This patch introduces Position Independant Executable(PIE) support
in TF-A. As a initial prototype, only BL31 can support PIE. A trivial
dynamic linker is implemented which supports fixing up Global Offset
Table(GOT) and Dynamic relocations(.rela.dyn). The fixup_gdt_reloc()
helper function implements this linker and this needs to be called
early in the boot sequence prior to invoking C functions. The GOT is
placed in the RO section of BL31 binary for improved security and the
BL31 linker script is modified to export the appropriate symbols
required for the dynamic linker.
The C compiler always generates PC relative addresses to linker symbols
and hence referencing symbols exporting constants are a problem when
relocating the binary. Hence the reference to the
`__PERCPU_TIMESTAMP_SIZE__` symbol in PMF is removed and is now calculated
at runtime based on start and end addresses.
Change-Id: I1228583ff92cf432963b7cef052e95d995cca93d
Signed-off-by: Soby Mathew <soby.mathew@arm.com>
Previously the errata reporting was optional for CPU operation
files and this was achieved by making use of weak reference to
resolve to 0 if the symbol is not defined. This is error prone
when adding new CPU operation files and weak references are
problematic when fixing up dynamic relocations. Hence this patch
removes the weak reference and makes it mandatory for the CPU
operation files to define the errata reporting function.
Change-Id: I8af192e19b85b7cd8c7579e52f8f05a4294e5396
Signed-off-by: Soby Mathew <soby.mathew@arm.com>
This patch fixes up the AArch64 assembly code to use
adrp/adr instructions instead of ldr instruction for
reference to symbols. This allows these assembly
sequences to be Position Independant. Note that the
the reference to sizes have been replaced with
calculation of size at runtime. This is because size
is a constant value and does not depend on execution
address and using PC relative instructions for loading
them makes them relative to execution address. Also
we cannot use `ldr` instruction to load size as it
generates a dynamic relocation entry which must *not*
be fixed up and it is difficult for a dynamic loader
to differentiate which entries need to be skipped.
Change-Id: I8bf4ed5c58a9703629e5498a27624500ef40a836
Signed-off-by: Soby Mathew <soby.mathew@arm.com>
There are several platforms using arm_setup_page_tables(), which is
supposed to be Arm platform only. This creates several dependency
problems between platforms.
This patch adds the definition XLAT_TABLES_LIB_V2 to the xlat tables lib
v2 makefile. This way it is possible to detect from C code which version
is being used and include the correct header.
The file arm_xlat_tables.h has been renamed to xlat_tables_compat.h and
moved to a common folder. This way, when in doubt, this header can be
used to guarantee compatibility, as it includes the correct header based
on XLAT_TABLES_LIB_V2.
This patch also removes the usage of ARM_XLAT_TABLES_V1 from QEMU (so
that is now locked in xlat lib v2) and ZynqMP (where it was added as a
workaround).
Change-Id: Ie1e22a23b44c549603d1402a237a70d0120d3e04
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
The current version of libfdt (1.4.2) has been modified to integrate it
in this repository. In order to do a clean import it is needed to remove
the current version first.
Change-Id: I2cab8c8e5632280d282fa7a2f2339768a0ad1e0f
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Imported from lib/libc/string/strrchr.c from commit:
59fd2fb98e4cc7e9bfc89598e28e21d405fd470c
Change-Id: I898206c6f0372d4d211c149ec0fb9522d0a5b01c
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Leave the caches on and explicitly flush any data that
may be stale when the core is powered down. This prevents
non-coherent interconnect access which has negative side-
effects on AM65x.
Signed-off-by: Andrew F. Davis <afd@ti.com>
Pointer authentication is an Armv8.3 feature that introduces
instructions that can be used to authenticate and verify pointers.
Pointer authentication instructions are allowed to be accessed from all
ELs but only when EL3 explicitly allows for it; otherwise, their usage
will trap to EL3. Since EL3 doesn't have trap handling in place, this
patch unconditionally disables all related traps to EL3 to avoid
potential misconfiguration leading to an unhandled EL3 exception.
FixesARM-software/tf-issues#629
Change-Id: I9bd2efe0dc714196f503713b721ffbf05672c14d
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
Some platforms can only resume from system suspend from the boot
CPU, hence they should only enter that state from that same core.
The following commit presents an interface that allows the platform to
reject system suspend entry near its very last stage (last CPU).
When a platform enables its caches before it accesses the
psci_non_cpu_pd_nodes structure then explicit cache maintenance
is not needed.
Signed-off-by: Andrew F. Davis <afd@ti.com>
The MMU is not disabled in this path, update the comment to
reflect this. Also clarify that both paths call prepare_cpu_pwr_dwn(),
but the second path does stack cache maintenance.
Signed-off-by: Andrew F. Davis <afd@ti.com>
Commit 79621f0038 broke sgi575.
It is possible to have a region with 0 as value for the attributes. It
means device memory, read only, secure, executable. This is legitimate
if the code is in flash and the code is executed from there.
This is the case for SGI_MAP_FLASH0_RO, defined in the file
plat/arm/css/sgi/sgi_plat.c.
This problem is solved by checking both size and attributes in xlat v1.
In xlat v2, it is enough to check the granularity, as it can never be 0.
Change-Id: I7be11f1b0e51c4c2ffd560b4a6cdfbf15de2c276
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Mark the xlat tables code only used in BL31 initialization as
__init to be reclaimed once no longer needed
Change-Id: I3106bfd994706a57c578624573bcfa525fbbd3c4
Signed-off-by: Daniel Boulby <daniel.boulby@arm.com>
Mark the initialization functions in BL31, such as context management,
EHF, RAS and PSCI as __init so that they can be reclaimed by the
platform when no longer needed
Change-Id: I7446aeee3dde8950b0f410cb766b7a2312c20130
Signed-off-by: Daniel Boulby <daniel.boulby@arm.com>
Depending on the build flags it is possible that some of the memory
regions mapped in page table setup could have a size of 0. In this
case we simply want to do nothing but still wish to map the other
regions in the array. Therefore we cannot only use size == 0 as
the termination logic for the loop.
Since an attributes field with value 0 means that the region is
device memory, read only, secure and executable. Device memory
can't be executable, so this combination should never be used
and it is safe to use as a terminator value.
Therefore by changing the termination logic to use attributes
instead of size we prevent terminating the loop when we don't
intend to.
Change-Id: I92fc7f689ab08543497be6be4896dace2ed7b66a
Signed-off-by: Daniel Boulby <daniel.boulby@arm.com>
Ensure case clauses:
* Terminate with an unconditional break, return or goto statement.
* Use conditional break, return or goto statements as long as the end
of the case clause is unreachable; such case clauses must terminate
with assert(0) /* Unreachable */ or an unconditional __dead2 function
call
* Only fallthough when doing otherwise would result in less
readable/maintainable code; such case clauses must terminate with a
/* Fallthrough */ comment to make it clear this is the case and
indicate that a fallthrough is intended.
This reduces the chance of bugs appearing due to unintended flow through a
switch statement
Change-Id: I70fc2d1f4fd679042397dec12fd1982976646168
Signed-off-by: Daniel Boulby <daniel.boulby@arm.com>
This patch fixes the name of the Cortex-ares errata function which was
previously named `cortex_a72_errata_report` which was an error.
Change-Id: Ia124df4628261021baa8d9a30308bc286d45712b
Signed-off-by: Soby Mathew <soby.mathew@arm.com>
With the current implementation, it's possible for a contender to
observe accesses in the Critical Section before acquiring or releasing
the lock. Insert fencing in the locking and release codes to prevent any
reorder.
FixesARM-software/tf-issues#609
Change-Id: I773b82aa41dd544a2d3dbacb9a4b42c9eb767bbb
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
For Denver CPUs, this approach enables the mitigation during EL3
initialization, following every PE reset. No mechanism is provided to
disable the mitigation at runtime.
This approach permanently mitigates the EL3 software stack only. Other
software components are responsible to enable it for their exception
levels.
TF-A implements this approach for the Denver CPUs with DENVER_MIDR_PN3
and earlier:
* By setting bit 11 (Disable speculative store buffering) of
`ACTLR_EL3`
* By setting bit 9 (Disable speculative memory disambiguation) of
`ACTLR_EL3`
TF-A implements this approach for the Denver CPUs with DENVER_MIDR_PN4
and later:
* By setting bit 18 (Disable speculative store buffering) of
`ACTLR_EL3`
* By setting bit 17 (Disable speculative memory disambiguation) of
`ACTLR_EL3`
Change-Id: If1de96605ce3f7b0aff5fab2c828e5aecb687555
Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>
Denver CPUs expect the power state field to be reset to 'C1'
during boot. This patch updates the reset handler to reset the
ACTLR_.PMSTATE field to 'C1' state during CPU boot.
Change-Id: I7cb629627a4dd1a30ec5cbb3a5e90055244fe30c
Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>
The current functions to disable and enable Dynamic Code Optimizer
(DCO) assume that all denver cores are in the same cluster. They
ignore AFF1 field of the mpidr_el1 register, which leads to
incorect logical core id calculation.
This patch calls the platform handler, plat_my_core_pos(), to get
the logical core id to disable/enable DCO for the core.
Original change by: Krishna Sitaraman <ksitaraman@nvidia.com>
Change-Id: I45fbd1f1eb032cc1db677a4fdecc554548b4a830
Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>
When any of these functions is called the backtrace will be printed to
the console.
Change-Id: Id60842df824b320c485a9323ed6b80600f4ebe35
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
This patch fixes a bug in the context management code that causes it to
ignore the HANDLE_EA_EL3_FIRST compile-time option and instead always
configure SCR_EL3 to force all external aborts to trap into EL3. The
code used #ifdef to read compile-time option declared with add_define in
the Makefile... however, those options are always defined, they're just
defined to either 0 or 1, so #if is the correct syntax to check for
them. Also update the documentation to match.
This bug has existed since the Nov 2017 commit 76454abf4 (AArch64:
Introduce External Abort handling), which changed the
HANDLE_EA_EL3_FIRST option to use add_define.
Change-Id: I7189f41d0daee78fa2fcf4066323e663e1e04d3d
Signed-off-by: Julius Werner <jwerner@chromium.org>
Updated optee_utils.c to fixARM-software/tf-issues#603 related to the
tee-validate-header bug.
Minor updates to the header valid checking logic. It would never make
sense to have less than 1 image to load so this is now checked.
Changed OPTEE_MAX_IMAGE_NUM to OPTEE_MAX_NUM_IMAGES to clarify its
definition. OPTEE_MAX_IMAGE_NUM sounds like an ID assigned to the last
image to load. OPTEE_MAX_NUM_IMAGES sounds like the maximum number of
images to load.
Signed-off-by: Nathan Menhorn <nathan.menhorn@xilinx.com>
The initial implementation was corrupting registers that it shouldn't.
Now this is fixed.
Change-Id: Iaa407c18e668b2d9381391bf10d6876fe936aded
Signed-off-by: John Tsichritzis <john.tsichritzis@arm.com>
armclang replaces calls to printf by calls to one of the symbols
__0printf, __1printf or __2printf. This patch adds new functions with
these names that internally call printf so that the Trusted Firmware can
be compiled with this compiler.
Change-Id: I06a0e3e5001232fe5b2577615666ddd66e81eef0
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
tf_printf and tf_snprintf are now called printf and snprintf, so the
code needs to be updated.
Change-Id: Iffeee97afcd6328c4c2d30830d4923b964682d71
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Change their names to printf and snprintf. They are much smaller than
the previous versions we had, which makes them better suited for the
Trusted Firmware.
Change-Id: Ia872af91b7b967c47fce012eccecede7873a3daf
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
The codebase was using non-standard headers. It is needed to replace
them by the correct ones so that we can use the new libc headers.
Change-Id: I530f71d9510cb036e69fe79823c8230afe890b9d
Acked-by: Sumit Garg <sumit.garg@linaro.org>
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Remove code specific to FreeBSD so that they can be used in this
repository.
Change-Id: I5c11eb5b3c05a7fb91aed08371a1f7a0e6122a94
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
The existing files had some style problems that this patch fixes.
Change-Id: I794e0d96e52f8da0ffa0d70a41f36c4432b4e563
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
They are too big for the Trusted Firmware, and it can be confusing to
have two versions of the same functions with different names. tf_printf
and tf_snprintf will replace them in the next patch.
Change-Id: I978414ac169cc3156e249549ef101a70eb31a295
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
sscanf() is unused and it doesn't work, so it doesn't make sense to
keep it.
timingsafe_bcmp() isn't used anywhere.
Change-Id: Ib5d28ff21d0f3ccc36c5c0fb5474b3384105cf80
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Remove all files that don't have only Arm copyright. This is the first
step to cleanup the C library in this repository. They will be re-added
in the following patches.
Change-Id: I72c40a1620d1df3228fc397ec695d569a20245fd
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
These changes address most of the required MISRA rules. In the process,
some from generic code is also fixed.
No functional changes.
Change-Id: I76cacf6e1d73b09510561b5090c2bb66d81bec88
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
Memory Partitioning And Monitoring is an Armv8.4 feature that enables
various memory system components and resources to define partitions.
Software running at various ELs can then assign themselves to the
desired partition to control their performance aspects.
With this patch, when ENABLE_MPAM_FOR_LOWER_ELS is set to 1, EL3 allows
lower ELs to access their own MPAM registers without trapping to EL3.
This patch however doesn't make use of partitioning in EL3; platform
initialisation code should configure and use partitions in EL3 if
required.
Change-Id: I5a55b6771ccaa0c1cffc05543d2116b60cbbcdcd
Co-authored-by: James Morse <james.morse@arm.com>
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
This patch uses the 'declare_cpu_ops_wa' macro, to set the check function,
to report that Denver cores are mitigated.
Denver cores are vulnerable to this anomaly and require the mitigation to
be enabled always.
Change-Id: I1bb6eefdec8c01fb8b645e112f8d04d4bb8811ef
Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>
If the system is in near idle conditions, this erratum could cause a
deadlock or data corruption. This patch applies the workaround that
prevents this.
This DSU erratum affects only the DSUs that contain the ACP interface
and it was fixed in r2p0. The workaround is applied only to the DSUs
that are actually affected.
Link to respective Arm documentation:
http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.epm138168/index.html
Change-Id: I033213b3077685130fc1e3f4f79c4d15d7483ec9
Signed-off-by: John Tsichritzis <john.tsichritzis@arm.com>
The translation library is useful elsewhere. Even though this repository
doesn't exercise the EL2 support of the library, it is better to have it
here as well to make it easier to maintain.
enable_mmu_secure() and enable_mmu_direct() have been deprecated. The
functions are still present, but they are behind ERROR_DEPRECATED and
they call the new functions enable_mmu_svc_mon() and
enable_mmu_direct_svc_mon().
Change-Id: I13ad10cd048d9cc2d55e0fff9a5133671b67dcba
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
During cold boot, the initial translation tables are created with data
caches disabled, so all modifications go to memory directly. After the
MMU is enabled and data cache is enabled, any modification to the tables
goes to data cache, and eventually may get flushed to memory.
If CPU0 modifies the tables while CPU1 is off, CPU0 will have the
modified tables in its data cache. When CPU1 is powered on, the MMU is
enabled, then it enables coherency, and then it enables the data cache.
Until this is done, CPU1 isn't in coherency, and the translation tables
it sees can be outdated if CPU0 still has some modified entries in its
data cache.
This can be a problem in some cases. For example, the warm boot code
uses only the tables mapped during cold boot, which don't normally
change. However, if they are modified (and a RO page is made RW, or a XN
page is made executable) the CPU will see the old attributes and crash
when it tries to access it.
This doesn't happen in systems with HW_ASSISTED_COHERENCY or
WARMBOOT_ENABLE_DCACHE_EARLY. In these systems, the data cache is
enabled at the same time as the MMU. As soon as this happens, the CPU is
in coherency.
There was an attempt of a fix in psci_helpers.S, but it didn't solve the
problem. That code has been deleted. The code was introduced in commit
<264410306381> ("Invalidate TLB entries during warm boot").
Now, during a map or unmap operation, the memory associated to each
modified table is flushed. Traversing a table will also flush it's
memory, as there is no way to tell in the current implementation if the
table that has been traversed has also been modified.
Change-Id: I4b520bca27502f1018878061bc5fb82af740bb92
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Changed the names for consistency with the rest of the library. Introduced
new helpers that manipulate the active translation tables context.
Change-Id: Icaca56b67fcf6a96e88aa3c7e47411162e8e6856
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Romlib is a new image that is stored in ROM and contains the code of
several libraries that can be shared between different images. All
the functions within in the library are accessed using a jump table
which allows to update the romlib image whithout changing the binary
compatibility. This jump table can be also stored in RAM and it can
allow to patch a romlib with potential bugs fixes..
Change-Id: If980ccdaca24b7aaca900e32acc68baf6f94ab35
Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
We had exit but we didn't have atexit, and we were calling panic and
tf_printf from exit, which generated a dependency from exit to them.
Having atexit allows to set a different function pointer in every image.
Change-Id: I95b9556d680d96249ed3b14da159b6f417da7661
Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
TF Makefile was linking all the objects files generated for the
c library instead of creating a static library that could be
used in the linking stage.
Change-Id: I721daea097e9b13cbb42c9f8eaa2af8fea0799cf
Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
TF Makefile was linking all the objects files generated for the
fdt library instead of creating a static library that could be
used in the linking stage.
Change-Id: If3705bba188ec39e1fbf2322a7f2a9a941e1b90d
Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
If either USE_COHERENT_MEM or HW_ASSISTED_COHERENCY being true
should cause us to not enter the ifdef block, then the logic
is not correct here. Posibly bad use of De Morgan's law?
Fix this.
Signed-off-by: Andrew F. Davis <afd@ti.com>
Add a null pointer check for the error record probe
function -- avoids a panic in case a platform has not defined it.
Change-Id: I1139fa0df33297a12ec16615cacd07540925f991
Signed-off-by: Sughosh Ganu <sughosh.ganu@arm.com>
This library can be used in other projects. All comments that talk about
the Trusted Firmware should be talking about the library itself.
Change-Id: I3b98d42f7132be72c1f8a4900acfaa78dbd2daa2
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
This allows other parts of the code to reuse it. No functional changes.
Change-Id: Ib052ae235c422d9179958bd3016c3e678779ae9b
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Most registers are 64-bit wide, even in AArch32 mode:
- MAIR_ELx is equivalent to MAIR0 and MAIR1.
- TTBR is 64 bit in both AArch64 and AArch32.
The only difference is the TCR register, which is 32 bit in AArch32 and
in EL3 in AArch64. For consistency with the rest of ELs in AArch64, it
makes sense to also have it as a 64-bit value.
Change-Id: I2274d66a28876702e7085df5f8aad0e7ec139da9
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
The Exception Level is now detected at runtime. This means that it is not
needed to hardcode the EL used by each image.
This doesn't result in a substantial increase of the image size because
the initialization functions that aren't used are garbage-collected by
the linker.
In AArch32 the current EL has been changed from EL3 to EL1 because the
the AArch32 PL1&0 translation regime behaves more like the AArch64 EL1&0
translation regime than the EL3 one.
Change-Id: I941404299ebe7666ca17619207c923b49a55cb73
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
xlat_arch_tlbi_va_regime() isn't used, so it has been renamed to
xlat_arch_tlbi_va() and the previous implementation has been removed.
Change-Id: Ic118bed3fb68234748d86b2e9e95b25650289276
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
They only contained one function that is easily integrated in the private
library header and the existing architectural C files.
This also helps making the library more portable, as the Makefile of the
library now doesn't use the variable INCLUDES, which is specific to this
codebase and doesn't respect the namespace of the library.
Change-Id: I22228e6a97e9b4f346f5cd8947609263e8df71d8
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Check_vector_size checks if the size of the vector fits
in the size reserved for it. This check creates problems in
the Clang assembler. A new macro, end_vector_entry, is added
and check_vector_size is deprecated.
This new macro fills the current exception vector until the next
exception vector. If the size of the current vector is bigger
than 32 instructions then it gives an error.
Change-Id: Ie8545cf1003a1e31656a1018dd6b4c28a4eaf671
Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
Rule 8.3: All declarations of an object or function shall
use the same names and type qualifiers.
Fixed for:
make DEBUG=1 PLAT=juno ARCH=aarch32 AARCH32_SP=sp_min RESET_TO_SP_MIN=1 JUNO_AARCH32_EL3_RUNTIME=1 bl32
Change-Id: Ia34f5155e1cdb67161191f69e8d1248cbaa39e1a
Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
It is useful to have LOG_LEVEL_VERBOSE because it prints the memory map
of each image, but that also means that the change_mem_attributes and
get_mem_attributes functions have verbose prints, and generate a too
long text output that hides other useful information.
As they were mostly there for debug purposes, this patch removes them.
Change-Id: I2986537377d1f78be2b79cc8a6cf230c380bdb55
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
The previous debug output for EL1&0 translation regimes was too verbose,
which makes it hard to read and hides the intent behind the parameters
assigned to each region. This patch simplifies this output and makes the
outputs for EL3 and EL1&0 mostly the same. The difference is that in
EL1&0 it is specified whether the region is exclusively accessible from
EL1 (PRIV) or both EL0 and EL1 (USER).
For example:
MEM-RW(PRIV)-NOACCESS(USER)-XN(PRIV)-XN(USER)-S
MEM-RO(PRIV)-NOACCESS(USER)-EXEC(PRIV)-EXEC(USER)-S
After the change, it becomes this:
MEM-RW-XN-PRIV-S
MEM-RO-EXEC-PRIV-S
Change-Id: I15f4b99058429d42107fbf89e15f4838a9b559a5
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Instead of having one big file with all the code, it's better to have
a few smaller files that are more manageable:
- xlat_tables_core.c: Code related to the core functionality of the
library (map and unmap regions, initialize xlat context).
- xlat_tables_context.c: Instantiation of the active image context
as well as APIs to manipulate it.
- xlat_tables_utils.c: Helper code that isn't part of the core
functionality (change attributes, debug print messages).
Change-Id: I3ea956fc1afd7473c0bb5e7c6aab3b2e5d88c711
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Having an active stack while enabling MMU has shown coherency problems.
This patch builds on top of translation library changes that introduces
MMU-enabling without using stacks.
Previously, with HW_ASSISTED_COHERENCY, data caches were disabled while
enabling MMU only because of active stack. Now that we can enable MMU
without using stack, we can enable both MMU and data caches at the same
time.
NOTE: Since this feature depends on using translation table library v2,
disallow using translation table library v1 with HW_ASSISTED_COHERENCY.
FixesARM-software/tf-issues#566
Change-Id: Ie55aba0c23ee9c5109eb3454cb8fa45d74f8bbb2
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
An earlier patch split MMU-enabling function for translation library v2.
Although we don't intend to introduce the exact same functionality for
xlat v1, this patch introduces stubs for directly enabling MMU to
maintain API-compatibility.
Change-Id: Id7d56e124c80af71de999fcda10f1734b50bca97
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
At present, the function provided by the translation library to enable
MMU constructs appropriate values for translation library, and programs
them to the right registers. The construction of initial values,
however, is only required once as both the primary and secondaries
program the same values.
Additionally, the MMU-enabling function is written in C, which means
there's an active stack at the time of enabling MMU. On some systems,
like Arm DynamIQ, having active stack while enabling MMU during warm
boot might lead to coherency problems.
This patch addresses both the above problems by:
- Splitting the MMU-enabling function into two: one that sets up
values to be programmed into the registers, and another one that
takes the pre-computed values and writes to the appropriate
registers. With this, the primary effectively calls both functions
to have the MMU enabled, but secondaries only need to call the
latter.
- Rewriting the function that enables MMU in assembly so that it
doesn't use stack.
This patch fixes a bunch of MISRA issues on the way.
Change-Id: I0faca97263a970ffe765f0e731a1417e43fbfc45
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
The values defined in this type are used in logical operations, which
goes against MISRA Rule 10.1: "Operands shall not be of an inappropriate
essential type".
Now, `unsigned int` is used instead. This also allows us to move the
dynamic mapping bit from 30 to 31. It was an undefined behaviour in the
past because an enum is signed by default, and bit 31 corresponds to the
sign bit. It is undefined behaviour to modify the sign bit. Now, bit 31
is free to use as it was originally meant to be.
mmap_attr_t is now defined as an `unsigned int` for backwards
compatibility.
Change-Id: I6b31218c14b9c7fdabebe432de7fae6e90a97f34
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
This patch introduces setjmp() and ongjmp() primitives to enable
standard setjmp/longjmp style execution. Both APIs parameters take a
pointer to struct jmpbuf type, which hosts CPU registers saved/restored
during jump.
As per the standard usage:
- setjmp() return 0 when a jump is setup; and a non-zero value when
returning from jump.
- The caller of setjmp() must not return, or otherwise update stack
pointer since.
Change-Id: I4af1d32e490cfa547979631b762b4cba188d0551
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
The XN, PXN and UXN bits are part of the upper attributes, not the
lower attributes.
Change-Id: Ia5e83f06f2a8de88b551f55f1d36d694918ccbc0
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
The issue can occur if end_va is equal to the max architecture address,
and when mm_cursor point to the last entry of mmap_region_t table: {0}.
The first line of the while will then be true, e.g. on AARCH32, we have:
mm_cursor->base_va (=0) + mm_cursor->size (=0) - 1 == end_va (=0xFFFFFFFF)
And the mm_cursor->size = 0 will be lesser than mm->size
A check on mm_cursor->size != 0 should be done as in the previous while,
to avoid such kind of infinite loop.
fixesarm-software/tf-issues#594
Signed-off-by: Yann Gautier <yann.gautier@st.com>
The function xlat_arch_is_granule_size_supported() can be used to check
if a specific granule size is supported. In Armv8, AArch32 only supports
4 KiB pages. AArch64 supports 4 KiB, 16 KiB or 64 KiB depending on the
implementation, which is detected at runtime.
The function xlat_arch_get_max_supported_granule_size() returns the max
granule size supported by the implementation.
Even though right now they are only used by SPM, they may be useful in
other places in the future. This patch moves the code currently in SPM
to the xlat tables lib so that it can be reused.
Change-Id: If54624a5ecf20b9b9b7f38861b56383a03bbc8a4
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Rule 5.7: A tag name shall be a unique identifier
Follow convention of shorter names for smaller scope to fix
violations of MISRA rule 5.7
Fixed For:
make ARM_TSP_RAM_LOCATION=tdram LOG_LEVEL=50 PLAT=fvp SPD=opteed
Change-Id: I5fbb5d6ebddf169550eddb07ed880f5c8076bb76
Signed-off-by: Daniel Boulby <daniel.boulby@arm.com>
Rule 5.7: A tag name shall be a unique identifier
There were 2 amu_ctx struct type definitions:
- In lib/extensions/amu/aarch64/amu.c
- In lib/cpus/aarch64/cpuamu.c
Renamed the latter to cpuamu_ctx to avoid this name clash
To avoid violation of Rule 8.3 also change name of function
amu_ctxs to unique name (cpuamu_ctxs) since it now returns a
different type (cpuamu_ctx) than the other amu_ctxs function
Fixed for:
make LOG_LEVEL=50 PLAT=fvp
Change-Id: Ieeb7e390ec2900fd8b775bef312eda93804a43ed
Signed-off-by: Daniel Boulby <daniel.boulby@arm.com>
Use a _ prefix for macro arguments to prevent that argument from
hiding variables of the same name in the outer scope
Rule 5.3: An identifier declared in an inner scope shall not
hide an identifier declared in an outer scope
Fixed For:
make PLAT=fvp USE_COHERENT_MEM=0
Change-Id: If50c583d3b63799ee6852626b15be00c0f6b10a0
Signed-off-by: Daniel Boulby <daniel.boulby@arm.com>
Use a _ prefix for Macro arguments to prevent that argument from
hiding variables of the same name in the outer scope
Rule 5.3: An identifier declared in an inner scope shall not
hide an identifier declared in an outer scope
Fixed For:
make LOG_LEVEL=50 PLAT=fvp
Change-Id: I67b6b05cbad4aeca65ce52981b4679b340604708
Signed-off-by: Daniel Boulby <daniel.boulby@arm.com>
Rule 21.15: The pointer arguments to the Standard Library functions
memcpy, memmove and memcmp shall be pointers to qualified or unqualified
versions of compatible types.
Basically that means that both pointer arguments must be of the same
type. However, even if the pointers passed as arguments to the above
functions are of the same type, Coverity still thinks it's a violation
if we do pointer arithmetics directly at the function call. Thus the
pointer arithmetic operations were moved outside of the function
argument.
First detected on the following configuration
make PLAT=fvp LOG_LEVEL=50
Change-Id: I8b912ec1bfa6f2d60857cb1bd453981fd7001b94
Signed-off-by: John Tsichritzis <john.tsichritzis@arm.com>
The Cortex-A76 implements SMCCC_ARCH_WORKAROUND_2 as defined in
"Firmware interfaces for mitigating cache speculation vulnerabilities
System Software on Arm Systems"[0].
Dynamic mitigation for CVE-2018-3639 is enabled/disabled by
setting/clearning bit 16 (Disable load pass store) of `CPUACTLR2_EL1`.
NOTE: The generic code that implements dynamic mitigation does not
currently implement the expected semantics when dispatching an SDEI
event to a lower EL. This will be fixed in a separate patch.
[0] https://developer.arm.com/cache-speculation-vulnerability-firmware-specification
Change-Id: I8fb2862b9ab24d55a0e9693e48e8be4df32afb5a
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>
The workaround uses the instruction patching feature of the Ares cpu.
Change-Id: I868fce0dc0e8e41853dcce311f01ee3867aabb59
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>
Both Cortex-Ares and Cortex-A76 CPUs use the ARM DynamIQ Shared Unit
(DSU). The power-down and power-up sequences are therefore mostly
managed in hardware, and required software operations are simple.
Change-Id: I3a9447b5bdbdbc5ed845b20f6564d086516fa161
Signed-off-by: Isla Mitchell <isla.mitchell@arm.com>
When SMCCC_ARCH_WORKAROUND_1 is invoked from a lower EL running in
AArch32 state, ensure that the SMC call will take a shortcut in EL3.
This minimizes the time it takes to apply the mitigation in EL3.
When lower ELs run in AArch32, it is preferred that they execute the
`BPIALL` instruction to invalidate the BTB. However, on some cores
the `BPIALL` instruction may be a no-op and thus would benefit from
making the SMCCC_ARCH_WORKAROUND_1 call go through the fast path.
Change-Id: Ia38abd92efe2c4b4a8efa7b70f260e43c5bda8a5
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>
This function can be currently accessed through the wrappers
cm_init_context_by_index() and cm_init_my_context(). However, they only
work on contexts that are associated to a CPU.
By making this function public, it is possible to set up a context that
isn't associated to any CPU. For consistency, it has been renamed to
cm_setup_context().
Change-Id: Ib2146105abc8137bab08745a8adb30ca2c4cedf4
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Some CPUS may benefit from using a dynamic mitigation approach for
CVE-2018-3639. A new SMC interface is defined to allow software
executing in lower ELs to enable or disable the mitigation for their
execution context.
It should be noted that regardless of the state of the mitigation for
lower ELs, code executing in EL3 is always mitigated against
CVE-2018-3639.
NOTE: This change is a compatibility break for any platform using
the declare_cpu_ops_workaround_cve_2017_5715 macro. Migrate to
the declare_cpu_ops_wa macro instead.
Change-Id: I3509a9337ad217bbd96de9f380c4ff8bf7917013
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>
For affected CPUs, this approach enables the mitigation during EL3
initialization, following every PE reset. No mechanism is provided to
disable the mitigation at runtime.
This approach permanently mitigates the entire software stack and no
additional mitigation code is required in other software components.
TF-A implements this approach for the following affected CPUs:
* Cortex-A57 and Cortex-A72, by setting bit 55 (Disable load pass store) of
`CPUACTLR_EL1` (`S3_1_C15_C2_0`).
* Cortex-A73, by setting bit 3 of `S3_0_C15_C0_0` (not documented in the
Technical Reference Manual (TRM)).
* Cortex-A75, by setting bit 35 (reserved in TRM) of `CPUACTLR_EL1`
(`S3_0_C15_C1_0`).
Additionally, a new SMC interface is implemented to allow software
executing in lower ELs to discover whether the system is mitigated
against CVE-2018-3639.
Refer to "Firmware interfaces for mitigating cache speculation
vulnerabilities System Software on Arm Systems"[0] for more
information.
[0] https://developer.arm.com/cache-speculation-vulnerability-firmware-specification
Change-Id: I084aa7c3bc7c26bf2df2248301270f77bed22ceb
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>
This patch renames symbols and files relating to CVE-2017-5715 to make
it easier to introduce new symbols and files for new CVE mitigations.
Change-Id: I24c23822862ca73648c772885f1690bed043dbc7
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>
Flush the indirect branch predictor and RSB on entry to EL3 by issuing
a newly added instruction for Denver CPUs. Support for this operation
can be determined by comparing bits 19:16 of ID_AFR0_EL1 with 0b0001.
To achieve this without performing any branch instruction, a per-cpu
vbar is installed which executes the workaround and then branches off
to the corresponding vector entry in the main vector table. A side
effect of this change is that the main vbar is configured before any
reset handling. This is to allow the per-cpu reset function to override
the vbar setting.
Change-Id: Ief493cd85935bab3cfee0397e856db5101bc8011
Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>
The context management library initialises the CPU context for the
secure/non-secure worlds to zero. This leads to zeros being stored
to the actual registers when we restore the CPU context, during a
world switch. Denver CPUs dont expect zero to be written to the
implementation defined, actlr_el1 register, at any point of time.
Writing a zero to some fields of this register, results in an
UNDEFINED exception.
This patch bases the context actlr_el1 value on the actual hardware
register, to maintain parity with the expected settings
Change-Id: I1c806d7ff12daa7fd1e5c72825494b81454948f2
Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>
Using variables as format strings can generate security problems when
the user can control those strings. Some compilers generate warnings
in that cases, even when the variables are constants and are not
controlled by the user.
Change-Id: I65dee1d1b66feab38cbf298290a86fa56e6cca40
Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
The ARMv8.4 RAS extensions introduce architectural support for software
to inject faults into the system in order to test fault-handling
software. This patch introduces the build option FAULT_HANDLING_SUPPORT
to allow for lower ELs to use registers in the Standard Error Record to
inject fault. The build option RAS_EXTENSIONS must also be enabled along
with fault injection.
This feature is intended for testing purposes only, and is advisable to
keep disabled for production images.
Change-Id: I6f7a4454b15aec098f9505a10eb188c2f928f7ea
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
EHF currently allows for registering interrupt handlers for a defined
priority ranges. This is primarily targeted at various EL3 dispatchers
to own ranges of secure interrupt priorities in order to delegate
execution to lower ELs.
The RAS support added by earlier patches necessitates registering
handlers based on interrupt number so that error handling agents shall
receive and handle specific Error Recovery or Fault Handling interrupts
at EL3.
This patch introduces a macro, RAS_INTERRUPTS() to declare an array of
interrupt numbers and handlers. Error handling agents can use this macro
to register handlers for individual RAS interrupts. The array is
expected to be sorted in the increasing order of interrupt numbers.
As part of RAS initialisation, the list of all RAS interrupts are sorted
based on their ID so that, given an interrupt, its handler can be looked
up with a simple binary search.
For an error handling agent that wants to handle a RAS interrupt,
platform must:
- Define PLAT_RAS_PRI to be the priority of all RAS exceptions.
- Enumerate interrupts to have the GIC driver program individual EL3
interrupts to the required priority range. This is required by EHF
even before this patch.
Documentation to follow.
Change-Id: I9471e4887ff541f8a7a63309e9cd8f771f76aeda
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
Previous patches added frameworks for handling RAS errors. This patch
introduces features that the platform can use to enumerate and iterate
RAS nodes:
- The REGISTER_RAS_NODES() can be used to expose an array of
ras_node_info_t structures. Each ras_node_info_t describes a RAS
node, along with handlers for probing the node for error, and if
did record an error, another handler to handle it.
- The macro for_each_ras_node() can be used to iterate over the
registered RAS nodes, probe for, and handle any errors.
The common platform EA handler has been amended using error handling
primitives introduced by both this and previous patches.
Change-Id: I2e13f65a88357bc48cd97d608db6c541fad73853
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
The ARMv8 RAS Extensions introduced Standard Error Records which are a
set of standard registers through which:
- Platform can configure RAS node policy; e.g., notification
mechanism;
- RAS nodes can record and expose error information for error handling
agents.
Standard Error Records can either be accessed via. memory-mapped
or System registers. This patch adds helper functions to access
registers and fields within an error record.
Change-Id: I6594ba799f4a1789d7b1e45b3e17fd40e7e0ba5c
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
RAS extensions are mandatory for ARMv8.2 CPUs, but are also optional
extensions to base ARMv8.0 architecture.
This patch adds build system support to enable RAS features in ARM
Trusted Firmware. A boolean build option RAS_EXTENSION is introduced for
this.
With RAS_EXTENSION, an Exception Synchronization Barrier (ESB) is
inserted at all EL3 vector entry and exit. ESBs will synchronize pending
external aborts before entering EL3, and therefore will contain and
attribute errors to lower EL execution. Any errors thus synchronized are
detected via. DISR_EL1 register.
When RAS_EXTENSION is set to 1, HANDLE_EL3_EA_FIRST must also be set to 1.
Change-Id: I38a19d84014d4d8af688bd81d61ba582c039383a
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
At present, the function that restores general purpose registers also
does ERET. Refactor the restore code to restore general purpose
registers without ERET to complement the save function.
The macro save_x18_to_x29_sp_el0 was used only once, and is therefore
removed, and its contents expanded inline for readability.
No functional changes, but with this patch:
- The SMC return path will incur an branch-return and an additional
register load.
- The unknown SMC path restores registers x0 to x3.
Change-Id: I7a1a63e17f34f9cde810685d70a0ad13ca3b7c50
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
In AArch64, the field ID_AA64MMFR0_EL1.PARange has a different set of
allowed values depending on the architecture version.
Previously, we only compiled the Trusted Firmware with the values that
were allowed by the architecture. However, given that this field is
read-only, it is easier to compile the code with all values regardless
of the target architecture.
Change-Id: I57597ed103dd0189b1fb738a9ec5497391c10dd1
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Previously mem_protect used to be only supported from BL2. This is not
helpful in the case when ARM TF-A BL2 is not used. This patch demonstrates
mem_protect from el3_runtime firmware on ARM Platforms specifically
when RESET_TO_BL31 or RESET_TO_SP_MIN flag is set as BL2 may be absent
in these cases. The Non secure DRAM is dynamically mapped into EL3 mmap
tables temporarily and then the protected regions are then cleared. This
avoids the need to map the non secure DRAM permanently to BL31/sp_min.
The stack size is also increased, because DYNAMIC_XLAT_TABLES require
a bigger stack.
Change-Id: Ia44c594192ed5c5adc596c0cff2c7cc18c001fde
Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
According to the ARMv8 ARM issue C.a:
AP[1] is valid only for stage 1 of a translation regime that can
support two VA ranges. It is RES 1 when stage 1 translations can
support only one VA range.
This means that, even though this bit is ignored, it should be set to 1
in the EL3 and EL2 translation regimes.
For translation regimes consisting on EL0 and a higher regime this bit
selects between control at EL0 or at the higher Exception level. The
regimes that support two VA ranges are EL1&0 and EL2&0 (the later one
is only available since ARMv8.1).
This fix has to be applied to both versions of the translation tables
library.
Change-Id: If19aaf588551bac7aeb6e9a686cf0c2068e7c181
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
A fix for errata 835769 may be available in revisions r0p2, r0p3 or r0p4
of the Cortex-A53 processor. The presence of the fix is determined by
checking bit 7 in the REVIDR register.
If the fix is present we report ERRATA_NOT_APPLIES which silences the
erroneous 'missing workaround' warning.
Change-Id: Ib75b008e755e9ac648554ca9398024fdbea4a91a
Signed-off-by: Jonathan Wright <jonathan.wright@arm.com>
A fix for errata 843419 may be available in revision r0p4 of the
Cortex-A53 processor. The presence of the fix is determined by checking
bit 8 in the REVIDR register.
If the fix is present we report ERRATA_NOT_APPLIES which silences the
erroneous 'missing workaround' warning.
Change-Id: Ibd2a478df3e2a6325442a6a48a0bb0259dcfc1d7
Signed-off-by: Jonathan Wright <jonathan.wright@arm.com>
The last entry in the mapping table is not necessarily the same as the
end of the table. This patch loops through the table to find the last
entry marker, on every new mmap addition. The memove operation then
has to only move the memory between current entry and the last entry.
For platforms that arrange their MMIO map properly, this opearation
turns out to be a NOP.
The previous implementation added significant overhead per mmap
addition as the memmove operation always moved the difference between
the current mmap entry and the end of the table.
Tested on Tegra platforms and this new approach improves the memory
mapping time by ~75%, thus significantly reducing boot time on some
platforms.
Change-Id: Ie3478fa5942379282ef58bee2085da799137e2ca
Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>
Initializes each element of the last_cpu_in_non_cpu_pd array in PSCI
stat implementation to -1, the reset value. This satisfies MISRA rule
9.3.
Previously, only the first element of the array was initialized to -1.
Change-Id: I666c71e6c073710c67c6d24c07a219b1feb5b773
Signed-off-by: Jonathan Wright <jonathan.wright@arm.com>
Void pointers have been used to access linker symbols, by declaring an
extern pointer, then taking the address of it. This limits symbols
values to aligned pointer values. To remove this restriction an
IMPORT_SYM macro has been introduced, which declares it as a char
pointer and casts it to the required type.
Change-Id: I89877fc3b13ed311817bb8ba79d4872b89bfd3b0
Signed-off-by: Joel Hutton <Joel.Hutton@Arm.com>
When the source code says 'SMCC' it is talking about the SMC Calling
Convention. The correct acronym is SMCCC. This affects a few definitions
and file names.
Some files have been renamed (smcc.h, smcc_helpers.h and smcc_macros.S)
but the old files have been kept for compatibility, they include the
new ones with an ERROR_DEPRECATED guard.
Change-Id: I78f94052a502436fdd97ca32c0fe86bd58173f2f
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
When querying `SMCCC_ARCH_WORKAROUND_1` through `SMCCC_ARCH_FEATURES`,
return either:
* -1 to indicate the PE on which `SMCCC_ARCH_FEATURES` is called
requires firmware mitigation for CVE-2017-5715 but the mitigation
is not compiled in.
* 0 to indicate that firmware mitigation is required, or
* 1 to indicate that no firmware mitigation is required.
This patch complies with v1.2 of the firmware interfaces
specification (ARM DEN 0070A).
Change-Id: Ibc32d6620efdac6c340758ec502d95554a55f02a
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>
If the CSV2 field reads as 1 then branch targets trained in one
context cannot affect speculative execution in a different context.
In that case skip the workaround on Cortex A72 and A73.
Change-Id: Ide24fb6efc77c548e4296295adc38dca87d042ee
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>
Rule 8.4: A compatible declaration shall be visible when
an object or function with external linkage is defined
Fixed for:
make DEBUG=1 PLAT=fvp LOG_LEVEL=50 all
Change-Id: I7c2ad3f5c015411c202605851240d5347e4cc8c7
Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
Rule 8.4: A compatible declaration shall be visible when
an object or function with external linkage is defined.
Change-Id: I26e042cb251a6f9590afa1340fdac73e42f23979
Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
Rule 8.3: All declarations of an object or function shall
use the same names and type qualifiers.
Change-Id: Iff384187c74a598a4e73f350a1893b60e9d16cec
Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
MISRA C-2012 Rule 7.3 violation: lowercase l shall not be used as literal suffixes.
This patch resolves this for the ULL() macro by using ULL suffix instead
of the ull suffix.
Change-Id: Ia8183c399e74677e676956e8653e82375d0e0a01
Signed-off-by: David Cunado <david.cunado@arm.com>
During the warm boot sequence:
1. The MMU is enabled with the data cache disabled. The MMU table walker
is set up to access the translation tables as in cacheable memory,
but its accesses are non-cacheable because SCTLR_EL3.C controls them
as well.
2. The interconnect is set up and the CPU enters coherency with the
rest of the system.
3. The data cache is enabled.
If the support for dynamic translation tables is enabled and another CPU
makes changes to a region, the changes may only be present in the data
cache, not in RAM. The CPU that is booting isn't in coherency with the
rest of the system, so the table walker of that CPU isn't either. This
means that it may read old entries from RAM and it may have invalid TLB
entries corresponding to the dynamic mappings.
This is not a problem for the boot code because the mapping is 1:1 and
the regions are static. However, the code that runs after the boot
sequence may need to access the dynamically mapped regions.
This patch invalidates all TLBs during warm boot when the dynamic
translation tables support is enabled to prevent this problem.
Change-Id: I80264802dc0aa1cb3edd77d0b66b91db6961af3d
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
This patch also fixes the assumption that the counters are disabled on
the resume path. This is incorrect as the AMU counters are enabled
early in the CPU reset function before `cpuamu_context_restore()`
runs.
Change-Id: I38a94eb166a523f00de18e86860434ffccff2131
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>
This patch also fixes `cpuamu_write_cpuamcntenclr_el0()` to use an MSR
instruction instead of an MRS instruction.
Change-Id: Ia6531f64b5ebc60ba432124eaa8d8eaccba40ed0
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>
AArch32 uses odd-even pairs when passing 64-bit arguments to
functions. For example in `amu_group0_cnt_write_internal()` the
second argument is a uint64_t which is passed in r2 and r3.
In `amu_group1_set_evtype_internal()` the value that needs to be
written to the system register is in r1 not in r0.
Change-Id: I20196268fdb1dc9ef6c4ebe61e761fba9623b3f2
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>
Before suspend the AMU counters should be enabled and after resume
they should be disabled. Assert that to be consistent with the
AArch64 implementation of `amu_context_{save,restore}()`.
Change-Id: Ia46f77e4062b93afb93721a2890a9b9d2a7f300e
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>
Implement helpers to test if the core supports SPE/SVE. We have a
similar helper for AMU and this patch makes all extensions consistent
in their implementation.
Change-Id: I3e6f7522535ca358259ad142550b19fcb883ca67
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>
The AArch32 assembly implementation of `print_errata_status` did not save
a register which was getting clobbered by a `get_cpu_ops_ptr`. This
patch fixes that.
Change-Id: Id0711e46b7c685a18a10328d4b513e952a5d860b
Signed-off-by: Soby Mathew <soby.mathew@arm.com>
When enabling VERBOSE() traces, the zlib library fails to compile
because of an incompatible format specifier string. Fix that.
Change-Id: I74ff1c8dc2e6157ee982f7754bce4504599e3013
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
Currently optee header info is only printed after it is validated,
but this does not help with debugging in case of error, so print it
before.
Signed-off-by: Victor Chong <victor.chong@linaro.org>
AArch32 only platforms can boot the OP-TEE secure firmware as
a BL32 secure payload. Such configuration can be defined through
AARCH32_SP=optee.
The source files can rely on AARCH32_SP_OPTEE to condition
OP-TEE boot specific instruction sequences.
OP-TEE does not expect ARM Trusted Firmware formatted structure
as boot argument. Load sequence is expected to have already loaded
to OP-TEE boot arguments into the bl32 entrypoint info structure.
Last, AArch32 platform can only boot AArch32 OP-TEE images.
Change-Id: Ic28eec5004315fc9111051add6bb1a1d607fc815
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
This commit adds some more files to use zlib from TF.
To use zlib, ->zalloc and ->zfree hooks are needed. The implementation
depends on the system. For user-space, the libc provides malloc() and
friends. Unfortunately, ARM Trusted Firmware does not provide malloc()
or any concept of dynamic memory allocation.
I implemented very simple calloc() and free() for this. Stupidly,
zfree() never frees memory, but it works enough for this.
The purpose of using zlib is to implement gunzip() - this function
takes compressed data from in_buf, then dumps the decompressed data
to oub_buf. The work_buf is used for memory allocation during the
decompress. Upon exit, it updates in_buf and out_buf. If successful,
in_buf points to the end of input data, out_buf to the end of the
decompressed data.
To use this feature, you need to do:
- include lib/zlib/zlib.mk from your platform.mk
- add $(ZLIB_SOURCES) to your BL*_SOURCES
Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
Import the following files from zlib 1.2.11:
adler32.c
crc32.c
crc32.h
inffast.c
inffast.h
inffixed.h
inflate.c
inflate.h
inftrees.c
inftrees.h
zconf.h
zlib.h
zutil.c
zutil.h
The original tarball is available from http://zlib.net/
The zlib is free software, distributed under the zlib license. The
license text is included in the "zlib.h" file. It should be compatible
with BSD-3-Clause.
The zlib license is included in the SPDX license list available at
https://spdx.org/licenses/, but I did not add the SPDX license tag to
the imported files above, to keep them as they are in the upstream
project. This seems the general policy for ARM Trusted Firmware, as
SPDX License Identifier was not added to files imported from FreeBSD.
Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
The assertion in zero_normalmem() fails for BL2_AT_EL3. This mode is
executed in EL3, so it should check sctlr_el3 instead of sctlr_el1.
Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
Add amu_context_save() and amu_context_restore() functions for aarch32
Change-Id: I4df83d447adeaa9d9f203e16dc5a919ffc04d87a
Signed-off-by: Joel Hutton <joel.hutton@arm.com>
This patch implements a fast path for this SMC call on affected PEs by
detecting and returning immediately after executing the workaround.
NOTE: The MMU disable/enable workaround now assumes that the MMU was
enabled on entry to EL3. This is a valid assumption as the code turns
on the MMU after reset and leaves it on until the core powers off.
Change-Id: I13c336d06a52297620a9760fb2461b4d606a30b3
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>
In the initial implementation of this workaround we used a dedicated
workaround context to save/restore state. This patch reduces the
footprint as no additional context is needed.
Additionally, this patch reduces the memory loads and stores by 20%,
reduces the instruction count and exploits static branch prediction to
optimize the SMC path.
Change-Id: Ia9f6bf06fbf8a9037cfe7f1f1fb32e8aec38ec7d
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>
On some platforms it may be necessary to discover the SMCCC version
via a PSCI features call.
Change-Id: I95281ac2263ca9aefda1809eb03464fbdb8ac24d
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>
coreboot supports an in-memory console to store firmware logs even when
no serial console is available. It is widely supported by
coreboot-compatible bootloaders (including SeaBIOS and GRUB) and can be
read by the Linux kernel.
This patch allows BL31 to add its own log messages to this console. The
driver will be registered automatically if coreboot support is compiled
in and detects the presence of a console buffer in the coreboot tables.
Change-Id: I31254dfa0c2fdeb7454634134b5707b4b4154907
Signed-off-by: Julius Werner <jwerner@chromium.org>
This patch adds the foundation for a platform-independent coreboot
support library that can be shared by all platforms that boot BL31 from
coreboot (acting as BL2). It adds code to parse the "coreboot table", a
data structure that coreboot uses to communicate different kinds of
information to later-stage firmware and certain OS drivers.
As a first small use case for this information, allow platforms to
access the serial console configuration used by coreboot, removing the
need to hardcode base address and divisors and allowing Trusted Firmware
to benefit from coreboot's user configuration (e.g. which UART to pick
and which baud rate to use).
Change-Id: I2bfb39cd2609ce6640b844ab68df6c9ae3f28e9e
Signed-off-by: Julius Werner <jwerner@chromium.org>
In AARCH32 mode, cortex_a72_reset_func branches to address in lr
register instead of r5 register. This leads to linux boot failure
of Cortex-A72 cores in AARCH32 mode on Juno-R2 board.
This patch fixes the branching of cortex_a72_reset_func to r5
register as in cortex_a57_reset_func implementation.
Signed-off-by: Manoj Kumar <manoj.kumar3@arm.com>
A per-cpu vbar is installed that implements the workaround by
invalidating the branch target buffer (BTB) directly in the case of A9
and A17 and indirectly by invalidating the icache in the case of A15.
For Cortex A57 and A72 there is currently no workaround implemented
when EL3 is in AArch32 mode so report it as missing.
For other vulnerable CPUs (e.g. Cortex A73 and Cortex A75), there are
no changes since there is currently no upstream AArch32 EL3 support
for these CPUs.
Change-Id: Ib42c6ef0b3c9ff2878a9e53839de497ff736258f
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>
Even though the workaround for CVE-2017-5715 is not a CPU erratum, the
code is piggybacking on the errata framework to print whether the
workaround was applied, missing or not needed.
Change-Id: I821197a4b8560c73fd894cd7cd9ecf9503c72fa3
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>
As we are using the errata framework to handle workarounds in a more
general sense, change the default string to reflect that.
Change-Id: I2e266af2392c9d95e18fe4e965f9a1d46fd0e95e
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>
This patch enables BL2 to execute at the highest exception level
without any dependancy on TF BL1. This enables platforms which already
have a non-TF Boot ROM to directly load and execute BL2 and subsequent BL
stages without need for BL1. This is not currently possible because
BL2 executes at S-EL1 and cannot jump straight to EL3.
Change-Id: Ief1efca4598560b1b8c8e61fbe26d1f44e929d69
Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
If AMU is not supported by the hardware but it is enabled in Trusted
Firmware, the console will be spammed with warnings every time a CPU
is brought up with a CPU ON call.
Remove the warning message as this is more in line with how other
extensions like SPE and SVE are handled.
Change-Id: Iba6d367e4d1375ab554d23d2eaceab3ae1362c5a
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>
On some systems, the AMU counters might reset to 0 when a CPU
powerdown happens. This behaviour conflicts with the intended
use-case of AMU as lower ELs are only expected to see non-decreasing
counter values.
Change-Id: If25519965d4e6e47e09225d0e732947986cbb5ec
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>
Add some AMU helper functions to allow configuring, reading and
writing of the Group 0 and Group 1 counters. Documentation for these
helpers will come in a separate patch.
Change-Id: I656e070d2dae830c22414f694aa655341d4e2c40
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>
A new platform macro `PLAT_AMU_GROUP1_COUNTERS_MASK` controls which
group 1 counters should be enabled. The maximum number of group 1
counters supported by AMUv1 is 16 so the mask can be at most 0xffff.
If the platform does not define this mask, no group 1 counters are
enabled.
A related platform macro `PLAT_AMU_GROUP1_NR_COUNTERS` is used by
generic code to allocate an array to save and restore the counters on
CPU suspend.
Change-Id: I6d135badf4846292de931a43bb563077f42bb47b
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>
The suspend hook is published at the start of a CPU powerdown
operation. The resume hook is published at the end of a CPU powerup
operation.
Change-Id: I50c05e2dde0d33834095ac41b4fcea4c161bb434
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>
If the CSV2 field reads as 1 then branch targets trained in one
context cannot affect speculative execution in a different context.
In that case skip the workaround on Cortex A75.
Change-Id: I4d5504cba516a67311fb5f0657b08f72909cbd38
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>
Invalidate the Branch Target Buffer (BTB) on entry to EL3 by
temporarily dropping into AArch32 Secure-EL1 and executing the
`BPIALL` instruction.
This is achieved by using 3 vector tables. There is the runtime
vector table which is used to handle exceptions and 2 additional
tables which are required to implement this workaround. The
additional tables are `vbar0` and `vbar1`.
The sequence of events for handling a single exception is
as follows:
1) Install vector table `vbar0` which saves the CPU context on entry
to EL3 and sets up the Secure-EL1 context to execute in AArch32 mode
with the MMU disabled and I$ enabled. This is the default vector table.
2) Before doing an ERET into Secure-EL1, switch vbar to point to
another vector table `vbar1`. This is required to restore EL3 state
when returning from the workaround, before proceeding with normal EL3
exception handling.
3) While in Secure-EL1, the `BPIALL` instruction is executed and an
SMC call back to EL3 is performed.
4) On entry to EL3 from Secure-EL1, the saved context from step 1) is
restored. The vbar is switched to point to `vbar0` in preparation to
handle further exceptions. Finally a branch to the runtime vector
table entry is taken to complete the handling of the original
exception.
This workaround is enabled by default on the affected CPUs.
NOTE
====
There are 4 different stubs in Secure-EL1. Each stub corresponds to
an exception type such as Sync/IRQ/FIQ/SError. Each stub will move a
different value in `R0` before doing an SMC call back into EL3.
Without this piece of information it would not be possible to know
what the original exception type was as we cannot use `ESR_EL3` to
distinguish between IRQs and FIQs.
Change-Id: I90b32d14a3735290b48685d43c70c99daaa4b434
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>
Invalidate the Branch Target Buffer (BTB) on entry to EL3 by disabling
and enabling the MMU. To achieve this without performing any branch
instruction, a per-cpu vbar is installed which executes the workaround
and then branches off to the corresponding vector entry in the main
vector table. A side effect of this change is that the main vbar is
configured before any reset handling. This is to allow the per-cpu
reset function to override the vbar setting.
This workaround is enabled by default on the affected CPUs.
Change-Id: I97788d38463a5840a410e3cea85ed297a1678265
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>
`mm_cursor` doesn't have the needed data because the `memmove()` that
is called right before it overwrites that information. In order to get
the information of the region that was being mapped, `mm` has to be used
instead (like it is done to fill the fields of `unmap_mm`).
If the incorrect information is read, this check isn't reliable and
`xlat_tables_unmap_region` may be requested to unmap memory that isn't
mapped at all, triggering assertions.
Change-Id: I602d4ac83095d4e5dac9deb34aa5d00d00e6c289
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
This patch adds a new build option, ENABLE_SVE_FOR_NS, which when set
to one EL3 will check to see if the Scalable Vector Extension (SVE) is
implemented when entering and exiting the Non-secure world.
If SVE is implemented, EL3 will do the following:
- Entry to Non-secure world: SIMD, FP and SVE functionality is enabled.
- Exit from Non-secure world: SIMD, FP and SVE functionality is
disabled. As SIMD and FP registers are part of the SVE Z-registers
then any use of SIMD / FP functionality would corrupt the SVE
registers.
The build option default is 1. The SVE functionality is only supported
on AArch64 and so the build option is set to zero when the target
archiecture is AArch32.
This build option is not compatible with the CTX_INCLUDE_FPREGS - an
assert will be raised on platforms where SVE is implemented and both
ENABLE_SVE_FOR_NS and CTX_INCLUDE_FPREGS are set to 1.
Also note this change prevents secure world use of FP&SIMD registers on
SVE-enabled platforms. Existing Secure-EL1 Payloads will not work on
such platforms unless ENABLE_SVE_FOR_NS is set to 0.
Additionally, on the first entry into the Non-secure world the SVE
functionality is enabled and the SVE Z-register length is set to the
maximum size allowed by the architecture. This includes the use case
where EL2 is implemented but not used.
Change-Id: Ie2d733ddaba0b9bef1d7c9765503155188fe7dae
Signed-off-by: David Cunado <david.cunado@arm.com>
The `ENABLE_AMU` build option can be used to enable the
architecturally defined AMU counters. At present, there is no support
for the auxiliary counter group.
Change-Id: Ifc7532ef836f83e629f2a146739ab61e75c4abc8
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>
The `ENABLE_AMU` build option can be used to enable the
architecturally defined AMU counters. At present, there is no support
for the auxiliary counter group.
Change-Id: I7ea0c0a00327f463199d1b0a481f01dadb09d312
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>
The Cortex A75 has 5 AMU counters. The first three counters are fixed
and the remaining two are programmable.
A new build option is introduced, `ENABLE_AMU`. When set, the fixed
counters will be enabled for use by lower ELs. The programmable
counters are currently disabled.
Change-Id: I4bd5208799bb9ed7d2596e8b0bfc87abbbe18740
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>
This patch replaces the macro ASM_ASSERTION with the macro
ENABLE_ASSERTIONS in ARM Cortex-A53/57/72 MPCore Processor
related files. There is build error when ASM_ASSERTION is set
to 1 and ENABLE_ASSERTIONS is set to 0 because function
asm_assert in common/aarch32/debug.S is defined in the macro
ENABLE_ASSERTIONS but is called with the macro ASM_ASSERTION.
There is also the indication to use ENABLE_ASSERTIONS but not
ASM_ASSERTION in the Makefile.
Signed-off-by: Matt Ma <matt.ma@spreadtrum.com>
There is an edge case where the cache maintaince done in
psci_do_cpu_off may not seen by some cores. This case is handled in
psci_cpu_on_start but it hasn't handled in psci_affinity_info.
Change-Id: I4d64f3d1ca9528e364aea8d04e2d254f201e1702
Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
Factor out SPE operations in a separate file. Use the publish
subscribe framework to drain the SPE buffers before entering secure
world. Additionally, enable SPE before entering normal world.
A side effect of this change is that the profiling buffers are now
only drained when a transition from normal world to secure world
happens. Previously they were drained also on return from secure
world, which is unnecessary as SPE is not supported in S-EL1.
Change-Id: I17582c689b4b525770dbb6db098b3a0b5777b70a
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>
Factor out extension enabling to a separate function that is called
before exiting from EL3 for first entry into Non-secure world.
Change-Id: Ic21401ebba531134d08643c0a1ca9de0fc590a1b
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>
If an implementation of ARMv8.2 includes ARMv8.2-LPA, the value 0b0110
is permitted in ID_AA64MMFR0_EL1.PARange, which means that the Physical
Address range supported is 52 bits (4 PiB). It is a reserved value
otherwise.
Change-Id: Ie0147218e9650aa09f0034a9ee03c1cca8db908a
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
The FPEXC32_EL2 register controls SIMD and FP functionality when the
lower ELs are executing in AArch32 mode. It is architecturally mapped
to AArch32 system register FPEXC.
This patch removes FPEXC32_EL2 register from the System Register context
and adds it to the floating-point context. EL3 only saves / restores the
floating-point context if the build option CTX_INCLUDE_FPREGS is set to 1.
The rationale for this change is that if the Secure world is using FP
functionality and EL3 is not managing the FP context, then the Secure
world will save / restore the appropriate FP registers.
NOTE - this is a break in behaviour in the unlikely case that
CTX_INCLUDE_FPREGS is set to 0 and the platform contains an AArch32
Secure Payload that modifies FPEXC, but does not save and restore
this register
Change-Id: Iab80abcbfe302752d52b323b4abcc334b585c184
Signed-off-by: David Cunado <david.cunado@arm.com>
This function can be useful to setup TCR_ELx by callers that don't use
the translation tables library to setup the system registers related
to them. By making it common, it can be reused whenever it is needed
without duplicating code.
Change-Id: Ibfada9e846d2a6cd113b1925ac911bb27327d375
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
ARMv7-A architectures that do not support the Virtualization extensions
do not support instructions for the 32bit division. This change provides
a software implementation for 32bit division.
The division implementation is dumped from the OP-TEE project
http://github.com/OP-TEE/optee_os. The code was slightly modified
to pass trusted firmware checkpatch requirements and copyright is
given to the ARM trusted firmware initiative and its contributors.
Change-Id: Idae0c7b80a0d75eac9bd41ae121921d4c5af3fa3
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
If ARMv7 based platform does not set ARM_CORTEX_Ax=yes, platform
shall define ARMV7_SUPPORTS_GENERIC_TIMER to enable generic timer
support.
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
ARCH_SUPPORTS_LARGE_PAGE_ADDRESSING allows build environment to
handle specific case when target ARMv7 core only supports 32bit MMU
descriptor mode.
If ARMv7 based platform does not set ARM_CORTEX_Ax=yes, platform
shall define ARMV7_SUPPORTS_LARGE_PAGE_ADDRESSING to enable
large page addressing support.
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
As Cortex-A9 needs to manually enable program flow prediction,
do not reset SCTLR[Z] at entry. Platform should enable it only
once MMU is enabled.
Change-Id: I34e1ee2da73221903f7767f23bc6fc10ad01e3de
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
This patch includes various fixes for PSCI STAT functionality
relating to timestamp collection:
1. The PSCI stat accounting for retention states for higher level
power domains were done outside the locks which could lead to
spurious values in some race conditions. This is moved inside
the locks. Also, the call to start the stat accounting was redundant
which is now removed.
2. The timestamp wrap-around case when calculating residency did
not cater for AArch32. This is now fixed.
3. In the warm boot path, `plat_psci_stat_accounting_stop()` was
getting invoked prior to population of target power states. This
is now corrected.
Change-Id: I851526455304fb74ff0a724f4d5318cd89e19589
Signed-off-by: Soby Mathew <soby.mathew@arm.com>
Add events that trigger before entry to normal/secure world. The
events trigger after the normal/secure context has been restored.
Similarly add events that trigger after leaving normal/secure world.
The events trigger after the normal/secure context has been saved.
Change-Id: I1b48a7ea005d56b1f25e2b5313d77e67d2f02bc5
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>
This allows other EL3 components to subscribe to CPU on events.
Update Firmware Design guide to list psci_cpu_on_finish as an available
event.
Change-Id: Ida774afe0f9cdce4021933fcc33a9527ba7aaae2
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
Antonio Nino Diaz
Soby Mathew
Andrew F. Davis
Jeenu Viswambharan
ldts
Daniel Boulby
Roberto Vargas
Varun Wadekar
Dimitris Papastamos
Julius Werner
nathan-menhorn
John Tsichritzis
Sughosh Ganu
Joel Hutton
Yann Gautier
Isla Mitchell
danh-arm
Jonathan Wright
davidcunado-arm
Sandrine Bailleux
Victor Chong
Etienne Carriere
Masahiro Yamada
Manoj Kumar
Matt Ma