As part of the RFC:
https://review.trustedfirmware.org/c/TF-A/trusted-firmware-a/+/13651,
this patch adds the 'cm_prepare_el3_exit_ns' function. The function is
a wrapper to 'cm_prepare_el3_exit' function for Non-secure state.
When EL2 sysregs context exists (CTX_INCLUDE_EL2_REGS is
enabled) EL1 and EL2 sysreg values are restored from the context
instead of directly updating the registers.
Signed-off-by: Zelalem Aweke <zelalem.aweke@arm.com>
Change-Id: I9b071030576bb05500d54090e2a03b3f125d1653
As parent_node is unsigned, we have to use %u and not %d.
This avoids warning when -Wformat-signedness is enabled.
Signed-off-by: Yann Gautier <yann.gautier@st.com>
Change-Id: I5ab7acb33227d720b2c8a4ec013435442b219a44
psci_cpu_suspend unconditionally calls psci_validate_power_state, which
asserts that the platform implements ops->validate_power_state. To avoid
a failure at runtime, do not expose CPU_SUSPEND unless that callback is
implemented. This also allows a platform to provide SYSTEM_SUSPEND
without providing CPU_SUSPEND.
Signed-off-by: Samuel Holland <samuel@sholland.org>
Change-Id: I5dafb7845f482ab3af03a9de562def41dd70189e
In psci_setup.c psci_init_pwr_domain_node() takes an unsigned
char as node_idx which limits it to initialising only the first
256 CPUs. As the calling function does not check for a limit of
256 I think this is a bug so change the unsigned char to
uint16_t and change the cast from the calling site in
populate_power_domain_tree().
Also update the non_cpu_pwr_domain_node structure lock_index
to uint16_t and update the function signature for psci_lock_init()
appropriately.
Finally add a define PSCI_MAX_CPUS_INDEX to psci_private.h and add
a CASSERT to psci_setup.c to make sure PLATFORM_CORE_COUNT cannot
exceed the index value.
Signed-off-by: Graeme Gregory <graeme@nuviainc.com>
Change-Id: I9e26842277db7483fd698b46bbac62aa86e71b45
Usually, C has no problem up-converting types to larger bit sizes. MISRA
rule 10.7 requires that you not do this, or be very explicit about this.
This resolves the following required rule:
bl1/aarch64/bl1_context_mgmt.c:81:[MISRA C-2012 Rule 10.7 (required)]<None>
The width of the composite expression "0U | ((mode & 3U) << 2U) | 1U |
0x3c0U" (32 bits) is less that the right hand operand
"18446744073709547519ULL" (64 bits).
This also resolves MISRA defects such as:
bl2/aarch64/bl2arch_setup.c:18:[MISRA C-2012 Rule 12.2 (required)]
In the expression "3U << 20", shifting more than 7 bits, the number
of bits in the essential type of the left expression, "3U", is
not allowed.
Further, MISRA requires that all shifts don't overflow. The definition of
PAGE_SIZE was (1U << 12), and 1U is 8 bits. This caused about 50 issues.
This fixes the violation by changing the definition to 1UL << 12. Since
this uses 32bits, it should not create any issues for aarch32.
This patch also contains a fix for a build failure in the sun50i_a64
platform. Specifically, these misra fixes removed a single and
instruction,
92407e73 and x19, x19, #0xffffffff
from the cm_setup_context function caused a relocation in
psci_cpus_on_start to require a linker-generated stub. This increased the
size of the .text section and caused an alignment later on to go over a
page boundary and round up to the end of RAM before placing the .data
section. This sectionn is of non-zero size and therefore causes a link
error.
The fix included in this reorders the functions during link time
without changing their ording with respect to alignment.
Change-Id: I76b4b662c3d262296728a8b9aab7a33b02087f16
Signed-off-by: Jimmy Brisson <jimmy.brisson@arm.com>
And from crash_console_flush.
We ignore the error information return by console_flush in _every_
place where we call it, and casting the return type to void does not
work around the MISRA violation that this causes. Instead, we collect
the error information from the driver (to avoid changing that API), and
don't return it to the caller.
Change-Id: I1e35afe01764d5c8f0efd04f8949d333ffb688c1
Signed-off-by: Jimmy Brisson <jimmy.brisson@arm.com>
The API can be used to invoke a 'stop_func' callback for all
other cores from any initiating core. Optionally it can also
wait for other cores to power down. There may be various use
of such API by platform. Ex: Platform may use this to power
down all other cores from a crashed core.
Signed-off-by: Sandeep Tripathy <sandeep.tripathy@broadcom.com>
Change-Id: I4f9dc8a38d419f299c021535d5f1bcc6883106f9
Fixes for the following MISRA violations:
- Missing explicit parentheses on sub-expression
- An identifier or macro name beginning with an
underscore, shall not be declared
- Type mismatch in BL1 SMC handlers and tspd_main.c
Change-Id: I7a92abf260da95acb0846b27c2997b59b059efc4
Signed-off-by: Zelalem <zelalem.aweke@arm.com>
NOTE for platform integrators:
API `plat_psci_stat_get_residency()` third argument
`last_cpu_idx` is changed from "signed int" to the
"unsigned int" type.
Issue / Trouble points
1. cpu_idx is used as mix of `unsigned int` and `signed int` in code
with typecasting at some places leading to coverity issues.
2. Underlying platform API's return cpu_idx as `unsigned int`
and comparison is performed with platform specific defines
`PLAFORM_xxx` which is not consistent
Misra Rule 10.4:
The value of a complex expression of integer type may only be cast to
a type that is narrower and of the same signedness as the underlying
type of the expression.
Based on above points, cpu_idx is kept as `unsigned int` to match
the API's and low-level functions and platform defines are updated
where ever required
Signed-off-by: Deepika Bhavnani <deepika.bhavnani@arm.com>
Change-Id: Ib26fd16e420c35527204b126b9b91e8babcc3a5c
Same SoC has different personality by creating different number of:
- cores
- clusters.
As a result, the platform specific power domain tree will be created
after identify the personality of the SoC.
Hence, platform specific power domain tree may not be same for all the
personality of the soc.
Thus, psci library code will deduce the 'plat_core_count', while
populating the power domain tree topology and return the number of
cores.
PLATFORM_CORE_COUNT will still be valid for a SoC, such that
psci_plat_core_count <= PLATFORM_CORE_COUNT.
PLATFORM_CORE_COUNT will continued to be defined by platform to create
the data structures.
Signed-off-by: Pankaj Gupta <pankaj.gupta@nxp.com>
Change-Id: I1f5c47647631cae2dcdad540d64cf09757db7185
This PSCI hook is similar to pwr_domain_on_finish but is
guaranteed to be invoked with the respective core and cluster are
participating in coherency. This will be necessary to safely invoke
the new GICv3 API which modifies shared GIC data structures concurrently.
Change-Id: I8e54f05c9d4ef5712184c9c18ba45ac97a29eb7a
Signed-off-by: Madhukar Pappireddy <madhukar.pappireddy@arm.com>
This patch provides the following features and makes modifications
listed below:
- Individual APIAKey key generation for each CPU.
- New key generation on every BL31 warm boot and TSP CPU On event.
- Per-CPU storage of APIAKey added in percpu_data[]
of cpu_data structure.
- `plat_init_apiakey()` function replaced with `plat_init_apkey()`
which returns 128-bit value and uses Generic timer physical counter
value to increase the randomness of the generated key.
The new function can be used for generation of all ARMv8.3-PAuth keys
- ARMv8.3-PAuth specific code placed in `lib\extensions\pauth`.
- New `pauth_init_enable_el1()` and `pauth_init_enable_el3()` functions
generate, program and enable APIAKey_EL1 for EL1 and EL3 respectively;
pauth_disable_el1()` and `pauth_disable_el3()` functions disable
PAuth for EL1 and EL3 respectively;
`pauth_load_bl31_apiakey()` loads saved per-CPU APIAKey_EL1 from
cpu-data structure.
- Combined `save_gp_pauth_registers()` function replaces calls to
`save_gp_registers()` and `pauth_context_save()`;
`restore_gp_pauth_registers()` replaces `pauth_context_restore()`
and `restore_gp_registers()` calls.
- `restore_gp_registers_eret()` function removed with corresponding
code placed in `el3_exit()`.
- Fixed the issue when `pauth_t pauth_ctx` structure allocated space
for 12 uint64_t PAuth registers instead of 10 by removal of macro
CTX_PACGAKEY_END from `include/lib/el3_runtime/aarch64/context.h`
and assigning its value to CTX_PAUTH_REGS_END.
- Use of MODE_SP_ELX and MODE_SP_EL0 macro definitions
in `msr spsel` instruction instead of hard-coded values.
- Changes in documentation related to ARMv8.3-PAuth and ARMv8.5-BTI.
Change-Id: Id18b81cc46f52a783a7e6a09b9f149b6ce803211
Signed-off-by: Alexei Fedorov <Alexei.Fedorov@arm.com>
cpu_idx is used as mix of `unsigned int` and `signed int` in code
with typecasting at some places. This change is to unify the
cpu_idx as `unsigned int` as underlying API;s `plat_my_core_pos`
returns `unsigned int`
It was discovered via coverity issue CID 354715
Signed-off-by: Deepika Bhavnani <deepika.bhavnani@arm.com>
Change-Id: I4f0adb0c596ff1177210c5fe803bff853f2e54ce
GCC diagnostics were added to ignore array boundaries, instead
of ignoring GCC warning current code will check for array boundaries
and perform and array update only for valid elements.
Resolves: `CID 246574` `CID 246710` `CID 246651`
Signed-off-by: Deepika Bhavnani <deepika.bhavnani@arm.com>
Change-Id: I7530ecf7a1707351c6ee87e90cc3d33574088f57
NOTE: AARCH32/AARCH64 macros are now deprecated in favor of __aarch64__.
All common C compilers pre-define the same macros to signal which
architecture the code is being compiled for: __arm__ for AArch32 (or
earlier versions) and __aarch64__ for AArch64. There's no need for TF-A
to define its own custom macros for this. In order to unify code with
the export headers (which use __aarch64__ to avoid another dependency),
let's deprecate the AARCH32 and AARCH64 macros and switch the code base
over to the pre-defined standard macro. (Since it is somewhat
unintuitive that __arm__ only means AArch32, let's standardize on only
using __aarch64__.)
Change-Id: Ic77de4b052297d77f38fc95f95f65a8ee70cf200
Signed-off-by: Julius Werner <jwerner@chromium.org>
When acquiring or releasing the power domain locks for a given CPU the
parent nodes are looked up by walking the up the PD tree list on both the
acquire and release path, only one set of lookups is needed. Fetch the
parent nodes first and pass this list into both the acquire and release
functions to avoid the double lookup.
This also allows us to not have to do this lookup after coherency has
been exited during the core power down sequence. The shared struct
psci_cpu_pd_nodes is not placed in coherent memory like is done
for psci_non_cpu_pd_nodes and doing so would negatively affect
performance. With this patch we remove the need to have it in coherent
memory by moving the access out of psci_release_pwr_domain_locks().
Signed-off-by: Andrew F. Davis <afd@ti.com>
Change-Id: I7b9cfa9d31148dea0f5e21091c8b45ef7fe4c4ab
Enforce full include path for includes. Deprecate old paths.
The following folders inside include/lib have been left unchanged:
- include/lib/cpus/${ARCH}
- include/lib/el3_runtime/${ARCH}
The reason for this change is that having a global namespace for
includes isn't a good idea. It defeats one of the advantages of having
folders and it introduces problems that are sometimes subtle (because
you may not know the header you are actually including if there are two
of them).
For example, this patch had to be created because two headers were
called the same way: e0ea0928d5 ("Fix gpio includes of mt8173 platform
to avoid collision."). More recently, this patch has had similar
problems: 46f9b2c3a2 ("drivers: add tzc380 support").
This problem was introduced in commit 4ecca33988 ("Move include and
source files to logical locations"). At that time, there weren't too
many headers so it wasn't a real issue. However, time has shown that
this creates problems.
Platforms that want to preserve the way they include headers may add the
removed paths to PLAT_INCLUDES, but this is discouraged.
Change-Id: I39dc53ed98f9e297a5966e723d1936d6ccf2fc8f
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Initial Spectre Variant 1 mitigations (CVE-2017-5753).
A potential speculative data leak was found in PSCI code, this depends
on a non-robust implementation of the `plat_get_core_pos_by_mpidr()`
function. This is considered very low-risk. This patch adds a macro to
mitigate this. Note not all code paths could be analyzed with current
tools.
Add a macro which makes a variable 'speculation safe', using the
__builtin_speculation_safe_value function of GCC and llvm. This will be
available in GCC 9, and is planned for llvm, but is not currently in
mainline GCC or llvm. In order to implement this mitigation the compiler
must support this builtin. Support is indicated by the
__HAVE_SPECULATION_SAFE_VALUE flag.
The -mtrack-speculation option maintains a 'tracker' register, which
determines if the processor is in false speculation at any point. This
adds instructions and increases code size, but avoids the performance
impact of a hard barrier.
Without the -mtrack-speculation option, __builtin_speculation_safe_value
expands to a
ISB
DSB SY
sequence after a conditional branch, before the
speculation safe variable is used. With -mtrack-speculation a
CSEL tracker, tracker, XZR, [cond];
AND safeval,tracker;
CSDB
sequence is added instead, clearing the vulnerable variable by
AND'ing it with the tracker register, which is zero during speculative
execution. [cond] are the status flags which will only be true during
speculative execution. For more information on
__builtin_speculation_safe_value and the -mtrack-speculation option see
https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability/compiler-support-for-mitigations
The -mtracking option was not added, as the performance impact of the
mitigation is low, and there is only one occurence.
Change-Id: Ic9e66d1f4a5155e42e3e4055594974c230bfba3c
Signed-off-by: Joel Hutton <Joel.Hutton@Arm.com>
Some platforms can only resume from system suspend from the boot
CPU, hence they should only enter that state from that same core.
The following commit presents an interface that allows the platform to
reject system suspend entry near its very last stage (last CPU).
When a platform enables its caches before it accesses the
psci_non_cpu_pd_nodes structure then explicit cache maintenance
is not needed.
Signed-off-by: Andrew F. Davis <afd@ti.com>
The MMU is not disabled in this path, update the comment to
reflect this. Also clarify that both paths call prepare_cpu_pwr_dwn(),
but the second path does stack cache maintenance.
Signed-off-by: Andrew F. Davis <afd@ti.com>
Mark the initialization functions in BL31, such as context management,
EHF, RAS and PSCI as __init so that they can be reclaimed by the
platform when no longer needed
Change-Id: I7446aeee3dde8950b0f410cb766b7a2312c20130
Signed-off-by: Daniel Boulby <daniel.boulby@arm.com>
During cold boot, the initial translation tables are created with data
caches disabled, so all modifications go to memory directly. After the
MMU is enabled and data cache is enabled, any modification to the tables
goes to data cache, and eventually may get flushed to memory.
If CPU0 modifies the tables while CPU1 is off, CPU0 will have the
modified tables in its data cache. When CPU1 is powered on, the MMU is
enabled, then it enables coherency, and then it enables the data cache.
Until this is done, CPU1 isn't in coherency, and the translation tables
it sees can be outdated if CPU0 still has some modified entries in its
data cache.
This can be a problem in some cases. For example, the warm boot code
uses only the tables mapped during cold boot, which don't normally
change. However, if they are modified (and a RO page is made RW, or a XN
page is made executable) the CPU will see the old attributes and crash
when it tries to access it.
This doesn't happen in systems with HW_ASSISTED_COHERENCY or
WARMBOOT_ENABLE_DCACHE_EARLY. In these systems, the data cache is
enabled at the same time as the MMU. As soon as this happens, the CPU is
in coherency.
There was an attempt of a fix in psci_helpers.S, but it didn't solve the
problem. That code has been deleted. The code was introduced in commit
<264410306381> ("Invalidate TLB entries during warm boot").
Now, during a map or unmap operation, the memory associated to each
modified table is flushed. Traversing a table will also flush it's
memory, as there is no way to tell in the current implementation if the
table that has been traversed has also been modified.
Change-Id: I4b520bca27502f1018878061bc5fb82af740bb92
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
If either USE_COHERENT_MEM or HW_ASSISTED_COHERENCY being true
should cause us to not enter the ifdef block, then the logic
is not correct here. Posibly bad use of De Morgan's law?
Fix this.
Signed-off-by: Andrew F. Davis <afd@ti.com>
Use a _ prefix for Macro arguments to prevent that argument from
hiding variables of the same name in the outer scope
Rule 5.3: An identifier declared in an inner scope shall not
hide an identifier declared in an outer scope
Fixed For:
make LOG_LEVEL=50 PLAT=fvp
Change-Id: I67b6b05cbad4aeca65ce52981b4679b340604708
Signed-off-by: Daniel Boulby <daniel.boulby@arm.com>
Initializes each element of the last_cpu_in_non_cpu_pd array in PSCI
stat implementation to -1, the reset value. This satisfies MISRA rule
9.3.
Previously, only the first element of the array was initialized to -1.
Change-Id: I666c71e6c073710c67c6d24c07a219b1feb5b773
Signed-off-by: Jonathan Wright <jonathan.wright@arm.com>
When the source code says 'SMCC' it is talking about the SMC Calling
Convention. The correct acronym is SMCCC. This affects a few definitions
and file names.
Some files have been renamed (smcc.h, smcc_helpers.h and smcc_macros.S)
but the old files have been kept for compatibility, they include the
new ones with an ERROR_DEPRECATED guard.
Change-Id: I78f94052a502436fdd97ca32c0fe86bd58173f2f
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Rule 8.3: All declarations of an object or function shall
use the same names and type qualifiers.
Change-Id: Iff384187c74a598a4e73f350a1893b60e9d16cec
Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
During the warm boot sequence:
1. The MMU is enabled with the data cache disabled. The MMU table walker
is set up to access the translation tables as in cacheable memory,
but its accesses are non-cacheable because SCTLR_EL3.C controls them
as well.
2. The interconnect is set up and the CPU enters coherency with the
rest of the system.
3. The data cache is enabled.
If the support for dynamic translation tables is enabled and another CPU
makes changes to a region, the changes may only be present in the data
cache, not in RAM. The CPU that is booting isn't in coherency with the
rest of the system, so the table walker of that CPU isn't either. This
means that it may read old entries from RAM and it may have invalid TLB
entries corresponding to the dynamic mappings.
This is not a problem for the boot code because the mapping is 1:1 and
the regions are static. However, the code that runs after the boot
sequence may need to access the dynamically mapped regions.
This patch invalidates all TLBs during warm boot when the dynamic
translation tables support is enabled to prevent this problem.
Change-Id: I80264802dc0aa1cb3edd77d0b66b91db6961af3d
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
On some platforms it may be necessary to discover the SMCCC version
via a PSCI features call.
Change-Id: I95281ac2263ca9aefda1809eb03464fbdb8ac24d
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>
Zelalem Aweke
Yann Gautier
Samuel Holland
Graeme Gregory
Joanna Farley
Jimmy Brisson
Sandeep Tripathy
Andrew Walbran
Deepika Bhavnani
Pankaj Gupta
Madhukar Pappireddy
Soby Mathew
Alexei Fedorov
Julius Werner
Andrew F. Davis
Antonio Nino Diaz
Joel Hutton
ldts
Daniel Boulby
Roberto Vargas
Dimitris Papastamos
Jonathan Wright
davidcunado-arm