On ARM platforms, the maximum size of the address space is limited
to 32-bits as defined in arm_def.h. In order to access DRAM2, which
is defined beyond the 32-bit address space, the maximum address space
is increased to 36-bits in AArch64. It is possible to increase the
virtual space for AArch32, but it is more difficult and not supported
for now.
NOTE - the actual maximum memory address space is platform dependent
and is checked at run-time by querying the PARange field in the
ID_AA64MMFR0_EL1 register.
Change-Id: I6cb05c78a63b1fed96db9a9773faca04a5b93d67
Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
mem_protect needs some kind of non-volatile memory because it has
to remember its state across reset and power down events.
The most suitable electronic part for this feature is a NVRAM
which should be only accesible from the secure world. Juno and
FVP lack such hardware and for this reason the MEM_PROTECT
functionality is implemented with Flash EEPROM memory on both
boards, even though this memory is accesible from the non-secure
world. This is done only to show a full implementation of
these PSCI features, but an actual system shouldn't use a
non-secure NVRAM to implement it.
The EL3 runtime software will write the mem_protect flag and BL2
will read and clear the memory ranges if enabled. It is done in
BL2 because it reduces the time that TF needs access to the full
non-secure memory.
The memory layout of both boards is defined using macros which
take different values in Juno and FVP platforms. Generic platform
helpers are added that use the platform specific macros to generate
a mem_region_t that is valid for the platform.
Change-Id: I2c6818ac091a2966fa07a52c5ddf8f6fde4941e9
Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
This patch does the required changes to enable CSS platforms
to build and use the SDS framework. Since SDS is always coupled with
SCMI protocol, the preexisting SCMI build flag is now renamed to
`CSS_USE_SCMI_SDS_DRIVER` which will enable both SCMI and SDS on
CSS platforms. Also some of the workarounds applied for SCMI are
now removed with SDS in place.
Change-Id: I94e8b93f05e3fe95e475c5501c25bec052588a9c
Signed-off-by: Soby Mathew <soby.mathew@arm.com>
The `KEY_ALG` variable is used to select the algorithm for key
generation by `cert_create` tool for signing the certificates. This
variable was previously undocumented and did not have a global default
value. This patch corrects this and also adds changes to derive the
value of `TF_MBEDTLS_KEY_ALG` based on `KEY_ALG` if it not set by the
platform. The corresponding assignment of these variables are also now
removed from the `arm_common.mk` makefile.
Signed-off-by: Soby Mathew <soby.mathew@arm.com>
Change-Id: I78e2d6f4fc04ed5ad35ce2266118afb63127a5a4
Trusted OS may have extra images to be loaded. Load them one by one
and do the parsing. In this patch, ARM TF need to load up to 3 images
for optee os: header, pager and paged images. Header image is the info
about optee os and images. Pager image include pager code and data.
Paged image include the paging parts using virtual memory.
Change-Id: Ia3bcfa6d8a3ed7850deb5729654daca7b00be394
Signed-off-by: Summer Qin <summer.qin@arm.com>
Since Trusted OS firmware may have extra images, need to
assign new uuid and image id for them.
The TBBR chain of trust has been extended to add support
for the new images within the existing Trusted OS firmware
content certificate.
Change-Id: I678dac7ba1137e85c5779b05e0c4331134c10e06
Signed-off-by: Summer Qin <summer.qin@arm.com>
ARM CPUs with multi-threading implementation has more than one
Processing Element in a single physical CPU. Such an implementation will
reflect the following changes in the MPIDR register:
- The MT bit set;
- Affinity levels pertaining to cluster and CPUs occupy one level
higher than in a single-threaded implementation, and the lowest
affinity level pertains to hardware threads. MPIDR affinity level
fields essentially appear shifted to left than otherwise.
The FVP port henceforth assumes that both properties above to be
concomitant on a given FVP platform.
To accommodate for varied MPIDR formats at run time, this patch
re-implements the FVP platform-specific functions that translates MPIDR
values to a linear indices, along with required validation. The same
treatment is applied for GICv3 MPIDR hashing function as well.
An FVP-specific build option FVP_MAX_PE_PER_CPU is introduced which
specifies the maximum number of threads implemented per CPU. For
backwards compatibility, its value defaults to 1.
Change-Id: I729b00d3e121d16ce9a03de4f9db36dfac580e3f
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
This fix modifies the order of #includes in ARM standard platforms
to meet the ARM TF coding standard.
Change-Id: Ide19aad6233babda4eea2d17d49e523645fed1b2
Signed-off-by: Isla Mitchell <isla.mitchell@arm.com>
This patch makes the necessary changes to enable ARM platform to
successfully integrate CryptoCell during Trusted Board Boot. The
changes are as follows:
* A new build option `ARM_CRYPTOCELL_INTEG` is introduced to select
the CryptoCell crypto driver for Trusted Board boot.
* The TrustZone filter settings for Non Secure DRAM is modified
to allow CryptoCell to read this memory. This is required to
authenticate BL33 which is loaded into the Non Secure DDR.
* The CSS platforms are modified to use coherent stacks in BL1 and BL2
when CryptoCell crypto is selected. This is because CryptoCell makes
use of DMA to transfer data and the CryptoCell SBROM library allocates
buffers on the stack during signature/hash verification.
Change-Id: I1e6f6dcd1899784f1edeabfa2a9f279bbfb90e31
Signed-off-by: Soby Mathew <soby.mathew@arm.com>
SPE is only supported in non-secure state. Accesses to SPE specific
registers from SEL1 will trap to EL3. During a world switch, before
`TTBR` is modified the SPE profiling buffers are drained. This is to
avoid a potential invalid memory access in SEL1.
SPE is architecturally specified only for AArch64.
Change-Id: I04a96427d9f9d586c331913d815fdc726855f6b0
Signed-off-by: dp-arm <dimitris.papastamos@arm.com>
On ARM platforms before exiting from SP_MIN ensure that
the default console is switched to the runtime serial port.
Change-Id: I0ca0d42cc47e345d56179eac16aa3d6712767c9b
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>
Since ARM_DRAM2_BASE is above the 32-bit limit, the condition
is always false. Wrap this condition in an ifndef to avoid
warnings during compilation.
Change-Id: Ideabb6c65de6c62474ed03eb29df4b049d5316be
Signed-off-by: dp-arm <dimitris.papastamos@arm.com>
This options enables an implementation of SHA-256 that has a smaller
code footprint (~1.6 KB less) but is also ~30% slower. For ARM
platforms, code size is currently considered more important than
execution speed in the mbed TLS crypto module.
Added a small note about this option to the documentation of the
authentication framework.
Change-Id: I4c0b221ea5d3466465261316ba07b627fa01b233
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
The header tbbr_oid.h contains OIDs obtained by ARM Ltd.
so there is no good reason to use platform_oid.h
Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
Add support for firmware upgrade on AArch32.
This patch has been tested on the FVP models.
NOTE: Firmware upgrade on Juno AArch32 is not currently supported.
Change-Id: I1ca8078214eaf86b46463edd14740120af930aec
Signed-off-by: dp-arm <dimitris.papastamos@arm.com>
Co-Authored-By: Yatharth Kochar <yatharth.kochar@arm.com>
A previous patch superseded the MBEDTLS_KEY_ALG. This patch updates
the ARM platforms to use the new TF_MBEDTLS_KEY_ALG define.
Change-Id: Ie0e1bc272e127e879ac58e7cfcbe268751d7688e
Signed-off-by: David Cunado <david.cunado@arm.com>
A new file added as part of arm-trusted-firmware#927 was missing the
SPDX license identifier - this patch adds the missing identifier.
Change-Id: Id1355f2bdca930b7e65bb54eff7e6c764ebb0d96
Signed-off-by: David Cunado <david.cunado@arm.com>
In AArch64, privileged exception levels control the execution state
(a.k.a. register width) of the immediate lower Exception Level; i.e.
whether the lower exception level executes in AArch64 or AArch32 state.
For an exception level to have its execution state changed at run time,
it must request the change by raising a synchronous exception to the
higher exception level.
This patch implements and adds such a provision to the ARM SiP service,
by which an immediate lower exception level can request to switch its
execution state. The execution state is switched if the request is:
- raised from non-secure world;
- raised on the primary CPU, before any secondaries are brought online
with CPU_ON PSCI call;
- raised from an exception level immediately below EL3: EL2, if
implemented; otherwise NS EL1.
If successful, the SMC doesn't return to the caller, but to the entry
point supplied with the call. Otherwise, the caller will observe the SMC
returning with STATE_SW_E_DENIED code. If ARM Trusted Firmware is built
for AArch32, the feature is not supported, and the call will always
fail.
For the ARM SiP service:
- Add SMC function IDs for both AArch32 and AArch64;
- Increment the SiP service minor version to 2;
- Adjust the number of supported SiP service calls.
Add documentation for ARM SiP service.
FixesARM-software/tf-issues#436
Change-Id: I4347f2d6232e69fbfbe333b340fcd0caed0a4cea
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
To make software license auditing simpler, use SPDX[0] license
identifiers instead of duplicating the license text in every file.
NOTE: Files that have been imported by FreeBSD have not been modified.
[0]: https://spdx.org/
Change-Id: I80a00e1f641b8cc075ca5a95b10607ed9ed8761a
Signed-off-by: dp-arm <dimitris.papastamos@arm.com>
Replace all instances of checks with the new macro.
Change-Id: I0eec39b9376475a1a9707a3115de9d36f88f8a2a
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
Following steps are required to boot JUNO in AArch32 state:
1> BL1, in AArch64 state, loads BL2.
2> BL2, in AArch64 state, initializes DDR.
Loads SP_MIN & BL33 (AArch32 executable)images.
Calls RUN_IMAGE SMC to go back to BL1.
3> BL1 writes AArch32 executable opcodes, to load and branch
at the entrypoint address of SP_MIN, at HI-VECTOR address and
then request for warm reset in AArch32 state using RMR_EL3.
This patch makes following changes to facilitate above steps:
* Added assembly function to carry out step 3 above.
* Added region in TZC that enables Secure access to the
HI-VECTOR(0xFFFF0000) address space.
* AArch32 image descriptor is used, in BL2, to load
SP_MIN and BL33 AArch32 executable images.
A new flag `JUNO_AARCH32_EL3_RUNTIME` is introduced that
controls above changes. By default this flag is disabled.
NOTE: BL1 and BL2 are not supported in AArch32 state for JUNO.
Change-Id: I091d56a0e6d36663e6d9d2bb53c92c672195d1ec
Signed-off-by: Yatharth Kochar <yatharth.kochar@arm.com>
Signed-off-by: dp-arm <dimitris.papastamos@arm.com>
ARM platforms have migrated to the translation tables library v2.
However, for testing purposes, it can be useful to temporarily switch
back to the old version.
This patch introduces the option `ARM_XLAT_TABLES_LIB_V1`, that switches
to v1 of the library when is set to 1. By default, it is 0, so that ARM
platforms use the new version unless specifically stated.
Updated User Guide.
Change-Id: I53d3c8dd97706f6af9c6fca0364a88ef341efd31
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
This API makes sure that all the characters sent to the crash console
are output before returning from it.
Porting guide updated.
Change-Id: I1785f970a40f6aacfbe592b6a911b1f249bb2735
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
This patch modifies some of the functions in ARM platform layer to cater
for the case when multi-threading `MT` is set in MPIDR. A new build flag
`ARM_PLAT_MT` is added, and when enabled, the functions accessing MPIDR
now assume that the `MT` bit is set for the platform and access the bit
fields accordingly.
Also, a new API plat_arm_get_cpu_pe_count is added when `ARM_PLAT_MT` is
enabled, returning the PE count within the physical cpu corresponding to
`mpidr`.
Change-Id: I04ccf212ac3054a60882761f4087bae299af13cb
Signed-off-by: Summer Qin <summer.qin@arm.com>
These source file definitions should be defined in generic
Makefiles so that all platforms can benefit. Ensure that the
symbols are properly marked as weak so they can be overridden
by platforms.
NOTE: This change is a potential compatibility break for
non-upstream platforms.
Change-Id: I7b892efa9f2d6d216931360dc6c436e1d10cffed
Signed-off-by: dp-arm <dimitris.papastamos@arm.com>
Modify ARM common makefile to use version 2 of the translation tables
library and include the new header in C files.
Simplify header dependencies related to this library to simplify the
change.
The following table contains information about the size increase in
bytes for BL1 after applying this patch. The code has been compiled for
different configurations of FVP in AArch64 mode with compiler GCC 4.9.3
20150413. The sizes have been calculated with the output of `nm` by
adding the size of all regions and comparing the total size before and
after the change. They are sumarized in the table below:
text bss data total
Release +660 -20 +88 +728
Debug +740 -20 +242 +962
Debug (LOG_LEVEL=50) +1120 -20 +317 +1417
Change-Id: I539e307f158ab71e3a8b771640001fc1bf431b29
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
This patch introduces the following three platform interfaces:
* void plat_psci_stat_accounting_start(const psci_power_state_t *state_info)
This is an optional hook that platforms can implement in order
to perform accounting before entering a low power state. This
typically involves capturing a timestamp.
* void plat_psci_stat_accounting_stop(const psci_power_state_t *state_info)
This is an optional hook that platforms can implement in order
to perform accounting after exiting from a low power state. This
typically involves capturing a timestamp.
* u_register_t plat_psci_stat_get_residency(unsigned int lvl,
const psci_power_state_t *state_info,
unsigned int last_cpu_index)
This is an optional hook that platforms can implement in order
to calculate the PSCI stat residency.
If any of these interfaces are overridden by the platform, it is
recommended that all of them are.
By default `ENABLE_PSCI_STAT` is disabled. If `ENABLE_PSCI_STAT`
is set but `ENABLE_PMF` is not set then an alternative PSCI stat
collection backend must be provided. If both are set, then default
weak definitions of these functions are provided, using PMF to
calculate the residency.
NOTE: Previously, platforms did not have to explicitly set
`ENABLE_PMF` since this was automatically done by the top-level
Makefile.
Change-Id: I17b47804dea68c77bc284df15ee1ccd66bc4b79b
Signed-off-by: dp-arm <dimitris.papastamos@arm.com>
Replace all use of memset by zeromem when zeroing moderately-sized
structure by applying the following transformation:
memset(x, 0, sizeof(x)) => zeromem(x, sizeof(x))
As the Trusted Firmware is compiled with -ffreestanding, it forbids the
compiler from using __builtin_memset and forces it to generate calls to
the slow memset implementation. Zeromem is a near drop in replacement
for this use case, with a more efficient implementation on both AArch32
and AArch64.
Change-Id: Ia7f3a90e888b96d056881be09f0b4d65b41aa79e
Signed-off-by: Douglas Raillard <douglas.raillard@arm.com>
One nasty part of ATF is some of boolean macros are always defined
as 1 or 0, and the rest of them are only defined under certain
conditions.
For the former group, "#if FOO" or "#if !FOO" must be used because
"#ifdef FOO" is always true. (Options passed by $(call add_define,)
are the cases.)
For the latter, "#ifdef FOO" or "#ifndef FOO" should be used because
checking the value of an undefined macro is strange.
For AARCH32/AARCH64, these macros are defined in the top-level
Makefile as follows:
ifeq (${ARCH},aarch32)
$(eval $(call add_define,AARCH32))
else
$(eval $(call add_define,AARCH64))
endif
This means only one of the two is defined. So, AARCH32/AARCH64
belongs to the latter group where we should use #ifdef or #ifndef.
The conditionals are mostly coded correctly, but I see some mistakes.
Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
One nasty part of ATF is some of boolean macros are always defined
as 1 or 0, and the rest of them are only defined under certain
conditions.
For the former group, "#if FOO" or "#if !FOO" must be used because
"#ifdef FOO" is always true. (Options passed by $(call add_define,)
are the cases.)
For the latter, "#ifdef FOO" or "#ifndef FOO" should be used because
checking the value of an undefined macro is strange.
Here, IMAGE_BL* is handled by make_helpers/build_macro.mk like
follows:
$(eval IMAGE := IMAGE_BL$(call uppercase,$(3)))
$(OBJ): $(2)
@echo " CC $$<"
$$(Q)$$(CC) $$(TF_CFLAGS) $$(CFLAGS) -D$(IMAGE) -c $$< -o $$@
This means, IMAGE_BL* is defined when building the corresponding
image, but *undefined* for the other images.
So, IMAGE_BL* belongs to the latter group where we should use #ifdef
or #ifndef.
Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
We have lots of duplicated defines (and comment blocks too).
Move them to include/plat/common/common_def.h.
While we are here, suffix the end address with _END instead of
_LIMIT. The _END is a better fit to indicate the linker-derived
real end address.
Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
The usage of _LIMIT seems odd here, so rename as follows:
BL_CODE_LIMIT --> BL_CODE_END
BL_RO_DATA_LIMIT --> BL_RO_DATA_END
BL1_CODE_LIMIT --> BL1_CODE_END
BL1_RO_DATA_LIMIT --> BL1_RO_DATA_END
Basically, we want to use _LIMIT and _END properly as follows:
*_SIZE + *_MAX_SIZE = *_LIMIT
*_SIZE + *_SIZE = *_END
The _LIMIT is generally defined by platform_def.h to indicate the
platform-dependent memory constraint. So, its typical usage is
ASSERT(. <= BL31_LIMIT, "BL31 image has exceeded its limit.")
in a linker script.
On the other hand, _END is used to indicate the end address of the
compiled image, i.e. we do not know it until the image is linked.
Here, all of these macros belong to the latter, so should be
suffixed with _END.
Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
Before adding a base address and a size to compute the end
address of an image to copy or authenticate, check this
won't result in an integer overflow. If it does then consider
the input arguments are invalid.
As a result, bl1_plat_mem_check() can now safely assume the
end address (computed as the sum of the base address and size
of the memory region) doesn't overflow, as the validation is
done upfront in bl1_fwu_image_copy/auth(). A debug assertion
has been added nonetheless in the ARM implementation in order
to help catching such problems, should bl1_plat_mem_check()
be called in a different context in the future.
Fixes TFV-1: Malformed Firmware Update SMC can result in copy
of unexpectedly large data into secure memory
Change-Id: I8b8f8dd4c8777705722c7bd0e8b57addcba07e25
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
Signed-off-by: Dan Handley <dan.handley@arm.com>
ASM_ASSERT failure and panic messages are suppressed at present. This
patch enables printing the PC location for panic messages, and file name
and line number upon assembly assert failure.
Change-Id: I80cb715988e7ce766f64da1e1d7065a74a096a0c
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
The previous code required that a certificate be signed with the ROT
key before the platform's NV counter could be updated with the value
in the certificate. This implies that the Non-Trusted NV counter was
not being updated for Non-Trusted content certificates, as they cannot
be signed with the ROT key in the TBBR CoT scheme.
The code is reworked to only allow updating the platform's Trusted NV
counter when a certificate protected by the Trusted NV counter is
signed with the ROT key.
Content certificates protected by the Non-Trusted NV counter are
allowed to update the platform's Non-Trusted NV counter, assuming
that the certificate value is higher than the platform's value.
A new optional platform API has been introduced, named
plat_set_nv_ctr2(). Platforms may choose to implement it and perform
additional checks based on the authentication image descriptor before
modifying the NV counters. A default weak implementation is available
that just calls into plat_set_nv_ctr().
FixesARM-software/tf-issues#426
Change-Id: I4fc978fd28a3007bc0cef972ff1f69ad0413b79c
Signed-off-by: dp-arm <dimitris.papastamos@arm.com>