This patch provides an option to specify a interrupt routing model
where non-secure interrupts (IRQs) are routed to EL3 instead of S-EL1.
When such an interrupt occurs, the TSPD arranges a return to
the normal world after saving any necessary context. The interrupt
routing model to route IRQs to EL3 is enabled only during STD SMC
processing. Thus the pre-emption of S-EL1 is disabled during Fast SMC
and Secure Interrupt processing.
A new build option TSPD_ROUTE_NS_INT_EL3 is introduced to change
the non secure interrupt target execution level to EL3.
FixesARM-software/tf-issues#225
Change-Id: Ia1e779fbbb6d627091e665c73fa6315637cfdd32
This patch allows the secure payload (BL3-2) to be loaded in the
DRAM region secured by the TrustZone controller (top 16 MB of DRAM1).
The location of BL3-2 can be selected at build time by setting the
build flag FVP_TSP_RAM_LOCATION to one of the following options:
- 'tsram' : Trusted SRAM (this is the default option)
- 'tdram' : Trusted DRAM
- 'dram' : Secure region in DRAM1 (top 16MB configured by the
TrustZone controller)
The number of MMU tables in BL3-2 depends on its location in
memory: 3 in case it is loaded in DRAM, 2 otherwise.
Documentation updated accordingly.
FixesARM-software/tf-issues#212
Change-Id: I371eef3a4159f06a0c9e3c6c1f4c905b2f93803a
This patch extends the build option `USE_COHERENT_MEMORY` to
conditionally remove coherent memory from the memory maps of
all boot loader stages. The patch also adds necessary
documentation for coherent memory removal in firmware-design,
porting and user guides.
FixesARM-Software/tf-issues#106
Change-Id: I260e8768c6a5c2efc402f5804a80657d8ce38773
Patch 20d51ca moved the shared data page from the top of the
Trusted SRAM to the bottom, changing the load addresses of BL3-1
and BL3-2.
This patch updates BL3-1 and BL3-2 addresses in the instructions
to run the Trusted Firmware on FVP using BL3-1 as reset vector.
This patch is similar to but distinct from bfb1dd5 and 7ea4c43.
Change-Id: I6b467f9a82360a5e2181db99fea881487de52704
Previously, the User Guide recommended launching the Foundation
FVP with the parameter --no-secure-memory, which disabled security
control of the address map. This was due to missing support for
secure memory regions in v1 of the Foundation FVP. This is no longer
needed as secure memory is now supported on the Foundation FVP.
This patch updates the User Guide to recommend enabling secure
memory instead.
Change-Id: Ifae53c10ff6e1c7c6724af20e05a3d3a88f6a5ad
This patch allows to define the name of the FIP at build time by
defining the FIP_NAME variable. If FIP_NAME is not defined, default
name 'fip.bin' is used.
Documentation updated accordingly.
Change-Id: Ic41f42aac379b0c958b3dfd02863ba8ba7108710
This patch deprecates the build option to relocate the shared data
into Trusted DRAM in FVP. After this change, shared data is always
located at the base of Trusted SRAM. This reduces the complexity
of the memory map and the number of combinations in the build
options.
FixesARM-software/tf-issues#257
Change-Id: I68426472567b9d8c6d22d8884cb816f6b61bcbd3
This patch configures the TrustZone Controller in Juno to split
the 2GB DDR-DRAM memory at 0x80000000 into Secure and Non-Secure
regions:
- Secure DDR-DRAM: top 16 MB, except for the last 2 MB which are
used by the SCP for DDR retraining
- Non-Secure DDR-DRAM: remaining DRAM starting at base address
Build option PLAT_TSP_LOCATION selects the location of the secure
payload (BL3-2):
- 'tsram' : Trusted SRAM (default option)
- 'dram' : Secure region in the DDR-DRAM (set by the TrustZone
controller)
The MMU memory map has been updated to give BL2 permission to load
BL3-2 into the DDR-DRAM secure region.
FixesARM-software/tf-issues#233
Change-Id: I6843fc32ef90aadd3ea6ac4c7f314f8ecbd5d07b
This patch adds support for supplying pre-built BL binaries for BL2,
BL3-1 and BL3-2 during trusted firmware build. Specifying BLx = <path_to_BLx>
in the build command line, where 'x' is any one of BL2, BL3-1 or BL3-2, will
skip building that BL stage from source and include the specified binary in
final fip image.
This patch also makes BL3-3 binary for FIP optional depending on the
value of 'NEED_BL33' flag which is defined by the platform.
FixesARM-software/tf-issues#244FixesARM-software/tf-issues#245
Change-Id: I3ebe1d4901f8b857e8bb51372290978a3323bfe7
* Fix broken link to SCP download.
* Remove requirement to install `ia32-libs`. This package is no
longer available in current versions of Ubuntu and is no
longer required when using the Linaro toolchain.
Change-Id: I9823d535a1d69136685754b7707b73e1eef0978d
This patch gathers miscellaneous minor fixes to the documentation, and comments
in the source code.
Change-Id: I631e3dda5abafa2d90f464edaee069a1e58b751b
Co-Authored-By: Soby Mathew <soby.mathew@arm.com>
Co-Authored-By: Dan Handley <dan.handley@arm.com>
This patch makes the Trusted Firmware build instructions in the
user guide platform independent.
FVP specific instructions have been grouped together under a new
section dedicated to FVP.
Juno specific instructions to build and run the Trusted Firmware,
UEFI and Linux have been added.
Change-Id: I9bfb1b9d732b1f73abbe29f68ac931e1773a4fd5
Fix the instructions for resetting to the BL3-1 entrypoint in the
user guide. The BL3-1 and BL3-2 image locations changed in the fix
to ARM-software/tf-issues#100 (commit 186c1d4). This is distinct
from the similar issue fixed in commit bfb1dd5.
Also clarify the dependence on the FVP_SHARED_DATA_LOCATION and
FVP_TSP_RAM_LOCATION build options, and tidy up the "Notes
regarding Base FVP configuration options" section.
Change-Id: I6b03452a71f0c69efa169852712bcb184242696e
Move up the version numbers of the following Trusted Firmware
dependencies in the user guide:
* Foundation and Base FVPs (latest publically available
versions).
* EDK2 implementation. The guide now uses the latest version from
https://github.com/ARM-software/edk2.git. This requires the
`iasl` package to also be installed.
* Linux kernel. The guide now uses the latest version from
https://github.com/ARM-software/linux.git.
* Linaro OpenEmbedded file system.
* ARM Development Studio 5.
Change-Id: I95bb863a61e47b9ef8be3d110f7087375ee78add
This patch groups the current contents of the Trusted DRAM region at
address 0x00_0600_0000 (entrypoint mailboxes and BL3-1 parameters) in
a single shared memory area that may be allocated to Trusted SRAM
(default) or Trusted DRAM at build time by setting the
FVP_SHARED_DATA_LOCATION make variable. The size of this shared
memory is 4096 bytes.
The combination 'Shared data in Trusted SRAM + TSP in Trusted DRAM'
is not currently supported due to restrictions in the maximum number
of mmu tables that can be created.
Documentation has been updated to reflect these changes.
FixesARM-software/tf-issues#100
Change-Id: I26ff04d33ce4cacf8d770d1a1e24132b4fc53ff0
Fix the instructions for resetting to the BL3-1 entrypoint in the
user guide. The BL3-1 and BL3-2 image locations changed in the fix
to ARM-software/tf-issues#117 (commit a1b6db6).
FixesARM-software/tf-issues#237
Change-Id: I764eb17c66034511efb984c0e7cfda29bd99198f
Create new LOG_LEVEL build option, which controls the amount of
console output compiled into the build. This should be one of the
following:
0 (LOG_LEVEL_NONE)
10 (LOG_LEVEL_NOTICE)
20 (LOG_LEVEL_ERROR)
30 (LOG_LEVEL_WARNING)
40 (LOG_LEVEL_INFO)
50 (LOG_LEVEL_VERBOSE)
All log output up to and including the log level is compiled into the
build. The default value is 40 in debug builds and 20 in release
builds.
Complement the existing INFO, WARN and ERROR console output macros
with NOTICE and VERBOSE macros, which are conditionally compiled in
depending on the value of LOG_LEVEL.
FixesARM-software/tf-issues#232
Change-Id: I951e2f333e7b90fc4b1060741d9a6db699d5aa72
Secure ROM at address 0x0000_0000 is defined as FVP_TRUSTED_ROM
Secure RAM at address 0x0400_0000 is defined as FVP_TRUSTED_SRAM
Secure RAM at address 0x0600_0000 is defined as FVP_TRUSTED_DRAM
BLn_BASE and BLn_LIMIT definitions have been updated and are based on
these new memory regions.
The available memory for each bootloader in the linker script is
defined by BLn_BASE and BLn_LIMIT, instead of the complete memory
region.
TZROM_BASE/SIZE and TZRAM_BASE/SIZE are no longer required as part of
the platform porting.
FVP common definitions are defined in fvp_def.h while platform_def.h
contains exclusively (with a few exceptions) the definitions that are
mandatory in the porting guide. Therefore, platform_def.h now includes
fvp_def.h instead of the other way around.
Porting guide has been updated to reflect these changes.
Change-Id: I39a6088eb611fc4a347db0db4b8f1f0417dbab05
Tests show a slight reduction in code size compared to 13.11.
User guide updated.
FixesARM-software/tf-issues#207
Change-Id: I9b80a5d7820cdfd443cac4d4b63f925b74a8c3a3
This patch adds support for BL3-2 initialization by asynchronous
method where BL3-1 transfers control to BL3-2 using world switch.
After BL3-2 initialization, it transfers control to BL3-3 via SPD
service handler. The SPD service handler initializes the CPU context
to BL3-3 entrypoint depending on the return function indentifier from
TSP initialization.
FixesARM-software/TF-issues#184
Change-Id: I7b135c2ceeb356d3bb5b6a287932e96ac67c7a34
The patch implements a macro ASM_ASSERT() which can
be invoked from assembly code. When assertion happens,
file name and line number of the check is written
to the crash console.
FixesARM-software/tf-issues#95
Change-Id: I6f905a068e1c0fa4f746d723f18df60daaa00a86
- Add support for loading a BL3-0 image in BL2. Information about
memory extents is populated by platform-specific code. Subsequent
handling of BL3-0 is also platform specific.
The BL2 main function has been broken down to improve readability.
The BL3-2 image is now loaded before the BL3-3 image to align with
the boot flow.
- Build system: Add support for specifying a BL3-0 image that will be
included into the FIP image.
- IO FIP driver: Add support for identifying a BL3-0 image inside a
FIP image.
- Update the documentation to reflect the above changes.
Change-Id: I067c184afd52ccaa86569f13664757570c86fc48
Refactor the FVP gic code in plat/fvp/fvp_gic.c to be a generic ARM
GIC driver in drivers/arm/gic/arm_gic.c. Provide the platform
specific inputs in the arm_gic_setup() function so that the driver
has no explicit dependency on platform code.
Provide weak implementations of the platform interrupt controller
API in a new file, plat/common/plat_gic.c. These simply call through
to the ARM GIC driver.
Move the only remaining FVP GIC function, fvp_gic_init() to
plat/fvp/aarch64/fvp_common.c and remove plat/fvp/fvp_gic.c
FixesARM-software/tf-issues#182
Change-Id: Iea82fe095fad62dd33ba9efbddd48c57717edd21
This patch makes the console crash dump of processor register
state optional based on the CRASH_REPORTING make variable.
This defaults to only being enabled for DEBUG builds. This can
be overridden by setting a different value in the platform
makefile or on the make command line.
Change-Id: Icfa1b2d7ff0145cf0a85e8ad732f9cee7e7e993f
Update documentation with BL3-1 hardening interface
changes and for using BL3-1 as a reset vector feature
Change-Id: Iafdd05e7a8e66503409f2acc934372efef5bc51b
Update the Linux kernel, Linaro file system, FVP and DS-5 versions used for the
v0.4 release in user-guide.md.
Change-Id: I2265fc17c229d4b8cc52165d6583a4a579cdcee3
This patch adds a common handler for FIQ and IRQ exceptions in the
BL3-1 runtime exception vector table. This function determines the
interrupt type and calls its handler. A crash is reported if an
inconsistency in the interrupt management framework is detected. In
the event of a spurious interrupt, execution resumes from the
instruction where the interrupt was generated.
This patch also removes 'cm_macros.S' as its contents have been moved
to 'runtime_exceptions.S'
Change-Id: I3c85ecf8eaf43a3fac429b119ed0bd706d2e2093
This patch introduces a framework for registering interrupts routed to
EL3. The interrupt routing model is governed by the SCR_EL3.IRQ and
FIQ bits and the security state an interrupt is generated in. The
framework recognizes three type of interrupts depending upon which
exception level and security state they should be handled in
i.e. Secure EL1 interrupts, Non-secure interrupts and EL3
interrupts. It provides an API and macros that allow a runtime service
to register an handler for a type of interrupt and specify the routing
model. The framework validates the routing model and uses the context
management framework to ensure that it is applied to the SCR_EL3 prior
to entry into the target security state. It saves the handler in
internal data structures. An API is provided to retrieve the handler
when an interrupt of a particular type is asserted. Registration is
expected to be done once by the primary CPU. The same handler and
routing model is used for all CPUs.
Support for EL3 interrupts will be added to the framework in the
future. A makefile flag has been added to allow the FVP port choose
between ARM GIC v2 and v3 support in EL3. The latter version is
currently unsupported.
A framework for handling interrupts in BL3-1 will be introduced in
subsequent patches. The default routing model in the absence of any
handlers expects no interrupts to be routed to EL3.
Change-Id: Idf7c023b34fcd4800a5980f2bef85e4b5c29e649
Add a section in the user guide explaining how to compile the TSP
image and include it into the FIP. This includes instructions to make
the TSP run from Trusted DRAM (rather than Trusted SRAM) on FVP.
Change-Id: I04780757a149eeb5482a12a61e821be947b882c0
TZC-400 is configured to set the last 16MB of DRAM1 as secure memory and
the rest of DRAM as non-secure. Non-secure software must not attempt to
access the 16MB secure area.
Device tree files (sources and binaries) have been updated to match this
configuration, removing that memory from the Linux physical memory map.
To use UEFI and Linux with this patch, the latest version of UEFI and
the updated device tree files are required. Check the user guide in the
documentation for more details.
Replaced magic numbers with #define for memory region definition in the
platform security initialization function.
FixesARM-software/tf-issues#149
Change-Id: Ia5d070244aae6c5288ea0e6c8e89d92859522bfe
At present, non-secure timer register contents are saved and restored as
part of world switch by BL3-1. This effectively means that the
non-secure timer stops, and non-secure timer interrupts are prevented
from asserting until BL3-1 switches back, introducing latency for
non-secure services. Often, secure world might depend on alternate
sources for secure interrupts (secure timer or platform timer) instead
of non-secure timers, in which case this save and restore is
unnecessary.
This patch introduces a boolean build-time configuration NS_TIMER_SWITCH
to choose whether or not to save and restore non-secure timer registers
upon world switch. The default choice is made not to save and restore
them.
FixesARM-software/tf-issues#148
Change-Id: I1b9d623606acb9797c3e0b02fb5ec7c0a414f37e
If a platform doesn't specify a BLx_SOURCE variable, then building
of the corresponding bootloader isn't attempted. Also allow BL3-3 to
be omitted from the FIP.
Note, this change also removes support for PLAT=all and the 'fip' target
from the 'all' recipe.
FixesARM-software/tf-issues#30
Change-Id: Ibdfead0440256eaf364617ecff65290ca6fe6240
Signed-off-by: Jon Medhurst <tixy@linaro.org>
Move the firmware design documentation out of user-guide.md
and into a new file - firmware-design.md. Reformat the
section headers.
Change-Id: I664815dd47011c7c1cf2202aa4472a8fd78ebb92
1. Update user-guide.md with the latest versions of dependent
components required by the tested configurations of ARM Trusted
Firmware. This includes the tested versions of Fixed Virtual
Platforms (FVPs), toolchain, EFI Development Kit 2(EDK2),
Linux kernel and Linux file system.
2. Remove the instructions to configure the Cortex Base FVP
with the legacy GICv2 memory map as this is no longer supported
since version 5.3 of the Base FVPs.
3. General tidyup of "Using the software" section.
Change-Id: If8264cd29036b59dc5ff435b5f8b1d072dd36ef0
danh-arm
Soby Mathew
Juan Castillo
Sandrine Bailleux
Joakim Bech
Vikram Kanigiri
Andrew Thoelke
Achin Gupta
Jeenu Viswambharan
Harry Liebel
Jon Medhurst