Attempts to address MISRA compliance issues in BL1, BL2, and BL31 code.
Mainly issues like not using boolean expressions in conditionals,
conflicting variable names, ignoring return values without (void), adding
explicit casts, etc.
Change-Id: If1fa18ab621b9c374db73fa6eaa6f6e5e55c146a
Signed-off-by: John Powell <john.powell@arm.com>
This patch provides a fix for incorrect crash dump data for
lower EL when TF-A is built with HANDLE_EA_EL3_FIRST=1 option
which enables routing of External Aborts and SErrors to EL3.
Change-Id: I9d5e6775e6aad21db5b78362da6c3a3d897df977
Signed-off-by: Alexei Fedorov <Alexei.Fedorov@arm.com>
This patch adds EL2 registers that are supported up to ARMv8.6.
ARM_ARCH_MINOR has to specified to enable save/restore routine.
Note: Following registers are still not covered in save/restore.
* AMEVCNTVOFF0<n>_EL2
* AMEVCNTVOFF1<n>_EL2
* ICH_AP0R<n>_EL2
* ICH_AP1R<n>_EL2
* ICH_LR<n>_EL2
Change-Id: I4813f3243e56e21cb297b31ef549a4b38d4876e1
Signed-off-by: Max Shvetsov <maksims.svecovs@arm.com>
NOTE: Not all EL-2 system registers are saved/restored.
This subset includes registers recognized by ARMv8.0
Change-Id: I9993c7d78d8f5f8e72d1c6c8d6fd871283aa3ce0
Signed-off-by: Jose Marinho <jose.marinho@arm.com>
Signed-off-by: Olivier Deprez <olivier.deprez@arm.com>
Signed-off-by: Artsem Artsemenka <artsem.artsemenka@arm.com>
Signed-off-by: Max Shvetsov <maksims.svecovs@arm.com>
This patch modifies the delay timer driver to switch to the ARM
secure physical timer instead of using Tegra's on-chip uS timer.
The secure timer is not accessible to the NS world and so eliminates
an important attack vector, where the Tegra timer source gets switched
off from the NS world leading to a DoS attack for the trusted world.
This timer is shared with the S-EL1 layer for now, but later patches
will mark it as exclusive to the EL3 exception mode.
Change-Id: I2c00f8cb4c48b25578971c626c314603906ad7cc
Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>
Check that entry point information requesting S-EL2
has AArch64 as an execution state during context setup.
Signed-off-by: Artsem Artsemenka <artsem.artsemenka@arm.com>
Change-Id: I447263692fed6e55c1b076913e6eb73b1ea735b7
This patch adds support for enabling S-EL2 if this EL is specified in the entry
point information being used to initialise a secure context. It is the caller's
responsibility to check if S-EL2 is available on the system before requesting
this EL through the entry point information.
Signed-off-by: Achin Gupta <achin.gupta@arm.com>
Change-Id: I2752964f078ab528b2e80de71c7d2f35e60569e1
This patch adds support for the Undefined Behaviour sanitizer. There are
two types of support offered - minimalistic trapping support which
essentially immediately crashes on undefined behaviour and full support
with full debug messages.
The full support relies on ubsan.c which has been adapted from code used
by OPTEE.
Change-Id: I417c810f4fc43dcb56db6a6a555bfd0b38440727
Signed-off-by: Justin Chadwell <justin.chadwell@arm.com>
This patch adds support for the new Memory Tagging Extension arriving in
ARMv8.5. MTE support is now enabled by default on systems that support
at EL0. To enable it at ELx for both the non-secure and the secure
world, the compiler flag CTX_INCLUDE_MTE_REGS includes register saving
and restoring when necessary in order to prevent register leakage
between the worlds.
Change-Id: I2d4ea993d6b11654ea0d4757d00ca20d23acf36c
Signed-off-by: Justin Chadwell <justin.chadwell@arm.com>
This patch fixes an issue when secure world timing information
can be leaked because Secure Cycle Counter is not disabled.
For ARMv8.5 the counter gets disabled by setting MDCR_El3.SCCD
bit on CPU cold/warm boot.
For the earlier architectures PMCR_EL0 register is saved/restored
on secure world entry/exit from/to Non-secure state, and cycle
counting gets disabled by setting PMCR_EL0.DP bit.
'include\aarch64\arch.h' header file was tided up and new
ARMv8.5-PMU related definitions were added.
Change-Id: I6f56db6bc77504634a352388990ad925a69ebbfa
Signed-off-by: Alexei Fedorov <Alexei.Fedorov@arm.com>
This patch fixes FVP_Base_AEMv8A model hang issue with
ARMv8.4+ with cache modelling enabled configuration.
Incorrect L1 cache flush operation to PoU, using CLIDR_EL1
LoUIS field, which is required by the architecture to be
zero for ARMv8.4-A with ARMv8.4-S2FWB feature is replaced
with L1 to L2 and L2 to L3 (if L3 is present) cache flushes.
FVP_Base_AEMv8A model can be configured with L3 enabled by
setting `cluster0.l3cache-size` and `cluster1.l3cache-size`
to non-zero values, and presence of L3 is checked in
`aem_generic_core_pwr_dwn` function by reading
CLIDR_EL1.Ctype3 field value.
Change-Id: If3de3d4eb5ed409e5b4ccdbc2fe6d5a01894a9af
Signed-off-by: Alexei Fedorov <Alexei.Fedorov@arm.com>
This patch introduces an additional precautionary step to further
enhance protection against variant 4. During the context initialisation
before we enter the various BL stages, the SPSR.SSBS bit is explicitly
set to zero. As such, speculative loads/stores are by default disabled
for all BL stages when they start executing. Subsequently, each BL
stage, can choose to enable speculative loads/stores or keep them
disabled.
This change doesn't affect the initial execution context of BL33 which
is totally platform dependent and, thus, it is intentionally left up to
each platform to initialise.
For Arm platforms, SPSR.SSBS is set to zero for BL33 too. This means
that, for Arm platforms, all BL stages start with speculative
loads/stores disabled.
Change-Id: Ie47d39c391d3f20fc2852fc59dbd336f8cacdd6c
Signed-off-by: John Tsichritzis <john.tsichritzis@arm.com>
This patch enables MTE for Normal world if the CPU suppors it. Enabling
MTE for secure world will be done later.
Change-Id: I9ef64460beaba15e9a9c20ab02da4fb2208b6f7d
Signed-off-by: Soby Mathew <soby.mathew@arm.com>
This patch removes incorrect SCTLR_V_BIT definition and adds
definitions for ARMv8.3-Pauth EnIB, EnDA and EnDB bits.
Change-Id: I1384c0a01f56f3d945833464a827036252c75c2e
Signed-off-by: Alexei Fedorov <Alexei.Fedorov@arm.com>
Those defines are used in STM32MP1 clock driver.
It is better to put them altogether with already defined registers.
Change-Id: I6f8ad8c2477b947af6f76283a4ef5c40212d0027
Signed-off-by: Yann Gautier <yann.gautier@st.com>
This patch adds the functionality needed for platforms to provide
Branch Target Identification (BTI) extension, introduced to AArch64
in Armv8.5-A by adding BTI instruction used to mark valid targets
for indirect branches. The patch sets new GP bit [50] to the stage 1
Translation Table Block and Page entries to denote guarded EL3 code
pages which will cause processor to trap instructions in protected
pages trying to perform an indirect branch to any instruction other
than BTI.
BTI feature is selected by BRANCH_PROTECTION option which supersedes
the previous ENABLE_PAUTH used for Armv8.3-A Pointer Authentication
and is disabled by default. Enabling BTI requires compiler support
and was tested with GCC versions 9.0.0, 9.0.1 and 10.0.0.
The assembly macros and helpers are modified to accommodate the BTI
instruction.
This is an experimental feature.
Note. The previous ENABLE_PAUTH build option to enable PAuth in EL3
is now made as an internal flag and BRANCH_PROTECTION flag should be
used instead to enable Pointer Authentication.
Note. USE_LIBROM=1 option is currently not supported.
Change-Id: Ifaf4438609b16647dc79468b70cd1f47a623362e
Signed-off-by: Alexei Fedorov <Alexei.Fedorov@arm.com>
This gives each Secure Partition complete freedom on its address space.
Previously, the memory used by the exception vectors was reserved and
couldn't be used. Also, it always had to be mapped, forcing SPM to
generate translation tables that included the exception vectors as well
as the Partition memory regions. With this change, partitions can reduce
their address space size easily.
Change-Id: I67fb5e9bdf2870b73347f23bff702fab0a8f8711
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
This patch applies the new MSR instruction to directly set the
PSTATE.SSBS bit which controls speculative loads. This new instruction
is available at Neoverse N1 core so it's utilised.
Change-Id: Iee18a8b042c90fdb72d2b98f364dcfbb17510728
Signed-off-by: John Tsichritzis <john.tsichritzis@arm.com>
Complete the MPAM enablement in TF-A for lower ELs by enabling the EL2
traps in MPAMHCR_EL2 and MPAM2_EL2.This prevents an
MPAM-unaware-hypervisor to be restricted by an MPAM-aware-guest.
Change-Id: I47bf3f833fa22baa590f83d49cc0e3f2974e698d
Signed-off-by: Louis Mayencourt <louis.mayencourt@arm.com>
The workarounds for these errata are so closely related that it is
better to only have one patch to make it easier to understand.
Change-Id: I0287fa69aefa8b72f884833f6ed0e7775ca834e9
Signed-off-by: Ambroise Vincent <ambroise.vincent@arm.com>
ARMv8.3-PAuth adds functionality that supports address authentication of
the contents of a register before that register is used as the target of
an indirect branch, or as a load.
This feature is supported only in AArch64 state.
This feature is mandatory in ARMv8.3 implementations.
This feature adds several registers to EL1. A new option called
CTX_INCLUDE_PAUTH_REGS has been added to select if the TF needs to save
them during Non-secure <-> Secure world switches. This option must be
enabled if the hardware has the registers or the values will be leaked
during world switches.
To prevent leaks, this patch also disables pointer authentication in the
Secure world if CTX_INCLUDE_PAUTH_REGS is 0. Any attempt to use it will
be trapped in EL3.
Change-Id: I27beba9907b9a86c6df1d0c5bf6180c972830855
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Implicit Error Synchronization Barrier (IESB) might not be correctly
generated in Cortex-A75 r0p0. To prevent this, IESB are enabled at all
expection levels.
Change-Id: I2a1a568668a31e4f3f38d0fba1d632ad9939e5ad
Signed-off-by: Louis Mayencourt <louis.mayencourt@arm.com>
In a system with ARMv8.5-PMU implemented:
- If EL3 is using AArch32, setting MDCR_EL3.SCCD to 1 disables counting
in Secure state in PMCCNTR.
- If EL3 is using AArch64, setting SDCR.SCCD to 1 disables counting in
Secure state in PMCCNTR_EL0.
So far this effect has been achieved by setting PMCR_EL0.DP (in AArch64)
or PMCR.DP (in AArch32) to 1 instead, but this isn't considered secure
as any EL can change that value.
Change-Id: I82cbb3e48f2e5a55c44d9c4445683c5881ef1f6f
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
ARMv8.4-TTST (Small Translation tables) relaxes the lower limit on the
size of translation tables by increasing the maximum permitted value
of the T1SZ and T0SZ fields in TCR_EL1, TCR_EL2, TCR_EL3, VTCR_EL2 and
VSTCR_EL2.
This feature is supported in AArch64 state only.
This patch adds support for this feature to both versions of the
translation tables library. It also removes the static build time
checks for virtual address space size checks to runtime assertions.
Change-Id: I4e8cebc197ec1c2092dc7d307486616786e6c093
Signed-off-by: Sathees Balya <sathees.balya@arm.com>
ARMv8.2-TTCNP is mandatory from ARMv8.2 onwards, but it can be implemented
in CPUs that don't implement all mandatory 8.2 features (and so have to
claim to be a lower version).
This patch removes usage of the ARM_ARCH_AT_LEAST() macro and uses system
ID registers to detect whether it is needed to set the bit or not.
Change-Id: I7bcbf0c7c937590dfc2ca668cfd9267c50f7d52c
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Enforce full include path for includes. Deprecate old paths.
The following folders inside include/lib have been left unchanged:
- include/lib/cpus/${ARCH}
- include/lib/el3_runtime/${ARCH}
The reason for this change is that having a global namespace for
includes isn't a good idea. It defeats one of the advantages of having
folders and it introduces problems that are sometimes subtle (because
you may not know the header you are actually including if there are two
of them).
For example, this patch had to be created because two headers were
called the same way: e0ea0928d5 ("Fix gpio includes of mt8173 platform
to avoid collision."). More recently, this patch has had similar
problems: 46f9b2c3a2 ("drivers: add tzc380 support").
This problem was introduced in commit 4ecca33988 ("Move include and
source files to logical locations"). At that time, there weren't too
many headers so it wasn't a real issue. However, time has shown that
this creates problems.
Platforms that want to preserve the way they include headers may add the
removed paths to PLAT_INCLUDES, but this is discouraged.
Change-Id: I39dc53ed98f9e297a5966e723d1936d6ccf2fc8f
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
The architecture dependant header files in include/lib/${ARCH} and
include/common/${ARCH} have been moved to /include/arch/${ARCH}.
Change-Id: I96f30fdb80b191a51448ddf11b1d4a0624c03394
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
John Powell
Alexei Fedorov
Max Shvetsov
Varun Wadekar
Artsem Artsemenka
Achin Gupta
Soby Mathew
Justin Chadwell
Paul Beesley
John Tsichritzis
Yann Gautier
Antonio Nino Diaz
Louis Mayencourt
Ambroise Vincent
Sathees Balya