The set_routing_model() function in the Interrupt Management
Framework calls the context management library to update the
SCR_EL3 register. This context management library assumes that
the context has been previously initialized. Consequently, if
a Secure Payload Dispatcher (SPD) tries to set the routing model
before initializing the context, the system will fail (in debug
mode, an assertion will be raised).
This patch fixes the issue by checking if the context has been
initialized before updating SCR_EL3. If a valid context is not
available, SCR_EL3 update will be done when the SPD calls the
context initialization function. This function will call
get_scr_el3_from_routing_model() to obtain the SCR_EL3 value.
If the SPD does not call the context initialization function
then it is SPD's responsibility to obtain SCR_EL3 from the IMF
and update the context accordingly.
FixesARM-software/tf-issues#327
Change-Id: Ic2f1c6e899e578a8db858ec43747c63a8539c16f
This patch adds an optional API to the platform port:
void plat_error_handler(int err) __dead2;
The platform error handler is called when there is a specific error
condition after which Trusted Firmware cannot continue. While panic()
simply prints the crash report (if enabled) and spins, the platform
error handler can be used to hand control over to the platform port
so it can perform specific bookeeping or post-error actions (for
example, reset the system). This function must not return.
The parameter indicates the type of error using standard codes from
errno.h. Possible errors reported by the generic code are:
-EAUTH : a certificate or image could not be authenticated
(when Trusted Board Boot is enabled)
-ENOENT : the requested image or certificate could not be found
or an IO error was detected
-ENOMEM : resources exhausted. Trusted Firmware does not use
dynamic memory, so this error is usually an indication
of an incorrect array size
A default weak implementation of this function has been provided.
It simply implements an infinite loop.
Change-Id: Iffaf9eee82d037da6caa43b3aed51df555e597a3
Currently, if no make goal is specified in the command line, 'all'
is assumed by default, but the dependency files are not generated.
This might lead to a successful but inconsistent build. This patch
provides a fix to the problem.
Change-Id: I0148719e114dbdbe46f8a57c7d05da7cbc212c92
This patch is a complete rework of the main Makefile. Functionality
remains the same but the code has been reorganized in sections in
order to improve readability and facilitate adding future extensions.
A new file 'build_macros.mk' has been created and will contain common
definitions (variables, macros, etc) that may be used from the main
Makefile and other platform specific makefiles.
A new macro 'FIP_ADD_IMG' has been introduced and it will allow the
platform to specify binary images and the necessary checks for a
successful build. Platforms that require a BL30 image no longer need
to specify the NEED_BL30 option. The main Makefile is now completely
unaware of additional images not built as part of Trusted Firmware,
like BL30. It is the platform responsibility to specify images using
the macro 'FIP_ADD_IMG'. Juno uses this macro to include the BL30
image in the build.
BL33 image is specified in the main Makefile to preserve backward
compatibility with the NEED_BL33 option. Otherwise, platform ports
that rely on the definition of NEED_BL33 might break.
All Trusted Board Boot related definitions have been moved to a
separate file 'tbbr_tools.mk'. The main Makefile will include this
file unless the platform indicates otherwise by setting the variable
'INCLUDE_TBBR_MK := 0' in the corresponding platform.mk file. This
will keep backward compatibility but ideally each platform should
include the corresponding TBB .mk file in platform.mk.
Change-Id: I35e7bc9930d38132412e950e20aa2a01e2b26801
Currently all ARM CSS platforms which include css_helpers.S use the same
strong definition of `plat_arm_calc_core_pos`. This patch allows these CSS
platforms to define their own strong definition of this function.
* Replace the strong definition of `plat_arm_calc_core_pos` in
css_helpers.S with a utility function `css_calc_core_pos_swap_cluster`
does the same thing (swaps cluster IDs). ARM CSS platforms may choose
to use this function or not.
* Add a Juno strong definition of `plat_arm_calc_core_pos`, which uses
`css_calc_core_pos_swap_cluster`.
Change-Id: Ib5385ed10e44adf6cd1398a93c25973eb3506d9d
This patch replaces custom definitions used as return values for
the load_auth_image() function with standard error codes defined
in errno.h. The custom definitions have been removed.
It also replaces the usage of IO framework error custom definitions,
which have been deprecated. Standard errno definitions are used
instead.
Change-Id: I1228477346d3876151c05b470d9669c37fd231be
This patch redefines the values of IO_FAIL, IO_NOT_SUPPORTED and
IO_RESOURCES_EXHAUSTED to match the corresponding definitions in
errno.h:
#define IO_FAIL (-ENOENT)
#define IO_NOT_SUPPORTED (-ENODEV)
#define IO_RESOURCES_EXHAUSTED (-ENOMEM)
NOTE: please note that the IO_FAIL, IO_NOT_SUPPORTED and
IO_RESOURCES_EXHAUSTED definitions are considered deprecated
and their usage should be avoided. Callers should rely on errno.h
definitions when checking the return values of IO functions.
Change-Id: Ic8491aa43384b6ee44951ebfc053a3ded16a80be
This patch introduces a new API that allows to specify command
line options in the Chain of Trust description. These command line
options may be used to specify parameters related to the CoT (i.e.
keys or certificates), instead of keeping a hardcoded list of
options in main.c.
Change-Id: I282b0b01cb9add557b26bddc238a28253ce05e44
The certificate generation tool currently checks if all command
line options required to create all certificates in the CoT have
been specified. This prevents using the tool to create individual
certificates when the whole CoT is not required.
This patch improves the checking function so only those options
required by the certificates specified in the command line are
verified.
Change-Id: I2c426a8e2e2dec85b15f2d98fd4ba949c1aed385
This patch adds an optional API to the platform port:
void bl1_plat_prepare_exit(void);
This function is called prior to exiting BL1 in response to the
RUN_IMAGE_SMC request raised by BL2. It should be used to perform
platform specific clean up or bookkeeping operations before
transferring control to the next image.
A weak empty definition of this function has been provided to
preserve platform backwards compatibility.
Change-Id: Iec09697de5c449ae84601403795cdb6aca166ba1
This patch does the following reorganization to psci power management (PM)
handler setup for ARM standard platform ports :
1. The mailbox programming required during `plat_setup_psci_ops()` is identical
for all ARM platforms. Hence the implementation of this API is now moved
to the common `arm_pm.c` file. Each ARM platform now must define the
PLAT_ARM_TRUSTED_MAILBOX_BASE macro, which in current platforms is the same
as ARM_SHARED_RAM_BASE.
2. The PSCI PM handler callback structure, `plat_psci_ops`, must now be
exported via `plat_arm_psci_pm_ops`. This allows the common implementation
of `plat_setup_psci_ops()` to return a platform specific `plat_psci_ops`.
In the case of CSS platforms, a default weak implementation of the same is
provided in `css_pm.c` which can be overridden by each CSS platform.
3. For CSS platforms, the PSCI PM handlers defined in `css_pm.c` are now
made library functions and a new header file `css_pm.h` is added to export
these generic PM handlers. This allows the platform to reuse the
adequate CSS PM handlers and redefine others which need to be customized
when overriding the default `plat_arm_psci_pm_ops` in `css_pm.c`.
Change-Id: I277910f609e023ee5d5ff0129a80ecfce4356ede
The AArch64 synchronous exception vector code in BL1 is almost
reaching its architectural limit of 32 instructions. This means
there is very little space for this code to grow.
This patch reduces the size of the exception vector code by
moving most of its code in a function to which we branch from
SynchronousExceptionA64.
Change-Id: Ib35351767a685fb2c2398029d32e54026194f7ed
The CASSERT() macro introduces a typedef for the sole purpose of
triggering a compilation error if the condition to check is false.
This typedef is not used afterwards. As a consequence, when the
CASSERT() macro is called from withing a function block, the compiler
complains and outputs the following error message:
error: typedef 'msg' locally defined but not used [-Werror=unused-local-typedefs]
This patch adds the "unused" attribute for the aforementioned
typedef. This silences the compiler warning and thus makes the
CASSERT() macro callable from within function blocks as well.
Change-Id: Ie36b58fcddae01a21584c48bb6ef43ec85590479
This patch fixes the relative path to the 'bl1_private.h' header file
included from 'arm_bl1_setup.c'. Note that, although the path was
incorrect, it wasn't causing a compilation error because the header
file still got included through an alternative include search path.
Change-Id: I28e4f3dbe50e3550ca6cad186502c88a9fb5e260
This patch fixes a copy and paste issue that resulted in the cluster
indexes not being checked as intended. Note that this fix applies to
the deprecated CCI-400 driver, not the unified one.
Change-Id: I497132a91c236690e5eaff908f2db5c8c65e85ab
TLK sends the "preempted" event to the NS world along with an
identifier for certain use cases. The NS world driver is then
expected to take appropriate action depending on the identifier
value. Upon completion, the NS world driver then sends the
results to TLK (via x1-x3) with the TLK_RESUME_FID function ID.
This patch uses the already present code to pass the results
from the NS world to TLK for the TLK_RESUME_FID function ID.
Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>
This patch fixes an issue in the PSCI framework where the affinity info
state of a core was being set to OFF even when the SPD had denied the
CPU_OFF request. Now, the state remains set to ON instead.
FixesARM-software/tf-issues#323
Change-Id: Ia9042aa41fae574eaa07fd2ce3f50cf8cae1b6fc
This patch adds PM handlers to TLKD for the system suspend/resume and
system poweroff/reset cases. TLK expects all SMCs through a single
handler, which then fork out into multiple handlers depending on the
SMC. We tap into the same single entrypoint by restoring the S-EL1
context before passing the PM event via register 'x0'. On completion
of the PM event, TLK sends a completion SMC and TLKD then moves on
with the PM process.
Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>
The generic delay timer driver expects a pointer to a timer_ops_t
structure containing the specific timer driver information. It
doesn't make a copy of the structure, instead it just keeps the
pointer. Therefore, this pointer must remain valid over time.
The SP804 driver doesn't satisfy this requirement. The
sp804_timer_init() macro creates a temporary instanciation of the
timer_ops_t structure on the fly and passes it to the generic
delay timer. When this temporary instanciation gets deallocated,
the generic delay timer is left with a pointer to invalid data.
This patch fixes this bug by statically allocating the SP804
timer_ops_t structure.
Change-Id: I8fbf75907583aef06701e3fd9fabe0b2c9bc95bf
When a platform port does not define PLAT_PERCPU_BAKERY_LOCK_SIZE, the total
memory that should be allocated per-cpu to accommodate all bakery locks is
calculated by the linker in bl31.ld.S. The linker stores this value in the
__PERCPU_BAKERY_LOCK_SIZE__ linker symbol. The runtime value of this symbol is
different from the link time value as the symbol is relocated into the current
section (.bss). This patch fixes this issue by marking the symbol as ABSOLUTE
which allows it to retain its correct value even at runtime.
The description of PLAT_PERCPU_BAKERY_LOCK_SIZE in the porting-guide.md has been
made clearer as well.
Change-Id: Ia0cfd42f51deaf739d792297e60cad5c6e6e610b
This patch adds a device driver which can be used to program the following
aspects of ARM CCN IP:
1. Specify the mapping between ACE/ACELite/ACELite+DVM/CHI master interfaces and
Request nodes.
2. Add and remove master interfaces from the snoop and dvm
domains.
3. Place the L3 cache in a given power state.
4. Configuring system adress map and enabling 3 SN striping mode of memory
controller operation.
Change-Id: I0f665c6a306938e5b66f6a92f8549b529aa8f325
Currently, the non-overlapping video memory carveout region is cleared after
disabling the MMU at EL3. If at any exception level the carveout region is being
marked as cacheable, this zeroing of memory will not have an affect on the
cached lines. Hence, we first invalidate the dirty lines and update the memory
and invalidate again so that both caches and memory is zeroed out.
Change-Id: If3b2d139ab7227f6799c0911d59e079849dc86aa
On the ARMv8 architecture, cache maintenance operations by set/way on the last
level of integrated cache do not affect the system cache. This means that such a
flush or clean operation could result in the data being pushed out to the system
cache rather than main memory. Another CPU could access this data before it
enables its data cache or MMU. Such accesses could be serviced from the main
memory instead of the system cache. If the data in the sysem cache has not yet
been flushed or evicted to main memory then there could be a loss of
coherency. The only mechanism to guarantee that the main memory will be updated
is to use cache maintenance operations to the PoC by MVA(See section D3.4.11
(System level caches) of ARMv8-A Reference Manual (Issue A.g/ARM DDI0487A.G).
This patch removes the reliance of Trusted Firmware on the flush by set/way
operation to ensure visibility of data in the main memory. Cache maintenance
operations by MVA are now used instead. The following are the broad category of
changes:
1. The RW areas of BL2/BL31/BL32 are invalidated by MVA before the C runtime is
initialised. This ensures that any stale cache lines at any level of cache
are removed.
2. Updates to global data in runtime firmware (BL31) by the primary CPU are made
visible to secondary CPUs using a cache clean operation by MVA.
3. Cache maintenance by set/way operations are only used prior to power down.
NOTE: NON-UPSTREAM TRUSTED FIRMWARE CODE SHOULD MAKE EQUIVALENT CHANGES IN
ORDER TO FUNCTION CORRECTLY ON PLATFORMS WITH SUPPORT FOR SYSTEM CACHES.
FixesARM-software/tf-issues#205
Change-Id: I64f1b398de0432813a0e0881d70f8337681f6e9a
This patch corrects the watchdog register setting. To update watchdog
register, the watchdog mode key must be set to make the register
configurable.
Change-Id: I9ca98ea4012f7f220b116013461030de4638ce0b
Signed-off-by: Jimmy Huang <jimmy.huang@mediatek.com>
This patch update Mediatek port to use the `DEFINE_BAKERY_LOCK` macro instead of
specifying the exact data structure to use for a bakery lock and the input
linker section that it should be allocated to.
Change-Id: I2116dbe27010bb46d7cc64fafef55c7240c4c721
This patch updates ARM platform ports to use the new unified bakery locks
API. The caller does not have to use a different bakery lock API depending upon
the value of the USE_COHERENT_MEM build option.
NOTE: THIS PATCH CAN BE USED AS A REFERENCE TO UPDATE OTHER PLATFORM PORTS.
Change-Id: I1b26afc7c9a9808a6040eb22f603d30192251da7
This patch unifies the bakery lock api's across coherent and normal
memory implementation of locks by using same data type `bakery_lock_t`
and similar arguments to functions.
A separate section `bakery_lock` has been created and used to allocate
memory for bakery locks using `DEFINE_BAKERY_LOCK`. When locks are
allocated in normal memory, each lock for a core has to spread
across multiple cache lines. By using the total size allocated in a
separate cache line for a single core at compile time, the memory for
other core locks is allocated at link time by multiplying the single
core locks size with (PLATFORM_CORE_COUNT - 1). The normal memory lock
algorithm now uses lock address instead of the `id` in the per_cpu_data.
For locks allocated in coherent memory, it moves locks from
tzfw_coherent_memory to bakery_lock section.
The bakery locks are allocated as part of bss or in coherent memory
depending on usage of coherent memory. Both these regions are
initialised to zero as part of run_time_init before locks are used.
Hence, bakery_lock_init() is made an empty function as the lock memory
is already initialised to zero.
The above design lead to the removal of psci bakery locks from
non_cpu_power_pd_node to psci_locks.
NOTE: THE BAKERY LOCK API WHEN USE_COHERENT_MEM IS NOT SET HAS CHANGED.
THIS IS A BREAKING CHANGE FOR ALL PLATFORM PORTS THAT ALLOCATE BAKERY
LOCKS IN NORMAL MEMORY.
Change-Id: Ic3751c0066b8032dcbf9d88f1d4dc73d15f61d8b
Currently, on ARM platforms(ex. Juno) non-secure access to specific
peripheral regions, config registers which are inside and outside CSS
is done in the soc_css_security_setup(). This patch separates the CSS
security setup from the SOC security setup in the css_security_setup().
The CSS security setup involves programming of the internal NIC to
provide access to regions inside the CSS. This is needed only in
Juno, hence Juno implements it in its board files as css_init_nic400().
Change-Id: I95a1fb9f13f9b18fa8e915eb4ae2f15264f1b060
Juan Castillo
danh-arm
David Wang
Juan Castillo
Soby Mathew
Sandrine Bailleux
Varun Wadekar
Achin Gupta
Vikram Kanigiri
Jimmy Huang
yt.lee
Andrew Thoelke