config/config.xml
+}
+
+
+function do_build()
+{
+    local build_cmd=("$*")
+
+    echo
+    echo "* The software will be built using the following command line:"
+    echo "$build_cmd"
+    echo
+
+    # Build the instrumented binaries.
+    cov-build				\
+	--config cov-config/config.xml	\
+	--dir cov-int			\
+	$build_cmd
+
+    echo
+    echo "Build complete."
+    echo
+}
+
+
+function do_analyze()
+{
+    local out="$1"
+    local src_tree="$2"
+    local profile="$3"
+    out="${profile}_${out}"
+
+    echo
+    echo "Starting the local analysis..."
+    echo "  (Profile: $profile)"
+    echo
+    echo "The results will be saved into '$out'."
+    echo
+
+    results_dir=$(pwd)
+    cd "$src_tree"
+
+    # Analyze the instrumented binaries.
+    # Get the analysis settings from the right profile file.
+    cov-analyze							\
+	$(cat $(dirname "$0")/coverity_profile_${profile})	\
+	${analysis_settings[@]}					\
+	--dir "$results_dir/cov-int"				\
+	--verbose 0						\
+	--redirect stdout,"$results_dir/$out"
+
+    # Generate HTML pages
+    cov-format-errors						\
+	--html-output "$results_dir/results/html/${profile}"	\
+	--filesort						\
+	--dir "$results_dir/cov-int"
+
+    # Generate text report
+    mkdir -p "$results_dir/results/text"
+    cov-format-errors					\
+	--emacs-style					\
+	--filesort					\
+	--dir "$results_dir/cov-int"			\
+	> "$results_dir/results/text/${profile}"
+    cd -
+    echo "Analysis complete."
+}
+
+
+function create_results_tarball()
+{
+    local tarball_name="$1"
+
+    echo
+    echo "Creating the tarball containing the results of the analysis..."
+    echo
+    tar -czvf "$tarball_name" cov-int/
+    echo
+    echo "Complete."
+    echo
+}
+
+
+###############################################################################
+PHASE="$1"
+echo "Coverity: phase '$PHASE'"
+shift
+
+case $PHASE in
+    check_tools)
+	ANALYSIS_MODE="$1"
+	do_check_tools "$ANALYSIS_MODE"
+    ;;
+
+    configure)
+	do_configure
+    ;;
+
+    build)
+	do_build "$1"
+    ;;
+
+    analyze)
+	OUTPUT_FILE="$1"
+	SOURCE_TREE="$2"
+	ANALYSIS_PROFILE="$3"
+	do_analyze "$OUTPUT_FILE" "$SOURCE_TREE" "$ANALYSIS_PROFILE"
+    ;;
+
+    package)
+	OUTPUT_FILE="$1"
+	create_results_tarball "$OUTPUT_FILE"
+	;;
+
+    *)
+	echo "Invalid phase '$PHASE'"
+esac
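Review bot: The final "*)" branch of the phase case only echoes "Invalid phase" and the script then ends with status 0, so run_coverity_on_tf.py, which checks "ret != 0" after each call, treats a mistyped phase as success; add "exit 1" there and send the message to stderr. In do_build, local build_cmd=("$*") creates a one-element array that is then expanded unquoted as $build_cmd, so a build command whose arguments contain spaces or glob characters is re-split. do_analyze expands ${analysis_settings[@]}, which nothing in this script sets. The header comment still documents the arguments as build command, mode and output file, while the first argument is actually the phase.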
diff --git a/script/tf-coverity/common-def.sh b/script/tf-coverity/common-def.sh
new file mode 100644
index 0000000..ea54d18
--- /dev/null
+++ b/script/tf-coverity/common-def.sh
@@ -0,0 +1,15 @@
+#!/usr/bin/env bash
+#
+# Copyright (c) 2019, Arm Limited. All rights reserved.
+#
+# SPDX-License-Identifier: BSD-3-Clause
+#
+
+JENKINS_URL=https://jenkins.oss.arm.com/
+
+# mbed TLS source tag to checkout when building Trusted Firmware with Trusted
+# Board Boot support.
+MBED_TLS_SOURCES_TAG="mbedtls-2.18.0"
+
+ARMCLANG_PATH=/arm/warehouse/Distributions/FA/ARMCompiler/6.8/25/standalone-linux-x86_64-rel/bin/armclang
+CRYPTOCELL_LIB_PATH=/arm/projectscratch/ssg/trusted-fw/dummy-crypto-lib
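Review bot: ARMCLANG_PATH and CRYPTOCELL_LIB_PATH are hard-coded absolute paths under /arm/, and JENKINS_URL is fixed to jenkins.oss.arm.com; a job that sources this file where those locations do not exist gets unusable values with no error at this point. The commit message says the TF-A specifics will be adjusted in follow-up commits, so suggest at least a comment marking these as TF-A CI values to be replaced, or making them overridable from the environment with the ${VAR:-default} form. MBED_TLS_SOURCES_TAG likewise pins the version used for the TF-A build and needs confirming for TF-M.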
diff --git a/script/tf-coverity/cov-2019.03-fix.patch b/script/tf-coverity/cov-2019.03-fix.patch
new file mode 100755
index 0000000..cc7a06a
--- /dev/null
+++ b/script/tf-coverity/cov-2019.03-fix.patch
@@ -0,0 +1,16 @@
+--- cov-analysis-linux64-2019.03/config/templates/gnu/compiler-compat-arm-intrin.h	2019-12-12 16:13:12.807998525 -0600
++++ cov-analysis-linux64-2019.03/config/templates/gnu/compiler-compat-arm-intrin_new.h	2019-12-12 16:14:23.559761391 -0600
+@@ -1373,11 +1373,11 @@
+ typedef signed char int8_t;
+ typedef short int int16_t;
+ typedef int int32_t;
+-typedef long int int64_t;
++typedef signed long long int64_t;
+ typedef unsigned char uint8_t;
+ typedef short unsigned int uint16_t;
+ typedef unsigned int uint32_t;
+-typedef long unsigned int uint64_t;
++typedef unsigned long long uint64_t;
+
+ __Int8x8_t __builtin_aarch64_tbl3v8qi(__builtin_aarch64_simd_oi, __Int8x8_t);
+ __Float32x2_t __builtin_aarch64_absv2sf(__Float32x2_t);
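Review bot: The executable bit (new file mode 100755) is not needed on a patch file that is only consumed through "patch ... -i" in run_coverity_on_tf.py; 100644 is enough. The patch also carries no text explaining why int64_t and uint64_t are redefined as long long types in compiler-compat-arm-intrin.h; a short description at the top would tell a maintainer when it can be dropped for a later Coverity release. Its ---/+++ headers name two different files (compiler-compat-arm-intrin.h and compiler-compat-arm-intrin_new.h), which works only because the caller passes the target file explicitly.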
diff --git a/script/tf-coverity/coverity_tf_conf.py b/script/tf-coverity/coverity_tf_conf.py
new file mode 100644
index 0000000..5be7c7d
--- /dev/null
+++ b/script/tf-coverity/coverity_tf_conf.py
@@ -0,0 +1,57 @@
+#
+# Copyright (c) 2019-2020, Arm Limited. All rights reserved.
+#
+# SPDX-License-Identifier: BSD-3-Clause
+#
+
+#
+# This file lists the source files that are expected to be excluded from
+# Coverity's analysis, and the reason why.
+#
+
+# The expected format is an array of tuples (filename_pattern, description).
+# - filename_pattern is a Python regular expression (as in the 're' module)
+#   describing the file(s) to exclude.
+# - description aims at providing the reason why the files are expected
+#   to be excluded.
+exclude_paths = [
+    ("drivers/arm/tzc/tzc_common_private.c", "File included, actually indirectly analyzed"),
+    ("drivers/marvell/comphy/phy-comphy-3700.c", "File is actually analyzed. False positive"),
+    ("drivers/marvell/comphy/phy-comphy-cp110.c", "File is actually analyzed. False positive"),
+    ("drivers/marvell/gwin.c", "Not used by any upstream marvell platform"),
+    ("drivers/marvell/mochi/ap807_setup.c", "Not used by any upstream marvell platform"),
+    ("drivers/renesas/rcar/ddr/ddr_b/boot_init_dram_config.c",
+     "It is used as a header file and is included in boot_init_dram.c .Since it is not explicitly compiled, such file cannot be converted into an instrumented binary for further analysis"),
+    ("drivers/auth/cryptocell/713/.*", "There is no dummy library to support 713 for now. This can be removed once we have this library in place"),
+    ("drivers/st/scmi-msg/.*", "Not used by any upstream platform"),
+
+    ("plat/arm/board/fvp/fconf/fconf_nt_config_getter.c", "Not currently used. Future functionality"),
+    ("plat/marvell/armada/a8k/common/plat_bl1_setup.c", "Not used by any upstream marvell platform"),
+    ("plat/mediatek/common/custom/oem_svc.c", "Used only by mt6795 which is unsupported platform"),
+    ("plat/mediatek/mt6795/.*", "This platform fails to build and is not supported by mediatek"),
+    ("plat/mediatek/mt8173/plat_mt_gic.c", "Deprecated code"),
+    ("plat/nvidia/tegra/common/tegra_gicv3.c", "Not used by any upstream nvidia platform"),
+    ("plat/qemu/common/sp_min/sp_min_setup.c", "Not used in any upstream platform - see GENFW-2164"),
+    ("plat/rockchip/rk3399/drivers/m0/.*", "Work around the lack of support for the M0 compiler in the scripts"),
+
+    # The following block is excluding files that are impossible to include in a build due to a missing file
+    # this should be removed as soon as it would be possible to build stingray platform with SCP_BL2 option
+    ("drivers/brcm/iproc_gpio.c", "Cannot be built due to the missing m0_ipc.h file"),
+    ("drivers/brcm/scp.c", "Cannot be built due to the missing m0_ipc.h file"),
+    ("drivers/brcm/spi/iproc_qspi.c", "Cannot be built due to the missing m0_ipc.h file"),
+    ("drivers/brcm/spi/iproc_spi.c", "Cannot be built due to the missing m0_ipc.h file"),
+    ("drivers/brcm/spi_flash.c", "Cannot be built due to the missing m0_ipc.h file"),
+    ("drivers/brcm/spi_sf.c", "Cannot be built due to the missing m0_ipc.h file"),
+    ("plat/brcm/board/common/bcm_elog_ddr.c", "Cannot be built due to the missing m0_ipc.h file"),
+    ("plat/brcm/board/stingray/src/brcm_pm_ops.c", "Cannot be built due to the missing m0_ipc.h file"),
+    ("plat/brcm/board/stingray/src/ncsi.c", "Cannot be built due to the missing m0_ipc.h file"),
+    ("plat/brcm/board/stingray/src/scp_cmd.c", "Cannot be built due to the missing m0_ipc.h file"),
+    ("plat/brcm/board/stingray/src/scp_utils.c", "Cannot be built due to the missing m0_ipc.h file"),
+    ("plat/brcm/common/brcm_mhu.c", "Cannot be built due to the missing m0_ipc.h file"),
+    ("plat/brcm/common/brcm_scpi.c", "Cannot be built due to the missing m0_ipc.h file"),
+
+    ("lib/compiler-rt/.*", "3rd party libraries will not be fixed"),
+    ("lib/libfdt/.*", "3rd party libraries will not be fixed"),
+
+    ("tools/.*", "Host tools"),
+]
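Review bot: The entries that name a single file, such as "drivers/brcm/scp.c", are applied with re.match() in run_coverity_on_tf.py, so the "." is a wildcard and the pattern is not anchored at the end; any tracked .c path that merely starts with one of these strings is silently dropped from the coverage check. Suggest escaping the dot and ending single-file patterns with "$" (for example r"drivers/brcm/scp\.c$"), keeping ".*" only where a whole directory is meant. The "GENFW-2164" reference in the sp_min_setup.c entry is a bare ticket id; say where it can be looked up or spell the reason out.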
diff --git a/script/tf-coverity/run_coverity_on_tf.py b/script/tf-coverity/run_coverity_on_tf.py
new file mode 100755
index 0000000..b087c61
--- /dev/null
+++ b/script/tf-coverity/run_coverity_on_tf.py
@@ -0,0 +1,272 @@
+#!/usr/bin/env python3
+#
+# Copyright (c) 2019, Arm Limited. All rights reserved.
+#
+# SPDX-License-Identifier: BSD-3-Clause
+#
+
+#
+# Run the Coverity tool on the Trusted Firmware and produce a tarball ready to
+# be submitted to Coverity Scan Online.
+#
+
+import sys
+import argparse
+import urllib.request
+import tarfile
+import os
+import subprocess
+import re
+import utils
+import coverity_tf_conf
+
+
+def tarball_name(filename):
+    "Isolate the tarball name without the filename's extension."
+    # Handle a selection of "composite" extensions
+    for ext in [".tar.gz", ".tar.bz2"]:
+        if filename.endswith(ext):
+            return filename[:-len(ext)]
+    # For all other extensions, let the vanilla splitext() function handle it
+    return os.path.splitext(filename)[0]
+
+assert tarball_name("foo.gz") == "foo"
+assert tarball_name("bar.tar.gz") == "bar"
+assert tarball_name("baz.tar.bz2") == "baz"
+
+
+def get_coverity_tool():
+    coverity_tarball = "cov-analysis-linux64-2019.03.tar.gz"
+    url = "http://files.oss.arm.com/downloads/tf-a/" + coverity_tarball
+    print("Downloading Coverity Build tool from %s..." % url)
+    file_handle = urllib.request.urlopen(url)
+    output = open(coverity_tarball, "wb")
+    output.write(file_handle.read())
+    output.close()
+    print("Download complete.")
+
+    print("\nUnpacking tarball %s..." % coverity_tarball)
+    tarfile.open(coverity_tarball).extractall()
+    print("Tarball unpacked.")
+
+    print("\nNow please load the Coverity tool in your PATH...")
+    print("E.g.:")
+    cov_dir_name = tarball_name(coverity_tarball)
+    cov_dir_path = os.path.abspath(os.path.join(cov_dir_name, "bin"))
+    print("  export PATH=%s$PATH" % (cov_dir_path + os.pathsep))
+
+    # Patch is needed for coverity version 2019.03
+    patch_file = os.path.abspath(os.path.join(__file__, os.pardir, "cov-2019.03-fix.patch"))
+    cov_file = os.path.abspath(os.path.join(cov_dir_name, "config",
+                               "templates", "gnu", "compiler-compat-arm-intrin.h"))
+    print("Patching file")
+    print(cov_file)
+    utils.exec_prog("patch", [cov_file, "-i", patch_file],
+                            out=subprocess.PIPE, out_text_mode=True)
+
+def print_coverage(coverity_dir, tf_dir, exclude_paths=[], log_filename=None):
+    analyzed = []
+    not_analyzed = []
+    excluded = []
+
+    # Print the coverage report to a file (or stdout if no file is specified)
+    if log_filename is not None:
+        log_file = open(log_filename, "w")
+    else:
+        log_file = sys.stdout
+
+    # Get the list of files analyzed by Coverity.
+    #
+    # To do that, we examine the build log file Coverity generated and look for
+    # compilation lines. These are the lines starting with "COMPILING:" or
+    # "EXECUTING:". We consider only those lines that actually compile C files,
+    # i.e. lines of the form:
+    #   gcc -c file.c -o file.o
+    # This filters out other compilation lines like generation of dependency files
+    # (*.d) and such.
+    # We then extract the C filename.
+    coverity_build_log = os.path.join(coverity_dir, "build-log.txt")
+    with open(coverity_build_log, encoding="utf-8") as build_log:
+        for line in build_log:
+            line = re.sub('//','/', line)
+            results = re.search("(?:COMPILING|EXECUTING):.*-c *(.*\.c).*-o.*\.o", line)
+            if results is not None:
+                filename = results.group(1)
+                if filename not in analyzed:
+                    analyzed.append(filename)
+
+    # Now get the list of C files in the Trusted Firmware source tree.
+    # Header files and assembly files are ignored, as well as anything that
+    # matches the patterns list in the exclude_paths[] list.
+    # Build a list of files that are in this source tree but were not analyzed
+    # by comparing the 2 sets of files.
+    all_files_count = 0
+    old_cwd = os.path.abspath(os.curdir)
+    os.chdir(tf_dir)
+    git_process = utils.exec_prog("git", ["ls-files", "*.c"],
+                                  out=subprocess.PIPE, out_text_mode=True)
+    for filename in git_process.stdout:
+        # Remove final \n in filename
+        filename = filename.strip()
+
+        def is_excluded(filename, excludes):
+            for pattern in excludes:
+                if re.match(pattern[0], filename):
+                    excluded.append((filename, pattern[1]))
+                    return True
+            return False
+
+        if is_excluded(filename, exclude_paths):
+            continue
+
+        # Keep track of the number of C files in the source tree. Used to
+        # compute the coverage percentage at the end.
+        all_files_count += 1
+        if filename not in analyzed:
+            not_analyzed.append(filename)
+    os.chdir(old_cwd)
+
+    # Compute the coverage percentage
+    # Note: The 1.0 factor here is used to make a float division instead of an
+    # integer one.
+    percentage = (1 - ((1.0 * len(not_analyzed) ) / all_files_count)) * 100
+
+    #
+    # Print a report
+    #
+    log_file.write("Files coverage: %d%%\n\n" % percentage)
+    log_file.write("Analyzed %d files\n" % len(analyzed))
+
+    if len(excluded) > 0:
+        log_file.write("\n%d files were ignored on purpose:\n" % len(excluded))
+        for exc in excluded:
+            log_file.write(" - {0:50}   (Reason: {1})\n".format(exc[0], exc[1]))
+
+    if len(not_analyzed) > 0:
+        log_file.write("\n%d files were not analyzed:\n" % len(not_analyzed))
+        for f in not_analyzed:
+            log_file.write(" - %s\n" % f)
+        log_file.write("""
+===============================================================================
+Please investigate why the above files are not run through Coverity.
+
+There are 2 possible reasons:
+
+1) The build coverage is insufficient. Please review the tf-cov-make script to
+   add the missing build config(s) that will involve the file in the build.
+
+2) The file is expected to be ignored, for example because it is deprecated
+   code. Please update the TF Coverity configuration to list the file and
+   indicate the reason why it is safe to ignore it.
+===============================================================================
+""")
+    log_file.close()
+
+
+def parse_cmd_line(argv, prog_name):
+    parser = argparse.ArgumentParser(
+        prog=prog_name,
+        description="Run Coverity on Trusted Firmware",
+        epilog="""
+        Please ensure the AArch64 & AArch32 cross-toolchains are loaded in your
+        PATH. Ditto for the Coverity tools. If you don't have the latter then
+        you can use the --get-coverity-tool to download them for you.
+        """)
+    parser.add_argument("--tf", default=None,
+                        metavar="<Trusted Firmware source dir>",
+                        help="Specify the location of ARM Trusted Firmware sources to analyze")
+    parser.add_argument("--get-coverity-tool", default=False,
+                        help="Download the Coverity build tool and exit",
+                        action="store_true")
+    parser.add_argument("--mode", choices=["offline", "online"], default="online",
+                        help="Choose between online or offline mode for the analysis")
+    parser.add_argument("--output", "-o",
+                        help="Name of the output file containing the results of the analysis")
+    parser.add_argument("--build-cmd", "-b",
+                        help="Command used to build TF through Coverity")
+    parser.add_argument("--analysis-profile", "-p",
+                        action="append", nargs=1,
+                        help="Analysis profile for a local analysis")
+    args = parser.parse_args(argv)
+
+    # Set a default name for the output file if none is provided.
+    # If running in offline mode, this will be a text file;
+    # If running in online mode, this will be a tarball name.
+    if not args.output:
+        if args.mode == "offline":
+            args.output = "arm-tf-coverity-report.txt"
+        else:
+            args.output = "arm-tf-coverity-results.tgz"
+
+    return args
+
+
+if __name__ == "__main__":
+    prog_name = sys.argv[0]
+    args = parse_cmd_line(sys.argv[1:], prog_name)
+
+    # If the user asked to download the Coverity build tool then just do that
+    # and exit.
+    if args.get_coverity_tool:
+        # If running locally, use the commercial version of Coverity from the
+        # EUHPC cluster.
+        if args.mode == "offline":
+            print("To load the Coverity tools, use the following command:")
+            print("export PATH=/arm/tools/coverity/static-analysis/8.7.1/bin/:$PATH")
+        else:
+            get_coverity_tool()
+        sys.exit(0)
+
+    if args.tf is None:
+        print("ERROR: Please specify the Trusted Firmware sources using the --tf option.",
+              file=sys.stderr)
+        sys.exit(1)
+
+    # Get some important paths in the platform-ci scripts
+    tf_scripts_dir = os.path.abspath(os.path.dirname(prog_name))
+    tf_coverity_dir = os.path.join(os.path.normpath(
+        os.path.join(tf_scripts_dir, os.pardir, os.pardir)),"coverity")
+
+    if not args.build_cmd:
+        tf_build_script = os.path.join(tf_scripts_dir, "tf-cov-make")
+        args.build_cmd = tf_build_script + " " + args.tf
+
+    run_coverity_script = os.path.join(tf_coverity_dir, "run_coverity.sh")
+
+    ret = subprocess.call([run_coverity_script, "check_tools", args.mode])
+    if ret != 0:
+        sys.exit(1)
+
+    ret = subprocess.call([run_coverity_script, "configure"])
+    if ret != 0:
+        sys.exit(1)
+
+    ret = subprocess.call([run_coverity_script, "build", args.build_cmd])
+    if ret != 0:
+        sys.exit(1)
+
+    if args.mode == "online":
+        ret = subprocess.call([run_coverity_script, "package", args.output])
+    else:
+        for profile in args.analysis_profile:
+            ret = subprocess.call([run_coverity_script, "analyze",
+                                   args.output,
+                                   args.tf,
+                                   profile[0]])
+            if ret != 0:
+                    break
+    if ret != 0:
+        print("An error occured (%d)." % ret, file=sys.stderr)
+        sys.exit(ret)
+
+    print("-----------------------------------------------------------------")
+    print("Results can be found in file '%s'" % args.output)
+    if args.mode == "online":
+        print("This tarball can be uploaded at Coverity Scan Online:" )
+        print("https://scan.coverity.com/projects/arm-software-arm-trusted-firmware/builds/new?tab=upload")
+    print("-----------------------------------------------------------------")
+
+    print_coverage("cov-int", args.tf, coverity_tf_conf.exclude_paths, "tf_coverage.log")
+    with open("tf_coverage.log") as log_file:
+        for line in log_file:
+            print(line, end="")
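Review bot: get_coverity_tool() downloads the Coverity tarball over plain http:// and hands it straight to tarfile.open(...).extractall() with no checksum or signature check, so whatever arrives on that connection is unpacked into the working directory and then suggested for PATH; switch to https and verify a pinned SHA-256 before extracting. In the offline branch, "for profile in args.analysis_profile" raises TypeError when no -p option is given, because the argument has no default; make it required for offline mode or default it to an empty list. print_coverage() also closes log_file unconditionally, which closes sys.stdout when log_filename is None, and divides by all_files_count without guarding against zero.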
diff --git a/script/tf-coverity/tf-cov-make b/script/tf-coverity/tf-cov-make
new file mode 100755
index 0000000..67a244f
--- /dev/null
+++ b/script/tf-coverity/tf-cov-make
@@ -0,0 +1,479 @@
+#! /bin/sh
+#
+# Copyright (c) 2019-2020, Arm Limited. All rights reserved.
+#
+# SPDX-License-Identifier: BSD-3-Clause
+#
+
+#
+# This script builds the TF in different configs.
+# Rather than telling cov-build to build TF using a simple 'make all' command,
+# the goal here is to combine several build flags to analyse more of our source
+# code in a single 'build'. The Coverity Scan service does not have the notion
+# of separate types of build - there is just one linear sequence of builds in
+# the project history.
+#
+
+# Bail out as soon as an error is encountered.
+set -e
+
+TF_SOURCES=$1
+if [ ! -d "$TF_SOURCES" ]; then
+    echo "ERROR: '$TF_SOURCES' does not exist or is not a directory"
+    echo "Usage: $(basename "$0") <trusted-firmware-directory>"
+    exit 1
+fi
+
+export CROSS_COMPILE=aarch64-none-elf-
+
+# Get mbed TLS library code to build Trusted Firmware with Trusted Board Boot
+# support. The version of mbed TLS to use here must be the same as when
+# building TF in the usual context.
+if [ ! -d mbedtls ]; then
+    git clone https://github.com/ARMmbed/mbedtls.git
+fi
+cd mbedtls
+containing_dir="$(readlink -f "$(dirname "$0")/")"
+. $containing_dir/common-def.sh
+git checkout "$MBED_TLS_SOURCES_TAG"
+cd -
+TBB_OPTIONS="TRUSTED_BOARD_BOOT=1 GENERATE_COT=1 MBEDTLS_DIR=$(pwd)/mbedtls"
+ARM_TBB_OPTIONS="$TBB_OPTIONS ARM_ROTPK_LOCATION=devel_rsa"
+
+cd "$TF_SOURCES"
+
+# Clean TF source dir to make sure we don't analyse temporary files.
+make distclean
+
+#
+# Build TF in different configurations to get as much coverage as possible
+#
+
+# We need to clean the platform build between each configuration because Trusted
+# Firmware's build system doesn't track build options dependencies and won't
+# rebuild the files affected by build options changes.
+clean_build()
+{
+    local flags="$*"
+    echo "Building TF with the following build flags:"
+    echo "  $flags"
+    make $flags clean
+    make $flags all
+    echo "Build config complete."
+    echo
+}
+
+# Defines common flags between platforms
+common_flags() {
+    local release="${1:-}"
+
+    # default to debug mode, unless a parameter is passed to the function
+    debug="DEBUG=1"
+    [ -n "$release" ] && debug=""
+
+    echo " -j $debug -s "
+}
+
+#
+# FVP platform
+# We'll use the following flags for all FVP builds.
+#
+fvp_common_flags="$(common_flags) PLAT=fvp"
+
+# Try all possible SPDs.
+clean_build $fvp_common_flags ${ARM_TBB_OPTIONS} ARM_TSP_RAM_LOCATION=dram SPD=tspd
+clean_build $fvp_common_flags ${ARM_TBB_OPTIONS} ARM_TSP_RAM_LOCATION=dram SPD=tspd TSP_INIT_ASYNC=1 \
+    TSP_NS_INTR_ASYNC_PREEMPT=1
+clean_build $fvp_common_flags ${ARM_TBB_OPTIONS} SPD=opteed
+clean_build $fvp_common_flags ${ARM_TBB_OPTIONS} SPD=tlkd
+
+# Dualroot chain of trust.
+clean_build $fvp_common_flags ${ARM_TBB_OPTIONS} SPD=tspd COT=dualroot
+
+clean_build $fvp_common_flags SPD=trusty
+clean_build $fvp_common_flags SPD=trusty TRUSTY_SPD_WITH_GENERIC_SERVICES=1
+
+# SDEI
+clean_build $fvp_common_flags SDEI_SUPPORT=1 EL3_EXCEPTION_HANDLING=1
+
+# SDEI with fconf
+clean_build $fvp_common_flags SDEI_IN_FCONF=1 SDEI_SUPPORT=1 EL3_EXCEPTION_HANDLING=1
+
+# Secure interrupt descriptors with fconf
+clean_build $fvp_common_flags SEC_INT_DESC_IN_FCONF=1
+
+# Without coherent memory
+clean_build $fvp_common_flags ${ARM_TBB_OPTIONS} ARM_TSP_RAM_LOCATION=dram SPD=tspd USE_COHERENT_MEM=0
+
+# Using PSCI extended State ID format rather than the original format
+clean_build $fvp_common_flags ${ARM_TBB_OPTIONS} ARM_TSP_RAM_LOCATION=dram SPD=tspd PSCI_EXTENDED_STATE_ID=1 \
+    ARM_RECOM_STATE_ID_ENC=1
+
+# Alternative boot flows (This changes some of the platform initialisation code)
+clean_build $fvp_common_flags EL3_PAYLOAD=0x80000000
+clean_build $fvp_common_flags PRELOADED_BL33_BASE=0x80000000
+
+# Using the SP804 timer instead of the Generic Timer
+clean_build $fvp_common_flags FVP_USE_SP804_TIMER=1
+
+# Using the CCN driver and multi cluster topology
+clean_build $fvp_common_flags FVP_CLUSTER_COUNT=4
+
+# PMF
+clean_build $fvp_common_flags ENABLE_PMF=1
+
+# stack protector
+clean_build $fvp_common_flags ENABLE_STACK_PROTECTOR=strong
+
+# AArch32 build
+clean_build $fvp_common_flags CROSS_COMPILE=arm-none-eabi- \
+    ARCH=aarch32 AARCH32_SP=sp_min \
+    RESET_TO_SP_MIN=1 PRELOADED_BL33_BASE=0x80000000
+clean_build $fvp_common_flags CROSS_COMPILE=arm-none-eabi- \
+    ARCH=aarch32 AARCH32_SP=sp_min
+
+# Xlat tables lib version 1 (AArch64 and AArch32)
+clean_build $fvp_common_flags ARM_XLAT_TABLES_LIB_V1=1 RECLAIM_INIT_CODE=0
+clean_build $fvp_common_flags CROSS_COMPILE=arm-none-eabi- \
+    ARCH=aarch32 AARCH32_SP=sp_min ARM_XLAT_TABLES_LIB_V1=1 RECLAIM_INIT_CODE=0
+
+# SPM support based on Management Mode Interface Specification
+clean_build $fvp_common_flags SPM_MM=1 EL3_EXCEPTION_HANDLING=1
+
+# SPM support with TOS(optee) as SPM sitting at S-EL1
+clean_build $fvp_common_flags SPD=spmd SPMD_SPM_AT_SEL2=0
+
+# SPM support with Secure hafnium as SPM sitting at S-EL2
+# SP_LAYOUT_FILE is used only during FIP creation but build won't progress
+# if we have NULL value to it, so passing a dummy string.
+clean_build $fvp_common_flags SPD=spmd SPMD_SPM_AT_SEL2=1 ARM_ARCH_MINOR=4 \
+	CTX_INCLUDE_EL2_REGS=1 SP_LAYOUT_FILE=dummy
+
+#BL2 at EL3 support
+clean_build $fvp_common_flags BL2_AT_EL3=1
+clean_build $fvp_common_flags CROSS_COMPILE=arm-none-eabi- \
+    ARCH=aarch32 AARCH32_SP=sp_min BL2_AT_EL3=1
+
+# RAS Extension Support
+clean_build $fvp_common_flags EL3_EXCEPTION_HANDLING=1 \
+    FAULT_INJECTION_SUPPORT=1 HANDLE_EA_EL3_FIRST=1 RAS_EXTENSION=1 \
+    SDEI_SUPPORT=1
+
+# Hardware Assisted Coherency(DynamIQ)
+clean_build $fvp_common_flags FVP_CLUSTER_COUNT=1 FVP_MAX_CPUS_PER_CLUSTER=8 \
+    HW_ASSISTED_COHERENCY=1 USE_COHERENT_MEM=0
+
+# Pointer Authentication Support
+clean_build $fvp_common_flags CTX_INCLUDE_PAUTH_REGS=1 \
+    ARM_ARCH_MINOR=5 EL3_EXCEPTION_HANDLING=1 BRANCH_PROTECTION=1 SDEI_SUPPORT=1 SPD=tspd TSP_NS_INTR_ASYNC_PREEMPT=1
+
+# Undefined Behaviour Sanitizer
+# Building with UBSAN SANITIZE_UB=on increases the executable size.
+# Hence it is only properly supported in bl31 with RESET_TO_BL31 enabled
+make $fvp_common_flags clean
+make $fvp_common_flags SANITIZE_UB=on RESET_TO_BL31=1 bl31
+
+# debugfs feature
+clean_build $fvp_common_flags DEBUG=1 USE_DEBUGFS=1
+
+# MPAM feature
+clean_build $fvp_common_flags ENABLE_MPAM_FOR_LOWER_ELS=1
+
+# Using GICv3.1 driver with extended PPI and SPI range
+clean_build $fvp_common_flags GIC_EXT_INTID=1
+
+# Using GICv4 features with extended PPI and SPI range
+clean_build $fvp_common_flags GIC_ENABLE_V4_EXTN=1 GIC_EXT_INTID=1
+
+# Measured Boot
+clean_build $fvp_common_flags ${ARM_TBB_OPTIONS} MEASURED_BOOT=1
+
+#
+# Juno platform
+# We'll use the following flags for all Juno builds.
+#
+juno_common_flags="$(common_flags) PLAT=juno"
+clean_build $juno_common_flags SPD=tspd ${ARM_TBB_OPTIONS}
+clean_build $juno_common_flags EL3_PAYLOAD=0x80000000
+clean_build $juno_common_flags ENABLE_STACK_PROTECTOR=strong
+clean_build $juno_common_flags CSS_USE_SCMI_SDS_DRIVER=0
+clean_build $juno_common_flags SPD=tspd ${ARM_TBB_OPTIONS} ARM_CRYPTOCELL_INTEG=1 CCSBROM_LIB_PATH=${CRYPTOCELL_LIB_PATH} KEY_SIZE=2048
+
+#
+# System Guidance for Infrastructure platform SGI575
+# Enable build config with RAS_EXTENSION to cover more files
+make $(common_flags) PLAT=sgi575 ${ARM_TBB_OPTIONS} EL3_EXCEPTION_HANDLING=1 FAULT_INJECTION_SUPPORT=1 \
+    HANDLE_EA_EL3_FIRST=1 RAS_EXTENSION=1 SDEI_SUPPORT=1 SPM_MM=1 all
+#
+# System Guidance for Mobile platform SGM775
+#
+make $(common_flags) PLAT=sgm775 ${ARM_TBB_OPTIONS} SPD=tspd \
+    CSS_USE_SCMI_SDS_DRIVER=1 all
+
+#
+# System Guidance for Infrastructure platform RD-N1-Edge-Dual
+#
+make $(common_flags) PLAT=rdn1edge CSS_SGI_CHIP_COUNT=2 ${ARM_TBB_OPTIONS} all
+
+#
+# System Guidance for Infrastructure platform RD-E1Edge
+#
+make $(common_flags) PLAT=rde1edge ${ARM_TBB_OPTIONS} CSS_SGI_CHIP_COUNT=1 all
+
+#
+# System Guidance for Infrastructure platform RD-Daniel
+#
+make $(common_flags) PLAT=rddaniel ${ARM_TBB_OPTIONS} all
+
+#
+# System Guidance for Infrastructure platform RD-Danielxlr
+#
+make $(common_flags) PLAT=rddanielxlr ${ARM_TBB_OPTIONS} CSS_SGI_CHIP_COUNT=4 all
+
+#
+# Neoverse N1 SDP platform
+#
+make $(common_flags) PLAT=n1sdp ${ARM_TBB_OPTIONS} all
+
+#
+# FVP VE platform
+#
+make $(common_flags) PLAT=fvp_ve AARCH32_SP=sp_min ARCH=aarch32 \
+    CROSS_COMPILE=arm-none-eabi- ARM_ARCH_MAJOR=7 \
+    ARM_CORTEX_A5=yes ARM_XLAT_TABLES_LIB_V1=1 \
+    FVP_HW_CONFIG_DTS=fdts/fvp-ve-Cortex-A5x1.dts all
+
+#
+# A5 DesignStart Platform
+#
+make $(common_flags) PLAT=a5ds AARCH32_SP=sp_min ARCH=aarch32 \
+    ARM_ARCH_MAJOR=7 ARM_CORTEX_A5=yes ARM_XLAT_TABLES_LIB_V1=1 \
+    CROSS_COMPILE=arm-none-eabi- FVP_HW_CONFIG_DTS=fdts/a5ds.dts
+
+#
+# Corstone700 Platform
+#
+
+corstone700_common_flags="CROSS_COMPILE=arm-none-eabi- \
+                          $(common_flags) \
+                          PLAT=corstone700 \
+                          ARCH=aarch32 \
+                          RESET_TO_SP_MIN=1 \
+                          AARCH32_SP=sp_min \
+                          ARM_LINUX_KERNEL_AS_BL33=0 \
+                          ARM_PRELOADED_DTB_BASE=0x80400000 \
+                          ENABLE_PIE=1 \
+                          ENABLE_STACK_PROTECTOR=all \
+                          all"
+
+echo "Info: Building Corstone700 FVP ..."
+
+make TARGET_PLATFORM=fvp ${corstone700_common_flags}
+
+echo "Info: Building Corstone700 FPGA ..."
+
+make TARGET_PLATFORM=fpga ${corstone700_common_flags}
+
+#
+# Arm internal FPGA port
+#
+make PLAT=arm_fpga $(common_flags) CROSS_COMPILE=aarch64-none-elf- \
+    FPGA_PRELOADED_DTB_BASE=0x88000000 PRELOADED_BL33_BASE=0x82080000 all
+
+#
+# Total Compute platform
+#
+make $(common_flags) PLAT=tc0 ${ARM_TBB_OPTIONS} all
+
+# Partners' platforms.
+# Enable as many features as possible.
+# We don't need to clean between each build here because we only do one build
+# per platform so we don't hit the build flags dependency problem.
+
+make PLAT=mt8173 $(common_flags) all
+make PLAT=mt8183 $(common_flags) all
+
+make PLAT=rk3288 CROSS_COMPILE=arm-none-eabi- \
+    $(common_flags) ARCH=aarch32 AARCH32_SP=sp_min all
+make PLAT=rk3368 $(common_flags) COREBOOT=1 all
+make PLAT=rk3399 $(common_flags) COREBOOT=1 PLAT_RK_DP_HDCP=1 all
+make PLAT=rk3328 $(common_flags) COREBOOT=1 PLAT_RK_SECURE_DDR_MINILOADER=1 all
+make PLAT=px30 $(common_flags) PLAT_RK_SECURE_DDR_MINILOADER=1 all
+
+# Although we do several consecutive builds for the Tegra platform below, we
+# don't need to clean between each one because the Tegra makefiles specify
+# a different build directory per SoC.
+make PLAT=tegra TARGET_SOC=t210 $(common_flags) all
+make PLAT=tegra TARGET_SOC=t132 $(common_flags) all
+make PLAT=tegra TARGET_SOC=t186 $(common_flags) all
+make PLAT=tegra TARGET_SOC=t194 $(common_flags) all
+
+# For the Xilinx platform, artificially increase the extents of BL31 memory
+# (using the platform-specific build options ZYNQMP_ATF_MEM_{BASE,SIZE}).
+# If we keep the default values, BL31 doesn't fit when it is built with all
+# these build flags.
+make PLAT=zynqmp $(common_flags) \
+    RESET_TO_BL31=1 SPD=tspd \
+    ZYNQMP_ATF_MEM_BASE=0xFFFC0000 ZYNQMP_ATF_MEM_SIZE=0x00040000 \
+    all
+
+# Build both for silicon (default) and virtual QEMU platform.
+clean_build PLAT=versal $(common_flags)
+clean_build PLAT=versal $(common_flags) VERSAL_PLATFORM=versal_virt
+
+# Platforms from Allwinner
+make PLAT=sun50i_a64 $(common_flags) all
+make PLAT=sun50i_h6 $(common_flags) all
+
+# Platforms from i.MX
+make AARCH32_SP=optee ARCH=aarch32 ARM_ARCH_MAJOR=7 ARM_CORTEX_A7=yes \
+    CROSS_COMPILE=arm-none-eabi- PLAT=warp7 ${TBB_OPTIONS} \
+    $(common_flags) all
+make AARCH32_SP=optee ARCH=aarch32 CROSS_COMPILE=arm-none-eabi- PLAT=picopi \
+    $(common_flags) all
+make PLAT=imx8mm $(common_flags) all
+make PLAT=imx8mn $(common_flags) all
+make PLAT=imx8mp $(common_flags) all
+
+# Temporarily building in release mode until the following ticket is resolved:
+# https://developer.trustedfirmware.org/T626
+# make PLAT=imx8mq $(common_flags) all
+make PLAT=imx8mq $(common_flags release) all
+
+make PLAT=imx8qm $(common_flags) all
+make PLAT=imx8qx $(common_flags) all
+
+# Platforms from Intel
+make PLAT=stratix10 $(common_flags) all
+make PLAT=agilex $(common_flags) all
+
+# Platforms from Broadcom
+clean_build PLAT=stingray $(common_flags) BOARD_CFG=bcm958742t INCLUDE_EMMC_DRIVER_ERASE_CODE=1
+clean_build PLAT=stingray $(common_flags) BOARD_CFG=bcm958742t-ns3 INCLUDE_EMMC_DRIVER_ERASE_CODE=1
+
+# Platforms from Marvell
+make PLAT=a3700 $(common_flags) SCP_BL2=/dev/null all
+# Source files from mv-ddr-marvell repository are necessary
+# to build below four platforms
+wget http://files.oss.arm.com/downloads/tf-a/mv-ddr-marvell/mv-ddr-marvell-a881467ef0f0185e6570dd0483023fde93cbb5f5.tar.gz 2> /dev/null
+tar -xzf mv-ddr-marvell-a881467ef0f0185e6570dd0483023fde93cbb5f5.tar.gz 2> /dev/null
+mv mv-ddr-marvell drivers/marvell/mv_ddr
+
+# These platforms from Marvell have dependency on GCC-6.2.1 toolchain
+make PLAT=a80x0 DEBUG=1 SCP_BL2=/dev/null \
+    CROSS_COMPILE=/arm/pdsw/tools/gcc-linaro-6.2.1-2016.11-x86_64_aarch64-linux-gnu/bin/aarch64-linux-gnu- all
+make PLAT=a80x0_mcbin DEBUG=1 SCP_BL2=/dev/null \
+    CROSS_COMPILE=/arm/pdsw/tools/gcc-linaro-6.2.1-2016.11-x86_64_aarch64-linux-gnu/bin/aarch64-linux-gnu- all
+make PLAT=a70x0 DEBUG=1 SCP_BL2=/dev/null \
+    CROSS_COMPILE=/arm/pdsw/tools/gcc-linaro-6.2.1-2016.11-x86_64_aarch64-linux-gnu/bin/aarch64-linux-gnu- all
+make PLAT=a70x0_amc DEBUG=1 SCP_BL2=/dev/null \
+    CROSS_COMPILE=/arm/pdsw/tools/gcc-linaro-6.2.1-2016.11-x86_64_aarch64-linux-gnu/bin/aarch64-linux-gnu- all
+make PLAT=a80x0_puzzle DEBUG=1 SCP_BL2=/dev/null \
+    CROSS_COMPILE=/arm/pdsw/tools/gcc-linaro-6.2.1-2016.11-x86_64_aarch64-linux-gnu/bin/aarch64-linux-gnu- all
+
+# Removing the source files
+rm -rf drivers/marvell/mv_ddr 2> /dev/null
+
+# Platforms from Meson
+make PLAT=gxbb $(common_flags) all
+make PLAT=gxl $(common_flags) all
+make PLAT=g12a $(common_flags) all
+
+# Platforms from Renesas
+# Renesas R-Car D3 Automotive SoC
+clean_build PLAT=rcar $(common_flags) BL32=Makefile \
+    BL33=Makefile LIFEC_DBSC_PROTECT_ENABLE=0 LSI=D3 \
+    MBEDTLS_DIR=$(pwd)/mbedtls PMIC_ROHM_BD9571=0 \
+    RCAR_AVS_SETTING_ENABLE=0 SPD=none RCAR_LOSSY_ENABLE=0 \
+    RCAR_SA0_SIZE=0 RCAR_SYSTEM_SUSPEND=0 TRUSTED_BOARD_BOOT=1
+
+# Renesas R-Car H3 Automotive SoC
+clean_build PLAT=rcar $(common_flags) BL32=Makefile \
+    BL33=Makefile MBEDTLS_DIR=$(pwd)/mbedtls LSI=H3 \
+    MACHINE=ulcb  PMIC_LEVEL_MODE=0 RCAR_DRAM_LPDDR4_MEMCONF=0 \
+    RCAR_DRAM_SPLIT=1 RCAR_GEN3_ULCB=1 SPD=opteed \
+    TRUSTED_BOARD_BOOT=1
+
+# Renesas R-Car H3N Automotive SoC
+clean_build PLAT=rcar $(common_flags) BL32=Makefile \
+    BL33=Makefile MBEDTLS_DIR=$(pwd)/mbedtls LSI=H3N \
+    SPD=opteed TRUSTED_BOARD_BOOT=1
+
+# Renesas R-Car M3 Automotive SoC
+clean_build PLAT=rcar $(common_flags) BL32=Makefile \
+    BL33=Makefile MBEDTLS_DIR=$(pwd)/mbedtls LSI=M3 \
+    MACHINE=ulcb  PMIC_LEVEL_MODE=0 RCAR_DRAM_LPDDR4_MEMCONF=0 \
+    RCAR_DRAM_SPLIT=2 RCAR_GEN3_ULCB=1 SPD=opteed \
+    TRUSTED_BOARD_BOOT=1
+
+# Renesas R-Car M3N Automotive SoC
+clean_build PLAT=rcar $(common_flags) BL32=Makefile \
+    BL33=Makefile MBEDTLS_DIR=$(pwd)/mbedtls LSI=M3N \
+    MACHINE=ulcb  PMIC_LEVEL_MODE=0 RCAR_DRAM_LPDDR4_MEMCONF=0 \
+    RCAR_GEN3_ULCB=1 SPD=opteed TRUSTED_BOARD_BOOT=1
+
+# Renesas R-Car E3 Automotive SoC
+clean_build PLAT=rcar $(common_flags) BL32=Makefile \
+    BL33=Makefile MBEDTLS_DIR=$(pwd)/mbedtls LSI=E3 \
+    RCAR_AVS_SETTING_ENABLE=0 RCAR_DRAM_DDR3L_MEMCONF=0 \
+    RCAR_SA0_SIZE=0 SPD=opteed TRUSTED_BOARD_BOOT=1
+
+# Renesas R-Car V3M Automotive SoC
+clean_build PLAT=rcar $(common_flags) BL32=Makefile \
+    MBEDTLS_DIR=$(pwd)/mbedtls BL33=Makefile LSI=V3M MACHINE=eagle \
+    PMIC_ROHM_BD9571=0 RCAR_DRAM_SPLIT=0 RCAR_SYSTEM_SUSPEND=0 \
+    AVS_SETTING_ENABLE=0 SPD=none TRUSTED_BOARD_BOOT=1
+
+# Platforms from ST
+make PLAT=stm32mp1 CROSS_COMPILE=arm-none-eabi- \
+    $(common_flags) ARM_ARCH_MAJOR=7 STM32MP_EMMC=1 \
+    STM32MP_RAW_NAND=1 STM32MP_SDMMC=1 STM32MP_SPI_NAND=1 STM32MP_SPI_NOR=1 \
+    ARCH=aarch32 AARCH32_SP=sp_min ENABLE_STACK_PROTECTOR=strong bl1 bl2 bl32
+
+# Platforms from TI
+make PLAT=k3 $(common_flags) all
+
+clean_build PLAT=qemu $(common_flags) ${TBB_OPTIONS}
+# Use GICV3 driver
+clean_build PLAT=qemu $(common_flags) QEMU_USE_GIC_DRIVER=QEMU_GICV3 \
+    ENABLE_STACK_PROTECTOR=strong
+# Use encrypted FIP feature.
+clean_build PLAT=qemu $(common_flags) ${TBB_OPTIONS} \
+    BL32_RAM_LOCATION=tdram DECRYPTION_SUPPORT=aes_gcm ENCRYPT_BL31=1 \
+    ENCRYPT_BL32=1 FW_ENC_STATUS=0 SPD=opteed
+
+clean_build PLAT=qemu_sbsa $(common_flags)
+
+# For hikey enable PMF to include all files in the platform port
+make PLAT=hikey $(common_flags) ${TBB_OPTIONS} ENABLE_PMF=1 all
+make PLAT=hikey960 $(common_flags) ${TBB_OPTIONS} all
+make PLAT=poplar $(common_flags) all
+
+# Platforms from Socionext
+clean_build PLAT=uniphier $(common_flags) ${TBB_OPTIONS} SPD=tspd
+clean_build PLAT=uniphier $(common_flags) FIP_GZIP=1
+
+clean_build PLAT=synquacer $(common_flags) SPM_MM=1 \
+    EL3_EXCEPTION_HANDLING=1 PRELOADED_BL33_BASE=0x0
+
+# Support for SCP Message Interface protocol with platform specific drivers
+clean_build PLAT=synquacer $(common_flags) \
+    PRELOADED_BL33_BASE=0x0 SQ_USE_SCMI_DRIVER=1
+
+make PLAT=poplar $(common_flags) all
+
+# Raspberry Pi Platforms
+make PLAT=rpi3 $(common_flags) ${TBB_OPTIONS} \
+    ENABLE_STACK_PROTECTOR=strong PRELOADED_BL33_BASE=0xDEADBEEF all
+make PLAT=rpi4 $(common_flags) all
+
+# Cannot use $(common_flags) for LS1043 platform, as then
+# the binaries do not fit in memory.
+clean_build PLAT=ls1043 SPD=opteed ENABLE_STACK_PROTECTOR=strong
+clean_build PLAT=ls1043 SPD=tspd
+
+# A113D (AXG) platform.
+clean_build PLAT=axg $(common_flags) SPD=opteed
+clean_build PLAT=axg $(common_flags) AML_USE_ATOS=1
+
+cd ..
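Review bot: the Marvell step fetches `mv-ddr-marvell-a881467ef0f0185e6570dd0483023fde93cbb5f5.tar.gz` with `wget http://files.oss.arm.com/...` over plain HTTP, unpacks it and moves it to `drivers/marvell/mv_ddr` with no integrity check, so source that gets compiled in this job can be modified in transit without anyone noticing. The commit id in the file name is never verified against the content. Please pin a SHA-256 of the archive in the script and compare it before `tar -xzf`, and use an HTTPS URL if the host offers one. The `2> /dev/null` on `wget` and `tar` should also go: under `set -e` a failed download aborts the script with the reason hidden. Separately, near the top `containing_dir="$(readlink -f "$(dirname "$0")/")"` is evaluated after `cd mbedtls`, so when the script is invoked through a relative path `dirname "$0"` is resolved against the mbedtls checkout and `common-def.sh` will not be found. Compute `containing_dir` before the `cd` and quote the path in `. $containing_dir/common-def.sh`.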
diff --git a/script/tf-coverity/utils.py b/script/tf-coverity/utils.py
new file mode 100644
index 0000000..f86667f
--- /dev/null
+++ b/script/tf-coverity/utils.py
@@ -0,0 +1,20 @@
+#!/usr/bin/env python3
+#
+# Copyright (c) 2019, Arm Limited. All rights reserved.
+#
+# SPDX-License-Identifier: BSD-3-Clause
+#
+
+import subprocess
+
+def exec_prog(prog, args=[], out=None, out_text_mode=False):
+    # Build the command line to execute
+    cmd = [ prog ] + args
+
+    # Spawn process.
+    # Note: The standard error output is captured into the same file handle as
+    # for stdout.
+    process = subprocess.Popen(cmd, stdout=out, stderr=subprocess.STDOUT,
+                               universal_newlines=out_text_mode, bufsize=0)
+    print("Spawned process with PID %u" % process.pid)
+    return process
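Review bot: `exec_prog` declares a mutable default, `args=[]`, in its signature. It is harmless today because `[ prog ] + args` builds a new list, but the usual form is `args=None` with `args = args or []` in the body, which stays safe if someone later appends to `args`. The function also has no docstring. It would help to state that the command is run without a shell, that stderr is merged into `out`, and that the caller owns the returned `Popen` object and must `wait()` on it and check `returncode`, since nothing here does.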