During context switching from higher EL (EL2 or higher)
to lower EL can cause incorrect translation in TLB due to
speculative execution of AT instruction using out-of-context
translation regime.
Workaround is implemented as below during EL's (EL1 or EL2)
"context_restore" operation:
1. Disable page table walk using SCTLR.M and TCR.EPD0 & EPD1
bits for EL1 or EL2 (stage1 and stage2 disabled)
2. Save all system registers except TCR and SCTLR (for EL1 and EL2)
3. Do memory barrier operation (isb) to ensure all
system register writes are done.
4. Restore TCR and SCTLR registers (for EL1 and EL2)
Errata details are available for various CPUs as below:
Cortex-A76: 1165522
Cortex-A72: 1319367
Cortex-A57: 1319537
Cortex-A55: 1530923
Cortex-A53: 1530924
More details can be found in mail-chain:
https://lists.trustedfirmware.org/pipermail/tf-a/2020-April/000445.html
Currently, Workaround is implemented as build option which is default
disabled.
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
Change-Id: If8545e61f782cb0c2dda7ffbaf50681c825bd2f0
Dynamic configuration properties are fconf properties. Modify the
compatible string from "arm,.." to "fconf,.." to reflect this.
Signed-off-by: Louis Mayencourt <louis.mayencourt@arm.com>
Change-Id: I85eb75cf877c5f4d3feea3936d4c348ca843bc6c
Our fdtw_read_cells() implementation goes to great lengths to
sanity-check every parameter and result, but leaves a big hole open:
The size of the storage the value pointer points at needs to match the
number of cells given. This can't be easily checked at compile time,
since we lose the size information by using a void pointer.
Regardless the current usage of this function is somewhat wrong anyways,
since we use it on single-element, fixed-length properties only, for
which the DT binding specifies the size.
Typically we use those functions dealing with a number of cells in DT
context to deal with *dynamically* sized properties, which depend on
other properties (#size-cells, #clock-cells, ...), to specify the number
of cells needed.
Another problem with the current implementation is the use of
ambiguously sized types (uintptr_t, size_t) together with a certain
expectation about their size. In general there is no relation between
the length of a DT property and the bitness of the code that parses the
DTB: AArch64 code could encounter 32-bit addresses (where the physical
address space is limited to 4GB [1]), while AArch32 code could read
64-bit sized properties (/memory nodes on LPAE systems, [2]).
To make this more clear, fix the potential issues and also align more
with other DT users (Linux and U-Boot), introduce functions to explicitly
read uint32 and uint64 properties. As the other DT consumers, we do this
based on the generic "read array" function.
Convert all users to use either of those two new functions, and make
sure we never use a pointer to anything other than uint32_t or uint64_t
variables directly.
This reveals (and fixes) a bug in plat_spmd_manifest.c, where we write
4 bytes into a uint16_t variable (passed via a void pointer).
Also we change the implementation of the function to better align with
other libfdt users, by using the right types (fdt32_t) and common
variable names (*prop, prop_names).
[1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/arch/arm64/boot/dts/allwinner/sun50i-a64.dtsi#n874
[2] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/arch/arm/boot/dts/ecx-2000.dts
Change-Id: I718de960515117ac7a3331a1b177d2ec224a3890
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
This patch adds code to parse memory range information passed by
coreboot, and a simple helper to test whether a specific address belongs
to a range. This may be useful for coreboot-using platforms that need to
know information about the system's memory layout (e.g. to check whether
an address passed in via SMC targets valid DRAM).
Signed-off-by: Julius Werner <jwerner@chromium.org>
Change-Id: I3bea326c426db27d1a8b7d6e17418e4850e884b4
bakery_lock_normal.c uses the raw register accessor, read_sctlr(_el3)
to check whether the dcache is enabled.
Using is_dcache_enabled() is cleaner, and a good abstraction for
the library code like this.
A problem is is_dcache_enabled() is declared in the local header,
lib/xlat_tables_v2/xlat_tables_private.h
I searched for a good place to declare this helper. Moving it to
arch_helpers.h, closed to cache operation helpers, looks good enough
to me.
I also changed the type of 'is_cached' to bool for consistency,
and to avoid MISRA warnings.
Change-Id: I9b016f67bc8eade25c316aa9c0db0fa4cd375b79
Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
Present framework restricts platform to pass desired shareability attribute
for normal memory region mapped in MMU. it defaults to inner shareability.
There are platforms where memories (like SRAM) are not placed at snoopable
region in advaned interconnect like CCN/CMN hence snoopable transaction is
not possible to these memory. Though These memories could be mapped in MMU
as MT_NON_CACHEABLE, data caches benefits won't be available.
If these memories are mapped as cacheable with non-shareable attribute,
when only one core is running like at boot time, MMU data cached could be
used for faster execution. Hence adding support to pass the shareability
attribute for memory regions.
Signed-off-by: Pramod Kumar <pramod.kumar@broadcom.com>
Change-Id: I678cb50120a28dae4aa9d1896e8faf1dd5cf1754
If PLAT_RO_XLAT_TABLES is defined, the base xlat table goes to the
.rodata section instead of .bss section.
This causes a warning like:
/tmp/ccswitLr.s: Assembler messages:
/tmp/ccswitLr.s:297: Warning: setting incorrect section attributes for .rodata
It is practically no problem, but I want to keep the build log clean.
Put the base table into the "base_xlat_table" section to suppress the
assembler warnings.
The linker script determines its final destination; rodata section if
PLAT_RO_XLAT_TABLES=1, or bss section otherwise. So, the result is the
same.
Change-Id: Ic85d1d2dddd9b5339289fc2378cbcb21dd7db02e
Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
fconf_dyn_cfg_getter.c calls FCONF_REGISTER_POPULATOR(), which populates
the fconf_populator structure.
However, bl1/bl1.ld.S does not have:
__FCONF_POPULATOR_START__ = .;
KEEP(*(.fconf_populator))
__FCONF_POPULATOR_END__ = .;
So, this is not linked to bl1.elf
We could change either bl1/bl1.lds.S or lib/fconf/fconf.mk to make
them consistent.
I chose to fix up fconf.mk to keep the current behavior.
This is a groundwork to factor out the common code from linker scripts.
Change-Id: I07b7ad4db4ec77b57acf1588fffd0b06306d7293
Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
enable_mmu_* has a different function name, so it is not handy in the
shared code. enable_mmu() calls an appropriate one depending on the
exception level.
Change-Id: I0657968bfcb91c32733f75f9259f550a5c35b1c3
Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
Notify if fw_config dt is either not available or not loaded from fip.
Change-Id: I4dfcbe5032503d97f532a3287c5312c581578b68
Signed-off-by: Manish Pandey <manish.pandey2@arm.com>
TPIDR_EL2 is missing from the EL2 state register save/restore
sequence. This patch adds it to the context save restore routines.
Signed-off-by: Olivier Deprez <olivier.deprez@arm.com>
Change-Id: I35fc5ee82f97b72bcedac57c791312e7b3a45251
Merge the previously introduced arm_fconf_io_storage into arm_io_storage. This
removes the duplicate io_policies and functions definition.
This patch:
- replace arm_io_storage.c with the content of arm_fconf_io_storage.c
- rename the USE_FCONF_BASED_IO option into ARM_IO_IN_DTB.
- use the ARM_IO_IN_DTB option to compile out io_policies moved in dtb.
- propagate DEFINES when parsing dts.
- use ARM_IO_IN_DTB to include or not uuid nodes in fw_config dtb.
- set the ARM_IO_IN_DTB to 0 by default for fvp. This ensure that the behavior
of fvp stays the same as it was before the introduction of fconf.
Change-Id: Ia774a96d1d3a2bccad29f7ce2e2b4c21b26c080e
Signed-off-by: Louis Mayencourt <louis.mayencourt@arm.com>
A populate() function essentially captures the value of a property,
defined by a platform, into a fconf related c structure. Such a
callback is usually platform specific and is associated to a specific
configuration source.
For example, a populate() function which captures the hardware topology
of the platform can only parse HW_CONFIG DTB. Hence each populator
function must be registered with a specific 'config_type' identifier.
It broadly represents a logical grouping of configuration properties
which is usually a device tree source file.
Example:
> TB_FW: properties related to trusted firmware such as IO policies,
base address of other DTBs, mbedtls heap info etc.
> HW_CONFIG: properties related to hardware configuration of the SoC
such as topology, GIC controller, PSCI hooks, CPU ID etc.
This patch modifies FCONF_REGISTER_POPULATOR macro and fconf_populate()
to register and invoke the appropriate callbacks selectively based on
configuration type.
Change-Id: I6f63b1fd7a8729c6c9137d5b63270af1857bb44a
Signed-off-by: Madhukar Pappireddy <madhukar.pappireddy@arm.com>
xlat_tables_v2_helpers.h defines two quite similar macros,
REGISTER_XLAT_CONTEXT_FULL_SPEC and REGISTER_XLAT_CONTEXT_RO_BASE_TABLE.
Only the difference is the section of _ctx_name##_base_xlat_table.
Parameterize it and unify these two macros.
The base xlat table goes into the .bss section by default.
If PLAT_RO_XLAT_TABLES is defined, it goes into the .rodata section.
Change-Id: I8b02f4da98f0c272e348a200cebd89f479099c55
Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
The denver_enable_dco and denver_disable_dco use register X3 to store
the return address. But X3 gets over-written by other functions,
downstream.
This patch stores the return address to X18 instead, to fix this
anomaly.
Change-Id: Ic40bfc1d9abaa7b90348843b9ecd09521bb4ee7b
Signed-off-by: Kalyani Chidambaram <kalyanic@nvidia.com>
ARM has a weak memory ordering model. This means that without
explicit barriers, memory accesses can be observed differently
than program order. In this case, the cache invalidate instruction
can be observed after the subsequent read to address.
To solve this, a DMB instruction is required between the cache
invalidate and the read. This ensures that the cache invalidate
completes before all memory accesses in program order after the DMB.
This patch updates the 'read_cache_op' macro to issue a DMB after
the cache invalidate instruction to fix this anomaly.
Change-Id: Iac9a90d228c57ba8bcdca7e409ea6719546ab441
Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>
This patch adds EL2 registers that are supported up to ARMv8.6.
ARM_ARCH_MINOR has to specified to enable save/restore routine.
Note: Following registers are still not covered in save/restore.
* AMEVCNTVOFF0<n>_EL2
* AMEVCNTVOFF1<n>_EL2
* ICH_AP0R<n>_EL2
* ICH_AP1R<n>_EL2
* ICH_LR<n>_EL2
Change-Id: I4813f3243e56e21cb297b31ef549a4b38d4876e1
Signed-off-by: Max Shvetsov <maksims.svecovs@arm.com>
NOTE: Not all EL-2 system registers are saved/restored.
This subset includes registers recognized by ARMv8.0
Change-Id: I9993c7d78d8f5f8e72d1c6c8d6fd871283aa3ce0
Signed-off-by: Jose Marinho <jose.marinho@arm.com>
Signed-off-by: Olivier Deprez <olivier.deprez@arm.com>
Signed-off-by: Artsem Artsemenka <artsem.artsemenka@arm.com>
Signed-off-by: Max Shvetsov <maksims.svecovs@arm.com>
Since now the generic console_t structure holds the UART base address as
well, let's use that generic location for the coreboot memory console.
This removes the base member from the coreboot specific data structure,
but keeps the struct console_cbmc_t and its size member.
Change-Id: I7f1dffd41392ba3fe5c07090aea761a42313fb5b
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
This patch introduces a build flag which allows the xlat tables
to be mapped in a read-only region within BL31 memory. It makes it
much harder for someone who has acquired the ability to write to
arbitrary secure memory addresses to gain control of the
translation tables.
The memory attributes of the descriptors describing the tables
themselves are changed to read-only secure data. This change
happens at the end of BL31 runtime setup. Until this point, the
tables have read-write permissions. This gives a window of
opportunity for changes to be made to the tables with the MMU on
(e.g. reclaiming init code). No changes can be made to the tables
with the MMU turned on from this point onwards. This change is also
enabled for sp_min and tspd.
To make all this possible, the base table was moved to .rodata. The
penalty we pay is that now .rodata must be aligned to the size of
the base table (512B alignment). Still, this is better than putting
the base table with the higher level tables in the xlat_table
section, as that would cost us a full 4KB page.
Changing the tables from read-write to read-only cannot be done with
the MMU on, as the break-before-make sequence would invalidate the
descriptor which resolves the level 3 page table where that very
descriptor is located. This would make the translation required for
writing the changes impossible, generating an MMU fault.
The caches are also flushed.
Signed-off-by: Petre-Ionut Tudor <petre-ionut.tudor@arm.com>
Change-Id: Ibe5de307e6dc94c67d6186139ac3973516430466
The CPUACTLR_EL1 register on Cortex-A57 CPUs supports a bit to enable
non-cacheable streaming enhancement. Platforms can set this bit only
if their memory system meets the requirement that cache line fill
requests from the Cortex-A57 processor are atomic.
This patch adds support to enable higher performance non-cacheable load
forwarding for such platforms. Platforms must enable this support by
setting the 'A57_ENABLE_NONCACHEABLE_LOAD_FWD' flag from their
makefiles. This flag is disabled by default.
Change-Id: Ib27e55dd68d11a50962c0bbc5b89072208b4bac5
Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>
Fixes for the following MISRA violations:
- Missing explicit parentheses on sub-expression
- An identifier or macro name beginning with an
underscore, shall not be declared
- Type mismatch in BL1 SMC handlers and tspd_main.c
Change-Id: I7a92abf260da95acb0846b27c2997b59b059efc4
Signed-off-by: Zelalem <zelalem.aweke@arm.com>
Use the firmware configuration framework in arm dynamic configuration
to retrieve mbedtls heap information between bl1 and bl2.
For this, a new fconf getter is added to expose the device tree base
address and size.
Change-Id: Ifa5ac9366ae100e2cdd1f4c8e85fc591b170f4b6
Signed-off-by: Louis Mayencourt <louis.mayencourt@arm.com>
Use fconf to retrieve the `disable_authentication` property.
Move this access from arm dynamic configuration to bl common.
Change-Id: Ibf184a5c6245d04839222f5457cf5e651f252b86
Signed-off-by: Louis Mayencourt <louis.mayencourt@arm.com>
This patch introduces a better separation between the trusted-boot
related properties, and the dynamic configuration DTBs loading
information.
The dynamic configuration DTBs properties are moved to a new node:
`dtb-registry`. All the sub-nodes present will be provided to the
dynamic config framework to be loaded. The node currently only contains
the already defined configuration DTBs, but can be extended for future
features if necessary.
The dynamic config framework is modified to use the abstraction provided
by the fconf framework, instead of directly accessing the DTBs.
The trusted-boot properties are kept under the "arm,tb_fw" compatible
string, but in a separate `tb_fw-config` node.
The `tb_fw-config` property of the `dtb-registry` node simply points
to the load address of `fw_config`, as the `tb_fw-config` is currently
part of the same DTB.
Change-Id: Iceb6c4c2cb92b692b6e28dbdc9fb060f1c46de82
Signed-off-by: Louis Mayencourt <louis.mayencourt@arm.com>
Use the dtb provided by bl1 as configuration file for fconf.
Change-Id: I3f466ad9b7047e1a361d94e71ac6d693e31496d9
Signed-off-by: Louis Mayencourt <louis.mayencourt@arm.com>
Move the loading of the dtb from arm_dym_cfg to fconf. The new loading
function is not associated to arm platform anymore, and can be moved
to bl_main if wanted.
Change-Id: I847d07eaba36d31d9d3ed9eba8e58666ea1ba563
Signed-off-by: Louis Mayencourt <louis.mayencourt@arm.com>
Introduce the Firmware CONfiguration Framework (fconf).
The fconf is an abstraction layer for platform specific data, allowing
a "property" to be queried and a value retrieved without the requesting
entity knowing what backing store is being used to hold the data.
The default backing store used is C structure. If another backing store
has to be used, the platform integrator needs to provide a "populate()"
function to fill the corresponding C structure.
The "populate()" function must be registered to the fconf framework with
the "FCONF_REGISTER_POPULATOR()". This ensures that the function would
be called inside the "fconf_populate()" function.
A two level macro is used as getter:
- the first macro takes 3 parameters and converts it to a function
call: FCONF_GET_PROPERTY(a,b,c) -> a__b_getter(c).
- the second level defines a__b_getter(c) to the matching C structure,
variable, array, function, etc..
Ex: Get a Chain of trust property:
1) FCONF_GET_PROPERY(tbbr, cot, BL2_id) -> tbbr__cot_getter(BL2_id)
2) tbbr__cot_getter(BL2_id) -> cot_desc_ptr[BL2_id]
Change-Id: Id394001353ed295bc680c3f543af0cf8da549469
Signed-off-by: Louis Mayencourt <louis.mayencourt@arm.com>
Fix code that violates the MISRA rule:
MISRA C-2012 Rule 11.9: Literal "0" shall not be used as
null pointer constant.
The fix explicitly checks whether a pointer is NULL.
Change-Id: Ibc318dc0f464982be9a34783f24ccd1d44800551
Signed-off-by: Zelalem <zelalem.aweke@arm.com>
CID 353228: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
The checks on size and offset_address in get_entry always resolve to
false provided those fields are long long int and cannot be greater
than LONG_MAX.
Signed-off-by: Olivier Deprez <olivier.deprez@arm.com>
Change-Id: I0fac485a39ac4a40ae8c0d25a706ad74c795e130
This patch adds 'fdtw_read_bytes' and 'fdtw_write_inplace_bytes'
functions for read/write array of bytes from/to a given property.
It also adds 'fdt_setprop_inplace_namelen_partial' to jmptbl.i
files for builds with USE_ROMLIB=1 option.
Change-Id: Ied7b5c8b38a0e21d508aa7bcf5893e656028b14d
Signed-off-by: Alexei Fedorov <Alexei.Fedorov@arm.com>
The Secure Configuration Register is 64-bits in AArch64 and 32-bits in
AArch32. Use u_register_t instead of unsigned int to reflect this.
Change-Id: I51b69467baba36bf0cfaec2595dc8837b1566934
Signed-off-by: Louis Mayencourt <louis.mayencourt@arm.com>
Since BL31 PROGBITS and BL31 NOBITS sections are going to be
in non-adjacent memory regions, potentially far from each other,
some fixes are needed to support it completely.
1. adr instruction only allows computing the effective address
of a location only within 1MB range of the PC. However, adrp
instruction together with an add permits position independent
address of any location with 4GB range of PC.
2. Since BL31 _RW_END_ marks the end of BL31 image, care must be
taken that it is aligned to page size since we map this memory
region in BL31 using xlat_v2 lib utils which mandate alignment of
image size to page granularity.
Change-Id: I3451cc030d03cb2032db3cc088f0c0e2c84bffda
Signed-off-by: Madhukar Pappireddy <madhukar.pappireddy@arm.com>
bakery_lock_get() uses DMB LD after lock acquisition and
bakery_lock_release() uses DMB ST before releasing the lock. This is
insufficient in both cases. With just DMB LD, stores in the critical
section can be reordered before the DMB LD which could mean writes in
the critical section completing before the lock has been acquired
successfully. Similarly, with just DMB ST, a load in the critical section
could be reordered after the the DMB ST. DMB is the least expensive
barrier that can provide the required ordering.
Signed-off-by: Raghu Krishnamurthy <raghu.ncstate@icloud.com>
Change-Id: Ieb74cbf5b76b09e1789331b71f37f7c660221b0e
CPUECTLR_EL1.EXTLLC bit indicates the presense of internal or external
last level cache(LLC) in the system, the reset value is internal LLC.
To cater for the platforms(like N1SDP) which has external LLC present
introduce a new build option 'NEOVERSE_N1_EXTERNAL_LLC' which can be
enabled by platform port.
Signed-off-by: Manish Pandey <manish.pandey2@arm.com>
Change-Id: Ibf475fcd6fd44401897a71600f4eafe989921363
Setting errata workarounds for N1 1043202 and 1315703 to 0 since
they should be turned off by default.
Signed-off-by: Lauren Wehrmeister <lauren.wehrmeister@arm.com>
Change-Id: I116673a4ddcf64436e90d70133f035a133989ed9
This makes the PSCI SYSTEM_OFF call work on QEMU. It assumes that QEMU has
semihosting enabled, but that is already assumed by the image loader.
Signed-off-by: Andrew Walbran <qwandor@google.com>
Change-Id: I0fb7cf7909262b675c3143efeac07f4d60730b03
Even though ERET always causes a jump to another address, aarch64 CPUs
speculatively execute following instructions as if the ERET
instruction was not a jump instruction.
The speculative execution does not cross privilege-levels (to the jump
target as one would expect), but it continues on the kernel privilege
level as if the ERET instruction did not change the control flow -
thus execution anything that is accidentally linked after the ERET
instruction. Later, the results of this speculative execution are
always architecturally discarded, however they can leak data using
microarchitectural side channels. This speculative execution is very
reliable (seems to be unconditional) and it manages to complete even
relatively performance-heavy operations (e.g. multiple dependent
fetches from uncached memory).
This was fixed in Linux, FreeBSD, OpenBSD and Optee OS:
679db7080129fb48ace43a08873eceabfd092aa1
It is demonstrated in a SafeSide example:
https://github.com/google/safeside/blob/master/demos/eret_hvc_smc_wrapper.cchttps://github.com/google/safeside/blob/master/kernel_modules/kmod_eret_hvc_smc/eret_hvc_smc_module.c
Signed-off-by: Anthony Steinhauser <asteinhauser@google.com>
Change-Id: Iead39b0b9fb4b8d8b5609daaa8be81497ba63a0f
Use end_va and end_pa defined at the beginning of this function.
Change-Id: I0e8b3b35fceb87b5d35397eb892d4fe92ba90b4c
Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
Since BL31 PROGBITS and BL31 NOBITS sections are going to be
in non-adjacent memory regions, potentially far from each other,
some fixes are needed to support it completely.
1. adr instruction only allows computing the effective address
of a location only within 1MB range of the PC. However, adrp
instruction together with an add permits position independent
address of any location with 4GB range of PC.
2. Since BL31 _RW_END_ marks the end of BL31 image, care must be
taken that it is aligned to page size since we map this memory
region in BL31 using xlat_v2 lib utils which mandate alignment of
image size to page granularity.
Change-Id: Ic745c5a130fe4239fa2742142d083b2bdc4e8b85
Signed-off-by: Madhukar Pappireddy <madhukar.pappireddy@arm.com>
Imported from the LLVM compiler_rt library on master branch as of
30 Oct 2018 (SVN revision: r345645).
This is to get the __popcountsi2(si_int a) and __popcountdi2(di_int a)
builtin which are required by a driver that uses a __builtin_popcount().
Change-Id: I8e0d97cebdd90d224690c8ce1b02e657acdddb25
Signed-off-by: Lionel Debieve <lionel.debieve@st.com>
NOTE for platform integrators:
API `plat_psci_stat_get_residency()` third argument
`last_cpu_idx` is changed from "signed int" to the
"unsigned int" type.
Issue / Trouble points
1. cpu_idx is used as mix of `unsigned int` and `signed int` in code
with typecasting at some places leading to coverity issues.
2. Underlying platform API's return cpu_idx as `unsigned int`
and comparison is performed with platform specific defines
`PLAFORM_xxx` which is not consistent
Misra Rule 10.4:
The value of a complex expression of integer type may only be cast to
a type that is narrower and of the same signedness as the underlying
type of the expression.
Based on above points, cpu_idx is kept as `unsigned int` to match
the API's and low-level functions and platform defines are updated
where ever required
Signed-off-by: Deepika Bhavnani <deepika.bhavnani@arm.com>
Change-Id: Ib26fd16e420c35527204b126b9b91e8babcc3a5c
Import aeabi_ldivmod.S with divmoddi4.c and divdi3.c from the
LLVM compiler_rt library on master branch as of 30 Oct 2018
(SVN revision: r345645).
This is to get the __aeabi_ldivmod builtin, which is required
by a patch using signed long long division.
Change-Id: Iee4c421deb3175142655e19074cd3732edd82227
Signed-off-by: Lionel Debieve <lionel.debieve@st.com>
Erratum 1688305 is a Cat B erratum present in r0p0, r0p1 versions
of Hercules core. The erratum can be avoided by setting bit 1 of the
implementation defined register CPUACTLR2_EL1 to 1 to prevent store-
release from being dispatched before it is the oldest.
Change-Id: I2ac04f5d9423868b6cdd4ceb3d0ffa46e570efed
Signed-off-by: Madhukar Pappireddy <madhukar.pappireddy@arm.com>
The Secure Partition Manager (SPM) prototype implementation is
being removed. This is preparatory work for putting in place a
dispatcher component that, in turn, enables partition managers
at S-EL2 / S-EL1.
This patch removes:
- The core service files (std_svc/spm)
- The Resource Descriptor headers (include/services)
- SPRT protocol support and service definitions
- SPCI protocol support and service definitions
Change-Id: Iaade6f6422eaf9a71187b1e2a4dffd7fb8766426
Signed-off-by: Paul Beesley <paul.beesley@arm.com>
Signed-off-by: Artsem Artsemenka <artsem.artsemenka@arm.com>
Provide an SMC interface to the 9p filesystem. This permits
accessing firmware drivers through a common interface, using
standardized read/write/control operations.
Signed-off-by: Ambroise Vincent <ambroise.vincent@arm.com>
Signed-off-by: Olivier Deprez <olivier.deprez@arm.com>
Change-Id: I9314662314bb060f6bc02714476574da158b2a7d
EA handlers for exceptions taken from lower ELs at the end invokes
el3_exit function. However there was a bug with sp maintenance which
resulted in el3_exit setting runtime stack to context. This in turn
caused memory corruption on consecutive EL3 entries.
Signed-off-by: Jan Dabros <jsd@semihalf.com>
Change-Id: I0424245c27c369c864506f4baa719968890ce659
Add a FIP driver hooked to debugfs 9p interface. This is an
abstraction of the FIP filesystem layer on top of a mass storage,
or memory block driver.
Signed-off-by: Olivier Deprez <olivier.deprez@arm.com>
Change-Id: If275ea0824763de43ab666dab2a06de5352ff940
The 9p interface provides abstraction layers allowing the software
that uses devices to be independent from the hardware.
This patch provides a file system abstraction to link drivers to their
devices and propose a common interface to expose driver operations to
higher layers. This file system can be used to access and configure a
device by doing read/write operations.
Signed-off-by: Ambroise Vincent <ambroise.vincent@arm.com>
Signed-off-by: Olivier Deprez <olivier.deprez@arm.com>
Change-Id: Ia9662393baf489855dc0c8f389fe4a0afbc9c255
This function scans a string backwards from the end for the first
instance of a character.
Change-Id: I46b21573ed25a0ff222eac340e1e1fb93b040763
Signed-off-by: Ambroise Vincent <ambroise.vincent@arm.com>
Check that entry point information requesting S-EL2
has AArch64 as an execution state during context setup.
Signed-off-by: Artsem Artsemenka <artsem.artsemenka@arm.com>
Change-Id: I447263692fed6e55c1b076913e6eb73b1ea735b7
This patch adds support for enabling S-EL2 if this EL is specified in the entry
point information being used to initialise a secure context. It is the caller's
responsibility to check if S-EL2 is available on the system before requesting
this EL through the entry point information.
Signed-off-by: Achin Gupta <achin.gupta@arm.com>
Change-Id: I2752964f078ab528b2e80de71c7d2f35e60569e1
Same SoC has different personality by creating different number of:
- cores
- clusters.
As a result, the platform specific power domain tree will be created
after identify the personality of the SoC.
Hence, platform specific power domain tree may not be same for all the
personality of the soc.
Thus, psci library code will deduce the 'plat_core_count', while
populating the power domain tree topology and return the number of
cores.
PLATFORM_CORE_COUNT will still be valid for a SoC, such that
psci_plat_core_count <= PLATFORM_CORE_COUNT.
PLATFORM_CORE_COUNT will continued to be defined by platform to create
the data structures.
Signed-off-by: Pankaj Gupta <pankaj.gupta@nxp.com>
Change-Id: I1f5c47647631cae2dcdad540d64cf09757db7185
`unsigned long` should be replaced to
1. `unsigned int` or `unsigned long long` - If fixed,
based on the architecture AArch32 or AArch64
2. `u_register_t` - If it is supposed to be 32-bit
wide in AArch32 and 64-bit wide in AArch64.
Translation descriptors are always 32-bit wide, here
`uint32_t` is used to describe the `exact size` of
translation descriptors instead of `unsigned int` which
guarantees minimum 32-bits
Signed-off-by: Deepika Bhavnani <deepika.bhavnani@arm.com>
Change-Id: I6a2af2e8b3c71170e2634044e0b887f07a41677e
Fix a few white space errors and remove #if defined in workaround
for N1 Errata 1542419.
Signed-off-by: Lauren Wehrmeister <lauren.wehrmeister@arm.com>
Change-Id: I07ac5a2fd50cd63de53c06e3d0f8262871b62fad
Explicitly disable stack protection via the "-fno-stack-protector"
compiler option when the ENABLE_STACK_PROTECTOR build option is
set to "none" (the default).
This allows the build to complete without link errors on systems where
stack protection is enabled by default in the compiler.
Change-Id: I0a676aa672815235894fb2cd05fa2b196fabb972
Signed-off-by: Simon South <simon@simonsouth.net>
The WARMBOOT_ENABLE_DCACHE_EARLY allows caches to be turned on early during
the boot. But the xlat_change_mem_attributes_ctx() API did not do the required
cache maintenance after the mmap tables are modified if
WARMBOOT_ENABLE_DCACHE_EARLY is enabled. This meant that when the caches are turned
off during power down, the tables in memory are accessed as part of cache
maintenance for power down, and the tables are not correct at this point which
results in a data abort.
This patch removes the optimization within xlat_change_mem_attributes_ctx()
when WARMBOOT_ENABLE_DCACHE_EARLY is enabled.
Signed-off-by: Artsem Artsemenka <artsem.artsemenka@arm.com>
Change-Id: I82de3decba87dd13e9856b5f3620a1c8571c8d87
Coherent I-cache is causing a prefetch violation where when the core
executes an instruction that has recently been modified, the core might
fetch a stale instruction which violates the ordering of instruction
fetches.
The workaround includes an instruction sequence to implementation
defined registers to trap all EL0 IC IVAU instructions to EL3 and a trap
handler to execute a TLB inner-shareable invalidation to an arbitrary
address followed by a DSB.
Signed-off-by: Lauren Wehrmeister <lauren.wehrmeister@arm.com>
Change-Id: Ic3b7cbb11cf2eaf9005523ef5578a372593ae4d6
Make the spinlock implementation use ARMv8.1-LSE CAS instruction based
on a platform build option. The CAS-based implementation used to be
unconditionally selected for all ARM8.1+ platforms.
The previous CAS spinlock implementation had a bug wherein the spin_unlock()
implementation had an `sev` after `stlr` which is not sufficient. A dsb is
needed to ensure that the stlr completes prior to the sev. Having a dsb is
heavyweight and a better solution would be to use load exclusive semantics
to monitor the lock and wake up from wfe when a store happens to the lock.
The patch implements the same.
Change-Id: I5283ce4a889376e4cc01d1b9d09afa8229a2e522
Signed-off-by: Soby Mathew <soby.mathew@arm.com>
Signed-off-by: Olivier Deprez <olivier.deprez@arm.com>
This patch adds support for ARMv8.3-PAuth in BL1 SMC calls and
BL2U image for firmware updates by programming APIAKey_EL1 registers
and enabling Pointer Authentication in EL3 and EL1 respectively.
Change-Id: I875d952aba8242caf74fb5f4f2d2af6f0c768c08
Signed-off-by: Alexei Fedorov <Alexei.Fedorov@arm.com>
This patch changes implementation for disabling Secure Cycle
Counter. For ARMv8.5 the counter gets disabled by setting
SDCR.SCCD bit on CPU cold/warm boot. For the earlier
architectures PMCR register is saved/restored on secure
world entry/exit from/to Non-secure state, and cycle counting
gets disabled by setting PMCR.DP bit.
In 'include\aarch32\arch.h' header file new
ARMv8.5-PMU related definitions were added.
Change-Id: Ia8845db2ebe8de940d66dff479225a5b879316f8
Signed-off-by: Alexei Fedorov <Alexei.Fedorov@arm.com>
This PSCI hook is similar to pwr_domain_on_finish but is
guaranteed to be invoked with the respective core and cluster are
participating in coherency. This will be necessary to safely invoke
the new GICv3 API which modifies shared GIC data structures concurrently.
Change-Id: I8e54f05c9d4ef5712184c9c18ba45ac97a29eb7a
Signed-off-by: Madhukar Pappireddy <madhukar.pappireddy@arm.com>
assert() calls are removed in release builds, and if that assert call is
the only use of a variable, an unused variable warning will be triggered
in a release build. This patch fixes this problem when
CTX_INCLUDE_MTE_REGS by not using an intermediate variable to store the
results of get_armv8_5_mte_support().
Change-Id: I529e10ec0b2c8650d2c3ab52c4f0cecc0b3a670e
Signed-off-by: Justin Chadwell <justin.chadwell@arm.com>
AArch64 System register SCTLR_EL1[31:0] is architecturally mapped
to AArch32 System register SCTLR[31:0]
AArch64 System register ACTLR_EL1[31:0] is architecturally mapped
to AArch32 System register ACTLR[31:0].
`u_register_t` should be used when it's important to store the
contents of a register in its native size
Signed-off-by: Deepika Bhavnani <deepika.bhavnani@arm.com>
Change-Id: I0055422f8cc0454405e011f53c1c4ddcaceb5779
This patch provides the following features and makes modifications
listed below:
- Individual APIAKey key generation for each CPU.
- New key generation on every BL31 warm boot and TSP CPU On event.
- Per-CPU storage of APIAKey added in percpu_data[]
of cpu_data structure.
- `plat_init_apiakey()` function replaced with `plat_init_apkey()`
which returns 128-bit value and uses Generic timer physical counter
value to increase the randomness of the generated key.
The new function can be used for generation of all ARMv8.3-PAuth keys
- ARMv8.3-PAuth specific code placed in `lib\extensions\pauth`.
- New `pauth_init_enable_el1()` and `pauth_init_enable_el3()` functions
generate, program and enable APIAKey_EL1 for EL1 and EL3 respectively;
pauth_disable_el1()` and `pauth_disable_el3()` functions disable
PAuth for EL1 and EL3 respectively;
`pauth_load_bl31_apiakey()` loads saved per-CPU APIAKey_EL1 from
cpu-data structure.
- Combined `save_gp_pauth_registers()` function replaces calls to
`save_gp_registers()` and `pauth_context_save()`;
`restore_gp_pauth_registers()` replaces `pauth_context_restore()`
and `restore_gp_registers()` calls.
- `restore_gp_registers_eret()` function removed with corresponding
code placed in `el3_exit()`.
- Fixed the issue when `pauth_t pauth_ctx` structure allocated space
for 12 uint64_t PAuth registers instead of 10 by removal of macro
CTX_PACGAKEY_END from `include/lib/el3_runtime/aarch64/context.h`
and assigning its value to CTX_PAUTH_REGS_END.
- Use of MODE_SP_ELX and MODE_SP_EL0 macro definitions
in `msr spsel` instruction instead of hard-coded values.
- Changes in documentation related to ARMv8.3-PAuth and ARMv8.5-BTI.
Change-Id: Id18b81cc46f52a783a7e6a09b9f149b6ce803211
Signed-off-by: Alexei Fedorov <Alexei.Fedorov@arm.com>
cpu_idx is used as mix of `unsigned int` and `signed int` in code
with typecasting at some places. This change is to unify the
cpu_idx as `unsigned int` as underlying API;s `plat_my_core_pos`
returns `unsigned int`
It was discovered via coverity issue CID 354715
Signed-off-by: Deepika Bhavnani <deepika.bhavnani@arm.com>
Change-Id: I4f0adb0c596ff1177210c5fe803bff853f2e54ce
Zeus supports the SSBS mechanism and also the new MSR instruction to
immediately apply the mitigation. Hence, the new instruction is utilised
in the Zeus-specific reset function.
Change-Id: I962747c28afe85a15207a0eba4146f9a115b27e7
Signed-off-by: John Tsichritzis <john.tsichritzis@arm.com>
Sparse warns this:
lib/libc/assert.c:29:6: error: symbol '__assert' redeclared with different type (originally declared at include/lib/libc/assert.h:36) - different modifiers
Add __dead2 to match the header declaration and C definition.
I also changed '__dead2 void' to 'void __dead2' for the consistency
with other parts.
Change-Id: Iefa4f0e787c24fa7e7e499d2e7baf54d4deb49ef
Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
This patch adds support for the new Memory Tagging Extension arriving in
ARMv8.5. MTE support is now enabled by default on systems that support
at EL0. To enable it at ELx for both the non-secure and the secure
world, the compiler flag CTX_INCLUDE_MTE_REGS includes register saving
and restoring when necessary in order to prevent register leakage
between the worlds.
Change-Id: I2d4ea993d6b11654ea0d4757d00ca20d23acf36c
Signed-off-by: Justin Chadwell <justin.chadwell@arm.com>
This patch fixes an issue when secure world timing information
can be leaked because Secure Cycle Counter is not disabled.
For ARMv8.5 the counter gets disabled by setting MDCR_El3.SCCD
bit on CPU cold/warm boot.
For the earlier architectures PMCR_EL0 register is saved/restored
on secure world entry/exit from/to Non-secure state, and cycle
counting gets disabled by setting PMCR_EL0.DP bit.
'include\aarch64\arch.h' header file was tided up and new
ARMv8.5-PMU related definitions were added.
Change-Id: I6f56db6bc77504634a352388990ad925a69ebbfa
Signed-off-by: Alexei Fedorov <Alexei.Fedorov@arm.com>
GCC diagnostics were added to ignore array boundaries, instead
of ignoring GCC warning current code will check for array boundaries
and perform and array update only for valid elements.
Resolves: `CID 246574` `CID 246710` `CID 246651`
Signed-off-by: Deepika Bhavnani <deepika.bhavnani@arm.com>
Change-Id: I7530ecf7a1707351c6ee87e90cc3d33574088f57
This patch fixes FVP_Base_AEMv8A model hang issue with
ARMv8.4+ with cache modelling enabled configuration.
Incorrect L1 cache flush operation to PoU, using CLIDR_EL1
LoUIS field, which is required by the architecture to be
zero for ARMv8.4-A with ARMv8.4-S2FWB feature is replaced
with L1 to L2 and L2 to L3 (if L3 is present) cache flushes.
FVP_Base_AEMv8A model can be configured with L3 enabled by
setting `cluster0.l3cache-size` and `cluster1.l3cache-size`
to non-zero values, and presence of L3 is checked in
`aem_generic_core_pwr_dwn` function by reading
CLIDR_EL1.Ctype3 field value.
Change-Id: If3de3d4eb5ed409e5b4ccdbc2fe6d5a01894a9af
Signed-off-by: Alexei Fedorov <Alexei.Fedorov@arm.com>
Coverity has identified that the __aeabi_imod function will loop forever
if the denominator is not a power of 2, which is probably not the
desired behaviour.
The functions in the rest of the file are compiler implementations of
division if ARMv7 does not implement division which is permitted by the
spec. However, while most of the functions in the file are documented
and referenced in other places online, __aeabi_uimod and __aeabi_imod
are not. For this reason, these functions have been removed from the
code base, which also removes the Coverity error.
Change-Id: I20066d72365329a8b03a5536d865c4acaa2139ae
Signed-off-by: Justin Chadwell <justin.chadwell@arm.com>
This patch simply splits off the increment of next_xlat into a separate
statement to ensure consistent behaviour if the assert was to ever be
removed.
Change-Id: I827f601ccea55f4da9442048419c9b8cc0c5d22e
Signed-off-by: Justin Chadwell <justin.chadwell@arm.com>
This ensures that probe_data starts with a reasonable default, as
opposed to whatever was left on the stack.
Change-Id: I5550efea5e2bec7717f9fa063cb11e6a7005cce5
Signed-off-by: Justin Chadwell <justin.chadwell@arm.com>
NOTE: AARCH32/AARCH64 macros are now deprecated in favor of __aarch64__.
All common C compilers pre-define the same macros to signal which
architecture the code is being compiled for: __arm__ for AArch32 (or
earlier versions) and __aarch64__ for AArch64. There's no need for TF-A
to define its own custom macros for this. In order to unify code with
the export headers (which use __aarch64__ to avoid another dependency),
let's deprecate the AARCH32 and AARCH64 macros and switch the code base
over to the pre-defined standard macro. (Since it is somewhat
unintuitive that __arm__ only means AArch32, let's standardize on only
using __aarch64__.)
Change-Id: Ic77de4b052297d77f38fc95f95f65a8ee70cf200
Signed-off-by: Julius Werner <jwerner@chromium.org>
NOTE: __ASSEMBLY__ macro is now deprecated in favor of __ASSEMBLER__.
All common C compilers predefine a macro called __ASSEMBLER__ when
preprocessing a .S file. There is no reason for TF-A to define it's own
__ASSEMBLY__ macro for this purpose instead. To unify code with the
export headers (which use __ASSEMBLER__ to avoid one extra dependency),
let's deprecate __ASSEMBLY__ and switch the code base over to the
predefined standard.
Change-Id: Id7d0ec8cf330195da80499c68562b65cb5ab7417
Signed-off-by: Julius Werner <jwerner@chromium.org>
* changes:
plat/mediatek/mt81*: Use new bl31_params_parse() helper
plat/rockchip: Use new bl31_params_parse_helper()
Add helper to parse BL31 parameters (both versions)
Factor out cross-BL API into export headers suitable for 3rd party code
Use explicit-width data types in AAPCS parameter structs
plat/rockchip: Switch to use new common BL aux parameter library
Introduce lightweight BL platform parameter library
The features of the previously existing gentbl, genvar and genwrappers
scripts were reimplemented in the romlib_generator.py Python script.
This resulted in more readable and maintainable code and the script
introduces additional features that help dependency handling in
makefiles. The assembly templates were separated from the script logic
and were collected in the 'templates' directory.
The targets and their dependencies were reorganized in the makefile and
the dependency handling of included index files is possible now.
Incremental build is available in case of modifying the index files.
Signed-off-by: Imre Kis <imre.kis@arm.com>
Change-Id: I79f65fab9dc5c70d1f6fc8f57b2a3009bf842dc5
This patch adds some common helper code to support a lightweight
platform parameter passing framework between BLs that has already been
used on Rockchip platforms but is more widely useful to others as well.
It can be used as an implementation for the SoC firmware configuration
file mentioned in the docs, and is primarily intended for platforms
that only require a handful of values to be passed and want to get by
without a libfdt dependency. Parameters are stored in a linked list and
the parameter space is split in generic and vendor-specific parameter
types. Generic types will be handled by this code whereas
vendor-specific types have to be handled by a vendor-specific handler
function that gets passed in.
Change-Id: If3413d44e86b99d417294ce8d33eb2fc77a6183f
Signed-off-by: Julius Werner <jwerner@chromium.org>
* changes:
Enable -Wshift-overflow=2 to check for undefined shift behavior
Update base code to not rely on undefined overflow behaviour
Update hisilicon drivers to not rely on undefined overflow behaviour
Update synopsys drivers to not rely on undefined overflow behaviour
Update imx platform to not rely on undefined overflow behaviour
Update mediatek platform to not rely on undefined overflow behaviour
Update layerscape platform to not rely on undefined overflow behaviour
Update intel platform to not rely on undefined overflow behaviour
Update rockchip platform to not rely on undefined overflow behaviour
Update renesas platform to not rely on undefined overflow behaviour
Update meson platform to not rely on undefined overflow behaviour
Update marvell platform to not rely on undefined overflow behaviour
This patch enables MTE for Normal world if the CPU suppors it. Enabling
MTE for secure world will be done later.
Change-Id: I9ef64460beaba15e9a9c20ab02da4fb2208b6f7d
Signed-off-by: Soby Mathew <soby.mathew@arm.com>
This consists of ensuring that the left operand of each shift is
unsigned when the operation might overflow into the sign bit.
Change-Id: Iddd6f38139a4c6e500468b4fc48d04e0939f574e
Signed-off-by: Justin Chadwell <justin.chadwell@arm.com>
Replacing ISB instructions in each Errata workaround with a single ISB
instruction before the RET in the reset handler.
Change-Id: I08afabc5b98986a6fe81664cd13822b36cab786f
Signed-off-by: Lauren Wehrmeister <lauren.wehrmeister@arm.com>
Neoverse N1 erratum 1275112 is a Cat B erratum [1],
present in older revisions of the Neoverse N1 processor core.
The workaround is to set a bit in the implementation defined
CPUACTLR_EL1 system register, which delays instruction fetch after
branch misprediction.
[1] http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.pjdoc-466751330-10325/index.html
Change-Id: If7fe55fe92e656fa6aea12327ab297f2e6119833
Signed-off-by: Lauren Wehrmeister <lauren.wehrmeister@arm.com>
Neoverse N1 erratum 1262888 is a Cat B erratum [1],
present in older revisions of the Neoverse N1 processor core.
The workaround is to set a bit in the implementation defined
CPUECTLR_EL1 system register, which disables the MMU hardware prefetcher.
[1] http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.pjdoc-466751330-10325/index.html
Change-Id: Ib733d748e32a7ea6a2783f3d5a9c5e13eee01105
Signed-off-by: Lauren Wehrmeister <lauren.wehrmeister@arm.com>
Neoverse N1 erratum 1262606 is a Cat B erratum [1],
present in older revisions of the Neoverse N1 processor core.
The workaround is to set a bit in the implementation defined
CPUACTLR_EL1 system register, which delays instruction fetch after
branch misprediction.
[1] http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.pjdoc-466751330-10325/index.html
Change-Id: Idd980e9d5310232d38f0ce272862e1fb0f02ce9a
Signed-off-by: Lauren Wehrmeister <lauren.wehrmeister@arm.com>
Neoverse N1 erratum 1257314 is a Cat B erratum [1],
present in older revisions of the Neoverse N1 processor core.
The workaround is to set a bit in the implementation defined
CPUACTLR3_EL1 system register, which prevents parallel
execution of divide and square root instructions.
[1] http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.pjdoc-466751330-10325/index.html
Change-Id: I54f0f40ff9043efee40d51e796b92ed85b394cbb
Signed-off-by: Lauren Wehrmeister <lauren.wehrmeister@arm.com>
Manish V Badarkhe
Sandrine Bailleux
Louis Mayencourt
Andre Przywara
Julius Werner
Masahiro Yamada
Mark Dykes
Pramod Kumar
Manish Pandey
Olivier Deprez
Soby Mathew
Madhukar Pappireddy
Kalyani Chidambaram
Varun Wadekar
Max Shvetsov
Petre-Ionut Tudor
joanna.farley
Zelalem
Jimmy Brisson
Alexei Fedorov
Andrew Walbran
Raghu Krishnamurthy
laurenw-arm
Anthony Steinhauser
Lionel Debieve
Deepika Bhavnani
Paul Beesley
Ambroise Vincent
Jan Dabros
Artsem Artsemenka
Achin Gupta
Pankaj Gupta
Simon South
Imre Kis
Justin Chadwell
John Tsichritzis
Balint Dobszay