arm-trusted-firmware/lib/cpus/aarch64/cortex_a75.S

/*
 * Copyright (c) 2017-2018, ARM Limited and Contributors. All rights reserved.
 *
 * SPDX-License-Identifier: BSD-3-Clause
 */

#include <arch.h>
#include <asm_macros.S>
#include <cortex_a75.h>
#include <cpuamu.h>
#include <cpu_macros.S>

func cortex_a75_reset_func
#if IMAGE_BL31 && WORKAROUND_CVE_2017_5715
	mrs	x0, id_aa64pfr0_el1
	ubfx	x0, x0, #ID_AA64PFR0_CSV2_SHIFT, #ID_AA64PFR0_CSV2_LENGTH
	/*
	 * If the field equals to 1 then branch targets trained in one
	 * context cannot affect speculative execution in a different context.
	 */
	cmp	x0, #1
	beq	1f

	adr	x0, workaround_bpiall_vbar0_runtime_exceptions
	msr	vbar_el3, x0
1:
#endif

#if ENABLE_AMU
	/* Make sure accesses from EL0/EL1 and EL2 are not trapped to EL3 */
	mrs	x0, actlr_el3
	orr	x0, x0, #CORTEX_A75_ACTLR_AMEN_BIT
	msr	actlr_el3, x0
	isb

	/* Make sure accesses from EL0/EL1 are not trapped to EL2 */
	mrs	x0, actlr_el2
	orr	x0, x0, #CORTEX_A75_ACTLR_AMEN_BIT
	msr	actlr_el2, x0
	isb

	/* Enable group0 counters */
	mov	x0, #CORTEX_A75_AMU_GROUP0_MASK
	msr	CPUAMCNTENSET_EL0, x0
	isb

	/* Enable group1 counters */
	mov	x0, #CORTEX_A75_AMU_GROUP1_MASK
	msr	CPUAMCNTENSET_EL0, x0
	isb
#endif
	ret
endfunc cortex_a75_reset_func

func check_errata_cve_2017_5715
	mrs	x0, id_aa64pfr0_el1
	ubfx	x0, x0, #ID_AA64PFR0_CSV2_SHIFT, #ID_AA64PFR0_CSV2_LENGTH
	/*
	 * If the field equals to 1 then branch targets trained in one
	 * context cannot affect speculative execution in a different context.
	 */
	cmp	x0, #1
	beq	1f

#if WORKAROUND_CVE_2017_5715
	mov	x0, #ERRATA_APPLIES
#else
	mov	x0, #ERRATA_MISSING
#endif
	ret
1:
	mov	x0, #ERRATA_NOT_APPLIES
	ret
endfunc check_errata_cve_2017_5715

	/* ---------------------------------------------
	 * HW will do the cache maintenance while powering down
	 * ---------------------------------------------
	 */
func cortex_a75_core_pwr_dwn
	/* ---------------------------------------------
	 * Enable CPU power down bit in power control register
	 * ---------------------------------------------
	 */
	mrs	x0, CORTEX_A75_CPUPWRCTLR_EL1
	orr	x0, x0, #CORTEX_A75_CORE_PWRDN_EN_MASK
	msr	CORTEX_A75_CPUPWRCTLR_EL1, x0
	isb
	ret
endfunc cortex_a75_core_pwr_dwn

#if REPORT_ERRATA
/*
 * Errata printing function for Cortex A75. Must follow AAPCS.
 */
func cortex_a75_errata_report
	stp	x8, x30, [sp, #-16]!

	bl	cpu_get_rev_var
	mov	x8, x0

	/*
	 * Report all errata. The revision-variant information is passed to
	 * checking functions of each errata.
	 */
	report_errata WORKAROUND_CVE_2017_5715, cortex_a75, cve_2017_5715

	ldp	x8, x30, [sp], #16
	ret
endfunc cortex_a75_errata_report
#endif

	/* ---------------------------------------------
	 * This function provides cortex_a75 specific
	 * register information for crash reporting.
	 * It needs to return with x6 pointing to
	 * a list of register names in ascii and
	 * x8 - x15 having values of registers to be
	 * reported.
	 * ---------------------------------------------
	 */
.section .rodata.cortex_a75_regs, "aS"
cortex_a75_regs:  /* The ascii list of register names to be reported */
	.asciz	"cpuectlr_el1", ""

func cortex_a75_cpu_reg_dump
	adr	x6, cortex_a75_regs
	mrs	x8, CORTEX_A75_CPUECTLR_EL1
	ret
endfunc cortex_a75_cpu_reg_dump

declare_cpu_ops cortex_a75, CORTEX_A75_MIDR, \
	cortex_a75_reset_func, \
	cortex_a75_core_pwr_dwn
Add support for Cortex-A75 and Cortex-A55 CPUs Both Cortex-A75 and Cortex-A55 CPUs use the ARM DynamIQ Shared Unit (DSU). The power-down and power-up sequences are therefore mostly managed in hardware, and required software operations are considerably simpler. Change-Id: I68b30e6e1ebe7c041d5e67f39c59f08575fc7ecc Co-authored-by: Sandrine Bailleux <sandrine.bailleux@arm.com> Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com> 2016-11-09 16:29:02 +00:00			`/*`
Print erratum application report for CVE-2017-5715 Even though the workaround for CVE-2017-5715 is not a CPU erratum, the code is piggybacking on the errata framework to print whether the workaround was applied, missing or not needed. Change-Id: I821197a4b8560c73fd894cd7cd9ecf9503c72fa3 Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com> 2018-01-16 10:32:47 +00:00			`* Copyright (c) 2017-2018, ARM Limited and Contributors. All rights reserved.`
Add support for Cortex-A75 and Cortex-A55 CPUs Both Cortex-A75 and Cortex-A55 CPUs use the ARM DynamIQ Shared Unit (DSU). The power-down and power-up sequences are therefore mostly managed in hardware, and required software operations are considerably simpler. Change-Id: I68b30e6e1ebe7c041d5e67f39c59f08575fc7ecc Co-authored-by: Sandrine Bailleux <sandrine.bailleux@arm.com> Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com> 2016-11-09 16:29:02 +00:00			`*`
			`* SPDX-License-Identifier: BSD-3-Clause`
			`*/`

			`#include <arch.h>`
			`#include <asm_macros.S>`
			`#include <cortex_a75.h>`
Refactor AMU support for Cortex A75 This patch also fixes the assumption that the counters are disabled on the resume path. This is incorrect as the AMU counters are enabled early in the CPU reset function before `cpuamu_context_restore()` runs. Change-Id: I38a94eb166a523f00de18e86860434ffccff2131 Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com> 2018-02-14 10:28:36 +00:00			`#include <cpuamu.h>`
			`#include <cpu_macros.S>`
Add hooks to save/restore AMU context for Cortex A75 Change-Id: I504d3f65ca5829bc1f4ebadb764931f8379ee81f Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com> 2017-12-11 11:45:35 +00:00
Implement support for the Activity Monitor Unit on Cortex A75 The Cortex A75 has 5 AMU counters. The first three counters are fixed and the remaining two are programmable. A new build option is introduced, `ENABLE_AMU`. When set, the fixed counters will be enabled for use by lower ELs. The programmable counters are currently disabled. Change-Id: I4bd5208799bb9ed7d2596e8b0bfc87abbbe18740 Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com> 2017-10-16 11:40:10 +01:00			`func cortex_a75_reset_func`
Workaround for CVE-2017-5715 on Cortex A73 and A75 Invalidate the Branch Target Buffer (BTB) on entry to EL3 by temporarily dropping into AArch32 Secure-EL1 and executing the `BPIALL` instruction. This is achieved by using 3 vector tables. There is the runtime vector table which is used to handle exceptions and 2 additional tables which are required to implement this workaround. The additional tables are `vbar0` and `vbar1`. The sequence of events for handling a single exception is as follows: 1) Install vector table `vbar0` which saves the CPU context on entry to EL3 and sets up the Secure-EL1 context to execute in AArch32 mode with the MMU disabled and I$ enabled. This is the default vector table. 2) Before doing an ERET into Secure-EL1, switch vbar to point to another vector table `vbar1`. This is required to restore EL3 state when returning from the workaround, before proceeding with normal EL3 exception handling. 3) While in Secure-EL1, the `BPIALL` instruction is executed and an SMC call back to EL3 is performed. 4) On entry to EL3 from Secure-EL1, the saved context from step 1) is restored. The vbar is switched to point to `vbar0` in preparation to handle further exceptions. Finally a branch to the runtime vector table entry is taken to complete the handling of the original exception. This workaround is enabled by default on the affected CPUs. NOTE ==== There are 4 different stubs in Secure-EL1. Each stub corresponds to an exception type such as Sync/IRQ/FIQ/SError. Each stub will move a different value in `R0` before doing an SMC call back into EL3. Without this piece of information it would not be possible to know what the original exception type was as we cannot use `ESR_EL3` to distinguish between IRQs and FIQs. Change-Id: I90b32d14a3735290b48685d43c70c99daaa4b434 Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com> 2017-12-18 13:46:21 +00:00			`#if IMAGE_BL31 && WORKAROUND_CVE_2017_5715`
Use PFR0 to identify need for mitigation of CVE-2017-5915 If the CSV2 field reads as 1 then branch targets trained in one context cannot affect speculative execution in a different context. In that case skip the workaround on Cortex A75. Change-Id: I4d5504cba516a67311fb5f0657b08f72909cbd38 Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com> 2018-01-02 15:53:01 +00:00			`mrs x0, id_aa64pfr0_el1`
			`ubfx x0, x0, #ID_AA64PFR0_CSV2_SHIFT, #ID_AA64PFR0_CSV2_LENGTH`
			`/*`
			`* If the field equals to 1 then branch targets trained in one`
			`* context cannot affect speculative execution in a different context.`
			`*/`
			`cmp x0, #1`
			`beq 1f`

Workaround for CVE-2017-5715 on Cortex A73 and A75 Invalidate the Branch Target Buffer (BTB) on entry to EL3 by temporarily dropping into AArch32 Secure-EL1 and executing the `BPIALL` instruction. This is achieved by using 3 vector tables. There is the runtime vector table which is used to handle exceptions and 2 additional tables which are required to implement this workaround. The additional tables are `vbar0` and `vbar1`. The sequence of events for handling a single exception is as follows: 1) Install vector table `vbar0` which saves the CPU context on entry to EL3 and sets up the Secure-EL1 context to execute in AArch32 mode with the MMU disabled and I$ enabled. This is the default vector table. 2) Before doing an ERET into Secure-EL1, switch vbar to point to another vector table `vbar1`. This is required to restore EL3 state when returning from the workaround, before proceeding with normal EL3 exception handling. 3) While in Secure-EL1, the `BPIALL` instruction is executed and an SMC call back to EL3 is performed. 4) On entry to EL3 from Secure-EL1, the saved context from step 1) is restored. The vbar is switched to point to `vbar0` in preparation to handle further exceptions. Finally a branch to the runtime vector table entry is taken to complete the handling of the original exception. This workaround is enabled by default on the affected CPUs. NOTE ==== There are 4 different stubs in Secure-EL1. Each stub corresponds to an exception type such as Sync/IRQ/FIQ/SError. Each stub will move a different value in `R0` before doing an SMC call back into EL3. Without this piece of information it would not be possible to know what the original exception type was as we cannot use `ESR_EL3` to distinguish between IRQs and FIQs. Change-Id: I90b32d14a3735290b48685d43c70c99daaa4b434 Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com> 2017-12-18 13:46:21 +00:00			`adr x0, workaround_bpiall_vbar0_runtime_exceptions`
			`msr vbar_el3, x0`
Use PFR0 to identify need for mitigation of CVE-2017-5915 If the CSV2 field reads as 1 then branch targets trained in one context cannot affect speculative execution in a different context. In that case skip the workaround on Cortex A75. Change-Id: I4d5504cba516a67311fb5f0657b08f72909cbd38 Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com> 2018-01-02 15:53:01 +00:00			`1:`
Workaround for CVE-2017-5715 on Cortex A73 and A75 Invalidate the Branch Target Buffer (BTB) on entry to EL3 by temporarily dropping into AArch32 Secure-EL1 and executing the `BPIALL` instruction. This is achieved by using 3 vector tables. There is the runtime vector table which is used to handle exceptions and 2 additional tables which are required to implement this workaround. The additional tables are `vbar0` and `vbar1`. The sequence of events for handling a single exception is as follows: 1) Install vector table `vbar0` which saves the CPU context on entry to EL3 and sets up the Secure-EL1 context to execute in AArch32 mode with the MMU disabled and I$ enabled. This is the default vector table. 2) Before doing an ERET into Secure-EL1, switch vbar to point to another vector table `vbar1`. This is required to restore EL3 state when returning from the workaround, before proceeding with normal EL3 exception handling. 3) While in Secure-EL1, the `BPIALL` instruction is executed and an SMC call back to EL3 is performed. 4) On entry to EL3 from Secure-EL1, the saved context from step 1) is restored. The vbar is switched to point to `vbar0` in preparation to handle further exceptions. Finally a branch to the runtime vector table entry is taken to complete the handling of the original exception. This workaround is enabled by default on the affected CPUs. NOTE ==== There are 4 different stubs in Secure-EL1. Each stub corresponds to an exception type such as Sync/IRQ/FIQ/SError. Each stub will move a different value in `R0` before doing an SMC call back into EL3. Without this piece of information it would not be possible to know what the original exception type was as we cannot use `ESR_EL3` to distinguish between IRQs and FIQs. Change-Id: I90b32d14a3735290b48685d43c70c99daaa4b434 Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com> 2017-12-18 13:46:21 +00:00			`#endif`

Implement support for the Activity Monitor Unit on Cortex A75 The Cortex A75 has 5 AMU counters. The first three counters are fixed and the remaining two are programmable. A new build option is introduced, `ENABLE_AMU`. When set, the fixed counters will be enabled for use by lower ELs. The programmable counters are currently disabled. Change-Id: I4bd5208799bb9ed7d2596e8b0bfc87abbbe18740 Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com> 2017-10-16 11:40:10 +01:00			`#if ENABLE_AMU`
			`/* Make sure accesses from EL0/EL1 and EL2 are not trapped to EL3 */`
			`mrs x0, actlr_el3`
			`orr x0, x0, #CORTEX_A75_ACTLR_AMEN_BIT`
			`msr actlr_el3, x0`
			`isb`

			`/* Make sure accesses from EL0/EL1 are not trapped to EL2 */`
			`mrs x0, actlr_el2`
			`orr x0, x0, #CORTEX_A75_ACTLR_AMEN_BIT`
			`msr actlr_el2, x0`
			`isb`

			`/* Enable group0 counters */`
			`mov x0, #CORTEX_A75_AMU_GROUP0_MASK`
			`msr CPUAMCNTENSET_EL0, x0`
			`isb`

			`/* Enable group1 counters */`
			`mov x0, #CORTEX_A75_AMU_GROUP1_MASK`
			`msr CPUAMCNTENSET_EL0, x0`
			`isb`
			`#endif`
			`ret`
			`endfunc cortex_a75_reset_func`

Print erratum application report for CVE-2017-5715 Even though the workaround for CVE-2017-5715 is not a CPU erratum, the code is piggybacking on the errata framework to print whether the workaround was applied, missing or not needed. Change-Id: I821197a4b8560c73fd894cd7cd9ecf9503c72fa3 Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com> 2018-01-16 10:32:47 +00:00			`func check_errata_cve_2017_5715`
			`mrs x0, id_aa64pfr0_el1`
			`ubfx x0, x0, #ID_AA64PFR0_CSV2_SHIFT, #ID_AA64PFR0_CSV2_LENGTH`
			`/*`
			`* If the field equals to 1 then branch targets trained in one`
			`* context cannot affect speculative execution in a different context.`
			`*/`
			`cmp x0, #1`
			`beq 1f`

			`#if WORKAROUND_CVE_2017_5715`
			`mov x0, #ERRATA_APPLIES`
			`#else`
			`mov x0, #ERRATA_MISSING`
			`#endif`
			`ret`
			`1:`
			`mov x0, #ERRATA_NOT_APPLIES`
			`ret`
			`endfunc check_errata_cve_2017_5715`

Add support for Cortex-A75 and Cortex-A55 CPUs Both Cortex-A75 and Cortex-A55 CPUs use the ARM DynamIQ Shared Unit (DSU). The power-down and power-up sequences are therefore mostly managed in hardware, and required software operations are considerably simpler. Change-Id: I68b30e6e1ebe7c041d5e67f39c59f08575fc7ecc Co-authored-by: Sandrine Bailleux <sandrine.bailleux@arm.com> Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com> 2016-11-09 16:29:02 +00:00			`/* ---------------------------------------------`
			`* HW will do the cache maintenance while powering down`
			`* ---------------------------------------------`
			`*/`
			`func cortex_a75_core_pwr_dwn`
			`/* ---------------------------------------------`
			`* Enable CPU power down bit in power control register`
			`* ---------------------------------------------`
			`*/`
			`mrs x0, CORTEX_A75_CPUPWRCTLR_EL1`
			`orr x0, x0, #CORTEX_A75_CORE_PWRDN_EN_MASK`
			`msr CORTEX_A75_CPUPWRCTLR_EL1, x0`
			`isb`
			`ret`
			`endfunc cortex_a75_core_pwr_dwn`

Print erratum application report for CVE-2017-5715 Even though the workaround for CVE-2017-5715 is not a CPU erratum, the code is piggybacking on the errata framework to print whether the workaround was applied, missing or not needed. Change-Id: I821197a4b8560c73fd894cd7cd9ecf9503c72fa3 Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com> 2018-01-16 10:32:47 +00:00			`#if REPORT_ERRATA`
			`/*`
			`* Errata printing function for Cortex A75. Must follow AAPCS.`
			`*/`
			`func cortex_a75_errata_report`
			`stp x8, x30, [sp, #-16]!`

			`bl cpu_get_rev_var`
			`mov x8, x0`

			`/*`
			`* Report all errata. The revision-variant information is passed to`
			`* checking functions of each errata.`
			`*/`
			`report_errata WORKAROUND_CVE_2017_5715, cortex_a75, cve_2017_5715`

			`ldp x8, x30, [sp], #16`
			`ret`
			`endfunc cortex_a75_errata_report`
			`#endif`

Add support for Cortex-A75 and Cortex-A55 CPUs Both Cortex-A75 and Cortex-A55 CPUs use the ARM DynamIQ Shared Unit (DSU). The power-down and power-up sequences are therefore mostly managed in hardware, and required software operations are considerably simpler. Change-Id: I68b30e6e1ebe7c041d5e67f39c59f08575fc7ecc Co-authored-by: Sandrine Bailleux <sandrine.bailleux@arm.com> Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com> 2016-11-09 16:29:02 +00:00			`/* ---------------------------------------------`
			`* This function provides cortex_a75 specific`
			`* register information for crash reporting.`
			`* It needs to return with x6 pointing to`
			`* a list of register names in ascii and`
			`* x8 - x15 having values of registers to be`
			`* reported.`
			`* ---------------------------------------------`
			`*/`
			`.section .rodata.cortex_a75_regs, "aS"`
			`cortex_a75_regs: /* The ascii list of register names to be reported */`
			`.asciz "cpuectlr_el1", ""`

			`func cortex_a75_cpu_reg_dump`
			`adr x6, cortex_a75_regs`
			`mrs x8, CORTEX_A75_CPUECTLR_EL1`
			`ret`
			`endfunc cortex_a75_cpu_reg_dump`

			`declare_cpu_ops cortex_a75, CORTEX_A75_MIDR, \`
Implement support for the Activity Monitor Unit on Cortex A75 The Cortex A75 has 5 AMU counters. The first three counters are fixed and the remaining two are programmable. A new build option is introduced, `ENABLE_AMU`. When set, the fixed counters will be enabled for use by lower ELs. The programmable counters are currently disabled. Change-Id: I4bd5208799bb9ed7d2596e8b0bfc87abbbe18740 Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com> 2017-10-16 11:40:10 +01:00			`cortex_a75_reset_func, \`
Add support for Cortex-A75 and Cortex-A55 CPUs Both Cortex-A75 and Cortex-A55 CPUs use the ARM DynamIQ Shared Unit (DSU). The power-down and power-up sequences are therefore mostly managed in hardware, and required software operations are considerably simpler. Change-Id: I68b30e6e1ebe7c041d5e67f39c59f08575fc7ecc Co-authored-by: Sandrine Bailleux <sandrine.bailleux@arm.com> Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com> 2016-11-09 16:29:02 +00:00			`cortex_a75_core_pwr_dwn`