The definitions in bl1/bl1_private.h and bl2/bl2_private.h are useful for
platforms that may need to access them.
Change-Id: Ifd1880f855ddafcb3bfcaf1ed4a4e0f121eda174
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
ARMv8.2-TTCNP is mandatory from ARMv8.2 onwards, but it can be implemented
in CPUs that don't implement all mandatory 8.2 features (and so have to
claim to be a lower version).
This patch removes usage of the ARM_ARCH_AT_LEAST() macro and uses system
ID registers to detect whether it is needed to set the bit or not.
Change-Id: I7bcbf0c7c937590dfc2ca668cfd9267c50f7d52c
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Update some asserts that refer to #defines that only occur in
ARM platforms, preventing this code to be used on other platforms.
Instead, use a platform agnostic name, and update all the existing
users.
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
The patch SHA 55cf015c enabled PIE support when RESET_TO_BL31=1 for
all ARM platforms. But it seems n1sdp platform doesn't work with PIE
support yet. Hence restrict the ENABLE_PIE=1 to fvp platform.
Change-Id: If44e42528e4b0b57c69084503f346576fe0748bd
Signed-off-by: Soby Mathew <soby.mathew@arm.com>
Instead, only platform_def.h is included.
The required files to be included are added in stm32mp1_def.h.
Signed-off-by: Yann Gautier <yann.gautier@st.com>
Enforce full include path for includes. Deprecate old paths.
The following folders inside include/lib have been left unchanged:
- include/lib/cpus/${ARCH}
- include/lib/el3_runtime/${ARCH}
The reason for this change is that having a global namespace for
includes isn't a good idea. It defeats one of the advantages of having
folders and it introduces problems that are sometimes subtle (because
you may not know the header you are actually including if there are two
of them).
For example, this patch had to be created because two headers were
called the same way: e0ea0928d5 ("Fix gpio includes of mt8173 platform
to avoid collision."). More recently, this patch has had similar
problems: 46f9b2c3a2 ("drivers: add tzc380 support").
This problem was introduced in commit 4ecca33988 ("Move include and
source files to logical locations"). At that time, there weren't too
many headers so it wasn't a real issue. However, time has shown that
this creates problems.
Platforms that want to preserve the way they include headers may add the
removed paths to PLAT_INCLUDES, but this is discouraged.
Change-Id: I39dc53ed98f9e297a5966e723d1936d6ccf2fc8f
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
The architecture dependant header files in include/lib/${ARCH} and
include/common/${ARCH} have been moved to /include/arch/${ARCH}.
Change-Id: I96f30fdb80b191a51448ddf11b1d4a0624c03394
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Even though this is not used unless SPD=tspd, only defining it when
SPD_tspd is defined doesn't have any advantage and it makes it harder to
read the code.
Change-Id: I3d93135e05f39be071d16f8a47394a9a3ff54bc8
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
This patch enables the Data Independent Timing
functionality (DIT) in EL3 if supported
by the platform.
Change-Id: Ia527d6aa2ee88a9a9fe1c941220404b9ff5567e5
Signed-off-by: Sathees Balya <sathees.balya@arm.com>
This is done in order to keep the files in both repositories in sync.
Change-Id: Ie1a9f321cbcfe8d7d14f206883fa718872271218
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Some of the affected macros can only be used from C code. In general, we
use arch_helpers.h for any C helpers to access registers. For
consistency, the other macros have been moved as well.
Also, import some AArch32 helpers from TF-A-Tests.
Change-Id: Ie8fe1ddeadba5336c12971ddc39a7883121386b1
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
This patch defines BL31_BASE to 0x0 when RESET_TO_BL31=1 as the
executable is built with PIE support and can be loaded anywhere
in SRAM for execution.
Change-Id: I4007f4626322f1200a6304c9c565987d3357986c
Signed-off-by: Soby Mathew <soby.mathew@arm.com>
The GIC lowest priority values for each world depends on the number of
priority values implemented in hardware. These constants currently
defined in gic_common.h only meant to enumerate lowest possible
architectural values. Since these values are not used in generic code or
upstream platforms, and that general use of these constants can be
wrong, remove these. Platforms should either define and use these as
appropriate, or determine correct values at run time.
Change-Id: I3805cea8ceb8a592b9eff681ea1b63b7496cec5f
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
Also, add a disclaimer to explain that the current implementation of SPM
is a prototype that is going to undergo a lot of rework.
Change-Id: I303c1e61c51d9f286cc599fea565fc9ba5a996bf
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
The old SMCs SP_MEMORY_ATTRIBUTES_{GET,SET}_AARCH64 have been removed in
favour of SPRT_MEMORY_PERM_ATTR_{GET,SET}_AARCH64.
Change-Id: Idb93cfa5461d0098df941037c5653f7c44b65227
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
This buffer is where all the responses from Secure Partitions are stored
until they are requested.
Change-Id: Iafeb8f0848c5ff6f3e187060cd3a47702484dc45
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Introduce SMCs that open and close handles according to the SPCI
specification.
Change-Id: I65f365f15612e01aa445e783e96e48ae275c39fd
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Remove interfaces based on MM_COMMUNICATE.
Change-Id: I628c884b91d9f4758269ea2c4dedc37a66bb93cf
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Load SP and RD from package instead of relying on RD being already
loaded in memory and the SP being loaded as a BL32 image.
Change-Id: I18d4fbf4597656c6a7e878e1d7c01a8a324f3f8a
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
This tool packages Secure Partitions and Resource Descriptor blobs into
a simple file that can be loaded by SPM.
Change-Id: If3800064f30bdc3d7fc6a15ffbb3007ef632bcaa
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
This information is retrieved from the resource description now.
Change-Id: Iaae23945eb2c45305cdc6442853e42f4e04fe094
Co-authored-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
This information is defined by the Secure Partition in the resource
description.
Change-Id: Ia7db90c5de8360a596106880d3f6a632a88d3ea8
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Introduce helpers to create resource description struct, as well as code
to load the information from DTB files.
Change-Id: I0f5bb94eb8b01c6cb53fe807a9db0c05a70d7a43
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
The structures and associated definitions are in different files so that
the definitions can be used inside DTS files while the structs are
private to SPM. They follow the SPRT specification.
Change-Id: Id6a629040a086c482b9d9fa1883b8aa6bbee619f
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
The Armv8.5 extensions introduces PSTATE.SSBS (Speculation Store Bypass
Safe) bit to mitigate against Variant 4 vulnerabilities. Although an
Armv8.5 feature, this can be implemented by CPUs implementing earlier
version of the architecture.
With this patch, when both PSTATE.SSBS is implemented and
DYNAMIC_WORKAROUND_CVE_2018_3639 is active, querying for
SMCCC_ARCH_WORKAROUND_2 via. SMCCC_ARCH_FEATURES call would return 1 to
indicate that mitigation on the PE is either permanently enabled or not
required.
When SSBS is implemented, SCTLR_EL3.DSSBS is initialized to 0 at reset
of every BL stage. This means that EL3 always executes with mitigation
applied.
For Cortex A76, if the PE implements SSBS, the existing mitigation (by
using a different vector table, and tweaking CPU ACTLR2) is not used.
Change-Id: Ib0386c5714184144d4747951751c2fc6ba4242b6
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
console_unregister() has always returned a pointer to the console that
was removed on success, not just an integer. Fix the C prototype to
match the assembly implementation.
Change-Id: Iafc43de0767a5c87c9ae5c3aba53761dd28d51e6
Signed-off-by: Julius Werner <jwerner@chromium.org>
- Update CPU frequency on AP807 to 2GHz for SAR 0x0.
- Increase AVS to 0.88V for 2GHz clock
Change-Id: Ic945b682ab2f8543e34294bfc56c3eae2c5e0c8e
Signed-off-by: Christine Gharzuzi <chrisg@marvell.com>
Signed-off-by: Konstantin Porotchkin <kostap@marvell.com>
For platforms using multi-threaded CPUs, there can be upto four
platform power domain levels. At present, there are three platform
power domain levels that are defined for the CSS platforms. Define a
fourth level 'ARM_PWR_LVL3' as well to provide support for an
additional platform power domain level.
Change-Id: I40cc17a10f4690a560776f504364fd7277a7e72a
Signed-off-by: Chandni Cherukuri <chandni.cherukuri@arm.com>
The CSS_SYSTEM_PWR_DMN_LVL macro that defines the system power domain
level is fixed at ARM_PWR_LVL2 for all CSS platforms. However, the
system power domain level can be different for CSS platforms that
use multi-threaded CPUs.
So, in preparation towards adding support for platforms that use
multi-threaded CPUs, refactor the definition of CSS_SYSTEM_PWR_DMN_LVL
such that CSS_SYSTEM_PWR_DMN_LVL is uniquely defined for each of the
CSS platform.
Change-Id: Ia837b13f6865e71da01780993c048b45b7f36d85
Signed-off-by: Chandni Cherukuri <chandni.cherukuri@arm.com>
Initial Spectre Variant 1 mitigations (CVE-2017-5753).
A potential speculative data leak was found in PSCI code, this depends
on a non-robust implementation of the `plat_get_core_pos_by_mpidr()`
function. This is considered very low-risk. This patch adds a macro to
mitigate this. Note not all code paths could be analyzed with current
tools.
Add a macro which makes a variable 'speculation safe', using the
__builtin_speculation_safe_value function of GCC and llvm. This will be
available in GCC 9, and is planned for llvm, but is not currently in
mainline GCC or llvm. In order to implement this mitigation the compiler
must support this builtin. Support is indicated by the
__HAVE_SPECULATION_SAFE_VALUE flag.
The -mtrack-speculation option maintains a 'tracker' register, which
determines if the processor is in false speculation at any point. This
adds instructions and increases code size, but avoids the performance
impact of a hard barrier.
Without the -mtrack-speculation option, __builtin_speculation_safe_value
expands to a
ISB
DSB SY
sequence after a conditional branch, before the
speculation safe variable is used. With -mtrack-speculation a
CSEL tracker, tracker, XZR, [cond];
AND safeval,tracker;
CSDB
sequence is added instead, clearing the vulnerable variable by
AND'ing it with the tracker register, which is zero during speculative
execution. [cond] are the status flags which will only be true during
speculative execution. For more information on
__builtin_speculation_safe_value and the -mtrack-speculation option see
https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability/compiler-support-for-mitigations
The -mtracking option was not added, as the performance impact of the
mitigation is low, and there is only one occurence.
Change-Id: Ic9e66d1f4a5155e42e3e4055594974c230bfba3c
Signed-off-by: Joel Hutton <Joel.Hutton@Arm.com>
The headers forked at some point in the past and have diverged a lot. In
order to make it easier to share code between TF-A-Tests and TF-A, this
patch synchronises most of the definitions in the mentioned headers.
This is not a complete sync, it has to be followed by more cleanup.
This patch also removes the read helpers for the AArch32 instructions
ats1cpr and ats1hr (they are write-only).
Change-Id: Id13ecd7aeb83bd2318cd47156d71a42f1c9f6ba2
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
This reverts commit 6f512a3dfd.
According to the 'Cortex-A57 MPCore Software Developers Errata Notice':
This bug will only affect secure AArch64 EL3. If the above
conditions occur, the CPU will not invalidate the targeted EL3 TLB
entries and incorrect translations might occur.
For this reason it is not needed in AArch32.
Change-Id: I6f7b333817515499723e8f306145790ad6af9975
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Provide new APIs to add new regions without specifying the base VA.
- `mmap_add_region_alloc_va` adds a static region to mmap choosing as
base VA the first possible address after all the currently mapped
regions. It is aligned to an appropriate boundary in relation to the
size and base PA of the requested region. No attempt is made to fill
any unused VA holes.
- `mmap_add_dynamic_region_alloc_va` it adds a region the same way as
`mmap_add_region_alloc_va` does, but it's dynamic instead of static.
- `mmap_add_alloc_va` takes an array of non const `mmap_region_t`,
maps them in the same way as `mmap_add_region_alloc_va` and fills
their `base_va` field. A helper macro has been created to help create
the array, called `MAP_REGION_ALLOC_VA`.
Change-Id: I5ef3f82ca0dfd0013d2e8034aa22f13ca528ba37
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
ARM CoreLink DMC-620 Dynamic Memory Controller includes a TZC controller
to setup secure or non-secure regions of DRAM memory. The TZC controller
allows to setup upto eight such regions of memory in DRAM. This driver
provides helper functions to setup the TZC controller within DMC-620.
Change-Id: Iee7692417c2080052bdb7b1c2873a024bc5d1d10
Signed-off-by: Vijayenthiran Subramaniam <vijayenthiran.subramaniam@arm.com>
Migrate Marvell platforms from legacy console API to
multi-console API.
Change-Id: I647f5f49148b463a257a747af05b5f0c967f267c
Signed-off-by: Konstantin Porotchkin <kostap@marvell.com>
When compiling assembly files, stdint.h is not included.
UINT32_C and UINT64_C are then not defined.
A new GENMASK macro for assembly is then created.
Signed-off-by: Yann Gautier <yann.gautier@st.com>
These issues wer found by sparse:
drivers/st/clk/stm32mp1_clk.c:1524:19:
warning: incorrect type in assignment (different base types)
expected restricted fdt32_t const [usertype] *pkcs_cell
got unsigned int const [usertype] *
plat/st/stm32mp1/plat_image_load.c:13:6:
warning: symbol 'plat_flush_next_bl_params' was not declared.
Should it be static?
plat/st/stm32mp1/plat_image_load.c:21:16:
warning: symbol 'plat_get_bl_image_load_info' was not declared.
Should it be static?
plat/st/stm32mp1/plat_image_load.c:29:13:
warning: symbol 'plat_get_next_bl_params' was not declared.
Should it be static?
plat/st/stm32mp1/bl2_io_storage.c:40:10:
warning: symbol 'block_buffer' was not declared. Should it be static?
Signed-off-by: Yann Gautier <yann.gautier@st.com>
These warnings were issued by sparse:
plat/st/stm32mp1/stm32mp1_pm.c:365:36:
warning: incorrect type in initializer (different modifiers)
expected void ( *[noreturn] pwr_domain_pwr_down_wfi )( ... )
got void ( [noreturn] *<noident> )( ... )
plat/st/stm32mp1/stm32mp1_pm.c:366:23:
warning: incorrect type in initializer (different modifiers)
expected void ( *[noreturn] system_off )( ... )
got void ( [noreturn] *<noident> )( ... )
plat/st/stm32mp1/stm32mp1_pm.c:367:25:
warning: incorrect type in initializer (different modifiers)
expected void ( *[noreturn] system_reset )( ... )
got void ( [noreturn] *<noident> )( ... )
This cannot be changed the other way in all platforms pm drivers
or else there is a compilation error:
plat/st/stm32mp1/stm32mp1_pm.c:234:1: error: attributes should be specified
before the declarator in a function definition
Signed-off-by: Yann Gautier <yann.gautier@st.com>
All identifiers, regardless of use, that start with two underscores are
reserved. This means they can't be used in header guards.
The style that this project is now to use the full name of the file in
capital letters followed by 'H'. For example, for a file called
"uart_example.h", the header guard is UART_EXAMPLE_H.
The exceptions are files that are imported from other projects:
- CryptoCell driver
- dt-bindings folders
- zlib headers
Change-Id: I50561bf6c88b491ec440d0c8385c74650f3c106e
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
On AArch32, ARM_DRAM1_BASE and ARM_DRAM1_SIZE constants are currently
32-bit values (because they are suffixed with UL and the value
0x80000000 fits in a unsigned long int, i.e. a 32-bit value). When
summing them up, the result overflows the maximum value that can be
encoded in a 32-bit value so it wraps around and does not result in
the expected value.
This patch changes the suffix of these constants into ULL so that they
always are 64-bit values.
Change-Id: I3b19b1805e35cc7e43050458df379081b1e882d5
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
fdtw_read_cells() can only read one or two cells, sometimes it may be
needed to read more cells from one property.
Change-Id: Ie70dc76d1540cd6a04787cde7cccb4d1bafc7282
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
The macro EL_IMPLEMENTED() has been deprecated in favour of the new
function el_implemented().
Change-Id: Ic9b1b81480b5e019b50a050e8c1a199991bf0ca9
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Add supprot for Marvell platforms based on Armada-37xx SoC.
This includes support for the official Armada-3720 modular
development board and EspressoBin community board.
The Armada-37xx SoC contains dual Cortex-A53 Application CPU,
single secure CPU (Cortex-M3) and the following interfaces:
- SATA 3.0
- USB 3.0 and USB 2.0
- PCIe
- SDIO (supports boot from eMMC)
- SPI
- UART
- I2c
- Gigabit Ethernet
Signed-off-by: Konstantin Porotchkin <kostap@marvell.com>
Version 1.4.7 introduces a big performance hit to functions that access
the FDT. Downgrade the library to version 1.4.6-9, before the changes
that introduce the problem. Version 1.4.6 isn't used because one of the
libfdt files (fdt_overlay.c) is missing the license header. This
problem is also fixed in 1.4.6-9.
This version corresponds to commit <aadd0b65c987> checks: centralize
printing of property names in failure messages.
FixesARM-software/tf-issues#643
Change-Id: I73c05f2b1f994bcdcc4366131ce0647553cdcfb8
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
This patch introduces Position Independant Executable(PIE) support
in TF-A. As a initial prototype, only BL31 can support PIE. A trivial
dynamic linker is implemented which supports fixing up Global Offset
Table(GOT) and Dynamic relocations(.rela.dyn). The fixup_gdt_reloc()
helper function implements this linker and this needs to be called
early in the boot sequence prior to invoking C functions. The GOT is
placed in the RO section of BL31 binary for improved security and the
BL31 linker script is modified to export the appropriate symbols
required for the dynamic linker.
The C compiler always generates PC relative addresses to linker symbols
and hence referencing symbols exporting constants are a problem when
relocating the binary. Hence the reference to the
`__PERCPU_TIMESTAMP_SIZE__` symbol in PMF is removed and is now calculated
at runtime based on start and end addresses.
Change-Id: I1228583ff92cf432963b7cef052e95d995cca93d
Signed-off-by: Soby Mathew <soby.mathew@arm.com>
Previously the errata reporting was optional for CPU operation
files and this was achieved by making use of weak reference to
resolve to 0 if the symbol is not defined. This is error prone
when adding new CPU operation files and weak references are
problematic when fixing up dynamic relocations. Hence this patch
removes the weak reference and makes it mandatory for the CPU
operation files to define the errata reporting function.
Change-Id: I8af192e19b85b7cd8c7579e52f8f05a4294e5396
Signed-off-by: Soby Mathew <soby.mathew@arm.com>
This patch fixes up the AArch64 assembly code to use
adrp/adr instructions instead of ldr instruction for
reference to symbols. This allows these assembly
sequences to be Position Independant. Note that the
the reference to sizes have been replaced with
calculation of size at runtime. This is because size
is a constant value and does not depend on execution
address and using PC relative instructions for loading
them makes them relative to execution address. Also
we cannot use `ldr` instruction to load size as it
generates a dynamic relocation entry which must *not*
be fixed up and it is difficult for a dynamic loader
to differentiate which entries need to be skipped.
Change-Id: I8bf4ed5c58a9703629e5498a27624500ef40a836
Signed-off-by: Soby Mathew <soby.mathew@arm.com>
This patch adds a utility function to return
the address of a symbol. By default, the compiler
generates adr/adrp instruction pair to return
the reference and this utility is used to override
this compiler generated to code and use `ldr`
instruction.
This is needed for Position Independent Executable
when it needs to reference a symbol which is constant
and does not depend on the execute address of the
binary.
For example, on the FVP, the GICv3 register context is
stored in a secure carveout (arm_el3_tzc_dram) within
DDR and does not relocate with the BL image. Now if
BL31 is executing at a different address other than
the compiled address, using adrp/adr instructions to
reference this memory will not work as they generate an
address that is PC relative. The way to get around this
problem is to reference it as non-PC relative (i.e
non-relocatable location) via `ldr` instruction.
Change-Id: I5008a951b007144258121690afb68dc8e12ee6f7
Signed-off-by: Soby Mathew <soby.mathew@arm.com>
This function is not related to Arm platforms and can be reused by other
platforms if needed.
Change-Id: Ia9c328ce57ce7e917b825a9e09a42b0abb1a53e8
Co-authored-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
There are several platforms using arm_setup_page_tables(), which is
supposed to be Arm platform only. This creates several dependency
problems between platforms.
This patch adds the definition XLAT_TABLES_LIB_V2 to the xlat tables lib
v2 makefile. This way it is possible to detect from C code which version
is being used and include the correct header.
The file arm_xlat_tables.h has been renamed to xlat_tables_compat.h and
moved to a common folder. This way, when in doubt, this header can be
used to guarantee compatibility, as it includes the correct header based
on XLAT_TABLES_LIB_V2.
This patch also removes the usage of ARM_XLAT_TABLES_V1 from QEMU (so
that is now locked in xlat lib v2) and ZynqMP (where it was added as a
workaround).
Change-Id: Ie1e22a23b44c549603d1402a237a70d0120d3e04
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
It has only been tested with a system clock of 24 MHz.
It has only been implemented for the multi console API.
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Some of the SGx platforms use System Identification (SID) registers
for platform identification. Add support for these registers in css.
Change-Id: If00b18744a31ff2cf14338f18c8c680eb69c9027
Signed-off-by: Chandni Cherukuri <chandni.cherukuri@arm.com>
The current version of libfdt (1.4.2) has been modified to integrate it
in this repository. In order to do a clean import it is needed to remove
the current version first.
Change-Id: I2cab8c8e5632280d282fa7a2f2339768a0ad1e0f
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
The definitions FAIL_CONTROL_*_SHIFT were incorrect, they have been
fixed.
The types tzc_region_attributes_t and tzc_action_t have been removed and
replaced by unsigned int because it is not allowed to do logical
operations on enums.
Also, fix some address definitions in arm_def.h.
Change-Id: Id37941d76883f9fe5045a5f0a4224c133c504d8b
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
The "Reduced Serial Bus" is an Allwinner specific bus, bearing many
similarities with I2C. It sports a much higher bus frequency, though,
(typically 3 MHz) and requires much less handholding for the typical
task of manipulating slave registers (fire-and-forget).
On most A64 boards this bus is used to connect the PMIC to the SoC.
This driver provides basic primitives to read and write slave registers,
it will be later used by the PMIC code.
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
The `finish_console_register` macro is used by the multi console
framework to register the `console_t` driver callbacks. It relied
on weak references to the `ldr` instruction to populate 0 to the
callback in case the driver has not defined the appropriate
function. Use of `ldr` instruction to load absolute address to a
reference makes the binary position dependant. These instructions
should be replaced with adrp/adr instruction for position independant
executable(PIE). But adrp/adr instructions don't work well with weak
references as described in GNU ld bugzilla issue 22589.
This patch defines a new version of `finish_console_register` macro
which can spcify which driver callbacks are valid and deprecates the
old one. If any of the argument is not specified, then the macro
populates 0 for that callback. Hence the functionality of the previous
deprecated macro is preserved. The USE_FINISH_CONSOLE_REG_2 define
is used to select the new variant of the macro and will be removed
once the deprecated variant is removed.
All the upstream console drivers have been migrated to use the new
macro in this patch.
NOTE: Platforms be aware that the new variant of the
`finish_console_register` should be used and the old variant is
deprecated.
Change-Id: Ia6a67aaf2aa3ba93932992d683587bbd0ad25259
Signed-off-by: Soby Mathew <soby.mathew@arm.com>
Add 16-bit variant of mmio_clrsetbits function
Signed-off-by: Grzegorz Jaszczyk <jaz@semihalf.com>
Signed-off-by: Konstantin Porotchkin <kostap@marvell.com>
When HW_ASSISTED_COHERENCY is enabled we can use spinlocks
instead of using the more complex and slower bakery algorithm.
Change-Id: I9d791a70050d599241169b9160a67e57d5506564
Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
Pointer authentication is an Armv8.3 feature that introduces
instructions that can be used to authenticate and verify pointers.
Pointer authentication instructions are allowed to be accessed from all
ELs but only when EL3 explicitly allows for it; otherwise, their usage
will trap to EL3. Since EL3 doesn't have trap handling in place, this
patch unconditionally disables all related traps to EL3 to avoid
potential misconfiguration leading to an unhandled EL3 exception.
FixesARM-software/tf-issues#629
Change-Id: I9bd2efe0dc714196f503713b721ffbf05672c14d
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
macro jump_if_cpu_midr is used commonly by many arm platform.
It has now been relocated to common place to remove duplication
of code.
Change-Id: Ic0876097dbc085df4f90eadb4b7687dde7c726da
Signed-off-by: Deepak Pandey <Deepak.Pandey@arm.com>
Whereas the GPT table is read with io_block, the binaries to be loaded
(e.g. BL33) cannot use it, as it is not suitable to read them block by
block, or the boot time would be very bad.
Signed-off-by: Yann Gautier <yann.gautier@st.com>
This IO is required to read binaries with STM32 header.
This header is added with the stm32image tool.
Signed-off-by: Yann Gautier <yann.gautier@st.com>
To boot on eMMC or SD-cards, STM32MP1 platform needs:
- GPT_IMAGE_ID to read GPT table on those devices
- STM32_IMAGE_ID and IO_TYPE_STM32IMAGE to read images with STM32 header
- IO_TYPE_MMC to have a IO for MMC devices
Signed-off-by: Yann Gautier <yann.gautier@st.com>
This driver is for the STMicroelectronics sdmmc2 IP
which is in STM32MP1 SoC.
It uses the MMC framework, and can address either eMMC or SD-card.
Signed-off-by: Yann Gautier <yann.gautier@st.com>
The object pool allocator provides a simplistic interface to manage
allocation in a fixed-size static array. The caller creates a static
"object pool" out of such an array and may then call pool_alloc() to
get the next available object within the pool. There is also a variant
to get multiple consecutive objects: pool_alloc_n().
Note that this interface does not provide any way to free the objects
afterwards. This is by design and it is not a limitation. We do not
want to introduce complexity induced by memory freeing, such as
use-after-free bugs, memory fragmentation and so on.
Change-Id: Iefc2e153767851fbde5841a295f92ae48adda71f
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
This file is shared between FVP and all CSS platforms. While it may be
true that some definitions can be common, it doesn't make sense
conceptually. For example, the stack size depends on the platform and so
does the SRAM size.
After removing them, there are not enough common definitions to justify
having this header, so the other definitions have been moved to the
platform_def.h of FVP, board_css_def.h and arm_def.h.
Change-Id: Ifbf4b017227f9dfefa1a430f67d7d6baae6a4ba1
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
The definitions of the logging macros are reordered to be consistent
with the definitions of the log levels.
Change-Id: I6ff07b93eb64786ff147d39014d1c8e15db28444
Signed-off-by: John Tsichritzis <john.tsichritzis@arm.com>
This way it can be reused by other platforms if needed.
Note that this driver is designed to work with the Versatile Express NOR
flash of Juno and FVP. In said platforms, the memory is organized as an
interleaved memory of two chips with a 16 bit word.
Any platform that wishes to reuse it with a different configuration will
need to modify the driver so that it is more generic.
Change-Id: Ic721758425864e0cf42b7b9b04bf0d9513b6022e
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Before switching to new API the scp_bl2 handler was invoked from
bl2/bl2_image_load.c which was removed. Invoke the platform specific
scp_bl2 handler in analogy to ARM and HiSilicon.
Signed-off-by: Grzegorz Jaszczyk <jaz@semihalf.com>
Map the initialization code for BL31 to overlap with the memory
required for the secondary cores stack. Once BL31 has been
initialized the memory can be remapped to RW data so that it can
be used for secondary cores stacks. By moving code from .text to
.text.init the size of the BL31 image is decreased by a page.
Split arm_common.ld.S into two linker scripts, one for tzc_dram
(arm_tzc_dram.ld.S) and one for reclaiming initialization code
(arm_reclaim_init.ld.S) so that platforms can chose which memory
regions they wish to include.
Change-Id: I648e88f3eda1aa71765744cf34343ecda9320b32
Signed-off-by: Daniel Boulby <daniel.boulby@arm.com>
This patch introduces a build flag "RECLAIM_INIT_CODE" to mark boot time
code which allows platforms to place this memory in an appropriate
section to be reclaimed later. This features is primarily targeted for
BL31. Appropriate documentation updates are also done.
Change-Id: If0ca062851614805d769c332c771083d46599194
Signed-off-by: Daniel Boulby <daniel.boulby@arm.com>
This option makes it hard to optimize the memory definitions of all Arm
platforms because any change in the common defines must work in all of
them. The best thing to do is to remove it and move the definition to
each platform's header.
FVP, SGI and SGM were using the definitions in board_arm_def.h. The
definitions have been copied to each platform's platform_def.h. Juno
was already using the ones in platform_def.h, so there have been no
changes.
Change-Id: I9aecd11bbc72a3d0d7aad1ef9934d8df21dcfaf2
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Respect official response type and update response to follow
official specification.
All the MMC_RESPONSE_R(_x) are replaced with each corresponding define.
Partly revert 2a82a9c95f for dw_mmc.c:
Responses R1, R1B and R5 have CRC.
Signed-off-by: Lionel Debieve <lionel.debieve@st.com>
Signed-off-by: Yann Gautier <yann.gautier@st.com>
- Migrate to bl2_early_platform_setup2().
- Remove references to removed build options.
- Use private definition of bl31_params_t.
This is an incomplete migration, the platform doesn't currently compile.
Change-Id: I1ae477b1f2489f49b651528050fdf06e4a55e425
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
- Remove references to removed build options.
- Remove support for legacy GIC driver.
- Remove support for LOAD_IMAGE_V2=0.
Change-Id: I72f8c05620bdf4a682765e6e53e2c04ca749a3d5
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
The affected interfaces are bl31_early_platform_setup(),
sp_min_early_platform_setup() and bl2_early_platform_setup().
Change-Id: I50c01ec68bcbe97fe4e5d101bcd0f763358b8e1e
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
The code of LOAD_IMAGE_V2=0 has been removed.
Change-Id: Iea03e5bebb90c66889bdb23f85c07d0c9717fffe
Co-authored-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Allow AArch32 to use the multi console driver by adding the
required functions
Change-Id: I9e69f18965f320074cf75442d6b0de891aef7936
Signed-off-by: Daniel Boulby <daniel.boulby@arm.com>
PAR register used here is a 64 bit register.
On AARCH32 BIT macro is BIT_32.
PAR_ADDR_MASK should then use BIT_64 to avoid overflow.
Signed-off-by: Yann Gautier <yann.gautier@st.com>
The patch 7b56928 unified the FWU mechanism on FVP and Juno
platforms due to issues with MCC firmware not preserving the
NVFLAGS. With MCCv150 firmware, this issue is resolved. Also
writing to the NOR flash while executing from the same flash
in Bypass mode had some stability issues. Hence, since the
MCC firmware issue is resolved, this patch reverts to the
NVFLAGS mechanism to detect FWU. Also, with the introduction
of SDS (Shared Data Structure) by the SCP, the reset syndrome
needs to queried from the appropriate SDS field.
Change-Id: If9c08f1afaaa4fcf197f3186887068103855f554
Signed-off-by: Sathees Balya <sathees.balya@arm.com>
Signed-off-by: Soby Mathew <Soby.Mathew@arm.com>
After introducing the Mbed TLS shared heap optimisation, reducing BL2
size by 3 pages didn't leave enough space for growth. We give 1 page
back to maximum BL2 size.
Change-Id: I4f05432f00b923693160f69a4e4ec310a37a2b16
Signed-off-by: John Tsichritzis <john.tsichritzis@arm.com>
The Marvell A8K SoCs use the MI2CV IP core from Mentor Graphics, which
is also used by Allwinner.
As Mentor Graphics allows a lot of customization, the MI2CV in the two
SoC families are not compatible, and driver modifications are needed.
Extract the common code to a MI2CV driver.
Signed-off-by: Icenowy Zheng <icenowy@aosc.io>
'dmb ld' is not a recognized instruction for ARMv7. Since generic code
may use 'dmb ld', alias it to 'dmb' when building for ARMv7.
Change-Id: I502f360cb6412897ca9580b725d9f79469a7612e
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
For Denver CPUs, this approach enables the mitigation during EL3
initialization, following every PE reset. No mechanism is provided to
disable the mitigation at runtime.
This approach permanently mitigates the EL3 software stack only. Other
software components are responsible to enable it for their exception
levels.
TF-A implements this approach for the Denver CPUs with DENVER_MIDR_PN3
and earlier:
* By setting bit 11 (Disable speculative store buffering) of
`ACTLR_EL3`
* By setting bit 9 (Disable speculative memory disambiguation) of
`ACTLR_EL3`
TF-A implements this approach for the Denver CPUs with DENVER_MIDR_PN4
and later:
* By setting bit 18 (Disable speculative store buffering) of
`ACTLR_EL3`
* By setting bit 17 (Disable speculative memory disambiguation) of
`ACTLR_EL3`
Change-Id: If1de96605ce3f7b0aff5fab2c828e5aecb687555
Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>
Denver CPUs expect the power state field to be reset to 'C1'
during boot. This patch updates the reset handler to reset the
ACTLR_.PMSTATE field to 'C1' state during CPU boot.
Change-Id: I7cb629627a4dd1a30ec5cbb3a5e90055244fe30c
Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>
Add response flag into ID definition so that driver does not
need to handle it again.
Signed-off-by: Jun Nie <jun.nie@linaro.org>
Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
This patch reduces BL2 size by 12kB. Thanks to the shared Mbed TLS heap
between BL1 and BL2, BL2 now requires less memory since it doesn't need
to allocate a heap anymore.
Change-Id: I58a15f8c424273650c9f55112abe88105b6cdbae
Signed-off-by: John Tsichritzis <john.tsichritzis@arm.com>
This patch introduces the shared Mbed TLS heap optimisation for Arm
platforms. The objective is the Mbed TLS heap to be shared between BL1
and BL2 so as to not allocate the heap memory twice. To achieve that,
the patch introduces all the necessary helpers for implementing this
optimisation. It also applies it for FVP.
Change-Id: I6d85eaa1361517b7490956b2ac50f5fa0d0bb008
Signed-off-by: John Tsichritzis <john.tsichritzis@arm.com>
The Mbed TLS drivers, in order to work, need a heap for internal usage.
This heap, instead of being directly referenced by the drivers, now it
is being accessed indirectly through a pointer. Also, the heap, instead
of being part of the drivers, now it is being received through the
plat_get_mbedtls_heap() function. This function requests a heap from the
current BL image which utilises the Mbed TLS drivers.
Those changes create the opportunity for the Mbed TLS heap to be shared
among different images, thus saving memory. A default heap
implementation is provided but it can be overridden by a platform
specific, optimised implemenetation.
Change-Id: I286a1f10097a9cdcbcd312201eea576c18d157fa
Signed-off-by: John Tsichritzis <john.tsichritzis@arm.com>
This patch enables handling PMU overflow IRQ by GIC SPI's
directly in EL3. Also implement additional SMC routine,
which can disable the solution on demand in runtime.
Since it is possible to configure PMU interrupt trigger type
in the MADT ACPI table, it is enough to set it only once in EL3
during initialization.
Change-Id: Ie76aa62ccc4fd7cabfec9e3d5ed9970ada1c1b2a
Signed-off-by: Marcin Wojtas <mw@semihalf.com>
Reviewed-by: Kostya Porotchkin <kostap@marvell.com>
This patch introduces new helper routines that allow
configuring the individual IRQs to be edge/level-triggered
via GICD_ICFGR registers. This is helpful to modify
the default configuration of the non-secure GIC SPI's, which
are all set during initialization to be level-sensitive.
Change-Id: I23deb4a0381691a686a3cda52405aa1dfd5e56f2
Signed-off-by: Marcin Wojtas <mw@semihalf.com>
Reviewed-by: Kostya Porotchkin <kostap@marvell.com>
Rename a8k_common.h to armada_common.h to keep the same header
name across all other Marvell Armada platforms.
This is especially useful since various Marvell platforms may
use common platform files and share the driver modules.
Change-Id: I7262105201123d54ccddef9aad4097518f1e38ef
Signed-off-by: Konstantin Porotchkin <kostap@marvell.com>
When any of these functions is called the backtrace will be printed to
the console.
Change-Id: Id60842df824b320c485a9323ed6b80600f4ebe35
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
This function diplays the backtrace, the current EL and security state
to allow a post-processing tool to choose the right binary to interpret
the dump.
The output can be fed to GNU addr2line to resolve function names given
an ELF binary compiled with debug information. The "-i" flag is
recommended to improve display in case of inlined functions. The *.dump
files generated during the build process can also be used.
The function works in AArch64 and AArch32. In AArch32 it only works in
A32 mode (without T32 interworking), which is enforced in the Makefile.
Sample output of a backtrace at EL3:
BACKTRACE: START: function_name
0: EL3: 0x798
1: EL3: 0x538
2: EL3: 0x550
3: EL3: 0x55c
4: EL3: 0x568
5: EL3: 0x5a8
6: EL3: 0xf4
BACKTRACE: END: function_name
In order to enable it the new option ENABLE_BACKTRACE must be set to 1.
This option is set to 1 by default only in AArch64 debug builds. As
usual, it can be overridden by the platform makefile and in the build
command line.
Change-Id: Icaff39b0e5188329728be2f3c72b868b2368e794
Co-authored-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Signed-off-by: Douglas Raillard <douglas.raillard@arm.com>
Change their names to printf and snprintf. They are much smaller than
the previous versions we had, which makes them better suited for the
Trusted Firmware.
Change-Id: Ia872af91b7b967c47fce012eccecede7873a3daf
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
The C standard says that printf() has to return the number of characters
it has printed.
Change-Id: I0ef50b1d6766d140724ac0a2fa2c5d023431f984
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
The codebase was using non-standard headers. It is needed to replace
them by the correct ones so that we can use the new libc headers.
Change-Id: I530f71d9510cb036e69fe79823c8230afe890b9d
Acked-by: Sumit Garg <sumit.garg@linaro.org>
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Only leave the parts relevant to the Trusted Firmware.
Change-Id: I0444c16e402f6c1629211d03bf6cb32ca3dbcf59
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Taken from http://git.simple-cc.org/scc/ from the following commit:
67508ad14af314cea2229783d3c084f28c41daf0
Permission has been granted from the author to use them under the
license BSD-3-Clause instead of ISC.
Change-Id: I65c0ce3ab60c49d34a57533af12a74bd7bde88e5
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Remove code specific to FreeBSD so that they can be used in this
repository.
Change-Id: I5c11eb5b3c05a7fb91aed08371a1f7a0e6122a94
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Remove all files that don't have only Arm copyright. This is the first
step to cleanup the C library in this repository. They will be re-added
in the following patches.
Change-Id: I72c40a1620d1df3228fc397ec695d569a20245fd
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
These changes address most of the required MISRA rules. In the process,
some from generic code is also fixed.
No functional changes.
Change-Id: I707dbec9b34b802397e99da2f5ae738165d6feba
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
These changes address most of the required MISRA rules. In the process,
some from generic code is also fixed.
No functional changes.
Change-Id: I76cacf6e1d73b09510561b5090c2bb66d81bec88
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
These changes address most of the required MISRA rules. In the process,
some from generic code are also fixed.
No functional changes.
Change-Id: I19786070af7bc5e1f6d15bdba93e22a4451d8fe9
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
These changes address most of the required MISRA rules. In the process,
some from generic code is also fixed.
No functional changes.
Change-Id: I6235a355e006f0b1c7c1c4d811b3964a64d0434f
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
Memory Partitioning And Monitoring is an Armv8.4 feature that enables
various memory system components and resources to define partitions.
Software running at various ELs can then assign themselves to the
desired partition to control their performance aspects.
With this patch, when ENABLE_MPAM_FOR_LOWER_ELS is set to 1, EL3 allows
lower ELs to access their own MPAM registers without trapping to EL3.
This patch however doesn't make use of partitioning in EL3; platform
initialisation code should configure and use partitions in EL3 if
required.
Change-Id: I5a55b6771ccaa0c1cffc05543d2116b60cbbcdcd
Co-authored-by: James Morse <james.morse@arm.com>
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
If the system is in near idle conditions, this erratum could cause a
deadlock or data corruption. This patch applies the workaround that
prevents this.
This DSU erratum affects only the DSUs that contain the ACP interface
and it was fixed in r2p0. The workaround is applied only to the DSUs
that are actually affected.
Link to respective Arm documentation:
http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.epm138168/index.html
Change-Id: I033213b3077685130fc1e3f4f79c4d15d7483ec9
Signed-off-by: John Tsichritzis <john.tsichritzis@arm.com>
The translation library is useful elsewhere. Even though this repository
doesn't exercise the EL2 support of the library, it is better to have it
here as well to make it easier to maintain.
enable_mmu_secure() and enable_mmu_direct() have been deprecated. The
functions are still present, but they are behind ERROR_DEPRECATED and
they call the new functions enable_mmu_svc_mon() and
enable_mmu_direct_svc_mon().
Change-Id: I13ad10cd048d9cc2d55e0fff9a5133671b67dcba
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Migrate dw_mmc driver from emmc framework to mmc framework. The
emmc framework will be abandoned.
Signed-off-by: Haojian Zhuang <haojian.zhuang@linaro.org>
mmc_read_blocks()/mmc_write_blocks() derived from io_block_ops_t
type. It means that lba param should be integer type, not
unsigned integer type.
Signed-off-by: Haojian Zhuang <haojian.zhuang@linaro.org>
Changed the names for consistency with the rest of the library. Introduced
new helpers that manipulate the active translation tables context.
Change-Id: Icaca56b67fcf6a96e88aa3c7e47411162e8e6856
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Romlib is a new image that is stored in ROM and contains the code of
several libraries that can be shared between different images. All
the functions within in the library are accessed using a jump table
which allows to update the romlib image whithout changing the binary
compatibility. This jump table can be also stored in RAM and it can
allow to patch a romlib with potential bugs fixes..
Change-Id: If980ccdaca24b7aaca900e32acc68baf6f94ab35
Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
TF Makefile was linking all the objects files generated for the
c library instead of creating a static library that could be
used in the linking stage.
Change-Id: I721daea097e9b13cbb42c9f8eaa2af8fea0799cf
Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
TF won't build since no memory region is specified
for when SEPARATE_CODE_AND_RODATA=0 it still relies on
the ARM_MAP_BL_RO_DATA region which is never defined for
this case. Create memory region combining code and RO data for
when the build flag SEPARATE_CODE_AND_RODATA=0 to fix this
Change-Id: I6c129eb0833497710cce55e76b8908ce03e0a638
Signed-off-by: Daniel Boulby <daniel.boulby@arm.com>
This would enable us to write semantically sensible code.
Change-Id: Ie7c75f9c024f671a037448f5c0922174fff3f0ce
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
Set the function pointers in the console struct and the functions
they point to to const since they only need to be defined when
the console is being initialised and should not be changed after
Change-Id: I0574307111e3ab2f13d1a4a74c3fa75532dfa4be
Signed-off-by: Daniel Boulby <daniel.boulby@arm.com>
The SGI platforms need to allocate memory for CPER buffers. These
platform buffers would be placed between the shared reserved memory
and the per cpu stack memory, thus the need to redefine stack base
pointer for these platforms. This patch allows each board in ARM
platform to define the PLAT_SP_IMAGE_STACK_BASE.
Change-Id: Ib5465448b860ab7ab0f645f7cb278a67acce7be9
Signed-off-by: Sughosh Ganu <sughosh.ganu@arm.com>
Include arm_spm_def.h in the platform_def.h file. Without this
inclusion, we get build errors like
In file included from services/std_svc/spm/sp_setup.c:12:0:
services/std_svc/spm/sp_setup.c: In function 'spm_sp_setup':
services/std_svc/spm/sp_setup.c:61:57: error: 'PLAT_SPM_BUF_BASE'
undeclared (first use in this function)
write_ctx_reg(get_gpregs_ctx(ctx), CTX_GPREG_X0, PLAT_SPM_BUF_BASE);
Now that the platform_def.h includes arm_spm_def.h, remove inclusion
of platform_def.h in arm_spm_def.h to remove the circular dependency.
Change-Id: I5225c8ca33fd8d288849524395e436c3d56daf17
Signed-off-by: Sughosh Ganu <sughosh.ganu@arm.com>
Those device tree files are taken from STM32MP1 U-Boot and Linux.
And they are updated to fit TF-A needs.
Signed-off-by: Yann Gautier <yann.gautier@st.com>
Signed-off-by: Lionel Debieve <lionel.debieve@st.com>
The DDR driver is under dual license, BSD and GPLv2.
The configuration parameters are taken from device tree.
Signed-off-by: Yann Gautier <yann.gautier@st.com>
Signed-off-by: Patrick Delaunay <patrick.delaunay@st.com>
Signed-off-by: Nicolas Le Bayon <nicolas.le.bayon@st.com>
Signed-off-by: Lionel Debieve <lionel.debieve@st.com>
If a PMIC companion chip is present on board, it has to be configured
for regulators supplies.
This check is done with board DT configuration.
Signed-off-by: Yann Gautier <yann.gautier@st.com>
Signed-off-by: Pascal Paillet <p.paillet@st.com>
The management of pinctrl nodes of device tree is also added.
Signed-off-by: Yann Gautier <yann.gautier@st.com>
Signed-off-by: Mathieu Belou <mathieu.belou@st.com>
Signed-off-by: Nicolas Le Bayon <nicolas.le.bayon@st.com>
The clock driver is under dual license, BSD and GPLv2.
The clock driver uses device tree, so a minimal support for this is added.
The required files for driver and DTS files are in include/dt-bindings/.
Signed-off-by: Yann Gautier <yann.gautier@st.com>
Signed-off-by: Patrick Delaunay <patrick.delaunay@st.com>
Signed-off-by: Nicolas Le Bayon <nicolas.le.bayon@st.com>
Signed-off-by: Lionel Debieve <lionel.debieve@st.com>
STM32MP1 is a microprocessor designed by STMicroelectronics,
based on a dual Arm Cortex-A7.
It is an Armv7-A platform, using dedicated code from TF-A.
STM32MP1 uses BL2 compiled with BL2_AT_EL3.
Signed-off-by: Yann Gautier <yann.gautier@st.com>
Signed-off-by: Mathieu Belou <mathieu.belou@st.com>
Signed-off-by: Etienne Carriere <etienne.carriere@st.com>
Signed-off-by: Lionel Debieve <lionel.debieve@st.com>
Signed-off-by: Nicolas Le Bayon <nicolas.le.bayon@st.com>
Signed-off-by: Patrick Delaunay <patrick.delaunay@st.com>
Signed-off-by: Pascal Paillet <p.paillet@st.com>
Change arm_setup_page_tables() to take a variable number of memory
regions. Remove coherent memory region from BL1, BL2 and BL2U as
their coherent memory region doesn't contain anything and
therefore has a size of 0. Add check to ensure this
doesn't change without us knowing.
Change-Id: I790054e3b20b056dda1043a4a67bd7ac2d6a3bc0
Signed-off-by: Daniel Boulby <daniel.boulby@arm.com>
This also gets rid of MISRA violations for Rule 8.3 and 8.4.
Change-Id: I45bba011b16f90953dd4b260fcd58381f978eedc
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
BL2U is running out of stack during firmware update. Increase
stack size to prevent this
Change-Id: I9b1a4e237a00172c6738c84b455b3878ab184cb8
Signed-off-by: Daniel Boulby <daniel.boulby@arm.com>
Add missing parentheses to fix MISRA C-2012 Rule 12.1.
Also, the result of a comparison is an essentially boolean value, it
isn't needed to return 1 or 0 depending on it.
Also, fix header guards (MISRA C-2012 Rule 21.1).
Change-Id: I90c0bcdeb2787c1ca659fc9a981808ece7958de3
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
utils_def.h already has U() and ULL(), but not UL(), which is needed for
types like uinptr_t and u_register_t.
Also added L() and LL() for signed values.
Change-Id: I0654df80d57149ff49507c52f1b27f3d500486a0
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Uncontainable errors are the most severe form of errors, which typically
mean that the system state can't be trusted any more. This further means
that normal error recovery process can't be followed, and an orderly
shutdown of the system is often desirable.
This patch allows for the platform to define a handler for Uncontainable
errors received. Due to the nature of Uncontainable error, the handler
is expected to initiate an orderly shutdown of the system, and therefore
is not expected to return. A default implementation is added which falls
back to platform unhandled exception.
Also fix ras_arch.h header guards.
Change-Id: I072e336a391a0b382e77e627eb9e40729d488b55
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
Add common Marvell ARMADA platform components.
This patch also includes common components for Marvell
ARMADA 8K platforms.
Change-Id: I42192fdc6525a42e46b3ac2ad63c83db9bcbfeaf
Signed-off-by: Hanna Hawa <hannah@marvell.com>
Signed-off-by: Konstantin Porotchkin <kostap@marvell.com>
Add i2c driver for A8K SoC family.
Change-Id: I5932b2fce286d84fc3ad5a74c4c456001faa3196
Signed-off-by: Hanna Hawa <hannah@marvell.com>
Signed-off-by: Konstantin Porotchkin <kostap@marvell.com>
Add thermal driver for A8K SoC family.
The termal unit data is used by Marvell DRAM initialization
code for optimizing the memory controller configuration
Change-Id: Iad92689fa6e4224a89d872e9aa015393abd9cf73
Signed-off-by: Hanna Hawa <hannah@marvell.com>
Signed-off-by: Konstantin Porotchkin <kostap@marvell.com>
Add LLC (L3) cache management drivers for Marvell SoCs
AP806, AP807 and AP810
Change-Id: Ic70710f9bc5b6b48395d62212df7011e2fbb5894
Signed-off-by: Hanna Hawa <hannah@marvell.com>
Signed-off-by: Konstantin Porotchkin <kostap@marvell.com>
Add ModularChip and MCI drivers for A8K SoC family.
ModularChip drivers include support for the internal building
blocks of Marvell ARMADA SoCs - APN806, APN807 and CP110
Change-Id: I9559343788fa2e5eb47e6384a4a7d47408787c02
Signed-off-by: Hanna Hawa <hannah@marvell.com>
Signed-off-by: Konstantin Porotchkin <kostap@marvell.com>
Add address decoding unit drivers for Marvell SoCs.
Address decoding flow and address translation units chart
are located at docs/marvell/misc/mvebu-a8k-addr-map.txt
Change-Id: Id6ce311fa1f4f112df3adfac5d20449f495f71ed
Signed-off-by: Hanna Hawa <hannah@marvell.com>
Signed-off-by: Konstantin Porotchkin <kostap@marvell.com>
Define the values as unsigned int or unsigned long long based on the
actual size of the register. This prevents subtle issues caused by
having a type that is too small. For example:
#define OPTION_ENABLE 0x3
#define OPTION_SHIFT 32
uint64_t mask = OPTION_ENABLE << OPTION_SHIFT;
Because OPTION_ENABLE fits in an int, the value is considered an int.
This means that, after shifting it 32 places to the left, the final
result is 0. The correct way to define the values is:
#define OPTION_ENABLE ULL(0x3)
#define OPTION_SHIFT U(32)
In this case, the compiler is forced to use a 64 bit value from the
start, so shifting it 32 places to the left results in the expected
value.
Change-Id: Ieaf2ffc2d8caa48c622db011f2aef549e713e019
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
This library can be used in other projects. All comments that talk about
the Trusted Firmware should be talking about the library itself.
Change-Id: I3b98d42f7132be72c1f8a4900acfaa78dbd2daa2
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
This allows other parts of the code to reuse it. No functional changes.
Change-Id: Ib052ae235c422d9179958bd3016c3e678779ae9b
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Most registers are 64-bit wide, even in AArch32 mode:
- MAIR_ELx is equivalent to MAIR0 and MAIR1.
- TTBR is 64 bit in both AArch64 and AArch32.
The only difference is the TCR register, which is 32 bit in AArch32 and
in EL3 in AArch64. For consistency with the rest of ELs in AArch64, it
makes sense to also have it as a 64-bit value.
Change-Id: I2274d66a28876702e7085df5f8aad0e7ec139da9
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
The Exception Level is now detected at runtime. This means that it is not
needed to hardcode the EL used by each image.
This doesn't result in a substantial increase of the image size because
the initialization functions that aren't used are garbage-collected by
the linker.
In AArch32 the current EL has been changed from EL3 to EL1 because the
the AArch32 PL1&0 translation regime behaves more like the AArch64 EL1&0
translation regime than the EL3 one.
Change-Id: I941404299ebe7666ca17619207c923b49a55cb73
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Even if the log output is too low for a message to be printed out on
the console by the debug macros, it should still be evaluated by the
compiler to get some type checking and validation of the format
specifiers. To do so, introduce the no_tf_log() macro that encloses
the call to tf_log() in an always-false condition.
This avoids the problem of discovering build issues only when we build
the firmware with the right LOG_LEVEL value.
Change-Id: Ic0fd252ab691d0187fd925756a4837aca1cbfd7b
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
The ARM_INSTANTIATE_LOCK macro defines a lock meant to be further
manipulated using the arm_lock_init/get/release() macros. It has 2
variants, depending on the BL image it is compiled for. One version
defines the lock variable with internal linkage whereas the other one,
with external linkage.
Code that uses these macros is not compliant with MISRA rule 8.4 because
when using the external linkage version, there is no visible declaration
for the lock variable.
This patch defines the arm_lock variable with internal linkage in both
cases. This fits well the way these macros are used in the code today,
where the lock is not used outside of the translation unit it is
defined in.
Change-Id: I213a74a2a6088a4f1e9a61a319ca7579c2001320
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
This check was added to ensure the correct behaviour of fill_constants
macro. This macro has been verified and it is known his correct
behaviour. The check generates an error when the clang assembler is
used, so it is better to remove the check.
Change-Id: I3447ff9e9e5ee5cf0502f65e53c3d105d9396b8b
Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
This directive is not implemented by clang assembler. The traditional
way to implement structs in assembly is using two macros for every field,
one for the offset, and another one for the size. For every field, the
offset can be calculated using the size and offset of the previous field.
Change-Id: Iacc6781e8f302fb925898737b8e85ab4e88a51cc
Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
Check_vector_size checks if the size of the vector fits
in the size reserved for it. This check creates problems in
the Clang assembler. A new macro, end_vector_entry, is added
and check_vector_size is deprecated.
This new macro fills the current exception vector until the next
exception vector. If the size of the current vector is bigger
than 32 instructions then it gives an error.
Change-Id: Ie8545cf1003a1e31656a1018dd6b4c28a4eaf671
Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
These directives are only used when stabs debugging information
is used, but we use ELF which uses DWARF debugging information.
Clang assembler doesn't support these directives, and removing
them makes the code more compatible with clang.
Change-Id: I2803f22ebd24c0fe248e04ef1b17de9cec5f89c4
Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
Clang linker doesn't support NEXT. As we are not using the MEMORY command
to define discontinuous memory for the output file in any of the linker
scripts, ALIGN and NEXT are equivalent.
Change-Id: I867ffb9c9a76d4e81c9ca7998280b2edf10efea0
Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
Rule 8.3: All declarations of an object or function shall
use the same names and type qualifiers.
Fixed for:
make DEBUG=1 PLAT=juno ARCH=aarch32 AARCH32_SP=sp_min RESET_TO_SP_MIN=1 JUNO_AARCH32_EL3_RUNTIME=1 bl32
Change-Id: Ia34f5155e1cdb67161191f69e8d1248cbaa39e1a
Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
This change is largely based on existing eMMC framework by Haojian Zhuang
(@hzhuang1).
The MMC framework supports both eMMC and SD card devices. It was
written as a new framework since breaking few eMMC framework APIs.
At card probe and after the reset to idle command (CMD0), a Send
Interface Condition Command is sent (CMD8) to distinguish between
eMMC and SD card devices. eMMC devices go through the same
sequence as in the former eMMC framework. Else the framework
uses commands dedicated to SD-cards for init or frequency switch.
A structure is created to share info with the driver. It stores:
- the MMC type (eMMC, SD or SD HC)
- the device size
- the max frequency supported by the device
- the block size: 512 for eMMC and SD-HC and read from CSD
structure for older SD-cards
Restriction to align buffers on block size has been removed.
Cache maintenance was removed and is expected to be done in the platform
or device driver.
The MMC framework includes some MISRA compliance coding style
maybe not yet ported in the existing eMMC framework.
FixesARM-software/tf-issues#597
Signed-off-by: Yann Gautier <yann.gautier@st.com>
Casting a pointer to a struct uuid into a pointer to uint32_t may
result in a pointer that is not correctly aligned, which constitutes
an undefined behaviour. In the case of TF, this also generates a data
abort because alignment fault checking is enabled (through the SCTLR.A
bit).
This patch modifies the SMC_UUID_RET() macro to read the uuid
structure without any pointer aliasing. A helper function then
combines every set of 4 bytes into a 32-bit value suitable to be
returned through the x0-x3 registers.
This fixes a violation of MISRA rule 11.3.
Change-Id: I53ee73bb4cb332f4d8286055ceceb6f347caa080
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
Instead of having one big file with all the code, it's better to have
a few smaller files that are more manageable:
- xlat_tables_core.c: Code related to the core functionality of the
library (map and unmap regions, initialize xlat context).
- xlat_tables_context.c: Instantiation of the active image context
as well as APIs to manipulate it.
- xlat_tables_utils.c: Helper code that isn't part of the core
functionality (change attributes, debug print messages).
Change-Id: I3ea956fc1afd7473c0bb5e7c6aab3b2e5d88c711
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
At present, the function provided by the translation library to enable
MMU constructs appropriate values for translation library, and programs
them to the right registers. The construction of initial values,
however, is only required once as both the primary and secondaries
program the same values.
Additionally, the MMU-enabling function is written in C, which means
there's an active stack at the time of enabling MMU. On some systems,
like Arm DynamIQ, having active stack while enabling MMU during warm
boot might lead to coherency problems.
This patch addresses both the above problems by:
- Splitting the MMU-enabling function into two: one that sets up
values to be programmed into the registers, and another one that
takes the pre-computed values and writes to the appropriate
registers. With this, the primary effectively calls both functions
to have the MMU enabled, but secondaries only need to call the
latter.
- Rewriting the function that enables MMU in assembly so that it
doesn't use stack.
This patch fixes a bunch of MISRA issues on the way.
Change-Id: I0faca97263a970ffe765f0e731a1417e43fbfc45
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
The meaning of them wasn't clear in the header file, it was needed to
search the code for the places where they are used.
Add parentheses to macros in the same header.
Change-Id: I700bc0fd75ccfc0a34f439cb3b2692861bb73b9b
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
This is to fix a number of Coverity Scan DEADCODE defects, CID numbers
listed below, as reported from
https://scan.coverity.com/projects/arm-software-arm-trusted-firmware
CID 267023
CID 267022
CID 267020
Change-Id: I2963a799b210149e84ccab5c5b9082267ddfe337
Signed-off-by: Nariman Poushin <nariman.poushin@linaro.org>
The values defined in this type are used in logical operations, which
goes against MISRA Rule 10.1: "Operands shall not be of an inappropriate
essential type".
Now, `unsigned int` is used instead. This also allows us to move the
dynamic mapping bit from 30 to 31. It was an undefined behaviour in the
past because an enum is signed by default, and bit 31 corresponds to the
sign bit. It is undefined behaviour to modify the sign bit. Now, bit 31
is free to use as it was originally meant to be.
mmap_attr_t is now defined as an `unsigned int` for backwards
compatibility.
Change-Id: I6b31218c14b9c7fdabebe432de7fae6e90a97f34
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
SDEI event dispatches currently only sets up the Non-secure context
before returning to the caller. The actual dispatch only happens upon
exiting EL3 next time.
However, for various error handling scenarios, it's beneficial to have
the dispatch happen synchronously. I.e. when receiving SDEI interrupt,
or for a successful sdei_dispatch_event() call, the event handler is
executed; and upon the event completion, dispatcher execution resumes
after the point of dispatch. The jump primitives introduced in the
earlier patch facilitates this feature.
With this patch:
- SDEI interrupts and calls to sdei_dispatch_event prepares the NS
context for event dispatch, then sets a jump point, and immediately
exits EL3. This results in the client handler executing in
Non-secure.
- When the SDEI client completes the dispatched event, the SDEI
dispatcher does a longjmp to the jump pointer created earlier. For
the caller of the sdei_dispatch_event() in particular, this would
appear as if call returned successfully.
The dynamic workaround for CVE_2018_3639 is slightly shifted around as
part of related minor refactoring. It doesn't affect the workaround
functionality.
Documentation updated.
NOTE: This breaks the semantics of the explicit dispatch API, and any
exiting usages should be carefully reviewed.
Change-Id: Ib9c876d27ea2af7fb22de49832e55a0da83da3f9
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
This patch introduces setjmp() and ongjmp() primitives to enable
standard setjmp/longjmp style execution. Both APIs parameters take a
pointer to struct jmpbuf type, which hosts CPU registers saved/restored
during jump.
As per the standard usage:
- setjmp() return 0 when a jump is setup; and a non-zero value when
returning from jump.
- The caller of setjmp() must not return, or otherwise update stack
pointer since.
Change-Id: I4af1d32e490cfa547979631b762b4cba188d0551
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
The current macros only allow to define dynamic and statically-bound
SDEI events. However, there ought be a mechanism to define SDEI events
that are explicitly dispatched; i.e., events that are dispatched as a
result of a previous secure interrupt or other exception
This patch introduces SDEI_EXPLICIT_EVENT() macro to define an explicit
event. They must be placed under private mappings. Only the priority
flags are allowed to be additionally specified.
Documentation updated.
Change-Id: I2e12f5571381195d6234c9dfbd5904608ad41db3
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
It may be needed to enter the Secure Partition through other means than
an MM_COMMUNICATE SMC. This patch enables this behaviour by extracting
the necessary code from mm_communicate() and allowing other parts of the
code to use it.
Change-Id: I59f6638d22d9c9d0baff0984f39d056298a8dc8e
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Currently TF-A doesn't initialise CNTFRQ register in CNTCTLBase
frame of the system timer. ARM ARM states that "The instance of
the register in the CNTCTLBase frame must be programmed with this
value as part of system initialization."
The psci_arch_setup() updates the CNTFRQ system register but
according to the ARM ARM, this instance of the register is
independent of the memory mapped instance. This is only an issue
for Normal world software which relies on the memory mapped
instance rather than the system register one.
This patch resolves the issue for ARM platforms.
The patch also solves a related issue on Juno, wherein
CNTBaseN.CNTFRQ can be written and does not reflect the value of
the register in CNTCTLBase frame. Hence this patch additionally
updates CNTFRQ register in the Non Secure frame of the CNTBaseN.
FixesARM-Software/tf-issues#593
Change-Id: I09cebb6633688b34d5b1bc349fbde4751025b350
Signed-off-by: Soby Mathew <soby.mathew@arm.com>
The old API is deprecated and will eventually be removed.
Arm platforms now use the multi console driver for boot and runtime
consoles. However, the crash console uses the direct console API because
it doesn't need any memory access to work. This makes it more robust
during crashes.
The AArch32 port of the Trusted Firmware doesn't support this new API
yet, so it is only enabled in AArch64 builds. Because of this, the
common code must maintain compatibility with both systems. SP_MIN
doesn't have to be updated because it's only used in AArch32 builds.
The TSP is only used in AArch64, so it only needs to support the new
API without keeping support for the old one.
Special care must be taken because of PSCI_SYSTEM_SUSPEND. In Juno, this
causes the UARTs to reset (except for the one used by the TSP). This
means that they must be unregistered when suspending and re-registered
when resuming. This wasn't a problem with the old driver because it just
restarted the UART, and there were no problems associated with
registering and unregistering consoles.
The size reserved for BL2 has been increased.
Change-Id: Icefd117dd1eb9c498921181a21318c2d2435c441
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Having these definitions in board_arm_def.h forces to
all the arm platforms to use the same definition for
PLAT_ARM_MEM_PROT_ADDR.
This macro also enables the mem-protect mechanism,
which means that all the arm platform has enabled
mem-protect and they cannot get rid of it.
Change-Id: Id29d2c51cbe6edc15f010a9f5a20c42266c48a08
Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
When applying some MISRA rules, lots of issues are raised with BIT macro
on AARCH32, and cast on uint32_t would be required (Rule 10.3).
The macros BIT_32 and BIT_64 are then created for 32bit and 64bit.
Then the BIT macro defaults on BIT_64 on AARCH64,
and on BIT_32 on AARCH32.
Signed-off-by: Yann Gautier <yann.gautier@st.com>
Import GENMASK_32 and GENMASK_64 macros from optee-os (permissive license).
And default GENMASK is set to GENMASK_32 for AARCH32,
and to GENMASK_64 for 64bit arch.
fixesarm-software/tf-issues#596
Signed-off-by: Yann Gautier <yann.gautier@st.com>
Signed-off-by: Nicolas Le Bayon <nicolas.le.bayon@st.com>
RFC4122 defines that fields are stored in network order (big endian),
but TF-A stores them in machine order (little endian by default in TF-A).
We cannot change the future UUIDs that are already generated, but we can store
all the bytes using arrays and modify fiptool to generate the UUIDs with
the correct byte order.
Change-Id: I97be2d3168d91f4dee7ccfafc533ea55ff33e46f
Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
The translation tables allocated for the Secure Partition do not need
to be treated as a special case. They can be put amongst the other
tables mapping BL31's general purpose memory. They will be mapped with
the same attributes as them, which is fine.
The explicit alignment constraint in BL31's linker script to pad the
last page of memory allocated to the Secure Partition's translation
tables is useless too, as page tables are per se pages, thus their
end address is naturally aligned on a page-boundary.
In fact, this patch does not change the existing behaviour. Since
patch 22282bb68a ("SPM: Move all SP-related info to SP context
struct"), the secure_partition.c file has been renamed into sp_xlat.c
but the linker script has not been properly updated. As a result, the
SP translation tables are not specifically put at the start of the
xlat_table linker section, the __SP_IMAGE_XLAT_TABLES_START__/_END__
symbols have the same value, the size of the resulting mmap_region
covering these xlat tables is 0 and so it is ignored.
Change-Id: I4cf0a4cc090298811cca53fc9cee74df0f2b1512
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
The function xlat_arch_is_granule_size_supported() can be used to check
if a specific granule size is supported. In Armv8, AArch32 only supports
4 KiB pages. AArch64 supports 4 KiB, 16 KiB or 64 KiB depending on the
implementation, which is detected at runtime.
The function xlat_arch_get_max_supported_granule_size() returns the max
granule size supported by the implementation.
Even though right now they are only used by SPM, they may be useful in
other places in the future. This patch moves the code currently in SPM
to the xlat tables lib so that it can be reused.
Change-Id: If54624a5ecf20b9b9b7f38861b56383a03bbc8a4
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Use a _ prefix for Macro arguments to prevent that argument from
hiding variables of the same name in the outer scope
Rule 5.3: An identifier declared in an inner scope shall not
hide an identifier declared in an outer scope
Fixed For:
make LOG_LEVEL=50 PLAT=fvp
Change-Id: I67b6b05cbad4aeca65ce52981b4679b340604708
Signed-off-by: Daniel Boulby <daniel.boulby@arm.com>
Conflict with function name and variable name within that function.
Change the name of the function from image_size to get_image_size
to remove conflict and make the function fit the normal project
naming convention.
Rule 5.3: An identifier declared in an inner scope shall not
hide an identifier declared in an outer scope
Fixed For:
make LOG_LEVEL=50 PLAT=fvp
Change-Id: I1a63d2730113e2741fffa79730459c584b0224d7
Signed-off-by: Daniel Boulby <daniel.boulby@arm.com>
On TI platforms the UART is disabled by default and must be explicitly
enabled using the MDR1 register.
NOTE: The original definition of
http://www.ti.com/lit/ds/symlink/pc16550d.pdf has no MDR register, but
many TI SoCs implementing 16550 do have a quirky MDR register
implemented. So, this should be enabled with TI_16550_MDR_QUIRK
NOTE: In such implementation, the CSR register does not exist.
Signed-off-by: Benjamin Fair <b-fair@ti.com>
Signed-off-by: Nishanth Menon <nm@ti.com>
Signed-off-by: Andrew F. Davis <afd@ti.com>
For the BL2_AT_EL3 configuration, move BL2 higher up to make more
space for BL31. Adjust the BL31 limit to be up to BL2 base. This is
because BL2 is always resident for the BL2_AT_EL3 configuration and
thus we cannot overlay it with BL31.
Change-Id: I71e89863ed48f5159e8b619f49c7c73b253397aa
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>
When dynamic mitigation is used, the SDEI handler is required to
execute with the mitigation enabled by default, regardless of the
mitigation state for lower ELs. This means that if the kernel or
hypervisor explicitly disables the mitigation and then later when the
event is dispatched, the dispatcher will remember the mitigation state
for the lower ELs but force the mitigation to be on during the SDEI
handler execution. When the SDEI handler returns, it will restore the
mitigation state.
This behaviour is described in "Firmware interfaces for mitigating
cache speculation vulnerabilities System Software on Arm Systems"[0].
[0] https://developer.arm.com/cache-speculation-vulnerability-firmware-specification
Change-Id: I8dd60b736be0aa9e832b0f92d67a401fdeb417f4
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>
The Cortex-A76 implements SMCCC_ARCH_WORKAROUND_2 as defined in
"Firmware interfaces for mitigating cache speculation vulnerabilities
System Software on Arm Systems"[0].
Dynamic mitigation for CVE-2018-3639 is enabled/disabled by
setting/clearning bit 16 (Disable load pass store) of `CPUACTLR2_EL1`.
NOTE: The generic code that implements dynamic mitigation does not
currently implement the expected semantics when dispatching an SDEI
event to a lower EL. This will be fixed in a separate patch.
[0] https://developer.arm.com/cache-speculation-vulnerability-firmware-specification
Change-Id: I8fb2862b9ab24d55a0e9693e48e8be4df32afb5a
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>
The workaround uses the instruction patching feature of the Ares cpu.
Change-Id: I868fce0dc0e8e41853dcce311f01ee3867aabb59
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>
Both Cortex-Ares and Cortex-A76 CPUs use the ARM DynamIQ Shared Unit
(DSU). The power-down and power-up sequences are therefore mostly
managed in hardware, and required software operations are simple.
Change-Id: I3a9447b5bdbdbc5ed845b20f6564d086516fa161
Signed-off-by: Isla Mitchell <isla.mitchell@arm.com>
The patch changes the layout of BL images in memory to enable
more efficient use of available space. Previously BL31 was loaded
with the expectation that BL2 memory would be reclaimed by BL32
loaded in SRAM. But with increasing memory requirements in the
firmware, we can no longer fit BL32 in SRAM anymore which means the
BL2 memory is not reclaimed by any runtime image. Positioning BL2
below BL1-RW and above BL31 means that the BL31 NOBITS can be
overlaid on BL2 and BL1-RW.
This patch also propogates the same memory layout to BL32 for AArch32
mode. The reset addresses for the following configurations are also
changed :
* When RESET_TO_SP_MIN=1 for BL32 in AArch32 mode
* When BL2_AT_EL3=1 for BL2
The restriction on BL31 to be only in DRAM when SPM is enabled
is now removed with this change. The update to the firmware design
guide for the BL memory layout is done in the following patch.
Change-Id: Icca438e257abe3e4f5a8215f945b9c3f9fbf29c9
Signed-off-by: Soby Mathew <soby.mathew@arm.com>
BL31 is running out of space, and the use-case of SPM doesn't require it
to be in SRAM. To prevent BL31 from running out of space in the future,
move BL31 to DRAM if SPM is enabled.
Secure Partition Manager design document updated to reflect the changes.
Increased the size of the stack of BL31 for builds with SPM.
The translation tables used by SPM in Arm platforms have been moved back
to the 'xlat_tables' region instead of 'arm_el3_tzc_dram'. Everything is
in DRAM now, so it doesn't make sense to treat them in a different way.
Change-Id: Ia6136c8e108b8da9edd90e9d72763dada5e5e5dc
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Move all information related to a Secure Partition to the struct
secure_partition_context_t.
This requires an in-depth refactor because most of the previous code of
SPM relied on global information.
Change-Id: I0a23e93817dcc191ce1d7506b8bc671d376123c4
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
This function can be currently accessed through the wrappers
cm_init_context_by_index() and cm_init_my_context(). However, they only
work on contexts that are associated to a CPU.
By making this function public, it is possible to set up a context that
isn't associated to any CPU. For consistency, it has been renamed to
cm_setup_context().
Change-Id: Ib2146105abc8137bab08745a8adb30ca2c4cedf4
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Some CPUS may benefit from using a dynamic mitigation approach for
CVE-2018-3639. A new SMC interface is defined to allow software
executing in lower ELs to enable or disable the mitigation for their
execution context.
It should be noted that regardless of the state of the mitigation for
lower ELs, code executing in EL3 is always mitigated against
CVE-2018-3639.
NOTE: This change is a compatibility break for any platform using
the declare_cpu_ops_workaround_cve_2017_5715 macro. Migrate to
the declare_cpu_ops_wa macro instead.
Change-Id: I3509a9337ad217bbd96de9f380c4ff8bf7917013
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>
For affected CPUs, this approach enables the mitigation during EL3
initialization, following every PE reset. No mechanism is provided to
disable the mitigation at runtime.
This approach permanently mitigates the entire software stack and no
additional mitigation code is required in other software components.
TF-A implements this approach for the following affected CPUs:
* Cortex-A57 and Cortex-A72, by setting bit 55 (Disable load pass store) of
`CPUACTLR_EL1` (`S3_1_C15_C2_0`).
* Cortex-A73, by setting bit 3 of `S3_0_C15_C0_0` (not documented in the
Technical Reference Manual (TRM)).
* Cortex-A75, by setting bit 35 (reserved in TRM) of `CPUACTLR_EL1`
(`S3_0_C15_C1_0`).
Additionally, a new SMC interface is implemented to allow software
executing in lower ELs to discover whether the system is mitigated
against CVE-2018-3639.
Refer to "Firmware interfaces for mitigating cache speculation
vulnerabilities System Software on Arm Systems"[0] for more
information.
[0] https://developer.arm.com/cache-speculation-vulnerability-firmware-specification
Change-Id: I084aa7c3bc7c26bf2df2248301270f77bed22ceb
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>
This patch renames symbols and files relating to CVE-2017-5715 to make
it easier to introduce new symbols and files for new CVE mitigations.
Change-Id: I24c23822862ca73648c772885f1690bed043dbc7
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>
This patch adds soc_fw_config, tos_fw_config and nt_fw_config to the FVP.
The config files are placeholders and do not have any useful bindings
defined. The tos_fw_config is packaged in FIP and loaded by BL2 only
if SPD=tspd. The load address of these configs are specified in tb_fw_config
via new bindings defined for these configs. Currently, in FVP, the
soc_fw_config and tos_fw_config is loaded in the page between BL2_BASE
and ARM_SHARED_RAM. This memory was typically used for BL32 when
ARM_TSP_RAM_LOCATION=tsram but since we cannot fit BL32 in that
space anymore, it should be safe to use this memory for these configs.
There is also a runtime check in arm_bl2_dyn_cfg_init() which ensures
that this overlap doesn't happen.
The previous arm_dyn_get_hwconfig_info() is modified to accept configs
other than hw_config and hence renamed to arm_dyn_get_config_load_info().
The patch also corrects the definition of ARM_TB_FW_CONFIG_LIMIT to be
BL2_BASE.
Change-Id: I03a137d9fa1f92c862c254be808b8330cfd17a5a
Signed-off-by: Soby Mathew <soby.mathew@arm.com>
This patch implements support for adding dynamic configurations for
BL31 (soc_fw_config), BL32 (tos_fw_config) and BL33 (nt_fw_config). The
necessary cert tool support and changes to default chain of trust are made
for these configs.
Change-Id: I25f266277b5b5501a196d2f2f79639d838794518
Signed-off-by: Soby Mathew <soby.mathew@arm.com>
This patch adds capability to FVP to disable authentication dynamically
via the `disable_auth` property in TB_FW_CONFIG. Both BL1 and BL2 parses
the TB_FW_CONFIG for the `disable_auth` property and invokes the
`load_dyn_disable_auth()` API to disable authentication if the
property is set to 1. The DYN_DISABLE_AUTH is enabled by default for
FVP as it is a development platform. Note that the TB_FW_CONFIG has to
be authenticated by BL1 irrespective of these settings.
The arm_bl2_dyn_cfg_init() is now earlier in bl2_plat_preload_setup()
rather than in bl2_platform_setup() as we need to get the value of
`disable_auth` property prior to authentication of any image by BL2.
Change-Id: I734acd59572849793e5020ec44c6ac51f654a4d1
Signed-off-by: Soby Mathew <soby.mathew@arm.com>
This patch allows platforms to dynamically disable authentication of
images during cold boot. This capability is controlled via the
DYN_DISABLE_AUTH build flag and is only meant for development
purposes.
Change-Id: Ia3df8f898824319bb76d5cc855b5ad6c3d227260
Signed-off-by: Soby Mathew <soby.mathew@arm.com>
In 'console_set_scope' and when registering a console, field 'flags' of
'console_t' is assigned a 32-bit value. However, when it is actually
used, the functions perform 64-bit reads to access its value. This patch
changes all 64-bit reads to 32-bit reads.
Change-Id: I181349371409e60065335f078857946fa3c32dc1
Signed-off-by: Daniel Boulby <daniel.boulby@arm.com>
This reverts commit 2f18aa1fa3.
It is causing some tests to fail. Until the cause is found and fixed, it
is needed to remove this commit from master.
Change-Id: Ic5ff7a841903a15613e00379e87cbbd8a0e85152
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
SGI-575's NSRAM is neither in the same place nor the same size as Juno's.
Change-Id: Id6d692e9c7e9c1360014bb525eda966ebe29c823
Signed-off-by: Chris Kay <chris.kay@arm.com>
The bounds check in ARM_CASSERT_MMAP does not take into account the
array sentinel in plat_arm_mmap. This commit fixes this, and adds an
additional check to ensure the number of entries in the array is
within the bounds of PLAT_ARM_MMAP_ENTRIES.
Change-Id: Ie6df10c0aa0890d62826bc3224ad7b3e36fd53e2
Signed-off-by: Chris Kay <chris.kay@arm.com>
There are three calls to mmap_add_region() that always occur in
arm_setup_page_tables(), and two further calls based on whether coherent
memory is enabled, and whether SPM is enabled in BL31.
This commit adapts the ARM_BL_REGIONS definition to match the number of
calls made inside arm_setup_page_tables() so that the MAX_MMAP_REGIONS
is realigned with what is actually occurring.
Change-Id: I7adc05951abccf2cbd5c86280eb874911e6a1566
Signed-off-by: Chris Kay <chris.kay@arm.com>
The old API is deprecated and will eventually be removed.
Arm platforms now use the multi console driver for boot and runtime
consoles. However, the crash console uses the direct console API because
it doesn't need any memory access to work. This makes it more robust
during crashes.
The AArch32 port of the Trusted Firmware doesn't support this new API
yet, so it is only enabled in AArch64 builds. Because of this, the
common code must maintain compatibility with both systems. SP_MIN
doesn't have to be updated because it's only used in AArch32 builds.
The TSP is only used in AArch64, so it only needs to support the new
API without keeping support for the old one.
Special care must be taken because of PSCI_SYSTEM_SUSPEND. In Juno, this
causes the UARTs to reset (except for the one used by the TSP). This
means that they must be unregistered when suspending and re-registered
when resuming. This wasn't a problem with the old driver because it just
restarted the UART, and there were no problems associated with
registering and unregistering consoles.
The size of BL31 has been increased in builds with SPM.
Change-Id: Icefd117dd1eb9c498921181a21318c2d2435c441
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
In the multi console driver, allowing to register the same console more
than once may result in an infinte loop when putc is called.
If, for example, a boot message is trying to be printed, but the
consoles in the loop in the linked list are runtime consoles, putc will
iterate forever looking for a console that can print boot messages (or
a NULL pointer that will never come).
This loop in the linked list can occur after restoring the system from a
system suspend. The boot console is registered during the cold boot in
BL31, but the runtime console is registered even in the warm boot path.
Consoles are always added to the start of the linked list when they are
registered, so this it what should happen if they were actually
different structures:
console_list -> NULL
console_list -> BOOT -> NULL
console_list -> RUNTIME -> BOOT -> NULL
console_list -> RUNTIME -> RUNTIME -> BOOT -> NULL
In practice, the two runtime consoles are the same one, so they create
this loop:
console_list -> RUNTIME -. X -> BOOT -> NULL
^ |
`----'
This patch adds an assertion to detect this problem. The assertion will
fail whenever the same structure tries to be registered while being on
the list.
In order to assert this, console_is_registered() has been implemented.
It returns 1 if the specified console is registered, 0 if not.
Change-Id: I922485e743775ca9bd1af9cbd491ddd360526a6d
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>