For Denver CPUs, this approach enables the mitigation during EL3
initialization, following every PE reset. No mechanism is provided to
disable the mitigation at runtime.
This approach permanently mitigates the EL3 software stack only. Other
software components are responsible to enable it for their exception
levels.
TF-A implements this approach for the Denver CPUs with DENVER_MIDR_PN3
and earlier:
* By setting bit 11 (Disable speculative store buffering) of
`ACTLR_EL3`
* By setting bit 9 (Disable speculative memory disambiguation) of
`ACTLR_EL3`
TF-A implements this approach for the Denver CPUs with DENVER_MIDR_PN4
and later:
* By setting bit 18 (Disable speculative store buffering) of
`ACTLR_EL3`
* By setting bit 17 (Disable speculative memory disambiguation) of
`ACTLR_EL3`
Change-Id: If1de96605ce3f7b0aff5fab2c828e5aecb687555
Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>
Denver CPUs expect the power state field to be reset to 'C1'
during boot. This patch updates the reset handler to reset the
ACTLR_.PMSTATE field to 'C1' state during CPU boot.
Change-Id: I7cb629627a4dd1a30ec5cbb3a5e90055244fe30c
Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>
The current functions to disable and enable Dynamic Code Optimizer
(DCO) assume that all denver cores are in the same cluster. They
ignore AFF1 field of the mpidr_el1 register, which leads to
incorect logical core id calculation.
This patch calls the platform handler, plat_my_core_pos(), to get
the logical core id to disable/enable DCO for the core.
Original change by: Krishna Sitaraman <ksitaraman@nvidia.com>
Change-Id: I45fbd1f1eb032cc1db677a4fdecc554548b4a830
Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>
This patch adds me to various maintainer activities in the ATF tree
associated with the NXP i.MX7 generally and WaARP7 in particular.
Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
This patch describes the boot-flow and building of the WaRP7 TF-A port.
What it describes is booting and unsigned TF-A.
A very brief section has been added on signing BL2 which is in no-way
comprehensive. For a comprehensive description of the signing process try
the Boundary Devices blog on the matter.
https://boundarydevices.com/high-assurance-boot-hab-dummies/
Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Previous changes in this series made the necessary driver additions and
updates. With those changes in-place we can add the platform.mk and
bl2_el3_setup.c to drive the boot process.
After this commit its possible to build a fully-functional TF-A for the
WaRP7 and boot from the BootROM to the Linux command prompt in secure or
non-secure mode.
Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
This patch adds a callback into the BootROM's provided High Assurance Boot
(HAB) failsafe function when panicking i.e. the call is done without making
use of stack.
The HAB failsafe function allows a piece of software to call into the
BootROM and place the processor into failsafe mode.
Failsafe mode is a special mode which presents a serial download protocol
interface over UART or USB at the time of writing.
If the board has been set into secure mode, then only a signed binary can
be used to recover the board.
Thus failsafe gives a putatively secure method of performing a secure
recovery over UART or USB.
Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Reviewed-by: Ryan Harkin <ryan.harkin@linaro.org>
This patch adds entries to the mem params array for
- BL32
- BL32_EXTRA1
- BL32_EXTRA2
- BL33
- HW_CONFIG_ID
BL32 is marked as bootable to indicate that OPTEE is the thing that should
be booted next.
In our model OPTEE chain-loads onto u-boot so only BL32 is bootable.
Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Signed-off-by: Rui Miguel Silva <rui.silva@linaro.org>
Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
This commit adds support for parsing a FIP pre-loaded by a previous
boot-phase such as u-boot or via ATF reading directly from eMMC.
[bod: squashing several patches from Rui, Jun and bod]
Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Signed-off-by: Jun Nie <jun.nie@linaro.org>
Signed-off-by: Rui Miguel Silva <rui.silva@linaro.org>
Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
In order to link even a basic image we need to declare
REGISTER_BL_IMAGE_DESCS. This patch declares an empty structure which is
passed to REGISTER_BL_IMAGE_DESCS(). Later patches will add in some
meaningful data.
Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
The watchdog block on the IMX is mercifully simple. This patch maps the
various registers and bits associated with the block.
We are mostly only really interested in the power-down-enable (PDE) bits in
the block for the purposes of ATF.
The i.MX7 Solo Applications Processor Reference Manual details the PDE bit
as follows:
"Power Down Enable bit. Reset value of this bit is 1, which means the power
down counter inside the WDOG is enabled after reset. The software must
write 0 to this bit to disable the counter within 16 seconds of reset
de-assertion. Once disabled this counter cannot be enabled again. See
Power-down counter event for operation of this counter."
This patch does that zero write in-lieu of later phases in the boot
no-longer have the necessary permissions to rewrite the PDE bit directly.
Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
This patch defines the most basic part of the CAAM and the only piece of
the CAAM silicon we are really interested in, in ATF, the CAAM control
structure.
The CAAM itself is a huge address space of some 32k, way out of scope for
the purpose we have in ATF.
This patch adds a simple CAAM init function that assigns ownership of the
CAAM job-rings to the non-secure MID with the ownership bit set to
non-secure.
This will allow later logic in the boot process such as OPTEE, u-boot and
Linux to assign job-rings as appropriate, restricting if necessary but
leaving open the main functionality of the CAAM to the Linux NS runtime.
Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
The QEMU platform has only been used with LOAD_IMAGE_V2=1 for some time
now and bit rot has occurred for LOAD_IMAGE_V2=0. To ease the
maintenance make LOAD_IMAGE_V2=1 mandatory and remove the platform
specific code for LOAD_IMAGE_V2=0.
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Enable ARM_XLAT_TABLES_LIB_V1 as ZynqMP is using
v1 library of translation tables.
With upstream patch d323af9e3d,
the usage of MAP_REGION_FLAT is referring to definition in file
include/lib/xlat_tables/xlat_tables_v2.h but while preparing
xlat tables in lib/xlat_tables/xlat_tables_common.c it is referring
to include/lib/xlat_tables/xlat_tables.h which is v1 xlat tables.
Also, ZynqMP was using v1 so defined ARM_XLAT_TABLES_LIB_V1 to
use v1 xlat tables everywhere.
This fixes the issue of xlat tables failures as it takes v2
library mmap_region structure in some files and v1 in other
files.
Signed-off-by: Siva Durga Prasad Paladugu <siva.durga.paladugu@xilinx.com>
The High Assurance Boot or HAB is an on-chip method of providing a
root-of-trust from the reset vector to subsequent stages in the bootup
flow of the Cortex-A7 on the i.MX series of processors.
This patch adds a simple header file with pointer offsets of the provided
set of HAH API callbacks in the BootROM.
The relative offset of the function pointers is a constant and known
quantum, a software-contract between NXP and an implementation which is
defined in the NXP HAB documentation.
All we need is the correct base offset and then we can map the set of
function pointers relative to that offset.
imx_hab_arch.h provides the correct offset and the imx_hab.h hooks the
offset to the pre-determined callbacks.
Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Reviewed-by: Ryan Harkin <ryan.harkin@linaro.org>
In order to enable compile time differences in HAB interaction, we should
split out the definition of the base address of the HAB API.
Some version of the i.MX series have different offsets from the BootROM
base for the HAB callback table.
This patch defines the header into which we will define the i.MX7 specific
offset. The offset of the i.MX7 function-callback table is simultaneously
defined.
Once done, we can latch a set of common function pointer locations from the
offset given here and if necessary change the offset for different
processors without any other code-change.
For now all we support is i.MX7 so the only offset being defined is that
for the i.MX7.
Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Reviewed-by: Ryan Harkin <ryan.harkin@linaro.org>
This patch adds snvs.c with a imx_snvs_init() function.
imx_snvs_init() sets up permissions of the RTC via the SNVS HPCOMR.
During previous work with OPTEE on the i.MX7 part we discovered that prior
to switching from secure-world to normal-world it is required to apply more
permissive permissions than are defaulted to in order for Linux to be able
to access the RTC and CAAM functionality in general.
This patch pertains to fixing the RTC permissions by way of the
HPCOMR.NPSWA_EN bit.
Once set non-privileged code aka Linux-kernel code has permissions to
access the SNVS where the RTC resides.
Perform that permissions fix in imx_snvs_init() now, with a later patch making
the call from our platform setup code.
Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
This commit defines two things.
- The basic SNVS memory map. At the moment that is total overkill for the
permission bits we need to set inside the SNVS but, for the sake of
completeness define the whole SNVS area as a struct.
- The bits of the HPCOMR register
A permission fix will need to be applied to the SNVS block prior to
switching on TrustZone. All we need to do is waggle a bit in the HPCOMR
register. To do that waggle we first need to define the bits of the
HPCOMR register.
- A imx_snvs_init() function definition
Declare the snvs_init() function so that it can be called from our
platform setup code.
Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
This patch adds an initial AHB-to-IP TrustZone (AIPS-TZ) initialization
routine. Setting up the AIPSTZ controller is required to inform the SoC
interconnect fabric which bus-masters can read/write and if the read/writes
are buffered.
For our purposes the initial configuration is for everything to be open. We
can lock-down later on as necessary.
Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
This patch defines:
- The full range of IO-mux register offsets relative to the base address of
the IO-mux block base address.
- The bits for muxing the UART1 TX/RX lines.
- The bits for muxing the UART6 TX/RX lines.
- The pad control pad bits for the UART
Two functions are provided to configure pad muxes:
- void io_muxc_set_pad_alt_function(pad_mux_offset, alt_function)
Takes a pad_mux_offset and sets the alt_function bit-mask supplied.
This will have the effect of switching the pad into one of its defined
peripheral functions. These peripheral function modes are defined in the
NXP documentation and need to be referred to in order to correctly
configure a new alternative-function.
- void io_muxc_set_pad_features(pad_feature_offset, pad_features)
Takes a pad_feature_offset and applies a pad_features bit-mask to the
indicated pad.
This function allows the setting of PAD drive-strength, pull-up values,
hysteresis glitch filters and slew-rate settings.
Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
This patch adds an internal UART init routine that gets called from the
external facing clock init function.
In the first pass this call does an explicit disable of all UART
clock-gates. Later changes will enable only the UART clock-gates we care
about.
Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
This set of patches adds a very minimal layer of USB enabling patches to
clock.c. Unlike the watchdog or UART blocks the USB clocks pertain to PHYs,
the main USB clock etc, not to different instances of the same IP block.
As a result this patch-set takes the clock CCGR clock identifier directly
rather than as an index of an instance of blocks of the same type.
Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
This patch adds a set of functions to enable the clock for each of the
watchdog IP blocks.
Unlike the MMC and UART blocks, the watchdog blocks operate off of the one
root clock, only the clock-gates are enable/disabled individually.
As a consequence the function clock_set_wdog_clk_root_bits() is used to set
the root-slice just once for all of the watchdog blocks.
Future implementations may need to change this model but for now on the one
supported processor and similar NXP SoCs this model should work fine.
Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
This patch adds an API to configure up the base USDHC clocks, taking a
bit-mask of silicon specific bits as an input from a higher layer in order
to direct the necessary clock source.
Signed-off-by: Jun Nie <jun.nie@linaro.org>
Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
This patch adds an API to configure up the base UART clocks, taking a
bit-mask of silicon specific bits as an input from a higher layer in order
to direct the necessary clock source.
Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
This commit:
- Defines a clock stub with a conjoined header defining the clock
memory map.
- Defines the CCM Clock Gating Register which comes in a quadrumvirate
register set to read, set, clear and toggle individual clock gates into
one of four states based bitmask.
00: Domain clocks not needed
01: Domain clocks needed when in RUN
10: Domain clocks needed when in RUN and WAIT
11: Domain clocks needed all the time
- Defines clock control register bits
There are various quadrumvirate register blocks target-root, misc-root,
post-root, pre-root in the CCM.
The number of registers is huge but the four registers in each
quadrumvirate block contain the same bits, so the number of bit
definitions is actually quite low.
- Defines clock identifiers
An array of clock gates is provided in the CCM block. In order to index
that array and thus enable/disable clock gates for the right components,
we need to provide meaningful names to the indices.
Section 5.2.5 of the i.MX7 Solo Application Processor Reference Manual
Rev 0.1 provides the relevant details.
- Defines target mux select bits
This is a comprehensive definition of the target clock mux select bits.
These bits are required to correctly select the clock source. Defining
all of the bits up-front even for unused blocks in ATF means we can
switch on any block we want at a later date without having to write new
code in the clock-mux layer.
- Defines identifier indices into root-slice array
The root-slice array of control registers has a specific set of indices,
which differ from the clock-gate indices.
- Provides a clock gate enable/disable routine
Provides a clock-gate enable/disable routine via the set/clr
registers in a given clock-gate control register block.
This index passed should be one of the enums associated with CCM and
depending on enable/disable being passed either set or clr will be
written to.
The Domain0 bits are currently the only bits targeted by this write, more
work may need to be done on the domain bits in subsequent patches as a
result.
- imx: Adds set/clr routines to clock layer
Adds a set and clr routine to the clock layer. These routines allow us to
access the set and clear registers of the "target" block registers. These
are the registers where we select the clock source from the available list.
Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
In order to have some common code shared between similar SOCs its pretty
common to have IP blocks reused. In reusing those blocks we frequently need
to map compatible blocks to different addresses depending on the SOC.
This patch adds a basic memory map of the i.MX7 based on the "Cortex-A7
Memory Map" section 2.12 of "i.MX7Solo Applications Processor Reference
Manual, Rev 0.1 08/2016"
In memory map terms the i.MX7S and i.MX7D are identical with the D
variant containing two Cortex-A7 cores plus a Cortex-M core and the S
variant containing one Cortex-A7 and one Cortex-M.
Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Add USDHC driver to support boot EMMC. Only initialization
and single/multiple block read are tested.
[bod: fixed checkpatch.pl complaints]
[bod: changed name to imx_usdhc for namespace consistency]
[bod: squashed antecedent fixes into this one patch]
Signed-off-by: Jun Nie <jun.nie@linaro.org>
Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
This patch adds ATF support for AES data blob encrypt/decrypt.
ATF establishes a path to send the address of the structure
to the xilsecure, so that it will pick addresses of the data
and performs the requested operation (encrypt/decrypt) and puts
the result in load address.
where structure contains
- Data blob src address
- load address
- IV address
- Key address - this will actual key addr in case of KUP
else it will be zero.
- Data-size
- Aes-op type
- KeySrc
Signed-off-by: Kalyani Akula <kalyani.akula@xilinx.com>
Signed-off-by: Siva Durga Prasad Paladugu <siva.durga.paladugu@xilinx.com>
Correct function header of pm_api_clock_getparent() and
pm_api_clock_setparent().
Signed-off-by: Rajan Vaja <rajan.vaja@xilinx.com>
Acked-by: Will Wong <WILLW@xilinx.com>
PLL type clock is enabled by FSBL on boot-up. PMUFW enable/disable
them based on their user count. So, it should not be handled from ATF.
Put PLL type clock into bypass and reset mode only while changing
PLL rate (FBDIV).
Signed-off-by: Tejas Patel <tejas.patel@xilinx.com>
Acked-by: Will Wong <WILLW@xilinx.com>
Signed-off-by: Siva Durga Prasad Paladugu <siva.durga.paladugu@xilinx.com>
CCF has already provision to enable clock during registration
through CLK_IS_CRITICAL flag. Use CLK_IS_CRITICAL instead of
init_enable attribute.
Signed-off-by: Rajan Vaja <rajan.vaja@xilinx.com>
Signed-off-by: Siva Durga Prasad Paladugu <siva.durga.paladugu@xilinx.com>
Acked-by: Jolly Shah <jolly.shah@xilinx.com>
WDT used by APU is FPD_WDT. FPD WDT clock is controlled by
FPD_SLCR.WDT_CLK_SEL register. Correct the same in WDT clock
database.
As per FPD_SLCR.WDT_CLK_SEL register, there can be only two
parents of WDT clock not three. Fix the same by correcting it's
parents in clock database.
Signed-off-by: Tejas Patel <tejas.patel@xilinx.com>
Signed-off-by: Siva Durga Prasad Paladugu <siva.durga.paladugu@xilinx.com>
Acked-by: Jolly Shah <jolly.shah@xilinx.com>
Add support for writing to AFI registers.
So that after writing a bitstream the interface can be programmed.
Signed-off-by: Shubhrajyoti Datta <shubhrajyoti.datta@xilinx.com>
Signed-off-by: Appana Durga Kedareswara rao <appana.durga.rao@xilinx.com>
Signed-off-by: Siva Durga Prasad Paladugu <siva.durga.paladugu@xilinx.com>
Since the MMIO read/write APIs are removed from Linux user space,
Linux cannot directly write to the Global General Storage Register 4
any more to set healthy boot status.
Create an IOCTL to allow Linux to set boot health status.
Signed-off-by: Rajan Vaja <rajan.vaja@xilinx.com>
Signed-off-by: Siva Durga Prasad Paladugu <siva.durga.paladugu@xilinx.com>
Acked-by: Will Wong <willw@xilinx.com>
Add missing response type for SWITCH command and STOP_TRANSMISSION
so that controller can be configured accordingly.
[bod: ported this change from Jun's eMMC patches to the MMC driver]
Signed-off-by: Jun Nie <jun.nie@linaro.org>
Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
The R3 response type definition should be (1 << 0). Make sure we define the
expected response code in the appropriate fashion.
Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Add response flag into ID definition so that driver does not
need to handle it again.
Signed-off-by: Jun Nie <jun.nie@linaro.org>
Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
To make ULPI transceiver work, a HIGH - LOW - HIGH pulse needs
to be given to resetb pin of ULPI chip. In ZYNQMP, this resetb
pin is being driven by BOOT MODE PIN 1. The BOOT MODE PIN's
are controlled by BOOT_PIN_CTRL register present in CRL_APB
address region. Since CRL_APB can be resticted to secure access,
this pin should be controlled by ATF.
This patch adds the support for the same.
Signed-off-by: Anurag Kumar Vulisha <anuragku@xilinx.com>
Signed-off-by: Siva Durga Prasad Paladugu <siva.durga.paladugu@xilinx.com>