The API description currently states that interrupt handlers
(interrupt_type_handler_t pointers) SHOULD return a pointer
to the target cpu_context.
This patch rewords the description of the interrupts handlers to state
that it MUST return a pointer to the target security context. It also
warns about potential portability issue. Specifically, this pointer is
not used on AArch64 and calls to context library APIs must be used to
ask BL31 to return to a specific context. However, this could change in
the future and interrupt handlers must always return the pointer.
Change-Id: I3f82a046de4d7a5b51a8cbebe7eb2a00dbbdb4f0
Signed-off-by: Douglas Raillard <douglas.raillard@arm.com>
Fix a link broken by a missing space that turned
it into a link to an non-existent anchor.
Change-Id: Ie863e963db28afa3a28b69d3f63bd7638bdf5af9
Signed-off-by: Douglas Raillard <douglas.raillard@arm.com>
This patch adds the secure payload dispatcher for interacting
with Google's Trusty TEE. Documentation for Trusty can be found
at https://source.android.com/security/trusty
Original authors:
-----------------
* Arve Hjønnevåg <arve@android.com>
* Michael Ryleev <gmar@google.com>
Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>
At present, build options in the user guide aren't listed in any
specific order. Ordering them alphabetically is a standard practice, and
is also easier on the reader.
Contents unchanged.
Change-Id: Ibc36f3a2a576edb86c1a402430d2ef5adcb2f144
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
This patch fixes the type of the return value of bl1_plat_mem_check()
in the porting guide. It also specifies the expected return value.
Change-Id: I7c437342b8bfb1e621d74b2edf0aaf97b913216a
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
Updated the user guide to clarify building FIP for AArch32.
The instructions were previously specific to building a FIP for AArch64.
Change-Id: I7bd1a6b8e810cfda411f707e04f479006817858e
Signed-off-by: David Cunado <david.cunado@arm.com>
The user guide incorrectly claimed that it is possible to load a
bootwrapped kernel over JTAG on Juno in the same manner as an EL3
payload. In the EL3 payload boot flow, some of the platform
initialisations in BL2 are modified. In particular, the TZC settings
are modified to allow unrestricted access to DRAM. This in turn allows
the debugger to access the DRAM and therefore to load the image there.
In the BL33-preloaded boot flow though, BL2 uses the default TZC
programming, which prevent access to most of the DRAM from secure state.
When execution reaches the SPIN_ON_BL1_EXIT loop, the MMU is disabled
and thus DS-5 presumably issues secure access transactions while trying
to load the image, which fails.
One way around it is to stop execution at the end of BL2 instead. At
this point, the MMU is still enabled and the DRAM is mapped as
non-secure memory. Therefore, the debugger is allowed to access this
memory in this context and to sucessfully load the bootwrapped kernel in
DRAM. The user guide is updated to suggest this alternative method.
Co-Authored-By: Sandrine Bailleux <sandrine.bailleux@arm.com>
Signed-off-by: Dan Handley <dan.handley@arm.com>
Change-Id: I537ea1c6d2f96edc06bc3f512e770c748bcabe94
This patch adds necessary updates for building and running Trusted
Firmware for AArch32 to user-guide.md. The instructions for running
on both `FVP_Base_AEMv8A-AEMv8A` in AArch32 mode and
`FVP_Base_Cortex-A32x4` models are added. The device tree files for
AArch32 Linux kernel are also added in the `fdts` folder.
Change-Id: I0023b6b03e05f32637cb5765fdeda8c8df2d0d3e
This patch adds the PSCI library integration guide for AArch32 ARMv8-A
systems `psci-lib-integration-guide.md` to the documentation. The
patch also adds appropriate reference to the new document in
the `firmware-design.md` document.
Change-Id: I2d5b5c6b612452371713399702e318e3c73a8ee0
This patch updates the User Guide to recommend the latest version
of some of the software dependencies of ARM Trusted Firmware.
- Upgrade Linaro release: 16.02 -> 16.06
- Upgrade FVPs
- Foundation v8 FVP: 9.5 -> 10.1
- Base FVPs: 7.6 -> 7.7
- Upgrade mbed TLS library: 2.2.0 -> 2.2.1
Note that the latest release of mbed TLS as of today is 2.3.0 but it has
compilations issues with the set of library configuration options that
Trusted Firmware uses. 2.2.1 is the next most recent release known to
build with TF.
This patch also fixes the markdown formatting of a link in the
User Guide.
Change-Id: Ieb7dd336f4d3110fba060afec4ad580ae707a8f1
This patch adds common changes to support AArch32 state in
BL1 and BL2. Following are the changes:
* Added functions for disabling MMU from Secure state.
* Added AArch32 specific SMC function.
* Added semihosting support.
* Added reporting of unhandled exceptions.
* Added uniprocessor stack support.
* Added `el3_entrypoint_common` macro that can be
shared by BL1 and BL32 (SP_MIN) BL stages. The
`el3_entrypoint_common` is similar to the AArch64
counterpart with the main difference in the assembly
instructions and the registers that are relevant to
AArch32 execution state.
* Enabled `LOAD_IMAGE_V2` flag in Makefile for
`ARCH=aarch32` and added check to make sure that
platform has not overridden to disable it.
Change-Id: I33c6d8dfefb2e5d142fdfd06a0f4a7332962e1a3
This patch adds capability to load BL images based on image
descriptors instead of hard coded way of loading BL images.
This framework is designed such that it can be readily adapted
by any BL stage that needs to load images.
In order to provide the above capability the following new
platform functions are introduced:
bl_load_info_t *plat_get_bl_image_load_info(void);
This function returns pointer to the list of images that the
platform has populated to load.
bl_params_t *plat_get_next_bl_params(void);
This function returns a pointer to the shared memory that the
platform has kept aside to pass trusted firmware related
information that next BL image needs.
void plat_flush_next_bl_params(void);
This function flushes to main memory all the params that
are passed to next image.
int bl2_plat_handle_post_image_load(unsigned int image_id)
This function can be used by the platforms to update/use
image information for given `image_id`.
`desc_image_load.c` contains utility functions which can be used
by the platforms to generate, load and executable, image list
based on the registered image descriptors.
This patch also adds new version of `load_image/load_auth_image`
functions in-order to achieve the above capability.
Following are the changes for the new version as compared to old:
- Refactor the signature and only keep image_id and image_info_t
arguments. Removed image_base argument as it is already passed
through image_info_t. Given that the BL image base addresses and
limit/size are already provided by the platforms, the meminfo_t
and entry_point_info arguments are not needed to provide/reserve
the extent of free memory for the given BL image.
- Added check for the image size against the defined max size.
This is needed because the image size could come from an
unauthenticated source (e.g. the FIP header).
To make this check, new member is added to the image_info_t
struct for identifying the image maximum size.
New flag `LOAD_IMAGE_V2` is added in the Makefile.
Default value is 0.
NOTE: `TRUSTED_BOARD_BOOT` is currently not supported when
`LOAD_IMAGE_V2` is enabled.
Change-Id: Ia7b643f4817a170d5a2fbf479b9bc12e63112e79
Partition driver requires the "PLAT_PARTITION_MAX_ENTRIES" definition.
By default, it's defined to 128 in partition driver. But it costs a lot
of memory, and only a few partition entries are really used in platform
partition table. If user wants use memory efficiently, user should
define the build flag in platform.mk instead.
Signed-off-by: Haojian Zhuang <haojian.zhuang@linaro.org>
This patch adds support for NODE_HW_STATE PSCI API by introducing a new
PSCI platform hook (get_node_hw_state). The implementation validates
supplied arguments, and then invokes this platform-defined hook and
returns its result to the caller. PSCI capabilities are updated
accordingly.
Also updates porting and firmware design guides.
Change-Id: I808e55bdf0c157002a7c104b875779fe50a68a30
This feature allows one to quickly verify that the expected
image is contained in the FIP without extracting the image and
running sha256sum(1) on it.
The sha256 digest is only shown when the verbose flag is used.
This change requires libssl-dev to be installed in order to build
Trusted Firmware. Previously, libssl-dev was optionally needed only
to support Trusted Board Boot configurations.
FixesARM-Software/tf-issues#124
Change-Id: Ifb1408d17f483d482bb270a589ee74add25ec5a6
This patch enables the AArch32 build including SP_MIN in the
top level Makefile. The build flag `ARCH` now can specify either
`aarch64`(default) or `aarch32`. Currently only FVP AEM model is
supported for AArch32 build. Another new build flag `AARCH32_SP`
is introduced to specify the AArch32 secure payload to be built.
Change-Id: Ie1198cb9e52d7da1b79b93243338fc3868b08faa
fiptool provides a more consistent and intuitive interface compared to
the fip_create program. It serves as a better base to build on more
features in the future.
fiptool supports various subcommands. Below are the currently
supported subcommands:
1) info - List the images contained in a FIP file.
2) create - Create a new FIP file with the given images.
3) update - Update an existing FIP with the given images.
4) unpack - Extract a selected set or all the images from a FIP file.
5) remove - Remove images from a FIP file. This is a new command that
was not present in fip_create.
To create a new FIP file, replace "fip_create" with "fiptool create".
To update a FIP file, replace "fip_create" with "fiptool update".
To dump the contents of a FIP file, replace "fip_create --dump" with
"fiptool info".
A compatibility script that emulates the basic functionality of
fip_create is provided. Existing scripts might or might not work with
the compatibility script. Users are strongly encouraged to migrate to
fiptool.
FixesARM-Software/tf-issues#87FixesARM-Software/tf-issues#108FixesARM-Software/tf-issues#361
Change-Id: I7ee4da7ac60179cc83cf46af890fd8bc61a53330
Compile option `ARM_BOARD_OPTIMISE_MMAP` has been renamed to
`ARM_BOARD_OPTIMISE_MEM` because it now applies not only to defines
related to the translation tables but to the image size as well.
The defines `PLAT_ARM_MAX_BL1_RW_SIZE`, `PLAT_ARM_MAX_BL2_SIZE` and
`PLAT_ARM_MAX_BL31_SIZE` have been moved to the file board_arm_def.h.
This way, ARM platforms no longer have to set their own values if
`ARM_BOARD_OPTIMISE_MEM=0` and they can specify optimized values
otherwise. The common sizes have been set to the highest values used
for any of the current build configurations.
This is needed because in some build configurations some images are
running out of space. This way there is a common set of values known
to work for all of them and it can be optimized for each particular
platform if needed.
The space reserved for BL2 when `TRUSTED_BOARD_BOOT=0` has been
increased. This is needed because when memory optimisations are
disabled the values for Juno of `PLAT_ARM_MMAP_ENTRIES` and
`MAX_XLAT_TABLES` are higher. If in this situation the code is
compiled in debug mode and with "-O0", the code won't fit.
Change-Id: I70a3d8d3a0b0cad1d6b602c01a7ea334776e718e
This patch introduces the PSCI Library interface. The major changes
introduced are as follows:
* Earlier BL31 was responsible for Architectural initialization during cold
boot via bl31_arch_setup() whereas PSCI was responsible for the same during
warm boot. This functionality is now consolidated by the PSCI library
and it does Architectural initialization via psci_arch_setup() during both
cold and warm boots.
* Earlier the warm boot entry point was always `psci_entrypoint()`. This was
not flexible enough as a library interface. Now PSCI expects the runtime
firmware to provide the entry point via `psci_setup()`. A new function
`bl31_warm_entrypoint` is introduced in BL31 and the previous
`psci_entrypoint()` is deprecated.
* The `smc_helpers.h` is reorganized to separate the SMC Calling Convention
defines from the Trusted Firmware SMC helpers. The former is now in a new
header file `smcc.h` and the SMC helpers are moved to Architecture specific
header.
* The CPU context is used by PSCI for context initialization and
restoration after power down (PSCI Context). It is also used by BL31 for SMC
handling and context management during Normal-Secure world switch (SMC
Context). The `psci_smc_handler()` interface is redefined to not use SMC
helper macros thus enabling to decouple the PSCI context from EL3 runtime
firmware SMC context. This enables PSCI to be integrated with other runtime
firmware using a different SMC context.
NOTE: With this patch the architectural setup done in `bl31_arch_setup()`
is done as part of `psci_setup()` and hence `bl31_platform_setup()` will be
invoked prior to architectural setup. It is highly unlikely that the platform
setup will depend on architectural setup and cause any failure. Please be
be aware of this change in sequence.
Change-Id: I7f497a08d33be234bbb822c28146250cb20dab73
This patch moves the PSCI services and BL31 frameworks like context
management and per-cpu data into new library components `PSCI` and
`el3_runtime` respectively. This enables PSCI to be built independently from
BL31. A new `psci_lib.mk` makefile is introduced which adds the relevant
PSCI library sources and gets included by `bl31.mk`. Other changes which
are done as part of this patch are:
* The runtime services framework is now moved to the `common/` folder to
enable reuse.
* The `asm_macros.S` and `assert_macros.S` helpers are moved to architecture
specific folder.
* The `plat_psci_common.c` is moved from the `plat/common/aarch64/` folder
to `plat/common` folder. The original file location now has a stub which
just includes the file from new location to maintain platform compatibility.
Most of the changes wouldn't affect platform builds as they just involve
changes to the generic bl1.mk and bl31.mk makefiles.
NOTE: THE `plat_psci_common.c` FILE HAS MOVED LOCATION AND THE STUB FILE AT
THE ORIGINAL LOCATION IS NOW DEPRECATED. PLATFORMS SHOULD MODIFY THEIR
MAKEFILES TO INCLUDE THE FILE FROM THE NEW LOCATION.
Change-Id: I6bd87d5b59424995c6a65ef8076d4fda91ad5e86
This patch reworks type usage in generic code, drivers and ARM platform files
to make it more portable. The major changes done with respect to
type usage are as listed below:
* Use uintptr_t for storing address instead of uint64_t or unsigned long.
* Review usage of unsigned long as it can no longer be assumed to be 64 bit.
* Use u_register_t for register values whose width varies depending on
whether AArch64 or AArch32.
* Use generic C types where-ever possible.
In addition to the above changes, this patch also modifies format specifiers
in print invocations so that they are AArch64/AArch32 agnostic. Only files
related to upcoming feature development have been reworked.
Change-Id: I9f8c78347c5a52ba7027ff389791f1dad63ee5f8
At the moment, all BL images share a similar memory layout: they start
with their code section, followed by their read-only data section.
The two sections are contiguous in memory. Therefore, the end of the
code section and the beginning of the read-only data one might share
a memory page. This forces both to be mapped with the same memory
attributes. As the code needs to be executable, this means that the
read-only data stored on the same memory page as the code are
executable as well. This could potentially be exploited as part of
a security attack.
This patch introduces a new build flag called
SEPARATE_CODE_AND_RODATA, which isolates the code and read-only data
on separate memory pages. This in turn allows independent control of
the access permissions for the code and read-only data.
This has an impact on memory footprint, as padding bytes need to be
introduced between the code and read-only data to ensure the
segragation of the two. To limit the memory cost, the memory layout
of the read-only section has been changed in this case.
- When SEPARATE_CODE_AND_RODATA=0, the layout is unchanged, i.e.
the read-only section still looks like this (padding omitted):
| ... |
+-------------------+
| Exception vectors |
+-------------------+
| Read-only data |
+-------------------+
| Code |
+-------------------+ BLx_BASE
In this case, the linker script provides the limits of the whole
read-only section.
- When SEPARATE_CODE_AND_RODATA=1, the exception vectors and
read-only data are swapped, such that the code and exception
vectors are contiguous, followed by the read-only data. This
gives the following new layout (padding omitted):
| ... |
+-------------------+
| Read-only data |
+-------------------+
| Exception vectors |
+-------------------+
| Code |
+-------------------+ BLx_BASE
In this case, the linker script now exports 2 sets of addresses
instead: the limits of the code and the limits of the read-only
data. Refer to the Firmware Design guide for more details. This
provides platform code with a finer-grained view of the image
layout and allows it to map these 2 regions with the appropriate
access permissions.
Note that SEPARATE_CODE_AND_RODATA applies to all BL images.
Change-Id: I936cf80164f6b66b6ad52b8edacadc532c935a49
This patch adds a new linker symbol in BL1's linker script named
'__BL1_ROM_END__', which marks the end of BL1's ROM content. This
covers BL1's code, read-only data and read-write data to relocate
in Trusted SRAM. The address of this new linker symbol is exported
to C code through the 'BL1_ROM_END' macro.
The section related to linker symbols in the Firmware Design guide
has been updated and improved.
Change-Id: I5c442ff497c78d865ffba1d7d044511c134e11c7
This patch adds following optional PSCI STAT functions:
- PSCI_STAT_RESIDENCY: This call returns the amount of time spent
in power_state in microseconds, by the node represented by the
`target_cpu` and the highest level of `power_state`.
- PSCI_STAT_COUNT: This call returns the number of times a
`power_state` has been used by the node represented by the
`target_cpu` and the highest power level of `power_state`.
These APIs provides residency statistics for power states that has
been used by the platform. They are implemented according to v1.0
of the PSCI specification.
By default this optional feature is disabled in the PSCI
implementation. To enable it, set the boolean flag
`ENABLE_PSCI_STAT` to 1. This also sets `ENABLE_PMF` to 1.
Change-Id: Ie62e9d37d6d416ccb1813acd7f616d1ddd3e8aff
This patch adds Performance Measurement Framework(PMF) in the
ARM Trusted Firmware. PMF is implemented as a library and the
SMC interface is provided through ARM SiP service.
The PMF provides capturing, storing, dumping and retrieving the
time-stamps, by enabling the development of services by different
providers, that can be easily integrated into ARM Trusted Firmware.
The PMF capture and retrieval APIs can also do appropriate cache
maintenance operations to the timestamp memory when the caller
indicates so.
`pmf_main.c` consists of core functions that implement service
registration, initialization, storing, dumping and retrieving
the time-stamp.
`pmf_smc.c` consists SMC handling for registered PMF services.
`pmf.h` consists of the macros that can be used by the PMF service
providers to register service and declare time-stamp functions.
`pmf_helpers.h` consists of internal macros that are used by `pmf.h`
By default this feature is disabled in the ARM trusted firmware.
To enable it set the boolean flag `ENABLE_PMF` to 1.
NOTE: The caller is responsible for specifying the appropriate cache
maintenance flags and for acquiring/releasing appropriate locks
before/after capturing/retrieving the time-stamps.
Change-Id: Ib45219ac07c2a81b9726ef6bd9c190cc55e81854
Add build time option 'cadence1' for ZYNQMP_CONSOLE to select the 2nd
UART available in the SoC.
Signed-off-by: Soren Brinkmann <soren.brinkmann@xilinx.com>
Acked-by: Michal Simek <michal.simek@xilinx.com>
A production ROM with TBB enabled must have the ability to boot test software
before a real ROTPK is deployed (e.g. manufacturing mode). Previously the
function plat_get_rotpk_info() must return a valid ROTPK for TBB to succeed.
This patch adds an additional bit `ROTPK_NOT_DEPLOYED` in the output `flags`
parameter from plat_get_rotpk_info(). If this bit is set, then the ROTPK
in certificate is used without verifying against the platform value.
FixesARM-software/tf-issues#381
Change-Id: Icbbffab6bff8ed76b72431ee21337f550d8fdbbb
* Move stdlib header files from include/stdlib to include/lib/stdlib for
consistency with other library headers.
* Fix checkpatch paths to continue excluding stdlib files.
* Create stdlib.mk to define the stdlib source files and include directories.
* Include stdlib.mk from the top level Makefile.
* Update stdlib header path in the fip_create Makefile.
* Update porting-guide.md with the new paths.
Change-Id: Ia92c2dc572e9efb54a783e306b5ceb2ce24d27fa
The system registers that are saved and restored in CPU context include
AArch32 systems registers like SPSR_ABT, SPSR_UND, SPSR_IRQ, SPSR_FIQ,
DACR32_EL2, IFSR32_EL2 and FPEXC32_EL2. Accessing these registers on an
AArch64-only (i.e. on hardware that does not implement AArch32, or at
least not at EL1 and higher ELs) platform leads to an exception. This patch
introduces the build option `CTX_INCLUDE_AARCH32_REGS` to specify whether to
include these AArch32 systems registers in the cpu context or not. By default
this build option is set to 1 to ensure compatibility. AArch64-only platforms
must set it to 0. A runtime check is added in BL1 and BL31 cold boot path to
verify this.
FixesARM-software/tf-issues#386
Change-Id: I720cdbd7ed7f7d8516635a2ec80d025f478b95ee
This patch adds a new optional platform hook `pwr_domain_pwr_down_wfi()` in
the plat_psci_ops structure. This hook allows the platform to perform platform
specific actions including the wfi invocation to enter powerdown. This hook
is invoked by both psci_do_cpu_off() and psci_cpu_suspend_start() functions.
The porting-guide.md is also updated for the same.
This patch also modifies the `psci_power_down_wfi()` function to invoke
`plat_panic_handler` incase of panic instead of the busy while loop.
FixesARM-Software/tf-issues#375
Change-Id: Iba104469a1445ee8d59fb3a6fdd0a98e7f24dfa3
This patch adds support to select CCN driver for FVP during build.
A new build option `FVP_INTERCONNECT_DRIVER` is added to allow
selection between the CCI and CCN driver. Currently only the CCN-502
variant is supported on FVP.
The common ARM CCN platform helper file now verifies the cluster
count declared by platform is equal to the number of root node
masters exported by the ARM Standard platform.
Change-Id: I71d7b4785f8925ed499c153b2e9b9925fcefd57a
Added a build flag to select the generic delay timer on FVP instead
of the SP804 timer. By default, the generic one will be selected. The
user guide has been updated.
Change-Id: Ica34425c6d4ed95a187b529c612f6d3b26b78bc6
Added plat_get_syscnt_freq2, which is a 32 bit variant of the 64 bit
plat_get_syscnt_freq. The old one has been flagged as deprecated.
Common code has been updated to use this new version. Porting guide
has been updated.
Change-Id: I9e913544926c418970972bfe7d81ee88b4da837e
This patch changes the default driver for FVP platform from the deprecated
GICv3 legacy to the GICv3 only driver. This means that the default build of
Trusted Firmware will not be able boot Linux kernel with GICv2 FDT blob. The
user guide is also updated to reflect this change of default GIC driver for
FVP.
Change-Id: Id6fc8c1ac16ad633dabb3cd189b690415a047764
This patch removes support for legacy Versatile Express memory map for the
GIC peripheral in the FVP platform. The user guide is also updated for the
same.
Change-Id: Ib8cfb819083aca359e5b46b5757cb56cb0ea6533
Add MAX_IO_BLOCK_DEVICES in porting guide. It's necessary to define
this macro to support io block device. With this macro, multiple
block devices could be opened at the same time. Each block device
stores its own state.
Signed-off-by: Haojian Zhuang <haojian.zhuang@linaro.org>
The translation table library code has moved from lib/aarch64/ to
lib/xlat_tables/ since commit 3ca9928df but the Porting Guide still
points to the old location. This patch fixes this issue.
Change-Id: I983a9a100d70eacf6bac71725ffbb4bb5f3732b0
Parse the parameter structure the FSBL populates, to populate the bl32
and bl33 image structures.
Cc: Sarat Chand Savitala <saratcha@xilinx.com>
Cc: petalinux-dev@xilinx.com
Signed-off-by: Michal Simek <michal.simek@xilinx.com>
[ SB
- pass pointers to structs instead of structs
- handle execution state parameter
- populate bl32 SPSR
- add documentation
- query bootmode and consider missing handoff parameters an error when
not in JTAG boot mode
]
Signed-off-by: Soren Brinkmann <soren.brinkmann@xilinx.com>
Drop the current configuration options for selecting the location of
the ATF and TSP (ZYNQMP_ATF_LOCATION, ZYNQMP_TSP_RAM_LOCATION).
The new configuration provides one default setup (ATF in OCM,
BL32 in DRAM). Additionally, the new configuration options
- ZYNQMP_ATF_MEM_BASE
- ZYNQMP_ATF_MEM_SIZE
- ZYNQMP_BL32_MEM_BASE
- ZYNQMP_BL32_MEM_SIZE
can be used to freely configure the memory locations used for ATF and
secure payload.
Also, allow setting the BL33 entry point via PRELOADED_BL33_BASE.
Cc: petalinux-dev@xilinx.com
Signed-off-by: Soren Brinkmann <soren.brinkmann@xilinx.com>
Acked-by: Alistair Francis <alistair.francis@xilinx.com>
This patch adds links to the Cortex-A53 and Cortex-A57 MPCores
Software Developers Errata Notice documents in the ARM CPU Specific
Build Macros document.
Change-Id: I0aa26d7f373026097ed012a02bc61ee2c5b9d6fc
It is up to the platform to implement the new plat_crash_print_regs macro to
report all relevant platform registers helpful for troubleshooting.
plat_crash_print_regs merges or calls previously defined plat_print_gic_regs
and plat_print_interconnect_regs macros for each existing platforms.
NOTE: THIS COMMIT REQUIRES ALL PLATFORMS THAT ENABLE THE `CRASH_REPORTING`
BUILD FLAG TO MIGRATE TO USE THE NEW `plat_crash_print_regs()` MACRO. BY
DEFAULT, `CRASH_REPORTING` IS ENABLED IN DEBUG BUILDS FOR ALL PLATFORMS.
Fixes: arm-software/tf-issues#373
Signed-off-by: Gerald Lejeune <gerald.lejeune@st.com>
This patch updates the TF User Guide, simplifying some of the steps
to build and run TF and trying to avoid duplicated information that
is already available on the ARM Connected Community or the Linaro
website.
The recommended Linaro release is now 16.02.
Change-Id: I21db486d56a07bb10f5ee9a33014ccc59ca12986
To avoid confusion the build option BL33_BASE has been renamed to
PRELOADED_BL33_BASE, which is more descriptive of what it does and
doesn't get mistaken by similar names like BL32_BASE that work in a
completely different way.
NOTE: PLATFORMS USING BUILD OPTION `BL33_BASE` MUST CHANGE TO THE NEW
BUILD OPTION `PRELOADED_BL33_BASE`.
Change-Id: I658925ebe95406edf0325f15aa1752e1782aa45b
This patch enables the SCR_EL3.SIF (Secure Instruction Fetch) bit in BL1 and
BL31 common architectural setup code. When in secure state, this disables
instruction fetches from Non-secure memory.
NOTE: THIS COULD BREAK PLATFORMS THAT HAVE SECURE WORLD CODE EXECUTING FROM
NON-SECURE MEMORY, BUT THIS IS CONSIDERED UNLIKELY AND IS A SERIOUS SECURITY
RISK.
FixesARM-Software/tf-issues#372
Change-Id: I684e84b8d523c3b246e9a5fabfa085b6405df319
The Xilinx Zynq UltraScale+ MPSOC containes a quad A53 cluster. This
patch adds the platform port for that SoC.
Signed-off-by: Soren Brinkmann <soren.brinkmann@xilinx.com>
This patch modifies the return type of the platform API
`plat_get_ns_image_entrypoint()` from `unsigned long` to
`uintptr_t` in accordance with the coding guidelines.
Change-Id: Icb4510ca98b706aa4d535fe27e203394184fb4ca
To get round problems encountered when building in a DOS build
environment the generation of the .o file containing build identifier
strings is modified.
The problems encounterred were:
1. DOS echo doesn't strip ' characters from the output text.
2. git is not available from CMD.EXE so the BUILD_STRING value needs
some other origin.
A BUILD_STRING value of "development build" is used for now.
MAKE_BUILD_STRINGS is used to customise build string generation in a DOS
environment. This variable is not defined in the UNIX build environment
make file helper, and so the existing build string generation behaviour
is retained in these build environments.
NOTE: This commit completes a cumulative series aimed at improving
build portability across development environments.
This enables the build to run on several new build environments,
if the relevant tools are available.
At this point the build is tested on Windows 7 Enterprise SP1,
using CMD.EXE, Cygwin and Msys (MinGW),as well as a native
Linux envionment". The Windows platform builds used
aarch64-none-elf-gcc.exe 4.9.1. CMD.EXE and Msys used Gnu
Make 3.81, cygwin used Gnu Make 4.1.
CAVEAT: The cert_create tool build is not tested on the Windows
platforms (openssl-for-windows has a GPL license).
Change-Id: Iaa4fc89dbe2a9ebae87e2600c9eef10a6af30251
lib/aarch64/xlat_helpers.c defines helper functions to build
translation descriptors, but no common code or upstream platform
port uses them. As the rest of the xlat_tables code evolves, there
may be conflicts with these helpers, therefore this code should be
removed.
Change-Id: I9f5be99720f929264818af33db8dada785368711
This patch adds support for non-volatile counter authentication to
the Authentication Module. This method consists of matching the
counter values provided in the certificates with the ones stored
in the platform. If the value from the certificate is lower than
the platform, the boot process is aborted. This mechanism protects
the system against rollback.
The TBBR CoT has been updated to include this method as part of the
authentication process. Two counters are used: one for the trusted
world images and another for the non trusted world images.
** NEW PLATFORM APIs (mandatory when TBB is enabled) **
int plat_get_nv_ctr(void *cookie, unsigned int *nv_ctr);
This API returns the non-volatile counter value stored
in the platform. The cookie in the first argument may be
used to select the counter in case the platform provides
more than one (i.e. TBSA compliant platforms must provide
trusted and non-trusted counters). This cookie is specified
in the CoT.
int plat_set_nv_ctr(void *cookie, unsigned int nv_ctr);
This API sets a new counter value. The cookie may be
used to select the counter to be updated.
An implementation of these new APIs for ARM platforms is also
provided. The values are obtained from the Trusted Non-Volatile
Counters peripheral. The cookie is used to pass the extension OID.
This OID may be interpreted by the platform to know which counter
must return. On Juno, The trusted and non-trusted counter values
have been tied to 31 and 223, respectively, and cannot be modified.
** IMPORTANT **
THIS PATCH BREAKS THE BUILD WHEN TRUSTED_BOARD_BOOT IS ENABLED. THE
NEW PLATFORM APIs INTRODUCED IN THIS PATCH MUST BE IMPLEMENTED IN
ORDER TO SUCCESSFULLY BUILD TF.
Change-Id: Ic943b76b25f2a37f490eaaab6d87b4a8b3cbc89a
This patch adds an option to the ARM common platforms to load BL31 in the
TZC secured DRAM instead of the default secure SRAM.
To enable this feature, set `ARM_BL31_IN_DRAM` to 1 in build options.
If TSP is present, then setting this option also sets the TSP location
to DRAM and ignores the `ARM_TSP_RAM_LOCATION` build flag.
To use this feature, BL2 platform code must map in the DRAM used by
BL31. The macro ARM_MAP_BL31_SEC_DRAM is provided for this purpose.
Currently, only the FVP BL2 platform code maps in this DRAM.
Change-Id: If5f7cc9deb569cfe68353a174d4caa48acd78d67
Asynchronous abort exceptions generated by the platform during cold boot are
not taken in EL3 unless SCR_EL3.EA is set.
Therefore EA bit is set along with RES1 bits in early BL1 and BL31 architecture
initialisation. Further write accesses to SCR_EL3 preserve these bits during
cold boot.
A build flag controls SCR_EL3.EA value to keep asynchronous abort exceptions
being trapped by EL3 after cold boot or not.
For further reference SError Interrupts are also known as asynchronous external
aborts.
On Cortex-A53 revisions below r0p2, asynchronous abort exceptions are taken in
EL3 whatever the SCR_EL3.EA value is.
Fixesarm-software/tf-issues#368
Signed-off-by: Gerald Lejeune <gerald.lejeune@st.com>
The Firmware Design document is meant to provide a general overview
of the Trusted Firmware code. Although it is useful to provide some
guidance around the responsibilities of the platform layer, it should
not provide too much platform specific implementation details. Right
now, some sections are too tied to the implementation on ARM
platforms. This makes the Firmware Design document harder to digest.
This patch simplifies this aspect of the Firmware Design document.
The sections relating the platform initialisations performed by the
different BL stages have been simplified and the extra details about
the ARM platforms implementation have been moved to the Porting Guide
when appropriate.
This patch also provides various documentation fixes and additions
in the Firmware Design and Platform Porting Guide. In particular:
- Update list of SMCs supported by BL1.
- Remove MMU setup from architectural inits, as it is actually
performed by platform code.
- Similarly, move runtime services initialisation, BL2 image
initialization and BL33 execution out of the platform
initialisation paragraph.
- List SError interrupt unmasking as part of BL1 architectural
initialization.
- Mention Trusted Watchdog enabling in BL1 on ARM platforms.
- Fix order of steps in "BL2 image load and execution" section.
- Refresh section about GICv3/GICv2 drivers initialisation on
ARM platforms.
Change-Id: I32113c4ffdc26687042629cd8bbdbb34d91e3c14
Added a new platform porting function plat_panic_handler, to allow
platforms to handle unexpected error situations. It must be
implemented in assembly as it may be called before the C environment
is initialized. A default implementation is provided, which simply
spins.
Corrected all dead loops in generic code to call this function
instead. This includes the dead loop that occurs at the end of the
call to panic().
All unnecesary wfis from bl32/tsp/aarch64/tsp_exceptions.S have
been removed.
Change-Id: I67cb85f6112fa8e77bd62f5718efcef4173d8134
The previous reset code in BL1 performed the following steps in
order:
1. Warm/Cold boot detection.
If it's a warm boot, jump to warm boot entrypoint.
2. Primary/Secondary CPU detection.
If it's a secondary CPU, jump to plat_secondary_cold_boot_setup(),
which doesn't return.
3. CPU initialisations (cache, TLB...).
4. Memory and C runtime initialization.
For a secondary CPU, steps 3 and 4 are never reached. This shouldn't
be a problem in most cases, since current implementations of
plat_secondary_cold_boot_setup() either panic or power down the
secondary CPUs.
The main concern is the lack of secondary CPU initialization when
bare metal EL3 payloads are used in case they don't take care of this
initialisation themselves.
This patch moves the detection of primary/secondary CPU after step 3
so that the CPU initialisations are performed per-CPU, while the
memory and the C runtime initialisation are only performed on the
primary CPU. The diagrams used in the ARM Trusted Firmware Reset
Design documentation file have been updated to reflect the new boot
flow.
Platforms ports might be affected by this patch depending on the
behaviour of plat_secondary_cold_boot_setup(), as the state of the
platform when entering this function will be different.
FixesARM-software/tf-issues#342
Change-Id: Icbf4a0ee2a3e5b856030064472f9fa6696f2eb9e
This patch clarifies a porting API in the Porting Guide that do not
follow the ARM Architecture Program Calling Standards (AAPCS). The
list of registers that are allowed to be clobbered by this API has
been updated in the Porting Guide.
FixesARM-software/tf-issues#259
Change-Id: Ibf2adda2e1fb3e9b8f53d8a918d5998356eb8fce
Enable alternative boot flow where BL2 does not load BL33 from
non-volatile storage, and BL31 hands execution over to a preloaded
BL33.
The flag used to enable this bootflow is BL33_BASE, which must hold
the entrypoint address of the BL33 image. The User Guide has been
updated with an example of how to use this option with a bootwrapped
kernel.
Change-Id: I48087421a7b0636ac40dca7d457d745129da474f
`board_arm_def.h` contains multiple definitions of
`PLAT_ARM_MMAP_ENTRIES` and `MAX_XLAT_TABLES` that are optimised for
memory usage depending upon the chosen build configuration. To ease
maintenance of these constants, this patch replaces their multiple
definitions with a single set of definitions that will work on all ARM
platforms.
Platforms can override the defaults with optimal values by enabling the
`ARM_BOARD_OPTIMISE_MMAP` build option. An example has been provided in
the Juno ADP port.
Additionally, `PLAT_ARM_MMAP_ENTRIES` is increased by one to accomodate
future ARM platforms.
Change-Id: I5ba6490fdd1e118cc9cc2d988ad7e9c38492b6f0
The common topology description helper funtions and macros for
ARM Standard platforms assumed a dual cluster system. This is not
flexible enough to scale to multi cluster platforms. This patch does
the following changes for more flexibility in defining topology:
1. The `plat_get_power_domain_tree_desc()` definition is moved from
`arm_topology.c` to platform specific files, that is `fvp_topology.c`
and `juno_topology.c`. Similarly the common definition of the porting
macro `PLATFORM_CORE_COUNT` in `arm_def.h` is moved to platform
specific `platform_def.h` header.
2. The ARM common layer porting macros which were dual cluster specific
are now removed and a new macro PLAT_ARM_CLUSTER_COUNT is introduced
which must be defined by each ARM standard platform.
3. A new mandatory ARM common layer porting API
`plat_arm_get_cluster_core_count()` is introduced to enable the common
implementation of `arm_check_mpidr()` to validate MPIDR.
4. For the FVP platforms, a new build option `FVP_NUM_CLUSTERS` has been
introduced which allows the user to specify the cluster count to be
used to build the topology tree within Trusted Firmare. This enables
Trusted Firmware to be built for multi cluster FVP models.
Change-Id: Ie7a2e38e5661fe2fdb2c8fdf5641d2b2614c2b6b
This patch adds a link to the Cortex-A57 Software Optimization Guide
in the ARM CPU Specific Build Macros document to justify the default
value of the A57_DISABLE_NON_TEMPORAL_HINT build flag.
Change-Id: I9779e42a4bb118442b2b64717ce143314ec9dd16
The folowing build options were missing from the User Guide and have been
documented:
- CTX_INCLUDE_FPREGS
- DISABLE_PEDANTIC
- BUILD_STRING
- VERSION_STRING
- BUILD_MESSAGE_TIMESTAMP
Change-Id: I6a9c39ff52cad8ff04deff3ac197af84d437b8b7
Current code mandates loading of SCP_BL2/SCP_BL2U images for all
CSS platforms. On future ARM CSS platforms, the Application
Processor (AP) might not need to load these images. So, these
items can be removed from the FIP on those platforms.
BL2 tries to load SCP_BL2/SCP_BL2U images if their base
addresses are defined causing boot error if the images are not
found in FIP.
This change adds a make flag `CSS_LOAD_SCP_IMAGES` which if set
to `1` does:
1. Adds SCP_BL2, SCP_BL2U images to FIP.
2. Defines the base addresses of these images so that AP loads
them.
And vice-versa if it is set to `0`. The default value is set to
`1`.
Change-Id: I5abfe22d5dc1e9d80d7809acefc87b42a462204a
ARM PL061 GPIO driver requires the "PLAT_PL061_MAX_GPIOS" definition.
By default, it's defined to 32 in PL061 GPIO driver. If user wants
more PL061 controllers in platform, user should define the build
flag in platform.mk instead.
Signed-off-by: Haojian Zhuang <haojian.zhuang@linaro.org>
The LDNP/STNP instructions as implemented on Cortex-A53 and
Cortex-A57 do not behave in a way most programmers expect, and will
most probably result in a significant speed degradation to any code
that employs them. The ARMv8-A architecture (see Document ARM DDI
0487A.h, section D3.4.3) allows cores to ignore the non-temporal hint
and treat LDNP/STNP as LDP/STP instead.
This patch introduces 2 new build flags:
A53_DISABLE_NON_TEMPORAL_HINT and A57_DISABLE_NON_TEMPORAL_HINT
to enforce this behaviour on Cortex-A53 and Cortex-A57. They are
enabled by default.
The string printed in debug builds when a specific CPU errata
workaround is compiled in but skipped at runtime has been
generalised, so that it can be reused for the non-temporal hint use
case as well.
Change-Id: I3e354f4797fd5d3959872a678e160322b13867a1
Move up to Base FVP version 7.2 (build 0.8/7202) and Foundation FVP version
9.5 (build 9.5.41) in the user guide.
Change-Id: Ie9900596216808cadf45f042eec639d906e497b2
This patch adds a brief explanation of the top/bottom load approach
to the Firmware Design guide and how Trusted Firmware keeps track of
the free memory at boot time. This will help platform developers to
avoid unexpected results in the memory layout.
FixesARM-software/tf-issues#319
Change-Id: I04be7e24c1f3b54d28cac29701c24bf51a5c00ad
The memory translation library in Trusted Firmware supports
non-identity mappings for Physical to Virtual addresses since commit
f984ce84ba. However, the porting guide hasn't been updated
accordingly and still mandates the platform ports to use
identity-mapped page tables for all addresses.
This patch removes this out-dated information from the Porting Guide
and clarifies in which circumstances non-identity mapping may safely
be used.
FixesARM-software/tf-issues#258
Change-Id: I84dab9f3cabfc43794951b1828bfecb13049f706
This patch reworks the section about booting an EL3 payload in the
User Guide:
- Centralize all EL3 payload related information in the same
section.
- Mention the possibility to program the EL3 payload in flash memory
and execute it in place.
- Provide model parameters for both the Base and Foundation FVPs.
- Provide some guidance to boot an EL3 payload on Juno.
Change-Id: I975c8de6b9b54ff4de01a1154cba63271d709912
The PL011 TRM (ARM DDI 0183G) specifies that the UART must be
disabled before any of the control registers are programmed. The
PL011 driver included in TF does not disable the UART, so the
initialization in BL2 and BL31 is violating this requirement
(and potentially in BL1 if the UART is enabled after reset).
This patch modifies the initialization function in the PL011
console driver to disable the UART before programming the
control registers.
Register clobber list and documentation updated.
FixesARM-software/tf-issues#300
Change-Id: I839b2d681d48b03f821ac53663a6a78e8b30a1a1
Currently, Trusted Firmware on ARM platforms unlocks access to the
timer frame registers that will be used by the Non-Secure world. This
unlock operation should be done by the Non-Secure software itself,
instead of relying on secure firmware settings.
This patch adds a new ARM specific build option 'ARM_CONFIG_CNTACR'
to unlock access to the timer frame by setting the corresponding
bits in the CNTACR<N> register. The frame id <N> is defined by
'PLAT_ARM_NSTIMER_FRAME_ID'. Default value is true (unlock timer
access).
Documentation updated accordingly.
FixesARM-software/tf-issues#170
Change-Id: Id9d606efd781e43bc581868cd2e5f9c8905bdbf6
GIC v2 and v3 specification references in the porting guide
should refer to publically visible links, not ARM internal links.
Change-Id: Ib47c8adda6a03581f23bcaed72d71c08c7dd9fb1
Signed-off-by: Yuping Luo <yuping.luo@arm.com>
Since commit 804040d106, the Juno port has moved from per-CPU mailboxes
to a single shared one. This patch updates an out-dated reference to
the former per-CPU mailboxes mechanism in the Firmware Design.
Change-Id: I355b54156b1ace1b3df4c4416e1e8625211677fc
Migrate all direct usage of __attribute__ to usage of their
corresponding macros from cdefs.h.
e.g.:
- __attribute__((unused)) -> __unused
Signed-off-by: Soren Brinkmann <soren.brinkmann@xilinx.com>
This patch adds a brief description of 'MAX_MMAP_REGIONS' and
'ADDR_SPACE_SIZE' to the Porting Guide. These fields must be defined
by the platform in order to use the translation table library.
Change-Id: Ida366458fe2bc01979091a014dc38da0fae5991e
This patch fixes a couple of issues in the "CPU specific operations
framework" section in the Firmware Design document.
* Fix broken link to the CPU Specific Build Macros document.
* Fix the path to the cortex_a53.S file.
* Fix power levels terminology.
Change-Id: Ib610791eaba13dab2823b7699bb63534bcd1c8fb
The fip_create tool specifies images in the command line using the
ARM TF naming convention (--bl2, --bl31, etc), while the cert_create
tool uses the TBBR convention (--tb-fw, --soc-fw, etc). This double
convention is confusing and should be aligned.
This patch updates the fip_create command line options to follow the
TBBR naming convention. Usage examples in the User Guide have been
also updated.
NOTE: users that build the FIP by calling the fip_create tool directly
from the command line must update the command line options in their
scripts. Users that build the FIP by invoking the main ARM TF Makefile
should not notice any difference.
Change-Id: I84d602630a2585e558d927b50dfde4dd2112496f
Remove the following redundant sentence from the user guide, which
implies the user should use the TF version from the Linaro release,
which was not the intention:
"However, the rest of this document assumes that you got the
Trusted Firmware as part of the Linaro release."
Also, tidied up the grammar in this section.
Change-Id: I5dae0b68d3683e2a85a7b3c6a31222182a66f6c8
This patch adds design documentation for the Firmware Update (FWU)
feature in `firmware-update.md`. It provides an overview of FWU,
describes the BL1 SMC interface, and includes diagrams showing
an example FWU boot flow and the FWU state machine.
This patch also updates the existing TF documents where needed:
* `porting-guide.md`
* `user-guide.md`
* `firmware-design.md`
* `rt-svc-writers-guide.md`
* `trusted_board_boot.md`
Change-Id: Ie6de31544429b18f01327bd763175e218299a4ce
Co-Authored-By: Dan Handley <dan.handley@arm.com>
This patch introduces a new document presenting the ARM Trusted
Firmware Reset Design. It shows the reset code flow, lists the
different build options that affect it, in which case to use them
and what their exact effect is.
The section about using BL31 entrypoint as the reset address has
been moved from the general firmware design document to this one.
It's also been improved to explain why the FVP port supports the
RESET_TO_BL31 configuration, even though the reset vector address
can't be programmed dynamically.
This document includes some images, which have been generated using
Dia version 0.97.2. This tool can be obtained from:
https://wiki.gnome.org/Apps/Dia/Download
This patch provides:
- the image files describing the different reset flow diagrams;
- the source '.dia' file;
- a script automating the generation of the images from the '.dia'
file.
Note that the 2 latter files are not actually needed for the document
and are provided for convenience only, in case the reset images need
to be modified.
Change-Id: Ib6302e8209d418a5b31c4e85e55fd9e83caf2ca2
This patch updates the relevant documentation in ARM Trusted Firmware
for the new GIC drivers. The user-guide.md and porting-guide.md have been
updated as follows:
* The build option to compile Trusted Firmware with different GIC drivers
for FVP has been explained in the user-guide.md.
* The implementation details of interrupt management framework porting
APIs for GICv3 have been added in porting-guide.md.
* The Linaro tracking kernel release does not work OOB in GICv3 mode.
The instructions for changing UEFI configuration in order to run with
the new GICv3 driver in ARM TF have been added to user-guide.md.
The interrupt-framework-design.md has been updated as follows:
* Describes support for registering and handling interrupts targeted to EL3
e.g. Group 0 interrupts in GICv3.
* Describes the build option `TSP_NS_INTR_ASYNC_PREEMPT` in detail.
* Describes preemption of TSP in S-EL1 by non secure interrupts and
also possibly by higher priority EL3 interrupts.
* Describes the normal world sequence for issuing `standard` SMC calls.
* Modifies the document to correspond to the current state of interrupt
handling in TSPD and TSP.
* Modifies the various functions names in the document to reflect
the current names used in code.
Change-Id: I78c9514b5be834f193405aad3c1752a4a9e27a6c
This patch removes the dash character from the image name, to
follow the image terminology in the Trusted Firmware Wiki page:
https://github.com/ARM-software/arm-trusted-firmware/wiki
Changes apply to output messages, comments and documentation.
non-ARM platform files have been left unmodified.
Change-Id: Ic2a99be4ed929d52afbeb27ac765ceffce46ed76
This patch replaces all references to the SCP Firmware (BL0, BL30,
BL3-0, bl30) with the image terminology detailed in the TF wiki
(https://github.com/ARM-software/arm-trusted-firmware/wiki):
BL0 --> SCP_BL1
BL30, BL3-0 --> SCP_BL2
bl30 --> scp_bl2
This change affects code, documentation, build system, tools and
platform ports that load SCP firmware. ARM plaforms have been
updated to the new porting API.
IMPORTANT: build option to specify the SCP FW image has changed:
BL30 --> SCP_BL2
IMPORTANT: This patch breaks compatibility for platforms that use BL2
to load SCP firmware. Affected platforms must be updated as follows:
BL30_IMAGE_ID --> SCP_BL2_IMAGE_ID
BL30_BASE --> SCP_BL2_BASE
bl2_plat_get_bl30_meminfo() --> bl2_plat_get_scp_bl2_meminfo()
bl2_plat_handle_bl30() --> bl2_plat_handle_scp_bl2()
Change-Id: I24c4c1a4f0e4b9f17c9e4929da815c4069549e58
The mbed TLS library has introduced some changes in the API from
the 1.3.x to the 2.x releases. Using the 2.x releases requires
some changes to the crypto and transport modules.
This patch updates both modules to the mbed TLS 2.x API.
All references to the mbed TLS library in the code or documentation
have been updated to 'mbed TLS'. Old references to PolarSSL have
been updated to 'mbed TLS'.
User guide updated to use mbed TLS 2.2.0.
NOTE: moving up to mbed TLS 2.x from 1.3.x is not backward compatible.
Applying this patch will require an mbed TLS 2.x release to be used.
Also note that the mbed TLS license changed to Apache version 2.0.
Change-Id: Iba4584408653cf153091f2ca2ee23bc9add7fda4
Move up the version numbers in the user guide of:
* DS-5 (to v5.22)
* Base FVP (to 7.0)
* Foundation FVP (to 9.4)
* Linaro release (to 15.10)
Note that, starting from Linaro release 15.10, the related release
instructions have migrated from http://releases.linaro.org to the
ARM Connected Community website. The URLs in the User Guide have
been updated accordingly.
The 'libssl-dev' package has been removed from the list of
prerequisite tools, as it is already referenced on the ARM Connected
Community page. Also, the 'device-tree-compiler' package has been
marked as an optional dependency, since the Trusted Firmware
repository provides the prebuilt DTB files. Hence, this tool is
needed only when the user wants to rebuild the DTS files.
Change-Id: I4a172ece60bf90437131c6b96e73a9f1e9b40117
The Server Base System Architecture document (ARM-DEN-0029)
specifies a generic UART device. The programmer's view of this
generic UART is a subset of the ARM PL011 UART. However, the
current PL011 driver in Trusted Firmware uses some features
that are outside the generic UART specification.
This patch modifies the PL011 driver to exclude features outside
the SBSA generic UART specification by setting the boolean build
option 'PL011_GENERIC_UART=1'. Default value is 0 (use full
PL011 features).
User guide updated.
FixesARM-software/tf-issues#216
Change-Id: I6e0eb86f9d69569bc3980fb57e70d6da5d91a737
This patch overrides the default weak definition of
`bl31_plat_runtime_setup()` for ARM Standard platforms to
specify a BL31 runtime console. ARM Standard platforms are
now expected to define `PLAT_ARM_BL31_RUN_UART_BASE` and
`PLAT_ARM_BL31_RUN_UART_CLK_IN_HZ` macros which is required
by `arm_bl31_plat_runtime_setup()` to initialize the runtime
console.
The system suspend resume helper `arm_system_pwr_domain_resume()`
is fixed to initialize the runtime console rather than the boot
console on resumption from system suspend.
FixesARM-software/tf-issues#220
Change-Id: I80eafe5b6adcfc7f1fdf8b99659aca1c64d96975
It is not ideal for BL31 to continue to use boot console at
runtime which could be potentially uninitialized. This patch
introduces a new optional platform porting API
`bl31_plat_runtime_setup()` which allows the platform to perform
any BL31 runtime setup just prior to BL31 exit during cold boot.
The default weak implementation of this function will invoke
`console_uninit()` which will suppress any BL31 runtime logs.
On the ARM Standard platforms, there is an anomaly that
the boot console will be reinitialized on resumption from
system suspend in `arm_system_pwr_domain_resume()`. This
will be resolved in the following patch.
NOTE: The default weak definition of `bl31_plat_runtime_setup()`
disables the BL31 console. To print the BL31 runtime
messages, platforms must override this API and initialize a
runtime console.
FixesARM-software/tf-issues#328
Change-Id: Ibaf8346fcceb447fe1a5674094c9f8eb4c09ac4a
On a GICv2 system, interrupts that should be handled in the secure world are
typically signalled as FIQs. On a GICv3 system, these interrupts are signalled
as IRQs instead. The mechanism for handling both types of interrupts is the same
in both cases. This patch enables the TSP to run on a GICv3 system by:
1. adding support for handling IRQs in the exception handling code.
2. removing use of "fiq" in the names of data structures, macros and functions.
The build option TSPD_ROUTE_IRQ_TO_EL3 is deprecated and is replaced with a
new build flag TSP_NS_INTR_ASYNC_PREEMPT. For compatibility reasons, if the
former build flag is defined, it will be used to define the value for the
new build flag. The documentation is also updated accordingly.
Change-Id: I1807d371f41c3656322dd259340a57649833065e
This patch adds watchdog support on ARM platforms (FVP and Juno).
A secure instance of SP805 is used as Trusted Watchdog. It is
entirely managed in BL1, being enabled in the early platform setup
hook and disabled in the exit hook. By default, the watchdog is
enabled in every build (even when TBB is disabled).
A new ARM platform specific build option `ARM_DISABLE_TRUSTED_WDOG`
has been introduced to allow the user to disable the watchdog at
build time. This feature may be used for testing or debugging
purposes.
Specific error handlers for Juno and FVP are also provided in this
patch. These handlers will be called after an image load or
authentication error. On FVP, the Table of Contents (ToC) in the FIP
is erased. On Juno, the corresponding error code is stored in the
V2M Non-Volatile flags register. In both cases, the CPU spins until
a watchdog reset is generated after 256 seconds (as specified in
the TBBR document).
Change-Id: I9ca11dcb0fe15af5dbc5407ab3cf05add962f4b4
The implications of the 'PROGRAMMABLE_RESET_ADDRESS' build option on
the platform porting layer are simple enough to be described in the
User Guide directly. This patch removes the reference to the Porting
Guide.
Change-Id: I7f753b18abd20effc4fd30836609e1fd51d9221d
This patch introduces a new build option named COLD_BOOT_SINGLE_CPU,
which allows platforms that only release a single CPU out of reset to
slightly optimise their cold boot code, both in terms of code size
and performance.
COLD_BOOT_SINGLE_CPU defaults to 0, which assumes that the platform
may release several CPUs out of reset. In this case, the cold reset
code needs to coordinate all CPUs via the usual primary/secondary
CPU distinction.
If a platform guarantees that only a single CPU will ever be released
out of reset, there is no need to arbitrate execution ; the notion of
primary and secondary CPUs itself no longer exists. Such platforms
may set COLD_BOOT_SINGLE_CPU to 1 in order to compile out the
primary/secondary CPU identification in the cold reset code.
All ARM standard platforms can release several CPUs out of reset
so they use COLD_BOOT_SINGLE_CPU=0. However, on CSS platforms like
Juno, bringing up more than one CPU at reset should only be attempted
when booting an EL3 payload, as it is not fully supported in the
normal boot flow.
For platforms using COLD_BOOT_SINGLE_CPU=1, the following 2 platform
APIs become optional:
- plat_secondary_cold_boot_setup();
- plat_is_my_cpu_primary().
The Porting Guide has been updated to reflect that.
User Guide updated as well.
Change-Id: Ic5b474e61b7aec1377d1e0b6925d17dfc376c46b
- Document the new build option EL3_PAYLOAD_BASE
- Document the EL3 payload boot flow
- Document the FVP model parameters to boot an EL3 payload
Change-Id: Ie6535914a9a68626e4401659bee4fcfd53d4bd37
Normally, in the FVP port, secondary CPUs are immediately powered
down if they are powered on at reset. However, when booting an EL3
payload, we need to keep them powered on as the requirement is for
all CPUs to enter the EL3 payload image. This patch puts them in a
holding pen instead of powering them off.
Change-Id: I6526a88b907a0ddb820bead72f1d350a99b1692c
This patch adds support for booting EL3 payloads on CSS platforms,
for example Juno. In this scenario, the Trusted Firmware follows
its normal boot flow up to the point where it would normally pass
control to the BL31 image. At this point, it jumps to the EL3
payload entry point address instead.
Before handing over to the EL3 payload, the data SCP writes for AP
at the beginning of the Trusted SRAM is restored, i.e. we zero the
first 128 bytes and restore the SCP Boot configuration. The latter
is saved before transferring the BL30 image to SCP and is restored
just after the transfer (in BL2). The goal is to make it appear that
the EL3 payload is the first piece of software to run on the target.
The BL31 entrypoint info structure is updated to make the primary
CPU jump to the EL3 payload instead of the BL31 image.
The mailbox is populated with the EL3 payload entrypoint address,
which releases the secondary CPUs out of their holding pen (if the
SCP has powered them on). The arm_program_trusted_mailbox() function
has been exported for this purpose.
The TZC-400 configuration in BL2 is simplified: it grants secure
access only to the whole DRAM. Other security initialization is
unchanged.
This alternative boot flow is disabled by default. A new build option
EL3_PAYLOAD_BASE has been introduced to enable it and provide the EL3
payload's entry point address. The build system has been modified
such that BL31 and BL33 are not compiled and/or not put in the FIP in
this case, as those images are not used in this boot flow.
Change-Id: Id2e26fa57988bbc32323a0effd022ab42f5b5077
This patch modifies the prototype of the bl1_plat_prepare_exit()
platform API to pass the address of the entry point info structure
received from BL2. The structure contains information that can be
useful, depending on the kind of clean up or bookkeeping operations
to perform.
The weak implementation of this function ignores this argument to
preserve platform backwards compatibility.
NOTE: THIS PATCH MAY BREAK PLATFORM PORTS THAT ARE RELYING ON THE
FORMER PROTOTYPE OF THE BL1_PLAT_PREPARE_EXIT() API.
Change-Id: I3fc18f637de06c85719c4ee84c85d6a4572a0fdb
This patch introduces a new build flag, SPIN_ON_BL1_EXIT, which
puts an infinite loop in BL1. It is intended to help debugging
the post-BL2 phase of the Trusted Firmware by stopping execution
in BL1 just before handing over to BL31. At this point, the
developer may take control of the target using a debugger.
This feature is disabled by default and can be enabled by
rebuilding BL1 with SPIN_ON_BL1_EXIT=1.
User Guide updated accordingly.
Change-Id: I6b6779d5949c9e5571dd371255520ef1ac39685c
The IMF_READ_INTERRUPT_ID build option enables a feature where the interrupt
ID of the highest priority pending interrupt is passed as a parameter to the
interrupt handler registered for that type of interrupt. This additional read
of highest pending interrupt id from GIC is problematic as it is possible that
the original interrupt may get deasserted and another interrupt of different
type maybe become the highest pending interrupt. Hence it is safer to prevent
such behaviour by removing the IMF_READ_INTERRUPT_ID build option.
The `id` parameter of the interrupt handler `interrupt_type_handler_t` is
now made a reserved parameter with this patch. It will always contain
INTR_ID_UNAVAILABLE.
FixesARM-software/tf-issues#307
Change-Id: I2173aae1dd37edad7ba6bdfb1a99868635fa34de
This patch changes the build time behaviour when using deprecated API within
Trusted Firmware. Previously the use of deprecated APIs would only trigger a
build warning (which was always treated as a build error), when
WARN_DEPRECATED = 1. Now, the use of deprecated C declarations will always
trigger a build time warning. Whether this warning is treated as error or not
is determined by the build flag ERROR_DEPRECATED which is disabled by default.
When the build flag ERROR_DEPRECATED=1, the invocation of deprecated API or
inclusion of deprecated headers will result in a build error.
Also the deprecated context management helpers in context_mgmt.c are now
conditionally compiled depending on the value of ERROR_DEPRECATED flag
so that the APIs themselves do not result in a build error when the
ERROR_DEPRECATED flag is set.
NOTE: Build systems that use the macro WARN_DEPRECATED must migrate to
using ERROR_DEPRECATED, otherwise deprecated API usage will no longer
trigger a build error.
Change-Id: I843bceef6bde979af7e9b51dddf861035ec7965a
This patch adds an optional API to the platform port:
void plat_error_handler(int err) __dead2;
The platform error handler is called when there is a specific error
condition after which Trusted Firmware cannot continue. While panic()
simply prints the crash report (if enabled) and spins, the platform
error handler can be used to hand control over to the platform port
so it can perform specific bookeeping or post-error actions (for
example, reset the system). This function must not return.
The parameter indicates the type of error using standard codes from
errno.h. Possible errors reported by the generic code are:
-EAUTH : a certificate or image could not be authenticated
(when Trusted Board Boot is enabled)
-ENOENT : the requested image or certificate could not be found
or an IO error was detected
-ENOMEM : resources exhausted. Trusted Firmware does not use
dynamic memory, so this error is usually an indication
of an incorrect array size
A default weak implementation of this function has been provided.
It simply implements an infinite loop.
Change-Id: Iffaf9eee82d037da6caa43b3aed51df555e597a3
This patch is a complete rework of the main Makefile. Functionality
remains the same but the code has been reorganized in sections in
order to improve readability and facilitate adding future extensions.
A new file 'build_macros.mk' has been created and will contain common
definitions (variables, macros, etc) that may be used from the main
Makefile and other platform specific makefiles.
A new macro 'FIP_ADD_IMG' has been introduced and it will allow the
platform to specify binary images and the necessary checks for a
successful build. Platforms that require a BL30 image no longer need
to specify the NEED_BL30 option. The main Makefile is now completely
unaware of additional images not built as part of Trusted Firmware,
like BL30. It is the platform responsibility to specify images using
the macro 'FIP_ADD_IMG'. Juno uses this macro to include the BL30
image in the build.
BL33 image is specified in the main Makefile to preserve backward
compatibility with the NEED_BL33 option. Otherwise, platform ports
that rely on the definition of NEED_BL33 might break.
All Trusted Board Boot related definitions have been moved to a
separate file 'tbbr_tools.mk'. The main Makefile will include this
file unless the platform indicates otherwise by setting the variable
'INCLUDE_TBBR_MK := 0' in the corresponding platform.mk file. This
will keep backward compatibility but ideally each platform should
include the corresponding TBB .mk file in platform.mk.
Change-Id: I35e7bc9930d38132412e950e20aa2a01e2b26801
This patch redefines the values of IO_FAIL, IO_NOT_SUPPORTED and
IO_RESOURCES_EXHAUSTED to match the corresponding definitions in
errno.h:
#define IO_FAIL (-ENOENT)
#define IO_NOT_SUPPORTED (-ENODEV)
#define IO_RESOURCES_EXHAUSTED (-ENOMEM)
NOTE: please note that the IO_FAIL, IO_NOT_SUPPORTED and
IO_RESOURCES_EXHAUSTED definitions are considered deprecated
and their usage should be avoided. Callers should rely on errno.h
definitions when checking the return values of IO functions.
Change-Id: Ic8491aa43384b6ee44951ebfc053a3ded16a80be
This patch adds an optional API to the platform port:
void bl1_plat_prepare_exit(void);
This function is called prior to exiting BL1 in response to the
RUN_IMAGE_SMC request raised by BL2. It should be used to perform
platform specific clean up or bookkeeping operations before
transferring control to the next image.
A weak empty definition of this function has been provided to
preserve platform backwards compatibility.
Change-Id: Iec09697de5c449ae84601403795cdb6aca166ba1
When a platform port does not define PLAT_PERCPU_BAKERY_LOCK_SIZE, the total
memory that should be allocated per-cpu to accommodate all bakery locks is
calculated by the linker in bl31.ld.S. The linker stores this value in the
__PERCPU_BAKERY_LOCK_SIZE__ linker symbol. The runtime value of this symbol is
different from the link time value as the symbol is relocated into the current
section (.bss). This patch fixes this issue by marking the symbol as ABSOLUTE
which allows it to retain its correct value even at runtime.
The description of PLAT_PERCPU_BAKERY_LOCK_SIZE in the porting-guide.md has been
made clearer as well.
Change-Id: Ia0cfd42f51deaf739d792297e60cad5c6e6e610b
This patch unifies the bakery lock api's across coherent and normal
memory implementation of locks by using same data type `bakery_lock_t`
and similar arguments to functions.
A separate section `bakery_lock` has been created and used to allocate
memory for bakery locks using `DEFINE_BAKERY_LOCK`. When locks are
allocated in normal memory, each lock for a core has to spread
across multiple cache lines. By using the total size allocated in a
separate cache line for a single core at compile time, the memory for
other core locks is allocated at link time by multiplying the single
core locks size with (PLATFORM_CORE_COUNT - 1). The normal memory lock
algorithm now uses lock address instead of the `id` in the per_cpu_data.
For locks allocated in coherent memory, it moves locks from
tzfw_coherent_memory to bakery_lock section.
The bakery locks are allocated as part of bss or in coherent memory
depending on usage of coherent memory. Both these regions are
initialised to zero as part of run_time_init before locks are used.
Hence, bakery_lock_init() is made an empty function as the lock memory
is already initialised to zero.
The above design lead to the removal of psci bakery locks from
non_cpu_power_pd_node to psci_locks.
NOTE: THE BAKERY LOCK API WHEN USE_COHERENT_MEM IS NOT SET HAS CHANGED.
THIS IS A BREAKING CHANGE FOR ALL PLATFORM PORTS THAT ALLOCATE BAKERY
LOCKS IN NORMAL MEMORY.
Change-Id: Ic3751c0066b8032dcbf9d88f1d4dc73d15f61d8b
ARM TF configures all interrupts as non-secure except those which
are present in irq_sec_array. This patch updates the irq_sec_array
with the missing secure interrupts for ARM platforms.
It also updates the documentation to be inline with the latest
implementation.
FixesARM-software/tf-issues#312
Change-Id: I39956c56a319086e3929d1fa89030b4ec4b01fcc
This patch corrects some typos in the platform migration guide. More
importantly, the commit ID of the patch that implements migration of ARM
Reference platforms to the new platform API has been corrected.
Change-Id: Ib0109ea42c3d2bad2c6856ab725862652da7f3c8
This patch adds the necessary documentation updates to porting_guide.md
for the changes in the platform interface mandated as a result of the new
PSCI Topology and power state management frameworks. It also adds a
new document `platform-migration-guide.md` to aid the migration of existing
platform ports to the new API.
The patch fixes the implementation and callers of
plat_is_my_cpu_primary() to use w0 as the return parameter as implied by
the function signature rather than x0 which was used previously.
Change-Id: Ic11e73019188c8ba2bd64c47e1729ff5acdcdd5b
Since there is a unique warm reset entry point, the FVP and Juno
port can use a single mailbox instead of maintaining one per core.
The mailbox gets programmed only once when plat_setup_psci_ops()
is invoked during PSCI initialization. This means mailbox is not
zeroed out during wakeup.
Change-Id: Ieba032a90b43650f970f197340ebb0ce5548d432
This patch adds support to the Juno and FVP ports for composite power states
with both the original and extended state-id power-state formats. Both the
platform ports use the recommended state-id encoding as specified in
Section 6.5 of the PSCI specification (ARM DEN 0022C). The platform build flag
ARM_RECOM_STATE_ID_ENC is used to include this support.
By default, to maintain backwards compatibility, the original power state
parameter format is used and the state-id field is expected to be zero.
Change-Id: Ie721b961957eaecaca5bf417a30952fe0627ef10
This patch defines deprecated platform APIs to enable Trusted
Firmware components like Secure Payload and their dispatchers(SPD)
to continue to build and run when platform compatibility is disabled.
This decouples the migration of platform ports to the new platform API
from SPD and enables them to be migrated independently. The deprecated
platform APIs defined in this patch are : platform_get_core_pos(),
platform_get_stack() and platform_set_stack().
The patch also deprecates MPIDR based context management helpers like
cm_get_context_by_mpidr(), cm_set_context_by_mpidr() and cm_init_context().
A mechanism to deprecate APIs and identify callers of these APIs during
build is introduced, which is controlled by the build flag WARN_DEPRECATED.
If WARN_DEPRECATED is defined to 1, the users of the deprecated APIs will be
flagged either as a link error for assembly files or compile time warning
for C files during build.
Change-Id: Ib72c7d5dc956e1a74d2294a939205b200f055613
The state-id field in the power-state parameter of a CPU_SUSPEND call can be
used to describe composite power states specific to a platform. The current PSCI
implementation does not interpret the state-id field. It relies on the target
power level and the state type fields in the power-state parameter to perform
state coordination and power management operations. The framework introduced
in this patch allows the PSCI implementation to intepret generic global states
like RUN, RETENTION or OFF from the State-ID to make global state coordination
decisions and reduce the complexity of platform ports. It adds support to
involve the platform in state coordination which facilitates the use of
composite power states and improves the support for entering standby states
at multiple power domains.
The patch also includes support for extended state-id format for the power
state parameter as specified by PSCIv1.0.
The PSCI implementation now defines a generic representation of the power-state
parameter. It depends on the platform port to convert the power-state parameter
(possibly encoding a composite power state) passed in a CPU_SUSPEND call to this
representation via the `validate_power_state()` plat_psci_ops handler. It is an
array where each index corresponds to a power level. Each entry contains the
local power state the power domain at that power level could enter.
The meaning of the local power state values is platform defined, and may vary
between levels in a single platform. The PSCI implementation constrains the
values only so that it can classify the state as RUN, RETENTION or OFF as
required by the specification:
* zero means RUN
* all OFF state values at all levels must be higher than all RETENTION
state values at all levels
* the platform provides PLAT_MAX_RET_STATE and PLAT_MAX_OFF_STATE values
to the framework
The platform also must define the macros PLAT_MAX_RET_STATE and
PLAT_MAX_OFF_STATE which lets the PSCI implementation find out which power
domains have been requested to enter a retention or power down state. The PSCI
implementation does not interpret the local power states defined by the
platform. The only constraint is that the PLAT_MAX_RET_STATE <
PLAT_MAX_OFF_STATE.
For a power domain tree, the generic implementation maintains an array of local
power states. These are the states requested for each power domain by all the
cores contained within the domain. During a request to place multiple power
domains in a low power state, the platform is passed an array of requested
power-states for each power domain through the plat_get_target_pwr_state()
API. It coordinates amongst these states to determine a target local power
state for the power domain. A default weak implementation of this API is
provided in the platform layer which returns the minimum of the requested
power-states back to the PSCI state coordination.
Finally, the plat_psci_ops power management handlers are passed the target
local power states for each affected power domain using the generic
representation described above. The platform executes operations specific to
these target states.
The platform power management handler for placing a power domain in a standby
state (plat_pm_ops_t.pwr_domain_standby()) is now only used as a fast path for
placing a core power domain into a standby or retention state should now be
used to only place the core power domain in a standby or retention state.
The extended state-id power state format can be enabled by setting the
build flag PSCI_EXTENDED_STATE_ID=1 and it is disabled by default.
Change-Id: I9d4123d97e179529802c1f589baaa4101759d80c
This patch removes the assumption in the current PSCI implementation that MPIDR
based affinity levels map directly to levels in a power domain tree. This
enables PSCI generic code to support complex power domain topologies as
envisaged by PSCIv1.0 specification. The platform interface for querying
the power domain topology has been changed such that:
1. The generic PSCI code does not generate MPIDRs and use them to query the
platform about the number of power domains at a particular power level. The
platform now provides a description of the power domain tree on the SoC
through a data structure. The existing platform APIs to provide the same
information have been removed.
2. The linear indices returned by plat_core_pos_by_mpidr() and
plat_my_core_pos() are used to retrieve core power domain nodes from the
power domain tree. Power domains above the core level are accessed using a
'parent' field in the tree node descriptors.
The platform describes the power domain tree in an array of 'unsigned
char's. The first entry in the array specifies the number of power domains at
the highest power level implemented in the system. Each susbsequent entry
corresponds to a power domain and contains the number of power domains that are
its direct children. This array is exported to the generic PSCI implementation
via the new `plat_get_power_domain_tree_desc()` platform API.
The PSCI generic code uses this array to populate its internal power domain tree
using the Breadth First Search like algorithm. The tree is split into two
arrays:
1. An array that contains all the core power domain nodes
2. An array that contains all the other power domain nodes
A separate array for core nodes allows certain core specific optimisations to
be implemented e.g. remove the bakery lock, re-use per-cpu data framework for
storing some information.
Entries in the core power domain array are allocated such that the
array index of the domain is equal to the linear index returned by
plat_core_pos_by_mpidr() and plat_my_core_pos() for the MPIDR
corresponding to that domain. This relationship is key to be able to use
an MPIDR to find the corresponding core power domain node, traverse to higher
power domain nodes and index into arrays that contain core specific
information.
An introductory document has been added to briefly describe the new interface.
Change-Id: I4b444719e8e927ba391cae48a23558308447da13
This patch fixes a pair of typos. The security state had been described
as non-secure where it should have been secure.
Change-Id: Ib3f424708a6b8e2084e5447f8507ea4e9c99ee79
The TZDRAM base on the reference platform has been bumped up due to
some BL2 memory cleanup. Platforms can also use a different TZDRAM
base by setting TZDRAM_BASE=<value> in the build command line.
Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>
This patch removes the bootargs pointer from the platform params
structure. Instead the bootargs are passed by the BL2 in the
bl32_ep_info struct which is a part of the EL3 params struct.
Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>
Remove the 'NEED_BL32' flag from the makefile. TLK compiles using a
completely different build system and is present on the device as a
binary blob. The NEED_BL32 flag does not influence the TLK load/boot
sequence at all. Moreover, it expects that TLK binary be present on
the host before we can compile BL31 support for Tegra.
This patch removes the flag from the makefile and thus decouples both
the build systems.
Tested by booting TLK without the NEED_BL32 flag.
Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>
This patch implements support for T132 (Denver CPU) based Tegra
platforms.
The following features have been added:
* SiP calls to switch T132 CPU's AARCH mode
* Complete PSCI support, including 'System Suspend'
* Platform specific MMIO settings
* Locking of CPU vector registers
Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>
Linaro produce monthly software releases for the Juno and AEMv8-FVP
platforms. These provide an integrated set of software components
that have been tested together on these platforms.
From now on, it is recommend that Trusted Firmware developers use the
Linaro releases (currently 15.06) as a baseline for the dependent
software components: normal world firmware, Linux kernel and device
tree, file system as well as any additional micro-controller firmware
required by the platform.
This patch updates the user guide to document this new process. It
changes the instructions to get the source code of the full software
stack (including Trusted Firmware) and updates the dependency build
instructions to make use of the build scripts that the Linaro releases
provide.
Change-Id: Ia8bd043f4b74f1e1b10ef0d12cc8a56ed3c92b6e
This patch implements the get_sys_suspend_power_state() handler required by
the PSCI SYSTEM_SUSPEND API. The intent of this handler is to return the
appropriate State-ID field which can be utilized in `affinst_suspend()` to
suspend to system affinity level.
Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>
This patch updates the user guide, adding instructions to build the
Trusted Firmware with Trusted Board Support using the new framework.
It also provides documentation about the framework itself, including
a detailed section about the TBBR implementation using the framework.
Change-Id: I0849fce9c5294cd4f52981e7a8423007ac348ec6
The authentication framework deprecates plat_match_rotpk()
in favour of plat_get_rotpk_info(). This patch removes
plat_match_rotpk() from the platform port.
Change-Id: I2250463923d3ef15496f9c39678b01ee4b33883b
This patch modifies the Trusted Board Boot implementation to use
the new authentication framework, making use of the authentication
module, the cryto module and the image parser module to
authenticate the images in the Chain of Trust.
A new function 'load_auth_image()' has been implemented. When TBB
is enabled, this function will call the authentication module to
authenticate parent images following the CoT up to the root of
trust to finally load and authenticate the requested image.
The platform is responsible for picking up the right makefiles to
build the corresponding cryptographic and image parser libraries.
ARM platforms use the mbedTLS based libraries.
The platform may also specify what key algorithm should be used
to sign the certificates. This is done by declaring the 'KEY_ALG'
variable in the platform makefile. FVP and Juno use ECDSA keys.
On ARM platforms, BL2 and BL1-RW regions have been increased 4KB
each to accommodate the ECDSA code.
REMOVED BUILD OPTIONS:
* 'AUTH_MOD'
Change-Id: I47d436589fc213a39edf5f5297bbd955f15ae867
This patch extends the platform port by adding an API that returns
either the Root of Trust public key (ROTPK) or its hash. This is
usually stored in ROM or eFUSE memory. The ROTPK returned must be
encoded in DER format according to the following ASN.1 structure:
SubjectPublicKeyInfo ::= SEQUENCE {
algorithm AlgorithmIdentifier,
subjectPublicKey BIT STRING
}
In case the platform returns a hash of the key:
DigestInfo ::= SEQUENCE {
digestAlgorithm AlgorithmIdentifier,
keyDigest OCTET STRING
}
An implementation for ARM development platforms is provided in this
patch. When TBB is enabled, the ROTPK hash location must be specified
using the build option 'ARM_ROTPK_LOCATION'. Available options are:
- 'regs' : return the ROTPK hash stored in the Trusted
root-key storage registers.
- 'devel_rsa' : return a ROTPK hash embedded in the BL1 and
BL2 binaries. This hash has been obtained from the development
RSA public key located in 'plat/arm/board/common/rotpk'.
On FVP, the number of MMU tables has been increased to map and
access the ROTPK registers.
A new file 'board_common.mk' has been added to improve code sharing
in the ARM develelopment platforms.
Change-Id: Ib25862e5507d1438da10773e62bd338da8f360bf
The Trusted firmware code identifies BL images by name. The platform
port defines a name for each image e.g. the IO framework uses this
mechanism in the platform function plat_get_image_source(). For
a given image name, it returns the handle to the image file which
involves comparing images names. In addition, if the image is
packaged in a FIP, a name comparison is required to find the UUID
for the image. This method is not optimal.
This patch changes the interface between the generic and platform
code with regard to identifying images. The platform port must now
allocate a unique number (ID) for every image. The generic code will
use the image ID instead of the name to access its attributes.
As a result, the plat_get_image_source() function now takes an image
ID as an input parameter. The organisation of data structures within
the IO framework has been rationalised to use an image ID as an index
into an array which contains attributes of the image such as UUID and
name. This prevents the name comparisons.
A new type 'io_uuid_spec_t' has been introduced in the IO framework
to specify images identified by UUID (i.e. when the image is contained
in a FIP file). There is no longer need to maintain a look-up table
[iname_name --> uuid] in the io_fip driver code.
Because image names are no longer mandatory in the platform port, the
debug messages in the generic code will show the image identifier
instead of the file name. The platforms that support semihosting to
load images (i.e. FVP) must provide the file names as definitions
private to the platform.
The ARM platform ports and documentation have been updated accordingly.
All ARM platforms reuse the image IDs defined in the platform common
code. These IDs will be used to access other attributes of an image in
subsequent patches.
IMPORTANT: applying this patch breaks compatibility for platforms that
use TF BL1 or BL2 images or the image loading code. The platform port
must be updated to match the new interface.
Change-Id: I9c1b04cb1a0684c6ee65dee66146dd6731751ea5
This patch adds a boolean build option 'SAVE_KEYS' to indicate the
certificate generation tool that it must save the private keys used
to establish the chain of trust. This option depends on 'CREATE_KEYS'
to be enabled. Default is '0' (do not save).
Because the same filenames are used as outputs to save the keys,
they are no longer a dependency to the cert_tool. This dependency
has been removed from the Makefile.
Documentation updated accordingly.
Change-Id: I67ab1c2b1f8a25793f0de95e8620ce7596a6bc3b
This patch adds support for SYSTEM_SUSPEND API as mentioned in the PSCI 1.0
specification. This API, on being invoked on the last running core on a
supported platform, will put the system into a low power mode with memory
retention.
The psci_afflvl_suspend() internal API has been reused as most of the actions
to suspend a system are the same as invoking the PSCI CPU_SUSPEND API with the
target affinity level as 'system'. This API needs the 'power state' parameter
for the target low power state. This parameter is not passed by the caller of
the SYSTEM_SUSPEND API. Hence, the platform needs to implement the
get_sys_suspend_power_state() platform function to provide this information.
Also, the platform also needs to add support for suspending the system to the
existing 'plat_pm_ops' functions: affinst_suspend() and
affinst_suspend_finish().
Change-Id: Ib6bf10809cb4e9b92f463755608889aedd83cef5
This patch adds support to run a Trusted OS during boot time. The
previous stage bootloader passes the entry point information in
the 'bl32_ep_info' structure, which is passed over to the SPD.
The build system expects the dispatcher to be passed as an input
parameter using the 'SPD=<dispatcher>' option. The Tegra docs have
also been updated with this information.
Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>
The 'ARM_TSP_RAM_LOCATION_ID' option specified in the user guide
corresponds to the internal definition not visible to the final
user. The proper build option is 'ARM_TSP_RAM_LOCATION'. This
patch fixes it.
FixesARM-software/tf-issues#308
Change-Id: Ica8cb72c0c5e8b3503f60b5357d16698e869b1bd
This patch introduces a new platform build option, called
PROGRAMMABLE_RESET_ADDRESS, which tells whether the platform has
a programmable or fixed reset vector address.
If the reset vector address is fixed then the code relies on the
platform_get_entrypoint() mailbox mechanism to figure out where
it is supposed to jump. On the other hand, if it is programmable
then it is assumed that the platform code will program directly
the right address into the RVBAR register (instead of using the
mailbox redirection) so the mailbox is ignored in this case.
Change-Id: If59c3b11fb1f692976e1d8b96c7e2da0ebfba308
The attempt to run the CPU reset code as soon as possible after reset
results in highly complex conditional code relating to the
RESET_TO_BL31 option.
This patch relaxes this requirement a little. In the BL1, BL3-1 and
PSCI entrypoints code, the sequence of operations is now as follows:
1) Detect whether it is a cold or warm boot;
2) For cold boot, detect whether it is the primary or a secondary
CPU. This is needed to handle multiple CPUs entering cold reset
simultaneously;
3) Run the CPU init code.
This patch also abstracts the EL3 registers initialisation done by
the BL1, BL3-1 and PSCI entrypoints into common code.
This improves code re-use and consolidates the code flows for
different types of systems.
NOTE: THE FUNCTION plat_secondary_cold_boot() IS NOW EXPECTED TO
NEVER RETURN. THIS PATCH FORCES PLATFORM PORTS THAT RELIED ON THE
FORMER RETRY LOOP AT THE CALL SITE TO MODIFY THEIR IMPLEMENTATION.
OTHERWISE, SECONDARY CPUS WILL PANIC.
Change-Id: If5ecd74d75bee700b1bd718d23d7556b8f863546
This patch removes the FIRST_RESET_HANDLER_CALL build flag and its
use in ARM development platforms. If a different reset handling
behavior is required between the first and subsequent invocations
of the reset handling code, this should be detected at runtime.
On Juno, the platform reset handler is now always compiled in.
This means it is now executed twice on the cold boot path, first in
BL1 then in BL3-1, and it has the same behavior in both cases. It is
also executed twice on the warm boot path, first in BL1 then in the
PSCI entrypoint code.
Also update the documentation to reflect this change.
NOTE: THIS PATCH MAY FORCE PLATFORM PORTS THAT USE THE
FIRST_RESET_HANDLER_CALL BUILD OPTION TO FIX THEIR RESET HANDLER.
Change-Id: Ie5c17dbbd0932f5fa3b446efc6e590798a5beae2
On ARM standard platforms, snoop and DVM requests used to be enabled
for the primary CPU's cluster only in the first EL3 bootloader.
In other words, if the platform reset into BL1 then CCI coherency
would be enabled by BL1 only, and not by BL3-1 again.
However, this doesn't cater for platforms that use BL3-1 along with
a non-TF ROM bootloader that doesn't enable snoop and DVM requests.
In this case, CCI coherency is never enabled.
This patch modifies the function bl31_early_platform_setup() on
ARM standard platforms so that it always enables snoop and DVM
requests regardless of whether earlier bootloader stages have
already done it. There is no harm in executing this code twice.
ARM Trusted Firmware Design document updated accordingly.
Change-Id: Idf1bdeb24d2e1947adfbb76a509f10beef224e1c
T210 is the latest chip in the Tegra family of SoCs from NVIDIA. It is an
ARM v8 dual-cluster (A57/A53) SoC, with any one of the clusters being active
at a given point in time.
This patch adds support to boot the Trusted Firmware on T210 SoCs. The patch
also adds support to boot secondary CPUs, enter/exit core power states for
all CPUs in the slow/fast clusters. The support to switch between clusters
is still not available in this patch and would be available later.
Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>
There has been a breaking change in the communication protocols used
between the AP cores and the SCP on CSS based platforms like Juno.
This means both the AP Trusted Firmware and SCP firmware must be
updated at the same time.
In case the user forgets to update the SCP ROM firmware, this patch
detects when it still uses the previous version of the communication
protocol. It will then output a comprehensive error message that helps
trouble-shoot the issue.
Change-Id: I7baf8f05ec0b7d8df25e0ee53df61fe7be0207c2
Update the User Guide, Porting Guide and Firmware Design documents
to align them with the recent changes made to the FVP and Juno
platform ports.
Also fix some other historical inaccuracies.
Change-Id: I37aba4805f9044b1a047996d3e396c75f4a09176
Include TLK Dispatcher's documentation and add NVIDIA to the
Acknowledgements file. TLK is now a supported Trusted OS with
the Trusted Firmware.
Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>
Even though both CCI-400 and CCI-500 IPs have different configurations
with respect to the number and types of supported interfaces, their
register offsets and programming sequences are similar. This patch
creates a common driver for enabling and disabling snoop transactions
and DVMs with both the IPs.
New platform ports which implement one of these IPs should use this
common driver. Existing platform ports which implement CCI-400 should
migrate to the common driver as the standalone CCI-400 will be
deprecated in the future.
Change-Id: I3ccd0eb7b062922d2e4a374ff8c21e79fa357556
The 'libssl-dev' package must be installed on the host to build the
certificate generation tool. This patch adds it to the list of
required tools in the User Guide.
Change-Id: I018381fb14b7c2d2bd6f2b7929aaad0571f7eb2e
This patch replaces SHA1 by SHA256 in the 'cert_create' tool, so
certificate signatures are generated according to the NSA Suite B
cryptographic algorithm requirements.
Documentation updated accordingly.
Change-Id: I7be79e6b2b62dac8dc78a4f4f5006e37686bccf6
This patch removes the plat_get_max_afflvl() platform API
and instead replaces it with a platform macro PLATFORM_MAX_AFFLVL.
This is done because the maximum affinity level for a platform
is a static value and it is more efficient for it to be defined
as a platform macro.
NOTE: PLATFORM PORTS NEED TO BE UPDATED ON MERGE OF THIS COMMIT
FixesARM-Software/tf-issues#265
Change-Id: I31d89b30c2ccda30d28271154d869060d50df7bf
The command line options specified in the User Guide to run the AEMv8 Base FVP
with the legacy VE memory map apply only when the model is configured to use GIC
v2.0. This patch adds the 'gicv3.gicv2-only=1' to the command line to ensure
that the right version of GIC is used.
Change-Id: I34c44e19fd42c29818b734ac8f6aa9bf97b4e891
This patch updates the user-guide.md with the various build options related to
Trusted Board Boot and steps to build a FIP image which includes this
support. It also adds a trusted-board-boot.md which describes the scope and
design of this feature.
Change-Id: Ifb421268ebf7e06a135684c8ebb04c94835ce061
Final updates to readme.md and change-log.md for ARM Trusted Firmware version
1.1. Also increment the version in the Makefile.
Change-Id: Ib001a6ec9a9c570985841d06f0ff80ed76c2996b
Move up the version numbers in the user guide of:
* DS-5 (to v5.20)
* EDK2 (to v2.1-rc0)
* Linux Kernel (to 1.3-Juno)
* Linaro file-system (to 14.12)
* Juno SCP binary (to 1.5.0-rc0 within board recovery image 0.10.1).
Also remove duplicate information that is available from the
ARM Connected Community website.
* Base FVP (to 6.2)
* Foundation FVP (to 9.1). Also update the name of the Foundation
FVP binary since it has changed since version 2.1.
Co-Authored-By: Dan Handley <dan.handley@arm.com>
Change-Id: I1cf2f2b1a3f1b997ac905a4ab440876d265698c0
The CPU specific reset handlers no longer have the freedom
of using any general purpose register because it is being invoked
by the BL3-1 entry point in addition to BL1. The Cortex-A57 CPU
specific reset handler was overwriting x20 register which was being
used by the BL3-1 entry point to save the entry point information.
This patch fixes this bug by reworking the register allocation in the
Cortex-A57 reset handler to avoid using x20. The patch also
explicitly mentions the register clobber list for each of the
callee functions invoked by the reset handler
Change-Id: I28fcff8e742aeed883eaec8f6c4ee2bd3fce30df
This patch adds the function plat_match_rotpk() to the platform
porting layer to provide a Root Of Trust Public key (ROTPK)
verification mechanism. This function is called during the
Trusted Board Boot process and receives a supposed valid copy
of the ROTPK as a parameter, usually obtained from an external
source (for instance, a certificate). It returns 0 (success) if
that key matches the actual ROTPK stored in the system or any
other value otherwise.
The mechanism to access the actual ROTPK stored in the system
is platform specific and should be implemented as part of this
function. The format of the ROTPK is also platform specific
(to save memory, some platforms might store a hash of the key
instead of the whole key).
TRUSTED_BOARD_BOOT build option has been added to allow the user
to enable the Trusted Board Boot features. The implementation of
the plat_match_rotpk() funtion is mandatory when Trusted Board
Boot is enabled.
For development purposes, FVP and Juno ports provide a dummy
function that returns always success (valid key). A safe trusted
boot implementation should provide a proper matching function.
Documentation updated accordingly.
Change-Id: I74ff12bc2b041556c48533375527d9e8c035b8c3
This patch adds support to call the reset_handler() function in BL3-1 in the
cold and warm boot paths when another Boot ROM reset_handler() has already run.
This means the BL1 and BL3-1 versions of the CPU and platform specific reset
handlers may execute different code to each other. This enables a developer to
perform additional actions or undo actions already performed during the first
call of the reset handlers e.g. apply additional errata workarounds.
Typically, the reset handler will be first called from the BL1 Boot ROM. Any
additional functionality can be added to the reset handler when it is called
from BL3-1 resident in RW memory. The constant FIRST_RESET_HANDLER_CALL is used
to identify whether this is the first version of the reset handler code to be
executed or an overridden version of the code.
The Cortex-A57 errata workarounds are applied only if they have not already been
applied.
FixesARM-software/tf-issue#275
Change-Id: Id295f106e4fda23d6736debdade2ac7f2a9a9053
This patch provides an option to specify a interrupt routing model
where non-secure interrupts (IRQs) are routed to EL3 instead of S-EL1.
When such an interrupt occurs, the TSPD arranges a return to
the normal world after saving any necessary context. The interrupt
routing model to route IRQs to EL3 is enabled only during STD SMC
processing. Thus the pre-emption of S-EL1 is disabled during Fast SMC
and Secure Interrupt processing.
A new build option TSPD_ROUTE_NS_INT_EL3 is introduced to change
the non secure interrupt target execution level to EL3.
FixesARM-software/tf-issues#225
Change-Id: Ia1e779fbbb6d627091e665c73fa6315637cfdd32
This patch:
* Bumps the PSCI VERSION to 1.0. This means that
the PSCI_VERSION API will now return the value 0x00010000
to indicate the version as 1.0. The firmware remains
compatible with PSCI v0.2 clients.
* The firmware design guide is updated to document the
APIs supported by the Trusted Firmware generic code.
* The FVP Device Tree Sources (dts) and Blobs(dtb) are also
updated to add "psci-1.0" and "psci-0.2" to the list of
compatible PSCI versions.
Change-Id: Iafc2f549c92651dcd65d7e24a8aae35790d00f8a
This patch allows the secure payload (BL3-2) to be loaded in the
DRAM region secured by the TrustZone controller (top 16 MB of DRAM1).
The location of BL3-2 can be selected at build time by setting the
build flag FVP_TSP_RAM_LOCATION to one of the following options:
- 'tsram' : Trusted SRAM (this is the default option)
- 'tdram' : Trusted DRAM
- 'dram' : Secure region in DRAM1 (top 16MB configured by the
TrustZone controller)
The number of MMU tables in BL3-2 depends on its location in
memory: 3 in case it is loaded in DRAM, 2 otherwise.
Documentation updated accordingly.
FixesARM-software/tf-issues#212
Change-Id: I371eef3a4159f06a0c9e3c6c1f4c905b2f93803a
This patch allows the platform to validate the power_state and
entrypoint information from the normal world early on in PSCI
calls so that we can return the error safely. New optional
pm_ops hooks `validate_power_state` and `validate_ns_entrypoint`
are introduced to do this.
As a result of these changes, all the other pm_ops handlers except
the PSCI_ON handler are expected to be successful. Also, the PSCI
implementation will now assert if a PSCI API is invoked without the
corresponding pm_ops handler being registered by the platform.
NOTE : PLATFORM PORTS WILL BREAK ON MERGE OF THIS COMMIT. The
pm hooks have 2 additional optional callbacks and the return type
of the other hooks have changed.
FixesARM-Software/tf-issues#229
Change-Id: I036bc0cff2349187c7b8b687b9ee0620aa7e24dc
This patch removes the non-secure entry point information being passed
to the platform pm_ops which is not needed. Also, it removes the `mpidr`
parameter for platform pm hooks which are meant to do power management
operations only on the current cpu.
NOTE: PLATFORM PORTS MUST BE UPDATED AFTER MERGING THIS COMMIT.
Change-Id: If632376a990b7f3b355f910e78771884bf6b12e7
This patch extends the build option `USE_COHERENT_MEMORY` to
conditionally remove coherent memory from the memory maps of
all boot loader stages. The patch also adds necessary
documentation for coherent memory removal in firmware-design,
porting and user guides.
FixesARM-Software/tf-issues#106
Change-Id: I260e8768c6a5c2efc402f5804a80657d8ce38773
Patch 20d51ca moved the shared data page from the top of the
Trusted SRAM to the bottom, changing the load addresses of BL3-1
and BL3-2.
This patch updates BL3-1 and BL3-2 addresses in the instructions
to run the Trusted Firmware on FVP using BL3-1 as reset vector.
This patch is similar to but distinct from bfb1dd5 and 7ea4c43.
Change-Id: I6b467f9a82360a5e2181db99fea881487de52704
This patch allows the BL3-1 NOBITS section to overlap the BL1 R/W
section since the former will always be used after the latter.
Similarly, the BL3-2 NOBITS section can overlay the BL2 image
when BL3-2 is loaded in Trusted SRAM.
Due to the current size of the images, there is no actual overlap.
Nevertheless, this reorganization may help to optimise the Trusted
SRAM usage when the images size grows.
Note that because BL3-1 NOBITS section is allowed to overlap the
BL1 R/W section, BL1 global variables will remain valid only until
execution reaches the BL3-1 entry point during a cold boot.
Documentation updated accordingly.
FixesARM-software/tf-issues#254
Change-Id: Id538f4d1c7f1f7858108280fd7b97e138572b879
Previously, the User Guide recommended launching the Foundation
FVP with the parameter --no-secure-memory, which disabled security
control of the address map. This was due to missing support for
secure memory regions in v1 of the Foundation FVP. This is no longer
needed as secure memory is now supported on the Foundation FVP.
This patch updates the User Guide to recommend enabling secure
memory instead.
Change-Id: Ifae53c10ff6e1c7c6724af20e05a3d3a88f6a5ad
This patch allows to define the name of the FIP at build time by
defining the FIP_NAME variable. If FIP_NAME is not defined, default
name 'fip.bin' is used.
Documentation updated accordingly.
Change-Id: Ic41f42aac379b0c958b3dfd02863ba8ba7108710
This patch optimizes the Cortex-A57 cluster power down sequence by not
flushing the Level1 data cache. The L1 data cache and the L2 unified
cache are inclusive. A flush of the L2 by set/way flushes any dirty
lines from the L1 as well. This is a known safe deviation from the
Cortex-A57 TRM defined power down sequence. This optimization can be
enabled by the platform through the 'SKIP_A57_L1_FLUSH_PWR_DWN' build
flag. Each Cortex-A57 based platform must make its own decision on
whether to use the optimization.
This patch also renames the cpu-errata-workarounds.md to
cpu-specific-build-macros.md as this facilitates documentation
of both CPU Specific errata and CPU Specific Optimization
build macros.
Change-Id: I299b9fe79e9a7e08e8a0dffb7d345f9a00a71480
Prior to this patch, the errata workarounds were applied for any version
of the CPU in the release build and in the debug build an assert
failure resulted when the revision did not match. This patch applies
errata workarounds in the Cortex-A57 reset handler only if the 'variant'
and 'revision' fields read from the MIDR_EL1 match. In the debug build,
a warning message is printed for each errata workaround which is not
applied.
The patch modifies the register usage in 'reset_handler` so
as to adhere to ARM procedure calling standards.
FixesARM-software/tf-issues#242
Change-Id: I51b1f876474599db885afa03346e38a476f84c29
This patch deprecates the build option to relocate the shared data
into Trusted DRAM in FVP. After this change, shared data is always
located at the base of Trusted SRAM. This reduces the complexity
of the memory map and the number of combinations in the build
options.
FixesARM-software/tf-issues#257
Change-Id: I68426472567b9d8c6d22d8884cb816f6b61bcbd3
This patch configures the TrustZone Controller in Juno to split
the 2GB DDR-DRAM memory at 0x80000000 into Secure and Non-Secure
regions:
- Secure DDR-DRAM: top 16 MB, except for the last 2 MB which are
used by the SCP for DDR retraining
- Non-Secure DDR-DRAM: remaining DRAM starting at base address
Build option PLAT_TSP_LOCATION selects the location of the secure
payload (BL3-2):
- 'tsram' : Trusted SRAM (default option)
- 'dram' : Secure region in the DDR-DRAM (set by the TrustZone
controller)
The MMU memory map has been updated to give BL2 permission to load
BL3-2 into the DDR-DRAM secure region.
FixesARM-software/tf-issues#233
Change-Id: I6843fc32ef90aadd3ea6ac4c7f314f8ecbd5d07b
This patch adds support for supplying pre-built BL binaries for BL2,
BL3-1 and BL3-2 during trusted firmware build. Specifying BLx = <path_to_BLx>
in the build command line, where 'x' is any one of BL2, BL3-1 or BL3-2, will
skip building that BL stage from source and include the specified binary in
final fip image.
This patch also makes BL3-3 binary for FIP optional depending on the
value of 'NEED_BL33' flag which is defined by the platform.
FixesARM-software/tf-issues#244FixesARM-software/tf-issues#245
Change-Id: I3ebe1d4901f8b857e8bb51372290978a3323bfe7
Final updates to readme.md and change-log.md for ARM Trusted
Firmware version 1.0. Also increment the version in the Makefile.
Change-Id: I00fe1016c8b936834bbf7bbba7aab07f51261bbb
* Fix broken link to SCP download.
* Remove requirement to install `ia32-libs`. This package is no
longer available in current versions of Ubuntu and is no
longer required when using the Linaro toolchain.
Change-Id: I9823d535a1d69136685754b7707b73e1eef0978d
This patch gathers miscellaneous minor fixes to the documentation, and comments
in the source code.
Change-Id: I631e3dda5abafa2d90f464edaee069a1e58b751b
Co-Authored-By: Soby Mathew <soby.mathew@arm.com>
Co-Authored-By: Dan Handley <dan.handley@arm.com>
This patch reorganizes the firmware design guide to add information about the
port of the ARM Trusted Firmware to the Juno ARM development platform.
Change-Id: I0b80e2e7a35ccad1af2e971506cfb7fe505f8b84
This patch makes the Trusted Firmware build instructions in the
user guide platform independent.
FVP specific instructions have been grouped together under a new
section dedicated to FVP.
Juno specific instructions to build and run the Trusted Firmware,
UEFI and Linux have been added.
Change-Id: I9bfb1b9d732b1f73abbe29f68ac931e1773a4fd5
Fix the instructions for resetting to the BL3-1 entrypoint in the
user guide. The BL3-1 and BL3-2 image locations changed in the fix
to ARM-software/tf-issues#100 (commit 186c1d4). This is distinct
from the similar issue fixed in commit bfb1dd5.
Also clarify the dependence on the FVP_SHARED_DATA_LOCATION and
FVP_TSP_RAM_LOCATION build options, and tidy up the "Notes
regarding Base FVP configuration options" section.
Change-Id: I6b03452a71f0c69efa169852712bcb184242696e
Move up the version numbers of the following Trusted Firmware
dependencies in the user guide:
* Foundation and Base FVPs (latest publically available
versions).
* EDK2 implementation. The guide now uses the latest version from
https://github.com/ARM-software/edk2.git. This requires the
`iasl` package to also be installed.
* Linux kernel. The guide now uses the latest version from
https://github.com/ARM-software/linux.git.
* Linaro OpenEmbedded file system.
* ARM Development Studio 5.
Change-Id: I95bb863a61e47b9ef8be3d110f7087375ee78add
This patch adds documentation for CPU specific abstraction in the firmware-
design.md and adds a new document cpu-errata-workarounds.md to describe
the cpu errata workaround build flags.
Change-Id: Ia08c2fec0b868a0a107d0264e87a60182797a1bd
This patch adds CPU core and cluster power down sequences to the CPU specific
operations framework introduced in a earlier patch. Cortex-A53, Cortex-A57 and
generic AEM sequences have been added. The latter is suitable for the
Foundation and Base AEM FVPs. A pointer to each CPU's operations structure is
saved in the per-cpu data so that it can be easily accessed during power down
seqeunces.
An optional platform API has been introduced to allow a platform to disable the
Accelerator Coherency Port (ACP) during a cluster power down sequence. The weak
definition of this function (plat_disable_acp()) does not take any action. It
should be overriden with a strong definition if the ACP is present on a
platform.
Change-Id: I8d09bd40d2f528a28d2d3f19b77101178778685d
This patch adds an optional platform API (plat_reset_handler) which allows the
platform to perform any actions immediately after a cold or warm reset
e.g. implement errata workarounds. The function is called with MMU and caches
turned off. This API is weakly defined and does nothing by default but can be
overriden by a platform with a strong definition.
Change-Id: Ib0acdccbd24bc756528a8bd647df21e8d59707ff
* Move TSP platform porting functions to new file:
include/bl32/tsp/platform_tsp.h.
* Create new TSP_IRQ_SEC_PHY_TIMER definition for use by the generic
TSP interrupt handling code, instead of depending on the FVP
specific definition IRQ_SEC_PHY_TIMER.
* Rename TSP platform porting functions from bl32_* to tsp_*, and
definitions from BL32_* to TSP_*.
* Update generic TSP code to use new platform porting function names
and definitions.
* Update FVP port accordingly and move all TSP source files to:
plat/fvp/tsp/.
* Update porting guide with above changes.
Note: THIS CHANGE REQUIRES ALL PLATFORM PORTS OF THE TSP TO
BE UPDATED
FixesARM-software/tf-issues#167
Change-Id: Ic0ff8caf72aebb378d378193d2f017599fc6b78f
The intent of io_init() was to allow platform ports to provide
a data object (io_plat_data_t) to the IO storage framework to
allocate into. The abstraction was incomplete because io_plat_data_t
uses a platform defined constant and the IO storage framework
internally allocates other arrays using platform defined constants.
This change simplifies the implementation by instantiating the
supporting objects in the IO storage framework itself. There is now
no need for the platform to call io_init().
The FVP port has been updated accordingly.
THIS CHANGE REQUIRES ALL PLATFORM PORTS THAT USE THE IO STORAGE
FRAMEWORK TO BE UDPATED.
Change-Id: Ib48ac334de9e538064734334c773f8b43df3a7dc
This patch groups the current contents of the Trusted DRAM region at
address 0x00_0600_0000 (entrypoint mailboxes and BL3-1 parameters) in
a single shared memory area that may be allocated to Trusted SRAM
(default) or Trusted DRAM at build time by setting the
FVP_SHARED_DATA_LOCATION make variable. The size of this shared
memory is 4096 bytes.
The combination 'Shared data in Trusted SRAM + TSP in Trusted DRAM'
is not currently supported due to restrictions in the maximum number
of mmu tables that can be created.
Documentation has been updated to reflect these changes.
FixesARM-software/tf-issues#100
Change-Id: I26ff04d33ce4cacf8d770d1a1e24132b4fc53ff0
Fix the instructions for resetting to the BL3-1 entrypoint in the
user guide. The BL3-1 and BL3-2 image locations changed in the fix
to ARM-software/tf-issues#117 (commit a1b6db6).
FixesARM-software/tf-issues#237
Change-Id: I764eb17c66034511efb984c0e7cfda29bd99198f
Create new LOG_LEVEL build option, which controls the amount of
console output compiled into the build. This should be one of the
following:
0 (LOG_LEVEL_NONE)
10 (LOG_LEVEL_NOTICE)
20 (LOG_LEVEL_ERROR)
30 (LOG_LEVEL_WARNING)
40 (LOG_LEVEL_INFO)
50 (LOG_LEVEL_VERBOSE)
All log output up to and including the log level is compiled into the
build. The default value is 40 in debug builds and 20 in release
builds.
Complement the existing INFO, WARN and ERROR console output macros
with NOTICE and VERBOSE macros, which are conditionally compiled in
depending on the value of LOG_LEVEL.
FixesARM-software/tf-issues#232
Change-Id: I951e2f333e7b90fc4b1060741d9a6db699d5aa72
Secure ROM at address 0x0000_0000 is defined as FVP_TRUSTED_ROM
Secure RAM at address 0x0400_0000 is defined as FVP_TRUSTED_SRAM
Secure RAM at address 0x0600_0000 is defined as FVP_TRUSTED_DRAM
BLn_BASE and BLn_LIMIT definitions have been updated and are based on
these new memory regions.
The available memory for each bootloader in the linker script is
defined by BLn_BASE and BLn_LIMIT, instead of the complete memory
region.
TZROM_BASE/SIZE and TZRAM_BASE/SIZE are no longer required as part of
the platform porting.
FVP common definitions are defined in fvp_def.h while platform_def.h
contains exclusively (with a few exceptions) the definitions that are
mandatory in the porting guide. Therefore, platform_def.h now includes
fvp_def.h instead of the other way around.
Porting guide has been updated to reflect these changes.
Change-Id: I39a6088eb611fc4a347db0db4b8f1f0417dbab05
This patch defines a compile time macro for each boot loader stage
which allows compilation of code only for a specific stage.
Change-Id: I3a4068404cd3dc26d652556ca9ca7afea8dd28ef
Tests show a slight reduction in code size compared to 13.11.
User guide updated.
FixesARM-software/tf-issues#207
Change-Id: I9b80a5d7820cdfd443cac4d4b63f925b74a8c3a3
This patch adds support for BL3-2 initialization by asynchronous
method where BL3-1 transfers control to BL3-2 using world switch.
After BL3-2 initialization, it transfers control to BL3-3 via SPD
service handler. The SPD service handler initializes the CPU context
to BL3-3 entrypoint depending on the return function indentifier from
TSP initialization.
FixesARM-software/TF-issues#184
Change-Id: I7b135c2ceeb356d3bb5b6a287932e96ac67c7a34
The purpose of platform_is_primary_cpu() is to determine after reset
(BL1 or BL3-1 with reset handler) if the current CPU must follow the
cold boot path (primary CPU), or wait in a safe state (secondary CPU)
until the primary CPU has finished the system initialization.
This patch removes redundant calls to platform_is_primary_cpu() in
subsequent bootloader entrypoints since the reset handler already
guarantees that code is executed exclusively on the primary CPU.
Additionally, this patch removes the weak definition of
platform_is_primary_cpu(), so the implementation of this function
becomes mandatory. Removing the weak symbol avoids other
bootloaders accidentally picking up an invalid definition in case the
porting layer makes the real function available only to BL1.
The define PRIMARY_CPU is no longer mandatory in the platform porting
because platform_is_primary_cpu() hides the implementation details
(for instance, there may be platforms that report the primary CPU in
a system register). The primary CPU definition in FVP has been moved
to fvp_def.h.
The porting guide has been updated accordingly.
FixesARM-software/tf-issues#219
Change-Id: If675a1de8e8d25122b7fef147cb238d939f90b5e
This patch adds the CPUECTLR_EL1 register and the CCI Snoop Control
register to the list of registers being reported when an unhandled
exception occurs.
Change-Id: I2d997f2d6ef3d7fa1fad5efe3364dc9058f9f22c
The patch implements a macro ASM_ASSERT() which can
be invoked from assembly code. When assertion happens,
file name and line number of the check is written
to the crash console.
FixesARM-software/tf-issues#95
Change-Id: I6f905a068e1c0fa4f746d723f18df60daaa00a86
This patch introduces platform APIs to initialise and
print a character on a designated crash console.
For the FVP platform, PL011_UART0 is the designated
crash console. The platform porting guide is also updated
to document the new APIs.
Change-Id: I5e97d8762082e0c88c8c9bbb479353eac8f11a66
This patch removes the allocation of memory for coherent stacks, associated
accessor function and some dead code which called the accessor function. It also
updates the porting guide to remove the concept and the motivation behind using
stacks allocated in coherent memory.
FixesARM-software/tf-issues#198
Change-Id: I00ff9a04f693a03df3627ba39727e3497263fc38
Update the "Memory layout on FVP platforms" section in the Firmware
Design document to reflect the overlaying of BL1 and BL2 images
by BL3-1 and BL3-2.
Also update the Porting Guide document to mention the
BL31_PROGBITS_LIMIT and BL32_PROGBITS_LIMIT constants.
Change-Id: I0b23dae5b5b4490a01be7ff7aa80567cff34bda8
- Add support for loading a BL3-0 image in BL2. Information about
memory extents is populated by platform-specific code. Subsequent
handling of BL3-0 is also platform specific.
The BL2 main function has been broken down to improve readability.
The BL3-2 image is now loaded before the BL3-3 image to align with
the boot flow.
- Build system: Add support for specifying a BL3-0 image that will be
included into the FIP image.
- IO FIP driver: Add support for identifying a BL3-0 image inside a
FIP image.
- Update the documentation to reflect the above changes.
Change-Id: I067c184afd52ccaa86569f13664757570c86fc48
Refactor the FVP gic code in plat/fvp/fvp_gic.c to be a generic ARM
GIC driver in drivers/arm/gic/arm_gic.c. Provide the platform
specific inputs in the arm_gic_setup() function so that the driver
has no explicit dependency on platform code.
Provide weak implementations of the platform interrupt controller
API in a new file, plat/common/plat_gic.c. These simply call through
to the ARM GIC driver.
Move the only remaining FVP GIC function, fvp_gic_init() to
plat/fvp/aarch64/fvp_common.c and remove plat/fvp/fvp_gic.c
FixesARM-software/tf-issues#182
Change-Id: Iea82fe095fad62dd33ba9efbddd48c57717edd21
This concept is no longer required since we now support loading of
images at fixed addresses only.
The image loader now automatically detects the position of the image
inside the current memory layout and updates the layout such that
memory fragmentation is minimised.
The 'attr' field of the meminfo data structure, which used to hold
the bottom/top loading information, has been removed. Also the 'next'
field has been removed as it wasn't used anywhere.
The 'init_bl2_mem_layout()' function has been moved out of common
code and put in BL1-specific code. It has also been renamed into
'bl1_init_bl2_mem_layout'.
FixesARM-software/tf-issues#109
Change-Id: I3f54642ce7b763d5ee3b047ad0ab59eabbcf916d
The array of affinity nodes is currently allocated for 32 entries
with the PSCI_NUM_AFFS value defined in psci.h. This is not enough
for large systems, and will substantially over allocate the array
for small systems.
This patch introduces an optional platform definition
PLATFORM_NUM_AFFS to platform_def.h. If defined this value is
used for PSCI_NUM_AFFS, otherwise a value of two times the number
of CPU cores is used.
The FVP port defines PLATFORM_NUM_AFFS to be 10 which saves
nearly 1.5KB of memory.
FixesARM-software/tf-issues#192
Change-Id: I68e30ac950de88cfbd02982ba882a18fb69c1445
This patch makes the console crash dump of processor register
state optional based on the CRASH_REPORTING make variable.
This defaults to only being enabled for DEBUG builds. This can
be overridden by setting a different value in the platform
makefile or on the make command line.
Change-Id: Icfa1b2d7ff0145cf0a85e8ad732f9cee7e7e993f
This patch adds documentation that describes the design of the Interrupt
management framework in the ARM Trusted Firmware. The porting-guide.md has also
been updated to describe the interface that should be implemented by each
platform to support this framework.
Change-Id: I3eda48e5c9456e6a9516956bee16a29e366633b7
Co-Authored-By: Soby Mathew <soby.mathew@arm.com>
Update documentation with BL3-1 hardening interface
changes and for using BL3-1 as a reset vector feature
Change-Id: Iafdd05e7a8e66503409f2acc934372efef5bc51b
Update the Linux kernel, Linaro file system, FVP and DS-5 versions used for the
v0.4 release in user-guide.md.
Change-Id: I2265fc17c229d4b8cc52165d6583a4a579cdcee3
This patch modifies and adds to the existing documentation
for the crash reporting implementation in BL3-1.
Change-Id: I2cfbfeeeb64996ec7d19a9ddf95295482899b4bd
Following recent refactoring changes to platform.h, this commit updates
porting-guide.md to correctly refer to platform.h and platform_def.h where
appropriate.
Change-Id: Idf1e77503c24358696f8f3c14caa0cc1d579deb4
Rework the "Memory layout on FVP platforms" section in the Firmware
Design document. Add information about where the TSP image fits
in the memory layout when present.
Add documentation for the base addresses of each bootloader image
in the porting guide.
Change-Id: I4afb2605e008a1cb28c44a697804f2cb6bb4c9aa
The generic image loading and IO FIP code no longer forces the
platform to create BL3-2 (Secure-EL1 Payload) specific
definitions. The BL3-2 loading code in bl2/bl2main.c is wrapped
by a #ifdef BL32_BASE blocks, allowing the BL3-2 definitions to
be optional. Similarly for the name_uuid array defintion in
drivers/io/io_fip.c.
Also update the porting guide to reflect this change.
The BL3-2 platform definitions remain non-configurably present
in the FVP port.
FixesARM-software/tf-issues#68
Change-Id: Iea28b4e94d87a31f5522f271e290919a8a955460
This patch adds a common handler for FIQ and IRQ exceptions in the
BL3-1 runtime exception vector table. This function determines the
interrupt type and calls its handler. A crash is reported if an
inconsistency in the interrupt management framework is detected. In
the event of a spurious interrupt, execution resumes from the
instruction where the interrupt was generated.
This patch also removes 'cm_macros.S' as its contents have been moved
to 'runtime_exceptions.S'
Change-Id: I3c85ecf8eaf43a3fac429b119ed0bd706d2e2093
This patch introduces a framework for registering interrupts routed to
EL3. The interrupt routing model is governed by the SCR_EL3.IRQ and
FIQ bits and the security state an interrupt is generated in. The
framework recognizes three type of interrupts depending upon which
exception level and security state they should be handled in
i.e. Secure EL1 interrupts, Non-secure interrupts and EL3
interrupts. It provides an API and macros that allow a runtime service
to register an handler for a type of interrupt and specify the routing
model. The framework validates the routing model and uses the context
management framework to ensure that it is applied to the SCR_EL3 prior
to entry into the target security state. It saves the handler in
internal data structures. An API is provided to retrieve the handler
when an interrupt of a particular type is asserted. Registration is
expected to be done once by the primary CPU. The same handler and
routing model is used for all CPUs.
Support for EL3 interrupts will be added to the framework in the
future. A makefile flag has been added to allow the FVP port choose
between ARM GIC v2 and v3 support in EL3. The latter version is
currently unsupported.
A framework for handling interrupts in BL3-1 will be introduced in
subsequent patches. The default routing model in the absence of any
handlers expects no interrupts to be routed to EL3.
Change-Id: Idf7c023b34fcd4800a5980f2bef85e4b5c29e649
Add a section in the user guide explaining how to compile the TSP
image and include it into the FIP. This includes instructions to make
the TSP run from Trusted DRAM (rather than Trusted SRAM) on FVP.
Change-Id: I04780757a149eeb5482a12a61e821be947b882c0
The TSP's linker script used to assume that the TSP would
execute from secure DRAM. Although it is currently the case
on FVPs, platforms are free to use any secure memory they wish.
This patch introduces the flexibility to load the TSP into any
secure memory. The platform code gets to specify the extents of
this memory in the platform header file, as well as the BL3-2 image
limit address. The latter definition allows to check in a generic way
that the BL3-2 image fits in its bounds.
Change-Id: I9450f2d8b32d74bd00b6ce57a0a1542716ab449c
TZC-400 is configured to set the last 16MB of DRAM1 as secure memory and
the rest of DRAM as non-secure. Non-secure software must not attempt to
access the 16MB secure area.
Device tree files (sources and binaries) have been updated to match this
configuration, removing that memory from the Linux physical memory map.
To use UEFI and Linux with this patch, the latest version of UEFI and
the updated device tree files are required. Check the user guide in the
documentation for more details.
Replaced magic numbers with #define for memory region definition in the
platform security initialization function.
FixesARM-software/tf-issues#149
Change-Id: Ia5d070244aae6c5288ea0e6c8e89d92859522bfe
At present, non-secure timer register contents are saved and restored as
part of world switch by BL3-1. This effectively means that the
non-secure timer stops, and non-secure timer interrupts are prevented
from asserting until BL3-1 switches back, introducing latency for
non-secure services. Often, secure world might depend on alternate
sources for secure interrupts (secure timer or platform timer) instead
of non-secure timers, in which case this save and restore is
unnecessary.
This patch introduces a boolean build-time configuration NS_TIMER_SWITCH
to choose whether or not to save and restore non-secure timer registers
upon world switch. The default choice is made not to save and restore
them.
FixesARM-software/tf-issues#148
Change-Id: I1b9d623606acb9797c3e0b02fb5ec7c0a414f37e
This patch implements the register reporting when unhandled exceptions are
taken in BL3-1. Unhandled exceptions will result in a dump of registers
to the console, before halting execution by that CPU. The Crash Stack,
previously called the Exception Stack, is used for this activity.
This stack is used to preserve the CPU context and runtime stack
contents for debugging and analysis.
This also introduces the per_cpu_ptr_cache, referenced by tpidr_el3,
to provide easy access to some of BL3-1 per-cpu data structures.
Initially, this is used to provide a pointer to the Crash stack.
panic() now prints the the error file and line number in Debug mode
and prints the PC value in release mode.
The Exception Stack is renamed to Crash Stack with this patch.
The original intention of exception stack is no longer valid
since we intend to support several valid exceptions like IRQ
and FIQ in the trusted firmware context. This stack is now
utilized for dumping and reporting the system state when a
crash happens and hence the rename.
FixesARM-software/tf-issues#79 Improve reporting of unhandled exception
Change-Id: I260791dc05536b78547412d147193cdccae7811a
The TZC configuration on FVP was incorrectly allowing both secure
and non-secure accesses to the DRAM, which can cause aliasing
problems for software. It was also not enabling virtio access on
some models.
This patch fixes both of those issues. The patch also enabless
non-secure access to the DDR RAM for all devices with defined IDs.
The third region of DDR RAM has been removed from the configuration
as this is not used in any of the FVP models.
FixesARM-software/tf-issues#150FixesARM-software/tf-issues#151
Change-Id: I60ad5daaf55e14f178affb8afd95d17e7537abd7
The BL images share common stack management code which provides
one coherent and one cacheable stack for every CPU. BL1 and BL2
just execute on the primary CPU during boot and do not require
the additional CPU stacks. This patch provides separate stack
support code for UP and MP images, substantially reducing the
RAM usage for BL1 and BL2 for the FVP platform.
This patch also provides macros for declaring stacks and
calculating stack base addresses to improve consistency where
this has to be done in the firmware.
The stack allocation source files are now included via
platform.mk rather than the common BLx makefiles. This allows
each platform to select the appropriate MP/UP stack support
for each BL image.
Each platform makefile must be updated when including this
commit.
FixesARM-software/tf-issues#76
Change-Id: Ia251f61b8148ffa73eae3f3711f57b1ffebfa632
BL3-1 architecture setup code programs the system counter frequency
into the CNTFRQ_EL0 register. This frequency is defined by the
platform, though. This patch introduces a new platform hook that
the architecture setup code can call to retrieve this information.
In the ARM FVP port, this returns the first entry of the frequency
modes table from the memory mapped generic timer.
All system counter setup code has been removed from BL1 as some
platforms may not have initialized the system counters at this stage.
The platform specific settings done exclusively in BL1 have been moved
to BL3-1. In the ARM FVP port, this consists in enabling and
initializing the System level generic timer. Also, the frequency change
request in the counter control register has been set to 0 to make it
explicit it's using the base frequency. The CNTCR_FCREQ() macro has been
fixed in this context to give an entry number rather than a bitmask.
In future, when support for firmware update is implemented, there
is a case where BL1 platform specific code will need to program
the counter frequency. This should be implemented at that time.
This patch also updates the relevant documentation.
It properly fixesARM-software/tf-issues#24
Change-Id: If95639b279f75d66ac0576c48a6614b5ccb0e84b
This reverts commit 1c297bf015
because it introduced a bug: the CNTFRQ_EL0 register was no
longer programmed by all CPUs. bl31_platform_setup() function
is invoked only in the cold boot path and consequently only
on the primary cpu.
A subsequent commit will correctly implement the necessary changes
to the counter frequency setup code.
FixesARM-software/tf-issues#125
Conflicts:
docs/firmware-design.md
plat/fvp/bl31_plat_setup.c
Change-Id: Ib584ad7ed069707ac04cf86717f836136ad3ab54
This patch reworks the console driver to ensure that each bootloader stage
initializes it independently. As a result, both BL3-1 and BL2 platform code
now calls console_init() instead of relying on BL1 to perform console setup
FixesARM-software/tf-issues#120
Change-Id: Ic4d66e0375e40a2fc7434afcabc8bbb4715c14ab
This patch implements ARM Standard Service as a runtime service and adds
support for call count, UID and revision information SMCs. The existing
PSCI implementation is subsumed by the Standard Service calls and all
PSCI calls are therefore dispatched by the Standard Service to the PSCI
handler.
At present, PSCI is the only specification under Standard Service. Thus
call count returns the number of PSCI calls implemented. As this is the
initial implementation, a revision number of 0.1 is returned for call
revision.
FixesARM-software/tf-issues#62
Change-Id: I6d4273f72ad6502636efa0f872e288b191a64bc1
At present, bl1_arch_setup() and bl31_arch_setup() program the counter
frequency using a value from the memory mapped generic timer. The
generic timer however is not necessarily present on all ARM systems
(although it is architected to be present on all server systems).
This patch moves the timer setup to platform-specific code and updates
the relevant documentation. Also, CNTR.FCREQ is set as the specification
requires the bit corresponding to the counter's frequency to be set when
enabling. Since we intend to use the base frequency, set bit 8.
FixesARM-software/tf-issues#24
Change-Id: I32c52cf882253e01f49056f47c58c23e6f422652
If a platform doesn't specify a BLx_SOURCE variable, then building
of the corresponding bootloader isn't attempted. Also allow BL3-3 to
be omitted from the FIP.
Note, this change also removes support for PLAT=all and the 'fip' target
from the 'all' recipe.
FixesARM-software/tf-issues#30
Change-Id: Ibdfead0440256eaf364617ecff65290ca6fe6240
Signed-off-by: Jon Medhurst <tixy@linaro.org>
Update the readme.md and change-log.md with release information.
Also, remove the "Detailed changes since last release" section of
the change-log.md since the same information can be found in the
GIT commit messages. FixesARM-software/tf-issues#22.
Change-Id: I968cc8aaf588aa5c34ba8f1c12a5b797a46e04f5
Consolidate firmware-design.md and porting-guide.pm so
that recently added sections fit better with
pre-existing sections. Make the documentation more
consistent in use of terminology.
Change-Id: Id87050b096122fbd845189dc2fe1cd17c3003468
1. Add design information on EL3 runtime services and
Secure-EL1 Payload Dispatchers (SPD) to
firmware-design.md.
2. Create new EL3 runtime service writer's guide
(rt-svc-writers-guide.md) to ease creation of new
runtime services.
Change-Id: I670aeb5fc246e25c6e599a15139aac886a0074fd
Move the firmware design documentation out of user-guide.md
and into a new file - firmware-design.md. Reformat the
section headers.
Change-Id: I664815dd47011c7c1cf2202aa4472a8fd78ebb92
1. Update user-guide.md with the latest versions of dependent
components required by the tested configurations of ARM Trusted
Firmware. This includes the tested versions of Fixed Virtual
Platforms (FVPs), toolchain, EFI Development Kit 2(EDK2),
Linux kernel and Linux file system.
2. Remove the instructions to configure the Cortex Base FVP
with the legacy GICv2 memory map as this is no longer supported
since version 5.3 of the Base FVPs.
3. General tidyup of "Using the software" section.
Change-Id: If8264cd29036b59dc5ff435b5f8b1d072dd36ef0
The UART used to be initialised in bl1_platform_setup(). This is too
late because there are some calls to the assert() macro, which needs
to print some messages on the console, before that.
This patch moves the UART initialisation code to
bl1_early_platform_setup().
FixesARM-software/tf-issues#49
Change-Id: I98c83a803866372806d2a9c2e1ed80f2ef5b3bcc
This patch adds the following support to the BL3-1 stage:
1. BL3-1 allows runtime services to specify and determine the security
state of the next image after BL3-1. This has been done by adding
the `bl31_set_next_image_type()` & `bl31_get_next_image_type()`
apis. The default security state is non-secure. The platform api
`bl31_get_next_image_info()` has been modified to let the platform
decide which is the next image in the desired security state.
2. BL3-1 exports the `bl31_prepare_next_image_entry()` function to
program entry into the target security state. It uses the apis
introduced in 1. to do so.
3. BL3-1 reads the information populated by BL2 about the BL3-2 image
into its internal data structures.
4. BL3-1 introduces a weakly defined reference `bl32_init()` to allow
initialisation of a BL3-2 image. A runtime service like the Secure
payload dispatcher will define this function if present.
Change-Id: Icc46dcdb9e475ce6575dd3f9a5dc7a48a83d21d1
This patch adds support for loading a BL3-2 image in BL2. In case a
BL3-2 image is found, it also passes information to BL3-1 about where it
is located and the extents of memory available to it. Information about
memory extents is populated by platform specific code.
The documentation has also been updated to reflect the above changes.
Change-Id: I526b2efb80babebab1318f2b02e319a86d6758b0
Co-authored-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
This patch reworks BL2 to BL3-1 hand over interface by introducing a
composite structure (bl31_args) that holds the superset of information
that needs to be passed from BL2 to BL3-1.
- The extents of secure memory available to BL3-1
- The extents of memory available to BL3-2 (not yet implemented) and
BL3-3
- Information to execute BL3-2 (not yet implemented) and BL3-3 images
This patch also introduces a new platform API (bl2_get_bl31_args_ptr)
that needs to be implemented by the platform code to export reference to
bl31_args structure which has been allocated in platform-defined memory.
The platform will initialize the extents of memory available to BL3-3
during early platform setup in bl31_args structure. This obviates the
need for bl2_get_ns_mem_layout platform API.
BL2 calls the bl2_get_bl31_args_ptr function to get a reference to
bl31_args structure. It uses the 'bl33_meminfo' field of this structure
to load the BL3-3 image. It sets the entry point information for the
BL3-3 image in the 'bl33_image_info' field of this structure. The
reference to this structure is passed to the BL3-1 image.
Also fixes issue ARM-software/tf-issues#25
Change-Id: Ic36426196dd5ebf89e60ff42643bed01b3500517
New phony Makefile targets have been added:
* checkcodebase
* checkpatch
The checkcodebase target will run a Linux style compliance check over the
entire codebase, and honours the V=1 Makefile verbose setting and so will
show more information when this is enabled.
If the local directory is a git checkout then the output of git ls-files is
used to decide which files to test for compliance. If the local directory
is not under git control then a 'best attempt' is made, but in this case it
should be noted that it is possible for additional non-codebase files to be
tested, so care should be taken when parsing the output.
The checkpatch target will compare local changes against the git origin/master
to allow issues with the last set of changes to be identified. To override
the change comparision location, set the BASE_COMMIT variable to your
desired git branch.
Both targets rely on the Linux source tree script checkpatch.pl to do the
syntax checking, and expects that the CHECKPATCH environment variable points
to the location of this file.
Notes on the usage of these targets have been added to the contributing.md
and docs/user-guide.md text files.
Change-Id: I6d73c97af578e24a34226d972afadab9d30f1d8d
The psci implementation does not track target affinity level requests
specified during cpu_suspend calls correctly as per the following
example.
1. cpu0.cluster0 calls cpu_suspend with the target affinity level as 0
2. Only the cpu0.cluster0 is powered down while cluster0 remains
powered up
3. cpu1.cluster0 calls cpu_off to power itself down to highest
possible affinity level
4. cluster0 will be powered off even though cpu0.cluster0 does not
allow cluster shutdown
This patch introduces reference counts at affinity levels > 0 to track
the number of cpus which want an affinity instance at level X to
remain powered up. This instance can be turned off only if its
reference count is 0. Cpus still undergo the normal state transitions
(ON, OFF, ON_PENDING, SUSPEND) but the higher levels can only be
either ON or OFF depending upon their reference count.
The above issue is thus fixed as follows:
1. cluster0's reference count is incremented by two when cpu0 and cpu1
are initially powered on.
2. cpu0.cluster0 calls cpu_suspend with the target affinity level as
0. This does not affect the cluster0 reference count.
3. Only the cpu0.cluster0 is powered down while cluster0 remains
powered up as it has a non-zero reference count.
4. cpu1.cluster0 call cpu_off to power itself down to highest possible
affinity level. This decrements the cluster0 reference count.
5. cluster0 is still not powered off since its reference count will at
least be 1 due to the restriction placed by cpu0.
Change-Id: I433dfe82b946f5f6985b1602c2de87800504f7a9
The FVP platform has a few filenames that begin with fvp_. These are
renamed to plat_ to make it easier to use the FVP port as a template.
Change-Id: I601e6256d5ef3bae81a2e1f5df6de56db5b27069
Signed-off-by: Ryan Harkin <ryan.harkin@linaro.org>
Move all explicit platform or architecture specific references
into a new platform.mk file that is defined for each platform.
Change-Id: I9d6320d1ba957e0cc8d9b316b3578132331fa428
Signed-off-by: Ryan Harkin <ryan.harkin@linaro.org>
The GICv3 distributor can have more ports than CPUs are available in
the system. Probe all re-distributors and use the matching affinity
levels as specified by each core and re-distributor to decide which
re-distributor to use with which CPU core.
If a core cannot be matched with a re-distributor, the core panics and
is placed in an endless loop.
Change-Id: Ie393cfe07c7449a2383959e3c968664882e18afc
Traps when accessing architectural features are disabled by clearing bits
in CPTR_EL3 during early boot, including accesses to floating point
registers. The value of this register was previously undetermined, causing
unwanted traps to EL3. Future EL3 code (for example, context save/restore
code) may use floating point registers, although they are not used by current
code.
Also, the '-mgeneral-regs-only' flag is enabled in the GCC settings to
prevent generation of code that uses floating point registers.
Change-Id: I9a03675f6387bbbee81a6f2c9ccf81150db03747
In order to reduce the software dependency on the compiler, the project
is now compiled with the '-ffreestanding' flag. This is to prevent GCC
from replacing functions with more optimised versions. An example is
where GCC replaces a simple printf() with a puts().
Change-Id: I1973fe6957cd708e8432a0039af9d50e037bd884
- Update porting guide to describe where files live and how to get
FreeBSD source code.
- Update change-log to describe relocation and new functions.
Change-Id: Id8f30cc7bafdd1064b3a5c5aae958c5aa3fb79f3
Platform setup code has to reserve some memory for storing the
memory layout information. It is populated in early platform setup
code.
blx_get_sec_mem_layout() functions used to return a copy of this
structure. This patch modifies blx_get_sec_mem_layout() functions
so that they now directly return a pointer to their memory layout
structure. It ensures that the memory layout returned by
blx_get_sec_mem_layout() is always up-to-date and also avoids a
useless copy of the meminfo structure.
Also rename blx_get_sec_mem_layout() to blx_plat_sec_mem_layout()
to make it clear those functions are platform specific.
Change-Id: Ic7a6f9d6b6236b14865ab48a9f5eff545ce56551
This patch makes changes to the documents to reflect the current
state of play of the psci cpu_suspend function.
Change-Id: I086509fb75111b6e9f93b7f6dbcd33cc4591b9f3
In fvp_affinst_on/suspend, the non-secure entrypoint is always
expected to lie in the DRAM. This check will not be valid if
non-secure code executes directly out of flash e.g. a baremetal
test. This patch removes this check.
Change-Id: I0436e1138fc394aae8ff1ea59ebe38b46a440b61
In the previous psci implementation, the psci_afflvl_power_on_finish()
function would run into an error condition if the value of the context
id parameter in the cpu_on and cpu_suspend psci calls was != 0. The
parameter was being restored as the return value of the affinity level
0 finisher function. A non zero context id would be treated as an
error condition. This would prevent successful wake up of the cpu from
a power down state. Also, the contents of the general purpose
registers were not being cleared upon return to the non-secure world
after a cpu power up. This could potentially allow the non-secure
world to view secure data.
This patch ensures that all general purpose registers are set to ~0
prior to the final eret that drops the execution to the non-secure
world. The context id is used to initialize the general purpose
register x0 prior to re-entry into the non-secure world and is no
longer restored as a function return value. A platform helper
(platform_get_stack()) has been introduced to facilitate this change.
Change-Id: I2454911ffd75705d6aa8609a5d250d9b26fa097c
This patch fixes the following constant values in the psci.h:
1. The affinity level shift value in the power_state parameter of the
cpu_suspend psci call. The previous value was preventing shutdown
of the affinity level 1.
2. The values used for affinity state constants (ON, OFF,
ON_PENDING). They did not match the values expected to be returned
by the affinity_info psci api as mentioned in the spec.
3. The state id shift value in the power_state parameter of the
cpu_suspend psci call.
Change-Id: I62ed5eb0e9640b4aa97b93923d6630e6b877a097
The FVP specific code that gets called after a cpu has been physically
powered on after having been turned off or suspended earlier does not
clear the PWRC.PWKUPR.WEN bit. Not doing so causes problems if: a cpu
is suspended, woken from suspend, powered down through a cpu_off call
& receives a spurious interrupt. Since the WEN bit is not cleared
after the cpu woke up from suspend, the spurious wakeup will power the
cpu on. Since the cpu_off call clears the jump address in the mailbox
this spurious wakeup will cause the cpu to crash.
This patch fixes this issue by clearing the WEN bit whenever a cpu is
powered up.
Change-Id: Ic91f5dffe1ed01d76bc7fc807acf0ecd3e38ce5b
- Add instructions for contributing to ARM Trusted Firmware.
- Update copyright text in all files to acknowledge contributors.
Change-Id: I9311aac81b00c6c167d2f8c889aea403b84450e5
This patch updates the user guide section about the memory layout.
- Explain the verifications that the linker scripts does on the
global memory layout.
- Refer to the new linker symbols.
- Describe the linker symbols exported to the trusted firmware code.
Change-Id: I033ab2b867e8b9776deb4185b9986bcb8218f286
A single binary can be compiled using a command such as:
make CROSS_COMPILE=aarch64-none-elf- bl1
Also make use of brackets consistent in the Makefile.
Change-Id: I2180fdb473411ef7cffe39670a7b2de82def812e
- Large RAM-disks may have trouble starting with 2GB of memory.
- Increase from 2GB to 4GB in FDT.
Change-Id: I12c1b8e5db41114b88c69c48621cb21247a6a6a7
Any asynchronous exception caused by the firmware should be handled
in the firmware itself. For this reason, unmask SError exceptions
(and Debug ones as well) on all boot paths. Also route external
abort and SError interrupts to EL3, otherwise they will target EL1.
Change-Id: I9c191d2d0dcfef85f265641c8460dfbb4d112092
Global and static variables are expected to be initialised to zero
by default. This is specified by the C99 standard. This patch
removes some unnecessary initialisations of such variables.
It fixes a compilation warning at the same time:
plat/fvp/bl31_plat_setup.c:82:3: warning: missing braces around
initializer [-Wmissing-braces]
section("tzfw_coherent_mem"))) = {0};
^
plat/fvp/bl31_plat_setup.c:82:3: warning: (near initialization for
‘ns_entry_info[0]’) [-Wmissing-braces]
Note that GCC should not have emitted this warning message in the
first place. The C Standard permits braces to be elided around
subaggregate initializers. See this GCC bug report:
http://gcc.gnu.org/bugzilla/show_bug.cgi?id=53119
Change-Id: I13cb0c344feb9803bca8819f976377741fa6bc35