Improved support for W=2 compilation flag by solving some nested-extern
and sign-compare warnings.
The libraries are compiling with warnings (which turn into errors with
the Werror flag).
Outside of libraries, some warnings cannot be fixed.
Change-Id: I06b1923857f2a6a50e93d62d0274915b268cef05
Signed-off-by: Ambroise Vincent <ambroise.vincent@arm.com>
Improved support for W=1 compilation flag by solving missing-prototypes
and old-style-definition warnings.
The libraries are compiling with warnings (which turn into errors with
the Werror flag).
Outside of libraries, some warnings cannot be fixed without heavy
structural changes.
Change-Id: I1668cf99123ac4195c2a6a1d48945f7a64c67f16
Signed-off-by: Ambroise Vincent <ambroise.vincent@arm.com>
SSBS support is determined by checking ID_AA64PFR1_EL1 and not
ID_AA64PFR0_EL1.
FixesARM-Software/tf-issues#679
Change-Id: I8ecba13b850995ec6a6ede3c2a1e02e69a3a95db
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>
The GIC definitions used in this file have to be provided by the platform
but platform_def.h wasn't included.
Change-Id: I858cdf7e60c50577c8e798d64ec2cbc4f067f33b
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Since commit 01fc1c24b9 ("BL31: Use helper function to save registers
in SMC handler") all the general-purpose registers are saved when
entering EL3. It isn't needed to save them here.
Change-Id: Ic540a5441b89b70888da587ab8fc3b2508cef8cc
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Rather than letting the Trusty makefile set the option to enable dynamic
translation tables, make platforms do it themselves.
This also allows platforms to replace the implementation of the
translation tables library as long as they use the same function
prototypes.
Change-Id: Ia60904f61709ac323addcb57f7a83391d9e21cd0
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Commit 09d40e0e08 ("Sanitise includes across codebase") modified the
include paths of the TSP includes but it didn't remove the include path
from the makefile or did the same for TLK. This patch does the remaining
work.
Change-Id: Iecee2e88fabcd06989d35568c3a4c1f4e7d93572
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Instead of having a custom implementation of setjmp() and longjmp() it
is better to follow the C standard.
The comments in setjmp.h are no longer needed as there are no deviations
from the expected one, so they have been removed.
All SDEI code that relied on them has been fixed to use the new function
prototypes and structs.
Change-Id: I6cd2e21cb5a5bcf81ba12283f2e4c067bd5172ca
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Trusty requires dynamic translation tables support, so the makefile of
Trusty itself should request it. Not doing so causes platforms such as
FVP to fail to build with Trusty. Other platforms like Tegra still build
because they use dynamic translation tables by default.
Change-Id: Id67d3b9e1f7d0547fa81e81cefa3faf1e0e6f876
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
This patch dynamically maps the first page of trusty's code memory,
before accessing it to find out if we are running a 32-bit or 64-bit
image.
On Tegra platforms, this means we have to increase the mappings to
accomodate the new memmap entry.
Change-Id: If370d1e6cfcccd69b260134c1b462d8d17bee03d
Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>
During System Suspend, the entire system loses its state. To allow Trusty
to save/restore its context and allow its TAs to participate in the suspend
process, it needs to look at the max affinity level being suspended. This
patch passes the max affinity level to Trusty to enable to do so.
Change-Id: If7838dae10c3f5a694baedb15ec56fbad41f2b36
Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>
c_rt_ctx is used to store current SP before the system goes
into suspend. The assert for its value being zero is not
really necessary as the value gets over-written eventually.
This patch removes assert(tlk_ctx->c_rt_ctx == 0) from the
System Suspend path, as a result.
Change-Id: If41f15e74ebbbfd82958d8e179114899b2ffb0a7
Signed-off-by: Mihir Joshi <mihirj@nvidia.com>
This patch adds support to handle following TLK SMCs:
{TLK_SS_REGISTER_HANDLER, TLK_REGISTER_NS_DRAM_RANGES, TLK_SET_ROOT_OF_TRUST}
These SMCs need to be supported in ATF in order to forward them to
TLK. Otherwise, these functionalities won't work.
Brief:
TLK_SS_REGISTER_HANDLER: This SMC is issued by TLK Linux Driver to
set up secure storage buffers.
TLK_REGISTER_NS_DRAM_RANGES: Cboot performs this SMC during boot to
pass NS memory ranges to TLK.
TLK_SET_ROOT_OF_TRUST: Cboot performs this SMC during boot to pass
Verified Boot parameters to TLK.
Change-Id: I18af35f6dd6f510dfc22c1d1d1d07f643c7b82bc
Reviewed-on: https://git-master.nvidia.com/r/1643851
Signed-off-by: Mihir Joshi <mihirj@nvidia.com>
This reverts commit 2f37046524 ("Add support for the SMC Calling
Convention 2.0").
SMCCC v2.0 is no longer required for SPM, and won't be needed in the
future. Removing it makes the SMC handling code less complicated.
The SPM implementation based on SPCI and SPRT was using it, but it has
been adapted to SMCCC v1.0.
Change-Id: I36795b91857b2b9c00437cfbfed04b3c1627f578
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
When an unknown Trusty image is found, there's no point of still trying
to register the BL32 init handler. Instead, we just should bail out of
the trusty_setup() and allow the system to continue to boot.
Signed-off-by: David Lin <dtwlin@google.com>
Main Fixes:
Use int32_t replace int [Rule 4.6]
Added explicit casts (e.g. 0U) to integers in order for them to be
compatible with whatever operation they're used in [Rule 10.1]
Force operands of an operator to the same type category [Rule 10.4]
Fixed if statement conditional to be essentially boolean [Rule 14.4]
Voided non c-library functions whose return types are not used
[Rule 17.7]
Change-Id: I98caa330c371757eb2dfb9438448cb99115ed907
Signed-off-by: Anthony Zhou <anzhou@nvidia.com>
This implementation is no longer deprecated.
Change-Id: I68552d0fd5ba9f08fad4345e4657e8e3c5362a36
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
The SPM implementation based on MM is going to be kept for the
foreseeable future.
Change-Id: I11e96778a4f52a1aa803e7e048d9a7cb24a53954
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Acked-by: Sumit Garg <sumit.garg@linaro.org>
Registered init handlers return a boolean int, not a return code,
so convert the result from the SPM init call before returning it.
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Permit unaligned accesses while executing the secure partition
payload, so that we don't have to modify existing code that we
will host there. (The UEFI spec explicitly permits unaligned
accesses)
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Corrects typos in core code, documentation files, drivers, Arm
platforms and services.
None of the corrections affect code; changes are limited to comments
and other documentation.
Change-Id: I5c1027b06ef149864f315ccc0ea473e2a16bfd1d
Signed-off-by: Paul Beesley <paul.beesley@arm.com>
Expose the timer registers that are accessible at EL0 per the
architecture to the SPM payload running in secure EL0. Note
that this requires NS_TIMER_SWITCH to be enable for all users
of this code.
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Update some asserts that refer to #defines that only occur in
ARM platforms, preventing this code to be used on other platforms.
Instead, use a platform agnostic name, and update all the existing
users.
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Enforce full include path for includes. Deprecate old paths.
The following folders inside include/lib have been left unchanged:
- include/lib/cpus/${ARCH}
- include/lib/el3_runtime/${ARCH}
The reason for this change is that having a global namespace for
includes isn't a good idea. It defeats one of the advantages of having
folders and it introduces problems that are sometimes subtle (because
you may not know the header you are actually including if there are two
of them).
For example, this patch had to be created because two headers were
called the same way: e0ea0928d5 ("Fix gpio includes of mt8173 platform
to avoid collision."). More recently, this patch has had similar
problems: 46f9b2c3a2 ("drivers: add tzc380 support").
This problem was introduced in commit 4ecca33988 ("Move include and
source files to logical locations"). At that time, there weren't too
many headers so it wasn't a real issue. However, time has shown that
this creates problems.
Platforms that want to preserve the way they include headers may add the
removed paths to PLAT_INCLUDES, but this is discouraged.
Change-Id: I39dc53ed98f9e297a5966e723d1936d6ccf2fc8f
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Also, add a disclaimer to explain that the current implementation of SPM
is a prototype that is going to undergo a lot of rework.
Change-Id: I303c1e61c51d9f286cc599fea565fc9ba5a996bf
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
The old SMCs SP_MEMORY_ATTRIBUTES_{GET,SET}_AARCH64 have been removed in
favour of SPRT_MEMORY_PERM_ATTR_{GET,SET}_AARCH64.
Change-Id: Idb93cfa5461d0098df941037c5653f7c44b65227
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Note that the arguments passed during the SMC call don't comply with the
SPCI specifications. This will be fixed in following patches, but it is
needed to implement a few more SPCI SMCs to be able to do it. The
current code allows us to start testing it.
Change-Id: Ic13dcc54c40327df03be1b0f52e8a44f468f06b4
Co-authored-by: Jean-Paul Etienne <jean-paul.etienne@arm.com>
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
This buffer is where all the responses from Secure Partitions are stored
until they are requested.
Change-Id: Iafeb8f0848c5ff6f3e187060cd3a47702484dc45
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Blocking calls can only succeed if the target Secure Partition is idle.
Change-Id: Iabeaa0b8d3e653fd8581fa086758936abfc1c772
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Note that the arguments passed during the SMC call don't comply with the
SPCI specifications. This will be fixed in following patches, but it is
needed to implement a few more SPCI SMCs to be able to do it. The
current code allows us to start testing it.
Change-Id: Ief0e75d072b311737fcdb0c6a60ba5b7406a9ee5
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Introduce SMCs that open and close handles according to the SPCI
specification.
Change-Id: I65f365f15612e01aa445e783e96e48ae275c39fd
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Remove interfaces based on MM_COMMUNICATE.
Change-Id: I628c884b91d9f4758269ea2c4dedc37a66bb93cf
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
SPM needs to map a number of regions on behalf of the secure partition.
Previously, it used to get a list of them from platform code using the
plat_get_secure_partition_mmap() API. Now it gets them from the resource
description structure.
The SPM<->SP shared buffer is mapped dynamically at EL3. This buffer is
used to pass information between SPM and SP, so it must be mapped at EL3
as well in order to be used by SPM.
Dynamic translation tables have been enabled when the Trusted Firmware
is compiled with SPM support.
Change-Id: I64ad335e931661812a0a60558e60372e1e5e6b72
Co-authored-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Read entrypoint of the Secure Partition from the resource description
struct.
Change-Id: Ie693c7b4d4fecafd85b6934d9d8c4232efb1dc55
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Load SP and RD from package instead of relying on RD being already
loaded in memory and the SP being loaded as a BL32 image.
Change-Id: I18d4fbf4597656c6a7e878e1d7c01a8a324f3f8a
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
This information is retrieved from the resource description now.
Change-Id: Iaae23945eb2c45305cdc6442853e42f4e04fe094
Co-authored-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
This information is defined by the Secure Partition in the resource
description.
Change-Id: Ia7db90c5de8360a596106880d3f6a632a88d3ea8
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
The current SPM is a prototype that only supports one secure partition
in EL0. The objective of SPM is to have multiple partitions. The current
MM interface isn't adequate for this, so it is needed to modify heavily
the code to add proper support for it.
However, there are platforms which are already using this (like SGI) and
removing the code would break it. For this reason, the current SPM code
has been duplicated in order to temporarily preserve compatibility. All
new improvements/changes to SPM will be done in the non-deprecated copy,
that may change without notice.
The new build option SPM_DEPRECATED has been introduced to select the SPM
implementation. It defaults to 1, that selects the deprecated SPM.
Change-Id: Ic9f80b53b450e97b4d3f47e4ef4a138ee8d87443
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
The Armv8.5 extensions introduces PSTATE.SSBS (Speculation Store Bypass
Safe) bit to mitigate against Variant 4 vulnerabilities. Although an
Armv8.5 feature, this can be implemented by CPUs implementing earlier
version of the architecture.
With this patch, when both PSTATE.SSBS is implemented and
DYNAMIC_WORKAROUND_CVE_2018_3639 is active, querying for
SMCCC_ARCH_WORKAROUND_2 via. SMCCC_ARCH_FEATURES call would return 1 to
indicate that mitigation on the PE is either permanently enabled or not
required.
When SSBS is implemented, SCTLR_EL3.DSSBS is initialized to 0 at reset
of every BL stage. This means that EL3 always executes with mitigation
applied.
For Cortex A76, if the PE implements SSBS, the existing mitigation (by
using a different vector table, and tweaking CPU ACTLR2) is not used.
Change-Id: Ib0386c5714184144d4747951751c2fc6ba4242b6
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
Secure world execution nearly always expect a controlled exit to
Non-secure world. SDEI interrupts, although targets EL3, occur on behalf
of Non-secure world, and may have higher priority than Secure world
interrupts. Therefore they might preempt Secure execution, and yield
execution to Non-secure SDEI handler. Upon completion of SDEI event
handling (regardless of whether it's COPLETE or COMPLETE_AND_RESUME), we
must resume Secure execution if it was preempted.
Change-Id: I6edd991032588588427ba2fe6c3d7668f7080e3d
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
The current secure partition design mandates that a) at a point, only
a single core can be executing in the secure partition, and b) a core
cannot be preempted by an interrupt while executing in secure
partition.
Ensure this by activating the SPM priority prior to entering the
parition. Deactivate the priority on return from the
partition.
Change-Id: Icb3473496d16b733564592eef06304a1028e4f5c
Signed-off-by: Sughosh Ganu <sughosh.ganu@arm.com>
All identifiers, regardless of use, that start with two underscores are
reserved. This means they can't be used in header guards.
The style that this project is now to use the full name of the file in
capital letters followed by 'H'. For example, for a file called
"uart_example.h", the header guard is UART_EXAMPLE_H.
The exceptions are files that are imported from other projects:
- CryptoCell driver
- dt-bindings folders
- zlib headers
Change-Id: I50561bf6c88b491ec440d0c8385c74650f3c106e
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
This patch includes context.h from sdei_private.h to fix the
following compilation errors:
<snip>
In file included from services/std_svc/sdei/sdei_event.c:9:0:
services/std_svc/sdei/sdei_private.h: In function 'sdei_client_el':
services/std_svc/sdei/sdei_private.h:164:2: error: unknown type name 'cpu_context_t'
cpu_context_t *ns_ctx = cm_get_context(NON_SECURE);
^
services/std_svc/sdei/sdei_private.h:165:2: error: unknown type name 'el3_state_t'
el3_state_t *el3_ctx = get_el3state_ctx(ns_ctx);
^
services/std_svc/sdei/sdei_private.h:165:2: error: implicit declaration of function 'get_el3state_ctx' [-Werror=implicit-function-declaration]
services/std_svc/sdei/sdei_private.h:165:25: error: initialization makes pointer from integer without a cast [-Werror]
el3_state_t *el3_ctx = get_el3state_ctx(ns_ctx);
^
services/std_svc/sdei/sdei_private.h:167:2: error: implicit declaration of function 'read_ctx_reg' [-Werror=implicit-function-declaration]
return ((read_ctx_reg(el3_ctx, CTX_SCR_EL3) & SCR_HCE_BIT) != 0U) ?
^
services/std_svc/sdei/sdei_private.h:167:33: error: 'CTX_SCR_EL3' undeclared (first use in this function)
return ((read_ctx_reg(el3_ctx, CTX_SCR_EL3) & SCR_HCE_BIT) != 0U) ?
^
services/std_svc/sdei/sdei_private.h:167:33: note: each undeclared identifier is reported only once for each function it appears in
cc1: all warnings being treated as errors
<snip>
Change-Id: Id0cad56accf81b19cb0d301784f3f086dd052722
Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>
Ensure case clauses:
* Terminate with an unconditional break, return or goto statement.
* Use conditional break, return or goto statements as long as the end
of the case clause is unreachable; such case clauses must terminate
with assert(0) /* Unreachable */ or an unconditional __dead2 function
call
* Only fallthough when doing otherwise would result in less
readable/maintainable code; such case clauses must terminate with a
/* Fallthrough */ comment to make it clear this is the case and
indicate that a fallthrough is intended.
This reduces the chance of bugs appearing due to unintended flow through a
switch statement
Change-Id: I70fc2d1f4fd679042397dec12fd1982976646168
Signed-off-by: Daniel Boulby <daniel.boulby@arm.com>
The value used to signal failure is 0. It is needed to return a different
value on success.
Change-Id: I2186aa7dfbfc825bfe7b3d5ae3c4de7af10ee44f
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
The specification requires that, after wakeup from a CPU suspend, the
dispatcher must mask all events on the CPU. This patch adds the feature
to the SDEI dispatcher by subscribing to the PSCI suspend to power down
event, and masking all events on the PE.
Change-Id: I9fe1d1bc2a58379ba7bba953a8d8b275fc18902c
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
Some platforms might chose to take different actions depending on this
value; this is precisely the case for rcar-gen3.
Signed-off-by: Jorge Ramirez-Ortiz <jramirez@baylibre.com>
tf_printf and tf_snprintf are now called printf and snprintf, so the
code needs to be updated.
Change-Id: Iffeee97afcd6328c4c2d30830d4923b964682d71
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
The codebase was using non-standard headers. It is needed to replace
them by the correct ones so that we can use the new libc headers.
Change-Id: I530f71d9510cb036e69fe79823c8230afe890b9d
Acked-by: Sumit Garg <sumit.garg@linaro.org>
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
The event lock for a shared event was being unlocked twice, and the
locking sequence for event complete was misplaced. This patch fixes both
issues.
Change-Id: Ie2fb15c6ec240af132d7d438946ca160bd5c63dc
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
These changes address most of the required MISRA rules. In the process,
some from generic code is also fixed.
No functional changes.
Change-Id: I6235a355e006f0b1c7c1c4d811b3964a64d0434f
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
Functions provided by stdio.h such as printf and sprintf are available
in the codebase, but they add a lot of code to the final image if they
are used:
- AArch64: ~4KB
- AArch32: ~2KB in T32, ~3KB in A32
tf_printf and tf_snprintf are a lot more simple, but it is preferable
to use them when possible because they are also used in common code.
Change-Id: Id09fd2b486198fe3d79276e2c27931595b7ba60e
Acked-by: Haojian Zhuang <haojian.zhuang@linaro.org>
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Changed the names for consistency with the rest of the library. Introduced
new helpers that manipulate the active translation tables context.
Change-Id: Icaca56b67fcf6a96e88aa3c7e47411162e8e6856
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Fix the types of the arguments of trusty_generic_platform_smc()
to match the expected prototype of a runtime service handler
(see rt_svc_handle_t type).
Change-Id: Ie839d116ca924b4b018ea2abbef72a1073da2a32
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
Instead of having a different initialization routine than the rest of
the codebase, use the common implementation.
Change-Id: I27c03b9905f3cf0af8810aad9e43092005387a1a
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Fix mismatches between the format specifier and the corresponding
variable type.
Change-Id: Ib9004bd9baa9ba24a50000bea4f2418e1bf7e743
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
Check_vector_size checks if the size of the vector fits
in the size reserved for it. This check creates problems in
the Clang assembler. A new macro, end_vector_entry, is added
and check_vector_size is deprecated.
This new macro fills the current exception vector until the next
exception vector. If the size of the current vector is bigger
than 32 instructions then it gives an error.
Change-Id: Ie8545cf1003a1e31656a1018dd6b4c28a4eaf671
Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
The function end_sdei_explicit_dispatch() was intended to be
end_sdei_synchronous_dispatch() which does the opposite of
begin_sdei_synchronous_dispatch(). This patch fixes that.
No functional changes.
Change-Id: I141bd91eb342ecf4ddfd05b49513eee4549e7a56
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
commit 2ccfcb2ea5 ("SDEI: Determine client
EL from NS context's SCR_EL3") intended to read from SCR_EL3, but
wrongly read from SPSR_EL3 instead. This patch fixes that.
Change-Id: I8ffea39cc98ef59cb8e7a4c6ef4cb12011c58536
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
The Commit cdb6ac94ec introduced a bug
because of which the SDEI dispatcher wrongly panic when an SDEI event
dispatched earlier as a result of interrupt. This patch fixes the check
for a bound interrupt.
Change-Id: If55c8f0422ff781731248bbbc9c1b59fa0d3c4b0
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
SDEI event dispatches currently only sets up the Non-secure context
before returning to the caller. The actual dispatch only happens upon
exiting EL3 next time.
However, for various error handling scenarios, it's beneficial to have
the dispatch happen synchronously. I.e. when receiving SDEI interrupt,
or for a successful sdei_dispatch_event() call, the event handler is
executed; and upon the event completion, dispatcher execution resumes
after the point of dispatch. The jump primitives introduced in the
earlier patch facilitates this feature.
With this patch:
- SDEI interrupts and calls to sdei_dispatch_event prepares the NS
context for event dispatch, then sets a jump point, and immediately
exits EL3. This results in the client handler executing in
Non-secure.
- When the SDEI client completes the dispatched event, the SDEI
dispatcher does a longjmp to the jump pointer created earlier. For
the caller of the sdei_dispatch_event() in particular, this would
appear as if call returned successfully.
The dynamic workaround for CVE_2018_3639 is slightly shifted around as
part of related minor refactoring. It doesn't affect the workaround
functionality.
Documentation updated.
NOTE: This breaks the semantics of the explicit dispatch API, and any
exiting usages should be carefully reviewed.
Change-Id: Ib9c876d27ea2af7fb22de49832e55a0da83da3f9
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
Currently, the dispatcher reads from SCR_EL3 register directly to
determine the EL of SDEI client. This is with the assumption that
SCR_EL3 is not modified throughout. However, with RAS work flows, it's
possible that SCR_EL3 register contains values corresponding to Secure
world, and therefore EL determination can go wrong. To mitigate this,
always read the register from the saved Non-secure context.
Change-Id: Ic85e4021deb18eb58757f676f9a001174998543a
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
The current macros only allow to define dynamic and statically-bound
SDEI events. However, there ought be a mechanism to define SDEI events
that are explicitly dispatched; i.e., events that are dispatched as a
result of a previous secure interrupt or other exception
This patch introduces SDEI_EXPLICIT_EVENT() macro to define an explicit
event. They must be placed under private mappings. Only the priority
flags are allowed to be additionally specified.
Documentation updated.
Change-Id: I2e12f5571381195d6234c9dfbd5904608ad41db3
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
It may be needed to enter the Secure Partition through other means than
an MM_COMMUNICATE SMC. This patch enables this behaviour by extracting
the necessary code from mm_communicate() and allowing other parts of the
code to use it.
Change-Id: I59f6638d22d9c9d0baff0984f39d056298a8dc8e
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Only use synchronous calls to enter the Secure Partition in order to
simplify the SMC handling code.
Change-Id: Ia501a045585ee0836b9151141ad3bd11d0971be2
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
RFC4122 defines that fields are stored in network order (big endian),
but TF-A stores them in machine order (little endian by default in TF-A).
We cannot change the future UUIDs that are already generated, but we can store
all the bytes using arrays and modify fiptool to generate the UUIDs with
the correct byte order.
Change-Id: I97be2d3168d91f4dee7ccfafc533ea55ff33e46f
Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
The function xlat_arch_is_granule_size_supported() can be used to check
if a specific granule size is supported. In Armv8, AArch32 only supports
4 KiB pages. AArch64 supports 4 KiB, 16 KiB or 64 KiB depending on the
implementation, which is detected at runtime.
The function xlat_arch_get_max_supported_granule_size() returns the max
granule size supported by the implementation.
Even though right now they are only used by SPM, they may be useful in
other places in the future. This patch moves the code currently in SPM
to the xlat tables lib so that it can be reused.
Change-Id: If54624a5ecf20b9b9b7f38861b56383a03bbc8a4
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
In the context management library, cm_setup_context() takes the
information in ep_info to fill the registers x0-x7. This patch replaces
the current code that sets them manually by the correct initialization
code.
Change-Id: Id1fdf4681b154026c2e3af1f9b05b19582b7d16d
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Rule 5.7: A tag name shall be a unique identifier
Follow convention of shorter names for smaller scope to fix
violations of MISRA rule 5.7
Fixed For:
make ARM_TSP_RAM_LOCATION=tdram LOG_LEVEL=50 PLAT=fvp SPD=opteed
Change-Id: I5fbb5d6ebddf169550eddb07ed880f5c8076bb76
Signed-off-by: Daniel Boulby <daniel.boulby@arm.com>
Use a _ prefix for macro arguments to prevent that argument from
hiding variables of the same name in the outer scope
Rule 5.3: An identifier declared in an inner scope shall not
hide an identifier declared in an outer scope
Fixed For:
make PLAT=fvp SPD=tspd
Change-Id: I2d711b9584c4cb9ba3814ecd2ca65a42b7e24179
Signed-off-by: Daniel Boulby <daniel.boulby@arm.com>
When dynamic mitigation is used, the SDEI handler is required to
execute with the mitigation enabled by default, regardless of the
mitigation state for lower ELs. This means that if the kernel or
hypervisor explicitly disables the mitigation and then later when the
event is dispatched, the dispatcher will remember the mitigation state
for the lower ELs but force the mitigation to be on during the SDEI
handler execution. When the SDEI handler returns, it will restore the
mitigation state.
This behaviour is described in "Firmware interfaces for mitigating
cache speculation vulnerabilities System Software on Arm Systems"[0].
[0] https://developer.arm.com/cache-speculation-vulnerability-firmware-specification
Change-Id: I8dd60b736be0aa9e832b0f92d67a401fdeb417f4
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>
Simplify the code of the SMC handler by extracting the code of
SP_EVENT_COMPLETE and MM_COMMUNICATE.
Change-Id: I9250a3f5e4b807b35c9d044592c1074a45ab9a07
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Instead of just knowing if the Secure Partition is being initialized or
not, this generic state enum can be used to tell if the Secure Partition
is busy and to add more states in the future if needed.
Also, the spinlock of the secure_partition_context_t structure now only
protects against concurrent accesses to the state of the secure
partition. Previously, it used to lock down the whole structure, thus
preventing one CPU to access any of its fields while another CPU was
executing the partition.
Change-Id: I51215328e2ca8ea2452f92e4a1cb237415958b22
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
The current internal names are too long, which makes it hard to write
code as many lines overflow the limit and need to be split, which may
not help the reader.
Change-Id: I072bdc8f3dd125255063ffa7f02500e5228fc9a1
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
This is done in order to make it easier to read the file spm_main.c.
Change-Id: I21e765154c1682a319a3bc47a19a42fd736e910e
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Move all information related to a Secure Partition to the struct
secure_partition_context_t.
This requires an in-depth refactor because most of the previous code of
SPM relied on global information.
Change-Id: I0a23e93817dcc191ce1d7506b8bc671d376123c4
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Some CPUS may benefit from using a dynamic mitigation approach for
CVE-2018-3639. A new SMC interface is defined to allow software
executing in lower ELs to enable or disable the mitigation for their
execution context.
It should be noted that regardless of the state of the mitigation for
lower ELs, code executing in EL3 is always mitigated against
CVE-2018-3639.
NOTE: This change is a compatibility break for any platform using
the declare_cpu_ops_workaround_cve_2017_5715 macro. Migrate to
the declare_cpu_ops_wa macro instead.
Change-Id: I3509a9337ad217bbd96de9f380c4ff8bf7917013
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>
For affected CPUs, this approach enables the mitigation during EL3
initialization, following every PE reset. No mechanism is provided to
disable the mitigation at runtime.
This approach permanently mitigates the entire software stack and no
additional mitigation code is required in other software components.
TF-A implements this approach for the following affected CPUs:
* Cortex-A57 and Cortex-A72, by setting bit 55 (Disable load pass store) of
`CPUACTLR_EL1` (`S3_1_C15_C2_0`).
* Cortex-A73, by setting bit 3 of `S3_0_C15_C0_0` (not documented in the
Technical Reference Manual (TRM)).
* Cortex-A75, by setting bit 35 (reserved in TRM) of `CPUACTLR_EL1`
(`S3_0_C15_C1_0`).
Additionally, a new SMC interface is implemented to allow software
executing in lower ELs to discover whether the system is mitigated
against CVE-2018-3639.
Refer to "Firmware interfaces for mitigating cache speculation
vulnerabilities System Software on Arm Systems"[0] for more
information.
[0] https://developer.arm.com/cache-speculation-vulnerability-firmware-specification
Change-Id: I084aa7c3bc7c26bf2df2248301270f77bed22ceb
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>
This patch renames symbols and files relating to CVE-2017-5715 to make
it easier to introduce new symbols and files for new CVE mitigations.
Change-Id: I24c23822862ca73648c772885f1690bed043dbc7
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>