The previous delegating/undelegating sequence was incorrect as per the
specification DDI0615, "Architecture Reference Manual Supplement, The
Realm Management Extension (RME), for Armv9-A" Sections A1.1.1 and
A1.1.2
Off topic:
- cleaning the gpt_is_gpi_valid and gpt_check_pass_overlap
Change-Id: Idb64d0a2e6204f1708951137062847938ab5e0ac
Signed-off-by: Robert Wakim <robert.wakim@arm.com>
Introduced by FF-A v1.1 we must forward a call to FFA_VERSION
to the SPMC so that the ffa version of the caller can be stored
for later use. Since the return of FFA_VERSION is not wrapped in
a FF-A call we need to use a direct message request to do this
forwarding. For the spmd_handler in the SPMC to hand off to the
correct function we use w2 to specify a target framework function.
Therefore we must update PSCI CPU_OFF to do this as well.
Change-Id: Ibaa6832b66f1597b3d65aa8986034f0c5916016d
Signed-off-by: Daniel Boulby <daniel.boulby@arm.com>
The original design prevented the primary CPU from doing a
warm boot sequence. This patch allows the primary to do warm
boot as well.
Signed-off-by: Mark Dykes <mark.dykes@arm.com>
Change-Id: I6baa50c3dff3051ff8b3e5a922d340634f651867
This patch enable/disable SVE/FPU for Realms depending
upon it's state in NS.
When this feature is enabled, traps to EL3 on SVE/FPU access from
Realms are disabled. However, RMM must ensure that the Realm <-> NS
SVE/FPU registers are not corrupted by each other and Realms do
not leak information to NS.
Change-Id: I0a27a055787976507017b72879ba6458f066624e
Signed-off-by: Subhasish Ghosh <subhasish.ghosh@arm.com>
This patch allocates the RMI and GTSI FIDs from the reserved
range in Standard Secure Service call range of SMCCC.
Signed-off-by: Subhasish Ghosh <subhasish.ghosh@arm.com>
Change-Id: I82e77778882194c2a78ca6340788d53bab7c3a50
The RMI command handling in RMMD did not preserve x4 to x7 when
returning to NS caller. Although this is allowed for SMCCCv1.0, this is
not correct as per v1.1. This fixes the same by differentiating the
onward and backward path during SMC handling.
This patch also fixes an issue with the backward path wherein the first
argument was being truncated to 32 bits.
Change-Id: Ibc85d574d5a2178a763975ddb32e456a12e7dc88
Signed-off-by: Soby Mathew <soby.mathew@arm.com>
As spm_mm cannot handle SVE/SME usage in NS world so its better to give
compilation error when ENABLE_SVE_FOR_NS=1 or ENABLE_SME_FOR_NS=1.
Signed-off-by: Manish Pandey <manish.pandey2@arm.com>
Change-Id: I69dbb272ca681bb020501342008eda20d4c0b096
This patch adds two new compile time options to enable SME in TF-A:
ENABLE_SME_FOR_NS and ENABLE_SME_FOR_SWD for use in non-secure and
secure worlds respectively. Setting ENABLE_SME_FOR_NS=1 will enable
SME for non-secure worlds and trap SME, SVE, and FPU/SIMD instructions
in secure context. Setting ENABLE_SME_FOR_SWD=1 will disable these
traps, but support for SME context management does not yet exist in
SPM so building with SPD=spmd will fail.
The existing ENABLE_SVE_FOR_NS and ENABLE_SVE_FOR_SWD options cannot
be used with SME as it is a superset of SVE and will enable SVE and
FPU/SIMD along with SME.
Signed-off-by: John Powell <john.powell@arm.com>
Change-Id: Iaaac9d22fe37b4a92315207891da848a8fd0ed73
sha 4ce3e99a3 introduced printf format specifiers for fixed width
types, which uses PRI*64 instead of "ll" for 64 bit values.
Signed-off-by: Manish Pandey <manish.pandey2@arm.com>
Change-Id: I30472411467061d58cc6ee22407ed3bad2552751
Use long instead of long long on aarch64 for 64_t stdint types.
Introduce inttypes.h to properly support printf format specifiers for
fixed width types for such change.
Change-Id: I0bca594687a996fde0a9702d7a383055b99f10a1
Signed-off-by: Scott Branden <scott.branden@broadcom.com>
Updated FFA_FEATURES according to FF-A v1.1 in SPMC can also be used
to retrieve feature information, and should now accept other arguments
than just FF-A call IDs.
Signed-off-by: J-Alves <joao.alves@arm.com>
Change-Id: I02cc24a31ab3092ec1ce6fed1a9649ffe7136782
Assert condition:
1 Register secure timer(ppi=29) for sdei nmi watchdog;
2 kernel panic and then kdump;
While kdump, kernel mask all cores sdei, secure timer trigger
and go to handle_masked_trigger() and assert here:
assert(se->affinity == my_mpidr);
As kernel register with flag=0, mpidr=0 and TF-A set flag to
SDEI_REGF_RM_PE but leave mpidr=0. So set mpidr to fix his
assert issue.
Signed-off-by: Ming Huang <huangming@linux.alibaba.com>
Change-Id: Ia9182f40bde94fb004b46e2a72b186eb0ef05166
Define a handler in the SPMD to route secure interrupts occurring while
the normal world runs. On a Group1 Secure interrupt (with a GICv3 or a
Group0 interrupt on GICv2), the normal world is pre-empted to EL3 and
redirected to the SPMD/SPMC for further handling.
Signed-off-by: Olivier Deprez <olivier.deprez@arm.com>
Signed-off-by: Madhukar Pappireddy <madhukar.pappireddy@arm.com>
Change-Id: I1350d74048c5549a2af8da0ba004c08512cc006a
SDEI specified event numbers in hexadecimal format.
Change event number format to hexadecimal to make
it easier for the reader to recognize the proper event.
Change-Id: Iac7a91d0910316e0ad54a8f09bc17209e8c6adf6
Signed-off-by: Vasyl Gomonovych <vgomonovych@marvell.com>
This patch updates and refactors the GPT library and fixes bugs.
- Support all combinations of PGS, PPS, and L0GPTSZ parameters.
- PPS and PGS are set at runtime, L0GPTSZ is read from GPCCR_EL3.
- Use compiler definitions to simplify code.
- Renaming functions to better suit intended uses.
- MMU enabled before GPT APIs called.
- Add comments to make function usage more clear in GPT library.
- Added _rme suffix to file names to differentiate better from the
GPT file system code.
- Renamed gpt_defs.h to gpt_rme_private.h to better separate private
and public code.
- Renamed gpt_core.c to gpt_rme.c to better conform to TF-A precedent.
Signed-off-by: John Powell <john.powell@arm.com>
Change-Id: I4cbb23b0f81e697baa9fb23ba458aa3f7d1ed919
The changes include:
- A new build option (ENABLE_RME) to enable FEAT_RME
- New image called RMM. RMM is R-EL2 firmware that manages Realms.
When building TF-A, a path to RMM image can be specified using
the "RMM" build flag. If RMM image is not provided, TRP is built
by default and used as RMM image.
- Support for RMM image in fiptool
Signed-off-by: Zelalem Aweke <zelalem.aweke@arm.com>
Change-Id: I017c23ef02e465a5198baafd665a60858ecd1b25
TRP is a small test payload that implements Realm Monitor
Management (RMM) functionalities. RMM runs in the Realm world
(R-EL2) and manages the execution of Realm VMs and their
interaction with the hypervisor in Normal world.
TRP is used to test the interface between RMM and Normal world
software, known as Realm Management Interface (RMI). Current
functions includes returning RMM version and transitioning
granules from Non-secure to Realm world and vice versa.
More information about RMM can be found at:
https://developer.arm.com/documentation/den0125/latest
Signed-off-by: Zelalem Aweke <zelalem.aweke@arm.com>
Change-Id: Ic7b9a1e1f3142ef6458d40150d0b4ba6bd723ea2
This patch introduces the RMM dispatcher into BL31. This
will be the mechanism that will enable communication to
take place between the Realm and non-secure world. Currently
gives the capability for granules to be
transitioned from non-secure type to realm and vice versa.
Signed-off-by: Zelalem Aweke <zelalem.aweke@arm.com>
Signed-off-by: Subhasish Ghosh <subhasish.ghosh@arm.com>
Change-Id: I1fdc99a4bdd42bc14911aa0c6954b131de309511
Defining SMC IDs for FF-A v1.1 notifications functionality, and adding
them to SPMD SMC handler, to ensure calls are forwarded to the SPMC.
Signed-off-by: J-Alves <joao.alves@arm.com>
Change-Id: Icc88aded0fd33507f7795e996bd4ff1c2fe679c8
This change refactors the SPMD to setup SPMC CPU contexts once and early
from spmd_spmc_init (single call to cm_setup_context rather than on each
and every warm boot).
Pass the core linear ID through a GP register as an implementation
defined behavior helping FF-A adoption to legacy TOSes (essentially
when secure virtualization is not used).
A first version of this change was originally submitted by Lukas [1].
Pasting below the original justification:
Our TEE, Kinibi, is used to receive the core linear ID in the x3
register of booting secondary cores.
This patch is necessary to bring up secondary cores with Kinibi as an
SPMC in SEL1.
In Kinibi, the TEE is mostly platform-independent and all platform-
specifics like topology is concentrated in TF-A of our customers.
That is why we don't have the MPIDR - linear ID mapping in Kinibi.
We need the correct linear ID to program the GICv2 target register,
for example in power management case.
It is not needed on GICv3/v4, because of using a fixed mapping from
MPIDR to ICDIPTR/GICD_ITARGETSRn register.
For debug and power management purpose, we also want a unified view to
linear id between Linux and the TEE.
E.g. to disable a core, to see what cores are printing a trace /
an event.
In the past, Kinibi had several other designs, but the complexity was
getting out of control:
* Platform-specific assembler macros in the kernel.
* A per-core SMC from Linux to tell the linear ID after the boot.
* With DynamiQ, it seems SIPs were playing with MPIDR register values,
reusing them between cores and changing them during boot.
[1] https://review.trustedfirmware.org/c/TF-A/trusted-firmware-a/+/10235
Signed-off-by: Olivier Deprez <olivier.deprez@arm.com>
Signed-off-by: Lukas Hanel <lukas.hanel@trustonic.com>
Change-Id: Ifa8fa208e9b8eb1642c80b5f7b54152dadafa75e
Consider a RAS scenario:
Enter EL3 by sync exception, then call spm_mm_sp_call() enter
EL0s to handle this error, then call sdei_dispatch_event() to
inform OS. Finally, return back to OS from sync exception flow.
Similar flow is sgi_ras_intr_handler() in sgi_ras.c.
The icc_pmr_el1 register will be change in above flow:
1 cm_el1_sysregs_context_save(NON_SECURE);
-> ehf_exited_normal_world();
##icc_pmr_el1: 0xf8 => 0x80
2 spm_mm_sp_call();
3 sdei_dispatch_event();
4 ehf_activate_priority(sdei_event_priority(map));
##icc_pmr_el1: 0x80 => 0x60
5 restore_and_resume_ns_context();
-> ehf_exited_normal_world();
##return due to has_valid_pri_activations(pe_data) == 1
6 ehf_deactivate_priority(sdei_event_priority(map));
##icc_pmr_el1: 0x60 => 0x80
The icc_pmr_el1 was rewrote from 0xf8 to 0x80. This issue will
result in OS hang when eret to OS from RAS flow.
Move ehf_activate_priority(sdei_event_priority(map)) after
restore_and_resume_ns_context() can fix this issue.
Signed-off-by: Ming Huang <huangming@linux.alibaba.com>
Change-Id: If01ec55cf0aabf1594dece1ad50d3ec3406cdabc
The SDEI specification now says that during an SDEI
event handler dispatch the SPSR should be set according
to the TakeException() pseudocode function defined in
the Arm Architecture Reference Manual. This patch sets
the SPSR according to the function given in
ARM DDI 0487F.c page J1-7635
Change-Id: Id2f8f2464fd69c701d81626162827e5c4449b658
Signed-off-by: Daniel Boulby <daniel.boulby@arm.com>
The SPMC at S-EL2 manages S-EL1 execution contexts for SPs. The
currently running SP vCPU state is always saved when the SPMC exits to
SPMD. A fresh vCPU context is always restored when the SPMC is entered
from the SPMD and a SP resumed. For performance optimization reasons
this permits omitting the saving/restoring of the S-EL1 context from
within the EL3 SPMD on entering/exiting the SPMC. The S-EL2 SPMC and
NS-EL1 context save/restore remain done in the SPMD.
Signed-off-by: Olivier Deprez <olivier.deprez@arm.com>
Change-Id: I66413ed5983913791ff5c9fc03c590ee65c6ccd7
Add SMC wrappers for handshaking the existence
and basic parameter validation for the SMCCC/PCI
API. The actual read/write/segment validation is
implemented by a given platform which will enable
the API by defining SMC_PCI_SUPPORT.
Signed-off-by: Jeremy Linton <jeremy.linton@arm.com>
Change-Id: I4485ad0fe6003cec6f5eedef688914d100513c21
The SMCCC, part 3 indicates that only the bottom
32-bits of a 32-bit SMC call are valid. The upper
bits must be zero. Lets enforce that so standard
service code can assume its been called that way.
Signed-off-by: Jeremy Linton <jeremy.linton@arm.com>
Change-Id: I1bac50fbdc3b6ddca5fe2d1d1f96166a65ac4eb4
Handle calls to the FFA_SPM_ID_GET interface. If FFA_SPM_ID_GET is
invoked from the non-secure physical FF-A instance, return the SPMC id
(defined in the SPMC manifest). If FFA_SPM_ID_GET is invoked from
the secure physical FF-A instance (e.g. the SPMC), return the SPMD id.
Change-Id: Id6d4e96b1da2510386d344e09c4553dba01227ec
Signed-off-by: Daniel Boulby <daniel.boulby@arm.com>
Standard Secure Services, complying to the SMCCC specification, are
discoverable: Any user can do the SMC call, and derive from the return
value (-1) if the service is implemented. Consequently we should not
*warn* if BL31 does not implement a service, as some services (TRNG, for
instance) might never be implemented for devices, as they are lacking
hardware.
Short of dropping the existing warning message altogether, change the
level to VERBOSE, which should prevent it actually being printed in
normal situations.
This removes the pointless TF-A messages on the console when booting
Linux, as modern kernels now call the SOCID and the TRNG service
unconditionally.
Change-Id: I08b0b02e0f46322ebe0b40b3991c3c9b5bed4f97
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
In the case of a SP pre-empted by a non-secure interrupt, the SPMC
returns to the SPMD through the FFA_INTERRUPT ABI. It is then forwarded
to the normal world driver hinting the SP has to be resumed after the
non-secure interrupt has been serviced.
Signed-off-by: Olivier Deprez <olivier.deprez@arm.com>
Change-Id: I51a694dddcb8ea30fa84e1f11d018bc2abec0a56
The current SPM_MM implementations expects the SP image addresses
as static macros. This means platforms wanting to use dynamically
allocated memory addresses are left out. This patch gets sp_boot_info
at the beginning of spm_sp_setup function and uses member variables
of sp_boot_info to setup the context. So member variables of
struct sp_boot_info and consequently the context can be initialized
by static macros or dynamiclly allocated memory address..
Change-Id: I1cb75190ab8026b845ae20a9c6cc416945b5d7b9
Signed-off-by: Mayur Gudmeti <mgudmeti@nvidia.com>
FF-A specification states that error codes should be typed int32_t.
SPMD's uses uint64_t for return values, which if assigned with a signed
type would have sign extension, and change the size of the return from
32-bit to 64-bit.
Signed-off-by: J-Alves <joao.alves@arm.com>
Change-Id: I288ab2ffec8330a2fe1f21df14e22c34bd83ced3
Add a lock and spin lock/unlock calls when accessing the fields of the
SPMD PM structure.
Signed-off-by: Olivier Deprez <olivier.deprez@arm.com>
Change-Id: I9bab705564dc1ba003c29512b1f9be5f126fbb0d
Remove the former impdef SPMD service for SPMC entry point
registration. Replace with FFA_SECONDARY_EP_REGISTER ABI
providing a single entry point address into the SPMC for
primary and secondary cold boot.
Signed-off-by: Olivier Deprez <olivier.deprez@arm.com>
Change-Id: I067adeec25fc12cdae90c15a616903b4ac4d4d83
when updata routing of an SDEI event, if the registration flags
is SDEI_REGF_RM_PE, need to updata the affinity of shared event.
Signed-off-by: Tony Xie <tony.xie@rock-chips.com>
Change-Id: Ie5d7cc4199253f6af1c28b407f712caac3092d06
The code to check for the presence of the TRNG service relies on
toolchain garbage collection, which is not enabled with -O0.
Add #ifdef guards around the call to the TRNG service handler to
cover builds without optimisation as well.
Change-Id: I08ece2005ea1c8fa96afa13904a851dec6b24216
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
This adds the TRNG Firmware Interface Service to the standard
service dispatcher. This includes a method for dispatching entropy
requests to platforms and includes an entropy pool implementation to
avoid dropping any entropy requested from the platform.
Change-Id: I71cadb3cb377a507652eca9e0d68714c973026e9
Signed-off-by: Jimmy Brisson <jimmy.brisson@arm.com>
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
This patch provides the changes listed below:
- Adds new bit fields definitions for SCTLR_EL1/2 registers
- Corrects the name of SCTLR_EL1/2.[20] bit field from
SCTLR_UWXN_BIT to SCTLR_TSCXT_BIT
- Adds FEAT_PANx bit field definitions and their possible
values for ID_AA64MMFR1_EL1 register.
- Adds setting of SCTLR_EL1.SPAN bit to preserve PSTATE.PAN
on taking an exception to EL1 in spm_sp_setup() function
(services\std_svc\spm_mm\spm_mm_setup.c)
Change-Id: If51f20e7995c649126a7728a4d0867041fdade19
Signed-off-by: Alexei Fedorov <Alexei.Fedorov@arm.com>
With -Wsign-compare, compilers issue a warning in the SPMD code:
====================
services/std_svc/spmd/spmd_pm.c:35:22: error: comparison of integer
expressions of different signedness: 'int' and 'unsigned int'
[-Werror=sign-compare]
35 | if ((id < 0) || (id >= PLATFORM_CORE_COUNT)) {
| ^~
cc1: all warnings being treated as errors
====================
Since we just established that "id" is positive, we can safely cast it
to an unsigned type to make the comparison have matching types.
Change-Id: I6ef24804c88136d7e3f15de008e4fea854f10ffe
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
spmd_get_context_by_mpidr was using potentially negative value as an
array index. plat_core_pos_by_mpidr could return -1 on failure which is
utilized by some platforms.
Signed-off-by: Max Shvetsov <maksims.svecovs@arm.com>
Change-Id: I7f8827e77f18da389c9cafdc1fc841aba9f03120
This patch removes the assert that expects the SPMC PC
value to be same as BL32_BASE. This assumption is not
true for all platforms e.g. Tegra, and so will be removed
from the SPMD.
Platforms can always add this check to the platform files,
if required.
Change-Id: Ic40620b43d160feb4f72f4af18e6d01861d4bf37
Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>
Define SPMD PM hooks for warm boot and off events. svc_on_finish handler
enters the SPMC at the entry point defined by the secondary EP register
service. The svc_off handler notifies the SPMC that a physical core is
being turned off through a notification message.
Signed-off-by: Olivier Deprez <olivier.deprez@arm.com>
Change-Id: I2609a75a0c6ffb9f6313fc09553be2b29a41de59
Upon booting, the SPMC running on the primary core shall register the
secondary core entry points to which a given secondary core being woken
up shall jump to into the SPMC . The current implementation assumes the
SPMC calls a registering service implemented in the SPMD for each core
identified by its MPIDR. This can typically happen in a simple loop
implemented in the early SPMC initialization routines by passing each
core identifier associated with an entry point address and context
information.
This service is implemented on top of a more generic SPMC<=>SPMD
interface using direct request/response message passing as defined by
the FF-A specification.
Signed-off-by: Olivier Deprez <olivier.deprez@arm.com>
Signed-off-by: Max Shvetsov <maksims.svecovs@arm.com>
Change-Id: I1f70163b6b5cee0880bd2004e1fec41e3780ba35
FF-A interface to handle SPMC to SPMD direct messages requests.
Signed-off-by: Olivier Deprez <olivier.deprez@arm.com>
Signed-off-by: Max Shvetsov <maksims.svecovs@arm.com>
Change-Id: Ia707a308c55561a31dcfa86e554ea1c9e23f862a
This patch defines and registers the SPMD PM handler hooks.
This is intended to relay boot and PM events to the SPMC.
Change-Id: If5a758d22b8d2152cbbb83a0cad563b5e1c6bd49
Signed-off-by: Olivier Deprez <olivier.deprez@arm.com>
Signed-off-by: Max Shvetsov <maksims.svecovs@arm.com>
This patch adds SPMC states used by the SPMD to track SPMC boot phases
specifically on secondary cores.
Change-Id: If97af7352dda7f04a8e46a56892a2aeddcfab91b
Signed-off-by: Olivier Deprez <olivier.deprez@arm.com>
Signed-off-by: Max Shvetsov <maksims.svecovs@arm.com>
This patch provides a helper to get the entry_point_info
structure used by the boot CPU as it is used to initialise
the SPMC context on secondary CPUs.
Change-Id: I99087dc7a86a7258e545d24a2ff06aa25170f00c
Signed-off-by: Olivier Deprez <olivier.deprez@arm.com>
Change handler of FFA version interface:
- Return SPMD's version if the origin of the call is secure;
- Return SPMC's version if origin is non-secure.
Signed-off-by: J-Alves <joao.alves@arm.com>
Change-Id: I0d1554da79b72b1e02da6cc363a2288119c32f44
Core spm_mm code expects the translation tables are located in the
inner & outer WBWA & shareable memory.
REGISTER_XLAT_CONTEXT2 macro is used to specify the translation
table section in spm_mm.
In the commit 363830df1c (xlat_tables_v2: merge
REGISTER_XLAT_CONTEXT_{FULL_SPEC,RO_BASE_TABLE}), REGISTER_XLAT_CONTEXT2
macro explicitly specifies the base xlat table goes into .bss by default.
This change affects the existing SynQuacer spm_mm implementation.
plat/socionext/synquacer/include/plat.ld.S linker script intends to
locate ".bss.sp_base_xlat_table" into "sp_xlat_table" section,
but this implementation is no longer available.
This patch adds the base table section name parameter for
REGISTER_XLAT_CONTEXT2 so that platform can specify the
inner & outer WBWA & shareable memory for spm_mm base xlat table.
If PLAT_SP_IMAGE_BASE_XLAT_SECTION_NAME is not defined, base xlat table
goes into .bss by default, the result is same as before.
Change-Id: Ie0e1a235e5bd4288dc376f582d6c44c5df6d31b2
Signed-off-by: Masahisa Kojima <masahisa.kojima@linaro.org>
SPCI is renamed as PSA FF-A which stands for Platform Security
Architecture Firmware Framework for A class processors.
This patch replaces the occurrence of SPCI with PSA FF-A(in documents)
or simply FFA(in code).
Change-Id: I4ab10adb9ffeef1ff784641dfafd99f515133760
Signed-off-by: J-Alves <joao.alves@arm.com>
This patch introduces dynamic configuration for SDEI setup and is supported
when the new build flag SDEI_IN_FCONF is enabled. Instead of using C arrays
and processing the configuration at compile time, the config is moved to
dts files. It will be retrieved at runtime during SDEI init, using the fconf
layer.
Change-Id: If5c35a7517ba00a9f258d7f3e7c8c20cee169a31
Signed-off-by: Balint Dobszay <balint.dobszay@arm.com>
Co-authored-by: Madhukar Pappireddy <madhukar.pappireddy@arm.com>
Currently BL2 passes TOS_FW_CONFIG address and size through registers to
BL31. This corresponds to SPMC manifest load address and size. The SPMC
manifest is mapped in BL31 by dynamic mapping. This patch removes BL2
changes from generic code (which were enclosed by SPD=spmd) and retrieves
SPMC manifest size directly from within SPMD. The SPMC manifest load
address is still passed through a register by generic code.
Signed-off-by: Olivier Deprez <olivier.deprez@arm.com>
Change-Id: I35c5abd95c616ae25677302f0b1d0c45c51c042f
As a follow-up to bdd2596d4, and related to SPM Dispatcher
EL3 component and SPM Core S-EL2/S-EL1 component: update
with cosmetic and coding rules changes. In addition:
-Add Armv8.4-SecEL2 arch detection helper.
-Add an SPMC context (on current core) get helper.
-Return more meaningful error return codes.
-Remove complexity in few spmd_smc_handler switch-cases.
-Remove unused defines and structures from spmd_private.h
Signed-off-by: Olivier Deprez <olivier.deprez@arm.com>
Change-Id: I99e642450b0dafb19d3218a2f0e2d3107e8ca3fe
This patch introduces the `SPCI_ID_GET` interface which will return the
ID of the calling SPCI component. Returns 0 for requests from the
non-secure world and the SPCI component ID as specified in the manifest
for secure world requests.
Change-Id: Icf81eb1d0e1d7d5c521571e04972b6e2d356e0d1
Signed-off-by: Max Shvetsov <maksims.svecovs@arm.com>
Signed-off-by: Marc Bonnici <marc.bonnici@arm.com>
Added SPMD_SPM_AT_SEL2 build command line parameter.
Set to 1 to run SPM at S-EL2.
Set to 0 to run SPM at S-EL1 (pre-v8.4 or S-EL2 is disabled).
Removed runtime EL from SPM core manifest.
Change-Id: Icb4f5ea4c800f266880db1d410d63fe27a1171c0
Signed-off-by: Artsem Artsemenka <artsem.artsemenka@arm.com>
Signed-off-by: Max Shvetsov <maksims.svecovs@arm.com>
This patch adds EL2 registers that are supported up to ARMv8.6.
ARM_ARCH_MINOR has to specified to enable save/restore routine.
Note: Following registers are still not covered in save/restore.
* AMEVCNTVOFF0<n>_EL2
* AMEVCNTVOFF1<n>_EL2
* ICH_AP0R<n>_EL2
* ICH_AP1R<n>_EL2
* ICH_LR<n>_EL2
Change-Id: I4813f3243e56e21cb297b31ef549a4b38d4876e1
Signed-off-by: Max Shvetsov <maksims.svecovs@arm.com>
NOTE: Not all EL-2 system registers are saved/restored.
This subset includes registers recognized by ARMv8.0
Change-Id: I9993c7d78d8f5f8e72d1c6c8d6fd871283aa3ce0
Signed-off-by: Jose Marinho <jose.marinho@arm.com>
Signed-off-by: Olivier Deprez <olivier.deprez@arm.com>
Signed-off-by: Artsem Artsemenka <artsem.artsemenka@arm.com>
Signed-off-by: Max Shvetsov <maksims.svecovs@arm.com>
This patch adds support to initialise the SPM dispatcher as a standard
secure service. It also registers a handler for SPCI SMCs exported by
the SPM dispatcher.
Signed-off-by: Achin Gupta <achin.gupta@arm.com>
Signed-off-by: Artsem Artsemenka <artsem.artsemenka@arm.com>
Change-Id: I2183adf826d08ff3fee9aee75f021021162b6477
This patch adds a rudimentary SPM dispatcher component in EL3.
It does the following:
- Consumes the TOS_FW_CONFIG to determine properties of the SPM core
component
- Initialises the SPM core component which resides in the BL32 image
- Implements a handler for SPCI calls from either security state. Some
basic validation is done for each call but in most cases it is simply
forwarded as-is to the "other" security state.
Signed-off-by: Achin Gupta <achin.gupta@arm.com>
Signed-off-by: Artsem Artsemenka <artsem.artsemenka@arm.com>
Change-Id: I7d116814557f7255f4f4ebb797d1619d4fbab590
Even though ERET always causes a jump to another address, aarch64 CPUs
speculatively execute following instructions as if the ERET
instruction was not a jump instruction.
The speculative execution does not cross privilege-levels (to the jump
target as one would expect), but it continues on the kernel privilege
level as if the ERET instruction did not change the control flow -
thus execution anything that is accidentally linked after the ERET
instruction. Later, the results of this speculative execution are
always architecturally discarded, however they can leak data using
microarchitectural side channels. This speculative execution is very
reliable (seems to be unconditional) and it manages to complete even
relatively performance-heavy operations (e.g. multiple dependent
fetches from uncached memory).
This was fixed in Linux, FreeBSD, OpenBSD and Optee OS:
679db7080129fb48ace43a08873eceabfd092aa1
It is demonstrated in a SafeSide example:
https://github.com/google/safeside/blob/master/demos/eret_hvc_smc_wrapper.cchttps://github.com/google/safeside/blob/master/kernel_modules/kmod_eret_hvc_smc/eret_hvc_smc_module.c
Signed-off-by: Anthony Steinhauser <asteinhauser@google.com>
Change-Id: Iead39b0b9fb4b8d8b5609daaa8be81497ba63a0f
The contents of this header have been merged into the spm_mm_svc.h
header file.
Change-Id: I01530b2e4ec1b4c091ce339758025e2216e740a4
Signed-off-by: Paul Beesley <paul.beesley@arm.com>
Before adding any new SPM-related components we should first do
some cleanup around the existing SPM-MM implementation. The aim
is to make sure that any SPM-MM components have names that clearly
indicate that they are MM-related. Otherwise, when adding new SPM
code, it could quickly become confusing as it would be unclear to
which component the code belongs.
The secure_partition.h header is a clear example of this, as the
name is generic so it could easily apply to any SPM-related code,
when it is in fact SPM-MM specific.
This patch renames the file and the two structures defined within
it, and then modifies any references in files that use the header.
Change-Id: I44bd95fab774c358178b3e81262a16da500fda26
Signed-off-by: Paul Beesley <paul.beesley@arm.com>
The Secure Partition Manager (SPM) prototype implementation is
being removed. This is preparatory work for putting in place a
dispatcher component that, in turn, enables partition managers
at S-EL2 / S-EL1.
This patch removes:
- The core service files (std_svc/spm)
- The Resource Descriptor headers (include/services)
- SPRT protocol support and service definitions
- SPCI protocol support and service definitions
Change-Id: Iaade6f6422eaf9a71187b1e2a4dffd7fb8766426
Signed-off-by: Paul Beesley <paul.beesley@arm.com>
Signed-off-by: Artsem Artsemenka <artsem.artsemenka@arm.com>
There are two different implementations of Secure Partition
management in TF-A. One is based on the "Management Mode" (MM)
design, the other is based on the Secure Partition Client Interface
(SPCI) specification. Currently there is a dependency between their
build flags that shouldn't exist, making further development
harder than it should be. This patch removes that
dependency, making the two flags function independently.
Before: ENABLE_SPM=1 is required for using either implementation.
By default, the SPCI-based implementation is enabled and
this is overridden if SPM_MM=1.
After: ENABLE_SPM=1 enables the SPCI-based implementation.
SPM_MM=1 enables the MM-based implementation.
The two build flags are mutually exclusive.
Note that the name of the ENABLE_SPM flag remains a bit
ambiguous - this will be improved in a subsequent patch. For this
patch the intention was to leave the name as-is so that it is
easier to track the changes that were made.
Change-Id: I8e64ee545d811c7000f27e8dc8ebb977d670608a
Signed-off-by: Paul Beesley <paul.beesley@arm.com>
Variable shadowing is, according to the C standard, permitted and valid
behaviour. However, allowing a local variable to take the same name as a
global one can cause confusion and can make refactoring and bug hunting
more difficult.
This patch moves -Wshadow from WARNING2 into the general warning group
so it is always used. It also fixes all warnings that this introduces
by simply renaming the local variable to a new name
Change-Id: I6b71bdce6580c6e58b5e0b41e4704ab0aa38576e
Signed-off-by: Justin Chadwell <justin.chadwell@arm.com>
All other returns from this function unlock the responses_lock, so we
also should release the lock in this case.
Change-Id: Ie2cfa8755723fed79e809f9480190d11f373a217
Signed-off-by: Justin Chadwell <justin.chadwell@arm.com>
NOTE: AARCH32/AARCH64 macros are now deprecated in favor of __aarch64__.
All common C compilers pre-define the same macros to signal which
architecture the code is being compiled for: __arm__ for AArch32 (or
earlier versions) and __aarch64__ for AArch64. There's no need for TF-A
to define its own custom macros for this. In order to unify code with
the export headers (which use __aarch64__ to avoid another dependency),
let's deprecate the AARCH32 and AARCH64 macros and switch the code base
over to the pre-defined standard macro. (Since it is somewhat
unintuitive that __arm__ only means AArch32, let's standardize on only
using __aarch64__.)
Change-Id: Ic77de4b052297d77f38fc95f95f65a8ee70cf200
Signed-off-by: Julius Werner <jwerner@chromium.org>
NOTE: __ASSEMBLY__ macro is now deprecated in favor of __ASSEMBLER__.
All common C compilers predefine a macro called __ASSEMBLER__ when
preprocessing a .S file. There is no reason for TF-A to define it's own
__ASSEMBLY__ macro for this purpose instead. To unify code with the
export headers (which use __ASSEMBLER__ to avoid one extra dependency),
let's deprecate __ASSEMBLY__ and switch the code base over to the
predefined standard.
Change-Id: Id7d0ec8cf330195da80499c68562b65cb5ab7417
Signed-off-by: Julius Werner <jwerner@chromium.org>
The spm_sp_get_by_uuid() function is used to look up the secure
partition that provides a given service.
Within this function, memcmp() is used to compare the service
UUIDs but it uses the size of the rdsvc->uuid pointer instead of
the size of its content (missing dereference). This means that only
a partial comparison is performed as UUIDs are 128 bits in length and
rdsvc->uuid is a uint32_t typed pointer.
Instead, use the size of the array pointed to by the svc_uuid parameter,
which will be the full 128 bits, for the comparison.
Change-Id: I258fb0cca3bf19f97b8f2a4c133981647cd050e4
Signed-off-by: Paul Beesley <paul.beesley@arm.com>
Rather than using a fixed virtual address space size, read all regions
in the resource description of each partition and restrict the virtual
address space size to the one the partition actually needs.
This also allows SPM to take advantage of the extension ARMv8.4-TTST if
the virtual address space size is small enough.
Change-Id: I8646aa95e659136b58b44b040364cdee631f7e82
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Right now the virtual address space is fixed to
PLAT_VIRT_ADDR_SPACE_SIZE, so all base translation tables are the same
size and need the same alignment. The current code allocates the exact
space needed by this initial table.
However, a following patch is going to allow each partition to choose
the size of its address space based on the memory regions defined in
their resource description, so it isn't possible to determine this at
build time. As this optimization no longer applies, it has to be
removed.
Change-Id: Ia8d19f4981e1017e4ffe0ba136de73d701044cb0
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
This gives each Secure Partition complete freedom on its address space.
Previously, the memory used by the exception vectors was reserved and
couldn't be used. Also, it always had to be mapped, forcing SPM to
generate translation tables that included the exception vectors as well
as the Partition memory regions. With this change, partitions can reduce
their address space size easily.
Change-Id: I67fb5e9bdf2870b73347f23bff702fab0a8f8711
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Instead of letting the code run until another error is reached, return
early.
Change-Id: I6277a8c65101d3e39b0540099c2a3063584a7dbd
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Improved support for W=2 compilation flag by solving some nested-extern
and sign-compare warnings.
The libraries are compiling with warnings (which turn into errors with
the Werror flag).
Outside of libraries, some warnings cannot be fixed.
Change-Id: I06b1923857f2a6a50e93d62d0274915b268cef05
Signed-off-by: Ambroise Vincent <ambroise.vincent@arm.com>