The BLE is the pre-TF-A boot stage required by Marvell Armada
BootROM for bringing up DRAM and allow the boot image copy to it.
Since this is not a standard boot level and only uses the TF-A
as a build environment, it was introduced out of source tree.
However it turns out that such remote location introduces additional
complexity to the upstream TF-A build process.
In order to simplify the build environment the BLE source folder
is relocated from the external repository to A8K platform directory.
The build documentation is updated accordingly.
Signed-off-by: Konstantin Porotchkin <kostap@marvell.com>
Map the initialization code for BL31 to overlap with the memory
required for the secondary cores stack. Once BL31 has been
initialized the memory can be remapped to RW data so that it can
be used for secondary cores stacks. By moving code from .text to
.text.init the size of the BL31 image is decreased by a page.
Split arm_common.ld.S into two linker scripts, one for tzc_dram
(arm_tzc_dram.ld.S) and one for reclaiming initialization code
(arm_reclaim_init.ld.S) so that platforms can chose which memory
regions they wish to include.
Change-Id: I648e88f3eda1aa71765744cf34343ecda9320b32
Signed-off-by: Daniel Boulby <daniel.boulby@arm.com>
Mark the GICv3, CCI and CCN code only used in Bl31 initialization
with __init to be reclaimed once no longer needed.
Change-Id: I3d77f36758450d9d1d87ecc60bc1c63fe4082667
Signed-off-by: Daniel Boulby <daniel.boulby@arm.com>
Mark the initialization functions found in the BL31 boot sequence
as __init so they can be reclaimed when no longer needed.
Change-Id: I687a89346419c7710ef5097feaa325d83c527697
Signed-off-by: Daniel Boulby <daniel.boulby@arm.com>
Remove ARM_MAP_BL_ROMLIB memory region macro as it is now split
into two regions for code and data
Change-Id: Ic17b5b584933c196db29fe83051d7e0a8e92911c
Signed-off-by: Daniel Boulby <daniel.boulby@arm.com>
- Fix build issue
- Add initial memory parameters descriptors for BL2
- Migrate to image load V2
Basic build and run test passed on MacchiatoBin board.
Need to fix the service CPU (CM3) image load procesure and test
OPTEE functionality, which probably will require additional work.
Signed-off-by: Konstantin Porotchkin <kostap@marvell.com>
This option makes it hard to optimize the memory definitions of all Arm
platforms because any change in the common defines must work in all of
them. The best thing to do is to remove it and move the definition to
each platform's header.
FVP, SGI and SGM were using the definitions in board_arm_def.h. The
definitions have been copied to each platform's platform_def.h. Juno
was already using the ones in platform_def.h, so there have been no
changes.
Change-Id: I9aecd11bbc72a3d0d7aad1ef9934d8df21dcfaf2
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
- Migrate to new GIC interfaces.
- Migrate to bl31_early_platform_setup2().
- Use bl31_warm_entrypoint() instead of psci_entrypoint().
- Use PLAT_VIRT_ADDR_SPACE_SIZE and PLAT_PHY_ADDR_SPACE_SIZE.
- Update Makefile paths.
- Remove references to removed build options.
- Use private definition of bl31_params_t.
Change-Id: I860341594b5c868b2fcaa59d23957ee718472ef1
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
- Migrate to bl31_early_platform_setup2().
- Remove references to removed build options.
- Replace zeromem16() by zeromem().
- Use private definition of bl31_params_t.
This is an incomplete migration, the platform doesn't currently compile.
Change-Id: I67fbf2206678be80c3a16692024221a131cec42f
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
- mt6795: Migrate to new GIC interfaces.
- Remove support for PSCI platform compatibility layer.
- Migrate to bl31_early_platform_setup2().
- Migrate from cm_init_context() to cm_init_my_context().
- Use PLAT_VIRT_ADDR_SPACE_SIZE and PLAT_PHY_ADDR_SPACE_SIZE.
- Update Makefile paths.
- Use private definition of bl31_params_t.
This is an incomplete migration, mt6795 doesn't currently compile.
Change-Id: Icf9307637066cd6f2166524715e4f117f5ce2350
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
- Migrate to bl2_early_platform_setup2().
- Remove references to removed build options.
- Use private definition of bl31_params_t.
This is an incomplete migration, the platform doesn't currently compile.
Change-Id: I1ae477b1f2489f49b651528050fdf06e4a55e425
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
- Migrate to new GIC interfaces.
- Remove references to removed build options.
Change-Id: I6f90a33d5438a9d7b71be3f93e8d9da278c8c6e6
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
- Migrate to new GIC interfaces.
- Migrate to bl31_early_platform_setup2().
- Remove references to removed build options.
Change-Id: Ia7c63f75325ea4b41e32a9de3f01b0007d0ae210
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
- Migrate to bl31_early_platform_setup2().
- Remove references to removed build options.
Change-Id: Ie9f149e3fdec935f9329402ed3dd8e1c00b8832c
Acked-by: Andrew F. Davis <afd@ti.com>
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
- Remove references to removed build options.
- Remove support for legacy GIC driver.
- Remove support for LOAD_IMAGE_V2=0.
Change-Id: I72f8c05620bdf4a682765e6e53e2c04ca749a3d5
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
The affected interfaces are bl31_early_platform_setup(),
sp_min_early_platform_setup() and bl2_early_platform_setup().
Change-Id: I50c01ec68bcbe97fe4e5d101bcd0f763358b8e1e
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
The code of LOAD_IMAGE_V2=0 has been removed.
Change-Id: Iea03e5bebb90c66889bdb23f85c07d0c9717fffe
Co-authored-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Commit eba1b6b3c7 ("plat/poplar: migrate to mmc framework") defines
variable 'info' without !POPLAR_RECOVERY protection, and hence causes
the following unused variable error with POPLAR_RECOVERY=1 build.
plat/hisilicon/poplar/bl1_plat_setup.c: In function ‘bl1_platform_setup’:
plat/hisilicon/poplar/bl1_plat_setup.c:95:25: error: unused variable ‘info’ [-Werror=unused-variable]
struct mmc_device_info info;
^~~~
The patches fixes the build error with POPLAR_RECOVERY=1.
Signed-off-by: Shawn Guo <shawn.guo@linaro.org>
Fixed a Coverity defect by adding a runtime check to avoid potential
NULL pointer dereference.
Change-Id: I9a0aa0efd27334131ac835b43348658b436c657d
Signed-off-by: John Tsichritzis <john.tsichritzis@arm.com>
For sgm775 the SCP_BL2 build in debug mode is around 94KiB which
is higher than the maximum size for SCP_BL2.
This patch increase the maximum allowed size for SCP_BL2 to
96KiB.
Change-Id: Ibca0daadba41429301c651ae21cbba87e45ccddf
Signed-off-by: Elieva Pignat <Elieva.Pignat@arm.com>
Ensure case clauses:
* Terminate with an unconditional break, return or goto statement.
* Use conditional break, return or goto statements as long as the end
of the case clause is unreachable; such case clauses must terminate
with assert(0) /* Unreachable */ or an unconditional __dead2 function
call
* Only fallthough when doing otherwise would result in less
readable/maintainable code; such case clauses must terminate with a
/* Fallthrough */ comment to make it clear this is the case and
indicate that a fallthrough is intended.
This reduces the chance of bugs appearing due to unintended flow through a
switch statement
Change-Id: I70fc2d1f4fd679042397dec12fd1982976646168
Signed-off-by: Daniel Boulby <daniel.boulby@arm.com>
Set MULTI_CONSOLE_API=1 for both AArch64 and AArch32 by default.
MULTI_CONSOLE_API=0 is still supported, but it has to be set from the
command line.
Change-Id: I4eeaa8e243a3fe93ed8a716e502666a26ad28f35
Signed-off-by: Daniel Boulby <daniel.boulby@arm.com>
Allow AArch32 to use the multi console driver by adding the
required functions
Change-Id: I9e69f18965f320074cf75442d6b0de891aef7936
Signed-off-by: Daniel Boulby <daniel.boulby@arm.com>
At the moment we have two I2C stub drivers (for the Allwinner and the
Marvell platform), which #include the actual .c driver file.
Change this into the more usual design, by renaming and moving the stub
drivers into platform specific header files and including these from the
actual driver file. The platform specific include directories make sure
the driver picks up the right header automatically.
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
The patch d323af9 removed the support for coherent memory in BL1 and
BL2 for ARM platforms. But the CryptoCell SBROM integration depends
on use of coherent buffers for passing data from the AP CPU to the
CryptoCell. Hence this patch reintroduces support for coherent
memory in BL1 and BL2 if ARM_CRYPTOCELL_INTEG=1.
Change-Id: I011482dda7f7a3ec9e3e79bfb3f4fa03796f7e02
Signed-Off-by: Soby Mathew <soby.mathew@arm.com>
Even though we initialise the platform part and the I2C controller
itself at boot time, we actually only access the bus on power down.
Meanwhile a rich OS might have configured the I2C pins differently or
even disabled the controller.
So repeat the platform setup and controller initialisation just before
we actually access the bus to power off the system. This is safe,
because at this point the rich OS should no longer be running.
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
Drop the unnecessary check for the I2C pins being already configured as
I2C pins (we actually don't care).
Also avoid resetting *every* peripheral that is covered by the PRCM reset
controller, instead just clear the one line connected to the I2C controller.
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
This patch fixes an array overrun in CSS scmi driver if the
system power domain level is less than 2. This was reported from
https://scan.coverity.com/projects/arm-software-arm-trusted-firmware
CID 308492
Change-Id: I3a59c700490816718d20c71141281f19b2b7e7f7
Signed-off-by: Soby Mathew <soby.mathew@arm.com>
This patch adds experimental support for TBB to the HiKey960 board. To
build and test with TBB modify the uefi-tools project platforms.config
+ATF_BUILDFLAGS=TRUSTED_BOARD_BOOT=1 GENERATE_COT=1 SAVE_KEYS=1 \
MBEDTLS_DIR=./mbedtls
Signed-off-by: Teddy Reed <teddy@casualhacking.io>
The AXP805 PMIC used with H6 is capable of shutting down the system.
Add support for using it to shut down the system power.
The original placeholder power off code is moved to A64 code, as it's
still TODO to implement PMIC operations for A64.
Signed-off-by: Icenowy Zheng <icenowy@aosc.io>
The OTT reference design of Allwinner H6 SoC uses an X-Powers AXP805
PMIC.
Add initial code for it.
Currently it's only detected.
Signed-off-by: Icenowy Zheng <icenowy@aosc.io>
As the ATF may need to do some power initialization on Allwinner
platform with AXP PMICs, call the PMIC setup code in BL31.
Stub of PMIC setup code is added, to prevent undefined reference.
Signed-off-by: Icenowy Zheng <icenowy@aosc.io>
The patch 7b56928 unified the FWU mechanism on FVP and Juno
platforms due to issues with MCC firmware not preserving the
NVFLAGS. With MCCv150 firmware, this issue is resolved. Also
writing to the NOR flash while executing from the same flash
in Bypass mode had some stability issues. Hence, since the
MCC firmware issue is resolved, this patch reverts to the
NVFLAGS mechanism to detect FWU. Also, with the introduction
of SDS (Shared Data Structure) by the SCP, the reset syndrome
needs to queried from the appropriate SDS field.
Change-Id: If9c08f1afaaa4fcf197f3186887068103855f554
Signed-off-by: Sathees Balya <sathees.balya@arm.com>
Signed-off-by: Soby Mathew <Soby.Mathew@arm.com>
Adds an undocumented build option that enables non-secure access to
the PL011 UART1.
This allows a custom build where the UART can be used as a serial debug
port for WinDbg (or other debugger) connection.
This option is not documented in the user guide, as it is provided as a
convenience for Windows debugging, and not intended for general use.
In particular, enabling non-secure access to the UART might allow
a denial of service attack!
Change-Id: I4cd7d59c2cac897cc654ab5e1188ff031114ed3c
Signed-off-by: Alexei Fedorov <Alexei.Fedorov@arm.com>
Signed-off-by: Evan Lloyd <evan.lloyd@arm.com>
A cache flush is added in BL1, in Mbed TLS shared heap code. Thus, we
ensure that the heap info written to the DTB always gets written back to
memory. Hence, sharing this info with other images is guaranteed.
Change-Id: I0faada31fe7a83854cd5e2cf277ba519e3f050d5
Signed-off-by: John Tsichritzis <john.tsichritzis@arm.com>
In Mbed TLS shared heap code, an additional sanity check is introduced
in BL2. Currently, when BL2 shares heap with BL1, it expects the heap
info to be found in the DTB. If for any reason the DTB is missing, BL2
cannot have the heap address and, hence, Mbed TLS cannot proceed. So,
BL2 cannot continue executing and it will eventually crash. With this
change we ensure that if the DTB is missing BL2 will panic() instead of
having an unpredictable crash.
Change-Id: I3045ae43e54b7fe53f23e7c2d4d00e3477b6a446
Signed-off-by: John Tsichritzis <john.tsichritzis@arm.com>
This patch, firstly, makes the error messages consistent to how printed
strings are usually formatted. Secondly, it removes an unnecessary #if
directive.
Change-Id: Idbb8ef0070562634766b683ac65f8160c9d109e6
Signed-off-by: John Tsichritzis <john.tsichritzis@arm.com>
The Marvell A8K SoCs use the MI2CV IP core from Mentor Graphics, which
is also used by Allwinner.
As Mentor Graphics allows a lot of customization, the MI2CV in the two
SoC families are not compatible, and driver modifications are needed.
Extract the common code to a MI2CV driver.
Signed-off-by: Icenowy Zheng <icenowy@aosc.io>
Previous changes in this series made the necessary driver additions and
updates. With those changes in-place we can add the platform.mk and
bl2_el3_setup.c to drive the boot process.
After this commit its possible to build a fully-functional TF-A for the
WaRP7 and boot from the BootROM to the Linux command prompt in secure or
non-secure mode.
Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
This patch adds a callback into the BootROM's provided High Assurance Boot
(HAB) failsafe function when panicking i.e. the call is done without making
use of stack.
The HAB failsafe function allows a piece of software to call into the
BootROM and place the processor into failsafe mode.
Failsafe mode is a special mode which presents a serial download protocol
interface over UART or USB at the time of writing.
If the board has been set into secure mode, then only a signed binary can
be used to recover the board.
Thus failsafe gives a putatively secure method of performing a secure
recovery over UART or USB.
Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Reviewed-by: Ryan Harkin <ryan.harkin@linaro.org>
This patch adds entries to the mem params array for
- BL32
- BL32_EXTRA1
- BL32_EXTRA2
- BL33
- HW_CONFIG_ID
BL32 is marked as bootable to indicate that OPTEE is the thing that should
be booted next.
In our model OPTEE chain-loads onto u-boot so only BL32 is bootable.
Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Signed-off-by: Rui Miguel Silva <rui.silva@linaro.org>
Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
This commit adds support for parsing a FIP pre-loaded by a previous
boot-phase such as u-boot or via ATF reading directly from eMMC.
[bod: squashing several patches from Rui, Jun and bod]
Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Signed-off-by: Jun Nie <jun.nie@linaro.org>
Signed-off-by: Rui Miguel Silva <rui.silva@linaro.org>
Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
In order to link even a basic image we need to declare
REGISTER_BL_IMAGE_DESCS. This patch declares an empty structure which is
passed to REGISTER_BL_IMAGE_DESCS(). Later patches will add in some
meaningful data.
Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
The watchdog block on the IMX is mercifully simple. This patch maps the
various registers and bits associated with the block.
We are mostly only really interested in the power-down-enable (PDE) bits in
the block for the purposes of ATF.
The i.MX7 Solo Applications Processor Reference Manual details the PDE bit
as follows:
"Power Down Enable bit. Reset value of this bit is 1, which means the power
down counter inside the WDOG is enabled after reset. The software must
write 0 to this bit to disable the counter within 16 seconds of reset
de-assertion. Once disabled this counter cannot be enabled again. See
Power-down counter event for operation of this counter."
This patch does that zero write in-lieu of later phases in the boot
no-longer have the necessary permissions to rewrite the PDE bit directly.
Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
This patch defines the most basic part of the CAAM and the only piece of
the CAAM silicon we are really interested in, in ATF, the CAAM control
structure.
The CAAM itself is a huge address space of some 32k, way out of scope for
the purpose we have in ATF.
This patch adds a simple CAAM init function that assigns ownership of the
CAAM job-rings to the non-secure MID with the ownership bit set to
non-secure.
This will allow later logic in the boot process such as OPTEE, u-boot and
Linux to assign job-rings as appropriate, restricting if necessary but
leaving open the main functionality of the CAAM to the Linux NS runtime.
Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
The QEMU platform has only been used with LOAD_IMAGE_V2=1 for some time
now and bit rot has occurred for LOAD_IMAGE_V2=0. To ease the
maintenance make LOAD_IMAGE_V2=1 mandatory and remove the platform
specific code for LOAD_IMAGE_V2=0.
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Enable ARM_XLAT_TABLES_LIB_V1 as ZynqMP is using
v1 library of translation tables.
With upstream patch d323af9e3d,
the usage of MAP_REGION_FLAT is referring to definition in file
include/lib/xlat_tables/xlat_tables_v2.h but while preparing
xlat tables in lib/xlat_tables/xlat_tables_common.c it is referring
to include/lib/xlat_tables/xlat_tables.h which is v1 xlat tables.
Also, ZynqMP was using v1 so defined ARM_XLAT_TABLES_LIB_V1 to
use v1 xlat tables everywhere.
This fixes the issue of xlat tables failures as it takes v2
library mmap_region structure in some files and v1 in other
files.
Signed-off-by: Siva Durga Prasad Paladugu <siva.durga.paladugu@xilinx.com>
The High Assurance Boot or HAB is an on-chip method of providing a
root-of-trust from the reset vector to subsequent stages in the bootup
flow of the Cortex-A7 on the i.MX series of processors.
This patch adds a simple header file with pointer offsets of the provided
set of HAH API callbacks in the BootROM.
The relative offset of the function pointers is a constant and known
quantum, a software-contract between NXP and an implementation which is
defined in the NXP HAB documentation.
All we need is the correct base offset and then we can map the set of
function pointers relative to that offset.
imx_hab_arch.h provides the correct offset and the imx_hab.h hooks the
offset to the pre-determined callbacks.
Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Reviewed-by: Ryan Harkin <ryan.harkin@linaro.org>
In order to enable compile time differences in HAB interaction, we should
split out the definition of the base address of the HAB API.
Some version of the i.MX series have different offsets from the BootROM
base for the HAB callback table.
This patch defines the header into which we will define the i.MX7 specific
offset. The offset of the i.MX7 function-callback table is simultaneously
defined.
Once done, we can latch a set of common function pointer locations from the
offset given here and if necessary change the offset for different
processors without any other code-change.
For now all we support is i.MX7 so the only offset being defined is that
for the i.MX7.
Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Reviewed-by: Ryan Harkin <ryan.harkin@linaro.org>
This patch adds snvs.c with a imx_snvs_init() function.
imx_snvs_init() sets up permissions of the RTC via the SNVS HPCOMR.
During previous work with OPTEE on the i.MX7 part we discovered that prior
to switching from secure-world to normal-world it is required to apply more
permissive permissions than are defaulted to in order for Linux to be able
to access the RTC and CAAM functionality in general.
This patch pertains to fixing the RTC permissions by way of the
HPCOMR.NPSWA_EN bit.
Once set non-privileged code aka Linux-kernel code has permissions to
access the SNVS where the RTC resides.
Perform that permissions fix in imx_snvs_init() now, with a later patch making
the call from our platform setup code.
Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
This commit defines two things.
- The basic SNVS memory map. At the moment that is total overkill for the
permission bits we need to set inside the SNVS but, for the sake of
completeness define the whole SNVS area as a struct.
- The bits of the HPCOMR register
A permission fix will need to be applied to the SNVS block prior to
switching on TrustZone. All we need to do is waggle a bit in the HPCOMR
register. To do that waggle we first need to define the bits of the
HPCOMR register.
- A imx_snvs_init() function definition
Declare the snvs_init() function so that it can be called from our
platform setup code.
Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
This patch adds an initial AHB-to-IP TrustZone (AIPS-TZ) initialization
routine. Setting up the AIPSTZ controller is required to inform the SoC
interconnect fabric which bus-masters can read/write and if the read/writes
are buffered.
For our purposes the initial configuration is for everything to be open. We
can lock-down later on as necessary.
Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
This patch defines:
- The full range of IO-mux register offsets relative to the base address of
the IO-mux block base address.
- The bits for muxing the UART1 TX/RX lines.
- The bits for muxing the UART6 TX/RX lines.
- The pad control pad bits for the UART
Two functions are provided to configure pad muxes:
- void io_muxc_set_pad_alt_function(pad_mux_offset, alt_function)
Takes a pad_mux_offset and sets the alt_function bit-mask supplied.
This will have the effect of switching the pad into one of its defined
peripheral functions. These peripheral function modes are defined in the
NXP documentation and need to be referred to in order to correctly
configure a new alternative-function.
- void io_muxc_set_pad_features(pad_feature_offset, pad_features)
Takes a pad_feature_offset and applies a pad_features bit-mask to the
indicated pad.
This function allows the setting of PAD drive-strength, pull-up values,
hysteresis glitch filters and slew-rate settings.
Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
This patch adds an internal UART init routine that gets called from the
external facing clock init function.
In the first pass this call does an explicit disable of all UART
clock-gates. Later changes will enable only the UART clock-gates we care
about.
Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>