The contents of this header have been merged into the spm_mm_svc.h
header file.
Change-Id: I01530b2e4ec1b4c091ce339758025e2216e740a4
Signed-off-by: Paul Beesley <paul.beesley@arm.com>
Before adding any new SPM-related components we should first do
some cleanup around the existing SPM-MM implementation. The aim
is to make sure that any SPM-MM components have names that clearly
indicate that they are MM-related. Otherwise, when adding new SPM
code, it could quickly become confusing as it would be unclear to
which component the code belongs.
The secure_partition.h header is a clear example of this, as the
name is generic so it could easily apply to any SPM-related code,
when it is in fact SPM-MM specific.
This patch renames the file and the two structures defined within
it, and then modifies any references in files that use the header.
Change-Id: I44bd95fab774c358178b3e81262a16da500fda26
Signed-off-by: Paul Beesley <paul.beesley@arm.com>
The Secure Partition Manager (SPM) prototype implementation is
being removed. This is preparatory work for putting in place a
dispatcher component that, in turn, enables partition managers
at S-EL2 / S-EL1.
This patch removes:
- The core service files (std_svc/spm)
- The Resource Descriptor headers (include/services)
- SPRT protocol support and service definitions
- SPCI protocol support and service definitions
Change-Id: Iaade6f6422eaf9a71187b1e2a4dffd7fb8766426
Signed-off-by: Paul Beesley <paul.beesley@arm.com>
Signed-off-by: Artsem Artsemenka <artsem.artsemenka@arm.com>
There are two different implementations of Secure Partition
management in TF-A. One is based on the "Management Mode" (MM)
design, the other is based on the Secure Partition Client Interface
(SPCI) specification. Currently there is a dependency between their
build flags that shouldn't exist, making further development
harder than it should be. This patch removes that
dependency, making the two flags function independently.
Before: ENABLE_SPM=1 is required for using either implementation.
By default, the SPCI-based implementation is enabled and
this is overridden if SPM_MM=1.
After: ENABLE_SPM=1 enables the SPCI-based implementation.
SPM_MM=1 enables the MM-based implementation.
The two build flags are mutually exclusive.
Note that the name of the ENABLE_SPM flag remains a bit
ambiguous - this will be improved in a subsequent patch. For this
patch the intention was to leave the name as-is so that it is
easier to track the changes that were made.
Change-Id: I8e64ee545d811c7000f27e8dc8ebb977d670608a
Signed-off-by: Paul Beesley <paul.beesley@arm.com>
Variable shadowing is, according to the C standard, permitted and valid
behaviour. However, allowing a local variable to take the same name as a
global one can cause confusion and can make refactoring and bug hunting
more difficult.
This patch moves -Wshadow from WARNING2 into the general warning group
so it is always used. It also fixes all warnings that this introduces
by simply renaming the local variable to a new name
Change-Id: I6b71bdce6580c6e58b5e0b41e4704ab0aa38576e
Signed-off-by: Justin Chadwell <justin.chadwell@arm.com>
All other returns from this function unlock the responses_lock, so we
also should release the lock in this case.
Change-Id: Ie2cfa8755723fed79e809f9480190d11f373a217
Signed-off-by: Justin Chadwell <justin.chadwell@arm.com>
Enable dispatcher to save/restore unbanked timer registers. So that
both secure (OP-TEE) and non-secure (Linux) worlds can have independent
access control over timer registers.
Signed-off-by: Sumit Garg <sumit.garg@linaro.org>
Change-Id: I4d58d5ff8298587ed478c8433fcbc3aef538d668
NOTE: AARCH32/AARCH64 macros are now deprecated in favor of __aarch64__.
All common C compilers pre-define the same macros to signal which
architecture the code is being compiled for: __arm__ for AArch32 (or
earlier versions) and __aarch64__ for AArch64. There's no need for TF-A
to define its own custom macros for this. In order to unify code with
the export headers (which use __aarch64__ to avoid another dependency),
let's deprecate the AARCH32 and AARCH64 macros and switch the code base
over to the pre-defined standard macro. (Since it is somewhat
unintuitive that __arm__ only means AArch32, let's standardize on only
using __aarch64__.)
Change-Id: Ic77de4b052297d77f38fc95f95f65a8ee70cf200
Signed-off-by: Julius Werner <jwerner@chromium.org>
NOTE: __ASSEMBLY__ macro is now deprecated in favor of __ASSEMBLER__.
All common C compilers predefine a macro called __ASSEMBLER__ when
preprocessing a .S file. There is no reason for TF-A to define it's own
__ASSEMBLY__ macro for this purpose instead. To unify code with the
export headers (which use __ASSEMBLER__ to avoid one extra dependency),
let's deprecate __ASSEMBLY__ and switch the code base over to the
predefined standard.
Change-Id: Id7d0ec8cf330195da80499c68562b65cb5ab7417
Signed-off-by: Julius Werner <jwerner@chromium.org>
The project has been renamed from "Arm Trusted Firmware (ATF)" to
"Trusted Firmware-A (TF-A)" long ago. A few references to the old
project name that still remained in various places have now been
removed.
This change doesn't affect any platform files. Any "ATF" references
inside platform files, still remain.
Change-Id: Id97895faa5b1845e851d4d50f5750de7a55bf99e
Signed-off-by: John Tsichritzis <john.tsichritzis@arm.com>
The spm_sp_get_by_uuid() function is used to look up the secure
partition that provides a given service.
Within this function, memcmp() is used to compare the service
UUIDs but it uses the size of the rdsvc->uuid pointer instead of
the size of its content (missing dereference). This means that only
a partial comparison is performed as UUIDs are 128 bits in length and
rdsvc->uuid is a uint32_t typed pointer.
Instead, use the size of the array pointed to by the svc_uuid parameter,
which will be the full 128 bits, for the comparison.
Change-Id: I258fb0cca3bf19f97b8f2a4c133981647cd050e4
Signed-off-by: Paul Beesley <paul.beesley@arm.com>
Now it is needed to use the full path of the common header files.
Commit 09d40e0e08 ("Sanitise includes across codebase") provides more
information.
Change-Id: Ifedc79d9f664d208ba565f5736612a3edd94c647
Signed-off-by: Ambroise Vincent <ambroise.vincent@arm.com>
Rather than using a fixed virtual address space size, read all regions
in the resource description of each partition and restrict the virtual
address space size to the one the partition actually needs.
This also allows SPM to take advantage of the extension ARMv8.4-TTST if
the virtual address space size is small enough.
Change-Id: I8646aa95e659136b58b44b040364cdee631f7e82
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Right now the virtual address space is fixed to
PLAT_VIRT_ADDR_SPACE_SIZE, so all base translation tables are the same
size and need the same alignment. The current code allocates the exact
space needed by this initial table.
However, a following patch is going to allow each partition to choose
the size of its address space based on the memory regions defined in
their resource description, so it isn't possible to determine this at
build time. As this optimization no longer applies, it has to be
removed.
Change-Id: Ia8d19f4981e1017e4ffe0ba136de73d701044cb0
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
This gives each Secure Partition complete freedom on its address space.
Previously, the memory used by the exception vectors was reserved and
couldn't be used. Also, it always had to be mapped, forcing SPM to
generate translation tables that included the exception vectors as well
as the Partition memory regions. With this change, partitions can reduce
their address space size easily.
Change-Id: I67fb5e9bdf2870b73347f23bff702fab0a8f8711
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Instead of letting the code run until another error is reached, return
early.
Change-Id: I6277a8c65101d3e39b0540099c2a3063584a7dbd
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Improved support for W=2 compilation flag by solving some nested-extern
and sign-compare warnings.
The libraries are compiling with warnings (which turn into errors with
the Werror flag).
Outside of libraries, some warnings cannot be fixed.
Change-Id: I06b1923857f2a6a50e93d62d0274915b268cef05
Signed-off-by: Ambroise Vincent <ambroise.vincent@arm.com>
Improved support for W=1 compilation flag by solving missing-prototypes
and old-style-definition warnings.
The libraries are compiling with warnings (which turn into errors with
the Werror flag).
Outside of libraries, some warnings cannot be fixed without heavy
structural changes.
Change-Id: I1668cf99123ac4195c2a6a1d48945f7a64c67f16
Signed-off-by: Ambroise Vincent <ambroise.vincent@arm.com>
SSBS support is determined by checking ID_AA64PFR1_EL1 and not
ID_AA64PFR0_EL1.
FixesARM-Software/tf-issues#679
Change-Id: I8ecba13b850995ec6a6ede3c2a1e02e69a3a95db
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>
The GIC definitions used in this file have to be provided by the platform
but platform_def.h wasn't included.
Change-Id: I858cdf7e60c50577c8e798d64ec2cbc4f067f33b
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Since commit 01fc1c24b9 ("BL31: Use helper function to save registers
in SMC handler") all the general-purpose registers are saved when
entering EL3. It isn't needed to save them here.
Change-Id: Ic540a5441b89b70888da587ab8fc3b2508cef8cc
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Rather than letting the Trusty makefile set the option to enable dynamic
translation tables, make platforms do it themselves.
This also allows platforms to replace the implementation of the
translation tables library as long as they use the same function
prototypes.
Change-Id: Ia60904f61709ac323addcb57f7a83391d9e21cd0
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Commit 09d40e0e08 ("Sanitise includes across codebase") modified the
include paths of the TSP includes but it didn't remove the include path
from the makefile or did the same for TLK. This patch does the remaining
work.
Change-Id: Iecee2e88fabcd06989d35568c3a4c1f4e7d93572
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Instead of having a custom implementation of setjmp() and longjmp() it
is better to follow the C standard.
The comments in setjmp.h are no longer needed as there are no deviations
from the expected one, so they have been removed.
All SDEI code that relied on them has been fixed to use the new function
prototypes and structs.
Change-Id: I6cd2e21cb5a5bcf81ba12283f2e4c067bd5172ca
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Trusty requires dynamic translation tables support, so the makefile of
Trusty itself should request it. Not doing so causes platforms such as
FVP to fail to build with Trusty. Other platforms like Tegra still build
because they use dynamic translation tables by default.
Change-Id: Id67d3b9e1f7d0547fa81e81cefa3faf1e0e6f876
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
This patch dynamically maps the first page of trusty's code memory,
before accessing it to find out if we are running a 32-bit or 64-bit
image.
On Tegra platforms, this means we have to increase the mappings to
accomodate the new memmap entry.
Change-Id: If370d1e6cfcccd69b260134c1b462d8d17bee03d
Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>
During System Suspend, the entire system loses its state. To allow Trusty
to save/restore its context and allow its TAs to participate in the suspend
process, it needs to look at the max affinity level being suspended. This
patch passes the max affinity level to Trusty to enable to do so.
Change-Id: If7838dae10c3f5a694baedb15ec56fbad41f2b36
Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>
c_rt_ctx is used to store current SP before the system goes
into suspend. The assert for its value being zero is not
really necessary as the value gets over-written eventually.
This patch removes assert(tlk_ctx->c_rt_ctx == 0) from the
System Suspend path, as a result.
Change-Id: If41f15e74ebbbfd82958d8e179114899b2ffb0a7
Signed-off-by: Mihir Joshi <mihirj@nvidia.com>
This patch adds support to handle following TLK SMCs:
{TLK_SS_REGISTER_HANDLER, TLK_REGISTER_NS_DRAM_RANGES, TLK_SET_ROOT_OF_TRUST}
These SMCs need to be supported in ATF in order to forward them to
TLK. Otherwise, these functionalities won't work.
Brief:
TLK_SS_REGISTER_HANDLER: This SMC is issued by TLK Linux Driver to
set up secure storage buffers.
TLK_REGISTER_NS_DRAM_RANGES: Cboot performs this SMC during boot to
pass NS memory ranges to TLK.
TLK_SET_ROOT_OF_TRUST: Cboot performs this SMC during boot to pass
Verified Boot parameters to TLK.
Change-Id: I18af35f6dd6f510dfc22c1d1d1d07f643c7b82bc
Reviewed-on: https://git-master.nvidia.com/r/1643851
Signed-off-by: Mihir Joshi <mihirj@nvidia.com>
This reverts commit 2f37046524 ("Add support for the SMC Calling
Convention 2.0").
SMCCC v2.0 is no longer required for SPM, and won't be needed in the
future. Removing it makes the SMC handling code less complicated.
The SPM implementation based on SPCI and SPRT was using it, but it has
been adapted to SMCCC v1.0.
Change-Id: I36795b91857b2b9c00437cfbfed04b3c1627f578
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
When an unknown Trusty image is found, there's no point of still trying
to register the BL32 init handler. Instead, we just should bail out of
the trusty_setup() and allow the system to continue to boot.
Signed-off-by: David Lin <dtwlin@google.com>
Main Fixes:
Use int32_t replace int [Rule 4.6]
Added explicit casts (e.g. 0U) to integers in order for them to be
compatible with whatever operation they're used in [Rule 10.1]
Force operands of an operator to the same type category [Rule 10.4]
Fixed if statement conditional to be essentially boolean [Rule 14.4]
Voided non c-library functions whose return types are not used
[Rule 17.7]
Change-Id: I98caa330c371757eb2dfb9438448cb99115ed907
Signed-off-by: Anthony Zhou <anzhou@nvidia.com>
This implementation is no longer deprecated.
Change-Id: I68552d0fd5ba9f08fad4345e4657e8e3c5362a36
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
The SPM implementation based on MM is going to be kept for the
foreseeable future.
Change-Id: I11e96778a4f52a1aa803e7e048d9a7cb24a53954
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Acked-by: Sumit Garg <sumit.garg@linaro.org>
Registered init handlers return a boolean int, not a return code,
so convert the result from the SPM init call before returning it.
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Permit unaligned accesses while executing the secure partition
payload, so that we don't have to modify existing code that we
will host there. (The UEFI spec explicitly permits unaligned
accesses)
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Corrects typos in core code, documentation files, drivers, Arm
platforms and services.
None of the corrections affect code; changes are limited to comments
and other documentation.
Change-Id: I5c1027b06ef149864f315ccc0ea473e2a16bfd1d
Signed-off-by: Paul Beesley <paul.beesley@arm.com>
Expose the timer registers that are accessible at EL0 per the
architecture to the SPM payload running in secure EL0. Note
that this requires NS_TIMER_SWITCH to be enable for all users
of this code.
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Update some asserts that refer to #defines that only occur in
ARM platforms, preventing this code to be used on other platforms.
Instead, use a platform agnostic name, and update all the existing
users.
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Enforce full include path for includes. Deprecate old paths.
The following folders inside include/lib have been left unchanged:
- include/lib/cpus/${ARCH}
- include/lib/el3_runtime/${ARCH}
The reason for this change is that having a global namespace for
includes isn't a good idea. It defeats one of the advantages of having
folders and it introduces problems that are sometimes subtle (because
you may not know the header you are actually including if there are two
of them).
For example, this patch had to be created because two headers were
called the same way: e0ea0928d5 ("Fix gpio includes of mt8173 platform
to avoid collision."). More recently, this patch has had similar
problems: 46f9b2c3a2 ("drivers: add tzc380 support").
This problem was introduced in commit 4ecca33988 ("Move include and
source files to logical locations"). At that time, there weren't too
many headers so it wasn't a real issue. However, time has shown that
this creates problems.
Platforms that want to preserve the way they include headers may add the
removed paths to PLAT_INCLUDES, but this is discouraged.
Change-Id: I39dc53ed98f9e297a5966e723d1936d6ccf2fc8f
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Also, add a disclaimer to explain that the current implementation of SPM
is a prototype that is going to undergo a lot of rework.
Change-Id: I303c1e61c51d9f286cc599fea565fc9ba5a996bf
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
The old SMCs SP_MEMORY_ATTRIBUTES_{GET,SET}_AARCH64 have been removed in
favour of SPRT_MEMORY_PERM_ATTR_{GET,SET}_AARCH64.
Change-Id: Idb93cfa5461d0098df941037c5653f7c44b65227
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Note that the arguments passed during the SMC call don't comply with the
SPCI specifications. This will be fixed in following patches, but it is
needed to implement a few more SPCI SMCs to be able to do it. The
current code allows us to start testing it.
Change-Id: Ic13dcc54c40327df03be1b0f52e8a44f468f06b4
Co-authored-by: Jean-Paul Etienne <jean-paul.etienne@arm.com>
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
This buffer is where all the responses from Secure Partitions are stored
until they are requested.
Change-Id: Iafeb8f0848c5ff6f3e187060cd3a47702484dc45
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Blocking calls can only succeed if the target Secure Partition is idle.
Change-Id: Iabeaa0b8d3e653fd8581fa086758936abfc1c772
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Note that the arguments passed during the SMC call don't comply with the
SPCI specifications. This will be fixed in following patches, but it is
needed to implement a few more SPCI SMCs to be able to do it. The
current code allows us to start testing it.
Change-Id: Ief0e75d072b311737fcdb0c6a60ba5b7406a9ee5
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Introduce SMCs that open and close handles according to the SPCI
specification.
Change-Id: I65f365f15612e01aa445e783e96e48ae275c39fd
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Remove interfaces based on MM_COMMUNICATE.
Change-Id: I628c884b91d9f4758269ea2c4dedc37a66bb93cf
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
SPM needs to map a number of regions on behalf of the secure partition.
Previously, it used to get a list of them from platform code using the
plat_get_secure_partition_mmap() API. Now it gets them from the resource
description structure.
The SPM<->SP shared buffer is mapped dynamically at EL3. This buffer is
used to pass information between SPM and SP, so it must be mapped at EL3
as well in order to be used by SPM.
Dynamic translation tables have been enabled when the Trusted Firmware
is compiled with SPM support.
Change-Id: I64ad335e931661812a0a60558e60372e1e5e6b72
Co-authored-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Read entrypoint of the Secure Partition from the resource description
struct.
Change-Id: Ie693c7b4d4fecafd85b6934d9d8c4232efb1dc55
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Load SP and RD from package instead of relying on RD being already
loaded in memory and the SP being loaded as a BL32 image.
Change-Id: I18d4fbf4597656c6a7e878e1d7c01a8a324f3f8a
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
This information is retrieved from the resource description now.
Change-Id: Iaae23945eb2c45305cdc6442853e42f4e04fe094
Co-authored-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
This information is defined by the Secure Partition in the resource
description.
Change-Id: Ia7db90c5de8360a596106880d3f6a632a88d3ea8
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
The current SPM is a prototype that only supports one secure partition
in EL0. The objective of SPM is to have multiple partitions. The current
MM interface isn't adequate for this, so it is needed to modify heavily
the code to add proper support for it.
However, there are platforms which are already using this (like SGI) and
removing the code would break it. For this reason, the current SPM code
has been duplicated in order to temporarily preserve compatibility. All
new improvements/changes to SPM will be done in the non-deprecated copy,
that may change without notice.
The new build option SPM_DEPRECATED has been introduced to select the SPM
implementation. It defaults to 1, that selects the deprecated SPM.
Change-Id: Ic9f80b53b450e97b4d3f47e4ef4a138ee8d87443
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
The Armv8.5 extensions introduces PSTATE.SSBS (Speculation Store Bypass
Safe) bit to mitigate against Variant 4 vulnerabilities. Although an
Armv8.5 feature, this can be implemented by CPUs implementing earlier
version of the architecture.
With this patch, when both PSTATE.SSBS is implemented and
DYNAMIC_WORKAROUND_CVE_2018_3639 is active, querying for
SMCCC_ARCH_WORKAROUND_2 via. SMCCC_ARCH_FEATURES call would return 1 to
indicate that mitigation on the PE is either permanently enabled or not
required.
When SSBS is implemented, SCTLR_EL3.DSSBS is initialized to 0 at reset
of every BL stage. This means that EL3 always executes with mitigation
applied.
For Cortex A76, if the PE implements SSBS, the existing mitigation (by
using a different vector table, and tweaking CPU ACTLR2) is not used.
Change-Id: Ib0386c5714184144d4747951751c2fc6ba4242b6
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
Secure world execution nearly always expect a controlled exit to
Non-secure world. SDEI interrupts, although targets EL3, occur on behalf
of Non-secure world, and may have higher priority than Secure world
interrupts. Therefore they might preempt Secure execution, and yield
execution to Non-secure SDEI handler. Upon completion of SDEI event
handling (regardless of whether it's COPLETE or COMPLETE_AND_RESUME), we
must resume Secure execution if it was preempted.
Change-Id: I6edd991032588588427ba2fe6c3d7668f7080e3d
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
The current secure partition design mandates that a) at a point, only
a single core can be executing in the secure partition, and b) a core
cannot be preempted by an interrupt while executing in secure
partition.
Ensure this by activating the SPM priority prior to entering the
parition. Deactivate the priority on return from the
partition.
Change-Id: Icb3473496d16b733564592eef06304a1028e4f5c
Signed-off-by: Sughosh Ganu <sughosh.ganu@arm.com>
All identifiers, regardless of use, that start with two underscores are
reserved. This means they can't be used in header guards.
The style that this project is now to use the full name of the file in
capital letters followed by 'H'. For example, for a file called
"uart_example.h", the header guard is UART_EXAMPLE_H.
The exceptions are files that are imported from other projects:
- CryptoCell driver
- dt-bindings folders
- zlib headers
Change-Id: I50561bf6c88b491ec440d0c8385c74650f3c106e
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
This patch includes context.h from sdei_private.h to fix the
following compilation errors:
<snip>
In file included from services/std_svc/sdei/sdei_event.c:9:0:
services/std_svc/sdei/sdei_private.h: In function 'sdei_client_el':
services/std_svc/sdei/sdei_private.h:164:2: error: unknown type name 'cpu_context_t'
cpu_context_t *ns_ctx = cm_get_context(NON_SECURE);
^
services/std_svc/sdei/sdei_private.h:165:2: error: unknown type name 'el3_state_t'
el3_state_t *el3_ctx = get_el3state_ctx(ns_ctx);
^
services/std_svc/sdei/sdei_private.h:165:2: error: implicit declaration of function 'get_el3state_ctx' [-Werror=implicit-function-declaration]
services/std_svc/sdei/sdei_private.h:165:25: error: initialization makes pointer from integer without a cast [-Werror]
el3_state_t *el3_ctx = get_el3state_ctx(ns_ctx);
^
services/std_svc/sdei/sdei_private.h:167:2: error: implicit declaration of function 'read_ctx_reg' [-Werror=implicit-function-declaration]
return ((read_ctx_reg(el3_ctx, CTX_SCR_EL3) & SCR_HCE_BIT) != 0U) ?
^
services/std_svc/sdei/sdei_private.h:167:33: error: 'CTX_SCR_EL3' undeclared (first use in this function)
return ((read_ctx_reg(el3_ctx, CTX_SCR_EL3) & SCR_HCE_BIT) != 0U) ?
^
services/std_svc/sdei/sdei_private.h:167:33: note: each undeclared identifier is reported only once for each function it appears in
cc1: all warnings being treated as errors
<snip>
Change-Id: Id0cad56accf81b19cb0d301784f3f086dd052722
Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>
Ensure case clauses:
* Terminate with an unconditional break, return or goto statement.
* Use conditional break, return or goto statements as long as the end
of the case clause is unreachable; such case clauses must terminate
with assert(0) /* Unreachable */ or an unconditional __dead2 function
call
* Only fallthough when doing otherwise would result in less
readable/maintainable code; such case clauses must terminate with a
/* Fallthrough */ comment to make it clear this is the case and
indicate that a fallthrough is intended.
This reduces the chance of bugs appearing due to unintended flow through a
switch statement
Change-Id: I70fc2d1f4fd679042397dec12fd1982976646168
Signed-off-by: Daniel Boulby <daniel.boulby@arm.com>
The value used to signal failure is 0. It is needed to return a different
value on success.
Change-Id: I2186aa7dfbfc825bfe7b3d5ae3c4de7af10ee44f
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
The specification requires that, after wakeup from a CPU suspend, the
dispatcher must mask all events on the CPU. This patch adds the feature
to the SDEI dispatcher by subscribing to the PSCI suspend to power down
event, and masking all events on the PE.
Change-Id: I9fe1d1bc2a58379ba7bba953a8d8b275fc18902c
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
Some platforms might chose to take different actions depending on this
value; this is precisely the case for rcar-gen3.
Signed-off-by: Jorge Ramirez-Ortiz <jramirez@baylibre.com>
tf_printf and tf_snprintf are now called printf and snprintf, so the
code needs to be updated.
Change-Id: Iffeee97afcd6328c4c2d30830d4923b964682d71
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
The codebase was using non-standard headers. It is needed to replace
them by the correct ones so that we can use the new libc headers.
Change-Id: I530f71d9510cb036e69fe79823c8230afe890b9d
Acked-by: Sumit Garg <sumit.garg@linaro.org>
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
The event lock for a shared event was being unlocked twice, and the
locking sequence for event complete was misplaced. This patch fixes both
issues.
Change-Id: Ie2fb15c6ec240af132d7d438946ca160bd5c63dc
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
These changes address most of the required MISRA rules. In the process,
some from generic code is also fixed.
No functional changes.
Change-Id: I6235a355e006f0b1c7c1c4d811b3964a64d0434f
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
Functions provided by stdio.h such as printf and sprintf are available
in the codebase, but they add a lot of code to the final image if they
are used:
- AArch64: ~4KB
- AArch32: ~2KB in T32, ~3KB in A32
tf_printf and tf_snprintf are a lot more simple, but it is preferable
to use them when possible because they are also used in common code.
Change-Id: Id09fd2b486198fe3d79276e2c27931595b7ba60e
Acked-by: Haojian Zhuang <haojian.zhuang@linaro.org>
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Changed the names for consistency with the rest of the library. Introduced
new helpers that manipulate the active translation tables context.
Change-Id: Icaca56b67fcf6a96e88aa3c7e47411162e8e6856
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Fix the types of the arguments of trusty_generic_platform_smc()
to match the expected prototype of a runtime service handler
(see rt_svc_handle_t type).
Change-Id: Ie839d116ca924b4b018ea2abbef72a1073da2a32
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
Instead of having a different initialization routine than the rest of
the codebase, use the common implementation.
Change-Id: I27c03b9905f3cf0af8810aad9e43092005387a1a
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Fix mismatches between the format specifier and the corresponding
variable type.
Change-Id: Ib9004bd9baa9ba24a50000bea4f2418e1bf7e743
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
Check_vector_size checks if the size of the vector fits
in the size reserved for it. This check creates problems in
the Clang assembler. A new macro, end_vector_entry, is added
and check_vector_size is deprecated.
This new macro fills the current exception vector until the next
exception vector. If the size of the current vector is bigger
than 32 instructions then it gives an error.
Change-Id: Ie8545cf1003a1e31656a1018dd6b4c28a4eaf671
Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
The function end_sdei_explicit_dispatch() was intended to be
end_sdei_synchronous_dispatch() which does the opposite of
begin_sdei_synchronous_dispatch(). This patch fixes that.
No functional changes.
Change-Id: I141bd91eb342ecf4ddfd05b49513eee4549e7a56
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
commit 2ccfcb2ea5 ("SDEI: Determine client
EL from NS context's SCR_EL3") intended to read from SCR_EL3, but
wrongly read from SPSR_EL3 instead. This patch fixes that.
Change-Id: I8ffea39cc98ef59cb8e7a4c6ef4cb12011c58536
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
The Commit cdb6ac94ec introduced a bug
because of which the SDEI dispatcher wrongly panic when an SDEI event
dispatched earlier as a result of interrupt. This patch fixes the check
for a bound interrupt.
Change-Id: If55c8f0422ff781731248bbbc9c1b59fa0d3c4b0
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
SDEI event dispatches currently only sets up the Non-secure context
before returning to the caller. The actual dispatch only happens upon
exiting EL3 next time.
However, for various error handling scenarios, it's beneficial to have
the dispatch happen synchronously. I.e. when receiving SDEI interrupt,
or for a successful sdei_dispatch_event() call, the event handler is
executed; and upon the event completion, dispatcher execution resumes
after the point of dispatch. The jump primitives introduced in the
earlier patch facilitates this feature.
With this patch:
- SDEI interrupts and calls to sdei_dispatch_event prepares the NS
context for event dispatch, then sets a jump point, and immediately
exits EL3. This results in the client handler executing in
Non-secure.
- When the SDEI client completes the dispatched event, the SDEI
dispatcher does a longjmp to the jump pointer created earlier. For
the caller of the sdei_dispatch_event() in particular, this would
appear as if call returned successfully.
The dynamic workaround for CVE_2018_3639 is slightly shifted around as
part of related minor refactoring. It doesn't affect the workaround
functionality.
Documentation updated.
NOTE: This breaks the semantics of the explicit dispatch API, and any
exiting usages should be carefully reviewed.
Change-Id: Ib9c876d27ea2af7fb22de49832e55a0da83da3f9
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
Currently, the dispatcher reads from SCR_EL3 register directly to
determine the EL of SDEI client. This is with the assumption that
SCR_EL3 is not modified throughout. However, with RAS work flows, it's
possible that SCR_EL3 register contains values corresponding to Secure
world, and therefore EL determination can go wrong. To mitigate this,
always read the register from the saved Non-secure context.
Change-Id: Ic85e4021deb18eb58757f676f9a001174998543a
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
The current macros only allow to define dynamic and statically-bound
SDEI events. However, there ought be a mechanism to define SDEI events
that are explicitly dispatched; i.e., events that are dispatched as a
result of a previous secure interrupt or other exception
This patch introduces SDEI_EXPLICIT_EVENT() macro to define an explicit
event. They must be placed under private mappings. Only the priority
flags are allowed to be additionally specified.
Documentation updated.
Change-Id: I2e12f5571381195d6234c9dfbd5904608ad41db3
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
It may be needed to enter the Secure Partition through other means than
an MM_COMMUNICATE SMC. This patch enables this behaviour by extracting
the necessary code from mm_communicate() and allowing other parts of the
code to use it.
Change-Id: I59f6638d22d9c9d0baff0984f39d056298a8dc8e
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Only use synchronous calls to enter the Secure Partition in order to
simplify the SMC handling code.
Change-Id: Ia501a045585ee0836b9151141ad3bd11d0971be2
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
RFC4122 defines that fields are stored in network order (big endian),
but TF-A stores them in machine order (little endian by default in TF-A).
We cannot change the future UUIDs that are already generated, but we can store
all the bytes using arrays and modify fiptool to generate the UUIDs with
the correct byte order.
Change-Id: I97be2d3168d91f4dee7ccfafc533ea55ff33e46f
Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
The function xlat_arch_is_granule_size_supported() can be used to check
if a specific granule size is supported. In Armv8, AArch32 only supports
4 KiB pages. AArch64 supports 4 KiB, 16 KiB or 64 KiB depending on the
implementation, which is detected at runtime.
The function xlat_arch_get_max_supported_granule_size() returns the max
granule size supported by the implementation.
Even though right now they are only used by SPM, they may be useful in
other places in the future. This patch moves the code currently in SPM
to the xlat tables lib so that it can be reused.
Change-Id: If54624a5ecf20b9b9b7f38861b56383a03bbc8a4
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
In the context management library, cm_setup_context() takes the
information in ep_info to fill the registers x0-x7. This patch replaces
the current code that sets them manually by the correct initialization
code.
Change-Id: Id1fdf4681b154026c2e3af1f9b05b19582b7d16d
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Rule 5.7: A tag name shall be a unique identifier
Follow convention of shorter names for smaller scope to fix
violations of MISRA rule 5.7
Fixed For:
make ARM_TSP_RAM_LOCATION=tdram LOG_LEVEL=50 PLAT=fvp SPD=opteed
Change-Id: I5fbb5d6ebddf169550eddb07ed880f5c8076bb76
Signed-off-by: Daniel Boulby <daniel.boulby@arm.com>
Use a _ prefix for macro arguments to prevent that argument from
hiding variables of the same name in the outer scope
Rule 5.3: An identifier declared in an inner scope shall not
hide an identifier declared in an outer scope
Fixed For:
make PLAT=fvp SPD=tspd
Change-Id: I2d711b9584c4cb9ba3814ecd2ca65a42b7e24179
Signed-off-by: Daniel Boulby <daniel.boulby@arm.com>
When dynamic mitigation is used, the SDEI handler is required to
execute with the mitigation enabled by default, regardless of the
mitigation state for lower ELs. This means that if the kernel or
hypervisor explicitly disables the mitigation and then later when the
event is dispatched, the dispatcher will remember the mitigation state
for the lower ELs but force the mitigation to be on during the SDEI
handler execution. When the SDEI handler returns, it will restore the
mitigation state.
This behaviour is described in "Firmware interfaces for mitigating
cache speculation vulnerabilities System Software on Arm Systems"[0].
[0] https://developer.arm.com/cache-speculation-vulnerability-firmware-specification
Change-Id: I8dd60b736be0aa9e832b0f92d67a401fdeb417f4
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>
Simplify the code of the SMC handler by extracting the code of
SP_EVENT_COMPLETE and MM_COMMUNICATE.
Change-Id: I9250a3f5e4b807b35c9d044592c1074a45ab9a07
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Instead of just knowing if the Secure Partition is being initialized or
not, this generic state enum can be used to tell if the Secure Partition
is busy and to add more states in the future if needed.
Also, the spinlock of the secure_partition_context_t structure now only
protects against concurrent accesses to the state of the secure
partition. Previously, it used to lock down the whole structure, thus
preventing one CPU to access any of its fields while another CPU was
executing the partition.
Change-Id: I51215328e2ca8ea2452f92e4a1cb237415958b22
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
The current internal names are too long, which makes it hard to write
code as many lines overflow the limit and need to be split, which may
not help the reader.
Change-Id: I072bdc8f3dd125255063ffa7f02500e5228fc9a1
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
This is done in order to make it easier to read the file spm_main.c.
Change-Id: I21e765154c1682a319a3bc47a19a42fd736e910e
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Move all information related to a Secure Partition to the struct
secure_partition_context_t.
This requires an in-depth refactor because most of the previous code of
SPM relied on global information.
Change-Id: I0a23e93817dcc191ce1d7506b8bc671d376123c4
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Some CPUS may benefit from using a dynamic mitigation approach for
CVE-2018-3639. A new SMC interface is defined to allow software
executing in lower ELs to enable or disable the mitigation for their
execution context.
It should be noted that regardless of the state of the mitigation for
lower ELs, code executing in EL3 is always mitigated against
CVE-2018-3639.
NOTE: This change is a compatibility break for any platform using
the declare_cpu_ops_workaround_cve_2017_5715 macro. Migrate to
the declare_cpu_ops_wa macro instead.
Change-Id: I3509a9337ad217bbd96de9f380c4ff8bf7917013
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>
For affected CPUs, this approach enables the mitigation during EL3
initialization, following every PE reset. No mechanism is provided to
disable the mitigation at runtime.
This approach permanently mitigates the entire software stack and no
additional mitigation code is required in other software components.
TF-A implements this approach for the following affected CPUs:
* Cortex-A57 and Cortex-A72, by setting bit 55 (Disable load pass store) of
`CPUACTLR_EL1` (`S3_1_C15_C2_0`).
* Cortex-A73, by setting bit 3 of `S3_0_C15_C0_0` (not documented in the
Technical Reference Manual (TRM)).
* Cortex-A75, by setting bit 35 (reserved in TRM) of `CPUACTLR_EL1`
(`S3_0_C15_C1_0`).
Additionally, a new SMC interface is implemented to allow software
executing in lower ELs to discover whether the system is mitigated
against CVE-2018-3639.
Refer to "Firmware interfaces for mitigating cache speculation
vulnerabilities System Software on Arm Systems"[0] for more
information.
[0] https://developer.arm.com/cache-speculation-vulnerability-firmware-specification
Change-Id: I084aa7c3bc7c26bf2df2248301270f77bed22ceb
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>
This patch renames symbols and files relating to CVE-2017-5715 to make
it easier to introduce new symbols and files for new CVE mitigations.
Change-Id: I24c23822862ca73648c772885f1690bed043dbc7
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>
This allows secure partitions to access these registers. This is
needed in some cases. For example, it has been reported that in order
to implement secure storage services, a secure partition needs to
encrypt/decrypt some authentication variables, which requires FP/SIMD
support.
Note that SPM will not do any saving/restoring of these registers on
behalf of the SP. This falls under the SP's responsibility.
Also note that if the SP gets preempted, it might not get a chance to
save/restore FP/SIMD registers first. This patch does not address this
problem. It only serves as a temporary solution to unblock development
on the secure partition side.
Change-Id: I3b8ccdebdac0219f6ac96ad66ab2be0be8374ad3
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
Since commit 031dbb1224 ("AArch32: Add essential Arch helpers"),
it is difficult to use consistent format strings for printf() family
between aarch32 and aarch64.
For example, uint64_t is defined as 'unsigned long long' for aarch32
and as 'unsigned long' for aarch64. Likewise, uintptr_t is defined
as 'unsigned int' for aarch32, and as 'unsigned long' for aarch64.
A problem typically arises when you use printf() in common code.
One solution could be, to cast the arguments to a type long enough
for both architectures. For example, if 'val' is uint64_t type,
like this:
printf("val = %llx\n", (unsigned long long)val);
Or, somebody may suggest to use a macro provided by <inttypes.h>,
like this:
printf("val = %" PRIx64 "\n", val);
But, both would make the code ugly.
The solution adopted in Linux kernel is to use the same typedefs for
all architectures. The fixed integer types in the kernel-space have
been unified into int-ll64, like follows:
typedef signed char int8_t;
typedef unsigned char uint8_t;
typedef signed short int16_t;
typedef unsigned short uint16_t;
typedef signed int int32_t;
typedef unsigned int uint32_t;
typedef signed long long int64_t;
typedef unsigned long long uint64_t;
[ Linux commit: 0c79a8e29b5fcbcbfd611daf9d500cfad8370fcf ]
This gets along with the codebase shared between 32 bit and 64 bit,
with the data model called ILP32, LP64, respectively.
The width for primitive types is defined as follows:
ILP32 LP64
int 32 32
long 32 64
long long 64 64
pointer 32 64
'long long' is 64 bit for both, so it is used for defining uint64_t.
'long' has the same width as pointer, so for uintptr_t.
We still need an ifdef conditional for (s)size_t.
All 64 bit architectures use "unsigned long" size_t, and most 32 bit
architectures use "unsigned int" size_t. H8/300, S/390 are known as
exceptions; they use "unsigned long" size_t despite their architecture
is 32 bit.
One idea for simplification might be to define size_t as 'unsigned long'
across architectures, then forbid the use of "%z" string format.
However, this would cause a distortion between size_t and sizeof()
operator. We have unknowledge about the native type of sizeof(), so
we need a guess of it anyway. I want the following formula to always
return 1:
__builtin_types_compatible_p(size_t, typeof(sizeof(int)))
Fortunately, ARM is probably a majority case. As far as I know, all
32 bit ARM compilers use "unsigned int" size_t.
Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
Commit 4c0d039076 ("Rework type usage in Trusted Firmware") changed
the type usage in struct declarations, but did not touch the definition
side. Fix the type mismatch.
Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
Rule 8.4: A compatible declaration shall be visible when
an object or function with external linkage is defined
Fixed for:
make DEBUG=1 PLAT=fvp SPD=tspd all
Change-Id: I0a16cf68fef29cf00ec0a52e47786f61d02ca4ae
Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
Rule 8.3: All declarations of an object or function shall
use the same names and type qualifiers
Fixed for:
make DEBUG=1 PLAT=fvp SPD=tspd all
Change-Id: I4e31c93d502d433806dfc521479d5d428468b37c
Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
Only return -1 if the workaround for CVE-2017-5715 is not compiled in.
Change-Id: I1bd07c57d22b4a13cf51b35be141a1f1ffb065ff
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>
Void pointers have been used to access linker symbols, by declaring an
extern pointer, then taking the address of it. This limits symbols
values to aligned pointer values. To remove this restriction an
IMPORT_SYM macro has been introduced, which declares it as a char
pointer and casts it to the required type.
Change-Id: I89877fc3b13ed311817bb8ba79d4872b89bfd3b0
Signed-off-by: Joel Hutton <Joel.Hutton@Arm.com>
When the source code says 'SMCC' it is talking about the SMC Calling
Convention. The correct acronym is SMCCC. This affects a few definitions
and file names.
Some files have been renamed (smcc.h, smcc_helpers.h and smcc_macros.S)
but the old files have been kept for compatibility, they include the
new ones with an ERROR_DEPRECATED guard.
Change-Id: I78f94052a502436fdd97ca32c0fe86bd58173f2f
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
This patch fixes the sanity check on the non-secure entrypoint value
returned by bl31_plat_get_next_image_ep_info(). This issue has been
reported by Coverity Scan Online:
CID 264893 (#1 of 1): Dereference null return value (NULL_RETURNS)
Dereferencing a null pointer ns_ep_info.
Change-Id: Ia0f64d8c8b005f042608f1422ecbd42bc90b2fb4
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
When querying `SMCCC_ARCH_WORKAROUND_1` through `SMCCC_ARCH_FEATURES`,
return either:
* -1 to indicate the PE on which `SMCCC_ARCH_FEATURES` is called
requires firmware mitigation for CVE-2017-5715 but the mitigation
is not compiled in.
* 0 to indicate that firmware mitigation is required, or
* 1 to indicate that no firmware mitigation is required.
This patch complies with v1.2 of the firmware interfaces
specification (ARM DEN 0070A).
Change-Id: Ibc32d6620efdac6c340758ec502d95554a55f02a
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>
Rule 8.4: A compatible declaration shall be visible when
an object or function with external linkage is defined.
Change-Id: I26e042cb251a6f9590afa1340fdac73e42f23979
Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
An earlier patch extended ehf_allow_ns_preemption() API to also register
an error code to offer to Non-secure when a Yielding SMC is preempted by
SDEI interrupt. In TSPD's case, register the error code TSP_PREEMPTED.
Change-Id: I31992b6651f80694e83bc5092b044ef7a3eda690
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
Currently, when the client attempts to do SDEI_EVENT_COMPLETE or
SDEI_EVENT_COMPLETE_AND_RESUME, the dispatcher pops off the outstanding
dispatch context for sanity check. There are however other checks
following this, which could potentially return failure. If that happens,
by popping the context, the dispatcher has inadvertently discarded a
valid context.
This patch fixes this bug by inspecting (not actually popping) the
outstanding context. The context is popped only after all error checks
are completed.
Change-Id: Ie199f6442f871a8177a8247a0c646543bad76d21
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
After executing a TLBI a DSB is needed to ensure completion of the
TLBI.
rk3328: The MMU is allowed to load TLB entries for as long as it is
enabled. Because of this, the correct place to execute a TLBI is right
after disabling the MMU.
Change-Id: I8280f248d10b49a8c354a4ccbdc8f8345ac4c170
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
This fixes all defects according to MISRA Rule 3.1: "The character
sequences /* and // shall not be used within a comment". This affects
all URLs in comments, so they have been removed:
- The link in `sdei_state.c` can also be found in the documentation file
`docs/sdei.rst`.
- The bug that the file `io_fip.c` talks about doesn't affect the
currently supported version of GCC, so it doesn't make sense to keep
the comment. Note that the version of GCC officially supported is the
one that comes with Linaro Release 17.10, which is GCC 6.2.
- The link in `tzc400.c` was broken, and it didn't correctly direct to
the Technical Reference Manual it should. The link has been replaced
by the title of the document, which is more convenient when looking
for the document.
Change-Id: I89f60c25f635fd4c008a5d3a14028f814c147bbe
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
At present, the build option TSP_NS_INTR_ASYNC_PREEMPT controls how
Non-secure interrupt affects TSPs execution. When TSP is executing:
1. When TSP_NS_INTR_ASYNC_PREEMPT=0, Non-secure interrupts are received
at the TSP's exception vector, and TSP voluntarily preempts itself.
2. When TSP_NS_INTR_ASYNC_PREEMPT=1, Non-secure interrupts causes a
trap to EL3, which preempts TSP execution.
When EL3 exception handling is in place (i.e.,
EL3_EXCEPTION_HANDLING=1), FIQs are always trapped to EL3. On a system
with GICv3, pending NS interrupts while TSP is executing will be
signalled as FIQ (which traps to EL3). This situation necessitates the
same treatment applied to case (2) above.
Therefore, when EL3 exception handling is in place, additionally
require that TSP_NS_INTR_ASYNC_PREEMPT is set to one 1.
Strictly speaking, this is not required on a system with GICv2, but the
same model is uniformly followed regardless, for simplicity.
Relevant documentation updated.
Change-Id: I928a8ed081fb0ac96e8b1dfe9375c98384da1ccd
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
When EL3 exception handling is in effect (i.e.,
EL3_EXCEPTION_HANDLING=1), Non-secure interrupts can't preempt Secure
execution. However, for yielding SMCs, preemption by Non-secure
interupts is intended.
This patch therefore adds a call to ehf_allow_ns_preemption() before
dispatching a Yielding SMC to TSP.
Change-Id: Ia3a1ae252f3adc0f14e6d7e0502f251bdb349bdf
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
SMCCC v1.1 comes with a relaxed calling convention for AArch64
callers. The caller only needs to save x0-x3 before doing an SMC
call.
This patch adds support for SMCCC_VERSION and SMCCC_ARCH_FEATURES.
Refer to "Firmware Interfaces for mitigating CVE_2017_5715 System
Software on Arm Systems"[0] for more information.
[0] https://developer.arm.com/-/media/developer/pdf/ARM%20DEN%200070A%20Firmware%20interfaces%20for%20mitigating%20CVE-2017-5715_V1.0.pdf
Change-Id: If5b1c55c17d6c5c7cb9c2c3ed355d3a91cdad0a9
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>
Add off/on argument to SMC_FC_CPU_SUSPEND SMC_FC_CPU_RESUME and pass
1 when called from the cpu on/off hooks.
Change-Id: Ie233c446fd38b3ff8546e445a8d86a15d2816093
Signed-off-by: Arve Hjønnevåg <arve@android.com>
The secure physical timer is inacessible from 32-bit S-EL1 (when EL3
is 64-bit) so trusty will use the non-secure physical timer in this
case. Linux will use the virtual timer instead of the physical timer
when started in EL1.
Change-Id: Ie49348d9a27e5287676dd4a77f678ecbd6c2309f
Signed-off-by: Arve Hjønnevåg <arve@android.com>
The original patch has been partly merged. This adds the missing
pieces.
Change-Id: I77fd434feab396ff05d9b8e0c1761e4dd588a701
Signed-off-by: Arve Hjønnevåg <arve@android.com>
Add smc calls to return gic base address and print to the debug
console. Allows running a generic trusty binary.
Change-Id: I4b6540f140f11432cdff43c3f5a2097df09dc9d1
Signed-off-by: Arve Hjønnevåg <arve@android.com>
Rename SP_VERSION macros to MM_VERSION, which is the name used in the MM
specification [1]. Also, a few more helper macros have been added.
MM-specific definitions have been moved to their own header file.
[1] http://infocenter.arm.com/help/topic/com.arm.doc.den0060a/DEN0060A_ARM_MM_Interface_Specification.pdf
Change-Id: Ia10e48c7e81a7a1f5eeca29a5270cae740a4a88a
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
This patch adds support to receive function ID with NS world's
memory ranges to provide the memory snapshot to TLK.
Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>
The Secure Partition should be able to be used from any CPU, not just
the lead one. This patch point the secure contexts of all secondary
CPUs to the same one used by the lead CPU for the Secure Partition. This
way, they can also use it.
In order to prevent more than one CPU from using the Secure Partition at
the same time, a lock has been added.
Change-Id: Ica76373127c3626498b06c558a4874ce72201ff7
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Whether a Secure Partition is being initialized or not is something
related to that specific partition, so it should be saved with the
rest of the information related to it.
Change-Id: Ie8a780f70df83fb03ef9c01ba37960208d9b5319
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
This partially reverts commit d6b532b50f, keeping only the fixes to
the assertions. The changes related to the order of arguments passed
to the secure partition were not correct and violated the
specification of the SP_EVENT_COMPLETE SMC.
This patch also improves the MM_COMMUNICATE argument validation. The
cookie argument, as it comes from normal world, can't be trusted and thus
needs to always be validated at run time rather than using an assertion.
Also validate the communication buffer address and return
INVALID_PARAMETER if it is zero, as per the MM specification.
Fix a few typos in comments and use the "secure partition" terminology
rather than "secure payload".
Change-Id: Ice6b7b5494b729dd44611f9a93d362c55ab244f7
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
A new platform define, `PLAT_SP_IMAGE_XLAT_SECTION_NAME`, has been
introduced to select the section where the translation tables used by
the S-EL1/S-EL0 are placed.
This define has been used to move the translation tables to DRAM secured
by TrustZone.
Most of the extra needed space in BL31 when SPM is enabled is due to the
large size of the translation tables. By moving them to this memory
region we can save 44 KiB.
A new argument has been added to REGISTER_XLAT_CONTEXT2() to specify the
region where the translation tables have to be placed by the linker.
Change-Id: Ia81709b4227cb8c92601f0caf258f624c0467719
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Common code mustn't include ARM platforms headers.
Change-Id: Ib6e4f5a77c2d095e6e8c3ad89c89cb1959cd3043
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
At present, both SDEI_PRIVATE_RESET and SDEI_SHARED_RESET returns
SDEI_PENDING if they fail to unregister an event. The SDEI specification
however requires that the APIs return SDEI_EDENY in these cases. This
patch fixes the return codes for the reset APIs.
Change-Id: Ic14484c91fa8396910387196c256d1ff13d03afd
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
The defines have been renamed to match the names used in the
documentation.
Change-Id: I2f18b65112d2db040a89d5a8522e9790c3e21628
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
The SDEI specification requires that binding a client interrupt
dispatches SDEI Normal priority event. This means that dynamic events
can't have Critical priority. Add asserts for this.
Change-Id: I0bdd9e0e642fb2b61810cb9f4cbfbd35bba521d1
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
The parameters passed to the Secure world from the Secure Partition
Manager when invoking SP_COMMUNICATE_AARCH32/64 were incorrect, as well
as the checks done on them.
Change-Id: I26e8c80cad0b83437db7aaada3d0d9add1c53a78
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
The code was incorrectly reading from ID_AA64PRF0_EL1 instead of
ID_AA64MMFR0_EL1 causing the supported granularity sizes returned by the
code to be wrong.
This wasn't causing any problem because it's just used to check the
alignment of the base of the buffer shared between Non-secure and Secure
worlds, and it was aligned to more than 64 KiB, which is the maximum
granularity supported by the architecture.
Change-Id: Icc0d949d9521cc0ef13afb753825c475ea62d462
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
This allows for other EL3 components to schedule an SDEI event dispatch
to Normal world upon the next ERET. The API usage constrains are set out
in the SDEI dispatcher documentation.
Documentation to follow.
Change-Id: Id534bae0fd85afc94523490098c81f85c4e8f019
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
The implementation currently supports only interrupt-based SDEI events,
and supports all interfaces as defined by SDEI specification version
1.0 [1].
Introduce the build option SDEI_SUPPORT to include SDEI dispatcher in
BL31.
Update user guide and porting guide. SDEI documentation to follow.
[1] http://infocenter.arm.com/help/topic/com.arm.doc.den0054a/ARM_DEN0054A_Software_Delegated_Exception_Interface.pdf
Change-Id: I758b733084e4ea3b27ac77d0259705565842241a
Co-authored-by: Yousuf A <yousuf.sait@arm.com>
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
The MP info struct is placed right after the boot info struct. However,
when calculating the address of the MP info, the size of the boot info
struct was being multiplied by the size of the MP boot info. This left
a big gap of empty space between the structs.
This didn't break any code because the boot info struct has a pointer to
the MP info struct. It was just wasting space.
Change-Id: I1668e3540d9173261968f6740623549000bd48db
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
A Secure Partition is a software execution environment instantiated in
S-EL0 that can be used to implement simple management and security
services. Since S-EL0 is an unprivileged exception level, a Secure
Partition relies on privileged firmware e.g. ARM Trusted Firmware to be
granted access to system and processor resources. Essentially, it is a
software sandbox that runs under the control of privileged software in
the Secure World and accesses the following system resources:
- Memory and device regions in the system address map.
- PE system registers.
- A range of asynchronous exceptions e.g. interrupts.
- A range of synchronous exceptions e.g. SMC function identifiers.
A Secure Partition enables privileged firmware to implement only the
absolutely essential secure services in EL3 and instantiate the rest in
a partition. Since the partition executes in S-EL0, its implementation
cannot be overly complex.
The component in ARM Trusted Firmware responsible for managing a Secure
Partition is called the Secure Partition Manager (SPM). The SPM is
responsible for the following:
- Validating and allocating resources requested by a Secure Partition.
- Implementing a well defined interface that is used for initialising a
Secure Partition.
- Implementing a well defined interface that is used by the normal world
and other secure services for accessing the services exported by a
Secure Partition.
- Implementing a well defined interface that is used by a Secure
Partition to fulfil service requests.
- Instantiating the software execution environment required by a Secure
Partition to fulfil a service request.
Change-Id: I6f7862d6bba8732db5b73f54e789d717a35e802f
Co-authored-by: Douglas Raillard <douglas.raillard@arm.com>
Co-authored-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
Co-authored-by: Achin Gupta <achin.gupta@arm.com>
Co-authored-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
A line in the upstream SPDs is only compiled in in `DEBUG` builds. This
line is used to help with assertions and so assertion failures can
happen in release builds with assertions enabled. Use
`ENABLE_ASSERTIONS` instead of `DEBUG`.
This bug was introduced in commit aa61368eb5, which introduced the build
option `ENABLE_ASSERTIONS`.
Change-Id: I7977df9c89c68677b00099b2a1926fa3cb0937c6
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Currently, Trusty OS/LK implemented FPU context switch in internal
thread switch but does not implement the proper mechanism for world
switch. This commit just simply saves/restores FPU registes in world
switch to prevent FPU context from being currupted when Trusty OS uses
VFP in its applications.
It should be noted that the macro *CTX_INCLUDE_FPREGS* must be defined
in trusty.mk if Trusty OS uses VFP
Signed-off-by: Aijun Sun <aijun.sun@spreadtrum.com>
Pass device tree pointer to OP-TEE in x2. bl2 is expected to fill in the
device tree pointer in args.arg3. Passing 0 means that device tree is
unavailable.
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
ARM TF need transfer information about pageable image load address
and memory limit to OPTEE. OPTEE will relocate the pageable image
to where it's needed.
The legacy OP-TEE images that do not include header information
are not affected.
Change-Id: Id057efbbc894de7c36b2209b391febea4729c455
Signed-off-by: Edison Ai <edison.ai@arm.com>
This fix modifies the order of system includes to meet the ARM TF coding
standard. There are some exceptions in order to retain header groupings,
minimise changes to imported headers, and where there are headers within
the #if and #ifndef statements.
Change-Id: I65085a142ba6a83792b26efb47df1329153f1624
Signed-off-by: Isla Mitchell <isla.mitchell@arm.com>
This patch enables the 'sign-compare' flag, to enable warning/errors
for comparisons between signed/unsigned variables. The warning has
been enabled for all the Tegra platforms, to start with.
Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>
Since Issue B (November 2016) of the SMC Calling Convention document
standard SMC calls are renamed to yielding SMC calls to help avoid
confusion with the standard service SMC range, which remains unchanged.
http://infocenter.arm.com/help/topic/com.arm.doc.den0028b/ARM_DEN0028B_SMC_Calling_Convention.pd
A previous patch introduced a new define for yielding SMC call type.
This patch updates the secure payload dispatchers (except the TSPD) to
use this new define and also migrates the code to use the new
terminology.
Change-Id: I3d2437c04e3b21fdbd32019f55c066c87679a5bf
Signed-off-by: David Cunado <david.cunado@arm.com>
To make software license auditing simpler, use SPDX[0] license
identifiers instead of duplicating the license text in every file.
NOTE: Files that have been imported by FreeBSD have not been modified.
[0]: https://spdx.org/
Change-Id: I80a00e1f641b8cc075ca5a95b10607ed9ed8761a
Signed-off-by: dp-arm <dimitris.papastamos@arm.com>
Since Issue B (November 2016) of the SMC Calling Convention document
standard SMC calls are renamed to yielding SMC calls to help avoid
confusion with the standard service SMC range, which remains unchanged.
http://infocenter.arm.com/help/topic/com.arm.doc.den0028b/ARM_DEN0028B_SMC_Calling_Convention.pdf
This patch adds a new define for yielding SMC call type and deprecates
the current standard SMC call type. The tsp is migrated to use this new
terminology and, additionally, the documentation and code comments are
updated to use this new terminology.
Change-Id: I0d7cc0224667ee6c050af976745f18c55906a793
Signed-off-by: David Cunado <david.cunado@arm.com>
SMC_RET0 should only be used when the SMC code works as a function that
returns void. If the code of the SMC uses SMC_RET1 to return a value to
signify success and doesn't return anything in case of an error (or the
other way around) SMC_RET1 should always be used to return clearly
identifiable values.
This patch fixes two cases in which the code used SMC_RET0 instead of
SMC_RET1.
It also introduces the define SMC_OK to use when an SMC must return a
value to tell that it succeeded, the same way as SMC_UNK is used in case
of failure.
Change-Id: Ie4278b51559e4262aced13bbde4e844023270582
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
This patch removes support for running Trusty in the AARCH32 mode as
all platforms use it in only AARCH64 mode.
Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>
This patch uses the stack end to start saving the CPU context
during world switch. The previous logic, used the stack start
to save the context, thus overwriting the other members of the
context.
Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>
If Trusty is not running on the device, then Verified Boot is
not supported and the NS layer will fail gracefully later during
boot. This patch just returns success for the case when Trusty is
not running on the device and the bootloader issues SET_ROT_PARAMS
call during boot, so that we can at least boot non-Android images.
Change-Id: I40fc249983df80fb8cc5be5e4ce94c99d5b5f17d
Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>
This patch checks if standard SMC calls, meant for TLK, are issued
only on the boot CPU. TLK is UP Trusted OS stack and so we need this
check to avoid the NS world calling into TLK from any other CPU.
The previous check tied TLK to CPU0, but the boot CPU can be other
than CPU0 in some scenarios.
Change-Id: I75eaafa32471ce19e9920433c2f97b6b5fc02d86
Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>
Paul Beesley
Justin Chadwell
Sumit Garg
Julius Werner
John Tsichritzis
Ambroise Vincent
Antonio Nino Diaz
Dimitris Papastamos
Varun Wadekar
Stephen Wolfe
Mihir Joshi
David Lin
Anthony Zhou
Soby Mathew
Ard Biesheuvel
Jeenu Viswambharan
Sughosh Ganu
Daniel Boulby
Jorge Ramirez-Ortiz
Sandrine Bailleux
danh-arm
Roberto Vargas
Masahiro Yamada
Joel Hutton
Jonathan Wright
davidcunado-arm
Arve Hjønnevåg
Aijun Sun
Jens Wiklander
Edison Ai
Isla Mitchell