* changes:
Migrate ARM platforms to use the new GICv3 API
Adding new optional PSCI hook pwr_domain_on_finish_late
GICv3: Enable multi socket GIC redistributor frame discovery
This patch invokes the new function gicv3_rdistif_probe() in the
ARM platform specific gicv3 driver. Since this API modifies the
shared GIC related data structure, it must be invoked coherently
by using the platform specific pwr_domain_on_finish_late hook.
Change-Id: I6efb17d5da61545a1c5a6641b8f58472b31e62a8
Signed-off-by: Madhukar Pappireddy <madhukar.pappireddy@arm.com>
This PSCI hook is similar to pwr_domain_on_finish but is
guaranteed to be invoked with the respective core and cluster are
participating in coherency. This will be necessary to safely invoke
the new GICv3 API which modifies shared GIC data structures concurrently.
Change-Id: I8e54f05c9d4ef5712184c9c18ba45ac97a29eb7a
Signed-off-by: Madhukar Pappireddy <madhukar.pappireddy@arm.com>
This patch provides declaration and definition of new GICv3 driver
API: gicv3_rdistif_probe().This function delegates the responsibility
of discovering the corresponding Redistributor base frame to each CPU
itself. It is a modified version of gicv3_rdistif_base_addrs_probe()
and is executed by each CPU in the platform unlike the previous
approach in which only the Primary CPU did the discovery of all the
Redistributor frames for every CPU.
The flush operations as part of gicv3_driver_init() function are
made necessary even for platforms with WARMBOOT_ENABLE_DCACHE_EARLY
because the GICv3 driver data structure contents are accessed by CPU
with D-Cache turned off during power down operations.
Change-Id: I1833e81d3974b32a3e4a3df4766a33d070982268
Signed-off-by: Madhukar Pappireddy <madhukar.pappireddy@arm.com>
The Fast Models provide a non-volatile counter component, which is used
in the Trusted Board Boot implementation to protect against rollback
attacks.
This component comes in 2 versions (see [1]).
- Version 0 is the default and models a locked non-volatile counter,
whose value is fixed.
- Version 1 of the counter may be incremented in a monotonic fashion.
plat_set_nv_ctr() must cope with both versions. This is achieved by:
1) Attempting to write the new value in the counter.
2) Reading the value back.
3) If there is a mismatch, we know the counter upgrade failed.
When using version 0 of the counter, no upgrade is possible so the
function is expected to fail all the time. However, the code is
missing a compiler barrier between the write operation and the next
read. Thus, the compiler may optimize and remove the read operation on
the basis that the counter value has not changed. With the default
optimization level used in TF-A (-Os), this is what's happening.
The fix introduced in this patch marks the write and subsequent read
accesses to the counter as volatile, such that the compiler makes no
assumption about the value of the counter.
Note that the comment above plat_set_nv_ctr() was clearly stating
that when using the read-only version of the non-volatile counter,
"we expect the values in the certificates to always match the RO
values so that this function is never called". However, the fact that
the counter value was read back seems to contradict this comment, as
it is implementing a counter-measure against misuse of the
function. The comment has been reworded to avoid any confusion.
Without this patch, this bug may be demonstrated on the Base AEM FVP:
- Using version 0 of the non-volatile counter (default version).
- With certificates embedding a revision number value of 32
(compiling TF-A with TFW_NVCTR_VAL=32).
In this configuration, the non-volatile counter is tied to value 31 by
default. When BL1 loads the Trusted Boot Firmware certificate, it
notices that the two values do not match and tries to upgrade the
non-volatile counter. This write operation is expected to fail
(because the counter is locked) and the function is expected to return
an error but it succeeds instead.
As a result, the trusted boot does not abort as soon as it should and
incorrectly boots BL2. The boot is finally aborted when BL2 verifies
the BL31 image and figures out that the version of the SoC Firmware
Key Certificate does not match. On Arm platforms, only certificates
signed with the Root-of-Trust Key may trigger an upgrade of the
non-volatile Trusted counter.
[1] https://developer.arm.com/docs/100964/1160/fast-models-components/peripheral-components/nonvolatilecounter
Change-Id: I9979f29c23b47b338b9b484013d1fb86c59db92f
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
The documentation for Marvell platforms was not included in the
rendered document output until now because, while it was mostly
valid RST format, the files were saved with a .txt extension.
This patch corrects some RST formatting errors, creates a document
tree (index page) for the Marvell documents, and adds the Marvell
subtree to the main index.
Change-Id: Id7d4ac37eded636f8f62322a153e1e5f652ff51a
Signed-off-by: Paul Beesley <paul.beesley@arm.com>
Rockchip platform is using the first 1MB of DRAM as secure ram space,
and there is a vendor loader who loads and runs the BL31/BL32/BL33,
this loader is usually load by SoC BootRom to the start addres of DRAM,
we need to reserve enough space for this loader so that it doesn't need
to do the relocate when loading the BL31. eg.
We use U-Boot SPL to load ATF BL31 and U-Boot proper as BL33, the SPL
TEXT BASE is offset 0 of DRAM which is decide by Bootrom; if we update
the BL31_BASE to offset 0x40000(256KB), then the 0~0x40000 should be
enough for SPL and no need to do the relocate while the space size
0x10000(64KB) may not enough for SPL.
After this update, the BL31 can use the rest 768KB of the first 1MB,
which is also enough, and the loader who is using BL31 elf file can
support this update without any change.
Change-Id: I66dc685594d77f10f9a49c3be015fd6729250ece
Signed-off-by: Kever Yang <kever.yang@rock-chips.com>
Patch introduce the macro NS_IMAGE_MAX_SIZE to simplify the image size
calculation. Use of additional parenthesis removes the possibility of
improper calculations due nested macro expansion for subtraction.
In case of platforms with DRAM window over 32bits, patch also removes
potential problems with type casting, as meminfo.image_size is uint32_t
but macro calculations were done in 64bit space.
Signed-off-by: Radoslaw Biernacki <radoslaw.biernacki@linaro.org>
Change-Id: I2d05a2d9dd6000dba6114df53262995cf85af018
This commit change the plat/qemu directory structure into:
`-- plat
`-- qemu
|-- common (files shared with all qemu subplatforms)
|-- qemu (original qemu platform)
|-- qemu_sbsa (new sqemu_sbsa platform)
|-- subplat1
`-- subplat2
This opens the possibility of adding new qemu sub-platforms which reuse
existing common platform code. The first platform which will leverage new
structure will be SBSA platform.
Signed-off-by: Radoslaw Biernacki <radoslaw.biernacki@linaro.org>
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
Change-Id: Id0d8133e1fffc1b574b69aa2770ebc02bb837a9b
Avoid to load FIP by hacking address. Load it by partition table instead.
Signed-off-by: Haojian Zhuang <haojian.zhuang@linaro.org>
Change-Id: I0283fc2e6e459bff14de19d92db4158e05106ee4
Avoid to load FIP by hacking address. Load it by partition table instead.
Signed-off-by: Haojian Zhuang <haojian.zhuang@linaro.org>
Change-Id: Ib476d024a51e4b9705441a0007d78f9fdf0ca078
The block size of some storage device is 4096-byte long, such as UFS. But
PARTITION_BLOCK_SIZE is defined as 512-byte long. So replace it by
PLAT_PARTITION_BLOCK_SIZE. Make it configurable in platform.
Signed-off-by: Haojian Zhuang <haojian.zhuang@linaro.org>
Change-Id: Iada05f7c646d0a0f2c0d3b8545540b3cb7153de3
Both kernel and U-Boot use a SMC call to the secure monitor to get the
chip ID. This call is translated by BL31 to a call to the SCP to
retrieve the ID. Add a new SiP call and the backing SCPI command.
Signed-off-by: Carlo Caione <ccaione@baylibre.com>
Change-Id: Ib128f5645ee92866e7ebbcd550dacd33f573524b
* changes:
rpi3: Do prescaler and control setup in C
rpi3: Prepare for supporting a GIC (in RPi4)
rpi3: Make SHARED_RAM optional
rpi3: Rename RPI3_IO_BASE to RPI_IO_BASE
rpi3: Move shared rpi3 files into common directory
We should either change them to `unsigned int` or `unsigned long long`
when the size of the variable is the same in AArch64 and AArch32 or
to `u_register_t` if it is supposed to be 32 bit wide in AArch32
and 64 bit wide in AArch64.
Signed-off-by: Deepika Bhavnani <deepika.bhavnani@arm.com>
Change-Id: I80e2a6edb33248ee88be395829abbd4c36c89abe
AArch64 System register SCTLR_EL1[31:0] is architecturally mapped
to AArch32 System register SCTLR[31:0]
AArch64 System register ACTLR_EL1[31:0] is architecturally mapped
to AArch32 System register ACTLR[31:0].
`u_register_t` should be used when it's important to store the
contents of a register in its native size
Signed-off-by: Deepika Bhavnani <deepika.bhavnani@arm.com>
Change-Id: I0055422f8cc0454405e011f53c1c4ddcaceb5779
To initialise the arch timer configuration and some clock prescaler, we
need to do two MMIO access *once*, early during boot.
As tempting as it may sound, plat_reset_handler() is not the right place
to do this, as it will be called on every CPU coming up, both for
secondary cores as well as during warmboots. So this access will be done
multiple times, and even during a rich OS' runtime. Whether doing so anyway
is actually harmful is hard to say, but we should definitely avoid this if
possible.
Move the initialisation of these registers to C code in
bl1_early_platform_setup(), where it will still be executed early enough
(before enabling the console), but only once during the whole boot
process.
Change-Id: I081c41a5476d424411411488ff8f633e87d3bcc5
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
If a firmware component like TF-A reserves special memory regions for
its own or secure payload services, it should announce the location and
size of those regions to the non-secure world. This will avoid
disappointment when some rich OS tries to acccess this memory, which
will likely end in a crash.
The traditional way of advertising reserved memory using device tree is
using the special memreserve feature of the device tree blob (DTB).
However by definition those regions mentioned there do not prevent the
rich OS to map this memory, which may lead to speculative accesses to
this memory and hence spurious bus errors.
A safer way of carving out memory is to use the /reserved-memory node as
part of the normal DT structure. Besides being easier to setup, this
also defines an explicit "no-map" property to signify the secure-only
nature of certain memory regions, which avoids the rich OS to
accidentally step on it.
Add a helper function to allow platform ports to easily add a region.
Change-Id: I2b92676cf48fd3bdacda05b5c6b1c7952ebed68c
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
To allow sharing the driver between the RPi3 and RPi4, move the random
number generator driver into the generic driver directory.
Change-Id: Iae94d7cb22c6bce3af9bff709d76d4caf87b14d1
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
With the incoming support for the Raspberry Pi 4 boards, one directory
to serve both versions will not end up well.
Create an additional layer by inserting a "rpi" directory betweeen /plat
and rpi3, so that we can more easily share or separate files between the
two later.
Change-Id: I75adbb054fe7902f34db0fd5e579a55612dd8a5f
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
As the PSCI "power" management functions for the Raspberry Pi 3 port
will be shared with the upcoming RPi4 support, we need to prepare them
for dealing with the GIC interrupt controller.
Splitting this code just for those simple calls to the generic GIC
routines does not seem worthwhile, so just use a #define the protect the
GIC code from being included by the existing RPi3 code.
Change-Id: Iaca6b0214563852b28ad4a088ec45348ae8be40d
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
The QEMU platform port scans its device tree to advertise PSCI as the
CPU enable method. It does this by scanning *every* node in the DT and
check whether its compatible string starts with "arm,cortex-a". Then it
sets the enable-method to PSCI, if it doesn't already have one.
Other platforms might want to use this functionality as well, so let's
move it out of the QEMU platform directory and make it more robust by
fixing some shortcomings:
- A compatible string starting with a certain prefix is not a good way
to find the CPU nodes. For instance a "arm,cortex-a72-pmu" node will
match as well and is in turn favoured with an enable-method.
- If the DT already has an enable-method, we won't change this to PSCI.
Those two issues will for instance fail on the Raspberry Pi 4 DT.
To fix those problems, we adjust the scanning method:
The DT spec says that all CPU nodes are subnodes of the mandatory
/cpus node, which is a subnode of the root node. Also each CPU node has
to have a device_type = "cpu" property. So we find the /cpus node, then
scan for a subnode with the proper device_type, forcing the
enable-method to "psci".
We have to restart this search after a property has been patched, as the
node offsets might have changed meanwhile.
This allows this routine to be reused for the Raspberry Pi 4 later.
Change-Id: I00cae16cc923d9f8bb96a9b2a2933b9a79b06139
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
To allow sharing the driver between the RPi3 and RPi4, move the mailbox
driver into the generic driver directory.
Change-Id: I463e49acf82b02bf004f3d56482b7791f3020bc0
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
The existing Raspberry Pi 3 port sports a number of memory regions,
which are used for several purposes. The upcoming RPi4 port will not use
all of those, so make the SHARED_RAM region optional, by only mapping it
if it has actually been defined. This helps to get a cleaner RPi4 port.
Change-Id: Id69677b7fb6ed48d9f238854b610896785db8cab
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
With the advent of Raspberry Pi 4 support, we need to separate some
board specific headers between the RPi3 and RPi4.
Rename and move the "rpi3_hw.h" header, so that .c files just include
rpi_hw.h, and automatically get the correct version.
Change-Id: I03b39063028d2bee1429bffccde71dddfe2dcde8
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
The location of the MMIO window is different between a Raspberry Pi 3
and 4: the former has it just below 1GB, the latter below 4GB.
The relative location of the peripherals is mostly compatible though.
To allow sharing code between the two models, let's rename the symbol
used for the MMIO base to the more generic RPI_IO_BASE name.
Change-Id: I3c2762fb30fd56cca743348e79d72ef8c60ddb03
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
To be able to share code more easily between the existing Raspberry Pi 3
and the upcoming Raspberry Pi 4 platform, move some code which is not
board specific into a "common" directory.
Change-Id: I9211ab2d754b040128fac13c2f0a30a5cc8c7f2c
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
This patch provides the following features and makes modifications
listed below:
- Individual APIAKey key generation for each CPU.
- New key generation on every BL31 warm boot and TSP CPU On event.
- Per-CPU storage of APIAKey added in percpu_data[]
of cpu_data structure.
- `plat_init_apiakey()` function replaced with `plat_init_apkey()`
which returns 128-bit value and uses Generic timer physical counter
value to increase the randomness of the generated key.
The new function can be used for generation of all ARMv8.3-PAuth keys
- ARMv8.3-PAuth specific code placed in `lib\extensions\pauth`.
- New `pauth_init_enable_el1()` and `pauth_init_enable_el3()` functions
generate, program and enable APIAKey_EL1 for EL1 and EL3 respectively;
pauth_disable_el1()` and `pauth_disable_el3()` functions disable
PAuth for EL1 and EL3 respectively;
`pauth_load_bl31_apiakey()` loads saved per-CPU APIAKey_EL1 from
cpu-data structure.
- Combined `save_gp_pauth_registers()` function replaces calls to
`save_gp_registers()` and `pauth_context_save()`;
`restore_gp_pauth_registers()` replaces `pauth_context_restore()`
and `restore_gp_registers()` calls.
- `restore_gp_registers_eret()` function removed with corresponding
code placed in `el3_exit()`.
- Fixed the issue when `pauth_t pauth_ctx` structure allocated space
for 12 uint64_t PAuth registers instead of 10 by removal of macro
CTX_PACGAKEY_END from `include/lib/el3_runtime/aarch64/context.h`
and assigning its value to CTX_PAUTH_REGS_END.
- Use of MODE_SP_ELX and MODE_SP_EL0 macro definitions
in `msr spsel` instruction instead of hard-coded values.
- Changes in documentation related to ARMv8.3-PAuth and ARMv8.5-BTI.
Change-Id: Id18b81cc46f52a783a7e6a09b9f149b6ce803211
Signed-off-by: Alexei Fedorov <Alexei.Fedorov@arm.com>