Previous changes in this series made the necessary driver additions and
updates. With those changes in-place we can add the platform.mk and
bl2_el3_setup.c to drive the boot process.
After this commit its possible to build a fully-functional TF-A for the
WaRP7 and boot from the BootROM to the Linux command prompt in secure or
non-secure mode.
Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
This patch adds a callback into the BootROM's provided High Assurance Boot
(HAB) failsafe function when panicking i.e. the call is done without making
use of stack.
The HAB failsafe function allows a piece of software to call into the
BootROM and place the processor into failsafe mode.
Failsafe mode is a special mode which presents a serial download protocol
interface over UART or USB at the time of writing.
If the board has been set into secure mode, then only a signed binary can
be used to recover the board.
Thus failsafe gives a putatively secure method of performing a secure
recovery over UART or USB.
Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Reviewed-by: Ryan Harkin <ryan.harkin@linaro.org>
This patch adds entries to the mem params array for
- BL32
- BL32_EXTRA1
- BL32_EXTRA2
- BL33
- HW_CONFIG_ID
BL32 is marked as bootable to indicate that OPTEE is the thing that should
be booted next.
In our model OPTEE chain-loads onto u-boot so only BL32 is bootable.
Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Signed-off-by: Rui Miguel Silva <rui.silva@linaro.org>
Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
This commit adds support for parsing a FIP pre-loaded by a previous
boot-phase such as u-boot or via ATF reading directly from eMMC.
[bod: squashing several patches from Rui, Jun and bod]
Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Signed-off-by: Jun Nie <jun.nie@linaro.org>
Signed-off-by: Rui Miguel Silva <rui.silva@linaro.org>
Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
In order to link even a basic image we need to declare
REGISTER_BL_IMAGE_DESCS. This patch declares an empty structure which is
passed to REGISTER_BL_IMAGE_DESCS(). Later patches will add in some
meaningful data.
Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
The watchdog block on the IMX is mercifully simple. This patch maps the
various registers and bits associated with the block.
We are mostly only really interested in the power-down-enable (PDE) bits in
the block for the purposes of ATF.
The i.MX7 Solo Applications Processor Reference Manual details the PDE bit
as follows:
"Power Down Enable bit. Reset value of this bit is 1, which means the power
down counter inside the WDOG is enabled after reset. The software must
write 0 to this bit to disable the counter within 16 seconds of reset
de-assertion. Once disabled this counter cannot be enabled again. See
Power-down counter event for operation of this counter."
This patch does that zero write in-lieu of later phases in the boot
no-longer have the necessary permissions to rewrite the PDE bit directly.
Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
This patch defines the most basic part of the CAAM and the only piece of
the CAAM silicon we are really interested in, in ATF, the CAAM control
structure.
The CAAM itself is a huge address space of some 32k, way out of scope for
the purpose we have in ATF.
This patch adds a simple CAAM init function that assigns ownership of the
CAAM job-rings to the non-secure MID with the ownership bit set to
non-secure.
This will allow later logic in the boot process such as OPTEE, u-boot and
Linux to assign job-rings as appropriate, restricting if necessary but
leaving open the main functionality of the CAAM to the Linux NS runtime.
Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
The QEMU platform has only been used with LOAD_IMAGE_V2=1 for some time
now and bit rot has occurred for LOAD_IMAGE_V2=0. To ease the
maintenance make LOAD_IMAGE_V2=1 mandatory and remove the platform
specific code for LOAD_IMAGE_V2=0.
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Enable ARM_XLAT_TABLES_LIB_V1 as ZynqMP is using
v1 library of translation tables.
With upstream patch d323af9e3d,
the usage of MAP_REGION_FLAT is referring to definition in file
include/lib/xlat_tables/xlat_tables_v2.h but while preparing
xlat tables in lib/xlat_tables/xlat_tables_common.c it is referring
to include/lib/xlat_tables/xlat_tables.h which is v1 xlat tables.
Also, ZynqMP was using v1 so defined ARM_XLAT_TABLES_LIB_V1 to
use v1 xlat tables everywhere.
This fixes the issue of xlat tables failures as it takes v2
library mmap_region structure in some files and v1 in other
files.
Signed-off-by: Siva Durga Prasad Paladugu <siva.durga.paladugu@xilinx.com>
The High Assurance Boot or HAB is an on-chip method of providing a
root-of-trust from the reset vector to subsequent stages in the bootup
flow of the Cortex-A7 on the i.MX series of processors.
This patch adds a simple header file with pointer offsets of the provided
set of HAH API callbacks in the BootROM.
The relative offset of the function pointers is a constant and known
quantum, a software-contract between NXP and an implementation which is
defined in the NXP HAB documentation.
All we need is the correct base offset and then we can map the set of
function pointers relative to that offset.
imx_hab_arch.h provides the correct offset and the imx_hab.h hooks the
offset to the pre-determined callbacks.
Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Reviewed-by: Ryan Harkin <ryan.harkin@linaro.org>
In order to enable compile time differences in HAB interaction, we should
split out the definition of the base address of the HAB API.
Some version of the i.MX series have different offsets from the BootROM
base for the HAB callback table.
This patch defines the header into which we will define the i.MX7 specific
offset. The offset of the i.MX7 function-callback table is simultaneously
defined.
Once done, we can latch a set of common function pointer locations from the
offset given here and if necessary change the offset for different
processors without any other code-change.
For now all we support is i.MX7 so the only offset being defined is that
for the i.MX7.
Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Reviewed-by: Ryan Harkin <ryan.harkin@linaro.org>
This patch adds snvs.c with a imx_snvs_init() function.
imx_snvs_init() sets up permissions of the RTC via the SNVS HPCOMR.
During previous work with OPTEE on the i.MX7 part we discovered that prior
to switching from secure-world to normal-world it is required to apply more
permissive permissions than are defaulted to in order for Linux to be able
to access the RTC and CAAM functionality in general.
This patch pertains to fixing the RTC permissions by way of the
HPCOMR.NPSWA_EN bit.
Once set non-privileged code aka Linux-kernel code has permissions to
access the SNVS where the RTC resides.
Perform that permissions fix in imx_snvs_init() now, with a later patch making
the call from our platform setup code.
Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
This commit defines two things.
- The basic SNVS memory map. At the moment that is total overkill for the
permission bits we need to set inside the SNVS but, for the sake of
completeness define the whole SNVS area as a struct.
- The bits of the HPCOMR register
A permission fix will need to be applied to the SNVS block prior to
switching on TrustZone. All we need to do is waggle a bit in the HPCOMR
register. To do that waggle we first need to define the bits of the
HPCOMR register.
- A imx_snvs_init() function definition
Declare the snvs_init() function so that it can be called from our
platform setup code.
Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
This patch adds an initial AHB-to-IP TrustZone (AIPS-TZ) initialization
routine. Setting up the AIPSTZ controller is required to inform the SoC
interconnect fabric which bus-masters can read/write and if the read/writes
are buffered.
For our purposes the initial configuration is for everything to be open. We
can lock-down later on as necessary.
Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
This patch defines:
- The full range of IO-mux register offsets relative to the base address of
the IO-mux block base address.
- The bits for muxing the UART1 TX/RX lines.
- The bits for muxing the UART6 TX/RX lines.
- The pad control pad bits for the UART
Two functions are provided to configure pad muxes:
- void io_muxc_set_pad_alt_function(pad_mux_offset, alt_function)
Takes a pad_mux_offset and sets the alt_function bit-mask supplied.
This will have the effect of switching the pad into one of its defined
peripheral functions. These peripheral function modes are defined in the
NXP documentation and need to be referred to in order to correctly
configure a new alternative-function.
- void io_muxc_set_pad_features(pad_feature_offset, pad_features)
Takes a pad_feature_offset and applies a pad_features bit-mask to the
indicated pad.
This function allows the setting of PAD drive-strength, pull-up values,
hysteresis glitch filters and slew-rate settings.
Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
This patch adds an internal UART init routine that gets called from the
external facing clock init function.
In the first pass this call does an explicit disable of all UART
clock-gates. Later changes will enable only the UART clock-gates we care
about.
Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
This set of patches adds a very minimal layer of USB enabling patches to
clock.c. Unlike the watchdog or UART blocks the USB clocks pertain to PHYs,
the main USB clock etc, not to different instances of the same IP block.
As a result this patch-set takes the clock CCGR clock identifier directly
rather than as an index of an instance of blocks of the same type.
Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
This patch adds a set of functions to enable the clock for each of the
watchdog IP blocks.
Unlike the MMC and UART blocks, the watchdog blocks operate off of the one
root clock, only the clock-gates are enable/disabled individually.
As a consequence the function clock_set_wdog_clk_root_bits() is used to set
the root-slice just once for all of the watchdog blocks.
Future implementations may need to change this model but for now on the one
supported processor and similar NXP SoCs this model should work fine.
Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
This patch adds an API to configure up the base USDHC clocks, taking a
bit-mask of silicon specific bits as an input from a higher layer in order
to direct the necessary clock source.
Signed-off-by: Jun Nie <jun.nie@linaro.org>
Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
This patch adds an API to configure up the base UART clocks, taking a
bit-mask of silicon specific bits as an input from a higher layer in order
to direct the necessary clock source.
Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
This commit:
- Defines a clock stub with a conjoined header defining the clock
memory map.
- Defines the CCM Clock Gating Register which comes in a quadrumvirate
register set to read, set, clear and toggle individual clock gates into
one of four states based bitmask.
00: Domain clocks not needed
01: Domain clocks needed when in RUN
10: Domain clocks needed when in RUN and WAIT
11: Domain clocks needed all the time
- Defines clock control register bits
There are various quadrumvirate register blocks target-root, misc-root,
post-root, pre-root in the CCM.
The number of registers is huge but the four registers in each
quadrumvirate block contain the same bits, so the number of bit
definitions is actually quite low.
- Defines clock identifiers
An array of clock gates is provided in the CCM block. In order to index
that array and thus enable/disable clock gates for the right components,
we need to provide meaningful names to the indices.
Section 5.2.5 of the i.MX7 Solo Application Processor Reference Manual
Rev 0.1 provides the relevant details.
- Defines target mux select bits
This is a comprehensive definition of the target clock mux select bits.
These bits are required to correctly select the clock source. Defining
all of the bits up-front even for unused blocks in ATF means we can
switch on any block we want at a later date without having to write new
code in the clock-mux layer.
- Defines identifier indices into root-slice array
The root-slice array of control registers has a specific set of indices,
which differ from the clock-gate indices.
- Provides a clock gate enable/disable routine
Provides a clock-gate enable/disable routine via the set/clr
registers in a given clock-gate control register block.
This index passed should be one of the enums associated with CCM and
depending on enable/disable being passed either set or clr will be
written to.
The Domain0 bits are currently the only bits targeted by this write, more
work may need to be done on the domain bits in subsequent patches as a
result.
- imx: Adds set/clr routines to clock layer
Adds a set and clr routine to the clock layer. These routines allow us to
access the set and clear registers of the "target" block registers. These
are the registers where we select the clock source from the available list.
Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
In order to have some common code shared between similar SOCs its pretty
common to have IP blocks reused. In reusing those blocks we frequently need
to map compatible blocks to different addresses depending on the SOC.
This patch adds a basic memory map of the i.MX7 based on the "Cortex-A7
Memory Map" section 2.12 of "i.MX7Solo Applications Processor Reference
Manual, Rev 0.1 08/2016"
In memory map terms the i.MX7S and i.MX7D are identical with the D
variant containing two Cortex-A7 cores plus a Cortex-M core and the S
variant containing one Cortex-A7 and one Cortex-M.
Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
This patch adds ATF support for AES data blob encrypt/decrypt.
ATF establishes a path to send the address of the structure
to the xilsecure, so that it will pick addresses of the data
and performs the requested operation (encrypt/decrypt) and puts
the result in load address.
where structure contains
- Data blob src address
- load address
- IV address
- Key address - this will actual key addr in case of KUP
else it will be zero.
- Data-size
- Aes-op type
- KeySrc
Signed-off-by: Kalyani Akula <kalyani.akula@xilinx.com>
Signed-off-by: Siva Durga Prasad Paladugu <siva.durga.paladugu@xilinx.com>
Correct function header of pm_api_clock_getparent() and
pm_api_clock_setparent().
Signed-off-by: Rajan Vaja <rajan.vaja@xilinx.com>
Acked-by: Will Wong <WILLW@xilinx.com>
PLL type clock is enabled by FSBL on boot-up. PMUFW enable/disable
them based on their user count. So, it should not be handled from ATF.
Put PLL type clock into bypass and reset mode only while changing
PLL rate (FBDIV).
Signed-off-by: Tejas Patel <tejas.patel@xilinx.com>
Acked-by: Will Wong <WILLW@xilinx.com>
Signed-off-by: Siva Durga Prasad Paladugu <siva.durga.paladugu@xilinx.com>
CCF has already provision to enable clock during registration
through CLK_IS_CRITICAL flag. Use CLK_IS_CRITICAL instead of
init_enable attribute.
Signed-off-by: Rajan Vaja <rajan.vaja@xilinx.com>
Signed-off-by: Siva Durga Prasad Paladugu <siva.durga.paladugu@xilinx.com>
Acked-by: Jolly Shah <jolly.shah@xilinx.com>
WDT used by APU is FPD_WDT. FPD WDT clock is controlled by
FPD_SLCR.WDT_CLK_SEL register. Correct the same in WDT clock
database.
As per FPD_SLCR.WDT_CLK_SEL register, there can be only two
parents of WDT clock not three. Fix the same by correcting it's
parents in clock database.
Signed-off-by: Tejas Patel <tejas.patel@xilinx.com>
Signed-off-by: Siva Durga Prasad Paladugu <siva.durga.paladugu@xilinx.com>
Acked-by: Jolly Shah <jolly.shah@xilinx.com>
Add support for writing to AFI registers.
So that after writing a bitstream the interface can be programmed.
Signed-off-by: Shubhrajyoti Datta <shubhrajyoti.datta@xilinx.com>
Signed-off-by: Appana Durga Kedareswara rao <appana.durga.rao@xilinx.com>
Signed-off-by: Siva Durga Prasad Paladugu <siva.durga.paladugu@xilinx.com>
Since the MMIO read/write APIs are removed from Linux user space,
Linux cannot directly write to the Global General Storage Register 4
any more to set healthy boot status.
Create an IOCTL to allow Linux to set boot health status.
Signed-off-by: Rajan Vaja <rajan.vaja@xilinx.com>
Signed-off-by: Siva Durga Prasad Paladugu <siva.durga.paladugu@xilinx.com>
Acked-by: Will Wong <willw@xilinx.com>
To make ULPI transceiver work, a HIGH - LOW - HIGH pulse needs
to be given to resetb pin of ULPI chip. In ZYNQMP, this resetb
pin is being driven by BOOT MODE PIN 1. The BOOT MODE PIN's
are controlled by BOOT_PIN_CTRL register present in CRL_APB
address region. Since CRL_APB can be resticted to secure access,
this pin should be controlled by ATF.
This patch adds the support for the same.
Signed-off-by: Anurag Kumar Vulisha <anuragku@xilinx.com>
Signed-off-by: Siva Durga Prasad Paladugu <siva.durga.paladugu@xilinx.com>
This patch introduces the shared Mbed TLS heap optimisation for Arm
platforms. The objective is the Mbed TLS heap to be shared between BL1
and BL2 so as to not allocate the heap memory twice. To achieve that,
the patch introduces all the necessary helpers for implementing this
optimisation. It also applies it for FVP.
Change-Id: I6d85eaa1361517b7490956b2ac50f5fa0d0bb008
Signed-off-by: John Tsichritzis <john.tsichritzis@arm.com>
The Mbed TLS drivers, in order to work, need a heap for internal usage.
This heap, instead of being directly referenced by the drivers, now it
is being accessed indirectly through a pointer. Also, the heap, instead
of being part of the drivers, now it is being received through the
plat_get_mbedtls_heap() function. This function requests a heap from the
current BL image which utilises the Mbed TLS drivers.
Those changes create the opportunity for the Mbed TLS heap to be shared
among different images, thus saving memory. A default heap
implementation is provided but it can be overridden by a platform
specific, optimised implemenetation.
Change-Id: I286a1f10097a9cdcbcd312201eea576c18d157fa
Signed-off-by: John Tsichritzis <john.tsichritzis@arm.com>
Some customers are missing host libraries required for doimage
builds.
This patch requests for the library installation check for every
doimage build and suggest the required installation steps in case
of missing headers.
Change-Id: Icde18c3d4d6045f65e50d2dc9e6514971f40033e
Signed-off-by: Konstantin Porotchkin <kostap@marvell.com>
Reviewed-by: Igal Liberman <igall@marvell.com>
This patch enables handling PMU overflow IRQ by GIC SPI's
directly in EL3. Also implement additional SMC routine,
which can disable the solution on demand in runtime.
Since it is possible to configure PMU interrupt trigger type
in the MADT ACPI table, it is enough to set it only once in EL3
during initialization.
Change-Id: Ie76aa62ccc4fd7cabfec9e3d5ed9970ada1c1b2a
Signed-off-by: Marcin Wojtas <mw@semihalf.com>
Reviewed-by: Kostya Porotchkin <kostap@marvell.com>
Current default behavior of cpu_standby callback
is problematic during the SBSA test, which is
unable to run due to EL3 panic. Make it dependent on
the PM firmware running.
Change-Id: I7a53de8c880bd23b157dd65ce14bb48b5a5c76c8
Signed-off-by: Marcin Wojtas <mw@semihalf.com>
Reviewed-by: Grzegorz Jaszczyk <jaz@semihalf.com>
Reviewed-by: Kostya Porotchkin <kostap@marvell.com>
In order to allow the use of PCIe cards such as graphics cards, whose
demands for BAR space are typically much higher than those of network
or SATA/USB cards, reconfigure the I/O windows so we can declare two
MMIO PCI regions: a 512 MB MMIO32 one at 0xc000_0000 and a 4 GB MMIO64
one at 0x8_0000_0000. In addition, this will leave ample room for an
ECAM config space at 0xe000_0000 (up to the ECAM maximum of 256 MB)
For compatibility with older kernels or firmware, leave the original
16 MB window in place as well.
Change-Id: Ia8177194e542078772f90941eced81b231c16887
Signed-off-by: Marcin Wojtas <mw@semihalf.com>
Reviewed-by: Kostya Porotchkin <kostap@marvell.com>
In order to allow the use of PCIe cards such as graphics cards, whose
demands for BAR space are typically much higher than those of network
or SATA/USB cards, reconfigure the I/O windows so we can declare two
MMIO PCI regions: a 512 MB MMIO32 one at 0xc000_0000 and a 4 GB MMIO64
one at 0x8_0000_0000. In addition, this will leave ample room for an
ECAM config space at 0xe000_0000 (up to the ECAM maximum of 256 MB)
For compatibility with older kernels or firmware, leave the original
16 MB window in place as well.
Change-Id: I80b00691ae8d0a3f3f7285b8e0bfc21c0a095e94
Signed-off-by: Marcin Wojtas <mw@semihalf.com>
Reviewed-by: Kostya Porotchkin <kostap@marvell.com>
Define the RT service space as secure with use of memory controller
trustzone feature. Thanks to this protection, any NS-Bootloader nor NS-OS,
won't be able to access RT services (e.g. accidentally overwrite it,
which will at best result in RT services unavailability).
Change-Id: Ie5b6cbe9a1b77879d6d8f8eac5d4e41e468496ce
Signed-off-by: Grzegorz Jaszczyk <jaz@semihalf.com>
Reviewed-by: Kostya Porotchkin <kostap@marvell.com>
Rename a8k_common.h to armada_common.h to keep the same header
name across all other Marvell Armada platforms.
This is especially useful since various Marvell platforms may
use common platform files and share the driver modules.
Change-Id: I7262105201123d54ccddef9aad4097518f1e38ef
Signed-off-by: Konstantin Porotchkin <kostap@marvell.com>
Add another level of abstraction of weak defs for
arm_bl2_handle_post_image_load to prevent two weak definitions
of the same function
Change-Id: Ie953786f43b0f88257c82956ffaa5fe0d19603db
Signed-off-by: Daniel Boulby <daniel.boulby@arm.com>
Currently in Linux maximum number of clocks is hard-coded and
so it needs to allocate static memory. It can get actual clock
number after querying all clock names by special clock name
string. Add new query data parameter to get actual number of
clocks so Linux can get actual clock numbers in advance.
Signed-off-by: Rajan Vaja <rajan.vaja@xilinx.com>
Small patch which removes some redundant casts to (void *).
Change-Id: If1cfd68f2989bac1d39dbb3d1c31d4119badbc21
Signed-off-by: John Tsichritzis <john.tsichritzis@arm.com>
TI-SCI message protocol provides support for controlling of various
physical cores available in the SoC. In order to control which host is
capable of controlling a physical processor core, there is a processor
access control list that needs to be populated as part of the board
configuration data.
Introduce support for the set of TI-SCI message protocol APIs that
provide us with this capability of controlling physical cores.
Signed-off-by: Andrew F. Davis <afd@ti.com>
Reviewed-by: Andreas Dannenberg <dannenberg@ti.com>
Since system controller now has control over SoC power management, core
operation such as reset need to be explicitly requested to reboot the SoC.
Add support for this here.
Signed-off-by: Andrew F. Davis <afd@ti.com>
Reviewed-by: Andreas Dannenberg <dannenberg@ti.com>
TI-SCI message protocol provides support for management of various
hardware entities within the SoC.
In general, we expect to function at a device level of abstraction,
however, for proper operation of hardware blocks, many clocks directly
supplying the hardware block needs to be queried or configured.
Introduce support for the set of TI-SCI message protocol support that
provide us with this capability.
Signed-off-by: Andrew F. Davis <afd@ti.com>
Reviewed-by: Andreas Dannenberg <dannenberg@ti.com>
TI-SCI message protocol provides support for management of various
hardware entitites within the SoC.
We introduce the fundamental device management capability support to
the driver protocol as part of this change.
Signed-off-by: Andrew F. Davis <afd@ti.com>
Reviewed-by: Andreas Dannenberg <dannenberg@ti.com>
Texas Instrument's System Control Interface (TI-SCI) Message Protocol
is used in Texas Instrument's System on Chip (SoC) such as those
in K3 family AM654x SoCs to communicate between various compute
processors with a central system controller entity.
TI-SCI message protocol provides support for management of various
hardware entities within the SoC. Add support driver to allow
communication with system controller entity within the SoC.
Signed-off-by: Andrew F. Davis <afd@ti.com>
Reviewed-by: Andreas Dannenberg <dannenberg@ti.com>
Secure Proxy module manages hardware threads that are meant
for communication between the processor entities. Add support
for this here.
Signed-off-by: Andrew F. Davis <afd@ti.com>
tf_printf and tf_snprintf are now called printf and snprintf, so the
code needs to be updated.
Change-Id: Iffeee97afcd6328c4c2d30830d4923b964682d71
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
The codebase was using non-standard headers. It is needed to replace
them by the correct ones so that we can use the new libc headers.
Change-Id: I530f71d9510cb036e69fe79823c8230afe890b9d
Acked-by: Sumit Garg <sumit.garg@linaro.org>
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
All the arm platforms were including the files related to
mem-protect. This configuration generates some problems
with new platforms that don't support such functionality,
and for that reason this patch moves these files to the
platform specific makefiles.
Change-Id: I6923e5224668b76667795d8e11723cede7979b1e
Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
These changes address most of the required MISRA rules. In the process,
some from generic code is also fixed.
No functional changes.
Change-Id: I707dbec9b34b802397e99da2f5ae738165d6feba
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
The Raspberry Pi 3 port doesn't actually depend on any Arm platform
code, so the dependencies can be removed.
Change-Id: Ic2f47f5001bebde3862815b1d880a169d82b3f65
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
This function is required for platforms where
COLD_BOOT_SINGLE_CPU=0 however it was missing from rockchip
platforms
Change-Id: I32a85f226a4f22085a27113903f34bdb6f28dbcc
Signed-off-by: Daniel Boulby <daniel.boulby@arm.com>
The translation library is useful elsewhere. Even though this repository
doesn't exercise the EL2 support of the library, it is better to have it
here as well to make it easier to maintain.
enable_mmu_secure() and enable_mmu_direct() have been deprecated. The
functions are still present, but they are behind ERROR_DEPRECATED and
they call the new functions enable_mmu_svc_mon() and
enable_mmu_direct_svc_mon().
Change-Id: I13ad10cd048d9cc2d55e0fff9a5133671b67dcba
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Functions provided by stdio.h such as printf and sprintf are available
in the codebase, but they add a lot of code to the final image if they
are used:
- AArch64: ~4KB
- AArch32: ~2KB in T32, ~3KB in A32
tf_printf and tf_snprintf are a lot more simple, but it is preferable
to use them when possible because they are also used in common code.
Change-Id: Id09fd2b486198fe3d79276e2c27931595b7ba60e
Acked-by: Haojian Zhuang <haojian.zhuang@linaro.org>
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Add support for System Guidance for Mobile platform SGM775
Change-Id: I2442a50caae8f597e5e5949cd48f695cf75d9653
Signed-off-by: Nariman Poushin <nariman.poushin@linaro.org>
In css platforms where the cpu/cluster management is done by the hardware,
software does need to issue certain scmi requests.
This patch wraps those scmi calls around the HW_ASSISTED_COHERENCY
build option to remove them on platforms that have this hardware support.
Change-Id: Ie818e234484ef18549aa7f977aef5c3f0fc26c27
Signed-off-by: Deepak Pandey <Deepak.Pandey@arm.com>
Signed-off-by: Amit Daniel Kachhap <amit.kachhap@arm.com>
Signed-off-by: Nariman Poushin <nariman.poushin@linaro.org>
This omission causes a build error as the definition for
arm_tzc_regions_info_t is needed from plat_arm.h
Change-Id: I26935ee90d3e36ab6a016ff2c4eee4413df3e4e8
Signed-off-by: Nariman Poushin <nariman.poushin@linaro.org>
The Arm SGI platforms can switch to using SCMI. So enable support for
SCMI and remove portions of code that would be unused after switching
to SCMI.
Change-Id: Ifd9e1c944745f703da5f970b5daf1be2b07ed14e
Signed-off-by: Chandni Cherukuri <chandni.cherukuri@arm.com>
On SGI platforms, the 'CORE_PWRDN_EN' bit of 'CPUPWRCTLR_EL1'
register requires an explicit write to clear it for hotplug and
idle to function correctly. The reset value of this bit is zero
but it still requires this explicit clear to zero. This indicates
that this could be a model related issue but for now this issue can
be fixed be clearing the CORE_PWRDN_EN in the platform specific
reset handler function.
Change-Id: I4222930daa9a3abacdace6b7c3f4a5472ac0cb19
Signed-off-by: Chandni Cherukuri <chandni.cherukuri@arm.com>
TF Makefile was linking all the objects files generated for the
fdt library instead of creating a static library that could be
used in the linking stage.
Change-Id: If3705bba188ec39e1fbf2322a7f2a9a941e1b90d
Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
TF won't build since no memory region is specified
for when SEPARATE_CODE_AND_RODATA=0 it still relies on
the ARM_MAP_BL_RO_DATA region which is never defined for
this case. Create memory region combining code and RO data for
when the build flag SEPARATE_CODE_AND_RODATA=0 to fix this
Change-Id: I6c129eb0833497710cce55e76b8908ce03e0a638
Signed-off-by: Daniel Boulby <daniel.boulby@arm.com>
GPIO_089 connects to PCIE_PERST_N. It needs to be configured as
output low.
Signed-off-by: Kaihua Zhong <zhongkaihua@huawei.com>
Signed-off-by: Xiaowei Song <songxiaowei@hisilicon.com>
Signed-off-by: Haojian Zhuang <haojian.zhuang@linaro.org>
We can enter and exit coherency without any software operations,
but HW_ASSISTED_COHERENCY has stronger implications that are
causing issues. Until these can be resolved, only use the weaker
WARMBOOT_ENABLE_DCACHE_EARLY flag.
Signed-off-by: Andrew F. Davis <afd@ti.com>
Add the various flags that are required to build the components needed
to enable the RAS feature on SGI575 platform. By default, all flags
are set to 0, disabling building of all corresponding components.
Change-Id: I7f8536fba895043ef6e397cc33ac9126cb572132
Signed-off-by: Sughosh Ganu <sughosh.ganu@arm.com>
Add platform specific changes needed to add support for the RAS
feature on SGI575 platform, including adding a mapping for the
CPER buffer being used on SGI575 platform.
Change-Id: I01a982e283609b5c48661307906346fa2738a43b
Signed-off-by: Sughosh Ganu <sughosh.ganu@arm.com>
Add a platform specific handler for RAS interrupts and configure the
platform RAS interrupts for EL3 handling. The interrupt handler passes
control to StandaloneMM code executing in S-EL0, which populates the
CPER buffer with relevant error information. The handler subsequently
invokes the SDEI client which processes the information in the error
information in the CPER buffer. The helper functions
plat_sgi_get_ras_ev_map and plat_sgi_get_ras_ev_map_size would be
defined for sgi platforms in the subsequent patch, which adds sgi575
specific RAS changes.
Change-Id: I490f16c15d9917ac40bdc0441659b92380108d63
Signed-off-by: Sughosh Ganu <sughosh.ganu@arm.com>
The secure partition manager reserves chunks of memory which are used
for the S-EL0 StandaloneMM image and the buffers required for
communication between the Non-Secure world with the StandaloneMM
image. Add the memory chunks to relevant arrays for mapping the
regions of memory with corresponding attributes.
Change-Id: If371d1afee0a50ca7cacd55e16aeaca949d5062b
Signed-off-by: Sughosh Ganu <sughosh.ganu@arm.com>
The SGI platforms need to allocate memory for CPER buffers. These
platform buffers would be placed between the shared reserved memory
and the per cpu stack memory, thus the need to redefine stack base
pointer for these platforms. This patch allows each board in ARM
platform to define the PLAT_SP_IMAGE_STACK_BASE.
Change-Id: Ib5465448b860ab7ab0f645f7cb278a67acce7be9
Signed-off-by: Sughosh Ganu <sughosh.ganu@arm.com>
Include arm_spm_def.h in the platform_def.h file. Without this
inclusion, we get build errors like
In file included from services/std_svc/spm/sp_setup.c:12:0:
services/std_svc/spm/sp_setup.c: In function 'spm_sp_setup':
services/std_svc/spm/sp_setup.c:61:57: error: 'PLAT_SPM_BUF_BASE'
undeclared (first use in this function)
write_ctx_reg(get_gpregs_ctx(ctx), CTX_GPREG_X0, PLAT_SPM_BUF_BASE);
Now that the platform_def.h includes arm_spm_def.h, remove inclusion
of platform_def.h in arm_spm_def.h to remove the circular dependency.
Change-Id: I5225c8ca33fd8d288849524395e436c3d56daf17
Signed-off-by: Sughosh Ganu <sughosh.ganu@arm.com>
The board_arm_def.h header file needs to be included via the platform
definition header. Not doing so, results in a redefinition error of
PLAT_ARM_MAX_BL31_SIZE macro, if defined in the platform definition
file.
Change-Id: I1d178f6e8a6a41461e7fbcab9f6813a2faa2d82b
Signed-off-by: Sughosh Ganu <sughosh.ganu@arm.com>
platform.mk is updated to have compilation rules for DTB, stm32image tool,
and the concatenation of the 3 binaries.
A new linker script and an assembly file are added to manage this.
Signed-off-by: Yann Gautier <yann.gautier@st.com>
Signed-off-by: Mathieu Belou <mathieu.belou@st.com>
Signed-off-by: Lionel Debieve <lionel.debieve@st.com>
The DDR driver is under dual license, BSD and GPLv2.
The configuration parameters are taken from device tree.
Signed-off-by: Yann Gautier <yann.gautier@st.com>
Signed-off-by: Patrick Delaunay <patrick.delaunay@st.com>
Signed-off-by: Nicolas Le Bayon <nicolas.le.bayon@st.com>
Signed-off-by: Lionel Debieve <lionel.debieve@st.com>
If a PMIC companion chip is present on board, it has to be configured
for regulators supplies.
This check is done with board DT configuration.
Signed-off-by: Yann Gautier <yann.gautier@st.com>
Signed-off-by: Pascal Paillet <p.paillet@st.com>
Signed-off-by: Yann Gautier <yann.gautier@st.com>
Signed-off-by: Nicolas Le Bayon <nicolas.le.bayon@st.com>
Signed-off-by: Lionel Debieve <lionel.debieve@st.com>
This will be used by BL33 to get boot device and instance.
Signed-off-by: Yann Gautier <yann.gautier@st.com>
Signed-off-by: Mathieu Belou <mathieu.belou@st.com>
Signed-off-by: Lionel Debieve <lionel.debieve@st.com>
The management of pinctrl nodes of device tree is also added.
Signed-off-by: Yann Gautier <yann.gautier@st.com>
Signed-off-by: Mathieu Belou <mathieu.belou@st.com>
Signed-off-by: Nicolas Le Bayon <nicolas.le.bayon@st.com>
The clock driver is under dual license, BSD and GPLv2.
The clock driver uses device tree, so a minimal support for this is added.
The required files for driver and DTS files are in include/dt-bindings/.
Signed-off-by: Yann Gautier <yann.gautier@st.com>
Signed-off-by: Patrick Delaunay <patrick.delaunay@st.com>
Signed-off-by: Nicolas Le Bayon <nicolas.le.bayon@st.com>
Signed-off-by: Lionel Debieve <lionel.debieve@st.com>
STM32MP1 is a microprocessor designed by STMicroelectronics,
based on a dual Arm Cortex-A7.
It is an Armv7-A platform, using dedicated code from TF-A.
STM32MP1 uses BL2 compiled with BL2_AT_EL3.
Signed-off-by: Yann Gautier <yann.gautier@st.com>
Signed-off-by: Mathieu Belou <mathieu.belou@st.com>
Signed-off-by: Etienne Carriere <etienne.carriere@st.com>
Signed-off-by: Lionel Debieve <lionel.debieve@st.com>
Signed-off-by: Nicolas Le Bayon <nicolas.le.bayon@st.com>
Signed-off-by: Patrick Delaunay <patrick.delaunay@st.com>
Signed-off-by: Pascal Paillet <p.paillet@st.com>
Change arm_setup_page_tables() to take a variable number of memory
regions. Remove coherent memory region from BL1, BL2 and BL2U as
their coherent memory region doesn't contain anything and
therefore has a size of 0. Add check to ensure this
doesn't change without us knowing.
Change-Id: I790054e3b20b056dda1043a4a67bd7ac2d6a3bc0
Signed-off-by: Daniel Boulby <daniel.boulby@arm.com>
OP-TEE loading is optional on Developerbox controlled via SCP
firmware. To check if OP-TEE is loaded or not, we use DRAM1 region
info passed by SCP firmware.
Signed-off-by: Sumit Garg <sumit.garg@linaro.org>
Reviewed-by: Daniel Thompson <daniel.thompson@linaro.org>
This also gets rid of MISRA violations for Rule 8.3 and 8.4.
Change-Id: I45bba011b16f90953dd4b260fcd58381f978eedc
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
BL1 is used in recovery mode on HiKey. The TBB implementation
on HiKey is in BL2. It means that user need to build ATF BL2
with TBB and ATF BL1 with non-TBB. It's inconvenient.
So include TBB in BL1, too.
Signed-off-by: Teddy Reed <teddy@prosauce.org>
Signed-off-by: Victor Chong <victor.chong@linaro.org>
Signed-off-by: Haojian Zhuang <haojian.zhuang@linaro.org>
External Aborts while executing in EL3 is fatal in nature. This patch
allows for the platform to define a handler for External Aborts received
while executing in EL3. A default implementation is added which falls
back to platform unhandled exception.
Change-Id: I466f2c8113a33870f2c7d2d8f2bf20437d9fd354
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
Double fault is when the PE receives another error whilst one is being
handled. To detect double fault condition, a per-CPU flag is introduced
to track the status of error handling. The flag is checked/modified
while temporarily masking external aborts on the PE.
This patch routes double faults to a separate platform-defined handler.
Change-Id: I70e9b7ba4c817273c55a0af978d9755ff32cc702
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
Uncontainable errors are the most severe form of errors, which typically
mean that the system state can't be trusted any more. This further means
that normal error recovery process can't be followed, and an orderly
shutdown of the system is often desirable.
This patch allows for the platform to define a handler for Uncontainable
errors received. Due to the nature of Uncontainable error, the handler
is expected to initiate an orderly shutdown of the system, and therefore
is not expected to return. A default implementation is added which falls
back to platform unhandled exception.
Also fix ras_arch.h header guards.
Change-Id: I072e336a391a0b382e77e627eb9e40729d488b55
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
Add support for A8K platform boards
Change-Id: Ife025d930d2ab6cabbc13bbe19b2273cc1c938c8
Signed-off-by: Hanna Hawa <hannah@marvell.com>
Signed-off-by: Konstantin Porotchkin <kostap@marvell.com>
Add common Marvell ARMADA platform components.
This patch also includes common components for Marvell
ARMADA 8K platforms.
Change-Id: I42192fdc6525a42e46b3ac2ad63c83db9bcbfeaf
Signed-off-by: Hanna Hawa <hannah@marvell.com>
Signed-off-by: Konstantin Porotchkin <kostap@marvell.com>
Define the values as unsigned int or unsigned long long based on the
actual size of the register. This prevents subtle issues caused by
having a type that is too small. For example:
#define OPTION_ENABLE 0x3
#define OPTION_SHIFT 32
uint64_t mask = OPTION_ENABLE << OPTION_SHIFT;
Because OPTION_ENABLE fits in an int, the value is considered an int.
This means that, after shifting it 32 places to the left, the final
result is 0. The correct way to define the values is:
#define OPTION_ENABLE ULL(0x3)
#define OPTION_SHIFT U(32)
In this case, the compiler is forced to use a 64 bit value from the
start, so shifting it 32 places to the left results in the expected
value.
Change-Id: Ieaf2ffc2d8caa48c622db011f2aef549e713e019
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
The Non-secure DRAM region shouldn't be protected in the range specified
in the Linux command line with memmap.
This change also increases the size of the Secure DRAM region.
Change-Id: I306e9e443a84b834c99739f54a534a3ca3be2424
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
This option allows the Trusted Firmware to pass the correct arguments to
a 32 or 64-bit Linux kernel without the need of an intermediate loader
such as U-Boot.
Change-Id: I2b22e8933fad6a614588ace559f893e97329801f
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
FIQs shouldn't be used at all as long as the interrupt routing doesn't
support them properly.
Change-Id: Ib1db7b523a62de2035d41197bc791048337cf791
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Remove unused variable and set the secure entrypoint correctly.
Change-Id: I7447ea62771092de6be35704077ae28c519d6993
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
It uses the hardware RNG in a similar way as Juno (it gets 128 bits of
entropy and does xor on them).
It is disabled by default.
Change-Id: I8b3adb61f5a5623716e0e8b6799404c68dd94c60
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Note that this is a non-secure RNG. This is only useful for educational
purposes.
Change-Id: If359c8d0f755ef8e416986de7fbca34679a523e1
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
There is no way to boot BL31 at the addresses specified in the platform
memory map unless an extra loader is used at address 0x00000000. It is
better to remove it to prevent confusion. Having it enabled was a bug.
Change-Id: I3229fbc080f5996cff47efce8e799bae94e0d5cb
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Implement VideoCore mailbox interface driver and use it to get the board
revision identifier.
For now it is only used to print the model for debug purposes.
This wiki contains the documentation of the mailbox interface:
https://github.com/raspberrypi/firmware/wiki
Change-Id: I11943b99b52cc1409f4a195ebe58eb44ae5b1d6c
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
This implementation doesn't actually turn the system off, it simply
reboots it and prevents it from booting while keeping it in a low power
mode.
Change-Id: I7f72c9f43f25ba0341db052bc2be4774c88a7ea3
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Add a new default makefile target to concatenate BL1 and the FIP and
generate armstub8.bin. This way it isn't needed to do it manually.
Documentation updated to reflect the changes.
Change-Id: Id5b5b1b7b9f87767db63fd01180ddfea855a7207
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
With commit cf24229e6e ("Run compiler on debug macros for type
checking"), the compiler will now always evaluate INFO() macro
calls, no matter the LOG_LEVEL value. Therefore, any variable
referenced in the macro has to be be defined.
Address this issue by removing the local variable and using the
expression it was assigned directly in the INFO() call.
Change-Id: Iedc23b3538c1e162372e85390881e50718e50bf3
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
Add domain suspend/resume support, Linux kernel
can "echo mem > /sys/power/state" to put system
into suspend mode, all CPUs and cluster will be
powered off and can be waked up if irq pending
in GIC, tested on i.MX8QM MEK board.
Since the power state has been implemented, switch
to use standard power state for CCI operations
instead of private cpu use count in i.MX8QM.
Signed-off-by: Anson Huang <Anson.Huang@nxp.com>
Add domain off support for Linux kernel's cpu
hot-plug feature, when there are cpu off request
from Linux kernel, TF-A will send command to
system controller to do CPU power gate accordingly,
tested on i.MX8QM MEK board.
Signed-off-by: Anson Huang <Anson.Huang@nxp.com>
Add system reset support for i.MX8QM,
when Linux kernel issues "reboot" command,
TF-A will send command to inform system
controller to reset whole board according
to board design, tested on i.MX8QM MEK board.
Signed-off-by: Anson Huang <Anson.Huang@nxp.com>
Add system power off support for i.MX8QM,
when Linux kernel issues "poweroff" command,
TF-A will send command to inform system
controller to power off whole board according
to board design, tested on i.MX8QM MEK board.
Signed-off-by: Anson Huang <Anson.Huang@nxp.com>
Add domain suspend/resume support, Linux kernel
can "echo mem > /sys/power/state" to put system
into suspend mode, all CPUs and cluster will be
powered off and can be waked up if irq pending
in GIC, tested on i.MX8QX MEK board.
Signed-off-by: Anson Huang <Anson.Huang@nxp.com>
Running optee_test failed because SEC_DRAM0_SIZE is too small. Previous
is 2 MB. We enlarge it to 11 MB for passing the test. Also we reduce
the NS_DRAM0_SIZE from 13MB to 4MB so that the whole section is still
fit in 16MB.
This commit also modified the document to reflect the changes we've
made in code.
Tested-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Signed-off-by: Ying-Chun Liu (PaulLiu) <paulliu@debian.org>
Add domain off support for Linux kernel's cpu
hot-plug feature, when there are cpu off request
from Linux kernel, TF-A will send command to
system controller to do CPU power gate accordingly.
Signed-off-by: Anson Huang <Anson.Huang@nxp.com>
Add system reset support for i.MX8QX,
when Linux kernel issues "reboot" command,
TF-A will send command to inform system
controller to reset whole board according
to board design, tested on i.MX8QX MEK board.
Signed-off-by: Anson Huang <Anson.Huang@nxp.com>
Add system power off support for i.MX8QX,
when Linux kernel issues "poweroff" command,
TF-A will send command to inform system
controller to power off whole board according
to board design, tested on i.MX8QX MEK board.
Signed-off-by: Anson Huang <Anson.Huang@nxp.com>
Implement minimal interrupt routing functions. All interrupts are
treated as non-secure interrupts to be handled by the non-secure world.
Add note to the documentation about disabling FIQs qhen using OP-TEE
with Linux.
Change-Id: I937096542d973925e43ae946c5d0b306d0d95a94
Tested-by: Ying-Chun Liu (PaulLiu) <paul.liu@linaro.org>
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
The plat_arm_mmap variable is already declared in plat_arm.h, which is
included from plat/arm/common/arm_common.c.
Similarly, plat_arm.h declares the 'plat_arm_psci_pm_ops' variable, which
does not need to be declared again in plat/arm/common/arm_pm.c.
The duplication was not compliant with MISRA rule 8.5.
Change-Id: Icc42547cc025023226b1078a7ec4f06d093364b7
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
These directives are only used when stabs debugging information
is used, but we use ELF which uses DWARF debugging information.
Clang assembler doesn't support these directives, and removing
them makes the code more compatible with clang.
Change-Id: I2803f22ebd24c0fe248e04ef1b17de9cec5f89c4
Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
Clang linker doesn't support NEXT. As we are not using the MEMORY command
to define discontinuous memory for the output file in any of the linker
scripts, ALIGN and NEXT are equivalent.
Change-Id: I867ffb9c9a76d4e81c9ca7998280b2edf10efea0
Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
Rule 8.4: A compatible declaration shall be visible when
an object or function with external linkage is defined
Fixed for:
make DEBUG=1 PLAT=juno SPD=tspd CSS_USE_SCMI_SDS_DRIVER=1 all
Change-Id: Id732c8df12ef3e20903c41b7ab9a9b55341d68ac
Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
Rule 8.3: All declarations of an object or function shall
use the same names and type qualifiers.
Fixed for:
make DEBUG=1 PLAT=juno SPD=tspd CSS_USE_SCMI_SDS_DRIVER=1 all
Change-Id: Id9dcc6238b39fac6046abc28141e3ef5e7aa998d
Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
Rule 8.4: A compatible declaration shall be visible when
an object or function with external linkage is defined
Fixed for:
make DEBUG=1 PLAT=juno ARCH=aarch32 AARCH32_SP=sp_min RESET_TO_SP_MIN=1 JUNO_AARCH32_EL3_RUNTIME=1 bl32
Change-Id: I3ac25096b55774689112ae37bdf1222f9a9ecffb
Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
Rule 8.3: All declarations of an object or function shall
use the same names and type qualifiers.
Fixed for:
make DEBUG=1 PLAT=juno ARCH=aarch32 AARCH32_SP=sp_min RESET_TO_SP_MIN=1 JUNO_AARCH32_EL3_RUNTIME=1 bl32
Change-Id: Ia34f5155e1cdb67161191f69e8d1248cbaa39e1a
Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
This patch adds experimental support for TRUSTED_BOARD_BOOT to the
Hikey. This is adapted from the RPi3 and QEMU implementations.
Since the Hikey starts from BL2 the TRUSTED_BOARD_BOOT ROT begins there
too. When TRUSTED_BOARD_BOOT is defined, the BL1 build is skipped.
See the following example:
make \
PLAT=hikey \
BL33=u-boot.bin \
SCP_BL2=mcuimage.bin \
TRUSTED_BOARD_BOOT=1 \
MBEDTLS_DIR=../../mbedtls \
GENERATE_COT=1 \
all fip
Signed-off-by: Teddy Reed <teddy.reed@gmail.com>
This patch adds support for TBB to rpi3. The ROTPK is generated at build
time and is included into BL1/BL2. The key and content certificates are
read over semihosting.
Tested-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Signed-off-by: Ying-Chun Liu (PaulLiu) <paul.liu@linaro.org>
The H6 is Allwinner's most recent SoC. It shares most peripherals with the
other ARMv8 Allwinner SoCs (A64/H5), but has a completely different memory
map.
Introduce a separate platform target, which includes a different header
file to cater for the address differences. Also add the new build target
to the documentation.
The new ATF platform name is "sun50i_h6".
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
To wake a core from wfi interrupts must be enabled, in some cases they
may not be and so we can lock up here. Unconditionally enable interrupts
before wfi and then restore interrupt state.
Signed-off-by: Andrew F. Davis <afd@ti.com>
Actions may need to be taken by the last core when all clusters
have been shutdown. Add a top level root domain node to coordinate
this between clusters.
Signed-off-by: Andrew F. Davis <afd@ti.com>
So far we already support booting on two different SoCs, and we will
shortly add a third, so add some code to determine the current SoC type.
This can be later used to runtime detect certain properties.
Also print the SoC name to the console, to give valuable debug information.
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
There is nothing we need from the BootROM area, so we also don't need
to map it in EL3.
Remove the mapping and reduce the number of MMAP regions by one.
Reported-by: Samuel Holland <samuel@sholland.org>
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
The DRAM controller supports up to 4GB of DRAM, and there are actually
boards out there where we can use at least 3GB of this.
Relax the PSCI entry point check, to be not restricted to 2GB of DRAM.
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
The "#ifdef SUNXI_SPC_BASE" guard was meant to allow the build on SoCs
without a Secure Peripherals Controller, so that we skip that part of
the security setup. But in the current position this will trigger a
warning about an unused variable.
Simply move the guard one line up to cover the variable as well.
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
The "INFO" output in sunxi_cpu_ops.c is quite verbose, so make this more
obvious by changing the log level to "VERBOSE" and so avoiding it to
be printed in a normal (even debug) build.
Reported-by: Samuel Holland <samuel@sholland.org>
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
The relative VER_REG *offset* is the same across all known SoCs, so we
can define this offset near it's user.
Remove it from the memory map.
Reported-by: Samuel Holland <samuel@sholland.org>
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
Some code in sunxi_common.c requires symbols defined in sunxi_private.h,
so add the header to that file.
It was included via another header before, but let's make this explicit.
Reported-by: Samuel Holland <samuel@sholland.org>
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
This patch is an attempt to run Trusted OS (OP-TEE OS being one of them) along
side BL31 image.
ATF supports multiple SPD's that can take dispatcher name (opteed for OP-TEE OS)
as an input using the 'SPD=<dispatcher name>' option during bl31 build.
Signed-off-by: Amit Singh Tomar <amittomer25@gmail.com>
Having an active stack while enabling MMU has shown coherency problems.
This patch builds on top of translation library changes that introduces
MMU-enabling without using stacks.
Previously, with HW_ASSISTED_COHERENCY, data caches were disabled while
enabling MMU only because of active stack. Now that we can enable MMU
without using stack, we can enable both MMU and data caches at the same
time.
NOTE: Since this feature depends on using translation table library v2,
disallow using translation table library v1 with HW_ASSISTED_COHERENCY.
FixesARM-software/tf-issues#566
Change-Id: Ie55aba0c23ee9c5109eb3454cb8fa45d74f8bbb2
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
Currenly the CNTFRQ register and system timer is initialized in BL31 for
use by the normal world. During firmware update, the NS-BL1 or NS-BL2U
may need to access the system timer. Hence this patch duplicates the
CNTFRQ and system timer initialization in BL1 as well.
Signed-off-by: Soby Mathew <soby.mathew@arm.com>
Change-Id: I1ede78b4ae64080fb418cb93f3e48b26d7b724dc
Set the ability to dynamically disable Trusted Boot Board
authentication to be off by default
Change-Id: Ibd2aa179179f7d9b0e7731c6e450f200a8c67529
Signed-off-by: Daniel Boulby <daniel.boulby@arm.com>
In the case of the platform max power level being less than the system
power level, make sure to not overrun the array of power states.
This fixes Coverity Scan OVERRUN defect CID 267021.
Change-Id: I52646ab9be2fceeb5c331b5dad7a6267991f4197
Signed-off-by: Nariman Poushin <nariman.poushin@linaro.org>
This is to fix a number of Coverity Scan DEADCODE defects, CID numbers
listed below, as reported from
https://scan.coverity.com/projects/arm-software-arm-trusted-firmware
CID 267023
CID 267022
CID 267020
Change-Id: I2963a799b210149e84ccab5c5b9082267ddfe337
Signed-off-by: Nariman Poushin <nariman.poushin@linaro.org>
This patch is an attempt to run Trusted OS (OP-TEE OS being one of them) along
side BL31 image.
ATF supports multiple SPD's that can take dispatcher name (opteed for OP-TEE OS)
as an input using the 'SPD=<dispatcher name>' option during bl31 build.
Signed-off-by: Amit Singh Tomar <amittomer25@gmail.com>
The file arm_ras.c intended to provide common platform-specific RAS
configuration for Arm platforms. Because this file has symbol
definitions, it's proving difficult to provide a common definition.
This patch therefore renames and makes the file specific to FVP. Other
platforms shall provide their own configuration in similar fashion.
Change-Id: I766fd238946e3e49cdb659680e1b45f41b237901
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
Add Makefile and plaform definations file.
My thanks to Daniel Thompson and Ard Biesheuvel for the bits and pieces
I've taken from their earlier work regarding build and deploy steps for
Developerbox based on Synquacer SoCs. They deserve much of the credit
for this work although, since I assembled and tested things, any blame
is probably mine.
Signed-off-by: Sumit Garg <sumit.garg@linaro.org>
Tested-by: Daniel Thompson <daniel.thompson@linaro.org>
Tested-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
PSCI framework uses SCPI driver to communicate to SCP firmware for
various power management operations. Following PSCI operations are
supported:
- CPU ON
- CPU OFF
- CPU STANDBY
- SYSTEM RESET
- SYSTEM OFF
Signed-off-by: Masahisa Kojima <masahisa.kojima@linaro.org>
Signed-off-by: Sumit Garg <sumit.garg@linaro.org>
Retrieve DRAM info from SCP firmware using SCPI driver. Board supports
multiple DRAM slots so its required to fetch DRAM info from SCP firmware
and pass this info to UEFI via non-secure SRAM.
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Sumit Garg <sumit.garg@linaro.org>
Add System Control and Power Interface (SCPI) driver which provides APIs
for PSCI framework to work. SCPI driver uses MHU driver APIs to communicate
with SCP firmware for various system control and power operations.
Signed-off-by: Sumit Garg <sumit.garg@linaro.org>
Add Message Handling Unit (MHU) driver used to communicate among
Application Processors (AP) and System Control Processor (SCP).
Signed-off-by: Sumit Garg <sumit.garg@linaro.org>
BL31 runs from SRAM which is a non-coherent memory on synquacer. So
enable MMU with SRAM memory marked as Non-Cacheable and mark page tables
kept on SRAM as Non-Cacheable via XLAT_TABLE_NC flag. Also add page tables
for Device address space.
Signed-off-by: Sumit Garg <sumit.garg@linaro.org>
These functions describe the layout of the cores and clusters in order
to support the PSCI framework.
Signed-off-by: Sumit Garg <sumit.garg@linaro.org>
As this platform supports direct entry to BL31 and no BL2, so
populate BL32 and BL33 entrypoints with static memory load info.
Signed-off-by: Sumit Garg <sumit.garg@linaro.org>
synquacer supports direct entry to BL31 without BL1 and BL2 as
SCP firmware does similar work. So this patch adds BL31 stub APIs.
Signed-off-by: Sumit Garg <sumit.garg@linaro.org>
This patch reads the chipid registers directly instead of making
pm call when running at BL32. User should ensure that these registers
should always be accessed from APU in their system configuration.
Signed-off-by: Siva Durga Prasad Paladugu <siva.durga.paladugu@xilinx.com>
This patch builds ATF to DDR if SPD is enabled as it cant fit in
On chip memory(OCM) with SPD enabled. This solves the issue
of build failure with SPD enabled for ZynqMP platform.
Signed-off-by: Siva Durga Prasad Paladugu <siva.durga.paladugu@xilinx.com>
Currently TF-A doesn't initialise CNTFRQ register in CNTCTLBase
frame of the system timer. ARM ARM states that "The instance of
the register in the CNTCTLBase frame must be programmed with this
value as part of system initialization."
The psci_arch_setup() updates the CNTFRQ system register but
according to the ARM ARM, this instance of the register is
independent of the memory mapped instance. This is only an issue
for Normal world software which relies on the memory mapped
instance rather than the system register one.
This patch resolves the issue for ARM platforms.
The patch also solves a related issue on Juno, wherein
CNTBaseN.CNTFRQ can be written and does not reflect the value of
the register in CNTCTLBase frame. Hence this patch additionally
updates CNTFRQ register in the Non Secure frame of the CNTBaseN.
FixesARM-Software/tf-issues#593
Change-Id: I09cebb6633688b34d5b1bc349fbde4751025b350
Signed-off-by: Soby Mathew <soby.mathew@arm.com>
While it would be useful to have a device tree based build, the
required components are not in place yet, so support just a simple
statically defined configuration to begin with.
Signed-off-by: Nishanth Menon <nm@ti.com>
Signed-off-by: Andrew F. Davis <afd@ti.com>
These functions are used for the PSCI implementation and are needed to
build BL31, but we cannot implement them until we add several more drivers
related to ti-sci so these are only stubs for now.
Signed-off-by: Nishanth Menon <nm@ti.com>
Signed-off-by: Benjamin Fair <b-fair@ti.com>
Signed-off-by: Andrew F. Davis <afd@ti.com>
Do proper initialization of GIC V3. This will allow CP15 access to GIC
from "normal world" (aka HLOS) via mrc/mcr calls.
K3 SoC family uses GICv3 compliant GIC500 without compatibility for
legacy GICv2.
Signed-off-by: Nishanth Menon <nm@ti.com>
Signed-off-by: Benjamin Fair <b-fair@ti.com>
Signed-off-by: Andrew F. Davis <afd@ti.com>
Provide K3_TIMER_FREQUENCY for the platform configuration if the GTC
clock is selected statically and override option if the platform has a
different configuration.
Signed-off-by: Nishanth Menon <nm@ti.com>
Signed-off-by: Benjamin Fair <b-fair@ti.com>
This library will be used to properly set up mappings from different
bootloaders at different exception levels. It ensures that memory mapped
devices such as UARTs are still accessible and memory regions have the
correct access permissions.
Signed-off-by: Benjamin Fair <b-fair@ti.com>
Signed-off-by: Nishanth Menon <nm@ti.com>
Signed-off-by: Andrew F. Davis <afd@ti.com>
These functions describe the layout of the cores and clusters in order to
support the PSCI framework.
Signed-off-by: Benjamin Fair <b-fair@ti.com>
Signed-off-by: Nishanth Menon <nm@ti.com>
Signed-off-by: Andrew F. Davis <afd@ti.com>
Because there is no BL2, BL31 must determine the entrypoint and memory
location of BL32 and BL33 on its own.
BL32_BASE and PRELOADED_BL33_BASE will be set in the corresponding board
makefile. We also allow a DTB address to be specified for cases when BL33
is a Linux image.
NOTE: It is possible to pull in this information from device tree as
well, however libfdt does not contain the required hooks to make this
happen at this point in time.
Signed-off-by: Benjamin Fair <b-fair@ti.com>
Signed-off-by: Nishanth Menon <nm@ti.com>
Signed-off-by: Andrew F. Davis <afd@ti.com>
The K3 family of SoCs has multiple interconnects. The key interconnect
for high performance processors is the MSMC3 interconnect. This is
an io-coherent interconnect which exports multiple ports for each
processor cluster.
Sometimes, port 0 of the MSMC may not have an ARM cluster OR is isolated
such that the instance of ATF does not manage it. Define macros
in platform_def.h to help handle this.
Signed-off-by: Benjamin Fair <b-fair@ti.com>
Signed-off-by: Nishanth Menon <nm@ti.com>
Signed-off-by: Andrew F. Davis <afd@ti.com>
Create the baseline Makefile, platform definitions file and platform
specific assembly macros file. This includes first set of constants
for the platform including cache sizes and linker format and a stub for
BL31 and the basic memory layout
K3 SoC family of processors do not use require a BL1 or BL2 binary,
since such functions are provided by an system controller on the SoC.
This lowers the burden of ATF to purely managing the local ARM cores
themselves.
Signed-off-by: Benjamin Fair <b-fair@ti.com>
Signed-off-by: Nishanth Menon <nm@ti.com>
Signed-off-by: Andrew F. Davis <afd@ti.com>
The old API is deprecated and will eventually be removed.
Arm platforms now use the multi console driver for boot and runtime
consoles. However, the crash console uses the direct console API because
it doesn't need any memory access to work. This makes it more robust
during crashes.
The AArch32 port of the Trusted Firmware doesn't support this new API
yet, so it is only enabled in AArch64 builds. Because of this, the
common code must maintain compatibility with both systems. SP_MIN
doesn't have to be updated because it's only used in AArch32 builds.
The TSP is only used in AArch64, so it only needs to support the new
API without keeping support for the old one.
Special care must be taken because of PSCI_SYSTEM_SUSPEND. In Juno, this
causes the UARTs to reset (except for the one used by the TSP). This
means that they must be unregistered when suspending and re-registered
when resuming. This wasn't a problem with the old driver because it just
restarted the UART, and there were no problems associated with
registering and unregistering consoles.
The size reserved for BL2 has been increased.
Change-Id: Icefd117dd1eb9c498921181a21318c2d2435c441
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
NXP's i.MX8QM is an ARMv8 SoC with 2 clusters, 2 Cortex-A72
cores in one cluster and 4 Cortex-A53 in the other cluster,
and also has system controller (Cortex-M4) inside, documentation
can be found in below link:
https://www.nxp.com/products/processors-and-microcontrollers/
applications-processors/i.mx-applications-processors/i.mx-8-processors:IMX8-SERIES
This patch adds support for booting up SMP linux kernel (v4.9).
Signed-off-by: Anson Huang <Anson.Huang@nxp.com>
NXP's i.MX8QX is an ARMv8 SoC with 4 Cortex-A35 cores and
system controller (Cortex-M4) inside, documentation can
be found in below link:
https://www.nxp.com/products/processors-and-microcontrollers/
applications-processors/i.mx-applications-processors/i.mx-8-processors:IMX8-SERIES
This patch adds support for booting up SMP linux kernel (v4.9).
Signed-off-by: Anson Huang <Anson.Huang@nxp.com>
NXP's i.MX8 SoCs have system controller (M4 core)
which takes control of clock management, power management,
partition management, PAD management etc., other
clusters like Cortex-A35 can send out command via MU
(Message Unit) to system controller for clock/power
management etc..
This patch adds basic IPC(inter-processor communication) support.
Signed-off-by: Anson Huang <Anson.Huang@nxp.com>
Having these definitions in board_arm_def.h forces to
all the arm platforms to use the same definition for
PLAT_ARM_MEM_PROT_ADDR.
This macro also enables the mem-protect mechanism,
which means that all the arm platform has enabled
mem-protect and they cannot get rid of it.
Change-Id: Id29d2c51cbe6edc15f010a9f5a20c42266c48a08
Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
In Arm platforms, when using dynamic configuration, the necessary
parameters are made available as a DTB. The DTB is loaded by BL1 and,
later on, is parsed by BL1, BL2 or even both, depending on when
information from the DTB is needed.
When the DTB is going to be parsed, it must be validated first, to
ensure that it is properly structured. If an invalid DTB is detected
then:
- BL1 prints a diagnostic but allows execution to continue,
- BL2 prints a diagnostic and panics.
Now the behaviour of BL1 is changed so for it also to panic. Thus, the
behaviour of BL1 and BL2 is now similar.
Keep in mind that if BL1 only loads the DTB but it doesn't need to
read/write it, then it doesn't validate it. The validation is done only
when the DTB is actually going to be accessed.
Change-Id: Idcae6092e6dbeab7248dd5e041d6cbb7784fe410
Signed-off-by: John Tsichritzis <john.tsichritzis@arm.com>
Some peripherals are TrustZone aware, so they need to be configured to
be accessible from non-secure world, as we don't need any of them being
exclusive to the secure world.
This affects some clocks, DMA channels and the Secure Peripheral
Controller (SPC). The latter controls access to most devices, but is not
active unless booting with the secure boot fuse burnt.
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
The reset vector entry point is preserved across CPU resets, so it only
needs to be set once at boot.
Hotplugged CPUs are not actually powered down, but are put in a wfi with
the GIC disconnected.
With this commit, Linux is able to enable, hotplug and use all four CPUs.
Signed-off-by: Samuel Holland <samuel@sholland.org>
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
sun50i_cpu_on will be used by the PSCI implementation to initialize
secondary cores for SMP. Unfortunately, sun50i_cpu_off is not usable by
PSCI directly, because it is not possible for a CPU to use this function
to power itself down. Power cannot be shut off until the outputs are
clamped, and MMIO does not work once the outputs are clamped.
But at least CPU0 can shutdown the other cores early in the BL31 boot
process and before shutting down the system.
Signed-off-by: Samuel Holland <samuel@sholland.org>
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
The Allwinner A64 SoC is quite popular on single board computers.
It comes with four Cortex-A53 cores in a singe cluster and the usual
peripherals for set-top box/tablet SoC.
The ATF platform target is called "sun50i_a64".
[Andre: adapted to amended directory layout, removed unneeded definitions ]
Signed-off-by: Samuel Holland <samuel@sholland.org>
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
This platform supports Allwinner's SoCs with ARMv8 cores. So far they
all sport a single cluster of Cortex-A53 cores.
"sunxi" is the original code name used for this platform, and since it
appears in the Linux kernel and in U-Boot as well, we use it here as a
short file name prefix and for identifiers.
This port includes BL31 support only. U-Boot's SPL takes the role of the
primary loader, also doing the DRAM initialization. It then loads the
rest of the firmware, namely ATF and U-Boot (BL33), then hands execution
over to ATF.
This commit includes the basic platform code shared across all SoCs.
There is no platform.mk yet.
[Andre: moved files into proper directories, supported RESET_TO_BL31,
various clean ups and simplifications ]
Signed-off-by: Samuel Holland <samuel@sholland.org>
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
Remove the redundant SGI functions which map memory
for BL1 and BL2.
Change-Id: I651a06d0eb6d28263a56f59701bb3815f1ba93dc
Signed-off-by: Chandni Cherukuri <chandni.cherukuri@arm.com>
Append a node to hw-config dtb which will include a property to hold
the value of the SSC_VERSION register. This will be used by the BL33
stage to determine the platform-id and the config-id of the platform
it is executing on.
Change-Id: Ie7b1e5d8c1bbe0efdb7ef0714f14b7794ec6058e
Signed-off-by: Amit Daniel Kachhap <amit.kachhap@arm.com>
Signed-off-by: Chandni Cherukuri <chandni.cherukuri@arm.com>
Remove the existing method of populating the platform id in arg2 of
BL33 which is no longer needed with dynamic configuration feature
enabled as the BL33 will get this information directly via the config
files. Add the tb_fw_config and hw_config dts files.
Change-Id: I3c93fec2aedf9ef1f774a5f0969d2d024e47ed2c
Signed-off-by: Chandni Cherukuri <chandni.cherukuri@arm.com>
RFC4122 defines that fields are stored in network order (big endian),
but TF-A stores them in machine order (little endian by default in TF-A).
We cannot change the future UUIDs that are already generated, but we can store
all the bytes using arrays and modify fiptool to generate the UUIDs with
the correct byte order.
Change-Id: I97be2d3168d91f4dee7ccfafc533ea55ff33e46f
Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
The stdint header was introduced to rk3399's plat_sip_calls.c in order
to fix missing stdint definitions. However, ordering headers
alphabetically caused the fix to be ineffective, as stint was then
included after the offending header file (dfs.h).
Move the stdint include to that header to properly fix the issue.
Change-Id: Ieaad37a7932786971488ab58fc5b169bfa79e197
Signed-off-by: Paul Kocialkowski <contact@paulk.fr>
The translation tables allocated for the Secure Partition do not need
to be treated as a special case. They can be put amongst the other
tables mapping BL31's general purpose memory. They will be mapped with
the same attributes as them, which is fine.
The explicit alignment constraint in BL31's linker script to pad the
last page of memory allocated to the Secure Partition's translation
tables is useless too, as page tables are per se pages, thus their
end address is naturally aligned on a page-boundary.
In fact, this patch does not change the existing behaviour. Since
patch 22282bb68a ("SPM: Move all SP-related info to SP context
struct"), the secure_partition.c file has been renamed into sp_xlat.c
but the linker script has not been properly updated. As a result, the
SP translation tables are not specifically put at the start of the
xlat_table linker section, the __SP_IMAGE_XLAT_TABLES_START__/_END__
symbols have the same value, the size of the resulting mmap_region
covering these xlat tables is 0 and so it is ignored.
Change-Id: I4cf0a4cc090298811cca53fc9cee74df0f2b1512
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
In LOAD_IMAGE_V1 (i.e when LOAD_IMAGE_V2=0) the bl2_tzram_layout is,
by default, assigned to the bl1_tzram_layout->free_base which is
dynamically calculated based on the images loaded in memory. There is a
chance that the bl2_tzram_layout will be assigned a value not aligned to
8 bytes. This patch rounds up the free_base value for the required
alignment.
This doesn't happen in LOAD_IMAGE_V2 because the bl2_tzram_layout is
assigned by default to the bl1_tzram_layout->total_base, which is
aligned.
Change-Id: Idc583e7dad993d02ac6791797406118c96f83fa1
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Follow convention of shorter names for smaller scope to fix
violations of MISRA rule 5.7
To prevent violation of directive 4.5 having variable name channel
in css_pm_scmi.c not being typographically ambiguous change macro
argument CHANNEL in css_mhu_doorbell.h change argument to _channel
to fit with our convention which is a permitted exception of
directive 4.5 for this project
Rule 5.7: A tag name shall be a unique identifier
Fixed for:
make LOG_LEVEL=50 PLAT=juno
Change-Id: I147cdb13553e83ed7df19149b282706db115d612
Signed-off-by: Daniel Boulby <daniel.boulby@arm.com>
Use a _ prefix for macro arguments to prevent that argument from
hiding variables of the same name in the outer scope
Rule 5.3: An identifier declared in an inner scope shall not
hide an identifier declared in an outer scope
Fixed For:
make LOG_LEVEL=50 PLAT=juno
Change-Id: I575fbc96e8267f2b075e88def1f6e3185394613a
Signed-off-by: Daniel Boulby <daniel.boulby@arm.com>
The slave ports of LD20 CCI-500 are connected as follows:
S0: CA53
S1: CA72
Be careful because the slave interface is not arranged in the
cluster number order (CA72: cluster 0, CA53: cluster 1).
Root-caused-by: Tetsuya Yoshizaki <yoshizaki.tetsuya@socionext.com>
Signed-off-by: Satoshi Ikawa <ikawa.satoshi@socionext.com>
The upcoming patch that adds dynamic mitigation for Cortex-A76
requires that DYNAMIC_WORKAROUND_CVE_2018_3639=1. On FVP, we pull in
all the CPU files into the build which means there will be a build
failure if DYNAMIC_WORKAROUND_CVE_2018_3639=0.
Change-Id: I2e781cbeafbf5d16eaabf76a1677e0c9f81269d2
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>
Both Cortex-Ares and Cortex-A76 CPUs use the ARM DynamIQ Shared Unit
(DSU). The power-down and power-up sequences are therefore mostly
managed in hardware, and required software operations are simple.
Change-Id: I3a9447b5bdbdbc5ed845b20f6564d086516fa161
Signed-off-by: Isla Mitchell <isla.mitchell@arm.com>
This patch bumps up the BL1-RW size for Juno and at the same time reduces
the BL2 size when TBB is enabled, TF_MBEDTLS_KEY_ALG=rsa+ecdsa. The BL2
size for this config is reduced as it was observed that the peak memory
usage is only reached when SPD=opteed and the dual rsa+ecdsa support is
not needed for this case.
Change-Id: Ia9009771b5cfd805e9cc75410aabb7db99fc2fbc
Signed-off-by: Soby Mathew <soby.mathew@arm.com>
The patch changes the layout of BL images in memory to enable
more efficient use of available space. Previously BL31 was loaded
with the expectation that BL2 memory would be reclaimed by BL32
loaded in SRAM. But with increasing memory requirements in the
firmware, we can no longer fit BL32 in SRAM anymore which means the
BL2 memory is not reclaimed by any runtime image. Positioning BL2
below BL1-RW and above BL31 means that the BL31 NOBITS can be
overlaid on BL2 and BL1-RW.
This patch also propogates the same memory layout to BL32 for AArch32
mode. The reset addresses for the following configurations are also
changed :
* When RESET_TO_SP_MIN=1 for BL32 in AArch32 mode
* When BL2_AT_EL3=1 for BL2
The restriction on BL31 to be only in DRAM when SPM is enabled
is now removed with this change. The update to the firmware design
guide for the BL memory layout is done in the following patch.
Change-Id: Icca438e257abe3e4f5a8215f945b9c3f9fbf29c9
Signed-off-by: Soby Mathew <soby.mathew@arm.com>
The weak pragma was assigned twice to the bl2_plat_handle_post_image_load
definition both in plat/common/ and in plat/arm/common/ this was an error as
it should have only have been defined in plat/common
Change-Id: Id85e14c699cb09ed998d1677f2a172e760911918
Signed-off-by: Daniel Boulby <daniel.boulby@arm.com>
BL31 is running out of space, and the use-case of SPM doesn't require it
to be in SRAM. To prevent BL31 from running out of space in the future,
move BL31 to DRAM if SPM is enabled.
Secure Partition Manager design document updated to reflect the changes.
Increased the size of the stack of BL31 for builds with SPM.
The translation tables used by SPM in Arm platforms have been moved back
to the 'xlat_tables' region instead of 'arm_el3_tzc_dram'. Everything is
in DRAM now, so it doesn't make sense to treat them in a different way.
Change-Id: Ia6136c8e108b8da9edd90e9d72763dada5e5e5dc
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
This patch adds soc_fw_config, tos_fw_config and nt_fw_config to the FVP.
The config files are placeholders and do not have any useful bindings
defined. The tos_fw_config is packaged in FIP and loaded by BL2 only
if SPD=tspd. The load address of these configs are specified in tb_fw_config
via new bindings defined for these configs. Currently, in FVP, the
soc_fw_config and tos_fw_config is loaded in the page between BL2_BASE
and ARM_SHARED_RAM. This memory was typically used for BL32 when
ARM_TSP_RAM_LOCATION=tsram but since we cannot fit BL32 in that
space anymore, it should be safe to use this memory for these configs.
There is also a runtime check in arm_bl2_dyn_cfg_init() which ensures
that this overlap doesn't happen.
The previous arm_dyn_get_hwconfig_info() is modified to accept configs
other than hw_config and hence renamed to arm_dyn_get_config_load_info().
The patch also corrects the definition of ARM_TB_FW_CONFIG_LIMIT to be
BL2_BASE.
Change-Id: I03a137d9fa1f92c862c254be808b8330cfd17a5a
Signed-off-by: Soby Mathew <soby.mathew@arm.com>
This patch adds capability to FVP to disable authentication dynamically
via the `disable_auth` property in TB_FW_CONFIG. Both BL1 and BL2 parses
the TB_FW_CONFIG for the `disable_auth` property and invokes the
`load_dyn_disable_auth()` API to disable authentication if the
property is set to 1. The DYN_DISABLE_AUTH is enabled by default for
FVP as it is a development platform. Note that the TB_FW_CONFIG has to
be authenticated by BL1 irrespective of these settings.
The arm_bl2_dyn_cfg_init() is now earlier in bl2_plat_preload_setup()
rather than in bl2_platform_setup() as we need to get the value of
`disable_auth` property prior to authentication of any image by BL2.
Change-Id: I734acd59572849793e5020ec44c6ac51f654a4d1
Signed-off-by: Soby Mathew <soby.mathew@arm.com>
The vcu disable bit in efuse ipdisable register is valid
only if PL powered up so, consider PL powerup status for
determing EG/EV part. If PL is not powered up, display
EG/EV as a part of string. The PL powerup status will
be filled by pmufw based on PL PROGB status in the
9th bit of version field.This patch also used IPI
to get this info from pmufw instead of directly accessing
the registers. Accessing this info from pmufw using
IPI fixes the issue of PMUFW access denied error for
reading IPDISABLE register.
Signed-off-by: Siva Durga Prasad Paladugu <sivadur@xilinx.com>
This patch adds new API for processing secure images. This API
is used for authentication and decryption of secure images using
xilsecure in pmufw.
Signed-off-by: Siva Durga Prasad Paladugu <siva.durga.paladugu@xilinx.com>
Existing code blocks each IPI send request in ipi_mb_notify()
function till pmu clears respective bit in ipi observation
register.
After sending PM_SYSTEM_SHUTDOWN request to PMU, PMU will
restart APU. While PMU is restarting APU, ATF is running out
of OCM, which can cause read/write hang from/to OCM.
There is no need to wait for notification from PMU in case
of SystemShutdown request in ATF, as APU is going to restart.
This patch fixes APU only restart issue.
Signed-off-by: Tejas Patel <tejasp@xilinx.com>
Acked-by: Wendy Liang <wendy.liang@xilinx.com>
This patch makes bitstream load blocking call and waits until
bitstream is loaded successfully or return with error.
Signed-off-by: Siva Durga Prasad Paladugu <sivadur@xilinx.com>
Tested-by: Avesh Khan <aveshk@xilinx.com>
GET_CALLBACK_DATA function is not required now. IPI mailbox
can be used instead of GET_CALLBACK_DATA function.
Signed-off-by: Siva Durga Prasad Paladugu <siva.durga.paladugu@xilinx.com>
PMU IPI-1 is used for callbacks from PMU to master. Unsecure
master can also receive callbacks from PMU, so make PMU IPI-1
as non-secure.
All requests from master(s) to PMU would still go on PMU IPI-1
secure channel.
Signed-off-by: Rajan Vaja <rajanv@xilinx.com>
Remove includes of gic_common.h and string.h which
are not required.
Signed-off-by: Rajan Vaja <rajanv@xilinx.com>
Acked-by: Jolly Shah <jollys@xilinx.com>
Xilinx now requires the PMU FW when using ATF, so it doesn't make sense
to maintain checks for the PMU FW in ATF. This also means that cases
where ATF came up before the PMU FW (such as on QEMU) ATF will now hang
waiting for the PMU FW instead of aborting.
Signed-off-by: Siva Durga Prasad Paladugu <siva.durga.paladugu@xilinx.com>
Signed-off-by: Alistair Francis <alistair.francis@xilinx.com>
Acked-by: Michal Simek <michal.simek@xilinx.com>
Use positive logic (pm_up instead of pm_down) to check whether PMU
services are available. This change also puts the variable into the
BSS section rather than the Data section as the variable is now
initialized to 0 rather than 1.
Signed-off-by: Will Wong <WILLW@xilinx.com>
Signed-off-by: Stefan Krsmanovic <stefan.krsmanovic@aggios.com>
Signed-off-by: Siva Durga Prasad Paladugu <siva.durga.paladugu@xilinx.com>
If we can't find the FSBL handoff struct don't panic and just use the
defaults instead.
We still print a warning to the user to let them know what we couldn't
find it.
Signed-off-by: Alistair Francis <alistair.francis@xilinx.com>
Acked-by: Michal Simek <michal.simek@xilinx.com>
Reviewed-by: Siva Durga Prasad Paladugu <sivadur@xilinx.com>
Instead of calling panic() in fsbl_atf_handover() return the error
status so that bl31_early_platform_setup() can act accordingly.
Signed-off-by: Alistair Francis <alistair.francis@xilinx.com>
Signed-off-by: Siva Durga Prasad Paladugu <siva.durga.paladugu@xilinx.com>
Type "entry_point_info_t" is used in zynqmp_private.h. It is defined
in "bl_common.h". The header file which defines the type should be
included.
Signed-off-by: Wendy Liang <jliang@xilinx.com>
Added SHA to calculate SHA3 hash,RSA to encrypt data with
public key and decrypt with private key and AES to do symmetric
encryption with User key or device key.
Signed-off-by: Siva Durga Prasad Paladugu <siva.durga.paladugu@xilinx.com>
Read ipdisable reg which needs to be used for cg/eg/ev device detection.
ATF runs in EL3 that's why this read can be done directly.
Signed-off-by: Michal Simek <michal.simek@xilinx.com>
Signed-off-by: Siva Durga Prasad Paladugu <siva.durga.paladugu@xilinx.com>
This patch corrects the SVD mask for getting chip ID
using 0xe is wrong and 0x7 is correct.
Signed-off-by: Siva Durga Prasad Paladugu <sivadur@xilinx.com>
psci system_reset and system_off calls now retrieve shutdown scope on
the fly. The default scope is system, but it can be changed by calling
pm_system_shutdown(2, scope)
Until full support for different restart scopes becomes available with
PSCI 1.1 this change allows users to set the reboot scope to match
their application needs.
Possible scope values:
0 - APU subsystem: does not affect RPU, PMU or PL
1 - PS only: shutdown/restart entire PS without affecting PL
2 - System: shutdown/restart applies to entire system
Signed-off-by: Siva Durga Prasad Paladugu <sivadur@xilinx.com>
Signed-off-by: Davorin Mista <davorin.mista@aggios.com>
The PM_INIT_FINALIZE PM API is required to inform the PFW that APU is
done with requesting nodes and that not-requested nodes can be powered
down. If PM is not enabled, this call will never be made and PFW will
never power down any of the nodes which APU can use.
Signed-off-by: Filip Drazic <filip.drazic@aggios.com>
This patch adds pm_secure_rsaaes() API to provide access to
the xilsecure library for loading secure images
Signed-off-by: Siva Durga Prasad Paladugu <siva.durga.paladugu@xilinx.com>
Read boot mode register using pm_mmio_read if pmu is
present otherwise access it directly using mmio_read_32().
Signed-off-by: Siva Durga Prasad Paladugu <sivadur@xilinx.com>
Acked-by: Michal Simek <michal.simek@xilinx.com>
The pm_req_wakeup PM API accepts start address (64-bit unsiged integer)
and a flag stating if address should be used. To save an argument
of the SMC call, flag is encoded in the LSB of the address, since
addresses are word aligned.
Decode start address and use-address flag in the PM SMC handler and
pass them to pm_req_wakeup.
Signed-off-by: Filip Drazic <filip.drazic@aggios.com>
Acked-by: Will Wong <willw@xilinx.com>
Call to pm_client_wakeup from pm_req_wakeup prevented the PM API
call to be used to wake up non-APU processor (e.g. from higher ELs),
since it clears power down request for specified APU processor.
Move this function out of pm_client_wakeup to allow passing wake up
requests to the PMU for other processor in the system.
Signed-off-by: Filip Drazic <filip.drazic@aggios.com>
Acked-by: Will Wong <willw@xilinx.com>
NODE_EXTERN is the slave node which represents an external wake
source.
Signed-off-by: Mirela Simonovic <mirela.simonovic@aggios.com>
Acked-by: Will Wong <willw@xilinx.com>
Beside standard suspend-to-RAM state, Zynq MPSoC supports
suspend-to-RAM state with additional power savings, called
power-off suspend-to-RAM. If this mode is set, only NODE_EXTERN
must be set as wake source. Standard suspend-to-RAM procedure
is unchanged.
This patch adds support for setting suspend mode from higher
ELs and ensuring that all conditions for power-off suspend mode
are set.
Signed-off-by: Siva Durga Prasad Paladugu <siva.durga.paladugu@xilinx.com>
Signed-off-by: Filip Drazic <filip.drazic@aggios.com>
pm_get_node_status API function returns 3 values:
-status: Current power state of the node
-requirements: Current requirements for the node
-usage: Current usage of the node
The last two values only apply to slave nodes.
Signed-off-by: Anes Hadziahmetagic <anes.hadziahmetagic@aggios.com>
Signed-off-by: Filip Drazic <filip.drazic@aggios.com>
Acked-by: Will Wong <willw@xilinx.com>
The MT bit in MPIDR is always set for SGI platforms and so the
core position calculation code is updated to take into account
the thread affinity value as well.
Change-Id: I7b2a52707f607dc3859c6bbcd2b145b7987cb4ed
Signed-off-by: Chandni Cherukuri <chandni.cherukuri@arm.com>
Signed-off-by: Vishwanatha HG <vishwanatha.hg@arm.com>
Instead of instantiating a local copy of GICv3 driver data for SGI
platforms, reuse the existing instance of GICv3 driver data available
in the arm common platform code.
Change-Id: If6f38e15d1f0e20cea96fff98091da300015d295
Signed-off-by: Chandni Cherukuri <chandni.cherukuri@arm.com>
Signed-off-by: Vishwanatha HG <vishwanatha.hg@arm.com>
This reverts commit 2f18aa1fa3.
It is causing some tests to fail. Until the cause is found and fixed, it
is needed to remove this commit from master.
Change-Id: Ic5ff7a841903a15613e00379e87cbbd8a0e85152
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
To catch early hangs in resume, this sets up the watchdog before
anything else in the pmusram code (ignoring setting up the stack...).
This uses hard coded settings for the watchdog until the proper
watchdog restore later on in the firmware/kernel.
This also restores the old watchdog register values before the PLLs
are restored to make sure we don't temporarily switch over to a 1/3s
timeout on the watchdog when the pclk_wdt goes from 4MHz to 100MHz.
Change-Id: I8f7652089a88783271b17482117b4609330abe80
Signed-off-by: Derek Basehore <dbasehore@chromium.org>
All the m0 code run in SRAM before, but we need to watch PMU_POWER_ST
when SOC enter into FSM, and SRAM will shutdown during this time, so
this code need run in PMUSRAM. But PMUSRAM only 8K space, we can not
put all the m0 binary into PMUSRAM, Split the M0 binary into two, dram
part still run in SRAM, and suspend part run in PMUSRAM.
Change-Id: Ie08bdf3e2b8838f12b9297fe60ab0aad219684b1
Signed-off-by: Lin Huang <hl@rock-chips.com>
we need to enable PMU_WKUP_RST_EN for pmu powermode configure, since
enable wakeup reset will hold the soc status, so the SOC will not affect
by some power or other single glitch when resume, and keep the soc in the
right status. And it not need to enable DDRIO_RET_HW_DE_REQ, the ddr resume
will do it manual.
Change-Id: Ib4af897ffb3cb63dc2aa9a6002e5d9ef86ee4a49
Signed-off-by: Lin Huang <hl@rock-chips.com>
SGI-575's NSRAM is neither in the same place nor the same size as Juno's.
Change-Id: Id6d692e9c7e9c1360014bb525eda966ebe29c823
Signed-off-by: Chris Kay <chris.kay@arm.com>
Normally, BL33 needs to contain a boot loader like U-Boot or UEFI that
eventually gives control to the OS. However, in some cases, this boot
sequence may be too slow. For example, when doing tests in a
cycle-accurate emulator, the user may only be interested in the
interaction between the Trusted Firmware and the OS, not in the boot
process itself.
The new option ARM_LINUX_KERNEL_AS_BL33 allows BL33 to contain the Linux
kernel image by changing the value of registers x0-x3 to the values
expected by the kernel. This option requires the device tree blob (DTB)
to be present in memory. Its address must be specified in the newly
introduced ARM_PRELOADED_DTB_BASE build option. For now, it only supports
AArch64 kernels.
This option is only available when RESET_TO_BL31=1. For this reason
the BL33 binary must be preloaded in memory and PRELOADED_BL33_BASE must
be used.
For example, if the kernel is loaded at 0x80080000 and the DTB is loaded
at address 0x82000000, the firmware could be built like this:
CROSS_COMPILE=aarch64-linux-gnu- \
make PLAT=fvp DEBUG=1 \
RESET_TO_BL31=1 \
ARM_LINUX_KERNEL_AS_BL33=1 \
PRELOADED_BL33_BASE=0x80080000 \
ARM_PRELOADED_DTB_BASE=0x82000000 \
all fip
Change-Id: If9dc847c65ae2d0c27b51f0fd44fc06b28497db9
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
The old API is deprecated and will eventually be removed.
Arm platforms now use the multi console driver for boot and runtime
consoles. However, the crash console uses the direct console API because
it doesn't need any memory access to work. This makes it more robust
during crashes.
The AArch32 port of the Trusted Firmware doesn't support this new API
yet, so it is only enabled in AArch64 builds. Because of this, the
common code must maintain compatibility with both systems. SP_MIN
doesn't have to be updated because it's only used in AArch32 builds.
The TSP is only used in AArch64, so it only needs to support the new
API without keeping support for the old one.
Special care must be taken because of PSCI_SYSTEM_SUSPEND. In Juno, this
causes the UARTs to reset (except for the one used by the TSP). This
means that they must be unregistered when suspending and re-registered
when resuming. This wasn't a problem with the old driver because it just
restarted the UART, and there were no problems associated with
registering and unregistering consoles.
The size of BL31 has been increased in builds with SPM.
Change-Id: Icefd117dd1eb9c498921181a21318c2d2435c441
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
- Assign 0x10 for RAS exceptions on ARM platforms, and install
EHF priority descriptor.
- Call the common RAS initialisation from ARM BL31 setup.
- Add empty definitions for platform error records and RAS interrupts.
Change-Id: I0675f299b7840be4c83a9c7a81073a95c605dc90
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
Previous patches added frameworks for handling RAS errors. This patch
introduces features that the platform can use to enumerate and iterate
RAS nodes:
- The REGISTER_RAS_NODES() can be used to expose an array of
ras_node_info_t structures. Each ras_node_info_t describes a RAS
node, along with handlers for probing the node for error, and if
did record an error, another handler to handle it.
- The macro for_each_ras_node() can be used to iterate over the
registered RAS nodes, probe for, and handle any errors.
The common platform EA handler has been amended using error handling
primitives introduced by both this and previous patches.
Change-Id: I2e13f65a88357bc48cd97d608db6c541fad73853
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
At present, any External Abort routed to EL3 is reported as an unhandled
exception and cause a panic. This patch enables ARM Trusted Firmware to
handle External Aborts routed to EL3.
With this patch, when an External Abort is received at EL3, its handling
is delegated to plat_ea_handler() function. Platforms can provide their
own implementation of this function. This patch adds a weak definition
of the said function that prints out a message and just panics.
In order to support handling External Aborts at EL3, the build option
HANDLE_EA_EL3_FIRST must be set to 1.
Before this patch, HANDLE_EA_EL3_FIRST wasn't passed down to
compilation; this patch fixes that too.
Change-Id: I4d07b7e65eb191ff72d63b909ae9512478cd01a1
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
Previously mem_protect used to be only supported from BL2. This is not
helpful in the case when ARM TF-A BL2 is not used. This patch demonstrates
mem_protect from el3_runtime firmware on ARM Platforms specifically
when RESET_TO_BL31 or RESET_TO_SP_MIN flag is set as BL2 may be absent
in these cases. The Non secure DRAM is dynamically mapped into EL3 mmap
tables temporarily and then the protected regions are then cleared. This
avoids the need to map the non secure DRAM permanently to BL31/sp_min.
The stack size is also increased, because DYNAMIC_XLAT_TABLES require
a bigger stack.
Change-Id: Ia44c594192ed5c5adc596c0cff2c7cc18c001fde
Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
Since commit 031dbb1224 ("AArch32: Add essential Arch helpers"),
it is difficult to use consistent format strings for printf() family
between aarch32 and aarch64.
For example, uint64_t is defined as 'unsigned long long' for aarch32
and as 'unsigned long' for aarch64. Likewise, uintptr_t is defined
as 'unsigned int' for aarch32, and as 'unsigned long' for aarch64.
A problem typically arises when you use printf() in common code.
One solution could be, to cast the arguments to a type long enough
for both architectures. For example, if 'val' is uint64_t type,
like this:
printf("val = %llx\n", (unsigned long long)val);
Or, somebody may suggest to use a macro provided by <inttypes.h>,
like this:
printf("val = %" PRIx64 "\n", val);
But, both would make the code ugly.
The solution adopted in Linux kernel is to use the same typedefs for
all architectures. The fixed integer types in the kernel-space have
been unified into int-ll64, like follows:
typedef signed char int8_t;
typedef unsigned char uint8_t;
typedef signed short int16_t;
typedef unsigned short uint16_t;
typedef signed int int32_t;
typedef unsigned int uint32_t;
typedef signed long long int64_t;
typedef unsigned long long uint64_t;
[ Linux commit: 0c79a8e29b5fcbcbfd611daf9d500cfad8370fcf ]
This gets along with the codebase shared between 32 bit and 64 bit,
with the data model called ILP32, LP64, respectively.
The width for primitive types is defined as follows:
ILP32 LP64
int 32 32
long 32 64
long long 64 64
pointer 32 64
'long long' is 64 bit for both, so it is used for defining uint64_t.
'long' has the same width as pointer, so for uintptr_t.
We still need an ifdef conditional for (s)size_t.
All 64 bit architectures use "unsigned long" size_t, and most 32 bit
architectures use "unsigned int" size_t. H8/300, S/390 are known as
exceptions; they use "unsigned long" size_t despite their architecture
is 32 bit.
One idea for simplification might be to define size_t as 'unsigned long'
across architectures, then forbid the use of "%z" string format.
However, this would cause a distortion between size_t and sizeof()
operator. We have unknowledge about the native type of sizeof(), so
we need a guess of it anyway. I want the following formula to always
return 1:
__builtin_types_compatible_p(size_t, typeof(sizeof(int)))
Fortunately, ARM is probably a majority case. As far as I know, all
32 bit ARM compilers use "unsigned int" size_t.
Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
Commit 4c0d039076 ("Rework type usage in Trusted Firmware") changed
the type usage in struct declarations, but did not touch the definition
side. Fix the type mismatch.
Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
SGI-575 platform is based on Cortex-A75 processor which has its MT bit
in the MPIDR register set to '1'. So the Arm platform layer code has
to be made aware of this.
Signed-off-by: Sudipto Paul <sudipto.paul@arm.com>
Currently the SCMI driver supports MHUv1, but Arm platforms may have
varied versions of MHU driver, with MHUv2 controllers being in the
latest Arm platforms.
This patch updates the SCMI driver to support MHUv2, specifically that
the sender must send the wake-up to the receiver before initiating any
data transfer.
Also, the existing mhu driver files, css_mhu.c and css_mhu.h, have been
moved from the scpi directory to a new directory, css/drivers/mhu.
Change-Id: I9b46b492a3e1d9e26db12d83a9773958a8c8402f
Signed-off-by: Samarth Parikh <samarth.parikh@arm.com>
Rule 8.4: A compatible declaration shall be visible when
an object or function with external linkage is defined
Fixed for:
make DEBUG=1 PLAT=fvp SPD=tspd TRUSTED_BOARD_BOOT=1 \
GENERATE_COT=1 ARM_ROTPK_LOCATION=devel_rsa \
ROT_KEY=arm_rotprivk_rsa.pem MBEDTLS_DIR=mbedtls all
Change-Id: Ie4cd6011b3e4fdcdd94ccb97a7e941f3b5b7aeb8
Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
Rule 8.4: A compatible declaration shall be visible when
an object or function with external linkage is defined
Fixed for:
make DEBUG=1 PLAT=fvp SPD=tspd all
Change-Id: I0a16cf68fef29cf00ec0a52e47786f61d02ca4ae
Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
Rule 8.3: All declarations of an object or function shall
use the same names and type qualifiers.
Fixed for:
make DEBUG=1 PLAT=juno LOG_LEVEL=50 all
Change-Id: I0e4a03a0d2170cb1c632e079112a972091994a39
Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
Rule 8.4: A compatible declaration shall be visible when
an object or function with external linkage is defined
Fixed for:
make DEBUG=1 PLAT=fvp LOG_LEVEL=50 all
Change-Id: I32b223251b8bf5924149d89431a65d3405a73d3e
Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
Fix that DDR can't work at 533MHz. Now step to set DDR frequency
from 150MHz to 800MHz. DDR could work among these frequency, 150MHz,
266MHz, 400MHz, 533MHz and 800MHz.
Signed-off-by: Haojian Zhuang <haojian.zhuang@linaro.org>
Add TZMP1 support on Juno and increase the BL2 size accordingly due to the
extra data structures to describe the TZC regions and the additional code.
Signed-off-by: Summer Qin <summer.qin@arm.com>
This patch allows the ARM Platforms to specify the TZC regions to be
specified to the ARM TZC helpers in arm_tzc400.c and arm_tzc_dmc500.c.
If the regions are not specified then the default TZC region will be
configured by these helpers.
This override mechanism allows specifying special regions for TZMP1
usecase.
Signed-off-by: Summer Qin <summer.qin@arm.com>
This patch introduce TF-A support for NXP's ls1043a platform.
more details information of ls1043a chip and ls1043ardb board
can be found at docs/plat/ls1043a.rst.
Boot sequence on ls1043a is: bootrom loads bl1 firstly, then bl1
loads bl2, bl2 will load bl31, bl32 and bl33, bl31 will boot
bl32(tee os) and bl33(u-boot or uefi), bl33 boot Linux kernel.
Now TF-A on ls1043ardb platform has the following features in this patch:
* Support boot from Nor flash.
* TF-A can boot bl33 which runs in el2 of non-secure world.
* TF-A boot OPTee OS.
* Support PSCI
Signed-off-by: Jiafei Pan <Jiafei.Pan@nxp.com>
Signed-off-by: Chenyin.Ha <Chenyin.Ha@nxp.com>
Signed-off-by: Chenhui Zhao <chenhui.zhao@nxp.com>
Signed-off-by: jiaheng.fan <jiaheng.fan@nxp.com>
Signed-off-by: Wen He <wen.he_1@nxp.com>
Building TBBR(SPD=opteed) and non-TBBR TF-A images is breaking for
Juno for different configurations listed below:
* Overflow error of 4096 bytes for rsa algorithm.
* Overflow error of 8192 bytes for ecdsa algorithm.
* Overflow error of 4096 bytes for rsa+ecdsa algorithm.
* Overflow error of 4096 bytes for non-TBBR case.
So this patch increments macro PLAT_ARM_MAX_BL2_SIZE for all the above
cases accordingly.
Change-Id: I75ec6c0a718181d34553fe55437f0496f467683f
Signed-off-by: Amit Daniel Kachhap <amit.kachhap@arm.com>
This fixes an off by 576x bug the the sram_udelay code. The wrong
value was multipled by the system ticks per mhz value (which is 24),
so we delayed for 1/576th of the requested time.
Signed-off-by: Derek Basehore <dbasehore@chromium.org>
The current AArch32 version of plat_arm_calc_core_pos uses an incorrect
algorithm to calculate the linear position of a core / PE from its
MPIDR.
This patch corrects the algorithm to:
(ClusterId * FVP_MAX_CPUS_PER_CLUSTER) * FVP_MAX_PE_PER_CPU
+ (CPUId * FVP_MAX_PE_PER_CPU)
+ ThreadId
which supports cores where there are more than 1 PE per CPU.
NOTE: the AArch64 version was fixed in 39b21d1
Change-Id: I72aea89d8f72f8b1fef54e2177a0fa6fef0f5513
Signed-off-by: David Cunado <david.cunado@arm.com>
Use the console_pl011_core_* functions directly in the crash console
callbacks.
This bypasses the MULTI_CONSOLE_API for the crash console (UART1), but
allows using the crash console before the C runtime has been initialized
(eg to call ASM_ASSERT). This retains backwards compatibility with respect
to functionality when the old API is used.
Use the MULTI_CONSOLE_API to register UART0 as the boot and runtime
console.
FixesARM-software/tf-issues#572
Signed-off-by: Michalis Pappas <mpappas@fastmail.fm>
Add support for System Guidance for Infrastructure platform SGI575.
Change-Id: I0125c2ed4469fbc8367dafcc8adce770b6b3147d
Signed-off-by: Nariman Poushin <nariman.poushin@linaro.org>
If system is still accessing storage device, reboot operation
may cause data broken. So add the flush and delay operation
before system reset.
Signed-off-by: Haojian Zhuang <haojian.zhuang@linaro.org>
Void pointers have been used to access linker symbols, by declaring an
extern pointer, then taking the address of it. This limits symbols
values to aligned pointer values. To remove this restriction an
IMPORT_SYM macro has been introduced, which declares it as a char
pointer and casts it to the required type.
Change-Id: I89877fc3b13ed311817bb8ba79d4872b89bfd3b0
Signed-off-by: Joel Hutton <Joel.Hutton@Arm.com>
Switch to the new console APIs enabled by setting MULTI_CONSOLE_API=1.
The crash console doesn't use this API, it uses internally the core
functions of the 16550 console.
`bl31_plat_runtime_setup` is no longer needed. When this platform port
was introduced, that function used to disable the console. It was needed
to override that behaviour. The new behaviour is to switch to the
runtime console. The console is registered for all scopes (boot, crash
and runtime) in `rpi3_console_init` so it is not needed to override the
default behaviour anymore.
Update documentation.
Change-Id: If2ee8f91044216183b7ef142e5c05ad6220ae92f
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Removes fall-through in switch statement on unknown interrupt type in
release builds.
Previous behaviour was to assert(0) on default case in debug builds but
fall through and interpret the unknown interrupt type as
INTR_TYPE_EL3 in release builds.
Change-Id: I05fb0299608efda0f9eda2288d3e56e5625e05c9
Signed-off-by: Jonathan Wright <jonathan.wright@arm.com>
Add crash_console_init declaration to console.h
Only enable MULTI_CONSOLE_API for AArch64
FixesARM-software/tf-issues#571
Signed-off-by: Michalis Pappas <mpappas@fastmail.fm>
Add support for the new MULTI_CONSOLE_API
Crash information is now displayed in both the runtime and crash consoles,
if a crash occurs after the runtime console has been enabled
Enable MULTI_CONSOLE_API by default on qemu builds
FixesARM-software/tf-issues#561
Signed-off-by: Michalis Pappas <mpappas@fastmail.fm>
When the source code says 'SMCC' it is talking about the SMC Calling
Convention. The correct acronym is SMCCC. This affects a few definitions
and file names.
Some files have been renamed (smcc.h, smcc_helpers.h and smcc_macros.S)
but the old files have been kept for compatibility, they include the
new ones with an ERROR_DEPRECATED guard.
Change-Id: I78f94052a502436fdd97ca32c0fe86bd58173f2f
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Allow qemu users to enable stack protection. Since the virt platform
does not provide an RNG, use a basic, timer-based, canary generation,
similarly to FVP.
Increase SRAM size and BL2 size to fit images when stack protection is
enabled.
Notice that stack protection is not enabled by default in qemu.
FixesARM-software/tf-issues#568
Signed-off-by: Michalis Pappas <mpappas@fastmail.fm>
there are two fix for save/restore watchdog register:
1. watchdog plck will shutdown after secure_watchdog_disable(), so need
to save register before it and restore after secure_watchdog_enable().
2. need write 0x76 to cnt_restart to keep watchdog alive when restore
watchdog register.
Change-Id: I1f6fbceae22186e3b72a87df6332a110adf37479
Signed-off-by: Lin Huang <hl@rock-chips.com>
x3 will be assigned by the folloing instructions.
So the first instruction is not needed any more.
old method:
(ClusterId * FVP_MAX_CPUS_PER_CLUSTER)
+ (CPUId * FVP_MAX_PE_PER_CPU)
+ ThreadId
it should be
(ClusterId * FVP_MAX_CPUS_PER_CLUSTER) * FVP_MAX_PE_PER_CPU
+ (CPUId * FVP_MAX_PE_PER_CPU)
+ ThreadId
which can be simplified as:
(ClusterId * FVP_MAX_CPUS_PER_CLUSTER + CPUId) * FVP_MAX_PE_PER_CPU + ThreadId
Signed-off-by: Wang Feng <feng_feng.wang@spreadtrum.com>
Existing database allows to set only single mode for SDIO.
SDIO can have different groups (8 bit, 4 bit and 1 bit).
As there is only single SDIO group in each pin, it is not
possible to use different mode groups for SDIO.
Extend database in generic way to allow multiuple function
groups in single pin. Add different SDIO groups to pins and
create separate functions for each modes.
Signed-off-by: Rajan Vaja <rajanv@xilinx.com>
Define default DDR location to which ATF has to compiled
if DEBUG option is enabled. This is required now, as the ATF cant fit
in OCM with DEBUG option enabled. The default value is 0x1000 and can be
used till 0x7ffff. User can still override as per wish/requirement
using current commandline options.
Signed-off-by: Jolly Shah <jollys@xilinx.com>
Add pin control APIs which driver can use to query
pin information from firmware. Using these APIs,
driver do not need to maintain hard-coded pin database.
Major changes in patch are:
- Add pin database with pins, functions and function groups
information
- Implement APIs for pin information queries
- Update pin control APIs for get/set functions to use new
pin control database. Remove pin database which was added
earlier.
Signed-off-by: Rajan Vaja <rajanv@xilinx.com>
Signed-off-by: Jolly Shah <jollys@xilinx.com>
Add IOCTLs to read/write global general storage and
persistent global general storage registers access.
Signed-off-by: Rajan Vaja <rajanv@xilinx.com>
Signed-off-by: Jolly Shah <jollys@xilinx.com>
- Add clock entries and information to clock database.
- Implement APIs to provide clock topology and other
information to caller.
- Implement APIs to control clocks and PLLs.
Signed-off-by: Rajan Vaja <rajanv@xilinx.com>
Signed-off-by: Jolly Shah <jollys@xilinx.com>
These are empty functions with no logic right now. Code
will be added in subsequent commits.
Signed-off-by: Rajan Vaja <rajanv@xilinx.com>
Signed-off-by: Jolly Shah <jollys@xilinx.com>
Implement ioctl APIs which uses MMIO operations
to configure devices. Below IOCTLs are supported
in this patch:
* Set tap delay bypass
* Set SGMII mode
* SD reset
* Set SD/MMC tap delay
Signed-off-by: Rajan Vaja <rajanv@xilinx.com>
Signed-off-by: Jolly Shah <jollys@xilinx.com>
Implement ioctl APIs which uses MMIO operations
to control RPU operations. Below IOCTLs are supported
in this patch:
* Get RPU operation mode
* Set RPU operation mode
* Configure RPU boot address (OCM/TCM)
* Configure TCM combined mode
Signed-off-by: Rajan Vaja <rajanv@xilinx.com>
Signed-off-by: Jolly Shah <jollys@xilinx.com>
Implement pin control APIs which uses MMIO operations
to set/get values of configuration parameters.
Signed-off-by: Rajan Vaja <rajanv@xilinx.com>
Signed-off-by: Jolly Shah <jollys@xilinx.com>
Implement pin control APIs which uses MMIO operations
to set/get functions for the given pin.
Signed-off-by: Rajan Vaja <rajanv@xilinx.com>
Signed-off-by: Jolly Shah <jollys@xilinx.com>
Add wrappers for pin control APIs. Actual implementation of
these APIs would be done in subsequent changes.
Signed-off-by: Rajan Vaja <rajanv@xilinx.com>
Signed-off-by: Jolly Shah <jollys@xilinx.com>
Add new function and node IDs supported by PMUFW in
function list and node list respectively.
Signed-off-by: Rajan Vaja <rajanv@xilinx.com>
Signed-off-by: Jolly Shah <jollys@xilinx.com>
The FVP platform port for SP_MIN (BL32) didn't map the flash memory
in BL32 for stroring the mem_protect enable state information leading
to synchronous exception. The patch fixes it by adding the region to
the BL32 mmap tables.
Change-Id: I37eec83c3e1ea43d1b5504d3683eebc32a57eadf
Signed-off-by: Joel Hutton <Joel.Hutton@Arm.com>
Boot memory layout is specific for a platform, but should not be
mixed up with other platform specific attributes. A separate file is
much cleaner and better to compare with other platforms. Take a look
at plat/poplar where it is done the same way.
Moved hikey_def.h to system include folder and moved includes from
hikey_def.h to more general platform_def.h.
Signed-off-by: Michael Brandl <git@fineon.pw>
Previously, Juno used to depend on the SSC_GPRETN register to inform
about the reset syndrome. This method was removed when SCP migrated
to the SDS framework. But even the SDS framework doesn't report the
reset syndrome correctly and hence Juno failed to enter Firmware
update mode if BL2 authentication failed.
In addition to that, the error code populated in V2M_SYS_NVFLAGS register
does not seem to be retained any more on Juno across resets. This could
be down to the motherboard firmware not doing the necessary to preserve
the value.
Hence this patch modifies the Juno platform to use the same mechanism to
trigger firmware update as FVP which is to corrupt the FIP TOC on
authentication failure. The implementation in `fvp_err.c` is made common
for ARM platforms and is moved to the new `arm_err.c` file in
plat/arm/common folder. The BL1 and BL2 mmap table entries for Juno
are modified to allow write to the Flash memory address.
Change-Id: Ica7d49a3e8a46a90efd4cf340f19fda3b549e945
Signed-off-by: Soby Mathew <soby.mathew@arm.com>
This issue was detected when testing FWU on Juno. The Timer
`timer_ops` was not being initialized before being used by
the SDS driver on Juno. This patch adds the call to
`generic_delay_timer_init()` during bl2u_early_platform_setup().
This is done generically for all ARM platforms because the
cost involved is minimal.
Change-Id: I349cf0bd1db68406eb2298b65f9c729f792cabdc
Signed-off-by: Soby Mathew <soby.mathew@arm.com>
plat/hisilicon/hikey/hikey_bl1_setup.c:565:47:
error: value size does not match register size specified by the
constraint and modifier [-Werror,-Wasm-operand-widths]
__asm__ volatile ("mrs %0, cpacr_el1" : "=r"(data));
Signed-off-by: Haojian Zhuang <haojian.zhuang@linaro.org>
It's unnecessary to call platform driver initialization in image
load driver. We could make bl2_platform_setup() to executing
just before SCP_BL2 by setting flag IMAGE_ATTRIB_PLAT_SETUP.
Signed-off-by: Haojian Zhuang <haojian.zhuang@linaro.org>
Since non-TF ROM is used in HiKey960 platform (Hisilicon Hi3660 SoC),
replace BL1 by BL2_EL3 in normal boot mode.
When flush images in recovery mode, keep to use BL1.
Signed-off-by: Haojian Zhuang <haojian.zhuang@linaro.org>
Since LOAD_IMAGE_V2 is always enabled in HiKey960 platform. Drop
LOAD_IMAGE v1 to simplify code.
Signed-off-by: Haojian Zhuang <haojian.zhuang@linaro.org>
MAP_TSP_MEM could be either in SRAM or DRAM. When MAP_TSP_MEM is in
DRAM, it's overlapped with MAP_DDR.
Since TSP_MEM is always configured in DRAM case, it means
MAP_OPTEE_PAGEABLE is always disabled. Just remove it.
Signed-off-by: Haojian Zhuang <haojian.zhuang@linaro.org>
The main difference between HiKey960 v1 hardware and HiKey960 v2
hardware is on UART console.
But the function of detecting boardid dumps message before console
ready. So fix it by removing those messages.
Signed-off-by: Haojian Zhuang <haojian.zhuang@linaro.org>
Since non-TF ROM is used in HiKey platform (Hisilicon Hi6220 SoC),
replace BL1 by BL2_EL3 in normal boot mode.
When we recovery images in recovery mode, keep to use BL1.
Signed-off-by: Haojian Zhuang <haojian.zhuang@linaro.org>
Although SRAM is initialized, DCACHE should be cleaned too.
Because MCU is a parrallel core to access SRAM. We need to make
sure that initialized value is really written to SRAM before
MCU using it.
Signed-off-by: Haojian Zhuang <haojian.zhuang@linaro.org>
Since LOAD_IMAGE_V2 is always enabled in HiKey platform. Drop
LOAD_IMAGE v1 to simplify code.
Signed-off-by: Haojian Zhuang <haojian.zhuang@linaro.org>
The register address range of UART1 (crash console) are outside the
address ranges mapped for MMIO, resulting to an MMU abort when the
device registers are accessed.
Increase the size of DEVICE1 memory to include the range of UART1.
FixesARM-software/tf-issues#560
Signed-off-by: Michalis Pappas <mpappas@fastmail.fm>
This patch removes default platform implementations of sp_min
platform APIs from plat/common/aarch32/plat_common.c. The APIs
are now implemented in `plat_sp_min_common.c` file within the
same folder.
The ARM platform layer had a weak definition of sp_min_platform_setup2()
which conflicted with the weak definition in the common file. Hence this
patch fixes that by introducing a `plat_arm_` version of the API thus
allowing individual boards within ARM platforms to override it if they
wish to.
FixesARM-software/tf-issues#559
Change-Id: I11a74ecae8191878ccc7ea03f12bdd5ae88faba5
Signed-off-by: Soby Mathew <soby.mathew@arm.com>
This was correct according to the model specifications , but it seems
that FVP doesn't implement it. It is safer to use the size exposed by
the DTB which is currently used by Linux.
Change-Id: I9aabe3284a50ec2a36ed94966eb7e4ddf37cec3b
Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
Some generic compatibility functions emit deprecated declaration warnings
even when platforms do not use the deprecated functions directly. This
can be confusing. Suppress these warnings by using:
`#pragma GCC diagnostic ignored "-Wdeprecated-declarations"`
Also emit a runtime warning if the weak plat/common implemntation of
plat_get_syscnt_freq2() is used, as this implies the platform has not
migrated from plat_get_syscnt_freq(). The deprecated declaration warnings
only help detect when platforms are calling deprecated functions, not when
they are defining deprecated functions.
FixesARM-software/tf-issues#550
Change-Id: Id14a92279c2634c1e76db8ef210da8affdbb2a5d
Signed-off-by: Dan Handley <dan.handley@arm.com>
Rule 8.4: A compatible declaration shall be visible when
an object or function with external linkage is defined
Fixed for:
make DEBUG=1 PLAT=juno LOG_LEVEL=50 all
Change-Id: Ic8f611da734f356566e8208053296e6c62b54709
Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
Rule 8.4: A compatible declaration shall be visible when
an object or function with external linkage is defined
Fixed for:
make DEBUG=1 PLAT=fvp LOG_LEVEL=50 all
Change-Id: I7c2ad3f5c015411c202605851240d5347e4cc8c7
Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
Rule 8.3: All declarations of an object or function shall
use the same names and type qualifiers.
Fixed for:
make DEBUG=1 PLAT=fvp LOG_LEVEL=50 all
Change-Id: I48201c9ef022f6bd42ea8644529afce70f9b3f22
Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
Rule 8.4: A compatible declaration shall be visible when
an object or function with external linkage is defined.
Change-Id: I26e042cb251a6f9590afa1340fdac73e42f23979
Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
FVPs that model DynamIQ configuration implements all CPUs in a single
cluster. I.e., such models have a single cluster with more than 4 CPUs.
This differs from existing default build configuration for FVP where up
to 4 CPUs are assumed per cluster.
To allow building for DynamIQ configuration, promote the macro
FVP_MAX_CPUS_PER_CLUSTER as a build option to have it set from the build
command line. The value of the build option defaults to 4.
Change-Id: Idc3853bc95f680869b434b011c2dbd733e40c6ce
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
Update qemu_configure_mmu_##_el to add an additional region for code,
marked as MT_CODE | MT_SECURE. Update ro region attributes to NON_EXEC.
Update calls to QEMU_CONFIGURE_BLx_MMU() to pass an additional region for
code. Update calls to pass regions defined in common_def.h.
Increase MAX_MMAP_REGIONS to 10.
Enable SEPARATE_CODE_AND_RODATA by default on QEMU builds.
FixesARM-software/tf-issues#558
Signed-off-by: Michalis Pappas <mpappas@fastmail.fm>