andrius
/
arm-trusted-firmware
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
arm-trusted-firmware/bl31/aarch64/runtime_exceptions.S

622 lines
17 KiB
ArmAsm
Raw Normal View History

ARMv8 Trusted Firmware release v0.2
2013-10-25 09:08:21 +01:00
/*
refactor(el3-runtime): add prepare_el3_entry func In the next patch we add an extra step of setting the PSTATE registers to a known state on el3 entry. In this patch we create the function prepare_el3_entry to wrap the steps needed for before el3 entry. For now this is only save_gp_pmcr_pauth_regs. Change-Id: Ie26dc8d89bfaec308769165d2649e84d41be196c Signed-off-by: Daniel Boulby <daniel.boulby@arm.com>
2022-01-19 11:20:05 +00:00
* Copyright (c) 2013-2022, ARM Limited and Contributors. All rights reserved.
ARMv8 Trusted Firmware release v0.2
2013-10-25 09:08:21 +01:00
*
Use SPDX license identifiers To make software license auditing simpler, use SPDX[0] license identifiers instead of duplicating the license text in every file. NOTE: Files that have been imported by FreeBSD have not been modified. [0]: https://spdx.org/ Change-Id: I80a00e1f641b8cc075ca5a95b10607ed9ed8761a Signed-off-by: dp-arm <dimitris.papastamos@arm.com>
2017-05-03 09:38:09 +01:00
* SPDX-License-Identifier: BSD-3-Clause
ARMv8 Trusted Firmware release v0.2
2013-10-25 09:08:21 +01:00
*/
Sanitise includes across codebase Enforce full include path for includes. Deprecate old paths. The following folders inside include/lib have been left unchanged: - include/lib/cpus/${ARCH} - include/lib/el3_runtime/${ARCH} The reason for this change is that having a global namespace for includes isn't a good idea. It defeats one of the advantages of having folders and it introduces problems that are sometimes subtle (because you may not know the header you are actually including if there are two of them). For example, this patch had to be created because two headers were called the same way: e0ea0928d5b7 ("Fix gpio includes of mt8173 platform to avoid collision."). More recently, this patch has had similar problems: 46f9b2c3a282 ("drivers: add tzc380 support"). This problem was introduced in commit 4ecca33988b9 ("Move include and source files to logical locations"). At that time, there weren't too many headers so it wasn't a real issue. However, time has shown that this creates problems. Platforms that want to preserve the way they include headers may add the removed paths to PLAT_INCLUDES, but this is discouraged. Change-Id: I39dc53ed98f9e297a5966e723d1936d6ccf2fc8f Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
2018-12-14 00:18:21 +00:00
#include <platform_def.h>
ARMv8 Trusted Firmware release v0.2
2013-10-25 09:08:21 +01:00
#include <arch.h>
Make use of user/system includes more consistent Make codebase consistent in its use of #include "" syntax for user includes and #include <> syntax for system includes. Fixes ARM-software/tf-issues#65 Change-Id: If2f7c4885173b1fd05ac2cde5f1c8a07000c7a33
2014-04-09 13:13:04 +01:00
#include <asm_macros.S>
Sanitise includes across codebase Enforce full include path for includes. Deprecate old paths. The following folders inside include/lib have been left unchanged: - include/lib/cpus/${ARCH} - include/lib/el3_runtime/${ARCH} The reason for this change is that having a global namespace for includes isn't a good idea. It defeats one of the advantages of having folders and it introduces problems that are sometimes subtle (because you may not know the header you are actually including if there are two of them). For example, this patch had to be created because two headers were called the same way: e0ea0928d5b7 ("Fix gpio includes of mt8173 platform to avoid collision."). More recently, this patch has had similar problems: 46f9b2c3a282 ("drivers: add tzc380 support"). This problem was introduced in commit 4ecca33988b9 ("Move include and source files to logical locations"). At that time, there weren't too many headers so it wasn't a real issue. However, time has shown that this creates problems. Platforms that want to preserve the way they include headers may add the removed paths to PLAT_INCLUDES, but this is discouraged. Change-Id: I39dc53ed98f9e297a5966e723d1936d6ccf2fc8f Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
2018-12-14 00:18:21 +00:00
#include <bl31/ea_handle.h>
#include <bl31/interrupt_mgmt.h>
#include <common/runtime_svc.h>
Reduce deep nesting of header files Reduce the number of header files included from other header files as much as possible without splitting the files. Use forward declarations where possible. This allows removal of some unnecessary "#ifndef __ASSEMBLY__" statements. Also, review the .c and .S files for which header files really need including and reorder the #include statements alphabetically. Fixes ARM-software/tf-issues#31 Change-Id: Iec92fb976334c77453e010b60bcf56f3be72bd3e
2014-04-09 13:14:54 +01:00
#include <context.h>
runtime_exceptions: Update AT speculative workaround As per latest mailing communication [1], we decided to update AT speculative workaround implementation in order to disable page table walk for lower ELs(EL1 or EL0) immediately after context switching to EL3 from lower ELs. Previous implementation of AT speculative workaround is available here: 45aecff00 AT speculative workaround is updated as below: 1. Avoid saving and restoring of SCTLR and TCR registers for EL1 in context save and restore routine respectively. 2. On EL3 entry, save SCTLR and TCR registers for EL1. 3. On EL3 entry, update EL1 system registers to disable stage 1 page table walk for lower ELs (EL1 and EL0) and enable EL1 MMU. 4. On EL3 exit, restore SCTLR and TCR registers for EL1 which are saved in step 2. [1]: https://lists.trustedfirmware.org/pipermail/tf-a/2020-July/000586.html Change-Id: Iee8de16f81dc970a8f492726f2ddd57e7bd9ffb5 Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
2020-07-23 12:43:25 +01:00
#include <el3_common_macros.S>
Sanitise includes across codebase Enforce full include path for includes. Deprecate old paths. The following folders inside include/lib have been left unchanged: - include/lib/cpus/${ARCH} - include/lib/el3_runtime/${ARCH} The reason for this change is that having a global namespace for includes isn't a good idea. It defeats one of the advantages of having folders and it introduces problems that are sometimes subtle (because you may not know the header you are actually including if there are two of them). For example, this patch had to be created because two headers were called the same way: e0ea0928d5b7 ("Fix gpio includes of mt8173 platform to avoid collision."). More recently, this patch has had similar problems: 46f9b2c3a282 ("drivers: add tzc380 support"). This problem was introduced in commit 4ecca33988b9 ("Move include and source files to logical locations"). At that time, there weren't too many headers so it wasn't a real issue. However, time has shown that this creates problems. Platforms that want to preserve the way they include headers may add the removed paths to PLAT_INCLUDES, but this is discouraged. Change-Id: I39dc53ed98f9e297a5966e723d1936d6ccf2fc8f Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
2018-12-14 00:18:21 +00:00
#include <lib/el3_runtime/cpu_data.h>
#include <lib/smccc.h>
ARMv8 Trusted Firmware release v0.2
2013-10-25 09:08:21 +01:00
.globl runtime_exceptions
Workaround for CVE-2017-5715 on Cortex A57 and A72 Invalidate the Branch Target Buffer (BTB) on entry to EL3 by disabling and enabling the MMU. To achieve this without performing any branch instruction, a per-cpu vbar is installed which executes the workaround and then branches off to the corresponding vector entry in the main vector table. A side effect of this change is that the main vbar is configured before any reset handling. This is to allow the per-cpu reset function to override the vbar setting. This workaround is enabled by default on the affected CPUs. Change-Id: I97788d38463a5840a410e3cea85ed297a1678265 Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>
2017-11-30 14:53:53 +00:00
.globl sync_exception_sp_el0
.globl irq_sp_el0
.globl fiq_sp_el0
.globl serror_sp_el0
.globl sync_exception_sp_elx
.globl irq_sp_elx
.globl fiq_sp_elx
.globl serror_sp_elx
.globl sync_exception_aarch64
.globl irq_aarch64
.globl fiq_aarch64
.globl serror_aarch64
.globl sync_exception_aarch32
.globl irq_aarch32
.globl fiq_aarch32
.globl serror_aarch32
AArch64: Introduce RAS handling RAS extensions are mandatory for ARMv8.2 CPUs, but are also optional extensions to base ARMv8.0 architecture. This patch adds build system support to enable RAS features in ARM Trusted Firmware. A boolean build option RAS_EXTENSION is introduced for this. With RAS_EXTENSION, an Exception Synchronization Barrier (ESB) is inserted at all EL3 vector entry and exit. ESBs will synchronize pending external aborts before entering EL3, and therefore will contain and attribute errors to lower EL execution. Any errors thus synchronized are detected via. DISR_EL1 register. When RAS_EXTENSION is set to 1, HANDLE_EL3_EA_FIRST must also be set to 1. Change-Id: I38a19d84014d4d8af688bd81d61ba582c039383a Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
2018-04-04 16:07:11 +01:00
/*
* Macro that prepares entry to EL3 upon taking an exception.
*
* With RAS_EXTENSION, this macro synchronizes pending errors with an ESB
* instruction. When an error is thus synchronized, the handling is
* delegated to platform EA handler.
*
Fix exception handlers in BL31: Use DSB to synchronize pending EA For SoCs which do not implement RAS, use DSB as a barrier to synchronize pending external aborts at the entry and exit of exception handlers. This is needed to isolate the SErrors to appropriate context. However, this introduces an unintended side effect as discussed in the https://review.trustedfirmware.org/c/TF-A/trusted-firmware-a/+/3440 A summary of the side effect and a quick workaround is provided as part of this patch and summarized here: The explicit DSB at the entry of various exception vectors in BL31 for handling exceptions from lower ELs can inadvertently trigger an SError exception in EL3 due to pending asyncrhonouus aborts in lower ELs. This will end up being handled by serror_sp_elx in EL3 which will ultimately panic and die. The way to workaround is to update a flag to indicate if the exception truly came from EL3. This flag is allocated in the cpu_context structure. This is not a bullet proof solution to the problem at hand because we assume the instructions following "isb" that help to update the flag (lines 100-102 & 139-141) execute without causing further exceptions. Change-Id: I4d345b07d746a727459435ddd6abb37fda24a9bf Signed-off-by: Madhukar Pappireddy <madhukar.pappireddy@arm.com>
2020-07-24 09:27:12 +01:00
* Without RAS_EXTENSION, this macro synchronizes pending errors using
* a DSB, unmasks Asynchronous External Aborts and saves X30 before
* setting the flag CTX_IS_IN_EL3.
AArch64: Introduce RAS handling RAS extensions are mandatory for ARMv8.2 CPUs, but are also optional extensions to base ARMv8.0 architecture. This patch adds build system support to enable RAS features in ARM Trusted Firmware. A boolean build option RAS_EXTENSION is introduced for this. With RAS_EXTENSION, an Exception Synchronization Barrier (ESB) is inserted at all EL3 vector entry and exit. ESBs will synchronize pending external aborts before entering EL3, and therefore will contain and attribute errors to lower EL execution. Any errors thus synchronized are detected via. DISR_EL1 register. When RAS_EXTENSION is set to 1, HANDLE_EL3_EA_FIRST must also be set to 1. Change-Id: I38a19d84014d4d8af688bd81d61ba582c039383a Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
2018-04-04 16:07:11 +01:00
*/
.macro check_and_unmask_ea
#if RAS_EXTENSION
/* Synchronize pending External Aborts */
esb
/* Unmask the SError interrupt */
msr daifclr, #DAIF_ABT_BIT
/*
* Explicitly save x30 so as to free up a register and to enable
* branching
*/
str x30, [sp, #CTX_GPREGS_OFFSET + CTX_GPREG_LR]
/* Check for SErrors synchronized by the ESB instruction */
mrs x30, DISR_EL1
tbz x30, #DISR_A_BIT, 1f
AArch64: Disable Secure Cycle Counter This patch fixes an issue when secure world timing information can be leaked because Secure Cycle Counter is not disabled. For ARMv8.5 the counter gets disabled by setting MDCR_El3.SCCD bit on CPU cold/warm boot. For the earlier architectures PMCR_EL0 register is saved/restored on secure world entry/exit from/to Non-secure state, and cycle counting gets disabled by setting PMCR_EL0.DP bit. 'include\aarch64\arch.h' header file was tided up and new ARMv8.5-PMU related definitions were added. Change-Id: I6f56db6bc77504634a352388990ad925a69ebbfa Signed-off-by: Alexei Fedorov <Alexei.Fedorov@arm.com>
2019-08-13 15:17:53 +01:00
/*
Refactor ARMv8.3 Pointer Authentication support code This patch provides the following features and makes modifications listed below: - Individual APIAKey key generation for each CPU. - New key generation on every BL31 warm boot and TSP CPU On event. - Per-CPU storage of APIAKey added in percpu_data[] of cpu_data structure. - `plat_init_apiakey()` function replaced with `plat_init_apkey()` which returns 128-bit value and uses Generic timer physical counter value to increase the randomness of the generated key. The new function can be used for generation of all ARMv8.3-PAuth keys - ARMv8.3-PAuth specific code placed in `lib\extensions\pauth`. - New `pauth_init_enable_el1()` and `pauth_init_enable_el3()` functions generate, program and enable APIAKey_EL1 for EL1 and EL3 respectively; pauth_disable_el1()` and `pauth_disable_el3()` functions disable PAuth for EL1 and EL3 respectively; `pauth_load_bl31_apiakey()` loads saved per-CPU APIAKey_EL1 from cpu-data structure. - Combined `save_gp_pauth_registers()` function replaces calls to `save_gp_registers()` and `pauth_context_save()`; `restore_gp_pauth_registers()` replaces `pauth_context_restore()` and `restore_gp_registers()` calls. - `restore_gp_registers_eret()` function removed with corresponding code placed in `el3_exit()`. - Fixed the issue when `pauth_t pauth_ctx` structure allocated space for 12 uint64_t PAuth registers instead of 10 by removal of macro CTX_PACGAKEY_END from `include/lib/el3_runtime/aarch64/context.h` and assigning its value to CTX_PAUTH_REGS_END. - Use of MODE_SP_ELX and MODE_SP_EL0 macro definitions in `msr spsel` instruction instead of hard-coded values. - Changes in documentation related to ARMv8.3-PAuth and ARMv8.5-BTI. Change-Id: Id18b81cc46f52a783a7e6a09b9f149b6ce803211 Signed-off-by: Alexei Fedorov <Alexei.Fedorov@arm.com>
2019-09-13 14:11:59 +01:00
* Save general purpose and ARMv8.3-PAuth registers (if enabled).
* If Secure Cycle Counter is not disabled in MDCR_EL3 when
* ARMv8.5-PMU is implemented, save PMCR_EL0 and disable Cycle Counter.
fix(el3-runtime): set unset pstate bits to default During a transition to a higher EL some of the PSTATE bits are not set by hardware, this means that their state may be leaked from lower ELs. This patch sets those bits to a default value upon entry to EL3. This patch was tested using a debugger to check the PSTATE values are correctly set. As well as adding a test in the next patch to ensure the PSTATE in lower ELs is still maintained after this change. Change-Id: Ie546acbca7b9aa3c86bd68185edded91b2a64ae5 Signed-off-by: Daniel Boulby <daniel.boulby@arm.com>
2021-05-25 18:09:34 +01:00
* Also set the PSTATE to a known state.
AArch64: Disable Secure Cycle Counter This patch fixes an issue when secure world timing information can be leaked because Secure Cycle Counter is not disabled. For ARMv8.5 the counter gets disabled by setting MDCR_El3.SCCD bit on CPU cold/warm boot. For the earlier architectures PMCR_EL0 register is saved/restored on secure world entry/exit from/to Non-secure state, and cycle counting gets disabled by setting PMCR_EL0.DP bit. 'include\aarch64\arch.h' header file was tided up and new ARMv8.5-PMU related definitions were added. Change-Id: I6f56db6bc77504634a352388990ad925a69ebbfa Signed-off-by: Alexei Fedorov <Alexei.Fedorov@arm.com>
2019-08-13 15:17:53 +01:00
*/
refactor(el3-runtime): add prepare_el3_entry func In the next patch we add an extra step of setting the PSTATE registers to a known state on el3 entry. In this patch we create the function prepare_el3_entry to wrap the steps needed for before el3 entry. For now this is only save_gp_pmcr_pauth_regs. Change-Id: Ie26dc8d89bfaec308769165d2649e84d41be196c Signed-off-by: Daniel Boulby <daniel.boulby@arm.com>
2022-01-19 11:20:05 +00:00
bl prepare_el3_entry
AArch64: Disable Secure Cycle Counter This patch fixes an issue when secure world timing information can be leaked because Secure Cycle Counter is not disabled. For ARMv8.5 the counter gets disabled by setting MDCR_El3.SCCD bit on CPU cold/warm boot. For the earlier architectures PMCR_EL0 register is saved/restored on secure world entry/exit from/to Non-secure state, and cycle counting gets disabled by setting PMCR_EL0.DP bit. 'include\aarch64\arch.h' header file was tided up and new ARMv8.5-PMU related definitions were added. Change-Id: I6f56db6bc77504634a352388990ad925a69ebbfa Signed-off-by: Alexei Fedorov <Alexei.Fedorov@arm.com>
2019-08-13 15:17:53 +01:00
RAS: Move EA handling to a separate file A new file ea_delegate.S is introduced, and all EA-related functions are moved into it. This makes runtime_exceptions.S less crowded and reads better. No functional changes. Change-Id: I64b653b3931984cffd420563f8e8d1ba263f329f Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
2018-07-05 15:24:45 +01:00
bl handle_lower_el_ea_esb
AArch64: Introduce RAS handling RAS extensions are mandatory for ARMv8.2 CPUs, but are also optional extensions to base ARMv8.0 architecture. This patch adds build system support to enable RAS features in ARM Trusted Firmware. A boolean build option RAS_EXTENSION is introduced for this. With RAS_EXTENSION, an Exception Synchronization Barrier (ESB) is inserted at all EL3 vector entry and exit. ESBs will synchronize pending external aborts before entering EL3, and therefore will contain and attribute errors to lower EL execution. Any errors thus synchronized are detected via. DISR_EL1 register. When RAS_EXTENSION is set to 1, HANDLE_EL3_EA_FIRST must also be set to 1. Change-Id: I38a19d84014d4d8af688bd81d61ba582c039383a Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
2018-04-04 16:07:11 +01:00
Refactor ARMv8.3 Pointer Authentication support code This patch provides the following features and makes modifications listed below: - Individual APIAKey key generation for each CPU. - New key generation on every BL31 warm boot and TSP CPU On event. - Per-CPU storage of APIAKey added in percpu_data[] of cpu_data structure. - `plat_init_apiakey()` function replaced with `plat_init_apkey()` which returns 128-bit value and uses Generic timer physical counter value to increase the randomness of the generated key. The new function can be used for generation of all ARMv8.3-PAuth keys - ARMv8.3-PAuth specific code placed in `lib\extensions\pauth`. - New `pauth_init_enable_el1()` and `pauth_init_enable_el3()` functions generate, program and enable APIAKey_EL1 for EL1 and EL3 respectively; pauth_disable_el1()` and `pauth_disable_el3()` functions disable PAuth for EL1 and EL3 respectively; `pauth_load_bl31_apiakey()` loads saved per-CPU APIAKey_EL1 from cpu-data structure. - Combined `save_gp_pauth_registers()` function replaces calls to `save_gp_registers()` and `pauth_context_save()`; `restore_gp_pauth_registers()` replaces `pauth_context_restore()` and `restore_gp_registers()` calls. - `restore_gp_registers_eret()` function removed with corresponding code placed in `el3_exit()`. - Fixed the issue when `pauth_t pauth_ctx` structure allocated space for 12 uint64_t PAuth registers instead of 10 by removal of macro CTX_PACGAKEY_END from `include/lib/el3_runtime/aarch64/context.h` and assigning its value to CTX_PAUTH_REGS_END. - Use of MODE_SP_ELX and MODE_SP_EL0 macro definitions in `msr spsel` instruction instead of hard-coded values. - Changes in documentation related to ARMv8.3-PAuth and ARMv8.5-BTI. Change-Id: Id18b81cc46f52a783a7e6a09b9f149b6ce803211 Signed-off-by: Alexei Fedorov <Alexei.Fedorov@arm.com>
2019-09-13 14:11:59 +01:00
/* Restore general purpose, PMCR_EL0 and ARMv8.3-PAuth registers */
bl restore_gp_pmcr_pauth_regs
AArch64: Introduce RAS handling RAS extensions are mandatory for ARMv8.2 CPUs, but are also optional extensions to base ARMv8.0 architecture. This patch adds build system support to enable RAS features in ARM Trusted Firmware. A boolean build option RAS_EXTENSION is introduced for this. With RAS_EXTENSION, an Exception Synchronization Barrier (ESB) is inserted at all EL3 vector entry and exit. ESBs will synchronize pending external aborts before entering EL3, and therefore will contain and attribute errors to lower EL execution. Any errors thus synchronized are detected via. DISR_EL1 register. When RAS_EXTENSION is set to 1, HANDLE_EL3_EA_FIRST must also be set to 1. Change-Id: I38a19d84014d4d8af688bd81d61ba582c039383a Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
2018-04-04 16:07:11 +01:00
1:
#else
Fix exception handlers in BL31: Use DSB to synchronize pending EA For SoCs which do not implement RAS, use DSB as a barrier to synchronize pending external aborts at the entry and exit of exception handlers. This is needed to isolate the SErrors to appropriate context. However, this introduces an unintended side effect as discussed in the https://review.trustedfirmware.org/c/TF-A/trusted-firmware-a/+/3440 A summary of the side effect and a quick workaround is provided as part of this patch and summarized here: The explicit DSB at the entry of various exception vectors in BL31 for handling exceptions from lower ELs can inadvertently trigger an SError exception in EL3 due to pending asyncrhonouus aborts in lower ELs. This will end up being handled by serror_sp_elx in EL3 which will ultimately panic and die. The way to workaround is to update a flag to indicate if the exception truly came from EL3. This flag is allocated in the cpu_context structure. This is not a bullet proof solution to the problem at hand because we assume the instructions following "isb" that help to update the flag (lines 100-102 & 139-141) execute without causing further exceptions. Change-Id: I4d345b07d746a727459435ddd6abb37fda24a9bf Signed-off-by: Madhukar Pappireddy <madhukar.pappireddy@arm.com>
2020-07-24 09:27:12 +01:00
/*
* For SoCs which do not implement RAS, use DSB as a barrier to
* synchronize pending external aborts.
*/
dsb sy
AArch64: Introduce RAS handling RAS extensions are mandatory for ARMv8.2 CPUs, but are also optional extensions to base ARMv8.0 architecture. This patch adds build system support to enable RAS features in ARM Trusted Firmware. A boolean build option RAS_EXTENSION is introduced for this. With RAS_EXTENSION, an Exception Synchronization Barrier (ESB) is inserted at all EL3 vector entry and exit. ESBs will synchronize pending external aborts before entering EL3, and therefore will contain and attribute errors to lower EL execution. Any errors thus synchronized are detected via. DISR_EL1 register. When RAS_EXTENSION is set to 1, HANDLE_EL3_EA_FIRST must also be set to 1. Change-Id: I38a19d84014d4d8af688bd81d61ba582c039383a Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
2018-04-04 16:07:11 +01:00
/* Unmask the SError interrupt */
msr daifclr, #DAIF_ABT_BIT
Fix exception handlers in BL31: Use DSB to synchronize pending EA For SoCs which do not implement RAS, use DSB as a barrier to synchronize pending external aborts at the entry and exit of exception handlers. This is needed to isolate the SErrors to appropriate context. However, this introduces an unintended side effect as discussed in the https://review.trustedfirmware.org/c/TF-A/trusted-firmware-a/+/3440 A summary of the side effect and a quick workaround is provided as part of this patch and summarized here: The explicit DSB at the entry of various exception vectors in BL31 for handling exceptions from lower ELs can inadvertently trigger an SError exception in EL3 due to pending asyncrhonouus aborts in lower ELs. This will end up being handled by serror_sp_elx in EL3 which will ultimately panic and die. The way to workaround is to update a flag to indicate if the exception truly came from EL3. This flag is allocated in the cpu_context structure. This is not a bullet proof solution to the problem at hand because we assume the instructions following "isb" that help to update the flag (lines 100-102 & 139-141) execute without causing further exceptions. Change-Id: I4d345b07d746a727459435ddd6abb37fda24a9bf Signed-off-by: Madhukar Pappireddy <madhukar.pappireddy@arm.com>
2020-07-24 09:27:12 +01:00
/* Use ISB for the above unmask operation to take effect immediately */
isb
/*
* Refer Note 1. No need to restore X30 as both handle_sync_exception
* and handle_interrupt_exception macro which follow this macro modify
* X30 anyway.
*/
AArch64: Introduce RAS handling RAS extensions are mandatory for ARMv8.2 CPUs, but are also optional extensions to base ARMv8.0 architecture. This patch adds build system support to enable RAS features in ARM Trusted Firmware. A boolean build option RAS_EXTENSION is introduced for this. With RAS_EXTENSION, an Exception Synchronization Barrier (ESB) is inserted at all EL3 vector entry and exit. ESBs will synchronize pending external aborts before entering EL3, and therefore will contain and attribute errors to lower EL execution. Any errors thus synchronized are detected via. DISR_EL1 register. When RAS_EXTENSION is set to 1, HANDLE_EL3_EA_FIRST must also be set to 1. Change-Id: I38a19d84014d4d8af688bd81d61ba582c039383a Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
2018-04-04 16:07:11 +01:00
str x30, [sp, #CTX_GPREGS_OFFSET + CTX_GPREG_LR]
Fix exception handlers in BL31: Use DSB to synchronize pending EA For SoCs which do not implement RAS, use DSB as a barrier to synchronize pending external aborts at the entry and exit of exception handlers. This is needed to isolate the SErrors to appropriate context. However, this introduces an unintended side effect as discussed in the https://review.trustedfirmware.org/c/TF-A/trusted-firmware-a/+/3440 A summary of the side effect and a quick workaround is provided as part of this patch and summarized here: The explicit DSB at the entry of various exception vectors in BL31 for handling exceptions from lower ELs can inadvertently trigger an SError exception in EL3 due to pending asyncrhonouus aborts in lower ELs. This will end up being handled by serror_sp_elx in EL3 which will ultimately panic and die. The way to workaround is to update a flag to indicate if the exception truly came from EL3. This flag is allocated in the cpu_context structure. This is not a bullet proof solution to the problem at hand because we assume the instructions following "isb" that help to update the flag (lines 100-102 & 139-141) execute without causing further exceptions. Change-Id: I4d345b07d746a727459435ddd6abb37fda24a9bf Signed-off-by: Madhukar Pappireddy <madhukar.pappireddy@arm.com>
2020-07-24 09:27:12 +01:00
mov x30, #1
str x30, [sp, #CTX_EL3STATE_OFFSET + CTX_IS_IN_EL3]
dmb sy
AArch64: Introduce RAS handling RAS extensions are mandatory for ARMv8.2 CPUs, but are also optional extensions to base ARMv8.0 architecture. This patch adds build system support to enable RAS features in ARM Trusted Firmware. A boolean build option RAS_EXTENSION is introduced for this. With RAS_EXTENSION, an Exception Synchronization Barrier (ESB) is inserted at all EL3 vector entry and exit. ESBs will synchronize pending external aborts before entering EL3, and therefore will contain and attribute errors to lower EL execution. Any errors thus synchronized are detected via. DISR_EL1 register. When RAS_EXTENSION is set to 1, HANDLE_EL3_EA_FIRST must also be set to 1. Change-Id: I38a19d84014d4d8af688bd81d61ba582c039383a Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
2018-04-04 16:07:11 +01:00
#endif
.endm
Fix exception handlers in BL31: Use DSB to synchronize pending EA For SoCs which do not implement RAS, use DSB as a barrier to synchronize pending external aborts at the entry and exit of exception handlers. This is needed to isolate the SErrors to appropriate context. However, this introduces an unintended side effect as discussed in the https://review.trustedfirmware.org/c/TF-A/trusted-firmware-a/+/3440 A summary of the side effect and a quick workaround is provided as part of this patch and summarized here: The explicit DSB at the entry of various exception vectors in BL31 for handling exceptions from lower ELs can inadvertently trigger an SError exception in EL3 due to pending asyncrhonouus aborts in lower ELs. This will end up being handled by serror_sp_elx in EL3 which will ultimately panic and die. The way to workaround is to update a flag to indicate if the exception truly came from EL3. This flag is allocated in the cpu_context structure. This is not a bullet proof solution to the problem at hand because we assume the instructions following "isb" that help to update the flag (lines 100-102 & 139-141) execute without causing further exceptions. Change-Id: I4d345b07d746a727459435ddd6abb37fda24a9bf Signed-off-by: Madhukar Pappireddy <madhukar.pappireddy@arm.com>
2020-07-24 09:27:12 +01:00
#if !RAS_EXTENSION
/*
* Note 1: The explicit DSB at the entry of various exception vectors
* for handling exceptions from lower ELs can inadvertently trigger an
* SError exception in EL3 due to pending asynchronous aborts in lower
* ELs. This will end up being handled by serror_sp_elx which will
* ultimately panic and die.
* The way to workaround is to update a flag to indicate if the exception
* truly came from EL3. This flag is allocated in the cpu_context
* structure and located at offset "CTX_EL3STATE_OFFSET + CTX_IS_IN_EL3"
* This is not a bullet proof solution to the problem at hand because
* we assume the instructions following "isb" that help to update the
* flag execute without causing further exceptions.
*/
/* ---------------------------------------------------------------------
* This macro handles Asynchronous External Aborts.
* ---------------------------------------------------------------------
*/
.macro handle_async_ea
/*
* Use a barrier to synchronize pending external aborts.
*/
dsb sy
/* Unmask the SError interrupt */
msr daifclr, #DAIF_ABT_BIT
/* Use ISB for the above unmask operation to take effect immediately */
isb
/* Refer Note 1 */
str x30, [sp, #CTX_GPREGS_OFFSET + CTX_GPREG_LR]
mov x30, #1
str x30, [sp, #CTX_EL3STATE_OFFSET + CTX_IS_IN_EL3]
dmb sy
b handle_lower_el_async_ea
.endm
/*
* This macro checks if the exception was taken due to SError in EL3 or
* because of pending asynchronous external aborts from lower EL that got
* triggered due to explicit synchronization in EL3. Refer Note 1.
*/
.macro check_if_serror_from_EL3
/* Assumes SP_EL3 on entry */
str x30, [sp, #CTX_GPREGS_OFFSET + CTX_GPREG_LR]
ldr x30, [sp, #CTX_EL3STATE_OFFSET + CTX_IS_IN_EL3]
cbnz x30, exp_from_EL3
/* Handle asynchronous external abort from lower EL */
b handle_lower_el_async_ea
exp_from_EL3:
/* Jump to plat_handle_el3_ea which does not return */
.endm
#endif
Cosmetic change to exception table * Move comments on unhandled exceptions at the right place. * Reformat the existing comments to highlight the start of each block of 4 entries in the exception table to ease navigation (lines of dash reserved for head comments). * Reflow comments to 80 columns. Change-Id: I5ab88a93d0628af8e151852cb5b597eb34437677 Signed-off-by: Douglas Raillard <douglas.raillard@arm.com>
2016-11-09 17:48:27 +00:00
/* ---------------------------------------------------------------------
* This macro handles Synchronous exceptions.
* Only SMC exceptions are supported.
* ---------------------------------------------------------------------
Introduce interrupt handling framework in BL3-1 This patch adds a common handler for FIQ and IRQ exceptions in the BL3-1 runtime exception vector table. This function determines the interrupt type and calls its handler. A crash is reported if an inconsistency in the interrupt management framework is detected. In the event of a spurious interrupt, execution resumes from the instruction where the interrupt was generated. This patch also removes 'cm_macros.S' as its contents have been moved to 'runtime_exceptions.S' Change-Id: I3c85ecf8eaf43a3fac429b119ed0bd706d2e2093
2014-05-09 11:07:09 +01:00
*/
.macro handle_sync_exception
Add PMF instrumentation points in TF In order to quantify the overall time spent in the PSCI software implementation, an initial collection of PMF instrumentation points has been added. Instrumentation has been added to the following code paths: - Entry to PSCI SMC handler. The timestamp is captured as early as possible during the runtime exception and stored in memory before entering the PSCI SMC handler. - Exit from PSCI SMC handler. The timestamp is captured after normal return from the PSCI SMC handler or if a low power state was requested it is captured in the bl31 warm boot path before return to normal world. - Entry to low power state. The timestamp is captured before entry to a low power state which implies either standby or power down. As these power states are mutually exclusive, only one timestamp is defined to describe both. It is possible to differentiate between the two power states using the PSCI STAT interface. - Exit from low power state. The timestamp is captured after a standby or power up operation has completed. To calculate the number of cycles spent running code in Trusted Firmware one can perform the following calculation: (exit_psci - enter_psci) - (exit_low_pwr - enter_low_pwr). The resulting number of cycles can be converted to time given the frequency of the counter. Change-Id: Ie3b8f3d16409b6703747093b3a2d5c7429ad0166 Signed-off-by: dp-arm <dimitris.papastamos@arm.com>
2016-09-19 11:18:44 +01:00
#if ENABLE_RUNTIME_INSTRUMENTATION
/*
Cosmetic change to exception table * Move comments on unhandled exceptions at the right place. * Reformat the existing comments to highlight the start of each block of 4 entries in the exception table to ease navigation (lines of dash reserved for head comments). * Reflow comments to 80 columns. Change-Id: I5ab88a93d0628af8e151852cb5b597eb34437677 Signed-off-by: Douglas Raillard <douglas.raillard@arm.com>
2016-11-09 17:48:27 +00:00
* Read the timestamp value and store it in per-cpu data. The value
* will be extracted from per-cpu data by the C level SMC handler and
* saved to the PMF timestamp region.
Add PMF instrumentation points in TF In order to quantify the overall time spent in the PSCI software implementation, an initial collection of PMF instrumentation points has been added. Instrumentation has been added to the following code paths: - Entry to PSCI SMC handler. The timestamp is captured as early as possible during the runtime exception and stored in memory before entering the PSCI SMC handler. - Exit from PSCI SMC handler. The timestamp is captured after normal return from the PSCI SMC handler or if a low power state was requested it is captured in the bl31 warm boot path before return to normal world. - Entry to low power state. The timestamp is captured before entry to a low power state which implies either standby or power down. As these power states are mutually exclusive, only one timestamp is defined to describe both. It is possible to differentiate between the two power states using the PSCI STAT interface. - Exit from low power state. The timestamp is captured after a standby or power up operation has completed. To calculate the number of cycles spent running code in Trusted Firmware one can perform the following calculation: (exit_psci - enter_psci) - (exit_low_pwr - enter_low_pwr). The resulting number of cycles can be converted to time given the frequency of the counter. Change-Id: Ie3b8f3d16409b6703747093b3a2d5c7429ad0166 Signed-off-by: dp-arm <dimitris.papastamos@arm.com>
2016-09-19 11:18:44 +01:00
*/
mrs x30, cntpct_el0
str x29, [sp, #CTX_GPREGS_OFFSET + CTX_GPREG_X29]
mrs x29, tpidr_el3
str x30, [x29, #CPU_DATA_PMF_TS0_OFFSET]
ldr x29, [sp, #CTX_GPREGS_OFFSET + CTX_GPREG_X29]
#endif
Introduce interrupt handling framework in BL3-1 This patch adds a common handler for FIQ and IRQ exceptions in the BL3-1 runtime exception vector table. This function determines the interrupt type and calls its handler. A crash is reported if an inconsistency in the interrupt management framework is detected. In the event of a spurious interrupt, execution resumes from the instruction where the interrupt was generated. This patch also removes 'cm_macros.S' as its contents have been moved to 'runtime_exceptions.S' Change-Id: I3c85ecf8eaf43a3fac429b119ed0bd706d2e2093
2014-05-09 11:07:09 +01:00
mrs x30, esr_el3
ubfx x30, x30, #ESR_EC_SHIFT, #ESR_EC_LENGTH
Cosmetic change to exception table * Move comments on unhandled exceptions at the right place. * Reformat the existing comments to highlight the start of each block of 4 entries in the exception table to ease navigation (lines of dash reserved for head comments). * Reflow comments to 80 columns. Change-Id: I5ab88a93d0628af8e151852cb5b597eb34437677 Signed-off-by: Douglas Raillard <douglas.raillard@arm.com>
2016-11-09 17:48:27 +00:00
/* Handle SMC exceptions separately from other synchronous exceptions */
Introduce interrupt handling framework in BL3-1 This patch adds a common handler for FIQ and IRQ exceptions in the BL3-1 runtime exception vector table. This function determines the interrupt type and calls its handler. A crash is reported if an inconsistency in the interrupt management framework is detected. In the event of a spurious interrupt, execution resumes from the instruction where the interrupt was generated. This patch also removes 'cm_macros.S' as its contents have been moved to 'runtime_exceptions.S' Change-Id: I3c85ecf8eaf43a3fac429b119ed0bd706d2e2093
2014-05-09 11:07:09 +01:00
cmp x30, #EC_AARCH32_SMC
b.eq smc_handler32
cmp x30, #EC_AARCH64_SMC
b.eq smc_handler64
RAS: Move EA handling to a separate file A new file ea_delegate.S is introduced, and all EA-related functions are moved into it. This makes runtime_exceptions.S less crowded and reads better. No functional changes. Change-Id: I64b653b3931984cffd420563f8e8d1ba263f329f Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
2018-07-05 15:24:45 +01:00
/* Synchronous exceptions other than the above are assumed to be EA */
Fix x30 reporting for unhandled exceptions Some error paths that lead to a crash dump will overwrite the value in the x30 register by calling functions with the no_ret macro, which resolves to a BL instruction. This is not very useful and not what the reader would expect, since a crash dump should usually show all registers in the state they were in when the exception happened. This patch replaces the offending function calls with a B instruction to preserve the value in x30. Change-Id: I2a3636f2943f79bab0cd911f89d070012e697c2a Signed-off-by: Julius Werner <jwerner@chromium.org>
2017-07-27 22:59:34 +01:00
ldr x30, [sp, #CTX_GPREGS_OFFSET + CTX_GPREG_LR]
RAS: Move EA handling to a separate file A new file ea_delegate.S is introduced, and all EA-related functions are moved into it. This makes runtime_exceptions.S less crowded and reads better. No functional changes. Change-Id: I64b653b3931984cffd420563f8e8d1ba263f329f Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
2018-07-05 15:24:45 +01:00
b enter_lower_el_sync_ea
Introduce interrupt handling framework in BL3-1 This patch adds a common handler for FIQ and IRQ exceptions in the BL3-1 runtime exception vector table. This function determines the interrupt type and calls its handler. A crash is reported if an inconsistency in the interrupt management framework is detected. In the event of a spurious interrupt, execution resumes from the instruction where the interrupt was generated. This patch also removes 'cm_macros.S' as its contents have been moved to 'runtime_exceptions.S' Change-Id: I3c85ecf8eaf43a3fac429b119ed0bd706d2e2093
2014-05-09 11:07:09 +01:00
.endm
Cosmetic change to exception table * Move comments on unhandled exceptions at the right place. * Reformat the existing comments to highlight the start of each block of 4 entries in the exception table to ease navigation (lines of dash reserved for head comments). * Reflow comments to 80 columns. Change-Id: I5ab88a93d0628af8e151852cb5b597eb34437677 Signed-off-by: Douglas Raillard <douglas.raillard@arm.com>
2016-11-09 17:48:27 +00:00
/* ---------------------------------------------------------------------
* This macro handles FIQ or IRQ interrupts i.e. EL3, S-EL1 and NS
* interrupts.
* ---------------------------------------------------------------------
Introduce interrupt handling framework in BL3-1 This patch adds a common handler for FIQ and IRQ exceptions in the BL3-1 runtime exception vector table. This function determines the interrupt type and calls its handler. A crash is reported if an inconsistency in the interrupt management framework is detected. In the event of a spurious interrupt, execution resumes from the instruction where the interrupt was generated. This patch also removes 'cm_macros.S' as its contents have been moved to 'runtime_exceptions.S' Change-Id: I3c85ecf8eaf43a3fac429b119ed0bd706d2e2093
2014-05-09 11:07:09 +01:00
*/
.macro handle_interrupt_exception label
Add ARMv8.3-PAuth registers to CPU context ARMv8.3-PAuth adds functionality that supports address authentication of the contents of a register before that register is used as the target of an indirect branch, or as a load. This feature is supported only in AArch64 state. This feature is mandatory in ARMv8.3 implementations. This feature adds several registers to EL1. A new option called CTX_INCLUDE_PAUTH_REGS has been added to select if the TF needs to save them during Non-secure <-> Secure world switches. This option must be enabled if the hardware has the registers or the values will be leaked during world switches. To prevent leaks, this patch also disables pointer authentication in the Secure world if CTX_INCLUDE_PAUTH_REGS is 0. Any attempt to use it will be trapped in EL3. Change-Id: I27beba9907b9a86c6df1d0c5bf6180c972830855 Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
2019-01-31 11:58:00 +00:00
AArch64: Disable Secure Cycle Counter This patch fixes an issue when secure world timing information can be leaked because Secure Cycle Counter is not disabled. For ARMv8.5 the counter gets disabled by setting MDCR_El3.SCCD bit on CPU cold/warm boot. For the earlier architectures PMCR_EL0 register is saved/restored on secure world entry/exit from/to Non-secure state, and cycle counting gets disabled by setting PMCR_EL0.DP bit. 'include\aarch64\arch.h' header file was tided up and new ARMv8.5-PMU related definitions were added. Change-Id: I6f56db6bc77504634a352388990ad925a69ebbfa Signed-off-by: Alexei Fedorov <Alexei.Fedorov@arm.com>
2019-08-13 15:17:53 +01:00
/*
Refactor ARMv8.3 Pointer Authentication support code This patch provides the following features and makes modifications listed below: - Individual APIAKey key generation for each CPU. - New key generation on every BL31 warm boot and TSP CPU On event. - Per-CPU storage of APIAKey added in percpu_data[] of cpu_data structure. - `plat_init_apiakey()` function replaced with `plat_init_apkey()` which returns 128-bit value and uses Generic timer physical counter value to increase the randomness of the generated key. The new function can be used for generation of all ARMv8.3-PAuth keys - ARMv8.3-PAuth specific code placed in `lib\extensions\pauth`. - New `pauth_init_enable_el1()` and `pauth_init_enable_el3()` functions generate, program and enable APIAKey_EL1 for EL1 and EL3 respectively; pauth_disable_el1()` and `pauth_disable_el3()` functions disable PAuth for EL1 and EL3 respectively; `pauth_load_bl31_apiakey()` loads saved per-CPU APIAKey_EL1 from cpu-data structure. - Combined `save_gp_pauth_registers()` function replaces calls to `save_gp_registers()` and `pauth_context_save()`; `restore_gp_pauth_registers()` replaces `pauth_context_restore()` and `restore_gp_registers()` calls. - `restore_gp_registers_eret()` function removed with corresponding code placed in `el3_exit()`. - Fixed the issue when `pauth_t pauth_ctx` structure allocated space for 12 uint64_t PAuth registers instead of 10 by removal of macro CTX_PACGAKEY_END from `include/lib/el3_runtime/aarch64/context.h` and assigning its value to CTX_PAUTH_REGS_END. - Use of MODE_SP_ELX and MODE_SP_EL0 macro definitions in `msr spsel` instruction instead of hard-coded values. - Changes in documentation related to ARMv8.3-PAuth and ARMv8.5-BTI. Change-Id: Id18b81cc46f52a783a7e6a09b9f149b6ce803211 Signed-off-by: Alexei Fedorov <Alexei.Fedorov@arm.com>
2019-09-13 14:11:59 +01:00
* Save general purpose and ARMv8.3-PAuth registers (if enabled).
* If Secure Cycle Counter is not disabled in MDCR_EL3 when
* ARMv8.5-PMU is implemented, save PMCR_EL0 and disable Cycle Counter.
fix(el3-runtime): set unset pstate bits to default During a transition to a higher EL some of the PSTATE bits are not set by hardware, this means that their state may be leaked from lower ELs. This patch sets those bits to a default value upon entry to EL3. This patch was tested using a debugger to check the PSTATE values are correctly set. As well as adding a test in the next patch to ensure the PSTATE in lower ELs is still maintained after this change. Change-Id: Ie546acbca7b9aa3c86bd68185edded91b2a64ae5 Signed-off-by: Daniel Boulby <daniel.boulby@arm.com>
2021-05-25 18:09:34 +01:00
* Also set the PSTATE to a known state.
AArch64: Disable Secure Cycle Counter This patch fixes an issue when secure world timing information can be leaked because Secure Cycle Counter is not disabled. For ARMv8.5 the counter gets disabled by setting MDCR_El3.SCCD bit on CPU cold/warm boot. For the earlier architectures PMCR_EL0 register is saved/restored on secure world entry/exit from/to Non-secure state, and cycle counting gets disabled by setting PMCR_EL0.DP bit. 'include\aarch64\arch.h' header file was tided up and new ARMv8.5-PMU related definitions were added. Change-Id: I6f56db6bc77504634a352388990ad925a69ebbfa Signed-off-by: Alexei Fedorov <Alexei.Fedorov@arm.com>
2019-08-13 15:17:53 +01:00
*/
refactor(el3-runtime): add prepare_el3_entry func In the next patch we add an extra step of setting the PSTATE registers to a known state on el3 entry. In this patch we create the function prepare_el3_entry to wrap the steps needed for before el3 entry. For now this is only save_gp_pmcr_pauth_regs. Change-Id: Ie26dc8d89bfaec308769165d2649e84d41be196c Signed-off-by: Daniel Boulby <daniel.boulby@arm.com>
2022-01-19 11:20:05 +00:00
bl prepare_el3_entry
AArch64: Disable Secure Cycle Counter This patch fixes an issue when secure world timing information can be leaked because Secure Cycle Counter is not disabled. For ARMv8.5 the counter gets disabled by setting MDCR_El3.SCCD bit on CPU cold/warm boot. For the earlier architectures PMCR_EL0 register is saved/restored on secure world entry/exit from/to Non-secure state, and cycle counting gets disabled by setting PMCR_EL0.DP bit. 'include\aarch64\arch.h' header file was tided up and new ARMv8.5-PMU related definitions were added. Change-Id: I6f56db6bc77504634a352388990ad925a69ebbfa Signed-off-by: Alexei Fedorov <Alexei.Fedorov@arm.com>
2019-08-13 15:17:53 +01:00
Add support for pointer authentication The previous commit added the infrastructure to load and save ARMv8.3-PAuth registers during Non-secure <-> Secure world switches, but didn't actually enable pointer authentication in the firmware. This patch adds the functionality needed for platforms to provide authentication keys for the firmware, and a new option (ENABLE_PAUTH) to enable pointer authentication in the firmware itself. This option is disabled by default, and it requires CTX_INCLUDE_PAUTH_REGS to be enabled. Change-Id: I35127ec271e1198d43209044de39fa712ef202a5 Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
2019-02-19 11:53:51 +00:00
#if ENABLE_PAUTH
Refactor ARMv8.3 Pointer Authentication support code This patch provides the following features and makes modifications listed below: - Individual APIAKey key generation for each CPU. - New key generation on every BL31 warm boot and TSP CPU On event. - Per-CPU storage of APIAKey added in percpu_data[] of cpu_data structure. - `plat_init_apiakey()` function replaced with `plat_init_apkey()` which returns 128-bit value and uses Generic timer physical counter value to increase the randomness of the generated key. The new function can be used for generation of all ARMv8.3-PAuth keys - ARMv8.3-PAuth specific code placed in `lib\extensions\pauth`. - New `pauth_init_enable_el1()` and `pauth_init_enable_el3()` functions generate, program and enable APIAKey_EL1 for EL1 and EL3 respectively; pauth_disable_el1()` and `pauth_disable_el3()` functions disable PAuth for EL1 and EL3 respectively; `pauth_load_bl31_apiakey()` loads saved per-CPU APIAKey_EL1 from cpu-data structure. - Combined `save_gp_pauth_registers()` function replaces calls to `save_gp_registers()` and `pauth_context_save()`; `restore_gp_pauth_registers()` replaces `pauth_context_restore()` and `restore_gp_registers()` calls. - `restore_gp_registers_eret()` function removed with corresponding code placed in `el3_exit()`. - Fixed the issue when `pauth_t pauth_ctx` structure allocated space for 12 uint64_t PAuth registers instead of 10 by removal of macro CTX_PACGAKEY_END from `include/lib/el3_runtime/aarch64/context.h` and assigning its value to CTX_PAUTH_REGS_END. - Use of MODE_SP_ELX and MODE_SP_EL0 macro definitions in `msr spsel` instruction instead of hard-coded values. - Changes in documentation related to ARMv8.3-PAuth and ARMv8.5-BTI. Change-Id: Id18b81cc46f52a783a7e6a09b9f149b6ce803211 Signed-off-by: Alexei Fedorov <Alexei.Fedorov@arm.com>
2019-09-13 14:11:59 +01:00
/* Load and program APIAKey firmware key */
bl pauth_load_bl31_apiakey
Add support for pointer authentication The previous commit added the infrastructure to load and save ARMv8.3-PAuth registers during Non-secure <-> Secure world switches, but didn't actually enable pointer authentication in the firmware. This patch adds the functionality needed for platforms to provide authentication keys for the firmware, and a new option (ENABLE_PAUTH) to enable pointer authentication in the firmware itself. This option is disabled by default, and it requires CTX_INCLUDE_PAUTH_REGS to be enabled. Change-Id: I35127ec271e1198d43209044de39fa712ef202a5 Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
2019-02-19 11:53:51 +00:00
#endif
Add ARMv8.3-PAuth registers to CPU context ARMv8.3-PAuth adds functionality that supports address authentication of the contents of a register before that register is used as the target of an indirect branch, or as a load. This feature is supported only in AArch64 state. This feature is mandatory in ARMv8.3 implementations. This feature adds several registers to EL1. A new option called CTX_INCLUDE_PAUTH_REGS has been added to select if the TF needs to save them during Non-secure <-> Secure world switches. This option must be enabled if the hardware has the registers or the values will be leaked during world switches. To prevent leaks, this patch also disables pointer authentication in the Secure world if CTX_INCLUDE_PAUTH_REGS is 0. Any attempt to use it will be trapped in EL3. Change-Id: I27beba9907b9a86c6df1d0c5bf6180c972830855 Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
2019-01-31 11:58:00 +00:00
Cosmetic change to exception table * Move comments on unhandled exceptions at the right place. * Reformat the existing comments to highlight the start of each block of 4 entries in the exception table to ease navigation (lines of dash reserved for head comments). * Reflow comments to 80 columns. Change-Id: I5ab88a93d0628af8e151852cb5b597eb34437677 Signed-off-by: Douglas Raillard <douglas.raillard@arm.com>
2016-11-09 17:48:27 +00:00
/* Save the EL3 system registers needed to return from this exception */
Fix handling of spurious interrupts in BL3_1 There are couple of issues with how the interrupt routing framework in BL3_1 handles spurious interrupts. 1. In the macro 'handle_interrupt_exception', if a spurious interrupt is detected by plat_ic_get_pending_interrupt_type(), then execution jumps to 'interrupt_exit_\label'. This macro uses the el3_exit() function to return to the original exception level. el3_exit() attempts to restore the SPSR_EL3 and ELR_EL3 registers with values from the current CPU context. Since these registers were not saved in this code path, it programs stale values into these registers. This leads to unpredictable behaviour after the execution of the ERET instruction. 2. When an interrupt is routed to EL3, it could be de-asserted before the GICC_HPPIR is read in plat_ic_get_pending_interrupt_type(). There could be another interrupt pending at the same time e.g. a non-secure interrupt. Its type will be returned instead of the original interrupt. This would result in a call to get_interrupt_type_handler(). The firmware will panic if the handler for this type of interrupt has not been registered. This patch fixes the first problem by saving SPSR_EL3 and ELR_EL3 early in the 'handle_interrupt_exception' macro, instead of only doing so once the validity of the interrupt has been determined. The second problem is fixed by returning execution back to the lower exception level through the 'interrupt_exit_\label' label instead of treating it as an error condition. The 'interrupt_error_\label' label has been removed since it is no longer used. Fixes ARM-software/tf-issues#305 Change-Id: I81c729a206d461084db501bb81b44dff435021e8
2015-05-13 17:57:18 +01:00
mrs x0, spsr_el3
mrs x1, elr_el3
stp x0, x1, [sp, #CTX_EL3STATE_OFFSET + CTX_SPSR_EL3]
Introduce interrupt handling framework in BL3-1 This patch adds a common handler for FIQ and IRQ exceptions in the BL3-1 runtime exception vector table. This function determines the interrupt type and calls its handler. A crash is reported if an inconsistency in the interrupt management framework is detected. In the event of a spurious interrupt, execution resumes from the instruction where the interrupt was generated. This patch also removes 'cm_macros.S' as its contents have been moved to 'runtime_exceptions.S' Change-Id: I3c85ecf8eaf43a3fac429b119ed0bd706d2e2093
2014-05-09 11:07:09 +01:00
/* Switch to the runtime stack i.e. SP_EL0 */
ldr x2, [sp, #CTX_EL3STATE_OFFSET + CTX_RUNTIME_SP]
mov x20, sp
Refactor ARMv8.3 Pointer Authentication support code This patch provides the following features and makes modifications listed below: - Individual APIAKey key generation for each CPU. - New key generation on every BL31 warm boot and TSP CPU On event. - Per-CPU storage of APIAKey added in percpu_data[] of cpu_data structure. - `plat_init_apiakey()` function replaced with `plat_init_apkey()` which returns 128-bit value and uses Generic timer physical counter value to increase the randomness of the generated key. The new function can be used for generation of all ARMv8.3-PAuth keys - ARMv8.3-PAuth specific code placed in `lib\extensions\pauth`. - New `pauth_init_enable_el1()` and `pauth_init_enable_el3()` functions generate, program and enable APIAKey_EL1 for EL1 and EL3 respectively; pauth_disable_el1()` and `pauth_disable_el3()` functions disable PAuth for EL1 and EL3 respectively; `pauth_load_bl31_apiakey()` loads saved per-CPU APIAKey_EL1 from cpu-data structure. - Combined `save_gp_pauth_registers()` function replaces calls to `save_gp_registers()` and `pauth_context_save()`; `restore_gp_pauth_registers()` replaces `pauth_context_restore()` and `restore_gp_registers()` calls. - `restore_gp_registers_eret()` function removed with corresponding code placed in `el3_exit()`. - Fixed the issue when `pauth_t pauth_ctx` structure allocated space for 12 uint64_t PAuth registers instead of 10 by removal of macro CTX_PACGAKEY_END from `include/lib/el3_runtime/aarch64/context.h` and assigning its value to CTX_PAUTH_REGS_END. - Use of MODE_SP_ELX and MODE_SP_EL0 macro definitions in `msr spsel` instruction instead of hard-coded values. - Changes in documentation related to ARMv8.3-PAuth and ARMv8.5-BTI. Change-Id: Id18b81cc46f52a783a7e6a09b9f149b6ce803211 Signed-off-by: Alexei Fedorov <Alexei.Fedorov@arm.com>
2019-09-13 14:11:59 +01:00
msr spsel, #MODE_SP_EL0
Introduce interrupt handling framework in BL3-1 This patch adds a common handler for FIQ and IRQ exceptions in the BL3-1 runtime exception vector table. This function determines the interrupt type and calls its handler. A crash is reported if an inconsistency in the interrupt management framework is detected. In the event of a spurious interrupt, execution resumes from the instruction where the interrupt was generated. This patch also removes 'cm_macros.S' as its contents have been moved to 'runtime_exceptions.S' Change-Id: I3c85ecf8eaf43a3fac429b119ed0bd706d2e2093
2014-05-09 11:07:09 +01:00
mov sp, x2
/*
Cosmetic change to exception table * Move comments on unhandled exceptions at the right place. * Reformat the existing comments to highlight the start of each block of 4 entries in the exception table to ease navigation (lines of dash reserved for head comments). * Reflow comments to 80 columns. Change-Id: I5ab88a93d0628af8e151852cb5b597eb34437677 Signed-off-by: Douglas Raillard <douglas.raillard@arm.com>
2016-11-09 17:48:27 +00:00
* Find out whether this is a valid interrupt type.
* If the interrupt controller reports a spurious interrupt then return
* to where we came from.
Introduce interrupt handling framework in BL3-1 This patch adds a common handler for FIQ and IRQ exceptions in the BL3-1 runtime exception vector table. This function determines the interrupt type and calls its handler. A crash is reported if an inconsistency in the interrupt management framework is detected. In the event of a spurious interrupt, execution resumes from the instruction where the interrupt was generated. This patch also removes 'cm_macros.S' as its contents have been moved to 'runtime_exceptions.S' Change-Id: I3c85ecf8eaf43a3fac429b119ed0bd706d2e2093
2014-05-09 11:07:09 +01:00
*/
Further renames of platform porting functions Rename the ic_* platform porting functions to plat_ic_* to be consistent with the other functions in platform.h. Also rename bl31_get_next_image_info() to bl31_plat_get_next_image_ep_info() and remove the duplicate declaration in bl31.h. Change-Id: I4851842069d3cff14c0a468daacc0a891a7ede84
2014-05-27 16:17:21 +01:00
bl plat_ic_get_pending_interrupt_type
Introduce interrupt handling framework in BL3-1 This patch adds a common handler for FIQ and IRQ exceptions in the BL3-1 runtime exception vector table. This function determines the interrupt type and calls its handler. A crash is reported if an inconsistency in the interrupt management framework is detected. In the event of a spurious interrupt, execution resumes from the instruction where the interrupt was generated. This patch also removes 'cm_macros.S' as its contents have been moved to 'runtime_exceptions.S' Change-Id: I3c85ecf8eaf43a3fac429b119ed0bd706d2e2093
2014-05-09 11:07:09 +01:00
cmp x0, #INTR_TYPE_INVAL
b.eq interrupt_exit_\label
/*
Cosmetic change to exception table * Move comments on unhandled exceptions at the right place. * Reformat the existing comments to highlight the start of each block of 4 entries in the exception table to ease navigation (lines of dash reserved for head comments). * Reflow comments to 80 columns. Change-Id: I5ab88a93d0628af8e151852cb5b597eb34437677 Signed-off-by: Douglas Raillard <douglas.raillard@arm.com>
2016-11-09 17:48:27 +00:00
* Get the registered handler for this interrupt type.
* A NULL return value could be 'cause of the following conditions:
Fix handling of spurious interrupts in BL3_1 There are couple of issues with how the interrupt routing framework in BL3_1 handles spurious interrupts. 1. In the macro 'handle_interrupt_exception', if a spurious interrupt is detected by plat_ic_get_pending_interrupt_type(), then execution jumps to 'interrupt_exit_\label'. This macro uses the el3_exit() function to return to the original exception level. el3_exit() attempts to restore the SPSR_EL3 and ELR_EL3 registers with values from the current CPU context. Since these registers were not saved in this code path, it programs stale values into these registers. This leads to unpredictable behaviour after the execution of the ERET instruction. 2. When an interrupt is routed to EL3, it could be de-asserted before the GICC_HPPIR is read in plat_ic_get_pending_interrupt_type(). There could be another interrupt pending at the same time e.g. a non-secure interrupt. Its type will be returned instead of the original interrupt. This would result in a call to get_interrupt_type_handler(). The firmware will panic if the handler for this type of interrupt has not been registered. This patch fixes the first problem by saving SPSR_EL3 and ELR_EL3 early in the 'handle_interrupt_exception' macro, instead of only doing so once the validity of the interrupt has been determined. The second problem is fixed by returning execution back to the lower exception level through the 'interrupt_exit_\label' label instead of treating it as an error condition. The 'interrupt_error_\label' label has been removed since it is no longer used. Fixes ARM-software/tf-issues#305 Change-Id: I81c729a206d461084db501bb81b44dff435021e8
2015-05-13 17:57:18 +01:00
*
Cosmetic change to exception table * Move comments on unhandled exceptions at the right place. * Reformat the existing comments to highlight the start of each block of 4 entries in the exception table to ease navigation (lines of dash reserved for head comments). * Reflow comments to 80 columns. Change-Id: I5ab88a93d0628af8e151852cb5b597eb34437677 Signed-off-by: Douglas Raillard <douglas.raillard@arm.com>
2016-11-09 17:48:27 +00:00
* a. An interrupt of a type was routed correctly but a handler for its
* type was not registered.
Fix handling of spurious interrupts in BL3_1 There are couple of issues with how the interrupt routing framework in BL3_1 handles spurious interrupts. 1. In the macro 'handle_interrupt_exception', if a spurious interrupt is detected by plat_ic_get_pending_interrupt_type(), then execution jumps to 'interrupt_exit_\label'. This macro uses the el3_exit() function to return to the original exception level. el3_exit() attempts to restore the SPSR_EL3 and ELR_EL3 registers with values from the current CPU context. Since these registers were not saved in this code path, it programs stale values into these registers. This leads to unpredictable behaviour after the execution of the ERET instruction. 2. When an interrupt is routed to EL3, it could be de-asserted before the GICC_HPPIR is read in plat_ic_get_pending_interrupt_type(). There could be another interrupt pending at the same time e.g. a non-secure interrupt. Its type will be returned instead of the original interrupt. This would result in a call to get_interrupt_type_handler(). The firmware will panic if the handler for this type of interrupt has not been registered. This patch fixes the first problem by saving SPSR_EL3 and ELR_EL3 early in the 'handle_interrupt_exception' macro, instead of only doing so once the validity of the interrupt has been determined. The second problem is fixed by returning execution back to the lower exception level through the 'interrupt_exit_\label' label instead of treating it as an error condition. The 'interrupt_error_\label' label has been removed since it is no longer used. Fixes ARM-software/tf-issues#305 Change-Id: I81c729a206d461084db501bb81b44dff435021e8
2015-05-13 17:57:18 +01:00
*
Cosmetic change to exception table * Move comments on unhandled exceptions at the right place. * Reformat the existing comments to highlight the start of each block of 4 entries in the exception table to ease navigation (lines of dash reserved for head comments). * Reflow comments to 80 columns. Change-Id: I5ab88a93d0628af8e151852cb5b597eb34437677 Signed-off-by: Douglas Raillard <douglas.raillard@arm.com>
2016-11-09 17:48:27 +00:00
* b. An interrupt of a type was not routed correctly so a handler for
* its type was not registered.
Fix handling of spurious interrupts in BL3_1 There are couple of issues with how the interrupt routing framework in BL3_1 handles spurious interrupts. 1. In the macro 'handle_interrupt_exception', if a spurious interrupt is detected by plat_ic_get_pending_interrupt_type(), then execution jumps to 'interrupt_exit_\label'. This macro uses the el3_exit() function to return to the original exception level. el3_exit() attempts to restore the SPSR_EL3 and ELR_EL3 registers with values from the current CPU context. Since these registers were not saved in this code path, it programs stale values into these registers. This leads to unpredictable behaviour after the execution of the ERET instruction. 2. When an interrupt is routed to EL3, it could be de-asserted before the GICC_HPPIR is read in plat_ic_get_pending_interrupt_type(). There could be another interrupt pending at the same time e.g. a non-secure interrupt. Its type will be returned instead of the original interrupt. This would result in a call to get_interrupt_type_handler(). The firmware will panic if the handler for this type of interrupt has not been registered. This patch fixes the first problem by saving SPSR_EL3 and ELR_EL3 early in the 'handle_interrupt_exception' macro, instead of only doing so once the validity of the interrupt has been determined. The second problem is fixed by returning execution back to the lower exception level through the 'interrupt_exit_\label' label instead of treating it as an error condition. The 'interrupt_error_\label' label has been removed since it is no longer used. Fixes ARM-software/tf-issues#305 Change-Id: I81c729a206d461084db501bb81b44dff435021e8
2015-05-13 17:57:18 +01:00
*
Cosmetic change to exception table * Move comments on unhandled exceptions at the right place. * Reformat the existing comments to highlight the start of each block of 4 entries in the exception table to ease navigation (lines of dash reserved for head comments). * Reflow comments to 80 columns. Change-Id: I5ab88a93d0628af8e151852cb5b597eb34437677 Signed-off-by: Douglas Raillard <douglas.raillard@arm.com>
2016-11-09 17:48:27 +00:00
* c. An interrupt of a type was routed correctly to EL3, but was
* deasserted before its pending state could be read. Another
* interrupt of a different type pended at the same time and its
* type was reported as pending instead. However, a handler for this
* type was not registered.
Fix handling of spurious interrupts in BL3_1 There are couple of issues with how the interrupt routing framework in BL3_1 handles spurious interrupts. 1. In the macro 'handle_interrupt_exception', if a spurious interrupt is detected by plat_ic_get_pending_interrupt_type(), then execution jumps to 'interrupt_exit_\label'. This macro uses the el3_exit() function to return to the original exception level. el3_exit() attempts to restore the SPSR_EL3 and ELR_EL3 registers with values from the current CPU context. Since these registers were not saved in this code path, it programs stale values into these registers. This leads to unpredictable behaviour after the execution of the ERET instruction. 2. When an interrupt is routed to EL3, it could be de-asserted before the GICC_HPPIR is read in plat_ic_get_pending_interrupt_type(). There could be another interrupt pending at the same time e.g. a non-secure interrupt. Its type will be returned instead of the original interrupt. This would result in a call to get_interrupt_type_handler(). The firmware will panic if the handler for this type of interrupt has not been registered. This patch fixes the first problem by saving SPSR_EL3 and ELR_EL3 early in the 'handle_interrupt_exception' macro, instead of only doing so once the validity of the interrupt has been determined. The second problem is fixed by returning execution back to the lower exception level through the 'interrupt_exit_\label' label instead of treating it as an error condition. The 'interrupt_error_\label' label has been removed since it is no longer used. Fixes ARM-software/tf-issues#305 Change-Id: I81c729a206d461084db501bb81b44dff435021e8
2015-05-13 17:57:18 +01:00
*
Cosmetic change to exception table * Move comments on unhandled exceptions at the right place. * Reformat the existing comments to highlight the start of each block of 4 entries in the exception table to ease navigation (lines of dash reserved for head comments). * Reflow comments to 80 columns. Change-Id: I5ab88a93d0628af8e151852cb5b597eb34437677 Signed-off-by: Douglas Raillard <douglas.raillard@arm.com>
2016-11-09 17:48:27 +00:00
* a. and b. can only happen due to a programming error. The
* occurrence of c. could be beyond the control of Trusted Firmware.
* It makes sense to return from this exception instead of reporting an
* error.
Introduce interrupt handling framework in BL3-1 This patch adds a common handler for FIQ and IRQ exceptions in the BL3-1 runtime exception vector table. This function determines the interrupt type and calls its handler. A crash is reported if an inconsistency in the interrupt management framework is detected. In the event of a spurious interrupt, execution resumes from the instruction where the interrupt was generated. This patch also removes 'cm_macros.S' as its contents have been moved to 'runtime_exceptions.S' Change-Id: I3c85ecf8eaf43a3fac429b119ed0bd706d2e2093
2014-05-09 11:07:09 +01:00
*/
bl get_interrupt_type_handler
Fix handling of spurious interrupts in BL3_1 There are couple of issues with how the interrupt routing framework in BL3_1 handles spurious interrupts. 1. In the macro 'handle_interrupt_exception', if a spurious interrupt is detected by plat_ic_get_pending_interrupt_type(), then execution jumps to 'interrupt_exit_\label'. This macro uses the el3_exit() function to return to the original exception level. el3_exit() attempts to restore the SPSR_EL3 and ELR_EL3 registers with values from the current CPU context. Since these registers were not saved in this code path, it programs stale values into these registers. This leads to unpredictable behaviour after the execution of the ERET instruction. 2. When an interrupt is routed to EL3, it could be de-asserted before the GICC_HPPIR is read in plat_ic_get_pending_interrupt_type(). There could be another interrupt pending at the same time e.g. a non-secure interrupt. Its type will be returned instead of the original interrupt. This would result in a call to get_interrupt_type_handler(). The firmware will panic if the handler for this type of interrupt has not been registered. This patch fixes the first problem by saving SPSR_EL3 and ELR_EL3 early in the 'handle_interrupt_exception' macro, instead of only doing so once the validity of the interrupt has been determined. The second problem is fixed by returning execution back to the lower exception level through the 'interrupt_exit_\label' label instead of treating it as an error condition. The 'interrupt_error_\label' label has been removed since it is no longer used. Fixes ARM-software/tf-issues#305 Change-Id: I81c729a206d461084db501bb81b44dff435021e8
2015-05-13 17:57:18 +01:00
cbz x0, interrupt_exit_\label
Introduce interrupt handling framework in BL3-1 This patch adds a common handler for FIQ and IRQ exceptions in the BL3-1 runtime exception vector table. This function determines the interrupt type and calls its handler. A crash is reported if an inconsistency in the interrupt management framework is detected. In the event of a spurious interrupt, execution resumes from the instruction where the interrupt was generated. This patch also removes 'cm_macros.S' as its contents have been moved to 'runtime_exceptions.S' Change-Id: I3c85ecf8eaf43a3fac429b119ed0bd706d2e2093
2014-05-09 11:07:09 +01:00
mov x21, x0
mov x0, #INTR_ID_UNAVAILABLE
/* Set the current security state in the 'flags' parameter */
mrs x2, scr_el3
ubfx x1, x2, #0, #1
/* Restore the reference to the 'handle' i.e. SP_EL3 */
mov x2, x20
Cosmetic change to exception table * Move comments on unhandled exceptions at the right place. * Reformat the existing comments to highlight the start of each block of 4 entries in the exception table to ease navigation (lines of dash reserved for head comments). * Reflow comments to 80 columns. Change-Id: I5ab88a93d0628af8e151852cb5b597eb34437677 Signed-off-by: Douglas Raillard <douglas.raillard@arm.com>
2016-11-09 17:48:27 +00:00
/* x3 will point to a cookie (not used now) */
Pass 'cookie' parameter to interrupt handler in BL3-1 The interrupt handling routine in BL3-1 expects a cookie as its last parameter which was not being passed when invoking the interrupt handler in BL3-1. This patch fixes that by passing a dummy cookie parameter in the x3 register. Fixes ARM-software/tf-issues#171 Change-Id: Ic98abbbd9f849e6f1c55343e865b5e0a4904a1c5
2014-05-27 16:54:31 +01:00
mov x3, xzr
Introduce interrupt handling framework in BL3-1 This patch adds a common handler for FIQ and IRQ exceptions in the BL3-1 runtime exception vector table. This function determines the interrupt type and calls its handler. A crash is reported if an inconsistency in the interrupt management framework is detected. In the event of a spurious interrupt, execution resumes from the instruction where the interrupt was generated. This patch also removes 'cm_macros.S' as its contents have been moved to 'runtime_exceptions.S' Change-Id: I3c85ecf8eaf43a3fac429b119ed0bd706d2e2093
2014-05-09 11:07:09 +01:00
/* Call the interrupt type handler */
blr x21
interrupt_exit_\label:
/* Return from exception, possibly in a different security state */
b el3_exit
.endm
Introduce some helper macros for exception vectors This patch introduces some assembler macros to simplify the declaration of the exception vectors. It abstracts the section the exception code is put into as well as the alignments constraints mandated by the ARMv8 architecture. For all TF images, the exception code has been updated to make use of these macros. This patch also updates some invalid comments in the exception vector code. Change-Id: I35737b8f1c8c24b6da89b0a954c8152a4096fa95
2016-05-24 16:56:03 +01:00
vector_base runtime_exceptions
Cosmetic change to exception table * Move comments on unhandled exceptions at the right place. * Reformat the existing comments to highlight the start of each block of 4 entries in the exception table to ease navigation (lines of dash reserved for head comments). * Reflow comments to 80 columns. Change-Id: I5ab88a93d0628af8e151852cb5b597eb34437677 Signed-off-by: Douglas Raillard <douglas.raillard@arm.com>
2016-11-09 17:48:27 +00:00
/* ---------------------------------------------------------------------
* Current EL with SP_EL0 : 0x0 - 0x200
* ---------------------------------------------------------------------
ARMv8 Trusted Firmware release v0.2
2013-10-25 09:08:21 +01:00
*/
Introduce some helper macros for exception vectors This patch introduces some assembler macros to simplify the declaration of the exception vectors. It abstracts the section the exception code is put into as well as the alignments constraints mandated by the ARMv8 architecture. For all TF images, the exception code has been updated to make use of these macros. This patch also updates some invalid comments in the exception vector code. Change-Id: I35737b8f1c8c24b6da89b0a954c8152a4096fa95
2016-05-24 16:56:03 +01:00
vector_entry sync_exception_sp_el0
Add UBSAN support and handlers This patch adds support for the Undefined Behaviour sanitizer. There are two types of support offered - minimalistic trapping support which essentially immediately crashes on undefined behaviour and full support with full debug messages. The full support relies on ubsan.c which has been adapted from code used by OPTEE. Change-Id: I417c810f4fc43dcb56db6a6a555bfd0b38440727 Signed-off-by: Justin Chadwell <justin.chadwell@arm.com>
2019-08-20 11:01:52 +01:00
#ifdef MONITOR_TRAPS
stp x29, x30, [sp, #-16]!
mrs x30, esr_el3
ubfx x30, x30, #ESR_EC_SHIFT, #ESR_EC_LENGTH
/* Check for BRK */
cmp x30, #EC_BRK
b.eq brk_handler
ldp x29, x30, [sp], #16
#endif /* MONITOR_TRAPS */
Cosmetic change to exception table * Move comments on unhandled exceptions at the right place. * Reformat the existing comments to highlight the start of each block of 4 entries in the exception table to ease navigation (lines of dash reserved for head comments). * Reflow comments to 80 columns. Change-Id: I5ab88a93d0628af8e151852cb5b597eb34437677 Signed-off-by: Douglas Raillard <douglas.raillard@arm.com>
2016-11-09 17:48:27 +00:00
/* We don't expect any synchronous exceptions from EL3 */
Fix x30 reporting for unhandled exceptions Some error paths that lead to a crash dump will overwrite the value in the x30 register by calling functions with the no_ret macro, which resolves to a BL instruction. This is not very useful and not what the reader would expect, since a crash dump should usually show all registers in the state they were in when the exception happened. This patch replaces the offending function calls with a B instruction to preserve the value in x30. Change-Id: I2a3636f2943f79bab0cd911f89d070012e697c2a Signed-off-by: Julius Werner <jwerner@chromium.org>
2017-07-27 22:59:34 +01:00
b report_unhandled_exception
Add end_vector_entry assembler macro Check_vector_size checks if the size of the vector fits in the size reserved for it. This check creates problems in the Clang assembler. A new macro, end_vector_entry, is added and check_vector_size is deprecated. This new macro fills the current exception vector until the next exception vector. If the size of the current vector is bigger than 32 instructions then it gives an error. Change-Id: Ie8545cf1003a1e31656a1018dd6b4c28a4eaf671 Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
2018-04-17 11:31:43 +01:00
end_vector_entry sync_exception_sp_el0
ARMv8 Trusted Firmware release v0.2
2013-10-25 09:08:21 +01:00
Introduce some helper macros for exception vectors This patch introduces some assembler macros to simplify the declaration of the exception vectors. It abstracts the section the exception code is put into as well as the alignments constraints mandated by the ARMv8 architecture. For all TF images, the exception code has been updated to make use of these macros. This patch also updates some invalid comments in the exception vector code. Change-Id: I35737b8f1c8c24b6da89b0a954c8152a4096fa95
2016-05-24 16:56:03 +01:00
vector_entry irq_sp_el0
Cosmetic change to exception table * Move comments on unhandled exceptions at the right place. * Reformat the existing comments to highlight the start of each block of 4 entries in the exception table to ease navigation (lines of dash reserved for head comments). * Reflow comments to 80 columns. Change-Id: I5ab88a93d0628af8e151852cb5b597eb34437677 Signed-off-by: Douglas Raillard <douglas.raillard@arm.com>
2016-11-09 17:48:27 +00:00
/*
* EL3 code is non-reentrant. Any asynchronous exception is a serious
* error. Loop infinitely.
*/
Fix x30 reporting for unhandled exceptions Some error paths that lead to a crash dump will overwrite the value in the x30 register by calling functions with the no_ret macro, which resolves to a BL instruction. This is not very useful and not what the reader would expect, since a crash dump should usually show all registers in the state they were in when the exception happened. This patch replaces the offending function calls with a B instruction to preserve the value in x30. Change-Id: I2a3636f2943f79bab0cd911f89d070012e697c2a Signed-off-by: Julius Werner <jwerner@chromium.org>
2017-07-27 22:59:34 +01:00
b report_unhandled_interrupt
Add end_vector_entry assembler macro Check_vector_size checks if the size of the vector fits in the size reserved for it. This check creates problems in the Clang assembler. A new macro, end_vector_entry, is added and check_vector_size is deprecated. This new macro fills the current exception vector until the next exception vector. If the size of the current vector is bigger than 32 instructions then it gives an error. Change-Id: Ie8545cf1003a1e31656a1018dd6b4c28a4eaf671 Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
2018-04-17 11:31:43 +01:00
end_vector_entry irq_sp_el0
ARMv8 Trusted Firmware release v0.2
2013-10-25 09:08:21 +01:00
Introduce some helper macros for exception vectors This patch introduces some assembler macros to simplify the declaration of the exception vectors. It abstracts the section the exception code is put into as well as the alignments constraints mandated by the ARMv8 architecture. For all TF images, the exception code has been updated to make use of these macros. This patch also updates some invalid comments in the exception vector code. Change-Id: I35737b8f1c8c24b6da89b0a954c8152a4096fa95
2016-05-24 16:56:03 +01:00
vector_entry fiq_sp_el0
Fix x30 reporting for unhandled exceptions Some error paths that lead to a crash dump will overwrite the value in the x30 register by calling functions with the no_ret macro, which resolves to a BL instruction. This is not very useful and not what the reader would expect, since a crash dump should usually show all registers in the state they were in when the exception happened. This patch replaces the offending function calls with a B instruction to preserve the value in x30. Change-Id: I2a3636f2943f79bab0cd911f89d070012e697c2a Signed-off-by: Julius Werner <jwerner@chromium.org>
2017-07-27 22:59:34 +01:00
b report_unhandled_interrupt
Add end_vector_entry assembler macro Check_vector_size checks if the size of the vector fits in the size reserved for it. This check creates problems in the Clang assembler. A new macro, end_vector_entry, is added and check_vector_size is deprecated. This new macro fills the current exception vector until the next exception vector. If the size of the current vector is bigger than 32 instructions then it gives an error. Change-Id: Ie8545cf1003a1e31656a1018dd6b4c28a4eaf671 Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
2018-04-17 11:31:43 +01:00
end_vector_entry fiq_sp_el0
ARMv8 Trusted Firmware release v0.2
2013-10-25 09:08:21 +01:00
Introduce some helper macros for exception vectors This patch introduces some assembler macros to simplify the declaration of the exception vectors. It abstracts the section the exception code is put into as well as the alignments constraints mandated by the ARMv8 architecture. For all TF images, the exception code has been updated to make use of these macros. This patch also updates some invalid comments in the exception vector code. Change-Id: I35737b8f1c8c24b6da89b0a954c8152a4096fa95
2016-05-24 16:56:03 +01:00
vector_entry serror_sp_el0
RAS: Introduce handler for EL3 EAs External Aborts while executing in EL3 is fatal in nature. This patch allows for the platform to define a handler for External Aborts received while executing in EL3. A default implementation is added which falls back to platform unhandled exception. Change-Id: I466f2c8113a33870f2c7d2d8f2bf20437d9fd354 Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
2018-07-06 16:50:06 +01:00
no_ret plat_handle_el3_ea
Add end_vector_entry assembler macro Check_vector_size checks if the size of the vector fits in the size reserved for it. This check creates problems in the Clang assembler. A new macro, end_vector_entry, is added and check_vector_size is deprecated. This new macro fills the current exception vector until the next exception vector. If the size of the current vector is bigger than 32 instructions then it gives an error. Change-Id: Ie8545cf1003a1e31656a1018dd6b4c28a4eaf671 Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
2018-04-17 11:31:43 +01:00
end_vector_entry serror_sp_el0
ARMv8 Trusted Firmware release v0.2
2013-10-25 09:08:21 +01:00
Cosmetic change to exception table * Move comments on unhandled exceptions at the right place. * Reformat the existing comments to highlight the start of each block of 4 entries in the exception table to ease navigation (lines of dash reserved for head comments). * Reflow comments to 80 columns. Change-Id: I5ab88a93d0628af8e151852cb5b597eb34437677 Signed-off-by: Douglas Raillard <douglas.raillard@arm.com>
2016-11-09 17:48:27 +00:00
/* ---------------------------------------------------------------------
* Current EL with SP_ELx: 0x200 - 0x400
* ---------------------------------------------------------------------
ARMv8 Trusted Firmware release v0.2
2013-10-25 09:08:21 +01:00
*/
Introduce some helper macros for exception vectors This patch introduces some assembler macros to simplify the declaration of the exception vectors. It abstracts the section the exception code is put into as well as the alignments constraints mandated by the ARMv8 architecture. For all TF images, the exception code has been updated to make use of these macros. This patch also updates some invalid comments in the exception vector code. Change-Id: I35737b8f1c8c24b6da89b0a954c8152a4096fa95
2016-05-24 16:56:03 +01:00
vector_entry sync_exception_sp_elx
Cosmetic change to exception table * Move comments on unhandled exceptions at the right place. * Reformat the existing comments to highlight the start of each block of 4 entries in the exception table to ease navigation (lines of dash reserved for head comments). * Reflow comments to 80 columns. Change-Id: I5ab88a93d0628af8e151852cb5b597eb34437677 Signed-off-by: Douglas Raillard <douglas.raillard@arm.com>
2016-11-09 17:48:27 +00:00
/*
* This exception will trigger if anything went wrong during a previous
* exception entry or exit or while handling an earlier unexpected
* synchronous exception. There is a high probability that SP_EL3 is
* corrupted.
Add support for handling runtime service requests This patch uses the reworked exception handling support to handle runtime service requests through SMCs following the SMC calling convention. This is a giant commit since all the changes are inter-related. It does the following: 1. Replace the old exception handling mechanism with the new one 2. Enforce that SP_EL0 is used C runtime stacks. 3. Ensures that the cold and warm boot paths use the 'cpu_context' structure to program an ERET into the next lower EL. 4. Ensures that SP_EL3 always points to the next 'cpu_context' structure prior to an ERET into the next lower EL 5. Introduces a PSCI SMC handler which completes the use of PSCI as a runtime service Change-Id: I661797f834c0803d2c674d20f504df1b04c2b852 Co-authored-by: Achin Gupta <achin.gupta@arm.com>
2014-02-06 10:36:15 +00:00
*/
Fix x30 reporting for unhandled exceptions Some error paths that lead to a crash dump will overwrite the value in the x30 register by calling functions with the no_ret macro, which resolves to a BL instruction. This is not very useful and not what the reader would expect, since a crash dump should usually show all registers in the state they were in when the exception happened. This patch replaces the offending function calls with a B instruction to preserve the value in x30. Change-Id: I2a3636f2943f79bab0cd911f89d070012e697c2a Signed-off-by: Julius Werner <jwerner@chromium.org>
2017-07-27 22:59:34 +01:00
b report_unhandled_exception
Add end_vector_entry assembler macro Check_vector_size checks if the size of the vector fits in the size reserved for it. This check creates problems in the Clang assembler. A new macro, end_vector_entry, is added and check_vector_size is deprecated. This new macro fills the current exception vector until the next exception vector. If the size of the current vector is bigger than 32 instructions then it gives an error. Change-Id: Ie8545cf1003a1e31656a1018dd6b4c28a4eaf671 Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
2018-04-17 11:31:43 +01:00
end_vector_entry sync_exception_sp_elx
ARMv8 Trusted Firmware release v0.2
2013-10-25 09:08:21 +01:00
Introduce some helper macros for exception vectors This patch introduces some assembler macros to simplify the declaration of the exception vectors. It abstracts the section the exception code is put into as well as the alignments constraints mandated by the ARMv8 architecture. For all TF images, the exception code has been updated to make use of these macros. This patch also updates some invalid comments in the exception vector code. Change-Id: I35737b8f1c8c24b6da89b0a954c8152a4096fa95
2016-05-24 16:56:03 +01:00
vector_entry irq_sp_elx
Fix x30 reporting for unhandled exceptions Some error paths that lead to a crash dump will overwrite the value in the x30 register by calling functions with the no_ret macro, which resolves to a BL instruction. This is not very useful and not what the reader would expect, since a crash dump should usually show all registers in the state they were in when the exception happened. This patch replaces the offending function calls with a B instruction to preserve the value in x30. Change-Id: I2a3636f2943f79bab0cd911f89d070012e697c2a Signed-off-by: Julius Werner <jwerner@chromium.org>
2017-07-27 22:59:34 +01:00
b report_unhandled_interrupt
Add end_vector_entry assembler macro Check_vector_size checks if the size of the vector fits in the size reserved for it. This check creates problems in the Clang assembler. A new macro, end_vector_entry, is added and check_vector_size is deprecated. This new macro fills the current exception vector until the next exception vector. If the size of the current vector is bigger than 32 instructions then it gives an error. Change-Id: Ie8545cf1003a1e31656a1018dd6b4c28a4eaf671 Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
2018-04-17 11:31:43 +01:00
end_vector_entry irq_sp_elx
Add exception vector guards This patch adds guards so that an exception vector exceeding 32 instructions will generate a compile-time error. This keeps the exception handlers in check from spilling over. Change-Id: I7aa56dd0071a333664e2814c656d3896032046fe
2014-02-07 15:53:18 +00:00
Introduce some helper macros for exception vectors This patch introduces some assembler macros to simplify the declaration of the exception vectors. It abstracts the section the exception code is put into as well as the alignments constraints mandated by the ARMv8 architecture. For all TF images, the exception code has been updated to make use of these macros. This patch also updates some invalid comments in the exception vector code. Change-Id: I35737b8f1c8c24b6da89b0a954c8152a4096fa95
2016-05-24 16:56:03 +01:00
vector_entry fiq_sp_elx
Fix x30 reporting for unhandled exceptions Some error paths that lead to a crash dump will overwrite the value in the x30 register by calling functions with the no_ret macro, which resolves to a BL instruction. This is not very useful and not what the reader would expect, since a crash dump should usually show all registers in the state they were in when the exception happened. This patch replaces the offending function calls with a B instruction to preserve the value in x30. Change-Id: I2a3636f2943f79bab0cd911f89d070012e697c2a Signed-off-by: Julius Werner <jwerner@chromium.org>
2017-07-27 22:59:34 +01:00
b report_unhandled_interrupt
Add end_vector_entry assembler macro Check_vector_size checks if the size of the vector fits in the size reserved for it. This check creates problems in the Clang assembler. A new macro, end_vector_entry, is added and check_vector_size is deprecated. This new macro fills the current exception vector until the next exception vector. If the size of the current vector is bigger than 32 instructions then it gives an error. Change-Id: Ie8545cf1003a1e31656a1018dd6b4c28a4eaf671 Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
2018-04-17 11:31:43 +01:00
end_vector_entry fiq_sp_elx
Add exception vector guards This patch adds guards so that an exception vector exceeding 32 instructions will generate a compile-time error. This keeps the exception handlers in check from spilling over. Change-Id: I7aa56dd0071a333664e2814c656d3896032046fe
2014-02-07 15:53:18 +00:00
Introduce some helper macros for exception vectors This patch introduces some assembler macros to simplify the declaration of the exception vectors. It abstracts the section the exception code is put into as well as the alignments constraints mandated by the ARMv8 architecture. For all TF images, the exception code has been updated to make use of these macros. This patch also updates some invalid comments in the exception vector code. Change-Id: I35737b8f1c8c24b6da89b0a954c8152a4096fa95
2016-05-24 16:56:03 +01:00
vector_entry serror_sp_elx
Fix exception handlers in BL31: Use DSB to synchronize pending EA For SoCs which do not implement RAS, use DSB as a barrier to synchronize pending external aborts at the entry and exit of exception handlers. This is needed to isolate the SErrors to appropriate context. However, this introduces an unintended side effect as discussed in the https://review.trustedfirmware.org/c/TF-A/trusted-firmware-a/+/3440 A summary of the side effect and a quick workaround is provided as part of this patch and summarized here: The explicit DSB at the entry of various exception vectors in BL31 for handling exceptions from lower ELs can inadvertently trigger an SError exception in EL3 due to pending asyncrhonouus aborts in lower ELs. This will end up being handled by serror_sp_elx in EL3 which will ultimately panic and die. The way to workaround is to update a flag to indicate if the exception truly came from EL3. This flag is allocated in the cpu_context structure. This is not a bullet proof solution to the problem at hand because we assume the instructions following "isb" that help to update the flag (lines 100-102 & 139-141) execute without causing further exceptions. Change-Id: I4d345b07d746a727459435ddd6abb37fda24a9bf Signed-off-by: Madhukar Pappireddy <madhukar.pappireddy@arm.com>
2020-07-24 09:27:12 +01:00
#if !RAS_EXTENSION
check_if_serror_from_EL3
#endif
RAS: Introduce handler for EL3 EAs External Aborts while executing in EL3 is fatal in nature. This patch allows for the platform to define a handler for External Aborts received while executing in EL3. A default implementation is added which falls back to platform unhandled exception. Change-Id: I466f2c8113a33870f2c7d2d8f2bf20437d9fd354 Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
2018-07-06 16:50:06 +01:00
no_ret plat_handle_el3_ea
Add end_vector_entry assembler macro Check_vector_size checks if the size of the vector fits in the size reserved for it. This check creates problems in the Clang assembler. A new macro, end_vector_entry, is added and check_vector_size is deprecated. This new macro fills the current exception vector until the next exception vector. If the size of the current vector is bigger than 32 instructions then it gives an error. Change-Id: Ie8545cf1003a1e31656a1018dd6b4c28a4eaf671 Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
2018-04-17 11:31:43 +01:00
end_vector_entry serror_sp_elx
ARMv8 Trusted Firmware release v0.2
2013-10-25 09:08:21 +01:00
Cosmetic change to exception table * Move comments on unhandled exceptions at the right place. * Reformat the existing comments to highlight the start of each block of 4 entries in the exception table to ease navigation (lines of dash reserved for head comments). * Reflow comments to 80 columns. Change-Id: I5ab88a93d0628af8e151852cb5b597eb34437677 Signed-off-by: Douglas Raillard <douglas.raillard@arm.com>
2016-11-09 17:48:27 +00:00
/* ---------------------------------------------------------------------
Miscellaneous documentation fixes This patch gathers miscellaneous minor fixes to the documentation, and comments in the source code. Change-Id: I631e3dda5abafa2d90f464edaee069a1e58b751b Co-Authored-By: Soby Mathew <soby.mathew@arm.com> Co-Authored-By: Dan Handley <dan.handley@arm.com>
2014-08-06 11:27:23 +01:00
* Lower EL using AArch64 : 0x400 - 0x600
Cosmetic change to exception table * Move comments on unhandled exceptions at the right place. * Reformat the existing comments to highlight the start of each block of 4 entries in the exception table to ease navigation (lines of dash reserved for head comments). * Reflow comments to 80 columns. Change-Id: I5ab88a93d0628af8e151852cb5b597eb34437677 Signed-off-by: Douglas Raillard <douglas.raillard@arm.com>
2016-11-09 17:48:27 +00:00
* ---------------------------------------------------------------------
ARMv8 Trusted Firmware release v0.2
2013-10-25 09:08:21 +01:00
*/
Introduce some helper macros for exception vectors This patch introduces some assembler macros to simplify the declaration of the exception vectors. It abstracts the section the exception code is put into as well as the alignments constraints mandated by the ARMv8 architecture. For all TF images, the exception code has been updated to make use of these macros. This patch also updates some invalid comments in the exception vector code. Change-Id: I35737b8f1c8c24b6da89b0a954c8152a4096fa95
2016-05-24 16:56:03 +01:00
vector_entry sync_exception_aarch64
Cosmetic change to exception table * Move comments on unhandled exceptions at the right place. * Reformat the existing comments to highlight the start of each block of 4 entries in the exception table to ease navigation (lines of dash reserved for head comments). * Reflow comments to 80 columns. Change-Id: I5ab88a93d0628af8e151852cb5b597eb34437677 Signed-off-by: Douglas Raillard <douglas.raillard@arm.com>
2016-11-09 17:48:27 +00:00
/*
* This exception vector will be the entry point for SMCs and traps
* that are unhandled at lower ELs most commonly. SP_EL3 should point
* to a valid cpu context where the general purpose and system register
* state can be saved.
Add support for handling runtime service requests This patch uses the reworked exception handling support to handle runtime service requests through SMCs following the SMC calling convention. This is a giant commit since all the changes are inter-related. It does the following: 1. Replace the old exception handling mechanism with the new one 2. Enforce that SP_EL0 is used C runtime stacks. 3. Ensures that the cold and warm boot paths use the 'cpu_context' structure to program an ERET into the next lower EL. 4. Ensures that SP_EL3 always points to the next 'cpu_context' structure prior to an ERET into the next lower EL 5. Introduces a PSCI SMC handler which completes the use of PSCI as a runtime service Change-Id: I661797f834c0803d2c674d20f504df1b04c2b852 Co-authored-by: Achin Gupta <achin.gupta@arm.com>
2014-02-06 10:36:15 +00:00
*/
runtime_exceptions: Update AT speculative workaround As per latest mailing communication [1], we decided to update AT speculative workaround implementation in order to disable page table walk for lower ELs(EL1 or EL0) immediately after context switching to EL3 from lower ELs. Previous implementation of AT speculative workaround is available here: 45aecff00 AT speculative workaround is updated as below: 1. Avoid saving and restoring of SCTLR and TCR registers for EL1 in context save and restore routine respectively. 2. On EL3 entry, save SCTLR and TCR registers for EL1. 3. On EL3 entry, update EL1 system registers to disable stage 1 page table walk for lower ELs (EL1 and EL0) and enable EL1 MMU. 4. On EL3 exit, restore SCTLR and TCR registers for EL1 which are saved in step 2. [1]: https://lists.trustedfirmware.org/pipermail/tf-a/2020-July/000586.html Change-Id: Iee8de16f81dc970a8f492726f2ddd57e7bd9ffb5 Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
2020-07-23 12:43:25 +01:00
apply_at_speculative_wa
AArch64: Introduce RAS handling RAS extensions are mandatory for ARMv8.2 CPUs, but are also optional extensions to base ARMv8.0 architecture. This patch adds build system support to enable RAS features in ARM Trusted Firmware. A boolean build option RAS_EXTENSION is introduced for this. With RAS_EXTENSION, an Exception Synchronization Barrier (ESB) is inserted at all EL3 vector entry and exit. ESBs will synchronize pending external aborts before entering EL3, and therefore will contain and attribute errors to lower EL execution. Any errors thus synchronized are detected via. DISR_EL1 register. When RAS_EXTENSION is set to 1, HANDLE_EL3_EA_FIRST must also be set to 1. Change-Id: I38a19d84014d4d8af688bd81d61ba582c039383a Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
2018-04-04 16:07:11 +01:00
check_and_unmask_ea
Add support for handling runtime service requests This patch uses the reworked exception handling support to handle runtime service requests through SMCs following the SMC calling convention. This is a giant commit since all the changes are inter-related. It does the following: 1. Replace the old exception handling mechanism with the new one 2. Enforce that SP_EL0 is used C runtime stacks. 3. Ensures that the cold and warm boot paths use the 'cpu_context' structure to program an ERET into the next lower EL. 4. Ensures that SP_EL3 always points to the next 'cpu_context' structure prior to an ERET into the next lower EL 5. Introduces a PSCI SMC handler which completes the use of PSCI as a runtime service Change-Id: I661797f834c0803d2c674d20f504df1b04c2b852 Co-authored-by: Achin Gupta <achin.gupta@arm.com>
2014-02-06 10:36:15 +00:00
handle_sync_exception
Add end_vector_entry assembler macro Check_vector_size checks if the size of the vector fits in the size reserved for it. This check creates problems in the Clang assembler. A new macro, end_vector_entry, is added and check_vector_size is deprecated. This new macro fills the current exception vector until the next exception vector. If the size of the current vector is bigger than 32 instructions then it gives an error. Change-Id: Ie8545cf1003a1e31656a1018dd6b4c28a4eaf671 Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
2018-04-17 11:31:43 +01:00
end_vector_entry sync_exception_aarch64
ARMv8 Trusted Firmware release v0.2
2013-10-25 09:08:21 +01:00
Introduce some helper macros for exception vectors This patch introduces some assembler macros to simplify the declaration of the exception vectors. It abstracts the section the exception code is put into as well as the alignments constraints mandated by the ARMv8 architecture. For all TF images, the exception code has been updated to make use of these macros. This patch also updates some invalid comments in the exception vector code. Change-Id: I35737b8f1c8c24b6da89b0a954c8152a4096fa95
2016-05-24 16:56:03 +01:00
vector_entry irq_aarch64
runtime_exceptions: Update AT speculative workaround As per latest mailing communication [1], we decided to update AT speculative workaround implementation in order to disable page table walk for lower ELs(EL1 or EL0) immediately after context switching to EL3 from lower ELs. Previous implementation of AT speculative workaround is available here: 45aecff00 AT speculative workaround is updated as below: 1. Avoid saving and restoring of SCTLR and TCR registers for EL1 in context save and restore routine respectively. 2. On EL3 entry, save SCTLR and TCR registers for EL1. 3. On EL3 entry, update EL1 system registers to disable stage 1 page table walk for lower ELs (EL1 and EL0) and enable EL1 MMU. 4. On EL3 exit, restore SCTLR and TCR registers for EL1 which are saved in step 2. [1]: https://lists.trustedfirmware.org/pipermail/tf-a/2020-July/000586.html Change-Id: Iee8de16f81dc970a8f492726f2ddd57e7bd9ffb5 Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
2020-07-23 12:43:25 +01:00
apply_at_speculative_wa
AArch64: Introduce RAS handling RAS extensions are mandatory for ARMv8.2 CPUs, but are also optional extensions to base ARMv8.0 architecture. This patch adds build system support to enable RAS features in ARM Trusted Firmware. A boolean build option RAS_EXTENSION is introduced for this. With RAS_EXTENSION, an Exception Synchronization Barrier (ESB) is inserted at all EL3 vector entry and exit. ESBs will synchronize pending external aborts before entering EL3, and therefore will contain and attribute errors to lower EL execution. Any errors thus synchronized are detected via. DISR_EL1 register. When RAS_EXTENSION is set to 1, HANDLE_EL3_EA_FIRST must also be set to 1. Change-Id: I38a19d84014d4d8af688bd81d61ba582c039383a Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
2018-04-04 16:07:11 +01:00
check_and_unmask_ea
Introduce interrupt handling framework in BL3-1 This patch adds a common handler for FIQ and IRQ exceptions in the BL3-1 runtime exception vector table. This function determines the interrupt type and calls its handler. A crash is reported if an inconsistency in the interrupt management framework is detected. In the event of a spurious interrupt, execution resumes from the instruction where the interrupt was generated. This patch also removes 'cm_macros.S' as its contents have been moved to 'runtime_exceptions.S' Change-Id: I3c85ecf8eaf43a3fac429b119ed0bd706d2e2093
2014-05-09 11:07:09 +01:00
handle_interrupt_exception irq_aarch64
Add end_vector_entry assembler macro Check_vector_size checks if the size of the vector fits in the size reserved for it. This check creates problems in the Clang assembler. A new macro, end_vector_entry, is added and check_vector_size is deprecated. This new macro fills the current exception vector until the next exception vector. If the size of the current vector is bigger than 32 instructions then it gives an error. Change-Id: Ie8545cf1003a1e31656a1018dd6b4c28a4eaf671 Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
2018-04-17 11:31:43 +01:00
end_vector_entry irq_aarch64
ARMv8 Trusted Firmware release v0.2
2013-10-25 09:08:21 +01:00
Introduce some helper macros for exception vectors This patch introduces some assembler macros to simplify the declaration of the exception vectors. It abstracts the section the exception code is put into as well as the alignments constraints mandated by the ARMv8 architecture. For all TF images, the exception code has been updated to make use of these macros. This patch also updates some invalid comments in the exception vector code. Change-Id: I35737b8f1c8c24b6da89b0a954c8152a4096fa95
2016-05-24 16:56:03 +01:00
vector_entry fiq_aarch64
runtime_exceptions: Update AT speculative workaround As per latest mailing communication [1], we decided to update AT speculative workaround implementation in order to disable page table walk for lower ELs(EL1 or EL0) immediately after context switching to EL3 from lower ELs. Previous implementation of AT speculative workaround is available here: 45aecff00 AT speculative workaround is updated as below: 1. Avoid saving and restoring of SCTLR and TCR registers for EL1 in context save and restore routine respectively. 2. On EL3 entry, save SCTLR and TCR registers for EL1. 3. On EL3 entry, update EL1 system registers to disable stage 1 page table walk for lower ELs (EL1 and EL0) and enable EL1 MMU. 4. On EL3 exit, restore SCTLR and TCR registers for EL1 which are saved in step 2. [1]: https://lists.trustedfirmware.org/pipermail/tf-a/2020-July/000586.html Change-Id: Iee8de16f81dc970a8f492726f2ddd57e7bd9ffb5 Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
2020-07-23 12:43:25 +01:00
apply_at_speculative_wa
AArch64: Introduce RAS handling RAS extensions are mandatory for ARMv8.2 CPUs, but are also optional extensions to base ARMv8.0 architecture. This patch adds build system support to enable RAS features in ARM Trusted Firmware. A boolean build option RAS_EXTENSION is introduced for this. With RAS_EXTENSION, an Exception Synchronization Barrier (ESB) is inserted at all EL3 vector entry and exit. ESBs will synchronize pending external aborts before entering EL3, and therefore will contain and attribute errors to lower EL execution. Any errors thus synchronized are detected via. DISR_EL1 register. When RAS_EXTENSION is set to 1, HANDLE_EL3_EA_FIRST must also be set to 1. Change-Id: I38a19d84014d4d8af688bd81d61ba582c039383a Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
2018-04-04 16:07:11 +01:00
check_and_unmask_ea
Introduce interrupt handling framework in BL3-1 This patch adds a common handler for FIQ and IRQ exceptions in the BL3-1 runtime exception vector table. This function determines the interrupt type and calls its handler. A crash is reported if an inconsistency in the interrupt management framework is detected. In the event of a spurious interrupt, execution resumes from the instruction where the interrupt was generated. This patch also removes 'cm_macros.S' as its contents have been moved to 'runtime_exceptions.S' Change-Id: I3c85ecf8eaf43a3fac429b119ed0bd706d2e2093
2014-05-09 11:07:09 +01:00
handle_interrupt_exception fiq_aarch64
Add end_vector_entry assembler macro Check_vector_size checks if the size of the vector fits in the size reserved for it. This check creates problems in the Clang assembler. A new macro, end_vector_entry, is added and check_vector_size is deprecated. This new macro fills the current exception vector until the next exception vector. If the size of the current vector is bigger than 32 instructions then it gives an error. Change-Id: Ie8545cf1003a1e31656a1018dd6b4c28a4eaf671 Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
2018-04-17 11:31:43 +01:00
end_vector_entry fiq_aarch64
ARMv8 Trusted Firmware release v0.2
2013-10-25 09:08:21 +01:00
Introduce some helper macros for exception vectors This patch introduces some assembler macros to simplify the declaration of the exception vectors. It abstracts the section the exception code is put into as well as the alignments constraints mandated by the ARMv8 architecture. For all TF images, the exception code has been updated to make use of these macros. This patch also updates some invalid comments in the exception vector code. Change-Id: I35737b8f1c8c24b6da89b0a954c8152a4096fa95
2016-05-24 16:56:03 +01:00
vector_entry serror_aarch64
runtime_exceptions: Update AT speculative workaround As per latest mailing communication [1], we decided to update AT speculative workaround implementation in order to disable page table walk for lower ELs(EL1 or EL0) immediately after context switching to EL3 from lower ELs. Previous implementation of AT speculative workaround is available here: 45aecff00 AT speculative workaround is updated as below: 1. Avoid saving and restoring of SCTLR and TCR registers for EL1 in context save and restore routine respectively. 2. On EL3 entry, save SCTLR and TCR registers for EL1. 3. On EL3 entry, update EL1 system registers to disable stage 1 page table walk for lower ELs (EL1 and EL0) and enable EL1 MMU. 4. On EL3 exit, restore SCTLR and TCR registers for EL1 which are saved in step 2. [1]: https://lists.trustedfirmware.org/pipermail/tf-a/2020-July/000586.html Change-Id: Iee8de16f81dc970a8f492726f2ddd57e7bd9ffb5 Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
2020-07-23 12:43:25 +01:00
apply_at_speculative_wa
Fix exception handlers in BL31: Use DSB to synchronize pending EA For SoCs which do not implement RAS, use DSB as a barrier to synchronize pending external aborts at the entry and exit of exception handlers. This is needed to isolate the SErrors to appropriate context. However, this introduces an unintended side effect as discussed in the https://review.trustedfirmware.org/c/TF-A/trusted-firmware-a/+/3440 A summary of the side effect and a quick workaround is provided as part of this patch and summarized here: The explicit DSB at the entry of various exception vectors in BL31 for handling exceptions from lower ELs can inadvertently trigger an SError exception in EL3 due to pending asyncrhonouus aborts in lower ELs. This will end up being handled by serror_sp_elx in EL3 which will ultimately panic and die. The way to workaround is to update a flag to indicate if the exception truly came from EL3. This flag is allocated in the cpu_context structure. This is not a bullet proof solution to the problem at hand because we assume the instructions following "isb" that help to update the flag (lines 100-102 & 139-141) execute without causing further exceptions. Change-Id: I4d345b07d746a727459435ddd6abb37fda24a9bf Signed-off-by: Madhukar Pappireddy <madhukar.pappireddy@arm.com>
2020-07-24 09:27:12 +01:00
#if RAS_EXTENSION
AArch64: Introduce External Abort handling At present, any External Abort routed to EL3 is reported as an unhandled exception and cause a panic. This patch enables ARM Trusted Firmware to handle External Aborts routed to EL3. With this patch, when an External Abort is received at EL3, its handling is delegated to plat_ea_handler() function. Platforms can provide their own implementation of this function. This patch adds a weak definition of the said function that prints out a message and just panics. In order to support handling External Aborts at EL3, the build option HANDLE_EA_EL3_FIRST must be set to 1. Before this patch, HANDLE_EA_EL3_FIRST wasn't passed down to compilation; this patch fixes that too. Change-Id: I4d07b7e65eb191ff72d63b909ae9512478cd01a1 Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
2017-11-30 12:54:15 +00:00
msr daifclr, #DAIF_ABT_BIT
RAS: Move EA handling to a separate file A new file ea_delegate.S is introduced, and all EA-related functions are moved into it. This makes runtime_exceptions.S less crowded and reads better. No functional changes. Change-Id: I64b653b3931984cffd420563f8e8d1ba263f329f Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
2018-07-05 15:24:45 +01:00
b enter_lower_el_async_ea
Fix exception handlers in BL31: Use DSB to synchronize pending EA For SoCs which do not implement RAS, use DSB as a barrier to synchronize pending external aborts at the entry and exit of exception handlers. This is needed to isolate the SErrors to appropriate context. However, this introduces an unintended side effect as discussed in the https://review.trustedfirmware.org/c/TF-A/trusted-firmware-a/+/3440 A summary of the side effect and a quick workaround is provided as part of this patch and summarized here: The explicit DSB at the entry of various exception vectors in BL31 for handling exceptions from lower ELs can inadvertently trigger an SError exception in EL3 due to pending asyncrhonouus aborts in lower ELs. This will end up being handled by serror_sp_elx in EL3 which will ultimately panic and die. The way to workaround is to update a flag to indicate if the exception truly came from EL3. This flag is allocated in the cpu_context structure. This is not a bullet proof solution to the problem at hand because we assume the instructions following "isb" that help to update the flag (lines 100-102 & 139-141) execute without causing further exceptions. Change-Id: I4d345b07d746a727459435ddd6abb37fda24a9bf Signed-off-by: Madhukar Pappireddy <madhukar.pappireddy@arm.com>
2020-07-24 09:27:12 +01:00
#else
handle_async_ea
#endif
Add end_vector_entry assembler macro Check_vector_size checks if the size of the vector fits in the size reserved for it. This check creates problems in the Clang assembler. A new macro, end_vector_entry, is added and check_vector_size is deprecated. This new macro fills the current exception vector until the next exception vector. If the size of the current vector is bigger than 32 instructions then it gives an error. Change-Id: Ie8545cf1003a1e31656a1018dd6b4c28a4eaf671 Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
2018-04-17 11:31:43 +01:00
end_vector_entry serror_aarch64
ARMv8 Trusted Firmware release v0.2
2013-10-25 09:08:21 +01:00
Cosmetic change to exception table * Move comments on unhandled exceptions at the right place. * Reformat the existing comments to highlight the start of each block of 4 entries in the exception table to ease navigation (lines of dash reserved for head comments). * Reflow comments to 80 columns. Change-Id: I5ab88a93d0628af8e151852cb5b597eb34437677 Signed-off-by: Douglas Raillard <douglas.raillard@arm.com>
2016-11-09 17:48:27 +00:00
/* ---------------------------------------------------------------------
Miscellaneous documentation fixes This patch gathers miscellaneous minor fixes to the documentation, and comments in the source code. Change-Id: I631e3dda5abafa2d90f464edaee069a1e58b751b Co-Authored-By: Soby Mathew <soby.mathew@arm.com> Co-Authored-By: Dan Handley <dan.handley@arm.com>
2014-08-06 11:27:23 +01:00
* Lower EL using AArch32 : 0x600 - 0x800
Cosmetic change to exception table * Move comments on unhandled exceptions at the right place. * Reformat the existing comments to highlight the start of each block of 4 entries in the exception table to ease navigation (lines of dash reserved for head comments). * Reflow comments to 80 columns. Change-Id: I5ab88a93d0628af8e151852cb5b597eb34437677 Signed-off-by: Douglas Raillard <douglas.raillard@arm.com>
2016-11-09 17:48:27 +00:00
* ---------------------------------------------------------------------
ARMv8 Trusted Firmware release v0.2
2013-10-25 09:08:21 +01:00
*/
Introduce some helper macros for exception vectors This patch introduces some assembler macros to simplify the declaration of the exception vectors. It abstracts the section the exception code is put into as well as the alignments constraints mandated by the ARMv8 architecture. For all TF images, the exception code has been updated to make use of these macros. This patch also updates some invalid comments in the exception vector code. Change-Id: I35737b8f1c8c24b6da89b0a954c8152a4096fa95
2016-05-24 16:56:03 +01:00
vector_entry sync_exception_aarch32
Cosmetic change to exception table * Move comments on unhandled exceptions at the right place. * Reformat the existing comments to highlight the start of each block of 4 entries in the exception table to ease navigation (lines of dash reserved for head comments). * Reflow comments to 80 columns. Change-Id: I5ab88a93d0628af8e151852cb5b597eb34437677 Signed-off-by: Douglas Raillard <douglas.raillard@arm.com>
2016-11-09 17:48:27 +00:00
/*
* This exception vector will be the entry point for SMCs and traps
* that are unhandled at lower ELs most commonly. SP_EL3 should point
* to a valid cpu context where the general purpose and system register
* state can be saved.
Add support for handling runtime service requests This patch uses the reworked exception handling support to handle runtime service requests through SMCs following the SMC calling convention. This is a giant commit since all the changes are inter-related. It does the following: 1. Replace the old exception handling mechanism with the new one 2. Enforce that SP_EL0 is used C runtime stacks. 3. Ensures that the cold and warm boot paths use the 'cpu_context' structure to program an ERET into the next lower EL. 4. Ensures that SP_EL3 always points to the next 'cpu_context' structure prior to an ERET into the next lower EL 5. Introduces a PSCI SMC handler which completes the use of PSCI as a runtime service Change-Id: I661797f834c0803d2c674d20f504df1b04c2b852 Co-authored-by: Achin Gupta <achin.gupta@arm.com>
2014-02-06 10:36:15 +00:00
*/
runtime_exceptions: Update AT speculative workaround As per latest mailing communication [1], we decided to update AT speculative workaround implementation in order to disable page table walk for lower ELs(EL1 or EL0) immediately after context switching to EL3 from lower ELs. Previous implementation of AT speculative workaround is available here: 45aecff00 AT speculative workaround is updated as below: 1. Avoid saving and restoring of SCTLR and TCR registers for EL1 in context save and restore routine respectively. 2. On EL3 entry, save SCTLR and TCR registers for EL1. 3. On EL3 entry, update EL1 system registers to disable stage 1 page table walk for lower ELs (EL1 and EL0) and enable EL1 MMU. 4. On EL3 exit, restore SCTLR and TCR registers for EL1 which are saved in step 2. [1]: https://lists.trustedfirmware.org/pipermail/tf-a/2020-July/000586.html Change-Id: Iee8de16f81dc970a8f492726f2ddd57e7bd9ffb5 Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
2020-07-23 12:43:25 +01:00
apply_at_speculative_wa
AArch64: Introduce RAS handling RAS extensions are mandatory for ARMv8.2 CPUs, but are also optional extensions to base ARMv8.0 architecture. This patch adds build system support to enable RAS features in ARM Trusted Firmware. A boolean build option RAS_EXTENSION is introduced for this. With RAS_EXTENSION, an Exception Synchronization Barrier (ESB) is inserted at all EL3 vector entry and exit. ESBs will synchronize pending external aborts before entering EL3, and therefore will contain and attribute errors to lower EL execution. Any errors thus synchronized are detected via. DISR_EL1 register. When RAS_EXTENSION is set to 1, HANDLE_EL3_EA_FIRST must also be set to 1. Change-Id: I38a19d84014d4d8af688bd81d61ba582c039383a Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
2018-04-04 16:07:11 +01:00
check_and_unmask_ea
Add support for handling runtime service requests This patch uses the reworked exception handling support to handle runtime service requests through SMCs following the SMC calling convention. This is a giant commit since all the changes are inter-related. It does the following: 1. Replace the old exception handling mechanism with the new one 2. Enforce that SP_EL0 is used C runtime stacks. 3. Ensures that the cold and warm boot paths use the 'cpu_context' structure to program an ERET into the next lower EL. 4. Ensures that SP_EL3 always points to the next 'cpu_context' structure prior to an ERET into the next lower EL 5. Introduces a PSCI SMC handler which completes the use of PSCI as a runtime service Change-Id: I661797f834c0803d2c674d20f504df1b04c2b852 Co-authored-by: Achin Gupta <achin.gupta@arm.com>
2014-02-06 10:36:15 +00:00
handle_sync_exception
Add end_vector_entry assembler macro Check_vector_size checks if the size of the vector fits in the size reserved for it. This check creates problems in the Clang assembler. A new macro, end_vector_entry, is added and check_vector_size is deprecated. This new macro fills the current exception vector until the next exception vector. If the size of the current vector is bigger than 32 instructions then it gives an error. Change-Id: Ie8545cf1003a1e31656a1018dd6b4c28a4eaf671 Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
2018-04-17 11:31:43 +01:00
end_vector_entry sync_exception_aarch32
ARMv8 Trusted Firmware release v0.2
2013-10-25 09:08:21 +01:00
Introduce some helper macros for exception vectors This patch introduces some assembler macros to simplify the declaration of the exception vectors. It abstracts the section the exception code is put into as well as the alignments constraints mandated by the ARMv8 architecture. For all TF images, the exception code has been updated to make use of these macros. This patch also updates some invalid comments in the exception vector code. Change-Id: I35737b8f1c8c24b6da89b0a954c8152a4096fa95
2016-05-24 16:56:03 +01:00
vector_entry irq_aarch32
runtime_exceptions: Update AT speculative workaround As per latest mailing communication [1], we decided to update AT speculative workaround implementation in order to disable page table walk for lower ELs(EL1 or EL0) immediately after context switching to EL3 from lower ELs. Previous implementation of AT speculative workaround is available here: 45aecff00 AT speculative workaround is updated as below: 1. Avoid saving and restoring of SCTLR and TCR registers for EL1 in context save and restore routine respectively. 2. On EL3 entry, save SCTLR and TCR registers for EL1. 3. On EL3 entry, update EL1 system registers to disable stage 1 page table walk for lower ELs (EL1 and EL0) and enable EL1 MMU. 4. On EL3 exit, restore SCTLR and TCR registers for EL1 which are saved in step 2. [1]: https://lists.trustedfirmware.org/pipermail/tf-a/2020-July/000586.html Change-Id: Iee8de16f81dc970a8f492726f2ddd57e7bd9ffb5 Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
2020-07-23 12:43:25 +01:00
apply_at_speculative_wa
AArch64: Introduce RAS handling RAS extensions are mandatory for ARMv8.2 CPUs, but are also optional extensions to base ARMv8.0 architecture. This patch adds build system support to enable RAS features in ARM Trusted Firmware. A boolean build option RAS_EXTENSION is introduced for this. With RAS_EXTENSION, an Exception Synchronization Barrier (ESB) is inserted at all EL3 vector entry and exit. ESBs will synchronize pending external aborts before entering EL3, and therefore will contain and attribute errors to lower EL execution. Any errors thus synchronized are detected via. DISR_EL1 register. When RAS_EXTENSION is set to 1, HANDLE_EL3_EA_FIRST must also be set to 1. Change-Id: I38a19d84014d4d8af688bd81d61ba582c039383a Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
2018-04-04 16:07:11 +01:00
check_and_unmask_ea
Introduce interrupt handling framework in BL3-1 This patch adds a common handler for FIQ and IRQ exceptions in the BL3-1 runtime exception vector table. This function determines the interrupt type and calls its handler. A crash is reported if an inconsistency in the interrupt management framework is detected. In the event of a spurious interrupt, execution resumes from the instruction where the interrupt was generated. This patch also removes 'cm_macros.S' as its contents have been moved to 'runtime_exceptions.S' Change-Id: I3c85ecf8eaf43a3fac429b119ed0bd706d2e2093
2014-05-09 11:07:09 +01:00
handle_interrupt_exception irq_aarch32
Add end_vector_entry assembler macro Check_vector_size checks if the size of the vector fits in the size reserved for it. This check creates problems in the Clang assembler. A new macro, end_vector_entry, is added and check_vector_size is deprecated. This new macro fills the current exception vector until the next exception vector. If the size of the current vector is bigger than 32 instructions then it gives an error. Change-Id: Ie8545cf1003a1e31656a1018dd6b4c28a4eaf671 Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
2018-04-17 11:31:43 +01:00
end_vector_entry irq_aarch32
ARMv8 Trusted Firmware release v0.2
2013-10-25 09:08:21 +01:00
Introduce some helper macros for exception vectors This patch introduces some assembler macros to simplify the declaration of the exception vectors. It abstracts the section the exception code is put into as well as the alignments constraints mandated by the ARMv8 architecture. For all TF images, the exception code has been updated to make use of these macros. This patch also updates some invalid comments in the exception vector code. Change-Id: I35737b8f1c8c24b6da89b0a954c8152a4096fa95
2016-05-24 16:56:03 +01:00
vector_entry fiq_aarch32
runtime_exceptions: Update AT speculative workaround As per latest mailing communication [1], we decided to update AT speculative workaround implementation in order to disable page table walk for lower ELs(EL1 or EL0) immediately after context switching to EL3 from lower ELs. Previous implementation of AT speculative workaround is available here: 45aecff00 AT speculative workaround is updated as below: 1. Avoid saving and restoring of SCTLR and TCR registers for EL1 in context save and restore routine respectively. 2. On EL3 entry, save SCTLR and TCR registers for EL1. 3. On EL3 entry, update EL1 system registers to disable stage 1 page table walk for lower ELs (EL1 and EL0) and enable EL1 MMU. 4. On EL3 exit, restore SCTLR and TCR registers for EL1 which are saved in step 2. [1]: https://lists.trustedfirmware.org/pipermail/tf-a/2020-July/000586.html Change-Id: Iee8de16f81dc970a8f492726f2ddd57e7bd9ffb5 Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
2020-07-23 12:43:25 +01:00
apply_at_speculative_wa
AArch64: Introduce RAS handling RAS extensions are mandatory for ARMv8.2 CPUs, but are also optional extensions to base ARMv8.0 architecture. This patch adds build system support to enable RAS features in ARM Trusted Firmware. A boolean build option RAS_EXTENSION is introduced for this. With RAS_EXTENSION, an Exception Synchronization Barrier (ESB) is inserted at all EL3 vector entry and exit. ESBs will synchronize pending external aborts before entering EL3, and therefore will contain and attribute errors to lower EL execution. Any errors thus synchronized are detected via. DISR_EL1 register. When RAS_EXTENSION is set to 1, HANDLE_EL3_EA_FIRST must also be set to 1. Change-Id: I38a19d84014d4d8af688bd81d61ba582c039383a Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
2018-04-04 16:07:11 +01:00
check_and_unmask_ea
Introduce interrupt handling framework in BL3-1 This patch adds a common handler for FIQ and IRQ exceptions in the BL3-1 runtime exception vector table. This function determines the interrupt type and calls its handler. A crash is reported if an inconsistency in the interrupt management framework is detected. In the event of a spurious interrupt, execution resumes from the instruction where the interrupt was generated. This patch also removes 'cm_macros.S' as its contents have been moved to 'runtime_exceptions.S' Change-Id: I3c85ecf8eaf43a3fac429b119ed0bd706d2e2093
2014-05-09 11:07:09 +01:00
handle_interrupt_exception fiq_aarch32
Add end_vector_entry assembler macro Check_vector_size checks if the size of the vector fits in the size reserved for it. This check creates problems in the Clang assembler. A new macro, end_vector_entry, is added and check_vector_size is deprecated. This new macro fills the current exception vector until the next exception vector. If the size of the current vector is bigger than 32 instructions then it gives an error. Change-Id: Ie8545cf1003a1e31656a1018dd6b4c28a4eaf671 Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
2018-04-17 11:31:43 +01:00
end_vector_entry fiq_aarch32
ARMv8 Trusted Firmware release v0.2
2013-10-25 09:08:21 +01:00
Introduce some helper macros for exception vectors This patch introduces some assembler macros to simplify the declaration of the exception vectors. It abstracts the section the exception code is put into as well as the alignments constraints mandated by the ARMv8 architecture. For all TF images, the exception code has been updated to make use of these macros. This patch also updates some invalid comments in the exception vector code. Change-Id: I35737b8f1c8c24b6da89b0a954c8152a4096fa95
2016-05-24 16:56:03 +01:00
vector_entry serror_aarch32
runtime_exceptions: Update AT speculative workaround As per latest mailing communication [1], we decided to update AT speculative workaround implementation in order to disable page table walk for lower ELs(EL1 or EL0) immediately after context switching to EL3 from lower ELs. Previous implementation of AT speculative workaround is available here: 45aecff00 AT speculative workaround is updated as below: 1. Avoid saving and restoring of SCTLR and TCR registers for EL1 in context save and restore routine respectively. 2. On EL3 entry, save SCTLR and TCR registers for EL1. 3. On EL3 entry, update EL1 system registers to disable stage 1 page table walk for lower ELs (EL1 and EL0) and enable EL1 MMU. 4. On EL3 exit, restore SCTLR and TCR registers for EL1 which are saved in step 2. [1]: https://lists.trustedfirmware.org/pipermail/tf-a/2020-July/000586.html Change-Id: Iee8de16f81dc970a8f492726f2ddd57e7bd9ffb5 Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
2020-07-23 12:43:25 +01:00
apply_at_speculative_wa
Fix exception handlers in BL31: Use DSB to synchronize pending EA For SoCs which do not implement RAS, use DSB as a barrier to synchronize pending external aborts at the entry and exit of exception handlers. This is needed to isolate the SErrors to appropriate context. However, this introduces an unintended side effect as discussed in the https://review.trustedfirmware.org/c/TF-A/trusted-firmware-a/+/3440 A summary of the side effect and a quick workaround is provided as part of this patch and summarized here: The explicit DSB at the entry of various exception vectors in BL31 for handling exceptions from lower ELs can inadvertently trigger an SError exception in EL3 due to pending asyncrhonouus aborts in lower ELs. This will end up being handled by serror_sp_elx in EL3 which will ultimately panic and die. The way to workaround is to update a flag to indicate if the exception truly came from EL3. This flag is allocated in the cpu_context structure. This is not a bullet proof solution to the problem at hand because we assume the instructions following "isb" that help to update the flag (lines 100-102 & 139-141) execute without causing further exceptions. Change-Id: I4d345b07d746a727459435ddd6abb37fda24a9bf Signed-off-by: Madhukar Pappireddy <madhukar.pappireddy@arm.com>
2020-07-24 09:27:12 +01:00
#if RAS_EXTENSION
AArch64: Introduce External Abort handling At present, any External Abort routed to EL3 is reported as an unhandled exception and cause a panic. This patch enables ARM Trusted Firmware to handle External Aborts routed to EL3. With this patch, when an External Abort is received at EL3, its handling is delegated to plat_ea_handler() function. Platforms can provide their own implementation of this function. This patch adds a weak definition of the said function that prints out a message and just panics. In order to support handling External Aborts at EL3, the build option HANDLE_EA_EL3_FIRST must be set to 1. Before this patch, HANDLE_EA_EL3_FIRST wasn't passed down to compilation; this patch fixes that too. Change-Id: I4d07b7e65eb191ff72d63b909ae9512478cd01a1 Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
2017-11-30 12:54:15 +00:00
msr daifclr, #DAIF_ABT_BIT
RAS: Move EA handling to a separate file A new file ea_delegate.S is introduced, and all EA-related functions are moved into it. This makes runtime_exceptions.S less crowded and reads better. No functional changes. Change-Id: I64b653b3931984cffd420563f8e8d1ba263f329f Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
2018-07-05 15:24:45 +01:00
b enter_lower_el_async_ea
Fix exception handlers in BL31: Use DSB to synchronize pending EA For SoCs which do not implement RAS, use DSB as a barrier to synchronize pending external aborts at the entry and exit of exception handlers. This is needed to isolate the SErrors to appropriate context. However, this introduces an unintended side effect as discussed in the https://review.trustedfirmware.org/c/TF-A/trusted-firmware-a/+/3440 A summary of the side effect and a quick workaround is provided as part of this patch and summarized here: The explicit DSB at the entry of various exception vectors in BL31 for handling exceptions from lower ELs can inadvertently trigger an SError exception in EL3 due to pending asyncrhonouus aborts in lower ELs. This will end up being handled by serror_sp_elx in EL3 which will ultimately panic and die. The way to workaround is to update a flag to indicate if the exception truly came from EL3. This flag is allocated in the cpu_context structure. This is not a bullet proof solution to the problem at hand because we assume the instructions following "isb" that help to update the flag (lines 100-102 & 139-141) execute without causing further exceptions. Change-Id: I4d345b07d746a727459435ddd6abb37fda24a9bf Signed-off-by: Madhukar Pappireddy <madhukar.pappireddy@arm.com>
2020-07-24 09:27:12 +01:00
#else
handle_async_ea
#endif
Add end_vector_entry assembler macro Check_vector_size checks if the size of the vector fits in the size reserved for it. This check creates problems in the Clang assembler. A new macro, end_vector_entry, is added and check_vector_size is deprecated. This new macro fills the current exception vector until the next exception vector. If the size of the current vector is bigger than 32 instructions then it gives an error. Change-Id: Ie8545cf1003a1e31656a1018dd6b4c28a4eaf671 Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
2018-04-17 11:31:43 +01:00
end_vector_entry serror_aarch32
Add exception vector guards This patch adds guards so that an exception vector exceeding 32 instructions will generate a compile-time error. This keeps the exception handlers in check from spilling over. Change-Id: I7aa56dd0071a333664e2814c656d3896032046fe
2014-02-07 15:53:18 +00:00
Add UBSAN support and handlers This patch adds support for the Undefined Behaviour sanitizer. There are two types of support offered - minimalistic trapping support which essentially immediately crashes on undefined behaviour and full support with full debug messages. The full support relies on ubsan.c which has been adapted from code used by OPTEE. Change-Id: I417c810f4fc43dcb56db6a6a555bfd0b38440727 Signed-off-by: Justin Chadwell <justin.chadwell@arm.com>
2019-08-20 11:01:52 +01:00
#ifdef MONITOR_TRAPS
.section .rodata.brk_string, "aS"
brk_location:
.asciz "Error at instruction 0x"
brk_message:
.asciz "Unexpected BRK instruction with value 0x"
#endif /* MONITOR_TRAPS */
Cosmetic change to exception table * Move comments on unhandled exceptions at the right place. * Reformat the existing comments to highlight the start of each block of 4 entries in the exception table to ease navigation (lines of dash reserved for head comments). * Reflow comments to 80 columns. Change-Id: I5ab88a93d0628af8e151852cb5b597eb34437677 Signed-off-by: Douglas Raillard <douglas.raillard@arm.com>
2016-11-09 17:48:27 +00:00
/* ---------------------------------------------------------------------
Add support for handling runtime service requests This patch uses the reworked exception handling support to handle runtime service requests through SMCs following the SMC calling convention. This is a giant commit since all the changes are inter-related. It does the following: 1. Replace the old exception handling mechanism with the new one 2. Enforce that SP_EL0 is used C runtime stacks. 3. Ensures that the cold and warm boot paths use the 'cpu_context' structure to program an ERET into the next lower EL. 4. Ensures that SP_EL3 always points to the next 'cpu_context' structure prior to an ERET into the next lower EL 5. Introduces a PSCI SMC handler which completes the use of PSCI as a runtime service Change-Id: I661797f834c0803d2c674d20f504df1b04c2b852 Co-authored-by: Achin Gupta <achin.gupta@arm.com>
2014-02-06 10:36:15 +00:00
* The following code handles secure monitor calls.
Cosmetic change to exception table * Move comments on unhandled exceptions at the right place. * Reformat the existing comments to highlight the start of each block of 4 entries in the exception table to ease navigation (lines of dash reserved for head comments). * Reflow comments to 80 columns. Change-Id: I5ab88a93d0628af8e151852cb5b597eb34437677 Signed-off-by: Douglas Raillard <douglas.raillard@arm.com>
2016-11-09 17:48:27 +00:00
* Depending upon the execution state from where the SMC has been
* invoked, it frees some general purpose registers to perform the
* remaining tasks. They involve finding the runtime service handler
* that is the target of the SMC & switching to runtime stacks (SP_EL0)
* before calling the handler.
Add support for handling runtime service requests This patch uses the reworked exception handling support to handle runtime service requests through SMCs following the SMC calling convention. This is a giant commit since all the changes are inter-related. It does the following: 1. Replace the old exception handling mechanism with the new one 2. Enforce that SP_EL0 is used C runtime stacks. 3. Ensures that the cold and warm boot paths use the 'cpu_context' structure to program an ERET into the next lower EL. 4. Ensures that SP_EL3 always points to the next 'cpu_context' structure prior to an ERET into the next lower EL 5. Introduces a PSCI SMC handler which completes the use of PSCI as a runtime service Change-Id: I661797f834c0803d2c674d20f504df1b04c2b852 Co-authored-by: Achin Gupta <achin.gupta@arm.com>
2014-02-06 10:36:15 +00:00
*
Cosmetic change to exception table * Move comments on unhandled exceptions at the right place. * Reformat the existing comments to highlight the start of each block of 4 entries in the exception table to ease navigation (lines of dash reserved for head comments). * Reflow comments to 80 columns. Change-Id: I5ab88a93d0628af8e151852cb5b597eb34437677 Signed-off-by: Douglas Raillard <douglas.raillard@arm.com>
2016-11-09 17:48:27 +00:00
* Note that x30 has been explicitly saved and can be used here
* ---------------------------------------------------------------------
Add support for handling runtime service requests This patch uses the reworked exception handling support to handle runtime service requests through SMCs following the SMC calling convention. This is a giant commit since all the changes are inter-related. It does the following: 1. Replace the old exception handling mechanism with the new one 2. Enforce that SP_EL0 is used C runtime stacks. 3. Ensures that the cold and warm boot paths use the 'cpu_context' structure to program an ERET into the next lower EL. 4. Ensures that SP_EL3 always points to the next 'cpu_context' structure prior to an ERET into the next lower EL 5. Introduces a PSCI SMC handler which completes the use of PSCI as a runtime service Change-Id: I661797f834c0803d2c674d20f504df1b04c2b852 Co-authored-by: Achin Gupta <achin.gupta@arm.com>
2014-02-06 10:36:15 +00:00
*/
Place assembler functions in separate sections This extends the --gc-sections behaviour to the many assembler support functions in the firmware images by placing each function into its own code section. This is achieved by creating a 'func' macro used to declare each function label. Fixes ARM-software/tf-issues#80 Change-Id: I301937b630add292d2dec6d2561a7fcfa6fec690
2014-03-18 13:46:55 +00:00
func smc_handler
Add support for handling runtime service requests This patch uses the reworked exception handling support to handle runtime service requests through SMCs following the SMC calling convention. This is a giant commit since all the changes are inter-related. It does the following: 1. Replace the old exception handling mechanism with the new one 2. Enforce that SP_EL0 is used C runtime stacks. 3. Ensures that the cold and warm boot paths use the 'cpu_context' structure to program an ERET into the next lower EL. 4. Ensures that SP_EL3 always points to the next 'cpu_context' structure prior to an ERET into the next lower EL 5. Introduces a PSCI SMC handler which completes the use of PSCI as a runtime service Change-Id: I661797f834c0803d2c674d20f504df1b04c2b852 Co-authored-by: Achin Gupta <achin.gupta@arm.com>
2014-02-06 10:36:15 +00:00
smc_handler32:
/* Check whether aarch32 issued an SMC64 */
tbnz x0, #FUNCID_CC_SHIFT, smc_prohibited
smc_handler64:
Add ARMv8.3-PAuth registers to CPU context ARMv8.3-PAuth adds functionality that supports address authentication of the contents of a register before that register is used as the target of an indirect branch, or as a load. This feature is supported only in AArch64 state. This feature is mandatory in ARMv8.3 implementations. This feature adds several registers to EL1. A new option called CTX_INCLUDE_PAUTH_REGS has been added to select if the TF needs to save them during Non-secure <-> Secure world switches. This option must be enabled if the hardware has the registers or the values will be leaked during world switches. To prevent leaks, this patch also disables pointer authentication in the Secure world if CTX_INCLUDE_PAUTH_REGS is 0. Any attempt to use it will be trapped in EL3. Change-Id: I27beba9907b9a86c6df1d0c5bf6180c972830855 Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
2019-01-31 11:58:00 +00:00
/* NOTE: The code below must preserve x0-x4 */
AArch64: Disable Secure Cycle Counter This patch fixes an issue when secure world timing information can be leaked because Secure Cycle Counter is not disabled. For ARMv8.5 the counter gets disabled by setting MDCR_El3.SCCD bit on CPU cold/warm boot. For the earlier architectures PMCR_EL0 register is saved/restored on secure world entry/exit from/to Non-secure state, and cycle counting gets disabled by setting PMCR_EL0.DP bit. 'include\aarch64\arch.h' header file was tided up and new ARMv8.5-PMU related definitions were added. Change-Id: I6f56db6bc77504634a352388990ad925a69ebbfa Signed-off-by: Alexei Fedorov <Alexei.Fedorov@arm.com>
2019-08-13 15:17:53 +01:00
/*
Refactor ARMv8.3 Pointer Authentication support code This patch provides the following features and makes modifications listed below: - Individual APIAKey key generation for each CPU. - New key generation on every BL31 warm boot and TSP CPU On event. - Per-CPU storage of APIAKey added in percpu_data[] of cpu_data structure. - `plat_init_apiakey()` function replaced with `plat_init_apkey()` which returns 128-bit value and uses Generic timer physical counter value to increase the randomness of the generated key. The new function can be used for generation of all ARMv8.3-PAuth keys - ARMv8.3-PAuth specific code placed in `lib\extensions\pauth`. - New `pauth_init_enable_el1()` and `pauth_init_enable_el3()` functions generate, program and enable APIAKey_EL1 for EL1 and EL3 respectively; pauth_disable_el1()` and `pauth_disable_el3()` functions disable PAuth for EL1 and EL3 respectively; `pauth_load_bl31_apiakey()` loads saved per-CPU APIAKey_EL1 from cpu-data structure. - Combined `save_gp_pauth_registers()` function replaces calls to `save_gp_registers()` and `pauth_context_save()`; `restore_gp_pauth_registers()` replaces `pauth_context_restore()` and `restore_gp_registers()` calls. - `restore_gp_registers_eret()` function removed with corresponding code placed in `el3_exit()`. - Fixed the issue when `pauth_t pauth_ctx` structure allocated space for 12 uint64_t PAuth registers instead of 10 by removal of macro CTX_PACGAKEY_END from `include/lib/el3_runtime/aarch64/context.h` and assigning its value to CTX_PAUTH_REGS_END. - Use of MODE_SP_ELX and MODE_SP_EL0 macro definitions in `msr spsel` instruction instead of hard-coded values. - Changes in documentation related to ARMv8.3-PAuth and ARMv8.5-BTI. Change-Id: Id18b81cc46f52a783a7e6a09b9f149b6ce803211 Signed-off-by: Alexei Fedorov <Alexei.Fedorov@arm.com>
2019-09-13 14:11:59 +01:00
* Save general purpose and ARMv8.3-PAuth registers (if enabled).
* If Secure Cycle Counter is not disabled in MDCR_EL3 when
* ARMv8.5-PMU is implemented, save PMCR_EL0 and disable Cycle Counter.
fix(el3-runtime): set unset pstate bits to default During a transition to a higher EL some of the PSTATE bits are not set by hardware, this means that their state may be leaked from lower ELs. This patch sets those bits to a default value upon entry to EL3. This patch was tested using a debugger to check the PSTATE values are correctly set. As well as adding a test in the next patch to ensure the PSTATE in lower ELs is still maintained after this change. Change-Id: Ie546acbca7b9aa3c86bd68185edded91b2a64ae5 Signed-off-by: Daniel Boulby <daniel.boulby@arm.com>
2021-05-25 18:09:34 +01:00
* Also set the PSTATE to a known state.
AArch64: Disable Secure Cycle Counter This patch fixes an issue when secure world timing information can be leaked because Secure Cycle Counter is not disabled. For ARMv8.5 the counter gets disabled by setting MDCR_El3.SCCD bit on CPU cold/warm boot. For the earlier architectures PMCR_EL0 register is saved/restored on secure world entry/exit from/to Non-secure state, and cycle counting gets disabled by setting PMCR_EL0.DP bit. 'include\aarch64\arch.h' header file was tided up and new ARMv8.5-PMU related definitions were added. Change-Id: I6f56db6bc77504634a352388990ad925a69ebbfa Signed-off-by: Alexei Fedorov <Alexei.Fedorov@arm.com>
2019-08-13 15:17:53 +01:00
*/
refactor(el3-runtime): add prepare_el3_entry func In the next patch we add an extra step of setting the PSTATE registers to a known state on el3 entry. In this patch we create the function prepare_el3_entry to wrap the steps needed for before el3 entry. For now this is only save_gp_pmcr_pauth_regs. Change-Id: Ie26dc8d89bfaec308769165d2649e84d41be196c Signed-off-by: Daniel Boulby <daniel.boulby@arm.com>
2022-01-19 11:20:05 +00:00
bl prepare_el3_entry
AArch64: Disable Secure Cycle Counter This patch fixes an issue when secure world timing information can be leaked because Secure Cycle Counter is not disabled. For ARMv8.5 the counter gets disabled by setting MDCR_El3.SCCD bit on CPU cold/warm boot. For the earlier architectures PMCR_EL0 register is saved/restored on secure world entry/exit from/to Non-secure state, and cycle counting gets disabled by setting PMCR_EL0.DP bit. 'include\aarch64\arch.h' header file was tided up and new ARMv8.5-PMU related definitions were added. Change-Id: I6f56db6bc77504634a352388990ad925a69ebbfa Signed-off-by: Alexei Fedorov <Alexei.Fedorov@arm.com>
2019-08-13 15:17:53 +01:00
Add support for pointer authentication The previous commit added the infrastructure to load and save ARMv8.3-PAuth registers during Non-secure <-> Secure world switches, but didn't actually enable pointer authentication in the firmware. This patch adds the functionality needed for platforms to provide authentication keys for the firmware, and a new option (ENABLE_PAUTH) to enable pointer authentication in the firmware itself. This option is disabled by default, and it requires CTX_INCLUDE_PAUTH_REGS to be enabled. Change-Id: I35127ec271e1198d43209044de39fa712ef202a5 Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
2019-02-19 11:53:51 +00:00
#if ENABLE_PAUTH
Refactor ARMv8.3 Pointer Authentication support code This patch provides the following features and makes modifications listed below: - Individual APIAKey key generation for each CPU. - New key generation on every BL31 warm boot and TSP CPU On event. - Per-CPU storage of APIAKey added in percpu_data[] of cpu_data structure. - `plat_init_apiakey()` function replaced with `plat_init_apkey()` which returns 128-bit value and uses Generic timer physical counter value to increase the randomness of the generated key. The new function can be used for generation of all ARMv8.3-PAuth keys - ARMv8.3-PAuth specific code placed in `lib\extensions\pauth`. - New `pauth_init_enable_el1()` and `pauth_init_enable_el3()` functions generate, program and enable APIAKey_EL1 for EL1 and EL3 respectively; pauth_disable_el1()` and `pauth_disable_el3()` functions disable PAuth for EL1 and EL3 respectively; `pauth_load_bl31_apiakey()` loads saved per-CPU APIAKey_EL1 from cpu-data structure. - Combined `save_gp_pauth_registers()` function replaces calls to `save_gp_registers()` and `pauth_context_save()`; `restore_gp_pauth_registers()` replaces `pauth_context_restore()` and `restore_gp_registers()` calls. - `restore_gp_registers_eret()` function removed with corresponding code placed in `el3_exit()`. - Fixed the issue when `pauth_t pauth_ctx` structure allocated space for 12 uint64_t PAuth registers instead of 10 by removal of macro CTX_PACGAKEY_END from `include/lib/el3_runtime/aarch64/context.h` and assigning its value to CTX_PAUTH_REGS_END. - Use of MODE_SP_ELX and MODE_SP_EL0 macro definitions in `msr spsel` instruction instead of hard-coded values. - Changes in documentation related to ARMv8.3-PAuth and ARMv8.5-BTI. Change-Id: Id18b81cc46f52a783a7e6a09b9f149b6ce803211 Signed-off-by: Alexei Fedorov <Alexei.Fedorov@arm.com>
2019-09-13 14:11:59 +01:00
/* Load and program APIAKey firmware key */
bl pauth_load_bl31_apiakey
Add support for pointer authentication The previous commit added the infrastructure to load and save ARMv8.3-PAuth registers during Non-secure <-> Secure world switches, but didn't actually enable pointer authentication in the firmware. This patch adds the functionality needed for platforms to provide authentication keys for the firmware, and a new option (ENABLE_PAUTH) to enable pointer authentication in the firmware itself. This option is disabled by default, and it requires CTX_INCLUDE_PAUTH_REGS to be enabled. Change-Id: I35127ec271e1198d43209044de39fa712ef202a5 Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
2019-02-19 11:53:51 +00:00
#endif
Add ARMv8.3-PAuth registers to CPU context ARMv8.3-PAuth adds functionality that supports address authentication of the contents of a register before that register is used as the target of an indirect branch, or as a load. This feature is supported only in AArch64 state. This feature is mandatory in ARMv8.3 implementations. This feature adds several registers to EL1. A new option called CTX_INCLUDE_PAUTH_REGS has been added to select if the TF needs to save them during Non-secure <-> Secure world switches. This option must be enabled if the hardware has the registers or the values will be leaked during world switches. To prevent leaks, this patch also disables pointer authentication in the Secure world if CTX_INCLUDE_PAUTH_REGS is 0. Any attempt to use it will be trapped in EL3. Change-Id: I27beba9907b9a86c6df1d0c5bf6180c972830855 Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
2019-01-31 11:58:00 +00:00
Cosmetic change to exception table * Move comments on unhandled exceptions at the right place. * Reformat the existing comments to highlight the start of each block of 4 entries in the exception table to ease navigation (lines of dash reserved for head comments). * Reflow comments to 80 columns. Change-Id: I5ab88a93d0628af8e151852cb5b597eb34437677 Signed-off-by: Douglas Raillard <douglas.raillard@arm.com>
2016-11-09 17:48:27 +00:00
/*
* Populate the parameters for the SMC handler.
* We already have x0-x4 in place. x5 will point to a cookie (not used
* now). x6 will point to the context structure (SP_EL3) and x7 will
runtime_exceptions: Save x4-x29 unconditionally In preparation for SMCCC v1.1 support, save x4 to x29 unconditionally. Previously we expected callers coming from AArch64 mode to preserve x8-x17. This is no longer the case with SMCCC v1.1 as AArch64 callers only need to save x0-x3. Change-Id: Ie62d620776533969ff4a02c635422f1b9208be9c Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>
2018-01-22 11:53:04 +00:00
* contain flags we need to pass to the handler.
Add support for handling runtime service requests This patch uses the reworked exception handling support to handle runtime service requests through SMCs following the SMC calling convention. This is a giant commit since all the changes are inter-related. It does the following: 1. Replace the old exception handling mechanism with the new one 2. Enforce that SP_EL0 is used C runtime stacks. 3. Ensures that the cold and warm boot paths use the 'cpu_context' structure to program an ERET into the next lower EL. 4. Ensures that SP_EL3 always points to the next 'cpu_context' structure prior to an ERET into the next lower EL 5. Introduces a PSCI SMC handler which completes the use of PSCI as a runtime service Change-Id: I661797f834c0803d2c674d20f504df1b04c2b852 Co-authored-by: Achin Gupta <achin.gupta@arm.com>
2014-02-06 10:36:15 +00:00
*/
mov x5, xzr
mov x6, sp
Cosmetic change to exception table * Move comments on unhandled exceptions at the right place. * Reformat the existing comments to highlight the start of each block of 4 entries in the exception table to ease navigation (lines of dash reserved for head comments). * Reflow comments to 80 columns. Change-Id: I5ab88a93d0628af8e151852cb5b597eb34437677 Signed-off-by: Douglas Raillard <douglas.raillard@arm.com>
2016-11-09 17:48:27 +00:00
/*
Add support for the SMC Calling Convention 2.0 Due to differences in the bitfields of the SMC IDs, it is not possible to support SMCCC 1.X and 2.0 at the same time. The behaviour of `SMCCC_MAJOR_VERSION` has changed. Now, it is a build option that specifies the major version of the SMCCC that the Trusted Firmware supports. The only two allowed values are 1 and 2, and it defaults to 1. The value of `SMCCC_MINOR_VERSION` is derived from it. Note: Support for SMCCC v2.0 is an experimental feature to enable prototyping of secure partition specifications. Support for this convention is disabled by default and could be removed without notice. Change-Id: I88abf9ccf08e9c66a13ce55c890edea54d9f16a7 Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
2018-04-23 15:43:29 +01:00
* Restore the saved C runtime stack value which will become the new
* SP_EL0 i.e. EL3 runtime stack. It was saved in the 'cpu_context'
* structure prior to the last ERET from EL3.
Add support for handling runtime service requests This patch uses the reworked exception handling support to handle runtime service requests through SMCs following the SMC calling convention. This is a giant commit since all the changes are inter-related. It does the following: 1. Replace the old exception handling mechanism with the new one 2. Enforce that SP_EL0 is used C runtime stacks. 3. Ensures that the cold and warm boot paths use the 'cpu_context' structure to program an ERET into the next lower EL. 4. Ensures that SP_EL3 always points to the next 'cpu_context' structure prior to an ERET into the next lower EL 5. Introduces a PSCI SMC handler which completes the use of PSCI as a runtime service Change-Id: I661797f834c0803d2c674d20f504df1b04c2b852 Co-authored-by: Achin Gupta <achin.gupta@arm.com>
2014-02-06 10:36:15 +00:00
*/
Add support for the SMC Calling Convention 2.0 Due to differences in the bitfields of the SMC IDs, it is not possible to support SMCCC 1.X and 2.0 at the same time. The behaviour of `SMCCC_MAJOR_VERSION` has changed. Now, it is a build option that specifies the major version of the SMCCC that the Trusted Firmware supports. The only two allowed values are 1 and 2, and it defaults to 1. The value of `SMCCC_MINOR_VERSION` is derived from it. Note: Support for SMCCC v2.0 is an experimental feature to enable prototyping of secure partition specifications. Support for this convention is disabled by default and could be removed without notice. Change-Id: I88abf9ccf08e9c66a13ce55c890edea54d9f16a7 Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
2018-04-23 15:43:29 +01:00
ldr x12, [x6, #CTX_EL3STATE_OFFSET + CTX_RUNTIME_SP]
/* Switch to SP_EL0 */
Refactor ARMv8.3 Pointer Authentication support code This patch provides the following features and makes modifications listed below: - Individual APIAKey key generation for each CPU. - New key generation on every BL31 warm boot and TSP CPU On event. - Per-CPU storage of APIAKey added in percpu_data[] of cpu_data structure. - `plat_init_apiakey()` function replaced with `plat_init_apkey()` which returns 128-bit value and uses Generic timer physical counter value to increase the randomness of the generated key. The new function can be used for generation of all ARMv8.3-PAuth keys - ARMv8.3-PAuth specific code placed in `lib\extensions\pauth`. - New `pauth_init_enable_el1()` and `pauth_init_enable_el3()` functions generate, program and enable APIAKey_EL1 for EL1 and EL3 respectively; pauth_disable_el1()` and `pauth_disable_el3()` functions disable PAuth for EL1 and EL3 respectively; `pauth_load_bl31_apiakey()` loads saved per-CPU APIAKey_EL1 from cpu-data structure. - Combined `save_gp_pauth_registers()` function replaces calls to `save_gp_registers()` and `pauth_context_save()`; `restore_gp_pauth_registers()` replaces `pauth_context_restore()` and `restore_gp_registers()` calls. - `restore_gp_registers_eret()` function removed with corresponding code placed in `el3_exit()`. - Fixed the issue when `pauth_t pauth_ctx` structure allocated space for 12 uint64_t PAuth registers instead of 10 by removal of macro CTX_PACGAKEY_END from `include/lib/el3_runtime/aarch64/context.h` and assigning its value to CTX_PAUTH_REGS_END. - Use of MODE_SP_ELX and MODE_SP_EL0 macro definitions in `msr spsel` instruction instead of hard-coded values. - Changes in documentation related to ARMv8.3-PAuth and ARMv8.5-BTI. Change-Id: Id18b81cc46f52a783a7e6a09b9f149b6ce803211 Signed-off-by: Alexei Fedorov <Alexei.Fedorov@arm.com>
2019-09-13 14:11:59 +01:00
msr spsel, #MODE_SP_EL0
Add support for handling runtime service requests This patch uses the reworked exception handling support to handle runtime service requests through SMCs following the SMC calling convention. This is a giant commit since all the changes are inter-related. It does the following: 1. Replace the old exception handling mechanism with the new one 2. Enforce that SP_EL0 is used C runtime stacks. 3. Ensures that the cold and warm boot paths use the 'cpu_context' structure to program an ERET into the next lower EL. 4. Ensures that SP_EL3 always points to the next 'cpu_context' structure prior to an ERET into the next lower EL 5. Introduces a PSCI SMC handler which completes the use of PSCI as a runtime service Change-Id: I661797f834c0803d2c674d20f504df1b04c2b852 Co-authored-by: Achin Gupta <achin.gupta@arm.com>
2014-02-06 10:36:15 +00:00
Cosmetic change to exception table * Move comments on unhandled exceptions at the right place. * Reformat the existing comments to highlight the start of each block of 4 entries in the exception table to ease navigation (lines of dash reserved for head comments). * Reflow comments to 80 columns. Change-Id: I5ab88a93d0628af8e151852cb5b597eb34437677 Signed-off-by: Douglas Raillard <douglas.raillard@arm.com>
2016-11-09 17:48:27 +00:00
/*
* Save the SPSR_EL3, ELR_EL3, & SCR_EL3 in case there is a world
* switch during SMC handling.
* TODO: Revisit if all system registers can be saved later.
Add support for handling runtime service requests This patch uses the reworked exception handling support to handle runtime service requests through SMCs following the SMC calling convention. This is a giant commit since all the changes are inter-related. It does the following: 1. Replace the old exception handling mechanism with the new one 2. Enforce that SP_EL0 is used C runtime stacks. 3. Ensures that the cold and warm boot paths use the 'cpu_context' structure to program an ERET into the next lower EL. 4. Ensures that SP_EL3 always points to the next 'cpu_context' structure prior to an ERET into the next lower EL 5. Introduces a PSCI SMC handler which completes the use of PSCI as a runtime service Change-Id: I661797f834c0803d2c674d20f504df1b04c2b852 Co-authored-by: Achin Gupta <achin.gupta@arm.com>
2014-02-06 10:36:15 +00:00
*/
mrs x16, spsr_el3
mrs x17, elr_el3
mrs x18, scr_el3
stp x16, x17, [x6, #CTX_EL3STATE_OFFSET + CTX_SPSR_EL3]
Remove coherent stack usage from the warm boot path This patch uses stacks allocated in normal memory to enable the MMU early in the warm boot path thus removing the dependency on stacks allocated in coherent memory. Necessary cache and stack maintenance is performed when a cpu is being powered down and up. This avoids any coherency issues that can arise from reading speculatively fetched stale stack memory from another CPUs cache. These changes affect the warm boot path in both BL3-1 and BL3-2. The EL3 system registers responsible for preserving the MMU state are not saved and restored any longer. Static values are used to program these system registers when a cpu is powered on or resumed from suspend. Change-Id: I8357e2eb5eb6c5f448492c5094b82b8927603784
2014-06-26 09:58:52 +01:00
str x18, [x6, #CTX_EL3STATE_OFFSET + CTX_SCR_EL3]
Add support for handling runtime service requests This patch uses the reworked exception handling support to handle runtime service requests through SMCs following the SMC calling convention. This is a giant commit since all the changes are inter-related. It does the following: 1. Replace the old exception handling mechanism with the new one 2. Enforce that SP_EL0 is used C runtime stacks. 3. Ensures that the cold and warm boot paths use the 'cpu_context' structure to program an ERET into the next lower EL. 4. Ensures that SP_EL3 always points to the next 'cpu_context' structure prior to an ERET into the next lower EL 5. Introduces a PSCI SMC handler which completes the use of PSCI as a runtime service Change-Id: I661797f834c0803d2c674d20f504df1b04c2b852 Co-authored-by: Achin Gupta <achin.gupta@arm.com>
2014-02-06 10:36:15 +00:00
feat(rme): add Realm security state definition FEAT_RME introduces two additional security states, Root and Realm security states. This patch adds Realm security state awareness to SMCCC helpers and entry point info structure. Signed-off-by: Zelalem Aweke <zelalem.aweke@arm.com> Change-Id: I9cdefcc1aa71259b2de46e5fb62b28d658fa59bd
2021-07-08 23:13:09 +01:00
/* Clear flag register */
mov x7, xzr
#if ENABLE_RME
/* Copy SCR_EL3.NSE bit to the flag to indicate caller's security */
ubfx x7, x18, #SCR_NSE_SHIFT, 1
/*
* Shift copied SCR_EL3.NSE bit by 5 to create space for
* SCR_EL3.NS bit. Bit 5 of the flag correspondes to
* the SCR_EL3.NSE bit.
*/
lsl x7, x7, #5
#endif /* ENABLE_RME */
Add support for handling runtime service requests This patch uses the reworked exception handling support to handle runtime service requests through SMCs following the SMC calling convention. This is a giant commit since all the changes are inter-related. It does the following: 1. Replace the old exception handling mechanism with the new one 2. Enforce that SP_EL0 is used C runtime stacks. 3. Ensures that the cold and warm boot paths use the 'cpu_context' structure to program an ERET into the next lower EL. 4. Ensures that SP_EL3 always points to the next 'cpu_context' structure prior to an ERET into the next lower EL 5. Introduces a PSCI SMC handler which completes the use of PSCI as a runtime service Change-Id: I661797f834c0803d2c674d20f504df1b04c2b852 Co-authored-by: Achin Gupta <achin.gupta@arm.com>
2014-02-06 10:36:15 +00:00
/* Copy SCR_EL3.NS bit to the flag to indicate caller's security */
bfi x7, x18, #0, #1
mov sp, x12
Rework smc_unknown return code path in smc_handler The intention of this patch is to leverage the existing el3_exit() return routine for smc_unknown return path rather than a custom set of instructions. In order to leverage el3_exit(), the necessary counteraction (i.e., saving the system registers apart from GP registers) must be performed. Hence a series of instructions which save system registers( like SPSR_EL3, SCR_EL3 etc) to stack are moved to the top of group of instructions which essentially decode the OEN from the smc function identifier and obtain the specific service handler in rt_svc_descs_array. This ensures that the control flow for both known and unknown smc calls will be similar. Change-Id: I67f94cfcba176bf8aee1a446fb58a4e383905a87 Signed-off-by: Madhukar Pappireddy <madhukar.pappireddy@arm.com>
2019-05-08 21:41:41 +01:00
/* Get the unique owning entity number */
ubfx x16, x0, #FUNCID_OEN_SHIFT, #FUNCID_OEN_WIDTH
ubfx x15, x0, #FUNCID_TYPE_SHIFT, #FUNCID_TYPE_WIDTH
orr x16, x16, x15, lsl #FUNCID_OEN_WIDTH
/* Load descriptor index from array of indices */
Changes necessary to support SEPARATE_NOBITS_REGION feature Since BL31 PROGBITS and BL31 NOBITS sections are going to be in non-adjacent memory regions, potentially far from each other, some fixes are needed to support it completely. 1. adr instruction only allows computing the effective address of a location only within 1MB range of the PC. However, adrp instruction together with an add permits position independent address of any location with 4GB range of PC. 2. Since BL31 _RW_END_ marks the end of BL31 image, care must be taken that it is aligned to page size since we map this memory region in BL31 using xlat_v2 lib utils which mandate alignment of image size to page granularity. Change-Id: I3451cc030d03cb2032db3cc088f0c0e2c84bffda Signed-off-by: Madhukar Pappireddy <madhukar.pappireddy@arm.com>
2020-01-27 21:32:15 +00:00
adrp x14, rt_svc_descs_indices
add x14, x14, :lo12:rt_svc_descs_indices
Rework smc_unknown return code path in smc_handler The intention of this patch is to leverage the existing el3_exit() return routine for smc_unknown return path rather than a custom set of instructions. In order to leverage el3_exit(), the necessary counteraction (i.e., saving the system registers apart from GP registers) must be performed. Hence a series of instructions which save system registers( like SPSR_EL3, SCR_EL3 etc) to stack are moved to the top of group of instructions which essentially decode the OEN from the smc function identifier and obtain the specific service handler in rt_svc_descs_array. This ensures that the control flow for both known and unknown smc calls will be similar. Change-Id: I67f94cfcba176bf8aee1a446fb58a4e383905a87 Signed-off-by: Madhukar Pappireddy <madhukar.pappireddy@arm.com>
2019-05-08 21:41:41 +01:00
ldrb w15, [x14, x16]
/* Any index greater than 127 is invalid. Check bit 7. */
tbnz w15, 7, smc_unknown
/*
* Get the descriptor using the index
* x11 = (base + off), w15 = index
*
* handler = (base + off) + (index << log2(size))
*/
adr x11, (__RT_SVC_DESCS_START__ + RT_SVC_DESC_HANDLE)
lsl w10, w15, #RT_SVC_SIZE_LOG2
ldr x15, [x11, w10, uxtw]
Cosmetic change to exception table * Move comments on unhandled exceptions at the right place. * Reformat the existing comments to highlight the start of each block of 4 entries in the exception table to ease navigation (lines of dash reserved for head comments). * Reflow comments to 80 columns. Change-Id: I5ab88a93d0628af8e151852cb5b597eb34437677 Signed-off-by: Douglas Raillard <douglas.raillard@arm.com>
2016-11-09 17:48:27 +00:00
/*
* Call the Secure Monitor Call handler and then drop directly into
* el3_exit() which will program any remaining architectural state
* prior to issuing the ERET to the desired lower EL.
Add support for handling runtime service requests This patch uses the reworked exception handling support to handle runtime service requests through SMCs following the SMC calling convention. This is a giant commit since all the changes are inter-related. It does the following: 1. Replace the old exception handling mechanism with the new one 2. Enforce that SP_EL0 is used C runtime stacks. 3. Ensures that the cold and warm boot paths use the 'cpu_context' structure to program an ERET into the next lower EL. 4. Ensures that SP_EL3 always points to the next 'cpu_context' structure prior to an ERET into the next lower EL 5. Introduces a PSCI SMC handler which completes the use of PSCI as a runtime service Change-Id: I661797f834c0803d2c674d20f504df1b04c2b852 Co-authored-by: Achin Gupta <achin.gupta@arm.com>
2014-02-06 10:36:15 +00:00
*/
#if DEBUG
cbz x15, rt_svc_fw_critical_error
#endif
blr x15
Move context management code to common location The upcoming Firmware Update feature needs transitioning across Secure/Normal worlds to complete the FWU process and hence requires context management code to perform this task. Currently context management code is part of BL31 stage only. This patch moves the code from (include)/bl31 to (include)/common. Some function declarations/definitions and macros have also moved to different files to help code sharing. Change-Id: I3858b08aecdb76d390765ab2b099f457873f7b0c
2015-10-02 17:56:48 +01:00
b el3_exit
ARMv8 Trusted Firmware release v0.2
2013-10-25 09:08:21 +01:00
Add support for handling runtime service requests This patch uses the reworked exception handling support to handle runtime service requests through SMCs following the SMC calling convention. This is a giant commit since all the changes are inter-related. It does the following: 1. Replace the old exception handling mechanism with the new one 2. Enforce that SP_EL0 is used C runtime stacks. 3. Ensures that the cold and warm boot paths use the 'cpu_context' structure to program an ERET into the next lower EL. 4. Ensures that SP_EL3 always points to the next 'cpu_context' structure prior to an ERET into the next lower EL 5. Introduces a PSCI SMC handler which completes the use of PSCI as a runtime service Change-Id: I661797f834c0803d2c674d20f504df1b04c2b852 Co-authored-by: Achin Gupta <achin.gupta@arm.com>
2014-02-06 10:36:15 +00:00
smc_unknown:
/*
Rework smc_unknown return code path in smc_handler The intention of this patch is to leverage the existing el3_exit() return routine for smc_unknown return path rather than a custom set of instructions. In order to leverage el3_exit(), the necessary counteraction (i.e., saving the system registers apart from GP registers) must be performed. Hence a series of instructions which save system registers( like SPSR_EL3, SCR_EL3 etc) to stack are moved to the top of group of instructions which essentially decode the OEN from the smc function identifier and obtain the specific service handler in rt_svc_descs_array. This ensures that the control flow for both known and unknown smc calls will be similar. Change-Id: I67f94cfcba176bf8aee1a446fb58a4e383905a87 Signed-off-by: Madhukar Pappireddy <madhukar.pappireddy@arm.com>
2019-05-08 21:41:41 +01:00
* Unknown SMC call. Populate return value with SMC_UNK and call
* el3_exit() which will restore the remaining architectural state
* i.e., SYS, GP and PAuth registers(if any) prior to issuing the ERET
* to the desired lower EL.
Add support for handling runtime service requests This patch uses the reworked exception handling support to handle runtime service requests through SMCs following the SMC calling convention. This is a giant commit since all the changes are inter-related. It does the following: 1. Replace the old exception handling mechanism with the new one 2. Enforce that SP_EL0 is used C runtime stacks. 3. Ensures that the cold and warm boot paths use the 'cpu_context' structure to program an ERET into the next lower EL. 4. Ensures that SP_EL3 always points to the next 'cpu_context' structure prior to an ERET into the next lower EL 5. Introduces a PSCI SMC handler which completes the use of PSCI as a runtime service Change-Id: I661797f834c0803d2c674d20f504df1b04c2b852 Co-authored-by: Achin Gupta <achin.gupta@arm.com>
2014-02-06 10:36:15 +00:00
*/
Redefine SMC_UNK as -1 instead of 0xFFFFFFFF According to the SMC Calling Convention (ARM DEN0028B): The Unknown SMC Function Identifier is a sign-extended value of (-1) that is returned in R0, W0 or X0 register. The value wasn't sign-extended because it was defined as a 32-bit unsigned value (0xFFFFFFFF). SMC_PREEMPT has been redefined as -2 for the same reason. NOTE: This might be a compatibility break for some AArch64 platforms that don't follow the previous version of the SMCCC (ARM DEN0028A) correctly. That document specifies that only the bottom 32 bits of the returned value must be checked. If a platform relies on the top 32 bits of the result being 0 (so that SMC_UNK is 0x00000000FFFFFFFF), it will have to fix its code to comply with the SMCCC. Change-Id: I7f7b109f6b30c114fe570aa0ead3c335383cb54d Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
2018-02-14 14:22:29 +00:00
mov x0, #SMC_UNK
Rework smc_unknown return code path in smc_handler The intention of this patch is to leverage the existing el3_exit() return routine for smc_unknown return path rather than a custom set of instructions. In order to leverage el3_exit(), the necessary counteraction (i.e., saving the system registers apart from GP registers) must be performed. Hence a series of instructions which save system registers( like SPSR_EL3, SCR_EL3 etc) to stack are moved to the top of group of instructions which essentially decode the OEN from the smc function identifier and obtain the specific service handler in rt_svc_descs_array. This ensures that the control flow for both known and unknown smc calls will be similar. Change-Id: I67f94cfcba176bf8aee1a446fb58a4e383905a87 Signed-off-by: Madhukar Pappireddy <madhukar.pappireddy@arm.com>
2019-05-08 21:41:41 +01:00
str x0, [x6, #CTX_GPREGS_OFFSET + CTX_GPREG_X0]
b el3_exit
Add support for handling runtime service requests This patch uses the reworked exception handling support to handle runtime service requests through SMCs following the SMC calling convention. This is a giant commit since all the changes are inter-related. It does the following: 1. Replace the old exception handling mechanism with the new one 2. Enforce that SP_EL0 is used C runtime stacks. 3. Ensures that the cold and warm boot paths use the 'cpu_context' structure to program an ERET into the next lower EL. 4. Ensures that SP_EL3 always points to the next 'cpu_context' structure prior to an ERET into the next lower EL 5. Introduces a PSCI SMC handler which completes the use of PSCI as a runtime service Change-Id: I661797f834c0803d2c674d20f504df1b04c2b852 Co-authored-by: Achin Gupta <achin.gupta@arm.com>
2014-02-06 10:36:15 +00:00
smc_prohibited:
runtime_exceptions: Update AT speculative workaround As per latest mailing communication [1], we decided to update AT speculative workaround implementation in order to disable page table walk for lower ELs(EL1 or EL0) immediately after context switching to EL3 from lower ELs. Previous implementation of AT speculative workaround is available here: 45aecff00 AT speculative workaround is updated as below: 1. Avoid saving and restoring of SCTLR and TCR registers for EL1 in context save and restore routine respectively. 2. On EL3 entry, save SCTLR and TCR registers for EL1. 3. On EL3 entry, update EL1 system registers to disable stage 1 page table walk for lower ELs (EL1 and EL0) and enable EL1 MMU. 4. On EL3 exit, restore SCTLR and TCR registers for EL1 which are saved in step 2. [1]: https://lists.trustedfirmware.org/pipermail/tf-a/2020-July/000586.html Change-Id: Iee8de16f81dc970a8f492726f2ddd57e7bd9ffb5 Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
2020-07-23 12:43:25 +01:00
restore_ptw_el1_sys_regs
ldp x28, x29, [sp, #CTX_GPREGS_OFFSET + CTX_GPREG_X28]
Preserve x19-x29 across world switch for exception handling Previously exception handlers in BL3-1, X19-X29 were not saved and restored on every SMC/trap into EL3. Instead these registers were 'saved as needed' as a side effect of the A64 ABI used by the C compiler. That approach failed when world switching but was not visible with the TSP/TSPD code because the TSP is 64-bit, did not clobber these registers when running and did not support pre-emption by normal world interrupts. These scenarios showed that the values in these registers can be passed through a world switch, which broke the normal and trusted world assumptions about these registers being preserved. The Ideal solution saves and restores these registers when a world switch occurs - but that type of implementation is more complex. So this patch always saves and restores these registers on entry and exit of EL3. Fixes ARM-software/tf-issues#141 Change-Id: I9a727167bbc594454e81cf78a97ca899dfb11c27
2014-04-30 15:36:37 +01:00
ldr x30, [sp, #CTX_GPREGS_OFFSET + CTX_GPREG_LR]
Redefine SMC_UNK as -1 instead of 0xFFFFFFFF According to the SMC Calling Convention (ARM DEN0028B): The Unknown SMC Function Identifier is a sign-extended value of (-1) that is returned in R0, W0 or X0 register. The value wasn't sign-extended because it was defined as a 32-bit unsigned value (0xFFFFFFFF). SMC_PREEMPT has been redefined as -2 for the same reason. NOTE: This might be a compatibility break for some AArch64 platforms that don't follow the previous version of the SMCCC (ARM DEN0028A) correctly. That document specifies that only the bottom 32 bits of the returned value must be checked. If a platform relies on the top 32 bits of the result being 0 (so that SMC_UNK is 0x00000000FFFFFFFF), it will have to fix its code to comply with the SMCCC. Change-Id: I7f7b109f6b30c114fe570aa0ead3c335383cb54d Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
2018-02-14 14:22:29 +00:00
mov x0, #SMC_UNK
Prevent speculative execution past ERET Even though ERET always causes a jump to another address, aarch64 CPUs speculatively execute following instructions as if the ERET instruction was not a jump instruction. The speculative execution does not cross privilege-levels (to the jump target as one would expect), but it continues on the kernel privilege level as if the ERET instruction did not change the control flow - thus execution anything that is accidentally linked after the ERET instruction. Later, the results of this speculative execution are always architecturally discarded, however they can leak data using microarchitectural side channels. This speculative execution is very reliable (seems to be unconditional) and it manages to complete even relatively performance-heavy operations (e.g. multiple dependent fetches from uncached memory). This was fixed in Linux, FreeBSD, OpenBSD and Optee OS: https://github.com/torvalds/linux/commit/679db70801da9fda91d26caf13bf5b5ccc74e8e8 https://github.com/freebsd/freebsd/commit/29fb48ace4186a41c409fde52bcf4216e9e50b61 https://github.com/openbsd/src/commit/3a08873ece1cb28ace89fd65e8f3c1375cc98de2 https://github.com/OP-TEE/optee_os/commit/abfd092aa19f9c0251e3d5551e2d68a9ebcfec8a It is demonstrated in a SafeSide example: https://github.com/google/safeside/blob/master/demos/eret_hvc_smc_wrapper.cc https://github.com/google/safeside/blob/master/kernel_modules/kmod_eret_hvc_smc/eret_hvc_smc_module.c Signed-off-by: Anthony Steinhauser <asteinhauser@google.com> Change-Id: Iead39b0b9fb4b8d8b5609daaa8be81497ba63a0f
2020-01-07 23:44:06 +00:00
exception_return
Add support for handling runtime service requests This patch uses the reworked exception handling support to handle runtime service requests through SMCs following the SMC calling convention. This is a giant commit since all the changes are inter-related. It does the following: 1. Replace the old exception handling mechanism with the new one 2. Enforce that SP_EL0 is used C runtime stacks. 3. Ensures that the cold and warm boot paths use the 'cpu_context' structure to program an ERET into the next lower EL. 4. Ensures that SP_EL3 always points to the next 'cpu_context' structure prior to an ERET into the next lower EL 5. Introduces a PSCI SMC handler which completes the use of PSCI as a runtime service Change-Id: I661797f834c0803d2c674d20f504df1b04c2b852 Co-authored-by: Achin Gupta <achin.gupta@arm.com>
2014-02-06 10:36:15 +00:00
Refactor ARMv8.3 Pointer Authentication support code This patch provides the following features and makes modifications listed below: - Individual APIAKey key generation for each CPU. - New key generation on every BL31 warm boot and TSP CPU On event. - Per-CPU storage of APIAKey added in percpu_data[] of cpu_data structure. - `plat_init_apiakey()` function replaced with `plat_init_apkey()` which returns 128-bit value and uses Generic timer physical counter value to increase the randomness of the generated key. The new function can be used for generation of all ARMv8.3-PAuth keys - ARMv8.3-PAuth specific code placed in `lib\extensions\pauth`. - New `pauth_init_enable_el1()` and `pauth_init_enable_el3()` functions generate, program and enable APIAKey_EL1 for EL1 and EL3 respectively; pauth_disable_el1()` and `pauth_disable_el3()` functions disable PAuth for EL1 and EL3 respectively; `pauth_load_bl31_apiakey()` loads saved per-CPU APIAKey_EL1 from cpu-data structure. - Combined `save_gp_pauth_registers()` function replaces calls to `save_gp_registers()` and `pauth_context_save()`; `restore_gp_pauth_registers()` replaces `pauth_context_restore()` and `restore_gp_registers()` calls. - `restore_gp_registers_eret()` function removed with corresponding code placed in `el3_exit()`. - Fixed the issue when `pauth_t pauth_ctx` structure allocated space for 12 uint64_t PAuth registers instead of 10 by removal of macro CTX_PACGAKEY_END from `include/lib/el3_runtime/aarch64/context.h` and assigning its value to CTX_PAUTH_REGS_END. - Use of MODE_SP_ELX and MODE_SP_EL0 macro definitions in `msr spsel` instruction instead of hard-coded values. - Changes in documentation related to ARMv8.3-PAuth and ARMv8.5-BTI. Change-Id: Id18b81cc46f52a783a7e6a09b9f149b6ce803211 Signed-off-by: Alexei Fedorov <Alexei.Fedorov@arm.com>
2019-09-13 14:11:59 +01:00
#if DEBUG
Add support for handling runtime service requests This patch uses the reworked exception handling support to handle runtime service requests through SMCs following the SMC calling convention. This is a giant commit since all the changes are inter-related. It does the following: 1. Replace the old exception handling mechanism with the new one 2. Enforce that SP_EL0 is used C runtime stacks. 3. Ensures that the cold and warm boot paths use the 'cpu_context' structure to program an ERET into the next lower EL. 4. Ensures that SP_EL3 always points to the next 'cpu_context' structure prior to an ERET into the next lower EL 5. Introduces a PSCI SMC handler which completes the use of PSCI as a runtime service Change-Id: I661797f834c0803d2c674d20f504df1b04c2b852 Co-authored-by: Achin Gupta <achin.gupta@arm.com>
2014-02-06 10:36:15 +00:00
rt_svc_fw_critical_error:
Cosmetic change to exception table * Move comments on unhandled exceptions at the right place. * Reformat the existing comments to highlight the start of each block of 4 entries in the exception table to ease navigation (lines of dash reserved for head comments). * Reflow comments to 80 columns. Change-Id: I5ab88a93d0628af8e151852cb5b597eb34437677 Signed-off-by: Douglas Raillard <douglas.raillard@arm.com>
2016-11-09 17:48:27 +00:00
/* Switch to SP_ELx */
Refactor ARMv8.3 Pointer Authentication support code This patch provides the following features and makes modifications listed below: - Individual APIAKey key generation for each CPU. - New key generation on every BL31 warm boot and TSP CPU On event. - Per-CPU storage of APIAKey added in percpu_data[] of cpu_data structure. - `plat_init_apiakey()` function replaced with `plat_init_apkey()` which returns 128-bit value and uses Generic timer physical counter value to increase the randomness of the generated key. The new function can be used for generation of all ARMv8.3-PAuth keys - ARMv8.3-PAuth specific code placed in `lib\extensions\pauth`. - New `pauth_init_enable_el1()` and `pauth_init_enable_el3()` functions generate, program and enable APIAKey_EL1 for EL1 and EL3 respectively; pauth_disable_el1()` and `pauth_disable_el3()` functions disable PAuth for EL1 and EL3 respectively; `pauth_load_bl31_apiakey()` loads saved per-CPU APIAKey_EL1 from cpu-data structure. - Combined `save_gp_pauth_registers()` function replaces calls to `save_gp_registers()` and `pauth_context_save()`; `restore_gp_pauth_registers()` replaces `pauth_context_restore()` and `restore_gp_registers()` calls. - `restore_gp_registers_eret()` function removed with corresponding code placed in `el3_exit()`. - Fixed the issue when `pauth_t pauth_ctx` structure allocated space for 12 uint64_t PAuth registers instead of 10 by removal of macro CTX_PACGAKEY_END from `include/lib/el3_runtime/aarch64/context.h` and assigning its value to CTX_PAUTH_REGS_END. - Use of MODE_SP_ELX and MODE_SP_EL0 macro definitions in `msr spsel` instruction instead of hard-coded values. - Changes in documentation related to ARMv8.3-PAuth and ARMv8.5-BTI. Change-Id: Id18b81cc46f52a783a7e6a09b9f149b6ce803211 Signed-off-by: Alexei Fedorov <Alexei.Fedorov@arm.com>
2019-09-13 14:11:59 +01:00
msr spsel, #MODE_SP_ELX
Define and use no_ret macro where no return is expected There are many instances in ARM Trusted Firmware where control is transferred to functions from which return isn't expected. Such jumps are made using 'bl' instruction to provide the callee with the location from which it was jumped to. Additionally, debuggers infer the caller by examining where 'lr' register points to. If a 'bl' of the nature described above falls at the end of an assembly function, 'lr' will be left pointing to a location outside of the function range. This misleads the debugger back trace. This patch defines a 'no_ret' macro to be used when jumping to functions from which return isn't expected. The macro ensures to use 'bl' instruction for the jump, and also, for debug builds, places a 'nop' instruction immediately thereafter (unless instructed otherwise) so as to leave 'lr' pointing within the function range. Change-Id: Ib34c69fc09197cfd57bc06e147cc8252910e01b0 Co-authored-by: Douglas Raillard <douglas.raillard@arm.com> Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
2016-11-30 15:21:11 +00:00
no_ret report_unhandled_exception
Refactor ARMv8.3 Pointer Authentication support code This patch provides the following features and makes modifications listed below: - Individual APIAKey key generation for each CPU. - New key generation on every BL31 warm boot and TSP CPU On event. - Per-CPU storage of APIAKey added in percpu_data[] of cpu_data structure. - `plat_init_apiakey()` function replaced with `plat_init_apkey()` which returns 128-bit value and uses Generic timer physical counter value to increase the randomness of the generated key. The new function can be used for generation of all ARMv8.3-PAuth keys - ARMv8.3-PAuth specific code placed in `lib\extensions\pauth`. - New `pauth_init_enable_el1()` and `pauth_init_enable_el3()` functions generate, program and enable APIAKey_EL1 for EL1 and EL3 respectively; pauth_disable_el1()` and `pauth_disable_el3()` functions disable PAuth for EL1 and EL3 respectively; `pauth_load_bl31_apiakey()` loads saved per-CPU APIAKey_EL1 from cpu-data structure. - Combined `save_gp_pauth_registers()` function replaces calls to `save_gp_registers()` and `pauth_context_save()`; `restore_gp_pauth_registers()` replaces `pauth_context_restore()` and `restore_gp_registers()` calls. - `restore_gp_registers_eret()` function removed with corresponding code placed in `el3_exit()`. - Fixed the issue when `pauth_t pauth_ctx` structure allocated space for 12 uint64_t PAuth registers instead of 10 by removal of macro CTX_PACGAKEY_END from `include/lib/el3_runtime/aarch64/context.h` and assigning its value to CTX_PAUTH_REGS_END. - Use of MODE_SP_ELX and MODE_SP_EL0 macro definitions in `msr spsel` instruction instead of hard-coded values. - Changes in documentation related to ARMv8.3-PAuth and ARMv8.5-BTI. Change-Id: Id18b81cc46f52a783a7e6a09b9f149b6ce803211 Signed-off-by: Alexei Fedorov <Alexei.Fedorov@arm.com>
2019-09-13 14:11:59 +01:00
#endif
Add support to indicate size and end of assembly functions In order for the symbol table in the ELF file to contain the size of functions written in assembly, it is necessary to report it to the assembler using the .size directive. To fulfil the above requirements, this patch introduces an 'endfunc' macro which contains the .endfunc and .size directives. It also adds a .func directive to the 'func' assembler macro. The .func/.endfunc have been used so the assembler can fail if endfunc is omitted. Fixes ARM-Software/tf-issues#295 Change-Id: If8cb331b03d7f38fe7e3694d4de26f1075b278fc Signed-off-by: Kévin Petit <kevin.petit@arm.com>
2015-03-24 14:03:57 +00:00
endfunc smc_handler
Add UBSAN support and handlers This patch adds support for the Undefined Behaviour sanitizer. There are two types of support offered - minimalistic trapping support which essentially immediately crashes on undefined behaviour and full support with full debug messages. The full support relies on ubsan.c which has been adapted from code used by OPTEE. Change-Id: I417c810f4fc43dcb56db6a6a555bfd0b38440727 Signed-off-by: Justin Chadwell <justin.chadwell@arm.com>
2019-08-20 11:01:52 +01:00
/* ---------------------------------------------------------------------
* The following code handles exceptions caused by BRK instructions.
* Following a BRK instruction, the only real valid cause of action is
* to print some information and panic, as the code that caused it is
* likely in an inconsistent internal state.
*
* This is initially intended to be used in conjunction with
* __builtin_trap.
* ---------------------------------------------------------------------
*/
#ifdef MONITOR_TRAPS
func brk_handler
/* Extract the ISS */
mrs x10, esr_el3
ubfx x10, x10, #ESR_ISS_SHIFT, #ESR_ISS_LENGTH
/* Ensure the console is initialized */
bl plat_crash_console_init
adr x4, brk_location
bl asm_print_str
mrs x4, elr_el3
bl asm_print_hex
bl asm_print_newline
adr x4, brk_message
bl asm_print_str
mov x4, x10
mov x5, #28
bl asm_print_hex_bits
bl asm_print_newline
no_ret plat_panic_handler
endfunc brk_handler
#endif /* MONITOR_TRAPS */