A Secure Partition is a software execution environment instantiated in
S-EL0 that can be used to implement simple management and security
services. Since S-EL0 is an unprivileged exception level, a Secure
Partition relies on privileged firmware e.g. ARM Trusted Firmware to be
granted access to system and processor resources. Essentially, it is a
software sandbox that runs under the control of privileged software in
the Secure World and accesses the following system resources:
- Memory and device regions in the system address map.
- PE system registers.
- A range of asynchronous exceptions e.g. interrupts.
- A range of synchronous exceptions e.g. SMC function identifiers.
A Secure Partition enables privileged firmware to implement only the
absolutely essential secure services in EL3 and instantiate the rest in
a partition. Since the partition executes in S-EL0, its implementation
cannot be overly complex.
The component in ARM Trusted Firmware responsible for managing a Secure
Partition is called the Secure Partition Manager (SPM). The SPM is
responsible for the following:
- Validating and allocating resources requested by a Secure Partition.
- Implementing a well defined interface that is used for initialising a
Secure Partition.
- Implementing a well defined interface that is used by the normal world
and other secure services for accessing the services exported by a
Secure Partition.
- Implementing a well defined interface that is used by a Secure
Partition to fulfil service requests.
- Instantiating the software execution environment required by a Secure
Partition to fulfil a service request.
Change-Id: I6f7862d6bba8732db5b73f54e789d717a35e802f
Co-authored-by: Douglas Raillard <douglas.raillard@arm.com>
Co-authored-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
Co-authored-by: Achin Gupta <achin.gupta@arm.com>
Co-authored-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
This function can be useful to setup TCR_ELx by callers that don't use
the translation tables library to setup the system registers related
to them. By making it common, it can be reused whenever it is needed
without duplicating code.
Change-Id: Ibfada9e846d2a6cd113b1925ac911bb27327d375
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
A line in the upstream SPDs is only compiled in in `DEBUG` builds. This
line is used to help with assertions and so assertion failures can
happen in release builds with assertions enabled. Use
`ENABLE_ASSERTIONS` instead of `DEBUG`.
This bug was introduced in commit aa61368eb5, which introduced the build
option `ENABLE_ASSERTIONS`.
Change-Id: I7977df9c89c68677b00099b2a1926fa3cb0937c6
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Registered interrupts are configured in edge detection as the default
previous configuration assumed in previous code.
Not target mask required as Qemu BL31 will not send/route SGIs.
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Change sizeof call so it references a static type instead of return of
a function in order to be MISRA compliant.
Change-Id: I6f1adb206073d6cd200156e281b8d76249e3af0e
Signed-off-by: Joel Hutton <joel.hutton@arm.com>
Add events that trigger before entry to normal/secure world. The
events trigger after the normal/secure context has been restored.
Similarly add events that trigger after leaving normal/secure world.
The events trigger after the normal/secure context has been saved.
Change-Id: I1b48a7ea005d56b1f25e2b5313d77e67d2f02bc5
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>
FWU uses additional images that have to be loaded,
and this patch adds the documentation of how to do
it in FVP and Juno.
Change-Id: I1a40641c11c5a4c8db0aadeaeb2bec30c9279e28
Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
OP-TEE dedicates the end of the Qemu secure DRAM as specific out-of-TEE
secure RAM. To support this configuration the trusted firmware should
not load OP-TEE resources in this area.
To overcome the issue, OP-TEE pageable image is now loaded 2MByte above
the secure RAM base address.
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
This patch adds support for TBB to qemu. An RSA ROT keypair is generated at
build time and is included into BL1/BL2. The key and content certificates
are read over semihosting.
FixesARM-software/tf-issues#526
Signed-off-by: Michalis Pappas <mpappas@fastmail.fm>
For Trusted Board Boot, BL2 needs more space to support the ECDSA
and ECDSA+RSA algorithms.
Change-Id: Ie7eda9a1315ce836dbc6d18d6588f8d17891a92d
Signed-off-by: Qixiang Xu <qixiang.xu@arm.com>
On Arm standard platforms, it runs out of SRAM space when TBB is
enabled, so the TSP default location is changed to dram when TBB
is enabled.
Change-Id: I516687013ad436ef454d2055d4e6fce06e467044
Signed-off-by: Qixiang Xu <qixiang.xu@arm.com>
These hooks are intended to allow one platform to try load
images from alternative places. There is a hook to initialize
the sequence of boot locations and a hook to pass to the next
sequence.
Change-Id: Ia0f84c415208dc4fa4f9d060d58476db23efa5b2
Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
Before this change, plat_secondary_cold_boot_setup reads wake up mailbox
as a byte array but through 64bit accesses on unaligned 64bit addresses.
In the other hand qemu_pwr_domain_on wakes secondary cores by writing
into a 64bit array.
This change forces the 64bit mailbox format as PLAT_QEMU_HOLD_ENTRY_SIZE
explicitly specifies it.
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
This allows other EL3 components to subscribe to CPU on events.
Update Firmware Design guide to list psci_cpu_on_finish as an available
event.
Change-Id: Ida774afe0f9cdce4021933fcc33a9527ba7aaae2
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
This light-weight framework enables some EL3 components to publish
events which other EL3 components can subscribe to. Publisher can
optionally pass opaque data for subscribers. The order in which
subscribers are called is not defined.
Firmware design updated.
Change-Id: I24a3a70b2b1dedcb1f73cf48313818aebf75ebb6
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
Trusted Firmware has been tested as part of its CI system against Cortex
and Foundation models in the 11.1 Model release available on
developer.arm.com. Trusted Firmware has also been tested against the
v8.7 AEM model. This patch updates the user guide documentation to
reflect the version of the Foundation, AEM and Cortex Models that
Trusted Firmware has been tested against.
Change-Id: Ia0f51469032427b6056567d151bf8144a7cf0e42
Signed-off-by: Eleanor Bonnici <Eleanor.bonnici@arm.com>
This is not executable code. It should be put into .rodata instead
of .text section.
This produces more correct BL1 image when SEPARATE_CODE_AND_RODATA is
defined.
Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
Init EDMA controller with non secure mode. A lot of peripherals are
depend on EDMA controller. But EDMA controller is in secure mode
by default. And this operation has to be executed in secure mode.
Signed-off-by: Haojian Zhuang <haojian.zhuang@linaro.org>
Updates are required to enable the fiptool utility to be built on a
Windows platform. This change modifies the source files to enable
building with Visual Studio (detected via preprocessor settings).
The primary changes are:
1. Provide an implementation of the getopt_long function. This does
not exist in the Visual Studio CRT libraries because Windows
commands normally use '/' not '-' as an option indicator.
2. Redirect some function names to match those supported by the
Visual Studio libraries (when building with Visual Studio).
2. Modify a structure name (stat) to match that provided
by the Visual Studio libraries (_stat).
Note - this change does not provide makefile updates. It only modifies
the sources to enable the fiptool to be built from a Visual
Studio project. In normal use the presence of FIPTOOL.EXE is
enough to satisfy the make requirements. A makefile change may
be derived from the Visual Studio command line information at
some point in the future.
Change-Id: I3ade77ea140246af3c030920b3f97c070087f111
Signed-off-by: Evan Lloyd <evan.lloyd@arm.com>
The implementation is the same as those used to disable it in EL3.
Change-Id: Ibfe7e69034a691fbf57477c5a76a8cdca28f6b26
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
This patch introduces a new API in the translation tables library
(v2), that allows to change the memory attributes of a memory
region. It may be used to change its execution permissions and
data access permissions.
As a prerequisite, the memory must be already mapped. Moreover, it
must be mapped at the finest granularity (currently 4 KB).
Change-Id: I242a8c6f0f3ef2b0a81a61e28706540462faca3c
Co-authored-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
Co-authored-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
This patch introduces a new API in the translation tables library
(v2), that allows to query the memory attributes of a memory block
or a memory page.
Change-Id: I45a8b39a53da39e7617cbac4bff5658dc1b20a11
Co-authored-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
Co-authored-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Previously, in AArch32, `IMAGE_XLAT_DEFAULT_REGIME` wasn't defined. The
translation regime is only used in the AArch64 port of the translation
tables library v2, so this is not a problem for now, but future patches
will use it.
`IMAGE_EL` isn't used in AArch32, so it isn't needed to define it.
Change-Id: I4acdb01a58658956ab94bd82ed5b7fee1aa6ba90
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
The GIC driver initialization currently allows an array of interrupts to
be configured as secure. Future use cases would require more interrupt
configuration other than just security, such as priority.
This patch introduces a new interrupt property array as part of both
GICv2 and GICv3 driver data. The platform can populate the array with
interrupt numbers and respective properties. The corresponding driver
initialization iterates through the array, and applies interrupt
configuration as required.
This capability, and the current way of supplying array (or arrays, in
case of GICv3) of secure interrupts, are however mutually exclusive.
Henceforth, the platform should supply either:
- A list of interrupts to be mapped as secure (the current way).
Platforms that do this will continue working as they were. With this
patch, this scheme is deprecated.
- A list of interrupt properties (properties include interrupt group).
Individual interrupt properties are specified via. descriptors of
type 'interrupt_prop_desc_t', which can be populated with the macro
INTR_PROP_DESC().
A run time assert checks that the platform doesn't specify both.
Henceforth the old scheme of providing list of secure interrupts is
deprecated. When built with ERROR_DEPRECATED=1, GIC drivers will require
that the interrupt properties are supplied instead of an array of secure
interrupts.
Add a section to firmware design about configuring secure interrupts.
FixesARM-software/tf-issues#262
Change-Id: I8eec29e72eb69dbb6bce77879febf32c95376942
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>