Changed the ordering of the log levels in the documentation to
mate the code
Change-Id: Ief1930b73d833fdf675b039c98046591c0c264c1
Signed-off-by: Daniel Boulby <daniel.boulby@arm.com>
The stdint header was introduced to rk3399's plat_sip_calls.c in order
to fix missing stdint definitions. However, ordering headers
alphabetically caused the fix to be ineffective, as stint was then
included after the offending header file (dfs.h).
Move the stdint include to that header to properly fix the issue.
Change-Id: Ieaad37a7932786971488ab58fc5b169bfa79e197
Signed-off-by: Paul Kocialkowski <contact@paulk.fr>
The translation tables allocated for the Secure Partition do not need
to be treated as a special case. They can be put amongst the other
tables mapping BL31's general purpose memory. They will be mapped with
the same attributes as them, which is fine.
The explicit alignment constraint in BL31's linker script to pad the
last page of memory allocated to the Secure Partition's translation
tables is useless too, as page tables are per se pages, thus their
end address is naturally aligned on a page-boundary.
In fact, this patch does not change the existing behaviour. Since
patch 22282bb68a ("SPM: Move all SP-related info to SP context
struct"), the secure_partition.c file has been renamed into sp_xlat.c
but the linker script has not been properly updated. As a result, the
SP translation tables are not specifically put at the start of the
xlat_table linker section, the __SP_IMAGE_XLAT_TABLES_START__/_END__
symbols have the same value, the size of the resulting mmap_region
covering these xlat tables is 0 and so it is ignored.
Change-Id: I4cf0a4cc090298811cca53fc9cee74df0f2b1512
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
The function xlat_arch_is_granule_size_supported() can be used to check
if a specific granule size is supported. In Armv8, AArch32 only supports
4 KiB pages. AArch64 supports 4 KiB, 16 KiB or 64 KiB depending on the
implementation, which is detected at runtime.
The function xlat_arch_get_max_supported_granule_size() returns the max
granule size supported by the implementation.
Even though right now they are only used by SPM, they may be useful in
other places in the future. This patch moves the code currently in SPM
to the xlat tables lib so that it can be reused.
Change-Id: If54624a5ecf20b9b9b7f38861b56383a03bbc8a4
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
In the context management library, cm_setup_context() takes the
information in ep_info to fill the registers x0-x7. This patch replaces
the current code that sets them manually by the correct initialization
code.
Change-Id: Id1fdf4681b154026c2e3af1f9b05b19582b7d16d
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Rule 5.7: A tag name shall be a unique identifier
Follow convention of shorter names for smaller scope to fix
violations of MISRA rule 5.7
Fixed For:
make ARM_TSP_RAM_LOCATION=tdram LOG_LEVEL=50 PLAT=fvp SPD=opteed
Change-Id: I5fbb5d6ebddf169550eddb07ed880f5c8076bb76
Signed-off-by: Daniel Boulby <daniel.boulby@arm.com>
Follow convention of shorter names for smaller scope to fix
violations of MISRA rule 5.7
To prevent violation of directive 4.5 having variable name channel
in css_pm_scmi.c not being typographically ambiguous change macro
argument CHANNEL in css_mhu_doorbell.h change argument to _channel
to fit with our convention which is a permitted exception of
directive 4.5 for this project
Rule 5.7: A tag name shall be a unique identifier
Fixed for:
make LOG_LEVEL=50 PLAT=juno
Change-Id: I147cdb13553e83ed7df19149b282706db115d612
Signed-off-by: Daniel Boulby <daniel.boulby@arm.com>
Rule 5.7: A tag name shall be a unique identifier
There were 2 amu_ctx struct type definitions:
- In lib/extensions/amu/aarch64/amu.c
- In lib/cpus/aarch64/cpuamu.c
Renamed the latter to cpuamu_ctx to avoid this name clash
To avoid violation of Rule 8.3 also change name of function
amu_ctxs to unique name (cpuamu_ctxs) since it now returns a
different type (cpuamu_ctx) than the other amu_ctxs function
Fixed for:
make LOG_LEVEL=50 PLAT=fvp
Change-Id: Ieeb7e390ec2900fd8b775bef312eda93804a43ed
Signed-off-by: Daniel Boulby <daniel.boulby@arm.com>
Use a _ prefix for macro arguments to prevent that argument from
hiding variables of the same name in the outer scope
Rule 5.3: An identifier declared in an inner scope shall not
hide an identifier declared in an outer scope
Fixed For:
make LOG_LEVEL=50 PLAT=juno
Change-Id: I575fbc96e8267f2b075e88def1f6e3185394613a
Signed-off-by: Daniel Boulby <daniel.boulby@arm.com>
Use a _ prefix for macro arguments to prevent that argument from
hiding variables of the same name in the outer scope
Rule 5.3: An identifier declared in an inner scope shall not
hide an identifier declared in an outer scope
Fixed For:
make PLAT=fvp USE_COHERENT_MEM=0
Change-Id: If50c583d3b63799ee6852626b15be00c0f6b10a0
Signed-off-by: Daniel Boulby <daniel.boulby@arm.com>
Use a _ prefix for macro arguments to prevent that argument from
hiding variables of the same name in the outer scope
Rule 5.3: An identifier declared in an inner scope shall not
hide an identifier declared in an outer scope
Fixed For:
make PLAT=fvp SPD=tspd
Change-Id: I2d711b9584c4cb9ba3814ecd2ca65a42b7e24179
Signed-off-by: Daniel Boulby <daniel.boulby@arm.com>
Use a _ prefix for Macro arguments to prevent that argument from
hiding variables of the same name in the outer scope
Rule 5.3: An identifier declared in an inner scope shall not
hide an identifier declared in an outer scope
Fixed For:
make LOG_LEVEL=50 PLAT=fvp
Change-Id: I67b6b05cbad4aeca65ce52981b4679b340604708
Signed-off-by: Daniel Boulby <daniel.boulby@arm.com>
Conflict with function name and variable name within that function.
Change the name of the function from image_size to get_image_size
to remove conflict and make the function fit the normal project
naming convention.
Rule 5.3: An identifier declared in an inner scope shall not
hide an identifier declared in an outer scope
Fixed For:
make LOG_LEVEL=50 PLAT=fvp
Change-Id: I1a63d2730113e2741fffa79730459c584b0224d7
Signed-off-by: Daniel Boulby <daniel.boulby@arm.com>
Rule 5.1: External identifiers shall be distinct
Some of the identifier names in the GICv3 driver were so long that the
first 31 characters were identical. This patch shortens these names to
make sure they are different.
Fixed for:
LOG_LEVEL=50 PLAT=fvp
Change-Id: Iecd551e3a015d144716b87b42c83dd3ab8c34d90
Signed-off-by: Daniel Boulby <daniel.boulby@arm.com>
The slave ports of LD20 CCI-500 are connected as follows:
S0: CA53
S1: CA72
Be careful because the slave interface is not arranged in the
cluster number order (CA72: cluster 0, CA53: cluster 1).
Root-caused-by: Tetsuya Yoshizaki <yoshizaki.tetsuya@socionext.com>
Signed-off-by: Satoshi Ikawa <ikawa.satoshi@socionext.com>
On TI platforms the UART is disabled by default and must be explicitly
enabled using the MDR1 register.
NOTE: The original definition of
http://www.ti.com/lit/ds/symlink/pc16550d.pdf has no MDR register, but
many TI SoCs implementing 16550 do have a quirky MDR register
implemented. So, this should be enabled with TI_16550_MDR_QUIRK
NOTE: In such implementation, the CSR register does not exist.
Signed-off-by: Benjamin Fair <b-fair@ti.com>
Signed-off-by: Nishanth Menon <nm@ti.com>
Signed-off-by: Andrew F. Davis <afd@ti.com>
For the BL2_AT_EL3 configuration, move BL2 higher up to make more
space for BL31. Adjust the BL31 limit to be up to BL2 base. This is
because BL2 is always resident for the BL2_AT_EL3 configuration and
thus we cannot overlay it with BL31.
Change-Id: I71e89863ed48f5159e8b619f49c7c73b253397aa
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>
Rule 21.15: The pointer arguments to the Standard Library functions
memcpy, memmove and memcmp shall be pointers to qualified or unqualified
versions of compatible types.
Basically that means that both pointer arguments must be of the same
type. However, even if the pointers passed as arguments to the above
functions are of the same type, Coverity still thinks it's a violation
if we do pointer arithmetics directly at the function call. Thus the
pointer arithmetic operations were moved outside of the function
argument.
First detected on the following configuration
make PLAT=fvp LOG_LEVEL=50
Change-Id: I8b912ec1bfa6f2d60857cb1bd453981fd7001b94
Signed-off-by: John Tsichritzis <john.tsichritzis@arm.com>
When dynamic mitigation is used, the SDEI handler is required to
execute with the mitigation enabled by default, regardless of the
mitigation state for lower ELs. This means that if the kernel or
hypervisor explicitly disables the mitigation and then later when the
event is dispatched, the dispatcher will remember the mitigation state
for the lower ELs but force the mitigation to be on during the SDEI
handler execution. When the SDEI handler returns, it will restore the
mitigation state.
This behaviour is described in "Firmware interfaces for mitigating
cache speculation vulnerabilities System Software on Arm Systems"[0].
[0] https://developer.arm.com/cache-speculation-vulnerability-firmware-specification
Change-Id: I8dd60b736be0aa9e832b0f92d67a401fdeb417f4
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>
The Cortex-A76 implements SMCCC_ARCH_WORKAROUND_2 as defined in
"Firmware interfaces for mitigating cache speculation vulnerabilities
System Software on Arm Systems"[0].
Dynamic mitigation for CVE-2018-3639 is enabled/disabled by
setting/clearning bit 16 (Disable load pass store) of `CPUACTLR2_EL1`.
NOTE: The generic code that implements dynamic mitigation does not
currently implement the expected semantics when dispatching an SDEI
event to a lower EL. This will be fixed in a separate patch.
[0] https://developer.arm.com/cache-speculation-vulnerability-firmware-specification
Change-Id: I8fb2862b9ab24d55a0e9693e48e8be4df32afb5a
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>
The upcoming patch that adds dynamic mitigation for Cortex-A76
requires that DYNAMIC_WORKAROUND_CVE_2018_3639=1. On FVP, we pull in
all the CPU files into the build which means there will be a build
failure if DYNAMIC_WORKAROUND_CVE_2018_3639=0.
Change-Id: I2e781cbeafbf5d16eaabf76a1677e0c9f81269d2
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>
The workaround uses the instruction patching feature of the Ares cpu.
Change-Id: I868fce0dc0e8e41853dcce311f01ee3867aabb59
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>
Both Cortex-Ares and Cortex-A76 CPUs use the ARM DynamIQ Shared Unit
(DSU). The power-down and power-up sequences are therefore mostly
managed in hardware, and required software operations are simple.
Change-Id: I3a9447b5bdbdbc5ed845b20f6564d086516fa161
Signed-off-by: Isla Mitchell <isla.mitchell@arm.com>
This patch bumps up the BL1-RW size for Juno and at the same time reduces
the BL2 size when TBB is enabled, TF_MBEDTLS_KEY_ALG=rsa+ecdsa. The BL2
size for this config is reduced as it was observed that the peak memory
usage is only reached when SPD=opteed and the dual rsa+ecdsa support is
not needed for this case.
Change-Id: Ia9009771b5cfd805e9cc75410aabb7db99fc2fbc
Signed-off-by: Soby Mathew <soby.mathew@arm.com>
When SMCCC_ARCH_WORKAROUND_1 is invoked from a lower EL running in
AArch32 state, ensure that the SMC call will take a shortcut in EL3.
This minimizes the time it takes to apply the mitigation in EL3.
When lower ELs run in AArch32, it is preferred that they execute the
`BPIALL` instruction to invalidate the BTB. However, on some cores
the `BPIALL` instruction may be a no-op and thus would benefit from
making the SMCCC_ARCH_WORKAROUND_1 call go through the fast path.
Change-Id: Ia38abd92efe2c4b4a8efa7b70f260e43c5bda8a5
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>
This patch updates the firmware design guide for the BL memory
layout change on ARM platforms.
Change-Id: Icbfe7249484bb8b4ba3c94421172d42f27605c52
Signed-off-by: Soby Mathew <soby.mathew@arm.com>
The patch changes the layout of BL images in memory to enable
more efficient use of available space. Previously BL31 was loaded
with the expectation that BL2 memory would be reclaimed by BL32
loaded in SRAM. But with increasing memory requirements in the
firmware, we can no longer fit BL32 in SRAM anymore which means the
BL2 memory is not reclaimed by any runtime image. Positioning BL2
below BL1-RW and above BL31 means that the BL31 NOBITS can be
overlaid on BL2 and BL1-RW.
This patch also propogates the same memory layout to BL32 for AArch32
mode. The reset addresses for the following configurations are also
changed :
* When RESET_TO_SP_MIN=1 for BL32 in AArch32 mode
* When BL2_AT_EL3=1 for BL2
The restriction on BL31 to be only in DRAM when SPM is enabled
is now removed with this change. The update to the firmware design
guide for the BL memory layout is done in the following patch.
Change-Id: Icca438e257abe3e4f5a8215f945b9c3f9fbf29c9
Signed-off-by: Soby Mathew <soby.mathew@arm.com>
A pointer to rt_svc_desc_t was defined both in the
function and globally. The innermost definition
hid the global definition which is the one we want
to use so remove the innermost definition to prevent
this
Change-Id: Idabdbc0947178ae83224bd17a9b170df7c278d51
Signed-off-by: Daniel Boulby <daniel.boulby@arm.com>
The weak pragma was assigned twice to the bl2_plat_handle_post_image_load
definition both in plat/common/ and in plat/arm/common/ this was an error as
it should have only have been defined in plat/common
Change-Id: Id85e14c699cb09ed998d1677f2a172e760911918
Signed-off-by: Daniel Boulby <daniel.boulby@arm.com>
BL31 is running out of space, and the use-case of SPM doesn't require it
to be in SRAM. To prevent BL31 from running out of space in the future,
move BL31 to DRAM if SPM is enabled.
Secure Partition Manager design document updated to reflect the changes.
Increased the size of the stack of BL31 for builds with SPM.
The translation tables used by SPM in Arm platforms have been moved back
to the 'xlat_tables' region instead of 'arm_el3_tzc_dram'. Everything is
in DRAM now, so it doesn't make sense to treat them in a different way.
Change-Id: Ia6136c8e108b8da9edd90e9d72763dada5e5e5dc
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Simplify the code of the SMC handler by extracting the code of
SP_EVENT_COMPLETE and MM_COMMUNICATE.
Change-Id: I9250a3f5e4b807b35c9d044592c1074a45ab9a07
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Instead of just knowing if the Secure Partition is being initialized or
not, this generic state enum can be used to tell if the Secure Partition
is busy and to add more states in the future if needed.
Also, the spinlock of the secure_partition_context_t structure now only
protects against concurrent accesses to the state of the secure
partition. Previously, it used to lock down the whole structure, thus
preventing one CPU to access any of its fields while another CPU was
executing the partition.
Change-Id: I51215328e2ca8ea2452f92e4a1cb237415958b22
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
The current internal names are too long, which makes it hard to write
code as many lines overflow the limit and need to be split, which may
not help the reader.
Change-Id: I072bdc8f3dd125255063ffa7f02500e5228fc9a1
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Dimitris Papastamos
Daniel Boulby
Paul Kocialkowski
Sandrine Bailleux
Antonio Nino Diaz
Satoshi Ikawa
Benjamin Fair
John Tsichritzis
Isla Mitchell
Soby Mathew