The value used to signal failure is 0. It is needed to return a different
value on success.
Change-Id: I2186aa7dfbfc825bfe7b3d5ae3c4de7af10ee44f
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Since commit 031dbb1224 ("AArch32: Add essential Arch helpers"),
it is difficult to use consistent format strings for printf() family
between aarch32 and aarch64.
For example, uint64_t is defined as 'unsigned long long' for aarch32
and as 'unsigned long' for aarch64. Likewise, uintptr_t is defined
as 'unsigned int' for aarch32, and as 'unsigned long' for aarch64.
A problem typically arises when you use printf() in common code.
One solution could be, to cast the arguments to a type long enough
for both architectures. For example, if 'val' is uint64_t type,
like this:
printf("val = %llx\n", (unsigned long long)val);
Or, somebody may suggest to use a macro provided by <inttypes.h>,
like this:
printf("val = %" PRIx64 "\n", val);
But, both would make the code ugly.
The solution adopted in Linux kernel is to use the same typedefs for
all architectures. The fixed integer types in the kernel-space have
been unified into int-ll64, like follows:
typedef signed char int8_t;
typedef unsigned char uint8_t;
typedef signed short int16_t;
typedef unsigned short uint16_t;
typedef signed int int32_t;
typedef unsigned int uint32_t;
typedef signed long long int64_t;
typedef unsigned long long uint64_t;
[ Linux commit: 0c79a8e29b5fcbcbfd611daf9d500cfad8370fcf ]
This gets along with the codebase shared between 32 bit and 64 bit,
with the data model called ILP32, LP64, respectively.
The width for primitive types is defined as follows:
ILP32 LP64
int 32 32
long 32 64
long long 64 64
pointer 32 64
'long long' is 64 bit for both, so it is used for defining uint64_t.
'long' has the same width as pointer, so for uintptr_t.
We still need an ifdef conditional for (s)size_t.
All 64 bit architectures use "unsigned long" size_t, and most 32 bit
architectures use "unsigned int" size_t. H8/300, S/390 are known as
exceptions; they use "unsigned long" size_t despite their architecture
is 32 bit.
One idea for simplification might be to define size_t as 'unsigned long'
across architectures, then forbid the use of "%z" string format.
However, this would cause a distortion between size_t and sizeof()
operator. We have unknowledge about the native type of sizeof(), so
we need a guess of it anyway. I want the following formula to always
return 1:
__builtin_types_compatible_p(size_t, typeof(sizeof(int)))
Fortunately, ARM is probably a majority case. As far as I know, all
32 bit ARM compilers use "unsigned int" size_t.
Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
Commit 4c0d039076 ("Rework type usage in Trusted Firmware") changed
the type usage in struct declarations, but did not touch the definition
side. Fix the type mismatch.
Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
This patch fixes the sanity check on the non-secure entrypoint value
returned by bl31_plat_get_next_image_ep_info(). This issue has been
reported by Coverity Scan Online:
CID 264893 (#1 of 1): Dereference null return value (NULL_RETURNS)
Dereferencing a null pointer ns_ep_info.
Change-Id: Ia0f64d8c8b005f042608f1422ecbd42bc90b2fb4
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
Add off/on argument to SMC_FC_CPU_SUSPEND SMC_FC_CPU_RESUME and pass
1 when called from the cpu on/off hooks.
Change-Id: Ie233c446fd38b3ff8546e445a8d86a15d2816093
Signed-off-by: Arve Hjønnevåg <arve@android.com>
The secure physical timer is inacessible from 32-bit S-EL1 (when EL3
is 64-bit) so trusty will use the non-secure physical timer in this
case. Linux will use the virtual timer instead of the physical timer
when started in EL1.
Change-Id: Ie49348d9a27e5287676dd4a77f678ecbd6c2309f
Signed-off-by: Arve Hjønnevåg <arve@android.com>
The original patch has been partly merged. This adds the missing
pieces.
Change-Id: I77fd434feab396ff05d9b8e0c1761e4dd588a701
Signed-off-by: Arve Hjønnevåg <arve@android.com>
Currently, Trusty OS/LK implemented FPU context switch in internal
thread switch but does not implement the proper mechanism for world
switch. This commit just simply saves/restores FPU registes in world
switch to prevent FPU context from being currupted when Trusty OS uses
VFP in its applications.
It should be noted that the macro *CTX_INCLUDE_FPREGS* must be defined
in trusty.mk if Trusty OS uses VFP
Signed-off-by: Aijun Sun <aijun.sun@spreadtrum.com>
This fix modifies the order of system includes to meet the ARM TF coding
standard. There are some exceptions in order to retain header groupings,
minimise changes to imported headers, and where there are headers within
the #if and #ifndef statements.
Change-Id: I65085a142ba6a83792b26efb47df1329153f1624
Signed-off-by: Isla Mitchell <isla.mitchell@arm.com>
Since Issue B (November 2016) of the SMC Calling Convention document
standard SMC calls are renamed to yielding SMC calls to help avoid
confusion with the standard service SMC range, which remains unchanged.
http://infocenter.arm.com/help/topic/com.arm.doc.den0028b/ARM_DEN0028B_SMC_Calling_Convention.pd
A previous patch introduced a new define for yielding SMC call type.
This patch updates the secure payload dispatchers (except the TSPD) to
use this new define and also migrates the code to use the new
terminology.
Change-Id: I3d2437c04e3b21fdbd32019f55c066c87679a5bf
Signed-off-by: David Cunado <david.cunado@arm.com>
To make software license auditing simpler, use SPDX[0] license
identifiers instead of duplicating the license text in every file.
NOTE: Files that have been imported by FreeBSD have not been modified.
[0]: https://spdx.org/
Change-Id: I80a00e1f641b8cc075ca5a95b10607ed9ed8761a
Signed-off-by: dp-arm <dimitris.papastamos@arm.com>
This patch removes support for running Trusty in the AARCH32 mode as
all platforms use it in only AARCH64 mode.
Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>
This patch uses the stack end to start saving the CPU context
during world switch. The previous logic, used the stack start
to save the context, thus overwriting the other members of the
context.
Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>
If Trusty is not running on the device, then Verified Boot is
not supported and the NS layer will fail gracefully later during
boot. This patch just returns success for the case when Trusty is
not running on the device and the bootloader issues SET_ROT_PARAMS
call during boot, so that we can at least boot non-Android images.
Change-Id: I40fc249983df80fb8cc5be5e4ce94c99d5b5f17d
Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>
This patch passes the boot parameters, provided by the previous
bootloader, to the Trusted OS via X0, X1 and X2.
Original change by: Wayne Lin <wlin@nvidia.com>
Change-Id: I2039612a8a8226158babfd505ce8c31c4212319c
Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>
In multi-guest trusty environment, all guest's SMCs will be
forwarded to Trusty. This change only allows 1 guest's SMC
to be forwarded at a time and returns 'busy' status to all
other requests.
Change-Id: I2144467d11e3680e28ec816adeec2766bca114d4
Signed-off-by: Anthony Zhou <anzhou@nvidia.com>
Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>
According to the ARM DEN0028A spec, hypervisor ID(VMID) should be stored
in x7 (or w7). This patch gets this value from the context and passes it
to Trusty. In order to do so, introduce new macros to pass five to eight
parameters to the Trusted OS.
Change-Id: I101cf45d0712e1e880466b2274f9a48af755c9fa
Signed-off-by: Anthony Zhou <anzhou@nvidia.com>
Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>
This patch uses the OEN_TAP_START aperture for all the standard
calls being passed to Trusty.
Change-Id: Id78d01c7f48e4f54855600d7c789ffbfb898c541
Signed-off-by: Amith <aramachan@nvidia.com>
Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>
Add a debug assertion in the initialization function of Trusty's SPD
to check for the presence of Trusty. If Trusty is absent then the SPD's
setup function already detects it and returns an error code so the init
function will never been called. Therefore, a debug assertion is enough
to catch this improbable error case.
Change-Id: Id20013e9291cdeef7827b919de2a22455f6cd9f9
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
This patch fixes the following coding style error reported
by the checkpatch.pl script:
Bad function definition - void el3_exit() should probably
be void el3_exit(void)
There is another one but it's a false positive so there's no
point in fixing it:
space prohibited after that '&' (ctx:WxW)
+#define SMC_NR(entity, fn, fastcall, smc64) ((((fastcall) & 0x1) << 31) | \
^
Change-Id: I34de0337c7216dabd16395879f13845a60ee6df0
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
In release builds, the Trusty SPD fails to build because of an unused
variable. Note that this warning message doesn't show in debug builds
because INFO() messages are not compiled out like in release mode.
This patch fixes this issue by removing this variable and using its
value in place directly in the INFO() macro call.
Change-Id: I1f552421181a09412315eef4eaca586012022018
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
This patch adds the secure payload dispatcher for interacting
with Google's Trusty TEE. Documentation for Trusty can be found
at https://source.android.com/security/trusty
Original authors:
-----------------
* Arve Hjønnevåg <arve@android.com>
* Michael Ryleev <gmar@google.com>
Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>
Antonio Nino Diaz
Masahiro Yamada
Sandrine Bailleux
Arve Hjønnevåg
Aijun Sun
Isla Mitchell
David Cunado
dp-arm
Varun Wadekar
Wayne Lin
Anthony Zhou
Amith