Commit Graph

288 Commits

Author SHA1 Message Date
Antonio Nino Diaz 5a22e461b5 Fix MISRA defects in log helpers
No functional changes.

Change-Id: I850f08718abb69d5d58856b0e3de036266d8c2f4
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
2018-08-30 16:22:52 +01:00
Dimitris Papastamos dcf95e7e90
Merge pull request #1542 from antonio-nino-diaz-arm/an/bl31-misra
Some MISRA fixes in BL31, cci and smmu
2018-08-30 16:18:49 +01:00
Antonio Nino Diaz 819df3fc09 Fix MISRA defects in some common headers
Change-Id: I8fbb4c785e7e07c7241e0c399a9b65161985c9df
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
2018-08-30 09:22:33 +01:00
Antonio Nino Diaz 3e530d8ea8 backtrace: Print backtrace in assert() and panic()
When any of these functions is called the backtrace will be printed to
the console.

Change-Id: Id60842df824b320c485a9323ed6b80600f4ebe35
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
2018-08-30 09:21:53 +01:00
Douglas Raillard 0c62883f7e backtrace: Introduce backtrace function
This function diplays the backtrace, the current EL and security state
to allow a post-processing tool to choose the right binary to interpret
the dump.

The output can be fed to GNU addr2line to resolve function names given
an ELF binary compiled with debug information. The "-i" flag is
recommended to improve display in case of inlined functions. The *.dump
files generated during the build process can also be used.

The function works in AArch64 and AArch32. In AArch32 it only works in
A32 mode (without T32 interworking), which is enforced in the Makefile.

Sample output of a backtrace at EL3:

    BACKTRACE: START: function_name
    0: EL3: 0x798
    1: EL3: 0x538
    2: EL3: 0x550
    3: EL3: 0x55c
    4: EL3: 0x568
    5: EL3: 0x5a8
    6: EL3: 0xf4
    BACKTRACE: END: function_name

In order to enable it the new option ENABLE_BACKTRACE must be set to 1.
This option is set to 1 by default only in AArch64 debug builds. As
usual, it can be overridden by the platform makefile and in the build
command line.

Change-Id: Icaff39b0e5188329728be2f3c72b868b2368e794
Co-authored-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Signed-off-by: Douglas Raillard <douglas.raillard@arm.com>
2018-08-30 09:21:53 +01:00
Antonio Nino Diaz 870ce3ddd3 libc: Move tf_printf and tf_snprintf to libc
Change their names to printf and snprintf. They are much smaller than
the previous versions we had, which makes them better suited for the
Trusted Firmware.

Change-Id: Ia872af91b7b967c47fce012eccecede7873a3daf
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
2018-08-22 10:26:05 +01:00
Antonio Nino Diaz cb6dbfe3dc tf_printf: Return number of printed characters
The C standard says that printf() has to return the number of characters
it has printed.

Change-Id: I0ef50b1d6766d140724ac0a2fa2c5d023431f984
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
2018-08-22 10:26:05 +01:00
Antonio Nino Diaz 93c78ed231 libc: Fix all includes in codebase
The codebase was using non-standard headers. It is needed to replace
them by the correct ones so that we can use the new libc headers.

Change-Id: I530f71d9510cb036e69fe79823c8230afe890b9d
Acked-by: Sumit Garg <sumit.garg@linaro.org>
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
2018-08-22 10:26:05 +01:00
Jeenu Viswambharan b634fa910e SiP: MISRA fixes for execution state switch
These changes address most of the required MISRA rules. In the process,
some from generic code is also fixed.

No functional changes.

Change-Id: I707dbec9b34b802397e99da2f5ae738165d6feba
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
2018-08-20 09:05:39 +01:00
Roberto Vargas 5accce5bcc Add support for romlib in the build system
Romlib is a new image that is stored in ROM and contains the code of
several libraries that can be shared between different images. All
the functions within in the library are accessed using a jump table
which allows to update the romlib image whithout changing the binary
compatibility. This jump table can be also stored in RAM and it can
allow to patch a romlib with potential bugs fixes..

Change-Id: If980ccdaca24b7aaca900e32acc68baf6f94ab35
Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
2018-08-03 11:31:42 +01:00
Sandrine Bailleux cf24229e6e Run compiler on debug macros for type checking
Even if the log output is too low for a message to be printed out on
the console by the debug macros, it should still be evaluated by the
compiler to get some type checking and validation of the format
specifiers. To do so, introduce the no_tf_log() macro that encloses
the call to tf_log() in an always-false condition.

This avoids the problem of discovering build issues only when we build
the firmware with the right LOG_LEVEL value.

Change-Id: Ic0fd252ab691d0187fd925756a4837aca1cbfd7b
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
2018-07-13 11:31:05 +02:00
Roberto Vargas a9203edae7 Add end_vector_entry assembler macro
Check_vector_size checks if the size of the vector fits
in the size reserved for it. This check creates problems in
the Clang assembler. A new macro, end_vector_entry, is added
and check_vector_size is deprecated.

This new macro fills the current exception vector until the next
exception vector. If the size of the current vector is bigger
than 32 instructions then it gives an error.

Change-Id: Ie8545cf1003a1e31656a1018dd6b4c28a4eaf671
Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
2018-07-11 09:23:00 +01:00
Roberto Vargas b2805dabaa Remove .func and .endfunc assembler directives
These directives are only used when stabs debugging information
is used, but we use ELF which uses DWARF debugging information.
Clang assembler doesn't support these directives, and removing
them makes the code more compatible with clang.

Change-Id: I2803f22ebd24c0fe248e04ef1b17de9cec5f89c4
Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
2018-07-11 09:22:56 +01:00
Dimitris Papastamos d48f193d11
Merge pull request #1429 from jeenu-arm/mmu-direct
Enable MMU without stack for xlat v2/DynamIQ
2018-06-27 12:59:47 +01:00
Jeenu Viswambharan 0cc7aa8964 xlat v2: Split MMU setup and enable
At present, the function provided by the translation library to enable
MMU constructs appropriate values for translation library, and programs
them to the right registers. The construction of initial values,
however, is only required once as both the primary and secondaries
program the same values.

Additionally, the MMU-enabling function is written in C, which means
there's an active stack at the time of enabling MMU. On some systems,
like Arm DynamIQ, having active stack while enabling MMU during warm
boot might lead to coherency problems.

This patch addresses both the above problems by:

  - Splitting the MMU-enabling function into two: one that sets up
    values to be programmed into the registers, and another one that
    takes the pre-computed values and writes to the appropriate
    registers. With this, the primary effectively calls both functions
    to have the MMU enabled, but secondaries only need to call the
    latter.

  - Rewriting the function that enables MMU in assembly so that it
    doesn't use stack.

This patch fixes a bunch of MISRA issues on the way.

Change-Id: I0faca97263a970ffe765f0e731a1417e43fbfc45
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
2018-06-27 11:31:30 +01:00
Antonio Nino Diaz 4ab2c0a49d Document ep_info attribute flags
The meaning of them wasn't clear in the header file, it was needed to
search the code for the places where they are used.

Add parentheses to macros in the same header.

Change-Id: I700bc0fd75ccfc0a34f439cb3b2692861bb73b9b
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
2018-06-26 21:43:00 +01:00
Daniel Boulby d3775d46a4 Fix MISRA Rule 5.3 Part 1
Conflict with function name and variable name within that function.
Change the name of the function from image_size to get_image_size
to remove conflict and make the function fit the normal project
naming convention.

Rule 5.3:  An identifier declared in an inner scope shall not
           hide an identifier declared in an outer scope

Fixed For:
    make LOG_LEVEL=50 PLAT=fvp

Change-Id: I1a63d2730113e2741fffa79730459c584b0224d7
Signed-off-by: Daniel Boulby <daniel.boulby@arm.com>
2018-06-12 13:21:36 +01:00
Dimitris Papastamos 0d018306d4
Merge pull request #1386 from soby-mathew/sm/dyn_bl31
Extend dynamic configuration
2018-05-23 12:45:13 +01:00
Qixiang Xu 79c17995aa Correct some typo errors in comment
File: include/common/aarch64/el3_common_macros.S

Change-Id: I619401e961a3f627ad8864781b5f90bc747c3ddb
Signed-off-by: Qixiang Xu <qixiang.xu@arm.com>
2018-05-22 16:19:17 +08:00
Soby Mathew 209a60cca5 Allow disabling authentication dynamically
This patch allows platforms to dynamically disable authentication of
images during cold boot. This capability is controlled via the
DYN_DISABLE_AUTH build flag and is only meant for development
purposes.

Change-Id: Ia3df8f898824319bb76d5cc855b5ad6c3d227260
Signed-off-by: Soby Mathew <soby.mathew@arm.com>
2018-05-18 12:26:37 +01:00
Jeenu Viswambharan 14c6016ad5 AArch64: Introduce RAS handling
RAS extensions are mandatory for ARMv8.2 CPUs, but are also optional
extensions to base ARMv8.0 architecture.

This patch adds build system support to enable RAS features in ARM
Trusted Firmware. A boolean build option RAS_EXTENSION is introduced for
this.

With RAS_EXTENSION, an Exception Synchronization Barrier (ESB) is
inserted at all EL3 vector entry and exit. ESBs will synchronize pending
external aborts before entering EL3, and therefore will contain and
attribute errors to lower EL execution. Any errors thus synchronized are
detected via. DISR_EL1 register.

When RAS_EXTENSION is set to 1, HANDLE_EL3_EA_FIRST must also be set to 1.

Change-Id: I38a19d84014d4d8af688bd81d61ba582c039383a
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
2018-05-04 08:33:17 +01:00
Antonio Nino Diaz 2f37046524 Add support for the SMC Calling Convention 2.0
Due to differences in the bitfields of the SMC IDs, it is not possible
to support SMCCC 1.X and 2.0 at the same time.

The behaviour of `SMCCC_MAJOR_VERSION` has changed. Now, it is a build
option that specifies the major version of the SMCCC that the Trusted
Firmware supports. The only two allowed values are 1 and 2, and it
defaults to 1. The value of `SMCCC_MINOR_VERSION` is derived from it.

Note: Support for SMCCC v2.0 is an experimental feature to enable
prototyping of secure partition specifications. Support for this
convention is disabled by default and could be removed without notice.

Change-Id: I88abf9ccf08e9c66a13ce55c890edea54d9f16a7
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
2018-04-23 15:43:29 +01:00
Dimitris Papastamos 336ece6a87
Merge pull request #1357 from antonio-nino-diaz-arm/an/fix-misra
Fix some MISRA defects in SPM code
2018-04-18 10:54:26 +01:00
Antonio Nino Diaz b3323cd6bd Fix some MISRA defects in SPM code
Change-Id: I989c1f4aef8e3cb20d5d19e6347575e6449bb60b
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
2018-04-17 15:10:18 +01:00
Dimitris Papastamos 8b37120065
Merge pull request #1356 from robertovargas-arm/misra-changes
Misra changes
2018-04-16 15:04:28 +01:00
Roberto Vargas 735181b634 Fix MISRA rule 8.3 Part 4
Rule 8.3: All declarations of an object or function shall
          use the same names and type qualifiers

Fixed for:
	make DEBUG=1 PLAT=fvp SPD=tspd TRUSTED_BOARD_BOOT=1 \
	     GENERATE_COT=1 ARM_ROTPK_LOCATION=devel_rsa \
	     ROT_KEY=arm_rotprivk_rsa.pem MBEDTLS_DIR=mbedtls all

Change-Id: Ia34fe1ae1f142e89c9a6c19831e3daf4d28f5831
Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
2018-04-13 14:01:56 +01:00
Jiafei Pan b4ad976844 fix instruction address range limitation
For the adr instruction, it require the label's offset from the
address of this instruction must be in the range +/-1MB. If the
option "BL2_IN_XIP_MEM" is set to '1', in some cases, BL2's RW
memory will not in the range of +/-1MB from BL2's RO memory region.
so we need to use ldr instruction to cover this case.

Signed-off-by: Jiafei Pan <Jiafei.Pan@nxp.com>
2018-04-07 10:13:59 +08:00
Jiafei Pan 7d173fc594 Add support for BL2 in XIP memory
In some use-cases BL2 will be stored in eXecute In Place (XIP) memory,
like BL1. In these use-cases, it is necessary to initialize the RW sections
in RAM, while leaving the RO sections in place. This patch enable this
use-case with a new build option, BL2_IN_XIP_MEM. For now, this option
is only supported when BL2_AT_EL3 is 1.

Signed-off-by: Jiafei Pan <Jiafei.Pan@nxp.com>
2018-04-07 10:12:21 +08:00
Joel Hutton 9f85f9e379 Clean usage of void pointers to access symbols
Void pointers have been used to access linker symbols, by declaring an
extern pointer, then taking the address of it. This limits symbols
values to aligned pointer values. To remove this restriction an
IMPORT_SYM macro has been introduced, which declares it as a char
pointer and casts it to the required type.

Change-Id: I89877fc3b13ed311817bb8ba79d4872b89bfd3b0
Signed-off-by: Joel Hutton <Joel.Hutton@Arm.com>
2018-03-27 13:20:27 +01:00
Antonio Nino Diaz 085e80ec11 Rename 'smcc' to 'smccc'
When the source code says 'SMCC' it is talking about the SMC Calling
Convention. The correct acronym is SMCCC. This affects a few definitions
and file names.

Some files have been renamed (smcc.h, smcc_helpers.h and smcc_macros.S)
but the old files have been kept for compatibility, they include the
new ones with an ERROR_DEPRECATED guard.

Change-Id: I78f94052a502436fdd97ca32c0fe86bd58173f2f
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
2018-03-21 10:49:27 +00:00
Roberto Vargas 1af540ef2a Fix MISRA rule 8.4 Part 1
Rule 8.4: A compatible declaration shall be visible when
          an object or function with external linkage is defined

Fixed for:
	make DEBUG=1 PLAT=fvp LOG_LEVEL=50 all

Change-Id: I7c2ad3f5c015411c202605851240d5347e4cc8c7
Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
2018-02-28 17:19:55 +00:00
Roberto Vargas 7fabe1a899 Fix MISRA rule 8.4 in common code
Rule 8.4: A compatible declaration shall be visible when
          an object or function with external linkage is defined.

Change-Id: I26e042cb251a6f9590afa1340fdac73e42f23979
Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
2018-02-28 17:18:46 +00:00
Roberto Vargas 9fb8af33c4 Fix MISRA rule 8.3 in common code
Rule 8.3: All declarations of an object or function shall
          use the same names and type qualifiers.

Change-Id: Iff384187c74a598a4e73f350a1893b60e9d16cec
Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
2018-02-28 17:18:21 +00:00
Soby Mathew da5f274572 Dynamic cfg: MISRA fixes
Change-Id: I1d85b76af002b8b672fcaeca94939b7420bc8243
Signed-off-by: Soby Mathew <soby.mathew@arm.com>
2018-02-26 16:31:11 +00:00
Soby Mathew cab0b5b045 ARM Platforms: Load HW_CONFIG in BL2
The patch adds the necessary changes to load HW_CONFIG in BL2 for
ARM Platforms :

1. The load address of HW_CONFIG is specified via the `hw_config_addr`
property in TB_FW_CONFIG is loaded by BL1. The `hw_config_max_size`
property defines the maximum size to be expected for the HW_CONFIG.
The `arm_dyn_cfg_helpers.c` and corresponding header implements
utility functions to parse these DT properties defined.
The `arm_dyn_cfg.c` implements wrappers to these helpers to enable
them to be invoked from ARM platform layer.

2. `HW_CONFIG` is added to the `bl2_mem_params_descs[]` array which is
the list of images to be loaded by BL2.

3. The `libfdt` sources are now included when BL2 is built

4. A new helper `populate_next_bl_params_config()` is introduced in
desc_image_load.c to populate the subsequent executable BL images
with the `hw_config` and the corresponding `fw_config` if available.
The `plat_get_next_bl_params()` API for ARM platforms is modified to
invoke this new helper.

5. The implementation of `bl2_early_platform_setup2()` is modified to
consider `arg0` as well in addition to `arg1` passed from BL1.

6. Bump up the BL2 size for Juno to accommodate the inclusion of libfdt.

Change-Id: I80f1554adec41753e0d179a5237364f04fe13a3f
Signed-off-by: Soby Mathew <soby.mathew@arm.com>
2018-02-26 16:31:11 +00:00
Soby Mathew e5674e1fd6 Dynamic cfg: Introduce fdt wrappers
Change-Id: I9b1cdaf2430a1998a69aa366ea1461224a3d43dc
Co-Authoured-by: Jeenu Viswambharan <Jeenu.Viswambharan@arm.com>
Signed-off-by: Soby Mathew <soby.mathew@arm.com>
2018-02-26 16:31:11 +00:00
Soby Mathew bf9ce61be0 Add dynamic config image IDs
Change-Id: I147031dea9487dc1976e31ad40c89b221e44edbc
Signed-off-by: Soby Mathew <soby.mathew@arm.com>
2018-02-26 16:31:11 +00:00
Soby Mathew 6d31020e90 Dynamic cfg: Add HW and TB_FW configs to CoT
This patch adds image IDs to `hw_config` and `tb_fw_config` and
includes them in the default Chain Of Trust (CoT).

Change-Id: If7bb3e9be8a5e48be76614b35bf43d58fc7fed12
Signed-off-by: Soby Mathew <soby.mathew@arm.com>
2018-02-26 16:31:10 +00:00
davidcunado-arm 5b75b4a725
Merge pull request #1173 from etienne-lms/armv7-qemu
support to boot OP-TEE on AArch32/Armv7+example with Cortex-A15/Qemu
2018-02-07 11:57:19 +08:00
Etienne Carriere 3fe81dcf5d aarch32: use lr as bl32 boot argument on aarch32 only systems
Add 'lr_svc' as a boot parameter in AArch32 bl1. This is used by Optee
and Trusty to get the non-secure entry point on AArch32 platforms.

This change is not ported in AArch64 mode where the BL31, not BL32,
is in charge of booting the non secure image (BL33).

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
2018-02-02 13:16:18 +01:00
Masahiro Yamada 2e379d2f1b image_decompress: add APIs for decompressing images
These APIs are used by platforms that need to decompress images.

image_decompress_init():
  This registers a temporary buffer and a decompressor callback.
  This should be called from platform init code.

image_decompress_prepare():
  This should be called before each compressed image is loaded.  The
  best location to call this will be bl*_plat_handle_pre_image_load().

image_decompress():
  This should be called after each compressed image is loaded.  The
  best location to call this will be bl*_plat_handle_post_image_load().

Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
2018-02-02 00:19:08 +09:00
davidcunado-arm d95eb476d5
Merge pull request #1228 from dp-arm/dp/cve_2017_5715
Workarounds for CVE-2017-5715 on A9/A15 and A17 + serial console reporting
2018-01-25 00:06:50 +00:00
davidcunado-arm 040f1e6987
Merge pull request #1193 from jwerner-chromium/JW_coreboot
New console API and coreboot support [v4]
2018-01-24 14:31:53 +00:00
davidcunado-arm 0d3a27e7f6
Merge pull request #1200 from robertovargas-arm/bl2-el3
Add BL2_AT_EL3 build option
2018-01-19 13:40:12 +00:00
Dimitris Papastamos 7343505d96 sp_min: Implement workaround for CVE-2017-5715
This patch introduces two workarounds for ARMv7 systems.  The
workarounds need to be applied prior to any `branch` instruction in
secure world.  This is achieved using a custom vector table where each
entry is an `add sp, sp, #1` instruction.

On entry to monitor mode, once the sequence of `ADD` instructions is
executed, the branch target buffer (BTB) is invalidated.  The bottom
bits of `SP` are then used to decode the exception entry type.

A side effect of this change is that the exception vectors are
installed before the CPU specific reset function.  This is now
consistent with how it is done on AArch64.

Note, on AArch32 systems, the exception vectors are typically tightly
integrated with the secure payload (e.g. the Trusted OS).  This
workaround will need porting to each secure payload that requires it.

The patch to modify the AArch32 per-cpu vbar to the corresponding
workaround vector table according to the CPU type will be done in a
later patch.

Change-Id: I5786872497d359e496ebe0757e8017fa98f753fa
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>
2018-01-18 10:36:18 +00:00
Roberto Vargas d1f7292e43 Mark functions defined in assembly files
This patch change the name of the section containing the functions
defined in assembly files from text.* to text.asm.*. This change
makes possible to select in the linker script the functions
defined in those files.

Change-Id: If35e44ef1b43ffd951dfac5e052db75d7198e2e0
Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
2018-01-18 09:57:16 +00:00
Roberto Vargas b1d27b484f bl2-el3: Add BL2_EL3 image
This patch enables BL2 to execute at the highest exception level
without any dependancy on TF BL1. This enables platforms which already
have a non-TF Boot ROM to directly load and execute BL2 and subsequent BL
stages without need for BL1.  This is not currently possible because
BL2 executes at S-EL1 and cannot jump straight to EL3.

Change-Id: Ief1efca4598560b1b8c8e61fbe26d1f44e929d69
Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
2018-01-18 09:42:35 +00:00
Dimitris Papastamos f62ad32269 Workaround for CVE-2017-5715 on Cortex A57 and A72
Invalidate the Branch Target Buffer (BTB) on entry to EL3 by disabling
and enabling the MMU.  To achieve this without performing any branch
instruction, a per-cpu vbar is installed which executes the workaround
and then branches off to the corresponding vector entry in the main
vector table.  A side effect of this change is that the main vbar is
configured before any reset handling.  This is to allow the per-cpu
reset function to override the vbar setting.

This workaround is enabled by default on the affected CPUs.

Change-Id: I97788d38463a5840a410e3cea85ed297a1678265
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>
2018-01-11 10:26:15 +00:00
Julius Werner 9536bae6df Add new function-pointer-based console API
This patch overhauls the console API to allow for multiple console
instances of different drivers that are active at the same time. Instead
of binding to well-known function names (like console_core_init),
consoles now provide a register function (e.g. console_16550_register())
that will hook them into the list of active consoles. All console
operations will be dispatched to all consoles currently in the list.

The new API will be selected by the build-time option MULTI_CONSOLE_API,
which defaults to ${ERROR_DEPRECATED} for now. The old console API code
will be retained to stay backwards-compatible to older platforms, but
should no longer be used for any newly added platforms and can hopefully
be removed at some point in the future.

The new console API is intended to be used for both normal (bootup) and
crash use cases, freeing platforms of the need to set up the crash
console separately. Consoles can be individually configured to be active
active at boot (until first handoff to EL2), at runtime (after first
handoff to EL2), and/or after a crash. Console drivers should set a sane
default upon registration that can be overridden with the
console_set_scope() call. Code to hook up the crash reporting mechanism
to this framework will be added with a later patch.

This patch only affects AArch64, but the new API could easily be ported
to AArch32 as well if desired.

Change-Id: I35c5aa2cb3f719cfddd15565eb13c7cde4162549
Signed-off-by: Julius Werner <jwerner@chromium.org>
2017-12-12 15:00:34 -08:00
davidcunado-arm 211d307c6b
Merge pull request #1178 from davidcunado-arm/dc/enable_sve
Enable SVE for Non-secure world
2017-12-11 12:29:47 +00:00
Soby Mathew 76163b3a7a Unify cache flush code path after image load
Previously the cache flush happened in 2 different places in code
depending on whether TRUSTED_BOARD_BOOT is enabled or not. This
patch unifies this code path for both the cases. The `load_image()`
function is now made an internal static function.

Change-Id: I96a1da29d29236bbc34b1c95053e6a9a7fc98a54
Signed-off-by: Soby Mathew <soby.mathew@arm.com>
2017-12-05 16:04:45 +00:00
David Cunado 1a853370ff Enable SVE for Non-secure world
This patch adds a new build option, ENABLE_SVE_FOR_NS, which when set
to one EL3 will check to see if the Scalable Vector Extension (SVE) is
implemented when entering and exiting the Non-secure world.

If SVE is implemented, EL3 will do the following:

- Entry to Non-secure world: SIMD, FP and SVE functionality is enabled.

- Exit from Non-secure world: SIMD, FP and SVE functionality is
  disabled. As SIMD and FP registers are part of the SVE Z-registers
  then any use of SIMD / FP functionality would corrupt the SVE
  registers.

The build option default is 1. The SVE functionality is only supported
on AArch64 and so the build option is set to zero when the target
archiecture is AArch32.

This build option is not compatible with the CTX_INCLUDE_FPREGS - an
assert will be raised on platforms where SVE is implemented and both
ENABLE_SVE_FOR_NS and CTX_INCLUDE_FPREGS are set to 1.

Also note this change prevents secure world use of FP&SIMD registers on
SVE-enabled platforms. Existing Secure-EL1 Payloads will not work on
such platforms unless ENABLE_SVE_FOR_NS is set to 0.

Additionally, on the first entry into the Non-secure world the SVE
functionality is enabled and the SVE Z-register length is set to the
maximum size allowed by the architecture. This includes the use case
where EL2 is implemented but not used.

Change-Id: Ie2d733ddaba0b9bef1d7c9765503155188fe7dae
Signed-off-by: David Cunado <david.cunado@arm.com>
2017-11-30 17:45:09 +00:00
davidcunado-arm 71f8a6a9b0
Merge pull request #1145 from etienne-lms/rfc-armv7-2
Support ARMv7 architectures
2017-11-23 23:41:24 +00:00
Dimitris Papastamos 281a08cc64 Refactor Statistical Profiling Extensions implementation
Factor out SPE operations in a separate file.  Use the publish
subscribe framework to drain the SPE buffers before entering secure
world.  Additionally, enable SPE before entering normal world.

A side effect of this change is that the profiling buffers are now
only drained when a transition from normal world to secure world
happens.  Previously they were drained also on return from secure
world, which is unnecessary as SPE is not supported in S-EL1.

Change-Id: I17582c689b4b525770dbb6db098b3a0b5777b70a
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>
2017-11-20 09:55:01 +00:00
Antonio Nino Diaz 2fccb22804 SPM: Introduce Secure Partition Manager
A Secure Partition is a software execution environment instantiated in
S-EL0 that can be used to implement simple management and security
services. Since S-EL0 is an unprivileged exception level, a Secure
Partition relies on privileged firmware e.g. ARM Trusted Firmware to be
granted access to system and processor resources. Essentially, it is a
software sandbox that runs under the control of privileged software in
the Secure World and accesses the following system resources:

- Memory and device regions in the system address map.
- PE system registers.
- A range of asynchronous exceptions e.g. interrupts.
- A range of synchronous exceptions e.g. SMC function identifiers.

A Secure Partition enables privileged firmware to implement only the
absolutely essential secure services in EL3 and instantiate the rest in
a partition. Since the partition executes in S-EL0, its implementation
cannot be overly complex.

The component in ARM Trusted Firmware responsible for managing a Secure
Partition is called the Secure Partition Manager (SPM). The SPM is
responsible for the following:

- Validating and allocating resources requested by a Secure Partition.
- Implementing a well defined interface that is used for initialising a
  Secure Partition.
- Implementing a well defined interface that is used by the normal world
  and other secure services for accessing the services exported by a
  Secure Partition.
- Implementing a well defined interface that is used by a Secure
  Partition to fulfil service requests.
- Instantiating the software execution environment required by a Secure
  Partition to fulfil a service request.

Change-Id: I6f7862d6bba8732db5b73f54e789d717a35e802f
Co-authored-by: Douglas Raillard <douglas.raillard@arm.com>
Co-authored-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
Co-authored-by: Achin Gupta <achin.gupta@arm.com>
Co-authored-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
2017-11-08 18:05:14 +00:00
Etienne Carriere 64cc6e91e8 ARMv7 may not support Virtualization Extensions
ARMv7-A Virtualization extensions brings new instructions and resources
that were supported by later architectures. Reference ARM ARM Issue C.c
[DDI0406C_C].

ERET and extended MSR/MRS instructions, as specified in [DDI0406C_C] in
ID_PFR1 description of bits[15:12] (Virtualization Extensions):
 A value of 0b0001 implies implementation of the HVC, ERET, MRS
 (Banked register), and MSR (Banked register) instructions. The ID_ISARs
 do not identify whether these instructions are implemented.

UDIV/SDIV were introduced with the Virtualization extensions, even if
not strictly related to the virtualization extensions.

If ARMv7 based platform does not set ARM_CORTEX_Ax=yes, platform
shall define ARMV7_SUPPORTS_VIRTUALIZATION to enable virtualization
extension related resources.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
2017-11-08 14:38:33 +01:00
Etienne Carriere 908cf70597 ARMv7 does not support SDCR
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
2017-11-08 13:49:32 +01:00
Etienne Carriere 0147bef523 ARMv7 does not support STL instruction
Also need to add a SEV instruction in ARMv7 spin_unlock which
is implicit in ARMv8.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
2017-11-08 13:49:29 +01:00
Jeenu Viswambharan c639e8ebee GIC: Allow specifying interrupt properties
The GIC driver initialization currently allows an array of interrupts to
be configured as secure. Future use cases would require more interrupt
configuration other than just security, such as priority.

This patch introduces a new interrupt property array as part of both
GICv2 and GICv3 driver data. The platform can populate the array with
interrupt numbers and respective properties. The corresponding driver
initialization iterates through the array, and applies interrupt
configuration as required.

This capability, and the current way of supplying array (or arrays, in
case of GICv3) of secure interrupts, are however mutually exclusive.
Henceforth, the platform should supply either:

  - A list of interrupts to be mapped as secure (the current way).
    Platforms that do this will continue working as they were. With this
    patch, this scheme is deprecated.

  - A list of interrupt properties (properties include interrupt group).
    Individual interrupt properties are specified via. descriptors of
    type 'interrupt_prop_desc_t', which can be populated with the macro
    INTR_PROP_DESC().

A run time assert checks that the platform doesn't specify both.

Henceforth the old scheme of providing list of secure interrupts is
deprecated. When built with ERROR_DEPRECATED=1, GIC drivers will require
that the interrupt properties are supplied instead of an array of secure
interrupts.

Add a section to firmware design about configuring secure interrupts.

Fixes ARM-software/tf-issues#262

Change-Id: I8eec29e72eb69dbb6bce77879febf32c95376942
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
2017-10-16 16:50:02 +01:00
Soby Mathew 7f56e9a31c Implement log framework
This patch gives users control over logging messages printed from the C
code using the LOG macros defined in debug.h Users now have the ability
to reduce the log_level at run time using the tf_log_set_max_level()
function. The default prefix string can be defined by platform by
overriding the `plat_log_get_prefix()` platform API which is also
introduced in this patch.

The new log framework results in saving of some RO data. For example,
when BL1 is built for FVP with LOG_LEVEL=LOG_LEVEL_VERBOSE, resulted
in saving 384 bytes of RO data and increase of 8 bytes of RW data. The
framework also adds about 108 bytes of code to the release build of FVP.

Fixes ARM-software/tf-issues#462

Change-Id: I476013d9c3deedfdd4c8b0b0f125665ba6250554
Co-authored-by: Eleanor Bonnici <Eleanor.bonnici@arm.com>
Signed-off-by: Soby Mathew <soby.mathew@arm.com>
2017-09-11 15:37:24 +01:00
Soby Mathew 2d7e82823d Introduce tf_vprintf() and tf_string_print()
This patch introduces tf_vprintf() and tf_string_print() APIs
which is needed by the logging framework introduced in a later
patch.

Change-Id: Ie4240443d0e04e070502b51e371e546dd469fd33
Signed-off-by: Soby Mathew <soby.mathew@arm.com>
2017-09-11 15:35:41 +01:00
davidcunado-arm 2867ca3707 Merge pull request #1078 from douglas-raillard-arm/dr/add_cfi_vector_entry
Add CFI debug info to vector entries
2017-09-07 00:45:59 +01:00
davidcunado-arm 413115e152 Merge pull request #1019 from etienne-lms/log-size
CPU_DATA_LOG2SIZE depends on cache line size
2017-09-07 00:40:59 +01:00
Etienne Carriere 86606eb51e cpu log buffer size depends on cache line size
Platform may use specific cache line sizes. Since CACHE_WRITEBACK_GRANULE
defines the platform specific cache line size, it is used to define the
size of the cpu data structure CPU_DATA_SIZE aligned on cache line size.

Introduce assembly macro 'mov_imm' for AArch32 to simplify implementation
of function '_cpu_data_by_index'.

Change-Id: Ic2d49ffe0c3e51649425fd9c8c99559c582ac5a1
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
2017-09-01 10:22:20 +02:00
Douglas Raillard 31823b6961 Add CFI debug info to vector entries
Add Call Frame Information assembler directives to vector entries so
that debuggers display the backtrace of functions that triggered a
synchronous exception. For example, a function triggering a data abort
will be easier to debug if the backtrace can be displayed from a
breakpoint at the beginning of the synchronous exception vector.

DS-5 needs CFI otherwise it will not attempt to display the backtrace.
Other debuggers might have other needs. These debug information are
stored in the ELF file but not in the final binary.

Change-Id: I32dc4e4b7af02546c93c1a45c71a1f6d710d36b1
Signed-off-by: Douglas Raillard <douglas.raillard@arm.com>
2017-08-31 13:33:37 +01:00
Masahiro Yamada fed18b3aec asm_macros: set the default assembly code alignment to 4 byte
Assembly routines are usually defined by using "func" and "endfunc":

    func foo
      ...
    endfunc foo

Currently, the "func" macro does not specify ".align" directive
by default.  It causes unaligned instruction under some circumstances.

As far as I tested, this problem happens for GCC 5 or older.  It did
not happen for GCC 6 or newer.  Taking into account that GCC 4.x / 5.x
is still used, make sure that assembly code is at least 4 byte aligned.

[ How to reproduce the problem ]

For example, use GCC 5.3 downloaded from Linaro:
http://releases.linaro.org/components/toolchain/binaries/5.3-2016.05/
aarch64-linux-gnu/gcc-linaro-5.3.1-2016.05-x86_64_aarch64-linux-gnu.tar.xz

Expand mbedtls-2.4.2 to the current directory.

Try the following:

  $ git log --oneline -1
  77544ef Merge pull request #1071 from jeenu-arm/syntax-fix
  $ aarch64-linux-gnu-gcc --version | head -1
  aarch64-linux-gnu-gcc (Linaro GCC 5.3-2016.05) 5.3.1 20160412
  $ make CROSS_COMPILE=aarch64-linux-gnu- PLAT=uniphier \
    TRUSTED_BOARD_BOOT=1 MBEDTLS_DIR=mbedtls-2.4.2
    ( snip build log )
  $ aarch64-linux-gnu-nm build/uniphier/release/bl1/bl1.elf | grep handler
  00000000800088f4 T bl1_fwu_smc_handler
  00000000800084c8 T bl1_smc_handler
  000000008000a6e0 t _panic_handler
  000000008000a8e0 W plat_error_handler
  000000008000a8e8 W plat_panic_handler
  000000008000a8d8 W plat_reset_handler
  000000008000a39f T reset_handler
  000000008000a367 t smc_handler
  000000008000a2ef t smc_handler64

You will notice "smc_handler64", "reset_handler", etc. are not properly
aligned.

Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
2017-08-31 18:45:19 +09:00
Julius Werner 64726e6d61 Add new alignment parameter to func assembler macro
Assembler programmers are used to being able to define functions with a
specific aligment with a pattern like this:

    .align X
  myfunction:

However, this pattern is subtly broken when instead of a direct label
like 'myfunction:', you use the 'func myfunction' macro that's standard
in Trusted Firmware. Since the func macro declares a new section for the
function, the .align directive written above it actually applies to the
*previous* section in the assembly file, and the function it was
supposed to apply to is linked with default alignment.

An extreme case can be seen in Rockchip's plat_helpers.S which contains
this code:

  [...]
  endfunc plat_crash_console_putc

  .align 16
  func platform_cpu_warmboot
  [...]

This assembles into the following plat_helpers.o:

  Sections:
  Idx Name                             Size  [...]  Algn
   9 .text.plat_crash_console_putc 00010000  [...]  2**16
  10 .text.platform_cpu_warmboot   00000080  [...]  2**3

As can be seen, the *previous* function actually got the alignment
constraint, and it is also 64KB big even though it contains only two
instructions, because the .align directive at the end of its section
forces the assembler to insert a giant sled of NOPs. The function we
actually wanted to align has the default constraint. This code only
works at all because the linker just happens to put the two functions
right behind each other when linking the final image, and since the end
of plat_crash_console_putc is aligned the start of platform_cpu_warmboot
will also be. But it still wastes almost 64KB of image space
unnecessarily, and it will break under certain circumstances (e.g. if
the plat_crash_console_putc function becomes unused and its section gets
garbage-collected out).

There's no real way to fix this with the existing func macro. Code like

 func myfunc
 .align X

happens to do the right thing, but is still not really correct code
(because the function label is inserted before the .align directive, so
the assembler is technically allowed to insert padding at the beginning
of the function which would then get executed as instructions if the
function was called). Therefore, this patch adds a new parameter with a
default value to the func macro that allows overriding its alignment.

Also fix up all existing instances of this dangerous antipattern.

Change-Id: I5696a07e2fde896f21e0e83644c95b7b6ac79a10
Signed-off-by: Julius Werner <jwerner@chromium.org>
2017-08-15 16:37:08 -07:00
Summer Qin 71fb396440 Support Trusted OS firmware extra images in TF tools
Since Trusted OS firmware may have extra images, need to
assign new uuid and image id for them.
The TBBR chain of trust has been extended to add support
for the new images within the existing Trusted OS firmware
content certificate.

Change-Id: I678dac7ba1137e85c5779b05e0c4331134c10e06
Signed-off-by: Summer Qin <summer.qin@arm.com>
2017-08-09 18:06:05 +08:00
dp-arm d832aee900 aarch64: Enable Statistical Profiling Extensions for lower ELs
SPE is only supported in non-secure state.  Accesses to SPE specific
registers from SEL1 will trap to EL3.  During a world switch, before
`TTBR` is modified the SPE profiling buffers are drained.  This is to
avoid a potential invalid memory access in SEL1.

SPE is architecturally specified only for AArch64.

Change-Id: I04a96427d9f9d586c331913d815fdc726855f6b0
Signed-off-by: dp-arm <dimitris.papastamos@arm.com>
2017-06-22 10:33:19 +01:00
David Cunado 18f2efd67d Fully initialise essential control registers
This patch updates the el3_arch_init_common macro so that it fully
initialises essential control registers rather then relying on hardware
to set the reset values.

The context management functions are also updated to fully initialise
the appropriate control registers when initialising the non-secure and
secure context structures and when preparing to leave EL3 for a lower
EL.

This gives better alignement with the ARM ARM which states that software
must initialise RES0 and RES1 fields with 0 / 1.

This patch also corrects the following typos:

"NASCR definitions" -> "NSACR definitions"

Change-Id: Ia8940b8351dc27bc09e2138b011e249655041cfc
Signed-off-by: David Cunado <david.cunado@arm.com>
2017-06-21 17:57:54 +01:00
Varun Wadekar 030567e6f5 include: add U()/ULL() macros for constants
This patch uses the U() and ULL() macros for constants, to fix some
of the signed-ness defects flagged by the MISRA scanner.

Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>
2017-06-14 17:00:30 -07:00
davidcunado-arm 572e141327 Merge pull request #949 from antonio-nino-diaz-arm/an/printf-memory
Reduce code size when building with Trusted Board Boot enabled
2017-05-30 10:56:47 +01:00
Antonio Nino Diaz da5241cb15 Introduce `tf_snprintf`
This is a reduced version of `snprintf` that only supports formats '%d',
'%i' and '%u'. It can be used when the full `snprintf` is not needed in
order to save memory. If it finds an unknown format specifier, it
prints an error message and panics.

Change-Id: I2cb06fcdf74cda2c43caf73ae0762a91499fc04e
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
2017-05-24 10:47:05 +01:00
Masahiro Yamada 2a6c1a8f9a fip: move headers shared between TF and fiptool to include/tools_share
Some header files need to be shared between TF and host programs.
For fiptool, two headers are copied to the tools/fiptool directory,
but it looks clumsy.

This commit introduces a new directory, include/tools_share, which
collects headers that should be shared between TF and host programs.

This will clarify the interface exposed to host tools.  We should
add new headers to this directory only when we really need to do so.

For clarification, I inserted a blank line between headers from the
include/ directory (#include <...>) and ones from a local directory
(#include "..." ).

Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
2017-05-23 23:58:47 +09:00
dp-arm 82cb2c1ad9 Use SPDX license identifiers
To make software license auditing simpler, use SPDX[0] license
identifiers instead of duplicating the license text in every file.

NOTE: Files that have been imported by FreeBSD have not been modified.

[0]: https://spdx.org/

Change-Id: I80a00e1f641b8cc075ca5a95b10607ed9ed8761a
Signed-off-by: dp-arm <dimitris.papastamos@arm.com>
2017-05-03 09:39:28 +01:00
Scott Branden 0f22bef31d Merge branch 'integration' into tf_issue_461 2017-04-29 08:36:12 -07:00
Scott Branden 53d9c9c85b Move defines in utils.h to utils_def.h to fix shared header compile issues
utils.h is included in various header files for the defines in it.
Some of the other header files only contain defines.  This allows the
header files to be shared between host and target builds for shared defines.

Recently types.h has been included in utils.h as well as some function
prototypes.

Because of the inclusion of types.h conflicts exist building host tools
abd these header files now.  To solve this problem,
move the defines to utils_def.h and have this included by utils.h and
change header files to only include utils_def.h and not pick up the new
types.h being introduced.

Fixes ARM-software/tf-issues#461

Signed-off-by: Scott Branden <scott.branden@broadcom.com>

Remove utils_def.h from utils.h

This patch removes utils_def.h from utils.h as it is not required.
And also makes a minor change to ensure Juno platform compiles.

Change-Id: I10cf1fb51e44a8fa6dcec02980354eb9ecc9fa29
2017-04-29 08:30:05 -07:00
davidcunado-arm 484acce376 Merge pull request #910 from dp-arm/dp/AArch32-juno-port
Add AArch32 support for Juno
2017-04-21 17:10:27 +01:00
Yatharth Kochar dc787588a5 AArch32: Add support for ARM Cortex-A53/57/72 MPCore Processor
This patch adds AArch32 state support for ARM Cortex-A53,
Cortex-A57 and Cortex-A72 MPCore Processor in the CPU specific
operations framework.

NOTE: CPU errata handling code is not present in this patch.

Change-Id: I01eb3e028e40dde37565707ebc99e06e7a0c113d
Signed-off-by: Yatharth Kochar <yatharth.kochar@arm.com>
Signed-off-by: dp-arm <dimitris.papastamos@arm.com>
2017-04-20 15:05:21 +01:00
Antonio Nino Diaz 044bb2faab Remove build option `ASM_ASSERTION`
The build option `ENABLE_ASSERTIONS` should be used instead. That way
both C and ASM assertions can be enabled or disabled together.

All occurrences of `ASM_ASSERTION` in common code and ARM platforms have
been replaced by `ENABLE_ASSERTIONS`.

ASM_ASSERTION has been removed from the user guide.

Change-Id: I51f1991f11b9b7ff83e787c9a3270c274748ec6f
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
2017-04-20 09:58:28 +01:00
davidcunado-arm ed7562521b Merge pull request #886 from dp-arm/dp/stack-protector
Add support for GCC stack protection
2017-04-06 10:20:47 +01:00
Douglas Raillard 51faada71a Add support for GCC stack protection
Introduce new build option ENABLE_STACK_PROTECTOR. It enables
compilation of all BL images with one of the GCC -fstack-protector-*
options.

A new platform function plat_get_stack_protector_canary() is introduced.
It returns a value that is used to initialize the canary for stack
corruption detection. Returning a random value will prevent an attacker
from predicting the value and greatly increase the effectiveness of the
protection.

A message is printed at the ERROR level when a stack corruption is
detected.

To be effective, the global data must be stored at an address
lower than the base of the stacks. Failure to do so would allow an
attacker to overwrite the canary as part of an attack which would void
the protection.

FVP implementation of plat_get_stack_protector_canary is weak as
there is no real source of entropy on the FVP. It therefore relies on a
timer's value, which could be predictable.

Change-Id: Icaaee96392733b721fa7c86a81d03660d3c1bc06
Signed-off-by: Douglas Raillard <douglas.raillard@arm.com>
2017-03-31 13:58:48 +01:00
Soby Mathew 5dffb46c9c Re-factor header files for easier PSCI library integration
This patch re-factors the following headers to make it easier to
integrate the PSCI library with an AArch32 Secure Payload :

  *  bl_common.h : The entry point information and the param
     header data structures are factored out into separate
     headers ep_info.h and param_headers.h
  *  psci.h : The PSCI library interfaces are factored out
     into the new header psci_lib.h
  *  context_mgmt.h : The header file is modified to not include
     arch.h when compiled for AArch32 mode.

No functional changes are introduced by this patch.

Change-Id: I5e21a843c0af2ba8e47dee4e577cf95929be8cd4
Signed-off-by: Soby Mathew <soby.mathew@arm.com>
2017-03-27 15:53:44 +01:00
danh-arm 1a80e88526 Merge pull request #841 from dp-arm/dp/debug-regs
Disable secure self-hosted debug
2017-02-20 13:58:48 +00:00
dp-arm 85e93ba093 Disable secure self-hosted debug via MDCR_EL3/SDCR
Trusted Firmware currently has no support for secure self-hosted
debug.  To avoid unexpected exceptions, disable software debug
exceptions, other than software breakpoint instruction exceptions,
from all exception levels in secure state.  This applies to both
AArch32 and AArch64 EL3 initialization.

Change-Id: Id097e54a6bbcd0ca6a2be930df5d860d8d09e777
Signed-off-by: dp-arm <dimitris.papastamos@arm.com>
2017-02-15 09:37:33 +00:00
Douglas Raillard 308d359b26 Introduce unified API to zero memory
Introduce zeromem_dczva function on AArch64 that can handle unaligned
addresses and make use of DC ZVA instruction to zero a whole block at a
time. This zeroing takes place directly in the cache to speed it up
without doing external memory access.

Remove the zeromem16 function on AArch64 and replace it with an alias to
zeromem. This zeromem16 function is now deprecated.

Remove the 16-bytes alignment constraint on __BSS_START__ in
firmware-design.md as it is now not mandatory anymore (it used to comply
with zeromem16 requirements).

Change the 16-bytes alignment constraints in SP min's linker script to a
8-bytes alignment constraint as the AArch32 zeromem implementation is now
more efficient on 8-bytes aligned addresses.

Introduce zero_normalmem and zeromem helpers in platform agnostic header
that are implemented this way:
* AArch32:
	* zero_normalmem: zero using usual data access
	* zeromem: alias for zero_normalmem
* AArch64:
	* zero_normalmem: zero normal memory  using DC ZVA instruction
	                  (needs MMU enabled)
	* zeromem: zero using usual data access

Usage guidelines: in most cases, zero_normalmem should be preferred.

There are 2 scenarios where zeromem (or memset) must be used instead:
* Code that must run with MMU disabled (which means all memory is
  considered device memory for data accesses).
* Code that fills device memory with null bytes.

Optionally, the following rule can be applied if performance is
important:
* Code zeroing small areas (few bytes) that are not secrets should use
  memset to take advantage of compiler optimizations.

  Note: Code zeroing security-related critical information should use
  zero_normalmem/zeromem instead of memset to avoid removal by
  compilers' optimizations in some cases or misbehaving versions of GCC.

Fixes ARM-software/tf-issues#408

Change-Id: Iafd9663fc1070413c3e1904e54091cf60effaa82
Signed-off-by: Douglas Raillard <douglas.raillard@arm.com>
2017-02-06 17:01:39 +00:00
Jeenu Viswambharan b38bc68b9e Allow spin locks to be defined from assembly
At present, spin locks can only defined from C files. Add some macros
such that they can be defined from assembly files too.

Change-Id: I64f0c214062f5c15b3c8b412c7f25c908e87d970
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
2017-01-30 14:53:17 +00:00
Masahiro Yamada 3d8256b2a1 Use #ifdef for IMAGE_BL* instead of #if
One nasty part of ATF is some of boolean macros are always defined
as 1 or 0, and the rest of them are only defined under certain
conditions.

For the former group, "#if FOO" or "#if !FOO" must be used because
"#ifdef FOO" is always true.  (Options passed by $(call add_define,)
are the cases.)

For the latter, "#ifdef FOO" or "#ifndef FOO" should be used because
checking the value of an undefined macro is strange.

Here, IMAGE_BL* is handled by make_helpers/build_macro.mk like
follows:

  $(eval IMAGE := IMAGE_BL$(call uppercase,$(3)))

  $(OBJ): $(2)
          @echo "  CC      $$<"
          $$(Q)$$(CC) $$(TF_CFLAGS) $$(CFLAGS) -D$(IMAGE) -c $$< -o $$@

This means, IMAGE_BL* is defined when building the corresponding
image, but *undefined* for the other images.

So, IMAGE_BL* belongs to the latter group where we should use #ifdef
or #ifndef.

Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
2017-01-24 01:01:21 +09:00
danh-arm bd83b41a30 Merge pull request #791 from jeenu-arm/asm-assert-32
AArch32: Print ASM_ASSERT and panic messages
2016-12-20 17:00:32 +00:00
Sandrine Bailleux 99c5ebafbe Export is_mem_free() function
The is_mem_free() function used to be local to bl_common.c.
This patch exports it so that it can be used outside of bl_common.c.

Change-Id: I01dcb4229f3a36f56a4724b567c5e6c416dc5e98
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
2016-12-20 11:43:10 +00:00
Jeenu Viswambharan e12cb61f0e AArch32: Print ASM_ASSERT and panic messages
ASM_ASSERT failure and panic messages are suppressed at present. This
patch enables printing the PC location for panic messages, and file name
and line number upon assembly assert failure.

Change-Id: I80cb715988e7ce766f64da1e1d7065a74a096a0c
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
2016-12-19 11:57:12 +00:00
danh-arm 1b5fa6ef10 Merge pull request #774 from jeenu-arm/no-return-macro
Define and use no_ret macro where no return is expected
2016-12-12 14:29:01 +00:00
Jeenu Viswambharan a806dad58c Define and use no_ret macro where no return is expected
There are many instances in ARM Trusted Firmware where control is
transferred to functions from which return isn't expected. Such jumps
are made using 'bl' instruction to provide the callee with the location
from which it was jumped to. Additionally, debuggers infer the caller by
examining where 'lr' register points to. If a 'bl' of the nature
described above falls at the end of an assembly function, 'lr' will be
left pointing to a location outside of the function range. This misleads
the debugger back trace.

This patch defines a 'no_ret' macro to be used when jumping to functions
from which return isn't expected. The macro ensures to use 'bl'
instruction for the jump, and also, for debug builds, places a 'nop'
instruction immediately thereafter (unless instructed otherwise) so as
to leave 'lr' pointing within the function range.

Change-Id: Ib34c69fc09197cfd57bc06e147cc8252910e01b0
Co-authored-by: Douglas Raillard <douglas.raillard@arm.com>
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
2016-12-05 14:55:35 +00:00
David Cunado 939f66d6c4 Reset EL2 and EL3 configurable controls
This patch resets EL2 and EL3 registers that have architecturally
UNKNOWN values on reset and that also provide EL2/EL3 configuration
and trap controls.

Specifically, the EL2 physical timer is disabled to prevent timer
interrups into EL2 - CNTHP_CTL_EL2 and CNTHP_CTL for AArch64 and AArch32,
respectively.

Additionally, for AArch64, HSTR_EL2 is reset to avoid unexpected traps of
non-secure access to certain system registers at EL1 or lower.

For AArch32, the patch also reverts the reset to SDCR which was
incorrectly added in a previous change.

Change-Id: If00eaa23afa7dd36a922265194ccd6223187414f
Signed-off-by: David Cunado <david.cunado@arm.com>
2016-12-01 16:17:39 +00:00
Douglas Raillard b91d935fee Add CFI debug frame information for ASM functions
This allows the debugger to print the callstack when there is an
assembly function in the callstack.

It will work as long as the CFA pointer (frame pointer) location is not
modified (i.e. x29 is not touched in AArch64 state). It is the case in
almost all assembly functions, so this patch improves the average
debugging experience. Call stacks from the debugger should still be
interpreted with care. In more complex functions, one could use .cfi*
directives to inform the debugger about the new location of the CFA
pointer.

Change-Id: I9dabfbc033b45e8528e67f4823c17de7bf02fa24
Signed-off-by: Douglas Raillard <douglas.raillard@arm.com>
2016-11-21 16:59:26 +00:00
David Cunado 495f3d3c51 Reset debug registers MDCR-EL3/SDCR and MDCR_EL2/HDCR
In order to avoid unexpected traps into EL3/MON mode, this patch
resets the debug registers, MDCR_EL3 and MDCR_EL2 for AArch64,
and SDCR and HDCR for AArch32.

MDCR_EL3/SDCR is zero'ed when EL3/MON mode is entered, at the
start of BL1 and BL31/SMP_MIN.

For MDCR_EL2/HDCR, this patch zero's the bits that are
architecturally UNKNOWN values on reset. This is done when
exiting from EL3/MON mode but only on platforms that support
EL2/HYP mode but choose to exit to EL1/SVC mode.

Fixes ARM-software/tf-issues#430

Change-Id: Idb992232163c072faa08892251b5626ae4c3a5b6
Signed-off-by: David Cunado <david.cunado@arm.com>
2016-11-09 15:45:06 +00:00
Yatharth Kochar 9c1dceb106 AArch32: Add `memcpy4` function in assembly
At present the `el3_entrypoint_common` macro uses `memcpy`
function defined in lib/stdlib/mem.c file, to copy data
from ROM to RAM for BL1. Depending on the compiler being
used the stack could potentially be used, in `memcpy`,
for storing the local variables. Since the stack is
initialized much later in `el3_entrypoint_common` it
may result in unknown behaviour.

This patch adds `memcpy4` function definition in assembly so
that it can be used before the stack is initialized and it
also replaces `memcpy` by `memcpy4` in `el3_entrypoint_common`
macro, to copy data from ROM to RAM for BL1.

Change-Id: I3357a0e8095f05f71bbbf0b185585d9499bfd5e0
2016-09-28 14:03:47 +01:00
Soby Mathew f426fc0519 PSCI: Introduce PSCI Library argument structure
This patch introduces a `psci_lib_args_t` structure which must be
passed into `psci_setup()` which is then used to initialize the PSCI
library. The `psci_lib_args_t` is a versioned structure so as to enable
compatibility checks during library initialization. Both BL31 and SP_MIN
are modified to use the new structure.

SP_MIN is also modified to add version string and build message as part
of its cold boot log just like the other BLs in Trusted Firmware.

NOTE: Please be aware that this patch modifies the prototype of
`psci_setup()`, which breaks compatibility with EL3 Runtime Firmware
(excluding BL31 and SP_MIN) integrated with the PSCI Library.

Change-Id: Ic3761db0b790760a7ad664d8a437c72ea5edbcd6
2016-09-22 17:07:20 +01:00
Yatharth Kochar 1a0a3f0622 AArch32: Common changes needed for BL1/BL2
This patch adds common changes to support AArch32 state in
BL1 and BL2. Following are the changes:

* Added functions for disabling MMU from Secure state.
* Added AArch32 specific SMC function.
* Added semihosting support.
* Added reporting of unhandled exceptions.
* Added uniprocessor stack support.
* Added `el3_entrypoint_common` macro that can be
  shared by BL1 and BL32 (SP_MIN) BL stages. The
  `el3_entrypoint_common` is similar to the AArch64
  counterpart with the main difference in the assembly
  instructions and the registers that are relevant to
  AArch32 execution state.
* Enabled `LOAD_IMAGE_V2` flag in Makefile for
  `ARCH=aarch32` and added check to make sure that
  platform has not overridden to disable it.

Change-Id: I33c6d8dfefb2e5d142fdfd06a0f4a7332962e1a3
2016-09-21 16:27:15 +01:00
Yatharth Kochar 7260022636 Add new version of image loading.
This patch adds capability to load BL images based on image
descriptors instead of hard coded way of loading BL images.
This framework is designed such that it can be readily adapted
by any BL stage that needs to load images.

In order to provide the above capability the following new
platform functions are introduced:

  bl_load_info_t *plat_get_bl_image_load_info(void);
    This function returns pointer to the list of images that the
    platform has populated to load.

  bl_params_t *plat_get_next_bl_params(void);
    This function returns a pointer to the shared memory that the
    platform has kept aside to pass trusted firmware related
    information that next BL image needs.

  void plat_flush_next_bl_params(void);
    This function flushes to main memory all the params that
    are passed to next image.

  int bl2_plat_handle_post_image_load(unsigned int image_id)
    This function can be used by the platforms to update/use
    image information for given `image_id`.

`desc_image_load.c` contains utility functions which can be used
by the platforms to generate, load and executable, image list
based on the registered image descriptors.

This patch also adds new version of `load_image/load_auth_image`
functions in-order to achieve the above capability.

Following are the changes for the new version as compared to old:
  - Refactor the signature and only keep image_id and image_info_t
    arguments. Removed image_base argument as it is already passed
    through image_info_t. Given that the BL image base addresses and
    limit/size are already provided by the platforms, the meminfo_t
    and entry_point_info arguments are not needed to provide/reserve
    the extent of free memory for the given BL image.

  - Added check for the image size against the defined max size.
    This is needed because the image size could come from an
    unauthenticated source (e.g. the FIP header).
    To make this check, new member is added to the image_info_t
    struct for identifying the image maximum size.

New flag `LOAD_IMAGE_V2` is added in the Makefile.
Default value is 0.

NOTE: `TRUSTED_BOARD_BOOT` is currently not supported when
      `LOAD_IMAGE_V2` is enabled.

Change-Id: Ia7b643f4817a170d5a2fbf479b9bc12e63112e79
2016-09-20 16:16:42 +01:00
Soby Mathew e33b78a658 AArch32: Add support in TF libraries
This patch adds AArch32 support to cpu ops, context management,
per-cpu data and spinlock libraries. The `entrypoint_info`
structure is modified to add support for AArch32 register
arguments. The CPU operations for AEM generic cpu in AArch32
mode is also added.

Change-Id: I1e52e79f498661d8f31f1e7b3a29e222bc7a4483
2016-08-10 12:35:46 +01:00
Soby Mathew 1ae0a49a37 AArch32: Add API to invoke runtime service handler
This patch adds an API in runtime service framework to
invoke the registered handler corresponding to the SMC function
identifier. This is helpful for AArch32 because the number of
arguments required by the handler is more than registers
available as per AArch32 program calling conventions and
requires the use of stack. Hence this new API will do the
necessary argument setup and invoke the appropriate
handler. Although this API is primarily intended for AArch32,
it can be used for AArch64 as well.

Change-Id: Iefa15947fe5a1df55b0859886e677446a0fd7241
2016-08-10 12:35:46 +01:00
Soby Mathew f24307dec4 AArch32: Add assembly helpers
This patch adds various assembly helpers for AArch32 like :

* cache management : Functions to flush, invalidate and clean
cache by MVA. Also helpers to do cache operations by set-way
are also added.

* stack management: Macros to declare stack and get the current
stack corresponding to current CPU.

* Misc: Macros to access co processor registers in AArch32,
macros to define functions in assembly, assert macros, generic
`do_panic()` implementation and function to zero block of memory.

Change-Id: I7b78ca3f922c0eda39beb9786b7150e9193425be
2016-08-10 12:35:46 +01:00
Soby Mathew 738b1fd7c0 Rearrange assembly helper macros
This patch moves assembler macros which are not architecture specific
to a new file `asm_macros_common.S` and moves the `el3_common_macros.S`
into `aarch64` specific folder.

Change-Id: I444a1ee3346597bf26a8b827480cd9640b38c826
2016-07-19 10:19:08 +01:00
Soby Mathew cf0b1492ed Introduce PSCI Library Interface
This patch introduces the PSCI Library interface. The major changes
introduced are as follows:

* Earlier BL31 was responsible for Architectural initialization during cold
boot via bl31_arch_setup() whereas PSCI was responsible for the same during
warm boot. This functionality is now consolidated by the PSCI library
and it does Architectural initialization via psci_arch_setup() during both
cold and warm boots.

* Earlier the warm boot entry point was always `psci_entrypoint()`. This was
not flexible enough as a library interface. Now PSCI expects the runtime
firmware to provide the entry point via `psci_setup()`. A new function
`bl31_warm_entrypoint` is introduced in BL31 and the previous
`psci_entrypoint()` is deprecated.

* The `smc_helpers.h` is reorganized to separate the SMC Calling Convention
defines from the Trusted Firmware SMC helpers. The former is now in a new
header file `smcc.h` and the SMC helpers are moved to Architecture specific
header.

* The CPU context is used by PSCI for context initialization and
restoration after power down (PSCI Context). It is also used by BL31 for SMC
handling and context management during Normal-Secure world switch (SMC
Context). The `psci_smc_handler()` interface is redefined to not use SMC
helper macros thus enabling to decouple the PSCI context from EL3 runtime
firmware SMC context. This enables PSCI to be integrated with other runtime
firmware using a different SMC context.

NOTE: With this patch the architectural setup done in `bl31_arch_setup()`
is done as part of `psci_setup()` and hence `bl31_platform_setup()` will be
invoked prior to architectural setup. It is highly unlikely that the platform
setup will depend on architectural setup and cause any failure. Please be
be aware of this change in sequence.

Change-Id: I7f497a08d33be234bbb822c28146250cb20dab73
2016-07-19 10:19:01 +01:00
Soby Mathew 532ed61838 Introduce `el3_runtime` and `PSCI` libraries
This patch moves the PSCI services and BL31 frameworks like context
management and per-cpu data into new library components `PSCI` and
`el3_runtime` respectively. This enables PSCI to be built independently from
BL31. A new `psci_lib.mk` makefile is introduced which adds the relevant
PSCI library sources and gets included by `bl31.mk`. Other changes which
are done as part of this patch are:

* The runtime services framework is now moved to the `common/` folder to
  enable reuse.
* The `asm_macros.S` and `assert_macros.S` helpers are moved to architecture
  specific folder.
* The `plat_psci_common.c` is moved from the `plat/common/aarch64/` folder
  to `plat/common` folder. The original file location now has a stub which
  just includes the file from new location to maintain platform compatibility.

Most of the changes wouldn't affect platform builds as they just involve
changes to the generic bl1.mk and bl31.mk makefiles.

NOTE: THE `plat_psci_common.c` FILE HAS MOVED LOCATION AND THE STUB FILE AT
THE ORIGINAL LOCATION IS NOW DEPRECATED. PLATFORMS SHOULD MODIFY THEIR
MAKEFILES TO INCLUDE THE FILE FROM THE NEW LOCATION.

Change-Id: I6bd87d5b59424995c6a65ef8076d4fda91ad5e86
2016-07-18 17:52:15 +01:00
Soby Mathew da554d7439 Fix coding guideline warnings
This patch fixes some coding guideline warnings reported by the checkpatch
script. Only files related to upcoming feature development have been fixed.

Change-Id: I26fbce75c02ed62f00493ed6c106fe7c863ddbc5
2016-07-18 17:52:15 +01:00
Soby Mathew 4c0d039076 Rework type usage in Trusted Firmware
This patch reworks type usage in generic code, drivers and ARM platform files
to make it more portable. The major changes done with respect to
type usage are as listed below:

* Use uintptr_t for storing address instead of uint64_t or unsigned long.
* Review usage of unsigned long as it can no longer be assumed to be 64 bit.
* Use u_register_t for register values whose width varies depending on
  whether AArch64 or AArch32.
* Use generic C types where-ever possible.

In addition to the above changes, this patch also modifies format specifiers
in print invocations so that they are AArch64/AArch32 agnostic. Only files
related to upcoming feature development have been reworked.

Change-Id: I9f8c78347c5a52ba7027ff389791f1dad63ee5f8
2016-07-18 17:52:15 +01:00
danh-arm aadb1350ee Merge pull request #662 from sandrine-bailleux-arm/sb/rodata-xn
Map read-only data as execute-never
2016-07-15 18:55:43 +01:00
Sandrine Bailleux 5d1c104f9a Introduce SEPARATE_CODE_AND_RODATA build flag
At the moment, all BL images share a similar memory layout: they start
with their code section, followed by their read-only data section.
The two sections are contiguous in memory. Therefore, the end of the
code section and the beginning of the read-only data one might share
a memory page. This forces both to be mapped with the same memory
attributes. As the code needs to be executable, this means that the
read-only data stored on the same memory page as the code are
executable as well. This could potentially be exploited as part of
a security attack.

This patch introduces a new build flag called
SEPARATE_CODE_AND_RODATA, which isolates the code and read-only data
on separate memory pages. This in turn allows independent control of
the access permissions for the code and read-only data.

This has an impact on memory footprint, as padding bytes need to be
introduced between the code and read-only data to ensure the
segragation of the two. To limit the memory cost, the memory layout
of the read-only section has been changed in this case.

 - When SEPARATE_CODE_AND_RODATA=0, the layout is unchanged, i.e.
   the read-only section still looks like this (padding omitted):

   |        ...        |
   +-------------------+
   | Exception vectors |
   +-------------------+
   |  Read-only data   |
   +-------------------+
   |       Code        |
   +-------------------+ BLx_BASE

   In this case, the linker script provides the limits of the whole
   read-only section.

 - When SEPARATE_CODE_AND_RODATA=1, the exception vectors and
   read-only data are swapped, such that the code and exception
   vectors are contiguous, followed by the read-only data. This
   gives the following new layout (padding omitted):

   |        ...        |
   +-------------------+
   |  Read-only data   |
   +-------------------+
   | Exception vectors |
   +-------------------+
   |       Code        |
   +-------------------+ BLx_BASE

   In this case, the linker script now exports 2 sets of addresses
   instead: the limits of the code and the limits of the read-only
   data. Refer to the Firmware Design guide for more details. This
   provides platform code with a finer-grained view of the image
   layout and allows it to map these 2 regions with the appropriate
   access permissions.

Note that SEPARATE_CODE_AND_RODATA applies to all BL images.

Change-Id: I936cf80164f6b66b6ad52b8edacadc532c935a49
2016-07-08 14:55:11 +01:00
Sandrine Bailleux ed81f3ebbf Introduce utils.h header file
This patch introduces a new header file: include/lib/utils.h.
Its purpose is to provide generic macros and helper functions that
are independent of any BL image, architecture, platform and even
not specific to Trusted Firmware.

For now, it contains only 2 macros: ARRAY_SIZE() and
IS_POWER_OF_TWO(). These were previously defined in bl_common.h and
xlat_tables.c respectively.

bl_common.h includes utils.h to retain compatibility for platforms
that relied on bl_common.h for the ARRAY_SIZE() macro. Upstream
platform ports that use this macro have been updated to include
utils.h.

Change-Id: I960450f54134f25d1710bfbdc4184f12c049a9a9
2016-07-08 14:37:11 +01:00
Soby Mathew 663db206f8 Derive stack alignment from CACHE_WRITEBACK_GRANULE
The per-cpu stacks should be aligned to the cache-line size and
the `declare_stack` helper in asm_macros.S macro assumed a
cache-line size of 64 bytes. The platform defines the cache-line
size via CACHE_WRITEBACK_GRANULE macro. This patch modifies
`declare_stack` helper macro to derive stack alignment from the
platform defined macro.

Change-Id: I1e1b00fc8806ecc88190ed169f4c8d3dd25fe95b
2016-07-08 09:58:10 +01:00
danh-arm 8d8c61ea75 Merge pull request #636 from soby-mathew/sm/cpu_ctx_rem_aarch32_regs
Build option to include AArch32 registers in cpu context
2016-06-03 15:12:37 +01:00
Soby Mathew 8cd16e6b5b Build option to include AArch32 registers in cpu context
The system registers that are saved and restored in CPU context include
AArch32 systems registers like SPSR_ABT, SPSR_UND, SPSR_IRQ, SPSR_FIQ,
DACR32_EL2, IFSR32_EL2 and FPEXC32_EL2. Accessing these registers on an
AArch64-only (i.e. on hardware that does not implement AArch32, or at
least not at EL1 and higher ELs) platform leads to an exception. This patch
introduces the build option `CTX_INCLUDE_AARCH32_REGS` to specify whether to
include these AArch32 systems registers in the cpu context or not. By default
this build option is set to 1 to ensure compatibility. AArch64-only platforms
must set it to 0. A runtime check is added in BL1 and BL31 cold boot path to
verify this.

Fixes ARM-software/tf-issues#386

Change-Id: I720cdbd7ed7f7d8516635a2ec80d025f478b95ee
2016-06-03 10:50:52 +01:00
Sandrine Bailleux 79627dc372 Fill exception vectors with zero bytes
The documentation of the GNU assembler specifies the following about
the .align assembler directive:
 "the padding bytes are normally zero. However, on some systems, if
 the section is marked as containing code and the fill value is
 omitted, the space is filled with no-op instructions."
(see https://sourceware.org/binutils/docs/as/Align.html)

When building Trusted Firmware, the AArch64 GNU assembler uses a
mix of zero bytes and no-op instructions as the padding bytes to
align exception vectors.

This patch mandates to use zero bytes to be stored in the padding
bytes in the exception vectors. In the AArch64 instruction set, no
valid instruction encodes as zero so this effectively inserts
illegal instructions. Should this code end up being executed for
any reason, it would crash immediately. This gives us an extra
protection against misbehaving code at no extra cost.

Change-Id: I4f2abb39d0320ca0f9d467fc5af0cb92ae297351
2016-05-26 17:04:39 +01:00
Sandrine Bailleux e0ae9fab61 Introduce some helper macros for exception vectors
This patch introduces some assembler macros to simplify the
declaration of the exception vectors. It abstracts the section
the exception code is put into as well as the alignments
constraints mandated by the ARMv8 architecture. For all TF images,
the exception code has been updated to make use of these macros.

This patch also updates some invalid comments in the exception
vector code.

Change-Id: I35737b8f1c8c24b6da89b0a954c8152a4096fa95
2016-05-26 17:04:39 +01:00
Sandrine Bailleux 10c252c14b Fix build error with optimizations disabled (-O0)
If Trusted Firmware is built with optimizations disabled (-O0), the
linker throws the following error:

    undefined reference to 'xxx'

Where 'xxx' is a raw inline function defined in a header file. The
reason is that, with optimizations disabled, GCC may decide to skip
the inlining. If that is the case, an external definition to the
compilation unit must be provided. Because no external definition
is present, the linker throws the error.

This patch fixes the problem by declaring the following inline
functions static, so the internal definition is used:
 - cm_set_next_context()
 - bakery_lock_init()

Note that building the TF with optimizations disabled when Trusted
Board Boot is enabled is currently unsupported, as this makes the BL2
image too big to fit in memory without any adjustment of its base
address. Similarly, disabling optimizations for debug builds on FVP
is unsupported at the moment.

Change-Id: I284a9f84cc8df96a0c1a52dfe05c9e8544c0cefe
2016-04-14 16:24:03 +01:00
Soby Mathew 99e58f9e69 Enable SCR_EL3.SIF bit
This patch enables the SCR_EL3.SIF (Secure Instruction Fetch) bit in BL1 and
BL31 common architectural setup code. When in secure state, this disables
instruction fetches from Non-secure memory.

NOTE: THIS COULD BREAK PLATFORMS THAT HAVE SECURE WORLD CODE EXECUTING FROM
NON-SECURE MEMORY, BUT THIS IS CONSIDERED UNLIKELY AND IS A SERIOUS SECURITY
RISK.

Fixes ARM-Software/tf-issues#372

Change-Id: I684e84b8d523c3b246e9a5fabfa085b6405df319
2016-04-07 16:30:45 +01:00
Gerald Lejeune adb4fcfb4c Enable asynchronous abort exceptions during boot
Asynchronous abort exceptions generated by the platform during cold boot are
not taken in EL3 unless SCR_EL3.EA is set.

Therefore EA bit is set along with RES1 bits in early BL1 and BL31 architecture
initialisation. Further write accesses to SCR_EL3 preserve these bits during
cold boot.

A build flag controls SCR_EL3.EA value to keep asynchronous abort exceptions
being trapped by EL3 after cold boot or not.

For further reference SError Interrupts are also known as asynchronous external
aborts.

On Cortex-A53 revisions below r0p2, asynchronous abort exceptions are taken in
EL3 whatever the SCR_EL3.EA value is.

Fixes arm-software/tf-issues#368

Signed-off-by: Gerald Lejeune <gerald.lejeune@st.com>
2016-03-30 17:26:23 +02:00
Soby Mathew 1319e7b193 Make cpu operations warning a VERBOSE print
The assembler helper function `print_revision_warning` is used when a
CPU specific operation is enabled in the debug build (e.g. an errata
workaround) but doesn't apply to the executing CPU's revision/part number.
However, in some cases the system integrator may want a single binary to
support multiple platforms with different IP versions, only some of which
contain a specific erratum.  In this case, the warning can be emitted very
frequently when CPUs are being powered on/off.

This patch modifies this warning print behaviour so that it is emitted only
when LOG_LEVEL >= LOG_LEVEL_VERBOSE. The `debug.h` header file now contains
guard macros so that it can be included in assembly code.

Change-Id: Ic6e7a07f128dcdb8498a5bfdae920a8feeea1345
2016-03-22 10:00:42 +00:00
Antonio Nino Diaz 1c3ea103d2 Remove all non-configurable dead loops
Added a new platform porting function plat_panic_handler, to allow
platforms to handle unexpected error situations. It must be
implemented in assembly as it may be called before the C environment
is initialized. A default implementation is provided, which simply
spins.

Corrected all dead loops in generic code to call this function
instead. This includes the dead loop that occurs at the end of the
call to panic().

All unnecesary wfis from bl32/tsp/aarch64/tsp_exceptions.S have
been removed.

Change-Id: I67cb85f6112fa8e77bd62f5718efcef4173d8134
2016-03-14 16:41:18 +00:00
danh-arm b6fc25e027 Merge pull request #541 from antonio-nino-diaz-arm/an/secondary-cpu-init
Initialize secondary CPUs during cold boot
2016-03-09 08:45:23 +00:00
Antonio Nino Diaz 4e85e4fd11 Initialize secondary CPUs during cold boot
The previous reset code in BL1 performed the following steps in
order:

1. Warm/Cold boot detection.
   If it's a warm boot, jump to warm boot entrypoint.

2. Primary/Secondary CPU detection.
   If it's a secondary CPU, jump to plat_secondary_cold_boot_setup(),
   which doesn't return.

3. CPU initialisations (cache, TLB...).

4. Memory and C runtime initialization.

For a secondary CPU, steps 3 and 4 are never reached. This shouldn't
be a problem in most cases, since current implementations of
plat_secondary_cold_boot_setup() either panic or power down the
secondary CPUs.

The main concern is the lack of secondary CPU initialization when
bare metal EL3 payloads are used in case they don't take care of this
initialisation themselves.

This patch moves the detection of primary/secondary CPU after step 3
so that the CPU initialisations are performed per-CPU, while the
memory and the C runtime initialisation are only performed on the
primary CPU. The diagrams used in the ARM Trusted Firmware Reset
Design documentation file have been updated to reflect the new boot
flow.

Platforms ports might be affected by this patch depending on the
behaviour of plat_secondary_cold_boot_setup(), as the state of the
platform when entering this function will be different.

Fixes ARM-software/tf-issues#342

Change-Id: Icbf4a0ee2a3e5b856030064472f9fa6696f2eb9e
2016-03-07 09:23:38 +00:00
Yatharth Kochar 843ddee4aa Fix the inconsistencies in bl1_tbbr_image_descs[]
This patch fixes inconsistencies in bl1_tbbr_image_descs[]
and miscellaneous fixes in Firmware Update code.

Following are the changes:
* As part of the original FWU changes, a `copied_size`
  field was added to `image_info_t`. This was a subtle binary
  compatibility break because it changed the size of the
  `bl31_params_t` struct, which could cause problems if
  somebody used different versions of BL2 or BL31, one with
  the old `image_info_t` and one with the new version.
  This patch put the `copied_size` within the `image_desc_t`.
* EXECUTABLE flag is now stored in `ep_info.h.attr` in place
  of `image_info.h.attr`, associating it to an entrypoint.
* The `image_info.image_base` is only relevant for secure
  images that are copied from non-secure memory into secure
  memory. This patch removes initializing `image_base` for
  non secure images in the bl1_tbbr_image_descs[].
* A new macro `SET_STATIC_PARAM_HEAD` is added for populating
  bl1_tbbr_image_descs[].ep_info/image_info.h members statically.
  The version, image_type and image attributes are now
  populated using this new macro.
* Added PLAT_ARM_NVM_BASE and PLAT_ARM_NVM_SIZE to avoid direct
  usage of V2M_FLASH0_XXX in plat/arm/common/arm_bl1_fwu.c.
* Refactoring of code/macros related to SECURE and EXECUTABLE flags.

NOTE: PLATFORM PORTS THAT RELY ON THE SIZE OF `image_info_t`
      OR USE the "EXECUTABLE" BIT WITHIN `image_info_t.h.attr`
      OR USE THEIR OWN `image_desc_t` ARRAY IN BL1, MAY BE
      BROKEN BY THIS CHANGE. THIS IS CONSIDERED UNLIKELY.

Change-Id: Id4e5989af7bf0ed263d19d3751939da1169b561d
2016-02-22 18:17:34 +00:00
Soren Brinkmann 70ecb564fd Migrate __warn_deprecated -> __deprecated
Use the new __deprecated macro from the generic cdefs header and remove
the deprecated __warn_deprecated.

Signed-off-by: Soren Brinkmann <soren.brinkmann@xilinx.com>
2016-01-14 10:55:17 -08:00
Soby Mathew b313d755a7 Rearrange fields in TF data structures to reduce padding
This patch rearranges fields of the `image_desc_t` & `auth_img_desc_t`
data structures to reduce padding between the fields and thereby
save memory.

NOTE: Platform ports which anonymously initialize these structures
should be aware of the rearrangement and do the required
modification.

Change-Id: I428b5429632797b31d5bd306174599c07e24c060
2016-01-13 09:39:40 +00:00
Juan Castillo d178637d2b Remove dashes from image names: 'BL3-x' --> 'BL3x'
This patch removes the dash character from the image name, to
follow the image terminology in the Trusted Firmware Wiki page:

    https://github.com/ARM-software/arm-trusted-firmware/wiki

Changes apply to output messages, comments and documentation.

non-ARM platform files have been left unmodified.

Change-Id: Ic2a99be4ed929d52afbeb27ac765ceffce46ed76
2015-12-14 12:31:37 +00:00
Juan Castillo f59821d512 Replace all SCP FW (BL0, BL3-0) references
This patch replaces all references to the SCP Firmware (BL0, BL30,
BL3-0, bl30) with the image terminology detailed in the TF wiki
(https://github.com/ARM-software/arm-trusted-firmware/wiki):

    BL0          -->  SCP_BL1
    BL30, BL3-0  -->  SCP_BL2
    bl30         -->  scp_bl2

This change affects code, documentation, build system, tools and
platform ports that load SCP firmware. ARM plaforms have been
updated to the new porting API.

IMPORTANT: build option to specify the SCP FW image has changed:

    BL30 --> SCP_BL2

IMPORTANT: This patch breaks compatibility for platforms that use BL2
to load SCP firmware. Affected platforms must be updated as follows:

    BL30_IMAGE_ID --> SCP_BL2_IMAGE_ID
    BL30_BASE --> SCP_BL2_BASE
    bl2_plat_get_bl30_meminfo() --> bl2_plat_get_scp_bl2_meminfo()
    bl2_plat_handle_bl30() --> bl2_plat_handle_scp_bl2()

Change-Id: I24c4c1a4f0e4b9f17c9e4929da815c4069549e58
2015-12-14 12:31:16 +00:00
Juan Castillo 516beb585c TBB: apply TBBR naming convention to certificates and extensions
This patch applies the TBBR naming convention to the certificates
and the corresponding extensions defined by the CoT:

    * Certificate UUID names
    * Certificate identifier names
    * OID names

Changes apply to:

    * Generic code (variables and defines)
    * The default certificate identifiers provided in the generic
      code
    * Build system
    * ARM platforms port
    * cert_create tool internal definitions
    * fip_create and cert_create tools command line options
    * Documentation

IMPORTANT: this change breaks the compatibility with platforms
that use TBBR. The platform will need to adapt the identifiers
and OIDs to the TBBR naming convention introduced by this patch:

Certificate UUIDs:

    UUID_TRUSTED_BOOT_FIRMWARE_BL2_CERT --> UUID_TRUSTED_BOOT_FW_CERT
    UUID_SCP_FIRMWARE_BL30_KEY_CERT --> UUID_SCP_FW_KEY_CERT
    UUID_SCP_FIRMWARE_BL30_CERT --> UUID_SCP_FW_CONTENT_CERT
    UUID_EL3_RUNTIME_FIRMWARE_BL31_KEY_CERT --> UUID_SOC_FW_KEY_CERT
    UUID_EL3_RUNTIME_FIRMWARE_BL31_CERT --> UUID_SOC_FW_CONTENT_CERT
    UUID_SECURE_PAYLOAD_BL32_KEY_CERT --> UUID_TRUSTED_OS_FW_KEY_CERT
    UUID_SECURE_PAYLOAD_BL32_CERT --> UUID_TRUSTED_OS_FW_CONTENT_CERT
    UUID_NON_TRUSTED_FIRMWARE_BL33_KEY_CERT --> UUID_NON_TRUSTED_FW_KEY_CERT
    UUID_NON_TRUSTED_FIRMWARE_BL33_CERT --> UUID_NON_TRUSTED_FW_CONTENT_CERT

Certificate identifiers:

    BL2_CERT_ID --> TRUSTED_BOOT_FW_CERT_ID
    BL30_KEY_CERT_ID --> SCP_FW_KEY_CERT_ID
    BL30_CERT_ID --> SCP_FW_CONTENT_CERT_ID
    BL31_KEY_CERT_ID --> SOC_FW_KEY_CERT_ID
    BL31_CERT_ID --> SOC_FW_CONTENT_CERT_ID
    BL32_KEY_CERT_ID --> TRUSTED_OS_FW_KEY_CERT_ID
    BL32_CERT_ID --> TRUSTED_OS_FW_CONTENT_CERT_ID
    BL33_KEY_CERT_ID --> NON_TRUSTED_FW_KEY_CERT_ID
    BL33_CERT_ID --> NON_TRUSTED_FW_CONTENT_CERT_ID

OIDs:

    TZ_FW_NVCOUNTER_OID --> TRUSTED_FW_NVCOUNTER_OID
    NTZ_FW_NVCOUNTER_OID --> NON_TRUSTED_FW_NVCOUNTER_OID
    BL2_HASH_OID --> TRUSTED_BOOT_FW_HASH_OID
    TZ_WORLD_PK_OID --> TRUSTED_WORLD_PK_OID
    NTZ_WORLD_PK_OID --> NON_TRUSTED_WORLD_PK_OID
    BL30_CONTENT_CERT_PK_OID --> SCP_FW_CONTENT_CERT_PK_OID
    BL30_HASH_OID --> SCP_FW_HASH_OID
    BL31_CONTENT_CERT_PK_OID --> SOC_FW_CONTENT_CERT_PK_OID
    BL31_HASH_OID --> SOC_AP_FW_HASH_OID
    BL32_CONTENT_CERT_PK_OID --> TRUSTED_OS_FW_CONTENT_CERT_PK_OID
    BL32_HASH_OID --> TRUSTED_OS_FW_HASH_OID
    BL33_CONTENT_CERT_PK_OID --> NON_TRUSTED_FW_CONTENT_CERT_PK_OID
    BL33_HASH_OID --> NON_TRUSTED_WORLD_BOOTLOADER_HASH_OID
    BL2U_HASH_OID --> AP_FWU_CFG_HASH_OID
    SCP_BL2U_HASH_OID --> SCP_FWU_CFG_HASH_OID
    NS_BL2U_HASH_OID --> FWU_HASH_OID

Change-Id: I1e047ae046299ca913911c39ac3a6e123bd41079
2015-12-14 12:29:44 +00:00
Yatharth Kochar 2d4d220311 FWU: Add FWU support to `fip_create` tool
Firmware Update (FWU) introduces a new set of images called
SCP_BL2U, BL2U and NS_BL2U, which can be packed in a FWU FIP file.

This patch introduces new UUIDs for the Firmware Update images
and extends the 'fip'create' tool so that these new images can be
packed in a FIP file.

Change-Id: I7c60211b4f3cc265411efb131e6d3c624768f522
2015-12-09 17:41:19 +00:00
Yatharth Kochar 9003fa0b0c FWU: Add Generic BL2U FWU image support in BL2
The Firmware Update (FWU) feature needs support for an optional
secure world image, BL2U, to allow additional secure world
initialization required by FWU, for example DDR initialization.

This patch adds generic framework support to create BL2U.

NOTE: A platform makefile must supply additional `BL2U_SOURCES`
      to build the bl2u target. A subsequent patch adds bl2u
      support for ARM platforms.

Change-Id: If2ce036199bb40b39b7f91a9332106bcd4e25413
2015-12-09 17:41:19 +00:00
Yatharth Kochar 48bfb88eb6 FWU: Add Generic Firmware Update framework support in BL1
Firmware update(a.k.a FWU) feature is part of the TBB architecture.
BL1 is responsible for carrying out the FWU process if platform
specific code detects that it is needed.

This patch adds support for FWU feature support in BL1 which is
included by enabling `TRUSTED_BOARD_BOOT` compile time flag.

This patch adds bl1_fwu.c which contains all the core operations
of FWU, which are; SMC handler, image copy, authentication, execution
and resumption. It also adds bl1.h introducing #defines for all
BL1 SMCs.

Following platform porting functions are introduced:

int bl1_plat_mem_check(uintptr_t mem_base, unsigned int mem_size,
unsigned int flags);
	This function can be used to add platform specific memory checks
	for the provided base/size for the given security state.
	The weak definition will invoke `assert()` and return -ENOMEM.

__dead2 void bl1_plat_fwu_done(void *cookie, void *reserved);
	This function can be used to initiate platform specific procedure
	to mark completion of the FWU process.
	The weak definition waits forever calling `wfi()`.

plat_bl1_common.c contains weak definitions for above functions.

FWU process starts when platform detects it and return the image_id
other than BL2_IMAGE_ID by using `bl1_plat_get_next_image_id()` in
`bl1_main()`.

NOTE: User MUST provide platform specific real definition for
bl1_plat_mem_check() in order to use it for Firmware update.

Change-Id: Ice189a0885d9722d9e1dd03f76cac1aceb0e25ed
2015-12-09 17:41:18 +00:00
Yatharth Kochar 7baff11fb5 Add descriptor based image management support in BL1
As of now BL1 loads and execute BL2 based on hard coded information
provided in BL1. But due to addition of support for upcoming Firmware
Update feature, BL1 now require more flexible approach to load and
run different images using information provided by the platform.

This patch adds new mechanism to load and execute images based on
platform provided image id's. BL1 now queries the platform to fetch
the image id of the next image to be loaded and executed. In order
to achieve this, a new struct image_desc_t was added which holds the
information about images, such as: ep_info and image_info.

This patch introduces following platform porting functions:

unsigned int bl1_plat_get_next_image_id(void);
	This is used to identify the next image to be loaded
	and executed by BL1.

struct image_desc *bl1_plat_get_image_desc(unsigned int image_id);
	This is used to retrieve the image_desc for given image_id.

void bl1_plat_set_ep_info(unsigned int image_id,
struct entry_point_info *ep_info);
	This function allows platforms to update ep_info for given
	image_id.

The plat_bl1_common.c file provides default weak implementations of
all above functions, the `bl1_plat_get_image_desc()` always return
BL2 image descriptor, the `bl1_plat_get_next_image_id()` always return
BL2 image ID and `bl1_plat_set_ep_info()` is empty and just returns.
These functions gets compiled into all BL1 platforms by default.

Platform setup in BL1, using `bl1_platform_setup()`, is now done
_after_ the initialization of authentication module. This change
provides the opportunity to use authentication while doing the
platform setup in BL1.

In order to store secure/non-secure context, BL31 uses percpu_data[]
to store context pointer for each core. In case of BL1 only the
primary CPU will be active hence percpu_data[] is not required to
store the context pointer.

This patch introduce bl1_cpu_context[] and bl1_cpu_context_ptr[] to
store the context and context pointers respectively. It also also
re-defines cm_get_context() and cm_set_context() for BL1 in
bl1/bl1_context_mgmt.c.

BL1 now follows the BL31 pattern of using SP_EL0 for the C runtime
environment, to support resuming execution from a previously saved
context.

NOTE: THE `bl1_plat_set_bl2_ep_info()` PLATFORM PORTING FUNCTION IS
      NO LONGER CALLED BY BL1 COMMON CODE. PLATFORMS THAT OVERRIDE
      THIS FUNCTION MAY NEED TO IMPLEMENT `bl1_plat_set_ep_info()`
      INSTEAD TO MAINTAIN EXISTING BEHAVIOUR.

Change-Id: Ieee4c124b951c2e9bc1c1013fa2073221195d881
2015-12-09 17:41:18 +00:00
Yatharth Kochar bbf8f6f95b Move context management code to common location
The upcoming Firmware Update feature needs transitioning across
Secure/Normal worlds to complete the FWU process and hence requires
context management code to perform this task.

Currently context management code is part of BL31 stage only.
This patch moves the code from (include)/bl31 to (include)/common.
Some function declarations/definitions and macros have also moved
to different files to help code sharing.

Change-Id: I3858b08aecdb76d390765ab2b099f457873f7b0c
2015-12-09 17:41:18 +00:00
Yatharth Kochar 5698c5b3db Remove `RUN_IMAGE` usage as opcode passed to next EL.
The primary usage of `RUN_IMAGE` SMC function id, used by BL2 is to
make a request to BL1 to execute BL31. But BL2 also uses it as
opcode to check if it is allowed to execute which is not the
intended usage of `RUN_IMAGE` SMC.

This patch removes the usage of `RUN_IMAGE` as opcode passed to
next EL to check if it is allowed to execute.

Change-Id: I6aebe0415ade3f43401a4c8a323457f032673657
2015-12-09 17:41:18 +00:00
Soby Mathew 7a24cba5c2 Replace build macro WARN_DEPRECATED with ERROR_DEPRECATED
This patch changes the build time behaviour when using deprecated API within
Trusted Firmware. Previously the use of deprecated APIs would only trigger a
build warning (which was always treated as a build error), when
WARN_DEPRECATED = 1. Now, the use of deprecated C declarations will always
trigger a build time warning. Whether this warning is treated as error or not
is determined by the build flag ERROR_DEPRECATED which is disabled by default.
When the build flag ERROR_DEPRECATED=1, the invocation of deprecated API or
inclusion of deprecated headers will result in a build error.

Also the deprecated context management helpers in context_mgmt.c are now
conditionally compiled depending on the value of ERROR_DEPRECATED flag
so that the APIs themselves do not result in a build error when the
ERROR_DEPRECATED flag is set.

NOTE: Build systems that use the macro WARN_DEPRECATED must migrate to
using ERROR_DEPRECATED, otherwise deprecated API usage will no longer
trigger a build error.

Change-Id: I843bceef6bde979af7e9b51dddf861035ec7965a
2015-11-24 11:15:41 +00:00
Sandrine Bailleux 68a68c925f Introduce print_entry_point_info() function
This patch introduces a new function called 'print_entry_point_info'
that prints an entry_point_t structure for debugging purposes.
As such, it can be used to display the entry point address, SPSR and
arguments passed from a firmware image to the next one.

This function is now called in the following images transitions:
 - BL1 to BL2
 - BL1 to BL31
 - BL31 to the next image (typically BL32 or BL33)

The following changes have been introduced:

 - Fix the output format of the SPSR value : SPSR is a 32-bit value,
   not a 64-bit one.

 - Print all arguments values.
   The entry_point_info_t structure allows to pass up to 8 arguments.
   In most cases, only the first 2 arguments were printed.
   print_entry_point_info() now prints all of them as 'VERBOSE'
   traces.

Change-Id: Ieb384bffaa7849e6cb95a01a47c0b7fc2308653a
2015-11-02 09:23:05 +00:00
Juan Castillo 78460a05e4 Use standard errno definitions in load_auth_image()
This patch replaces custom definitions used as return values for
the load_auth_image() function with standard error codes defined
in errno.h. The custom definitions have been removed.

It also replaces the usage of IO framework error custom definitions,
which have been deprecated. Standard errno definitions are used
instead.

Change-Id: I1228477346d3876151c05b470d9669c37fd231be
2015-10-23 16:57:52 +01:00
Achin Gupta 54dc71e7ec Make generic code work in presence of system caches
On the ARMv8 architecture, cache maintenance operations by set/way on the last
level of integrated cache do not affect the system cache. This means that such a
flush or clean operation could result in the data being pushed out to the system
cache rather than main memory. Another CPU could access this data before it
enables its data cache or MMU. Such accesses could be serviced from the main
memory instead of the system cache. If the data in the sysem cache has not yet
been flushed or evicted to main memory then there could be a loss of
coherency. The only mechanism to guarantee that the main memory will be updated
is to use cache maintenance operations to the PoC by MVA(See section D3.4.11
(System level caches) of ARMv8-A Reference Manual (Issue A.g/ARM DDI0487A.G).

This patch removes the reliance of Trusted Firmware on the flush by set/way
operation to ensure visibility of data in the main memory. Cache maintenance
operations by MVA are now used instead. The following are the broad category of
changes:

1. The RW areas of BL2/BL31/BL32 are invalidated by MVA before the C runtime is
   initialised. This ensures that any stale cache lines at any level of cache
   are removed.

2. Updates to global data in runtime firmware (BL31) by the primary CPU are made
   visible to secondary CPUs using a cache clean operation by MVA.

3. Cache maintenance by set/way operations are only used prior to power down.

NOTE: NON-UPSTREAM TRUSTED FIRMWARE CODE SHOULD MAKE EQUIVALENT CHANGES IN
ORDER TO FUNCTION CORRECTLY ON PLATFORMS WITH SUPPORT FOR SYSTEM CACHES.

Fixes ARM-software/tf-issues#205

Change-Id: I64f1b398de0432813a0e0881d70f8337681f6e9a
2015-09-14 22:09:40 +01:00
Vikram Kanigiri a2f8b16650 Ensure BL2 security state is secure
BL2 loads secure runtime code(BL3-1, BL3-2) and hence it has to
run in secure world otherwise BL3-1/BL3-2 have to execute from
non-secure memory. Hence, This patch removes the change_security_state()
call in bl1_run_bl2() and replaces it with an assert to confirm
the BL2 as secure.

Fixes ARM-software/tf-issues#314

Change-Id: I611b83f5c4090e58a76a2e950b0d797b46df3c29
2015-09-02 13:48:45 +01:00
danh-arm 468f808cb8 Merge pull request #368 from jcastillo-arm/jc/genfw/1126
TBB: abort boot if BL3-2 cannot be authenticated
2015-08-21 15:28:30 +01:00
Juan Castillo fedbc0497b TBB: abort boot if BL3-2 cannot be authenticated
BL3-2 image (Secure Payload) is optional. If the image cannot be
loaded a warning message is printed and the boot process continues.
According to the TBBR document, this behaviour should not apply in
case of an authentication error, where the boot process should be
aborted.

This patch modifies the load_auth_image() function to distinguish
between a load error and an authentication error. The caller uses
the return value to abort the boot process or continue.

In case of authentication error, the memory region used to store
the image is wiped clean.

Change-Id: I534391d526d514b2a85981c3dda00de67e0e7992
2015-08-20 16:44:02 +01:00
Soby Mathew 58523c076a PSCI: Add documentation and fix plat_is_my_cpu_primary()
This patch adds the necessary documentation updates to porting_guide.md
for the changes in the platform interface mandated as a result of the new
PSCI Topology and power state management frameworks. It also adds a
new document `platform-migration-guide.md` to aid the migration of existing
platform ports to the new API.

The patch fixes the implementation and callers of
plat_is_my_cpu_primary() to use w0 as the return parameter as implied by
the function signature rather than x0 which was used previously.

Change-Id: Ic11e73019188c8ba2bd64c47e1729ff5acdcdd5b
2015-08-13 23:48:07 +01:00
Soby Mathew 85a181ce38 PSCI: Migrate TF to the new platform API and CM helpers
This patch migrates the rest of Trusted Firmware excluding Secure Payload and
the dispatchers to the new platform and context management API. The per-cpu
data framework APIs which took MPIDRs as their arguments are deleted and only
the ones which take core index as parameter are retained.

Change-Id: I839d05ad995df34d2163a1cfed6baa768a5a595d
2015-08-13 23:48:06 +01:00
Soby Mathew 5c8babcd70 PSCI: Add deprecated API for SPD when compatibility is disabled
This patch defines deprecated platform APIs to enable Trusted
Firmware components like Secure Payload and their dispatchers(SPD)
to continue to build and run when platform compatibility is disabled.
This decouples the migration of platform ports to the new platform API
from SPD and enables them to be migrated independently. The deprecated
platform APIs defined in this patch are : platform_get_core_pos(),
platform_get_stack() and platform_set_stack().

The patch also deprecates MPIDR based context management helpers like
cm_get_context_by_mpidr(), cm_set_context_by_mpidr() and cm_init_context().
A mechanism to deprecate APIs and identify callers of these APIs during
build is introduced, which is controlled by the build flag WARN_DEPRECATED.
If WARN_DEPRECATED is defined to 1, the users of the deprecated APIs will be
flagged either as a link error for assembly files or compile time warning
for C files during build.

Change-Id: Ib72c7d5dc956e1a74d2294a939205b200f055613
2015-08-13 23:48:06 +01:00
Soby Mathew 674878464a PSCI: Switch to the new PSCI frameworks
This commit does the switch to the new PSCI framework implementation replacing
the existing files in PSCI folder with the ones in PSCI1.0 folder. The
corresponding makefiles are modified as required for the new implementation.
The platform.h header file is also is switched to the new one
as required by the new frameworks. The build flag ENABLE_PLAT_COMPAT defaults
to 1 to enable compatibility layer which let the existing platform ports to
continue to build and run with minimal changes.

The default weak implementation of platform_get_core_pos() is now removed from
platform_helpers.S and is provided by the compatibility layer.

Note: The Secure Payloads and their dispatchers still use the old platform
and framework APIs and hence it is expected that the ENABLE_PLAT_COMPAT build
flag will remain enabled in subsequent patch. The compatibility for SPDs using
the older APIs on platforms migrated to the new APIs will be added in the
following patch.

Change-Id: I18c51b3a085b564aa05fdd98d11c9f3335712719
2015-08-13 23:47:57 +01:00
Soby Mathew 12d0d00d1e PSCI: Introduce new platform and CM helper APIs
This patch introduces new platform APIs and context management helper APIs
to support the new topology framework based on linear core position. This
framework will be introduced in the follwoing patch and it removes the
assumption that the MPIDR based affinity levels map directly to levels
in a power domain tree. The new platforms APIs and context management
helpers based on core position are as described below:

* plat_my_core_pos() and plat_core_pos_by_mpidr()

These 2 new mandatory platform APIs are meant to replace the existing
'platform_get_core_pos()' API. The 'plat_my_core_pos()' API returns the
linear index of the calling core and 'plat_core_pos_by_mpidr()' returns
the linear index of a core specified by its MPIDR. The latter API will also
validate the MPIDR passed as an argument and will return an error code (-1)
if an invalid MPIDR is passed as the argument. This enables the caller to
safely convert an MPIDR of another core to its linear index without querying
the PSCI topology tree e.g. during a call to PSCI CPU_ON.

Since the 'plat_core_pos_by_mpidr()' API verifies an MPIDR, which is always
platform specific, it is no longer possible to maintain a default implementation
of this API. Also it might not be possible for a platform port to verify an
MPIDR before the C runtime has been setup or the topology has been initialized.
This would prevent 'plat_core_pos_by_mpidr()' from being callable prior to
topology setup. As a result, the generic Trusted Firmware code does not call
this API before the topology setup has been done.

The 'plat_my_core_pos' API should be able to run without a C runtime.
Since this API needs to return a core position which is equal to the one
returned by 'plat_core_pos_by_mpidr()' API for the corresponding MPIDR,
this too cannot have default implementation and is a mandatory API for
platform ports. These APIs will be implemented by the ARM reference platform
ports later in the patch stack.

* plat_get_my_stack() and plat_set_my_stack()

These APIs are the stack management APIs which set/return stack addresses
appropriate for the calling core. These replace the 'platform_get_stack()' and
'platform_set_stack()' APIs. A default weak MP version and a global UP version
of these APIs are provided for the platforms.

* Context management helpers based on linear core position

A set of new context management(CM) helpers viz cm_get_context_by_index(),
cm_set_context_by_index(), cm_init_my_context() and cm_init_context_by_index()
are defined which are meant to replace the old helpers which took MPIDR
as argument. The old CM helpers are implemented based on the new helpers to
allow for code consolidation and will be deprecated once the switch to the new
framework is done.

Change-Id: I89758632b370c2812973a4b2efdd9b81a41f9b69
2015-08-13 16:17:58 +01:00
Juan Castillo 1779ba6b97 TBB: switch to the new authentication framework
This patch modifies the Trusted Board Boot implementation to use
the new authentication framework, making use of the authentication
module, the cryto module and the image parser module to
authenticate the images in the Chain of Trust.

A new function 'load_auth_image()' has been implemented. When TBB
is enabled, this function will call the authentication module to
authenticate parent images following the CoT up to the root of
trust to finally load and authenticate the requested image.

The platform is responsible for picking up the right makefiles to
build the corresponding cryptographic and image parser libraries.
ARM platforms use the mbedTLS based libraries.

The platform may also specify what key algorithm should be used
to sign the certificates. This is done by declaring the 'KEY_ALG'
variable in the platform makefile. FVP and Juno use ECDSA keys.

On ARM platforms, BL2 and BL1-RW regions have been increased 4KB
each to accommodate the ECDSA code.

REMOVED BUILD OPTIONS:

  * 'AUTH_MOD'

Change-Id: I47d436589fc213a39edf5f5297bbd955f15ae867
2015-06-25 08:53:27 +01:00
Juan Castillo dff93c8675 TBB: add TBBR Chain of Trust
This patch adds a CoT based on the Trusted Board Boot Requirements
document*. The CoT consists of an array of authentication image
descriptors indexed by the image identifiers.

A new header file with TBBR image identifiers has been added.
Platforms that use the TBBR (i.e. ARM platforms) may reuse these
definitions as part of their platform porting.

PLATFORM PORT - IMPORTANT:

Default image IDs have been removed from the platform common
definitions file (common_def.h). As a consequence, platforms that
used those common definitons must now either include the IDs
provided by the TBBR header file or define their own IDs.

*The NVCounter authentication method has not been implemented yet.

Change-Id: I7c4d591863ef53bb0cd4ce6c52a60b06fa0102d5
2015-06-25 08:53:27 +01:00
Juan Castillo 16948ae1d9 Use numbers to identify images instead of names
The Trusted firmware code identifies BL images by name. The platform
port defines a name for each image e.g. the IO framework uses this
mechanism in the platform function plat_get_image_source(). For
a given image name, it returns the handle to the image file which
involves comparing images names. In addition, if the image is
packaged in a FIP, a name comparison is required to find the UUID
for the image. This method is not optimal.

This patch changes the interface between the generic and platform
code with regard to identifying images. The platform port must now
allocate a unique number (ID) for every image. The generic code will
use the image ID instead of the name to access its attributes.

As a result, the plat_get_image_source() function now takes an image
ID as an input parameter. The organisation of data structures within
the IO framework has been rationalised to use an image ID as an index
into an array which contains attributes of the image such as UUID and
name. This prevents the name comparisons.

A new type 'io_uuid_spec_t' has been introduced in the IO framework
to specify images identified by UUID (i.e. when the image is contained
in a FIP file). There is no longer need to maintain a look-up table
[iname_name --> uuid] in the io_fip driver code.

Because image names are no longer mandatory in the platform port, the
debug messages in the generic code will show the image identifier
instead of the file name. The platforms that support semihosting to
load images (i.e. FVP) must provide the file names as definitions
private to the platform.

The ARM platform ports and documentation have been updated accordingly.
All ARM platforms reuse the image IDs defined in the platform common
code. These IDs will be used to access other attributes of an image in
subsequent patches.

IMPORTANT: applying this patch breaks compatibility for platforms that
use TF BL1 or BL2 images or the image loading code. The platform port
must be updated to match the new interface.

Change-Id: I9c1b04cb1a0684c6ee65dee66146dd6731751ea5
2015-06-25 08:53:26 +01:00