There are two different implementations of Secure Partition
management in TF-A. One is based on the "Management Mode" (MM)
design, the other is based on the Secure Partition Client Interface
(SPCI) specification. Currently there is a dependency between their
build flags that shouldn't exist, making further development
harder than it should be. This patch removes that
dependency, making the two flags function independently.
Before: ENABLE_SPM=1 is required for using either implementation.
By default, the SPCI-based implementation is enabled and
this is overridden if SPM_MM=1.
After: ENABLE_SPM=1 enables the SPCI-based implementation.
SPM_MM=1 enables the MM-based implementation.
The two build flags are mutually exclusive.
Note that the name of the ENABLE_SPM flag remains a bit
ambiguous - this will be improved in a subsequent patch. For this
patch the intention was to leave the name as-is so that it is
easier to track the changes that were made.
Change-Id: I8e64ee545d811c7000f27e8dc8ebb977d670608a
Signed-off-by: Paul Beesley <paul.beesley@arm.com>
This patch fixes the bug in BL2 dynamic configuration initialisation
which prevents loading NT_FW_CONFIG image (ref. GENFW-3471).
It also adds parentheses around 'if' statement conditions to fix
Coverity defect.
Change-Id: I353566c29b84341887e13bf8098a4fedfc4e00ff
Signed-off-by: Alexei Fedorov <Alexei.Fedorov@arm.com>
Same enable method is used by all the four cores. So,
make it globally for all the cores instead of adding
it to individual level.
Change-Id: I9b5728b0e0545c9e27160ea586009d929eb78cad
Signed-off-by: Vishnu Banavath <vishnu.banavath@arm.com>
This change is to add L2 cache node into a5ds device tree.
Change-Id: I64b4b3e839c3ee565abbcd1567d1aa358c32d947
Signed-off-by: Vishnu Banavath <vishnu.banavath@arm.com>
This patch saves the boot parameters provided by the previous bootloader
during cold boot and passes them to Trusty. Commit 06ff251ec introduced
the plat_trusty_set_boot_args() handler, but did not consider the boot
parameters passed by the previous bootloader. This patch fixes that
anomaly.
Change-Id: Ib40dcd02b67c94cea5cefce09edb0be4a998db37
Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>
EA handlers for exceptions taken from lower ELs at the end invokes
el3_exit function. However there was a bug with sp maintenance which
resulted in el3_exit setting runtime stack to context. This in turn
caused memory corruption on consecutive EL3 entries.
Signed-off-by: Jan Dabros <jsd@semihalf.com>
Change-Id: I0424245c27c369c864506f4baa719968890ce659
This patch enables per-CPU GIC CPU interfaces during CPU
power on. The previous code initialized the distributor
for all CPUs, which was not required.
Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>
Change-Id: Ifd957b2367da06405b4c3e2225411adbaec35bb8
Ported the pmf asm macros and the asm code in the bl31 entrypoint
necessary for the instrumentation to AArch32.
Since smc dispatch is handled by the bl32 payload on AArch32, we
provide this service only if AARCH32_SP=sp_min is set.
Signed-off-by: Bence Szépkúti <bence.szepkuti@arm.com>
Change-Id: Id33b7e9762ae86a4f4b40d7f1b37a90e5130c8ac
Switching execution states is only possible if EL3 is AArch64.
As such there is no need to validate the entrypoint on AArch32 builds.
Signed-off-by: Bence Szépkúti <bence.szepkuti@arm.com>
Change-Id: I3c1eb25b5df296a492870641d274bf65213c6608
Fixes the SiP Service driver that is responsible for FPGA
reconfiguration. Also change the base address of FPGA reconfiguration
to 0x400000.
Signed-off-by: Tien Hock, Loh <tien.hock.loh@intel.com>
Change-Id: I2b84c12c85cd5fc235247131fec4916ed2fb56c8
There are a few issues in mailbox that needs to be fixed.
- Send doorbell after an indirect cmd
- Do not ring doorbell when polling mailbox response as it should've been
sent by send_cmd
- remove unneeded cmd_free_offset check
- Fix mailbox initialization
- Fix get_config_status returning a wrong status when the status is busy
- Add command length in mailbox command header
Signed-off-by: Tien Hock, Loh <tien.hock.loh@intel.com>
Change-Id: If613e2ca889a540a616c62d69ad0086a7cd46536
* changes:
rockchip: make miniloader ddr_parameter handling optional
rockchip: px30: cleanup securing of ddr regions
rockchip: px30: move secure init to separate file
rockchip: really use base+size for secure ddr regions
rockchip: bring TZRAM_SIZE values in line
Transfering the regions of ddr memory to additionally protect is very much
specific to some rockchip internal first stage bootloader and doesn't get
used in either mainline uboot or even Rockchip's published vendor uboot
sources.
This results in a big error
ERROR: over or zero region, nr=0, max=10
getting emitted on every boot for most users and such a message coming
from early firmware might actually confuse developers working with the
system.
As this mechanism seems to be only be used by Rockchip's internal miniloader
hide it behind a build conditional, so it doesn't confuse people too much.
Signed-off-by: Heiko Stuebner <heiko.stuebner@theobroma-systems.com>
Change-Id: I52c02decc60fd431ea78c7486cad5bac82bdbfbe
So far the px30-related ddr security was loading data for regions to secure
from a pre-specified memory location and also setting region0 to secure
the first megabyte of memory in hard-coded setting (top=0, end=0, meaning
1MB).
To make things more explicit and easier to read add a function doing
the settings for specified memory areas, like other socs have and also
add an assert to make sure any descriptor read from memory does not
overlap the TZRAM security in region0 and TEE security in region1.
Signed-off-by: Heiko Stuebner <heiko.stuebner@theobroma-systems.com>
Change-Id: I78441875112bf66a62fde5f1789f4e52a78ef95f
Similar to others like rk3399 and rk3288 move the secure init to a
separate file to unclutter the soc init a bit.
Signed-off-by: Heiko Stuebner <heiko.stuebner@theobroma-systems.com>
Change-Id: Iebb38e24f1c7fe5353f139c896fb8ca769bf9691
Sphinx was showing the following warning message:
docs/getting_started/build-options.rst:200: WARNING: Bullet list ends
without a blank line; unexpected unindent.
Change-Id: Iad5d49c1e0d25dd623ad15bce1af31babf860c03
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
Add-in support for handling BL31 parameter from non-BL2 image, ie. SPL
Signed-off-by: Hadi Asyrafi <muhammad.hadi.asyrafi.abdul.halim@intel.com>
Change-Id: I16118d791399f652b6d1093c10092935a3449c32
Load BL31 to DDR instead of On-Chip RAM for scalability. Also, make use
of On-Chip RAM for BL31 specific variables filling down from handoff
offset to reduce fragmentation
Signed-off-by: Hadi Asyrafi <muhammad.hadi.asyrafi.abdul.halim@intel.com>
Change-Id: Ib64f48bd14f71e5fca2d406f4ede3386f2881099
This patch will provide an entrypoint for uboot's spl into BL31.
BL31 will also handle secondary cpu state during uboot's cold boot
Signed-off-by: Hadi Asyrafi <muhammad.hadi.asyrafi.abdul.halim@intel.com>
Change-Id: I661bdb782c2d793d5fc3c7f78dd7ff746e33b7a3
Move the get_config_status out of sip_svc driver.
Modify the function so that it can return either
CONFIG_STATUS or RECONFIG_STATUS
Signed-off-by: Hadi Asyrafi <muhammad.hadi.asyrafi.abdul.halim@intel.com>
Change-Id: I642d5900339e67f98be61380edc2b838e0dd47af
Separate SiP related definition from mailbox header file
Signed-off-by: Hadi Asyrafi <muhammad.hadi.asyrafi.abdul.halim@intel.com>
Change-Id: I45ba540f29d9261007f7ec23469358747cf140b4
The calls to secure ddr regions on rk3288 and rk3399 use parameters of
base and size - as it custom for specifying memory regions, but the
functions themself expect start and endpoints of the area.
This only works by chance for the TZRAM, as it starts a 0x0 and therefore
its end location is the same as its size.
To not fall into a trap later on adapt the functions to really take
base+size parameters.
Signed-off-by: Heiko Stuebner <heiko.stuebner@theobroma-systems.com>
Change-Id: Idb9fab38aa081f3335a4eca971e7b7f6757fbbab
The agreed upon division of early boot locations is 0x40000 for bl31
to leave enough room for u-boot-spl and 0x100000 for bl33 (u-boot).
rk3288 and rk3399 already correctly secure the ddr up to the 1MB boundary
so pull the other platforms along to also give the Rockchip TF-A enough
room to comfortably live in.
Signed-off-by: Heiko Stuebner <heiko.stuebner@theobroma-systems.com>
Change-Id: Ie9e0c927d3074a418b6fd23b599d2ed7c15c8c6f
SIZE_MAX was mistakenly redefined from UINT32_MAX to UINT64_MAX
on AArch32 when the arch-specific headers were merged.
This value is not currently used by upstream TF-A source code,
so no functionality should be affected.
Change-Id: I2acf7f8736423697c7377e8ed4b08843ced26e66
Signed-off-by: Bence Szépkúti <bence.szepkuti@arm.com>
Paul Beesley
György Szing
Sandrine Bailleux
Manish Pandey
Alexei Fedorov
Vishnu Banavath
Mark Dykes
Varun Wadekar
Soby Mathew
Jan Dabros
Bence Szépkúti
Hadi Asyrafi
Tien Hock, Loh
Heiko Stuebner
Olivier Deprez