Since now the generic console_t structure holds the UART base address as
well, let's use that generic location for the coreboot memory console.
This removes the base member from the coreboot specific data structure,
but keeps the struct console_cbmc_t and its size member.
Change-Id: I7f1dffd41392ba3fe5c07090aea761a42313fb5b
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
Since now the generic console_t structure holds the UART base address as
well, let's use that generic location and drop the UART driver specific
data structure at all.
Change-Id: I7a23327394d142af4b293ea7ccd90b843c54587c
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
Since now the generic console_t structure holds the UART base address as
well, let's use that generic location and drop the UART driver specific
data structure at all.
Change-Id: I07a07677153d3671ced776671e4f107824d3df16
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
*All* UART drivers in TF-A are storing their base address as a uintptr_t
pointer in the first location of the UART specific driver data.
Since the base address is a pretty natural and generic data item, we
should integrate this into the generic console_t structure.
That will not only allow to remove a lot of seemingly UART specific data
structures, but also enables to simplify runtime choices between different
UARTs, since they can share the same pointer.
This patch just adds the new member, the existing data structures will
be handled on a per-UART base in follow-up patches.
Change-Id: I59ce49471ccc8f3b870f2cfd8a72ebfd0cb14d12
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
Since now the generic console_t structure holds the UART base address as
well, let's use that generic location and drop the UART driver specific
data structure at all.
Change-Id: I9f8b55414ab7965e431e3e86d182eabd511f32a4
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
Since now the generic console_t structure holds the UART base address as
well, let's use that generic location and drop the UART driver specific
data structure at all.
Change-Id: Iea6ca26ff4903c33f0fad27fec96fdbabd4e0a91
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
Since now the generic console_t structure holds the UART base address as
well, let's use that generic location and drop the UART driver specific
data structure at all.
Change-Id: I836e26ff1771abf21fd460d0ee40e90a452e9b43
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
Since now the generic console_t structure holds the UART base address as
well, let's use that generic location and drop the UART driver specific
data structure at all.
Change-Id: I89c3ab2ed85ab941d8b38ced48474feb4aaa8b7e
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
Since now the generic console_t structure holds the UART base address as
well, let's use that generic location and drop the UART driver specific
data structure at all.
Change-Id: I5c2fe3b6a667acf80c808cfec4a64059a2c9c25f
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
This patch introduces a build flag which allows the xlat tables
to be mapped in a read-only region within BL31 memory. It makes it
much harder for someone who has acquired the ability to write to
arbitrary secure memory addresses to gain control of the
translation tables.
The memory attributes of the descriptors describing the tables
themselves are changed to read-only secure data. This change
happens at the end of BL31 runtime setup. Until this point, the
tables have read-write permissions. This gives a window of
opportunity for changes to be made to the tables with the MMU on
(e.g. reclaiming init code). No changes can be made to the tables
with the MMU turned on from this point onwards. This change is also
enabled for sp_min and tspd.
To make all this possible, the base table was moved to .rodata. The
penalty we pay is that now .rodata must be aligned to the size of
the base table (512B alignment). Still, this is better than putting
the base table with the higher level tables in the xlat_table
section, as that would cost us a full 4KB page.
Changing the tables from read-write to read-only cannot be done with
the MMU on, as the break-before-make sequence would invalidate the
descriptor which resolves the level 3 page table where that very
descriptor is located. This would make the translation required for
writing the changes impossible, generating an MMU fault.
The caches are also flushed.
Signed-off-by: Petre-Ionut Tudor <petre-ionut.tudor@arm.com>
Change-Id: Ibe5de307e6dc94c67d6186139ac3973516430466
The cookie will be leveraged in the next commit.
Change-Id: Ie8bad275d856d84c27466461cf815529dd860446
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
This new chain of trust defines 2 independent signing domains:
1) One for the silicon firmware (BL1, BL2, BL31) and optionally the
Trusted OS. It is rooted in the Silicon ROTPK, just as in the TBBR
CoT.
2) One for the Normal World Bootloader (BL33). It is rooted in a new key
called Platform ROTPK, or PROTPK for short.
In terms of certificates chain,
- Signing domain 1) is similar to what TBBR advocates (see page 21 of
the TBBR specification), except that the Non-Trusted World Public Key
has been removed from the Trusted Key Certificate.
- Signing domain 2) only contains the Non-Trusted World Content
certificate, which provides the hash of the Non-Trusted World
Bootloader. Compared to the TBBR CoT, there's no Non-Trusted World
Key certificate for simplicity.
Change-Id: I62f1e952522d84470acc360cf5ee63e4c4b0b4d9
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
At each BL entry point, the registers r9 to r12 are used to save info from
the previous BL parameters put in r0 to r3. But zeromem uses r12, leading
to a corruption of arg3. Therefore this change copies r12 to r7 before
zeromem() call and restores r12 afterwards. It may be better to save it
in r7 in el3_arch_init_common and not at the entrypoint as r7 could be used
in other functions, especially platform ones.
This is a fix for Task T661.
Change-Id: Icc11990c69b5d4c542d08aca1a77b1f754b61a53
Signed-off-by: Yann Gautier <yann.gautier@st.com>
This patch modifies the delay timer driver to switch to the ARM
secure physical timer instead of using Tegra's on-chip uS timer.
The secure timer is not accessible to the NS world and so eliminates
an important attack vector, where the Tegra timer source gets switched
off from the NS world leading to a DoS attack for the trusted world.
This timer is shared with the S-EL1 layer for now, but later patches
will mark it as exclusive to the EL3 exception mode.
Change-Id: I2c00f8cb4c48b25578971c626c314603906ad7cc
Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>
This patch moves the MHZ_TICKS_PER_SEC macro to utils_def.h
for other platforms to use.
Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>
Change-Id: I6c4dc733f548d73cfdb3515ec9ad89a9efaf4407
The CPUACTLR_EL1 register on Cortex-A57 CPUs supports a bit to enable
non-cacheable streaming enhancement. Platforms can set this bit only
if their memory system meets the requirement that cache line fill
requests from the Cortex-A57 processor are atomic.
This patch adds support to enable higher performance non-cacheable load
forwarding for such platforms. Platforms must enable this support by
setting the 'A57_ENABLE_NONCACHEABLE_LOAD_FWD' flag from their
makefiles. This flag is disabled by default.
Change-Id: Ib27e55dd68d11a50962c0bbc5b89072208b4bac5
Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>
Removed duplicate error code present for SMCCC and used
proper error code for "SMCCC_ARCH_WORKAROUND_2" call.
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
Change-Id: I76fc7c88095f78a7e2c3d205838f8eaf3132ed5c
For platforms that have two or more TZC400 controllers instantiated,
allow the TZC400 driver to be usable with all those instances.
This is achieved by allowing 'arm_tzc400_setup' function to accept
the base address of the TZC400 controller.
Change-Id: I4add470e6ddb58432cd066145e644112400ab924
Signed-off-by: Suyash Pathak <suyash.pathak@arm.com>
The base address for second DRAM varies across different platforms.
So allow platforms to define second DRAM by moving Juno/SGM-775 specific
definition of second DRAM base address to Juno/SGM-775 board definition
respectively, SGI/RD specific definition of DRAM 2 base address to SGI
board definition.
Change-Id: I0ecd3a2bd600b6c7019c7f06f8c452952bd07cae
Signed-off-by: Suyash Pathak <suyash.pathak@arm.com>
A TZC400 can have upto 4 filters and the number of filters instantiated
within a TZC400 is platform dependent. So allow platforms to define the
value of PLAT_ARM_TZC_FILTERS by moving the existing Juno specific
definition of PLAT_ARM_TZC_FILTERS to Juno board definitions.
Change-Id: I67a63d7336595bbfdce3163f9a9473e15e266f40
Signed-off-by: Suyash Pathak <suyash.pathak@arm.com>
Fixes for the following MISRA violations:
- Missing explicit parentheses on sub-expression
- An identifier or macro name beginning with an
underscore, shall not be declared
- Type mismatch in BL1 SMC handlers and tspd_main.c
Change-Id: I7a92abf260da95acb0846b27c2997b59b059efc4
Signed-off-by: Zelalem <zelalem.aweke@arm.com>
* changes:
SPMD: enable SPM dispatcher support
SPMD: hook SPMD into standard services framework
SPMD: add SPM dispatcher based upon SPCI Beta 0 spec
SPMD: add support to run BL32 in TDRAM and BL31 in secure DRAM on Arm FVP
SPMD: add support for an example SPM core manifest
SPMD: add SPCI Beta 0 specification header file
This patch adds a rudimentary SPM dispatcher component in EL3.
It does the following:
- Consumes the TOS_FW_CONFIG to determine properties of the SPM core
component
- Initialises the SPM core component which resides in the BL32 image
- Implements a handler for SPCI calls from either security state. Some
basic validation is done for each call but in most cases it is simply
forwarded as-is to the "other" security state.
Signed-off-by: Achin Gupta <achin.gupta@arm.com>
Signed-off-by: Artsem Artsemenka <artsem.artsemenka@arm.com>
Change-Id: I7d116814557f7255f4f4ebb797d1619d4fbab590
This patch reserves and maps the Trusted DRAM for SPM core execution.
It also configures the TrustZone address space controller to run BL31
in secure DRAM.
Signed-off-by: Achin Gupta <achin.gupta@arm.com>
Signed-off-by: Artsem Artsemenka <artsem.artsemenka@arm.com>
Change-Id: I7e1bb3bbc61a0fec6a9cb595964ff553620c21dc
This patch repurposes the TOS FW configuration file as the manifest for
the SPM core component which will reside at the secure EL adjacent to
EL3. The SPM dispatcher component will use the manifest to determine how
the core component must be initialised. Routines and data structure to
parse the manifest have also been added.
Signed-off-by: Achin Gupta <achin.gupta@arm.com>
Signed-off-by: Artsem Artsemenka <artsem.artsemenka@arm.com>
Change-Id: Id94f8ece43b4e05609f0a1d364708a912f6203cb
Currently sptool generates a single blob containing all the Secure
Partitions, with latest SPM implementation, it is desirable to have
individual blobs for each Secure Partition. It allows to leverage
packaging and parsing of SP on existing FIP framework. It also allows
SP packages coming from different sources.
This patch modifies sptool so that it takes number of SP payload pairs
as input and generates number of SP blobs instead of a single blob.
Each SP blob can optionally have its own header containing offsets and
sizes of different payloads along with a SP magic number and version.
It is also associated in FIP with a UUID, provided by SP owner.
Usage example:
sptool -i sp1.bin:sp1.dtb -o sp1.pkg -i sp2.bin:sp2.dtb -o sp2.pkg ...
Signed-off-by: Manish Pandey <manish.pandey2@arm.com>
Change-Id: Ie2db8e601fa1d4182d0a1d22e78e9533dce231bc
At the moment, address demangling is only used by the backtrace
functionality. However, at some point, other parts of the TF-A
codebase may want to use it.
The 'demangle_address' function is replaced with a single XPACI
instruction which is also added in 'do_crash_reporting()'.
Signed-off-by: Alexei Fedorov <Alexei.Fedorov@arm.com>
Change-Id: I4424dcd54d5bf0a5f9b2a0a84c4e565eec7329ec
On systems that have multiple platform components that can interpret the
SCMI messages, there is a need to support multiple SCMI channels (one
each to those platform components). Extend the existing SCMI interface
that currently supports only a single SCMI channel to support multiple
SCMI channels.
Change-Id: Ice4062475b903aef3b5e5bc37df364c9778a62c5
Signed-off-by: Aditya Angadi <aditya.angadi@arm.com>
In order to allow the MHUv2 driver to be usable with multiple MHUv2
controllers, use the base address of the controller from the platform
information instead of the MHUV2_BASE_ADDR macro.
Change-Id: I4dbab87b929fb0568935e6c8b339ce67937f8cd1
Signed-off-by: Aditya Angadi <aditya.angadi@arm.com>
Multi-chip platforms have two or more identical chips connected using a
high speed coherent link. In order to identify such platforms,
add chip_id and multi_chip_mode information in the platform variant
info structure. The values of these two new elements is populated
during boot.
Change-Id: Ie6e89cb33b3f0f408814f6239cd06647053e23ed
Signed-off-by: Vijayenthiran Subramaniam <vijayenthiran.subramaniam@arm.com>
Currently, an IO setup failure will be ignored on arm platform release
build. Change this to panic instead.
Change-Id: I027a045bce2422b0a0fc4ff9e9d4c6e7bf5d2f98
Signed-off-by: Louis Mayencourt <louis.mayencourt@arm.com>
Change the return type of "arm_io_is_toc_valid()" and
"plat_arm_bl1_fwu_needed()" to bool, to match function behavior.
Change-Id: I503fba211219a241cb263149ef36ca14e3362a1c
Signed-off-by: Louis Mayencourt <louis.mayencourt@arm.com>
Use the firmware configuration framework to store the io_policies
information inside the configuration device tree instead of the static
structure in the code base.
The io_policies required by BL1 can't be inside the dtb, as this one is
loaded by BL1, and only available at BL2.
This change currently only applies to FVP platform.
Change-Id: Ic9c1ac3931a4a136aa36f7f58f66d3764c1bfca1
Signed-off-by: Louis Mayencourt <louis.mayencourt@arm.com>
Use the firmware configuration framework in arm dynamic configuration
to retrieve mbedtls heap information between bl1 and bl2.
For this, a new fconf getter is added to expose the device tree base
address and size.
Change-Id: Ifa5ac9366ae100e2cdd1f4c8e85fc591b170f4b6
Signed-off-by: Louis Mayencourt <louis.mayencourt@arm.com>
Use fconf to retrieve the `disable_authentication` property.
Move this access from arm dynamic configuration to bl common.
Change-Id: Ibf184a5c6245d04839222f5457cf5e651f252b86
Signed-off-by: Louis Mayencourt <louis.mayencourt@arm.com>
This patch introduces a better separation between the trusted-boot
related properties, and the dynamic configuration DTBs loading
information.
The dynamic configuration DTBs properties are moved to a new node:
`dtb-registry`. All the sub-nodes present will be provided to the
dynamic config framework to be loaded. The node currently only contains
the already defined configuration DTBs, but can be extended for future
features if necessary.
The dynamic config framework is modified to use the abstraction provided
by the fconf framework, instead of directly accessing the DTBs.
The trusted-boot properties are kept under the "arm,tb_fw" compatible
string, but in a separate `tb_fw-config` node.
The `tb_fw-config` property of the `dtb-registry` node simply points
to the load address of `fw_config`, as the `tb_fw-config` is currently
part of the same DTB.
Change-Id: Iceb6c4c2cb92b692b6e28dbdc9fb060f1c46de82
Signed-off-by: Louis Mayencourt <louis.mayencourt@arm.com>
Use the dtb provided by bl1 as configuration file for fconf.
Change-Id: I3f466ad9b7047e1a361d94e71ac6d693e31496d9
Signed-off-by: Louis Mayencourt <louis.mayencourt@arm.com>
Move the loading of the dtb from arm_dym_cfg to fconf. The new loading
function is not associated to arm platform anymore, and can be moved
to bl_main if wanted.
Change-Id: I847d07eaba36d31d9d3ed9eba8e58666ea1ba563
Signed-off-by: Louis Mayencourt <louis.mayencourt@arm.com>
Introduce the Firmware CONfiguration Framework (fconf).
The fconf is an abstraction layer for platform specific data, allowing
a "property" to be queried and a value retrieved without the requesting
entity knowing what backing store is being used to hold the data.
The default backing store used is C structure. If another backing store
has to be used, the platform integrator needs to provide a "populate()"
function to fill the corresponding C structure.
The "populate()" function must be registered to the fconf framework with
the "FCONF_REGISTER_POPULATOR()". This ensures that the function would
be called inside the "fconf_populate()" function.
A two level macro is used as getter:
- the first macro takes 3 parameters and converts it to a function
call: FCONF_GET_PROPERTY(a,b,c) -> a__b_getter(c).
- the second level defines a__b_getter(c) to the matching C structure,
variable, array, function, etc..
Ex: Get a Chain of trust property:
1) FCONF_GET_PROPERY(tbbr, cot, BL2_id) -> tbbr__cot_getter(BL2_id)
2) tbbr__cot_getter(BL2_id) -> cot_desc_ptr[BL2_id]
Change-Id: Id394001353ed295bc680c3f543af0cf8da549469
Signed-off-by: Louis Mayencourt <louis.mayencourt@arm.com>
Enables usage of ARM_ROTPK_LOCATION=regs for FVP board.
Removes hard-coded developer keys. Instead, setting
ARM_ROTPK_LOCATION=devel_* takes keys from default directory.
In case of ROT_KEY specified - generates a new hash and replaces the
original.
Note: Juno board was tested by original feature author and was not tested
for this patch since we don't have access to the private key. Juno
implementation was moved to board-specific file without changing
functionality. It is not known whether byte-swapping is still needed
for this platform.
Change-Id: I0fdbaca0415cdcd78f3a388551c2e478c01ed986
Signed-off-by: Max Shvetsov <maksims.svecovs@arm.com>
This patch adds a header file with defines based on the SPCI Beta 0 spec.
It will be used by the SPM dispatcher component which will be introduced
in subsequent patches.
Signed-off-by: Achin Gupta <achin.gupta@arm.com>
Signed-off-by: Artsem Artsemenka <artsem.artsemenka@arm.com>
Change-Id: Ia8a196cd85ebc14731f24801698d0a49a97b6063
This patch adds 'fdtw_read_bytes' and 'fdtw_write_inplace_bytes'
functions for read/write array of bytes from/to a given property.
It also adds 'fdt_setprop_inplace_namelen_partial' to jmptbl.i
files for builds with USE_ROMLIB=1 option.
Change-Id: Ied7b5c8b38a0e21d508aa7bcf5893e656028b14d
Signed-off-by: Alexei Fedorov <Alexei.Fedorov@arm.com>
In order to access MG SRAM, the amb bridge needs to be configured which is
done in bl2 platform init.
For MG CM3, the image is only loaded to its SRAM and the CM3 itself is
left in reset. It is because the next stage bootloader (e.g. u-boot)
will trigger action which will take it out of reset when needed. This
can happen e.g. when appropriate device-tree setup (which has enabled
802.3 auto-neg) will be chosen. In other cases the MG CM3 should not be
running.
Change-Id: I816ea14e3a7174eace068ec44e3cc09998d0337e
Signed-off-by: Grzegorz Jaszczyk <jaz@semihalf.com>
This patch adds 'calc_hash' function using Mbed TLS library
required for Measured Boot support.
Change-Id: Ifc5aee0162d04db58ec6391e0726a526f29a52bb
Signed-off-by: Alexei Fedorov <Alexei.Fedorov@arm.com>
The Secure Configuration Register is 64-bits in AArch64 and 32-bits in
AArch32. Use u_register_t instead of unsigned int to reflect this.
Change-Id: I51b69467baba36bf0cfaec2595dc8837b1566934
Signed-off-by: Louis Mayencourt <louis.mayencourt@arm.com>
In order to support SEPARATE_NOBITS_REGION for Arm platforms, we need to load
BL31 PROGBITS into secure DRAM space and BL31 NOBITS into SRAM. Hence mandate
the build to require that ARM_BL31_IN_DRAM is enabled as well.
Naturally with SEPARATE_NOBITS_REGION enabled, the BL31 initialization code
cannot be reclaimed to be used for runtime data such as secondary cpu stacks.
Memory map for BL31 NOBITS region also has to be created.
Change-Id: Ibbc8c9499a32e63fd0957a6e254608fbf6fa90c9
Signed-off-by: Madhukar Pappireddy <madhukar.pappireddy@arm.com>
CPUECTLR_EL1.EXTLLC bit indicates the presense of internal or external
last level cache(LLC) in the system, the reset value is internal LLC.
To cater for the platforms(like N1SDP) which has external LLC present
introduce a new build option 'NEOVERSE_N1_EXTERNAL_LLC' which can be
enabled by platform port.
Signed-off-by: Manish Pandey <manish.pandey2@arm.com>
Change-Id: Ibf475fcd6fd44401897a71600f4eafe989921363
Currently, the end address macros are defined per BL, like BL2_END,
BL31_END, BL32_END. They are not handy in the common code shared
between multiple BL stages.
This commit introduces BL_END, which is equivalent to BL{2,31,32}_END,
and will be useful for the BL-common code.
Change-Id: I3c39bf6096d99ce920a5b9fa21c0f65456fbfe8a
Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
This makes the PSCI SYSTEM_OFF call work on QEMU. It assumes that QEMU has
semihosting enabled, but that is already assumed by the image loader.
Signed-off-by: Andrew Walbran <qwandor@google.com>
Change-Id: I0fb7cf7909262b675c3143efeac07f4d60730b03
Even though ERET always causes a jump to another address, aarch64 CPUs
speculatively execute following instructions as if the ERET
instruction was not a jump instruction.
The speculative execution does not cross privilege-levels (to the jump
target as one would expect), but it continues on the kernel privilege
level as if the ERET instruction did not change the control flow -
thus execution anything that is accidentally linked after the ERET
instruction. Later, the results of this speculative execution are
always architecturally discarded, however they can leak data using
microarchitectural side channels. This speculative execution is very
reliable (seems to be unconditional) and it manages to complete even
relatively performance-heavy operations (e.g. multiple dependent
fetches from uncached memory).
This was fixed in Linux, FreeBSD, OpenBSD and Optee OS:
679db7080129fb48ace43a08873eceabfd092aa1
It is demonstrated in a SafeSide example:
https://github.com/google/safeside/blob/master/demos/eret_hvc_smc_wrapper.cchttps://github.com/google/safeside/blob/master/kernel_modules/kmod_eret_hvc_smc/eret_hvc_smc_module.c
Signed-off-by: Anthony Steinhauser <asteinhauser@google.com>
Change-Id: Iead39b0b9fb4b8d8b5609daaa8be81497ba63a0f
Device size could be more than 4GB, we must
define size as unsigned long long.
Change-Id: I52055cf5c1c15ff18ab9e157aa9b73c8b4fb7b63
Signed-off-by: Lionel Debieve <lionel.debieve@st.com>
Add the standard CLAMP macro. It ensures that
x is between the limits set by low and high.
If low is greater than high the result is undefined.
Signed-off-by: Lionel Debieve <lionel.debieve@st.com>
Change-Id: Ia173bb9ca51bc8d9a8ec573bbc15636a94f881f4
SPI-NOR framework is based on SPI-MEM framework using
spi_mem_op execution interface.
It implements read functions and allows NOR configuration
up to quad mode.
Default management is 1 data line but it can be overridden
by platform.
It also includes specific quad mode configuration for
Spansion, Micron and Macronix memories.
Change-Id: If49502b899b4a75f6ebc3190f6bde1013651197f
Signed-off-by: Lionel Debieve <lionel.debieve@st.com>
Signed-off-by: Christophe Kerello <christophe.kerello@st.com>
This framework supports SPI-NAND and is based on the
SPI-MEM framework for SPI operations. It uses a common high
level access using the io_mtd.
It is limited to the read functionalities.
Default behavior is the basic one data line operation
but it could be overridden by platform.
Change-Id: Icb4e0887c4003a826f47c876479dd004a323a32b
Signed-off-by: Lionel Debieve <lionel.debieve@st.com>
Signed-off-by: Christophe Kerello <christophe.kerello@st.com>
The raw NAND framework supports SLC NAND devices.
It introduces a new high level interface (io_mtd) that
defines operations a driver can register to the NAND framework.
This interface will fill in the io_mtd device specification:
- device_size
- erase_size
that could be used by the io_storage interface.
NAND core source file integrates the standard read loop that
performs NAND device read operations using a skip bad block strategy.
A platform buffer must be defined in case of unaligned
data. This buffer must fit to the maximum device page size
defined by PLATFORM_MTD_MAX_PAGE_SIZE.
The raw_nand.c source file embeds the specific NAND operations
to read data.
The read command is a raw page read without any ECC correction.
This can be overridden by a low level driver.
No generic support for write or erase command or software
ECC correction.
NAND ONFI detection is available and can be enabled using
NAND_ONFI_DETECT=1.
For non-ONFI NAND management, platform can define required
information.
Change-Id: Id80e9864456cf47f02b74938cf25d99261da8e82
Signed-off-by: Lionel Debieve <lionel.debieve@st.com>
Signed-off-by: Christophe Kerello <christophe.kerello@st.com>
Implements a way to add platform specific power off code to a
Marvell Armada 8K platform.
Marvell Armada 8K boards can now add a board/system_power.c file
that contains a system_power_off() function.
This function can now send a command to a power management MCU or
other board periferals before shutting the board down.
Signed-off-by: Luka Kovacic <luka.kovacic@sartura.hr>
Cc: Luka Perkov <luka.perkov@sartura.hr>
Change-Id: Iaba20bc2f603195679c54ad12c0c18962dd8e3db
---
I am working on a device that will be ported later, which has a
custom power management MCU that handles LEDs, board power and fans
and requires this separation.
IO seek offset can be set to values above UINT32_MAX, this change
changes the seek offset argument from 'ssize_t' to 'signed long long'.
Fixing platform seek functions to match the new interface update.
Change-Id: I25de83b3b7abe5f52a7b0fee36f71e60cac9cfcb
Signed-off-by: Yann Gautier <yann.gautier@st.com>
Signed-off-by: Etienne Carriere <etienne.carriere@st.com>
Signed-off-by: Lionel Debieve <lionel.debieve@st.com>
NOTE for platform integrators:
API `plat_psci_stat_get_residency()` third argument
`last_cpu_idx` is changed from "signed int" to the
"unsigned int" type.
Issue / Trouble points
1. cpu_idx is used as mix of `unsigned int` and `signed int` in code
with typecasting at some places leading to coverity issues.
2. Underlying platform API's return cpu_idx as `unsigned int`
and comparison is performed with platform specific defines
`PLAFORM_xxx` which is not consistent
Misra Rule 10.4:
The value of a complex expression of integer type may only be cast to
a type that is narrower and of the same signedness as the underlying
type of the expression.
Based on above points, cpu_idx is kept as `unsigned int` to match
the API's and low-level functions and platform defines are updated
where ever required
Signed-off-by: Deepika Bhavnani <deepika.bhavnani@arm.com>
Change-Id: Ib26fd16e420c35527204b126b9b91e8babcc3a5c
In further patches, we aim to enable -Wredundant-decls by default.
This rearragement of helper macros is necessary to make Coverity
tool happy as well as making sure there are no redundant function
declarations for PMF related declarations.
Also, PMF related macros were added to provide appropriate function
declarations for helper APIs which capture PSCI statistics.
Change-Id: I36273032dde8fa079ef71235ed3a4629c5bfd981
Signed-off-by: Madhukar Pappireddy <madhukar.pappireddy@arm.com>
The SCU connects one to four Cortex-A5/Cortex-A9 processors
to the memory system through the AXI interfaces.
The SCU functions are to:
- maintain data cache coherency between the Cortex-A5/Cortex-A9
processors
- initiate L2 AXI memory accesses
- arbitrate between Cortex-A5/Cortex-A9 processors requesting
L2 accesses
- manage ACP accesses.
Snoop Control Unit will enable to snoop on other CPUs caches.
This is very important when it comes to synchronizing data between
CPUs. As an example, there is a high chance that data might be
cache'd and other CPUs can't see the change. In such cases,
if snoop control unit is enabled, data is synchoronized immediately
between CPUs and the changes are visible to other CPUs.
This driver provides functionality to enable SCU as well as enabling
user to know the following
- number of CPUs present
- is a particular CPU operating in SMP mode or AMP mode
- data cache size of a particular CPU
- does SCU has ACP port
- is L2CPRESENT
Change-Id: I0d977970154fa60df57caf449200d471f02312a0
Signed-off-by: Vishnu Banavath <vishnu.banavath@arm.com>
On some platforms the UART might have already been initialised, for
instance by firmware running before TF-A or by a separate management
processor. In this case it would not be need to initialise it again
(doing so could create spurious characters). But more importantly this
saves us from knowing the right baudrate and the right base clock rate
for the UART. This can lead to more robust and versatile firmware builds.
Allow to skip the 16550 UART initialisation and baud rate divisor
programming, by interpreting an input clock rate of "0" to signify this
case. This will just skip the call to console_16550_core_init, but still
will register the console properly.
Users should just pass 0 as the second parameter, the baudrate (third
parameter) will then be ignored as well.
Fix copy & paste typos in comments for the console_16550_register()
function on the way.
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
Change-Id: I9f8fca5b358f878fac0f31dc411358fd160786ee
Some platforms are extremely memory constrained and must split BL31
between multiple non-contiguous areas in SRAM. Allow the NOBITS
sections (.bss, stacks, page tables, and coherent memory) to be placed
in a separate region of RAM from the loaded firmware image.
Because the NOBITS region may be at a lower address than the rest of
BL31, __RW_{START,END}__ and __BL31_{START,END}__ cannot include this
region, or el3_entrypoint_common would attempt to invalidate the dcache
for the entire address space. New symbols __NOBITS_{START,END}__ are
added when SEPARATE_NOBITS_REGION is enabled, and the dcached for the
NOBITS region is invalidated separately.
Signed-off-by: Samuel Holland <samuel@sholland.org>
Change-Id: Idedfec5e4dbee77e94f2fdd356e6ae6f4dc79d37
Erratum 1688305 is a Cat B erratum present in r0p0, r0p1 versions
of Hercules core. The erratum can be avoided by setting bit 1 of the
implementation defined register CPUACTLR2_EL1 to 1 to prevent store-
release from being dispatched before it is the oldest.
Change-Id: I2ac04f5d9423868b6cdd4ceb3d0ffa46e570efed
Signed-off-by: Madhukar Pappireddy <madhukar.pappireddy@arm.com>
Add additional field definitions for
Cortex_A72 L2 Control registers
Change-Id: I5ef3a6db41cd7c5d9904172720682716276b7889
Signed-off-by: Sheetal Tigadoli <sheetal.tigadoli@broadcom.com>
The contents of this header have been merged into the spm_mm_svc.h
header file.
Change-Id: I01530b2e4ec1b4c091ce339758025e2216e740a4
Signed-off-by: Paul Beesley <paul.beesley@arm.com>
Before adding any new SPM-related components we should first do
some cleanup around the existing SPM-MM implementation. The aim
is to make sure that any SPM-MM components have names that clearly
indicate that they are MM-related. Otherwise, when adding new SPM
code, it could quickly become confusing as it would be unclear to
which component the code belongs.
The secure_partition.h header is a clear example of this, as the
name is generic so it could easily apply to any SPM-related code,
when it is in fact SPM-MM specific.
This patch renames the file and the two structures defined within
it, and then modifies any references in files that use the header.
Change-Id: I44bd95fab774c358178b3e81262a16da500fda26
Signed-off-by: Paul Beesley <paul.beesley@arm.com>
The Secure Partition Manager (SPM) prototype implementation is
being removed. This is preparatory work for putting in place a
dispatcher component that, in turn, enables partition managers
at S-EL2 / S-EL1.
This patch removes:
- The core service files (std_svc/spm)
- The Resource Descriptor headers (include/services)
- SPRT protocol support and service definitions
- SPCI protocol support and service definitions
Change-Id: Iaade6f6422eaf9a71187b1e2a4dffd7fb8766426
Signed-off-by: Paul Beesley <paul.beesley@arm.com>
Signed-off-by: Artsem Artsemenka <artsem.artsemenka@arm.com>
There are two different implementations of Secure Partition
management in TF-A. One is based on the "Management Mode" (MM)
design, the other is based on the Secure Partition Client Interface
(SPCI) specification. Currently there is a dependency between their
build flags that shouldn't exist, making further development
harder than it should be. This patch removes that
dependency, making the two flags function independently.
Before: ENABLE_SPM=1 is required for using either implementation.
By default, the SPCI-based implementation is enabled and
this is overridden if SPM_MM=1.
After: ENABLE_SPM=1 enables the SPCI-based implementation.
SPM_MM=1 enables the MM-based implementation.
The two build flags are mutually exclusive.
Note that the name of the ENABLE_SPM flag remains a bit
ambiguous - this will be improved in a subsequent patch. For this
patch the intention was to leave the name as-is so that it is
easier to track the changes that were made.
Change-Id: I8e64ee545d811c7000f27e8dc8ebb977d670608a
Signed-off-by: Paul Beesley <paul.beesley@arm.com>
Provide an SMC interface to the 9p filesystem. This permits
accessing firmware drivers through a common interface, using
standardized read/write/control operations.
Signed-off-by: Ambroise Vincent <ambroise.vincent@arm.com>
Signed-off-by: Olivier Deprez <olivier.deprez@arm.com>
Change-Id: I9314662314bb060f6bc02714476574da158b2a7d
Ported the pmf asm macros and the asm code in the bl31 entrypoint
necessary for the instrumentation to AArch32.
Since smc dispatch is handled by the bl32 payload on AArch32, we
provide this service only if AARCH32_SP=sp_min is set.
Signed-off-by: Bence Szépkúti <bence.szepkuti@arm.com>
Change-Id: Id33b7e9762ae86a4f4b40d7f1b37a90e5130c8ac
The 9p interface provides abstraction layers allowing the software
that uses devices to be independent from the hardware.
This patch provides a file system abstraction to link drivers to their
devices and propose a common interface to expose driver operations to
higher layers. This file system can be used to access and configure a
device by doing read/write operations.
Signed-off-by: Ambroise Vincent <ambroise.vincent@arm.com>
Signed-off-by: Olivier Deprez <olivier.deprez@arm.com>
Change-Id: Ia9662393baf489855dc0c8f389fe4a0afbc9c255
SIZE_MAX was mistakenly redefined from UINT32_MAX to UINT64_MAX
on AArch32 when the arch-specific headers were merged.
This value is not currently used by upstream TF-A source code,
so no functionality should be affected.
Change-Id: I2acf7f8736423697c7377e8ed4b08843ced26e66
Signed-off-by: Bence Szépkúti <bence.szepkuti@arm.com>
Previously, the A64/H5 and H6 platforms' PMIC setup code was entirely
independent. However, some H6 boards also need early regulator setup.
Most of the register interface and all of the device tree traversal code
can be reused between the AXP803 and AXP805. The main difference is the
hardware bus interface, so that part is left to the platforms. The
remainder is moved into a driver.
I factored out the bits that were obviously specific to the AXP803;
additional changes for compatibility with other PMICs can be made as
needed.
The only functional change is that rsb_init() now checks the PMIC's chip
ID register against the expected value. This was already being done in
the H6 version of the code.
Signed-off-by: Samuel Holland <samuel@sholland.org>
Change-Id: Icdcf9edd6565f78cccc503922405129ac27e08a2
This adds the new regulator list, as well as changes to make the switch
(equivalent to DC1SW on the AXP803) work on both PMICs.
Signed-off-by: Samuel Holland <samuel@sholland.org>
Change-Id: I9a1eac8ddfc54b27096c10a8eebdd51aaf9b8311
When a Firmware is complied as Position Independent Executable it needs
to request GDT fixup by passing size of the memory region to
el3_entrypoint_common macro.
The Global descriptor table fixup will be done early on during cold boot
process of primary core.
Currently only BL31 supports PIE, but in future when BL2_AT_EL3 will be
compiled as PIE, it can simply pass fixup size to the common el3
entrypoint macro to fixup GDT.
The reason for this patch was to overcome the bug introduced by SHA
330ead806 which called fixup routine for each core causing
re-initializing of global pointers thus overwriting any changes
done by the previous core.
Change-Id: I55c792cc3ea9e7eef34c2e4653afd04572c4f055
Signed-off-by: Manish Pandey <manish.pandey2@arm.com>
Add the support needed to enable using CryptoCell integration with
with RSA 3K support.
Signed-off-by: Gilad Ben-Yossef <gilad.benyossef@arm.com>
Change-Id: I95527cb0c41ae012109e8968dd20a4ae9fe67f17
This function scans a string backwards from the end for the first
instance of a character.
Change-Id: I46b21573ed25a0ff222eac340e1e1fb93b040763
Signed-off-by: Ambroise Vincent <ambroise.vincent@arm.com>
C99 standard: "What constitutes an access to an object that has
volatile-qualified type is implementation-defined".
GCC is not considering the cast to void of volatile structures as an
access and so is not actually issuing reads.
Clang does read those structures by copying them on the stack, which in
this case creates an overflow because of their large size.
This patch removes the cast to void and instead uses the USED attribute
to tell the compiler to retain the static variables.
Change-Id: I952b5056e3f6e91841e7ef9558434352710ab80d
Signed-off-by: Ambroise Vincent <ambroise.vincent@arm.com>
Zelalem Aweke <zelalem.aweke@arm.com>
Previously the .init section was created even when the reclaim flag was
manually set to 0.
Change-Id: Ia9e7c7997261f54a4eca725d7ea605192f60bcf8
Signed-off-by: Ambroise Vincent <ambroise.vincent@arm.com>
Zelalem Aweke <zelalem.aweke@arm.com>
Check that entry point information requesting S-EL2
has AArch64 as an execution state during context setup.
Signed-off-by: Artsem Artsemenka <artsem.artsemenka@arm.com>
Change-Id: I447263692fed6e55c1b076913e6eb73b1ea735b7
This patch adds support for enabling S-EL2 if this EL is specified in the entry
point information being used to initialise a secure context. It is the caller's
responsibility to check if S-EL2 is available on the system before requesting
this EL through the entry point information.
Signed-off-by: Achin Gupta <achin.gupta@arm.com>
Change-Id: I2752964f078ab528b2e80de71c7d2f35e60569e1
Consolidate the definition of size_t to one header per AArch, and
the definition of NULL to one header
Signed-off-by: Bence Szépkúti <bence.szepkuti@arm.com>
Change-Id: Iecfbad2cf360cfb705ce7aaa981700fd16219b82
As supporting architectures aside from AArch32 and AArch64 is not a
concern, keeping identical definitions in two places for a large part
of the libc seems counterproductive
The int128 types were left un-unified as __int128 is not supported by
gcc on AArch32
Signed-off-by: Bence Szépkúti <bence.szepkuti@arm.com>
Change-Id: Idf08e6fab7e4680d9da62d3c57266ea2d80472cf
Conceptually, these are supposed to be the largest integers
representable in C, but GCC and Clang define them as long long for
compatibility.
Signed-off-by: Bence Szépkúti <bence.szepkuti@arm.com>
Change-Id: I7c0117f3be167342814d260a371889120dcf6576
From AArch64 state, arguments are passed in registers W0-W7(X0-X7)
and results are returned in W0-W7(X0-X7) for SMC32(SMC64) calls.
From AArch32 state, arguments are passed in registers R0-R7 and
results are returned in registers R0-R7 for SMC32 calls.
Most of the functions and macros already existed to support using
upto 8 registers for passing/returning parameters/results. Added
few helper macros for SMC calls from AArch32 state.
Link to the specification:
https://developer.arm.com/docs/den0028/c
Change-Id: I87976b42454dc3fc45c8343e9640aa78210e9741
Signed-off-by: Madhukar Pappireddy <madhukar.pappireddy@arm.com>
Add support to configure GIC-600's multichip routing table registers.
Introduce a new gic600 multichip structure in order to support platforms
to pass their GIC-600 multichip information such as routing table owner,
SPI blocks ownership.
This driver is currently experimental and the driver api may change in
the future.
Change-Id: Id409d0bc07843e271ead3fc2f6e3cb38b317878d
Signed-off-by: Vijayenthiran Subramaniam <vijayenthiran.subramaniam@arm.com>
Earlier PIE support was enabled for all arm platforms when
RESET_TO_BL31=1, but later on it was restricted only to FVP with patch
SHA d4580d17 because of n1sdp platform.
Now it has been verified that PIE does work for n1sdp platform also, so
enabling it again for all arm platforms.
Change-Id: I05ad4f1775ef72e7cb578ec9245cde3fbce971a5
Signed-off-by: Manish Pandey <manish.pandey2@arm.com>
ARM platform can have a non-contiguous GICR frames. For instance, a
multi socket platform can have two or more GIC Redistributor frames
which are 4TB apart. Hence it is necessary for the `gicv3_rdistif_probe`
function to probe all the GICR frames available in the platform.
Introduce `plat_arm_override_gicr_frames` function which platforms can
use to override the default gicr_frames which holds the GICR base
address of the primary cpu.
Change-Id: I1f537b0d871a679cb256092944737f2e55ab866e
Signed-off-by: Vijayenthiran Subramaniam <vijayenthiran.subramaniam@arm.com>
The function has to use read_cntpct_el0() to update the counter, and not
read_cntfrq_el0().
Change-Id: I9c676466e784c3122e9ffc2d87e66708797086e7
Signed-off-by: Yann Gautier <yann.gautier@st.com>
Currently the MDCR_EL3 initialisation implicitly disables
MDCR_EL3.SPME by using mov_imm.
This patch makes the SPME bit more visible by explicitly
disabling it and documenting its use in different versions
of the architecture.
Signed-off-by: Petre-Ionut Tudor <petre-ionut.tudor@arm.com>
Change-Id: I221fdf314f01622f46ac5aa43388f59fa17a29b3
Coherent I-cache is causing a prefetch violation where when the core
executes an instruction that has recently been modified, the core might
fetch a stale instruction which violates the ordering of instruction
fetches.
The workaround includes an instruction sequence to implementation
defined registers to trap all EL0 IC IVAU instructions to EL3 and a trap
handler to execute a TLB inner-shareable invalidation to an arbitrary
address followed by a DSB.
Signed-off-by: Lauren Wehrmeister <lauren.wehrmeister@arm.com>
Change-Id: Ic3b7cbb11cf2eaf9005523ef5578a372593ae4d6
Introduce timeout_init_us/timeout_elapsed() delay tracking with CNTPCT.
timeout_init_us(some_timeout_us); returns a reference to detect
timeout for the provided microsecond delay value from current time.
timeout_elapsed(reference) return true/false whether the reference
timeout is elapsed.
Cherry picked from OP-TEE implementation [1].
[1] commit 33d30a74502b ("core: timeout detection support")
Minor:
- Remove stm32mp platform duplicated implementation.
- Add new include in marvell ble.mk
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Lionel Debieve <lionel.debieve@st.com>
Change-Id: Iaef6d43c11a2e6992fb48efdc674a0552755ad9c
Use size_t for length parameter in header file, as in .c file.
Change-Id: I310f2a6159cde1c069b4f814f6558c2488c203ec
Signed-off-by: Yann Gautier <yann.gautier@st.com>
Add the missing flag for aarch32 XIP memory mode. It was
previously added in aarch64 only.
Minor: Correct the aarch64 missing flag.
Signed-off-by: Lionel Debieve <lionel.debieve@st.com>
Change-Id: Iac0a7581a1fd580aececa75f97deb894858f776f
* changes:
stm32mp1: add authentication support for stm32image
bsec: move bsec_mode_is_closed_device() service to platform
crypto: stm32_hash: Add HASH driver
* changes:
Migrate ARM platforms to use the new GICv3 API
Adding new optional PSCI hook pwr_domain_on_finish_late
GICv3: Enable multi socket GIC redistributor frame discovery
This patch changes implementation for disabling Secure Cycle
Counter. For ARMv8.5 the counter gets disabled by setting
SDCR.SCCD bit on CPU cold/warm boot. For the earlier
architectures PMCR register is saved/restored on secure
world entry/exit from/to Non-secure state, and cycle counting
gets disabled by setting PMCR.DP bit.
In 'include\aarch32\arch.h' header file new
ARMv8.5-PMU related definitions were added.
Change-Id: Ia8845db2ebe8de940d66dff479225a5b879316f8
Signed-off-by: Alexei Fedorov <Alexei.Fedorov@arm.com>
Mark Dykes
Andre Przywara
Petre-Ionut Tudor
Sandrine Bailleux
joanna.farley
Yann Gautier
Varun Wadekar
Manish V Badarkhe
Suyash Pathak
Zelalem
Jimmy Brisson
Olivier Deprez
Achin Gupta
Manish Pandey
Alexei Fedorov
Aditya Angadi
Vijayenthiran Subramaniam
Louis Mayencourt
Max Shvetsov
Grzegorz Jaszczyk
Soby Mathew
Madhukar Pappireddy
Masahiro Yamada
Andrew Walbran
Anthony Steinhauser
Lionel Debieve
Luka Kovacic
Deepika Bhavnani
Vishnu Banavath
Samuel Holland
Sheetal Tigadoli
Paul Beesley
György Szing
Ambroise Vincent
Bence Szépkúti
Gilad Ben-Yossef
Artsem Artsemenka
Balint Dobszay
laurenw-arm
Imre Kis