Commit Graph

5999 Commits

Author SHA1 Message Date
Dan Handley c6bc071020 Remove extern keyword from function declarations
Function declarations implicitly have external linkage so do not
need the extern keyword.

Change-Id: Ia0549786796d8bf5956487e8996450a0b3d79f32
2014-05-23 12:15:54 +01:00
Andrew Thoelke f53d0fce3f Merge pull request #101 from sandrine-bailleux:sb/tf-issue-81-v2 2014-05-23 12:14:37 +01:00
Sandrine Bailleux 638363eb5f doc: Update information about the memory layout
Rework the "Memory layout on FVP platforms" section in the Firmware
Design document. Add information about where the TSP image fits
in the memory layout when present.

Add documentation for the base addresses of each bootloader image
in the porting guide.

Change-Id: I4afb2605e008a1cb28c44a697804f2cb6bb4c9aa
2014-05-23 11:05:44 +01:00
Sandrine Bailleux a37255a205 Make the memory layout more flexible
Currently the platform code gets to define the base address of each
boot loader image. However, the linker scripts counteract this
flexibility by enforcing a fixed overall layout of the different
images. For example, they require that the BL3-1 image sits below
the BL2 image. Choosing BL3-1 and BL2 base addresses in such a way
that it violates this constraint makes the build fail at link-time.

This patch requires the platform code to now define a limit address
for each image. The linker scripts check that the image fits within
these bounds so they don't rely anymore on the position of a given
image in regard to the others.

Fixes ARM-software/tf-issues#163

Change-Id: I8c108646825da19a6a8dfb091b613e1dd4ae133c
2014-05-23 11:05:44 +01:00
Sandrine Bailleux 4f59d8359f Make BL1 RO and RW base addresses configurable
BL1 RO and RW base address used to be fixed, respectively to the first
address of the Trusted ROM and the first address of the Trusted RAM.

Introduce new platform defines to configure the BL1 RO and RW base
addresses.

Change-Id: If26616513a47798593a4bb845a4b0fb37c867cd6
2014-05-23 11:05:44 +01:00
Andrew Thoelke 8957fc76aa Merge pull request #104 from athoelke:at/tsp-entrypoints-v2 2014-05-23 11:00:04 +01:00
Andrew Thoelke 65335d45f5 Merge pull request #105 from athoelke:sm/support_normal_irq_in_tsp-v2 2014-05-23 11:00:04 +01:00
Andrew Thoelke 8545a8744b Merge pull request #102 from achingupta:ag/tf-issues#104-v2 2014-05-23 11:00:04 +01:00
Andrew Thoelke 9253530279 Merge pull request #100 from jcastillo-arm:jc/tf-issues/149-v4 2014-05-23 11:00:04 +01:00
Andrew Thoelke 659a670132 Merge pull request #101 from sandrine-bailleux:sb/tf-issue-81-v2 2014-05-23 11:00:04 +01:00
Andrew Thoelke b3bcbcf1de Merge pull request #103 from athoelke:dh/tf-issues#68-v3 2014-05-23 11:00:04 +01:00
Andrew Thoelke db0de0eb50 Merge pull request #99 from vikramkanigiri:vk/tf-issues-133_V3 2014-05-23 11:00:04 +01:00
Andrew Thoelke 3ea8540d3c Merge pull request #67 from achingupta:ag/psci_standby_bug_fix 2014-05-23 11:00:04 +01:00
Andrew Thoelke 445fe84f98 Limit BL3-1 read/write access to SRAM
At present BL3-1 has access to all of the SRAM, including
regions that are mapped as read-only and non-cacheable by other
firmware images.

This patch restricts BL3-1 to only be able to read/write from
memory used for its own data sections

Change-Id: I26cda1b9ba803d91a9eacda768f3ce7032c6db94

Conflicts:

	plat/fvp/bl31_plat_setup.c
2014-05-23 08:53:03 +01:00
Andrew Thoelke 399fb08fff Use a vector table for TSP entrypoints
The TSP has a number of entrypoints used by the TSP on different
occasions. These were provided to the TSPD as a table of function
pointers, and required the TSPD to read the entry in the table,
which is in TSP memory, in order to program the exception return
address.

Ideally, the TSPD has no access to the TSP memory.

This patch changes the table of function pointers into a vector
table of single instruction entrypoints. This allows the TSPD to
calculate the entrypoint address instead of read it.

Fixes ARM-software/tf-issues#160

Change-Id: Iec6e055d537ade78a45799fbc6f43765a4725ad3
2014-05-23 08:49:36 +01:00
Soby Mathew 239b04fa31 Non-Secure Interrupt support during Standard SMC processing in TSP
Implements support for Non Secure Interrupts preempting the
Standard SMC call in EL1. Whenever an IRQ is trapped in the
Secure world we securely handover to the Normal world
to process the interrupt. The normal world then issues
"resume" smc call to resume the previous interrupted SMC call.
Fixes ARM-software/tf-issues#105

Change-Id: I72b760617dee27438754cdfc9fe9bcf4cc024858
2014-05-23 08:46:21 +01:00
Dan Handley 1151c82101 Allow BL3-2 platform definitions to be optional
The generic image loading and IO FIP code no longer forces the
platform to create BL3-2 (Secure-EL1 Payload) specific
definitions. The BL3-2 loading code in bl2/bl2main.c is wrapped
by a #ifdef BL32_BASE block, allowing the BL3-2 definitions to
be optional. Similarly for the name_uuid array definition in
drivers/io/io_fip.c.

Also update the porting guide to reflect this change.

The BL3-2 platform definitions remain non-configurably present
in the FVP port.

Fixes ARM-software/tf-issues#68

Change-Id: Iea28b4e94d87a31f5522f271e290919a8a955460
2014-05-22 23:15:36 +01:00
Achin Gupta a20a81e5b4 Enable secure timer to generate S-EL1 interrupts
This patch enables secure physical timer during TSP initialisation and
maintains it across power management operations so that a timer
interrupt is generated every half second.

Fixes ARM-software/tf-issues#104
Fixes ARM-software/tf-issues#134

Change-Id: I66c6cfd24bd5e6035ba75ebf0f047e568770a369
2014-05-22 17:54:53 +01:00
Achin Gupta b44a4435c9 Add S-EL1 interrupt handling support in the TSPD
This patch adds support in the TSPD for registering a handler for
S-EL1 interrupts. This handler ferries the interrupts generated in the
non-secure state to the TSP at 'tsp_fiq_entry'. Support has been added
to the smc handler to resume execution in the non-secure state once
interrupt handling has been completed by the TSP.

There is also support for resuming execution in the normal world if
the TSP receives an EL3 interrupt. This code is currently unused.

Change-Id: I816732595a2635e299572965179f11aa0bf93b69
2014-05-22 17:54:46 +01:00
Achin Gupta 57356e9094 Add support for asynchronous FIQ handling in TSP
This patch adds support in the TSP to handle FIQ interrupts that are
generated when execution is in the TSP. S-EL1 interrupts are handled
normally and execution resumes at the instruction where the exception
was originally taken. S-EL3 interrupts i.e. any interrupt not
recognized by the TSP are handed to the TSPD. Execution resumes
normally once such an interrupt has been handled at EL3.

Change-Id: Ia3ada9a4fb15670afcc12538a6456f21efe58a8f
2014-05-22 17:48:38 +01:00
Achin Gupta 6cf8902131 Add support for synchronous FIQ handling in TSP
This patch adds support in the TSP for handling S-EL1 interrupts
handed over by the TSPD. It includes GIC support in its platform port,
updates various statistics related to FIQ handling, exports an entry
point that the TSPD can use to hand over interrupts and defines the
handover protocol w.r.t what context is the TSP expected to preserve
and the state in which the entry point is invoked by the TSPD.

Change-Id: I93b22e5a8133400e4da366f5fc862f871038df39
2014-05-22 17:48:36 +01:00
Achin Gupta fa9c08b7d1 Use secure timer to generate S-EL1 interrupts
This patch adds support in the TSP to program the secure physical
generic timer to generate an EL-1 interrupt every half second. It also
adds support for maintaining the timer state across power management
operations. The TSPD ensures that S-EL1 can access the timer by
programming the SCR_EL3.ST bit.

This patch does not actually enable the timer. This will be done in a
subsequent patch once the complete framework for handling S-EL1
interrupts is in place.

Change-Id: I1b3985cfb50262f60824be3a51c6314ce90571bc
2014-05-22 17:47:20 +01:00
Achin Gupta dce74b891e Introduce interrupt handling framework in BL3-1
This patch adds a common handler for FIQ and IRQ exceptions in the
BL3-1 runtime exception vector table. This function determines the
interrupt type and calls its handler. A crash is reported if an
inconsistency in the interrupt management framework is detected. In
the event of a spurious interrupt, execution resumes from the
instruction where the interrupt was generated.

This patch also removes 'cm_macros.S' as its contents have been moved
to 'runtime_exceptions.S'

Change-Id: I3c85ecf8eaf43a3fac429b119ed0bd706d2e2093
2014-05-22 17:47:19 +01:00
Achin Gupta dcc1816c91 Introduce platform api to access an ARM GIC
This patch introduces a set of functions which allow generic firmware
code e.g. the interrupt management framework to access the platform
interrupt controller. APIs for finding the type and id of the highest
pending interrupt, acknowledging and EOIing an interrupt and finding
the security state of an interrupt have been added. It is assumed that
the platform interrupt controller implements the v2.0 of the ARM GIC
architecture specification. Support for v3.0 of the specification for
managing interrupts in EL3 and the platform port will be added in the
future.

Change-Id: Ib3a01c2cf3e3ab27806930f1be79db2b29f91bcf
2014-05-22 17:47:19 +01:00
Achin Gupta e1333f753f Introduce interrupt registration framework in BL3-1
This patch introduces a framework for registering interrupts routed to
EL3. The interrupt routing model is governed by the SCR_EL3.IRQ and
FIQ bits and the security state an interrupt is generated in. The
framework recognizes three types of interrupts depending upon which
exception level and security state they should be handled in
i.e. Secure EL1 interrupts, Non-secure interrupts and EL3
interrupts. It provides an API and macros that allow a runtime service
to register a handler for a type of interrupt and specify the routing
model. The framework validates the routing model and uses the context
management framework to ensure that it is applied to the SCR_EL3 prior
to entry into the target security state. It saves the handler in
internal data structures. An API is provided to retrieve the handler
when an interrupt of a particular type is asserted. Registration is
expected to be done once by the primary CPU. The same handler and
routing model is used for all CPUs.

Support for EL3 interrupts will be added to the framework in the
future. A makefile flag has been added to allow the FVP port choose
between ARM GIC v2 and v3 support in EL3. The latter version is
currently unsupported.

A framework for handling interrupts in BL3-1 will be introduced in
subsequent patches. The default routing model in the absence of any
handlers expects no interrupts to be routed to EL3.

Change-Id: Idf7c023b34fcd4800a5980f2bef85e4b5c29e649
2014-05-22 17:46:56 +01:00
Achin Gupta c429b5e932 Add context library API to change a bit in SCR_EL3
This patch adds an API to write to any bit in the SCR_EL3 member of
the 'cpu_context' structure of the current CPU for a specified
security state. This API will be used in subsequent patches which
introduce interrupt management in EL3 to specify the interrupt routing
model when execution is not in EL3.

It also renames the cm_set_el3_elr() function to cm_set_elr_el3()
which is more in line with the system register name being targeted by
the API.

Change-Id: I310fa7d8f827ad3f350325eca2fb28cb350a85ed
2014-05-22 17:45:59 +01:00
Achin Gupta 3ee8a16402 Rework 'state' field usage in per-cpu TSP context
This patch lays the foundation for using the per-cpu 'state' field in
the 'tsp_context' structure for other flags apart from the power state
of the TSP.

It allocates 2 bits for the power state, introduces the necessary
macros to manipulate the power state in the 'state' field and
accordingly reworks all use of the TSP_STATE_* states.

It also allocates a flag bit to determine if the TSP is handling a
standard SMC. If this flag is set then the TSP was interrupted due to
non-secure or EL3 interrupt depending upon the chosen routing
model. Macros to get, set and clear this flag have been added as
well. This flag will be used by subsequent patches.

Change-Id: Ic6ee80bd5895812c83b35189cf2c3be70a9024a6
2014-05-22 17:45:59 +01:00
Sandrine Bailleux f860e2cf94 Doc: Add the "Building the Test Secure Payload" section
Add a section in the user guide explaining how to compile the TSP
image and include it into the FIP. This includes instructions to make
the TSP run from Trusted DRAM (rather than Trusted SRAM) on FVP.

Change-Id: I04780757a149eeb5482a12a61e821be947b882c0
2014-05-22 17:30:58 +01:00
Sandrine Bailleux 53514b2909 fvp: Move TSP from Secure DRAM to Secure SRAM
The TSP used to execute from secure DRAM on the FVPs because there was
not enough space in Trusted SRAM to fit it in. Thanks to recent RAM
usage enhancements being implemented, we have made enough savings for
the TSP to execute in SRAM.

However, there is no contiguous free chunk of SRAM big enough to hold
the TSP. Therefore, the different bootloader images need to be moved
around to reduce memory fragmentation. This patch keeps the overall
memory layout (i.e. keeping BL1 R/W at the bottom, BL2 at the top and
BL3-1 in between) but moves the base addresses of all the bootloader
images in such a way that:
 - memory fragmentation is reduced enough to fit BL3-2 in;
 - new base addresses are suitable for release builds as well as debug
   ones;
 - each image has a few extra kilobytes for future growth.
   BL3-1 and BL3-2 are the images which received the biggest slice
   of the cake since they will most probably grow the most.

A few useful numbers for reference (valid at the time of this patch):
        |-----------------------|-------------------------------
        |  image size (debug)   |  extra space for the future
--------|-----------------------|-------------------------------
BL1 R/W |         20 KB         |            4 KB
BL2     |         44 KB         |            4 KB
BL3-1   |        108 KB         |           12 KB
BL3-2   |         56 KB         |            8 KB
--------|-----------------------|-------------------------------
Total   |        228 KB         |           28 KB       = 256 KB
--------|-----------------------|-------------------------------

Although on FVPs the TSP now executes from Trusted SRAM by default,
this patch keeps the option to execute it from Trusted DRAM. This is
controlled by the build configuration 'TSP_RAM_LOCATION'.

Fixes ARM-Software/tf-issues#81

Change-Id: Ifb9ef2befa9a2d5ac0813f7f79834df7af992b94
2014-05-22 17:30:58 +01:00
Sandrine Bailleux 2467f70fde TSP: Let the platform decide which secure memory to use
The TSP's linker script used to assume that the TSP would
execute from secure DRAM. Although it is currently the case
on FVPs, platforms are free to use any secure memory they wish.

This patch introduces the flexibility to load the TSP into any
secure memory. The platform code gets to specify the extents of
this memory in the platform header file, as well as the BL3-2 image
limit address. The latter definition allows to check in a generic way
that the BL3-2 image fits in its bounds.

Change-Id: I9450f2d8b32d74bd00b6ce57a0a1542716ab449c
2014-05-22 17:30:58 +01:00
Juan Castillo 364daf9320 Reserve some DDR DRAM for secure use on FVP platforms
TZC-400 is configured to set the last 16MB of DRAM1 as secure memory and
the rest of DRAM as non-secure. Non-secure software must not attempt to
access the 16MB secure area.

Device tree files (sources and binaries) have been updated to match this
configuration, removing that memory from the Linux physical memory map.

To use UEFI and Linux with this patch, the latest version of UEFI and
the updated device tree files are required. Check the user guide in the
documentation for more details.

Replaced magic numbers with #define for memory region definition in the
platform security initialization function.

Fixes ARM-software/tf-issues#149

Change-Id: Ia5d070244aae6c5288ea0e6c8e89d92859522bfe
2014-05-22 17:27:28 +01:00
Vikram Kanigiri dbad1bacba Add support for BL3-1 as a reset vector
This change adds optional reset vector support to BL3-1
which means BL3-1 entry point can detect cold/warm boot,
initialise primary cpu, set up cci and mail box.

When using BL3-1 as a reset vector it is assumed that
the BL3-1 platform code can determine the location of
the BL3-2 images, or load them as there are no parameters
that can be passed to BL3-1 at reset.

It also fixes the incorrect initialisation of mailbox
registers on the FVP platform

This feature can be enabled by building the code with
make variable RESET_TO_BL31 set as 1

Fixes ARM-software/TF-issues#133
Fixes ARM-software/TF-issues#20

Change-Id: I4e23939b1c518614b899f549f1e8d412538ee570
2014-05-22 16:25:09 +01:00
Vikram Kanigiri 6871c5d3a2 Rework memory information passing to BL3-x images
The issues addressed in this patch are:

1. Remove meminfo_t from the common interfaces in BL3-x,
expecting that platform code will find a suitable mechanism
to determine the memory extents in these images and provide
it to the BL3-x images.

2. Remove meminfo_t and bl31_plat_params_t from all FVP BL3-x
code as the images use link-time information to determine
memory extents.

meminfo_t is still used by common interface in BL1/BL2 for
loading images

Change-Id: I4e825ebf6f515b59d84dc2bdddf6edbf15e2d60f
2014-05-22 16:19:32 +01:00
Vikram Kanigiri 4112bfa0c2 Populate BL31 input parameters as per new spec
This patch is based on spec published at
https://github.com/ARM-software/tf-issues/issues/133

It rearranges the bl31_args struct into
bl31_params and bl31_plat_params which provide the
information needed for Trusted firmware and platform
specific data via x0 and x1

On the FVP platform BL3-1 params and BL3-1 plat params
and its constituents are stored at the start of TZDRAM.

The information about memory availability and size for
BL3-1, BL3-2 and BL3-3 is moved into platform specific data.

Change-Id: I8b32057a3d0dd3968ea26c2541a0714177820da9
2014-05-22 16:14:19 +01:00
Vikram Kanigiri 29fb905d5f Rework handover interface between BL stages
This patch reworks the handover interface from: BL1 to BL2 and
BL2 to BL3-1. It removes the raise_el(), change_el(), drop_el()
and run_image() functions as they catered for code paths that were
never exercised.
BL1 calls bl1_run_bl2() to jump into BL2 instead of doing the same
by calling run_image(). Similarly, BL2 issues the SMC to transfer
execution to BL3-1 through BL1 directly. Only x0 and x1 are used
to pass arguments to BL31. These arguments and parameters for
running BL3-1 are passed through a reference to a
'el_change_info_t' structure. They were being passed value in
general purpose registers earlier.

Change-Id: Id4fd019a19a9595de063766d4a66295a2c9307e1
2014-05-22 15:43:23 +01:00
Vikram Kanigiri 23ff9baa7e Introduce macros to manipulate the SPSR
This patch introduces macros (SPSR_64 and SPSR_32) to
create a SPSR for both aarch32 and aarch64 execution
states. These macros allow the user to set fields
in the SPSR depending upon its format.
The make_spsr() function which did not allow
manipulation of all the fields in the aarch32 SPSR
has been replaced by these new macros.

Change-Id: I9425dda0923e8d5f03d03ddb8fa0e28392c4c61e
2014-05-22 15:42:09 +01:00
Andrew Thoelke 1a4f19e36a Merge pull request #91 from linmaonly/lin_dev
Address issue 156: 64-bit addresses get truncated
2014-05-22 12:31:20 +01:00
Andrew Thoelke ba9dbd1039 Merge pull request #83 from athoelke/at/tf-issues-126
Set SCR_EL3.RW correctly before exiting bl31_main
2014-05-22 12:30:37 +01:00
Andrew Thoelke 39f6a68bd1 Merge pull request #85 from hliebel/hl/bl30-doc
Improve BL3-0 documentation
2014-05-22 12:28:05 +01:00
Lin Ma 444281cc41 Address issue 156: 64-bit addresses get truncated
Addresses were declared as "unsigned int" in drivers/arm/peripherals/pl011/pl011.h and in function init_xlation_table. Changed to use "unsigned long" instead
Fixes ARM-software/tf-issues#156
2014-05-20 11:25:55 -07:00
Harry Liebel 36eb6a7552 Improve BL3-0 documentation
Provide some information about the expected use of BL3-0.

Fixes ARM-software/tf-issues#144

Change-Id: I5c8d59a675578394be89481ae4ec39ca37522750
2014-05-19 14:28:53 +01:00
Andrew Thoelke ec786cbca9 Merge pull request #78 from jeenuv:tf-issues-148 2014-05-19 12:54:05 +01:00
Jeenu Viswambharan 2da8d8bfc0 Add build configuration for timer save/restore
At present, non-secure timer register contents are saved and restored as
part of world switch by BL3-1. This effectively means that the
non-secure timer stops, and non-secure timer interrupts are prevented
from asserting until BL3-1 switches back, introducing latency for
non-secure services. Often, secure world might depend on alternate
sources for secure interrupts (secure timer or platform timer) instead
of non-secure timers, in which case this save and restore is
unnecessary.

This patch introduces a boolean build-time configuration NS_TIMER_SWITCH
to choose whether or not to save and restore non-secure timer registers
upon world switch. The default choice is made not to save and restore
them.

Fixes ARM-software/tf-issues#148

Change-Id: I1b9d623606acb9797c3e0b02fb5ec7c0a414f37e
2014-05-16 17:11:31 +01:00
Jeenu Viswambharan c3c1e9b0ab Document summary of build options in user guide
Change-Id: I6bd077955bf3780168a874705974bbe72ea0f5f1
2014-05-16 17:11:31 +01:00
Jeenu Viswambharan e35c404599 Reorganize build options
At present, various build options are initialized at various places in
the Makefile. This patch gathers all build option declarations at the
top of the Makefile and assigns them default values.

Change-Id: I9f527bc8843bf69c00cb754dc60377bdb407a951
2014-05-16 17:11:31 +01:00
Jeenu Viswambharan 289e0dadbd Introduce convenience functions to build
This patch introduces two convenience functions to the build system:

  - assert_boolean: asserts that a given option is assigned either 0 or
    1 as values

  - add_define: helps add/append macro definitions to build tool command
    line. This also introduces the variable DEFINES which is used to
    collect and pass all relevant configurations to build tools

Change-Id: I3126894b034470d39858ebb3bd183bda681c7126
2014-05-16 17:11:27 +01:00
Andrew Thoelke bb5ffdba18 Set SCR_EL3.RW correctly before exiting bl31_main
SCR_EL3.RW was not updated immediately before exiting bl31_main() and
running BL3-3. If an AArch32 Secure-EL1 Payload had just been
initialised, then the SCR_EL3.RW bit would be left indicating a
32-bit BL3-3, which may not be correct.

This patch explicitly sets SCR_EL3.RW appropriately based on the
provided SPSR_EL3 value for the BL3-3 image.

Fixes ARM-software/tf-issues#126

Change-Id: Ic7716fe8bc87e577c4bfaeb46702e88deedd9895
2014-05-16 15:38:04 +01:00
Soby Mathew a43d431b80 Rework BL3-1 unhandled exception handling and reporting
This patch implements the register reporting when unhandled exceptions are
taken in BL3-1. Unhandled exceptions will result in a dump of registers
to the console, before halting execution by that CPU. The Crash Stack,
previously called the Exception Stack, is used for this activity.
This stack is used to preserve the CPU context and runtime stack
contents for debugging and analysis.

This also introduces the per_cpu_ptr_cache, referenced by tpidr_el3,
to provide easy access to some of BL3-1 per-cpu data structures.
Initially, this is used to provide a pointer to the Crash stack.

panic() now prints the error file and line number in Debug mode
and prints the PC value in release mode.

The Exception Stack is renamed to Crash Stack with this patch.
The original intention of exception stack is no longer valid
since we intend to support several valid exceptions like IRQ
and FIQ in the trusted firmware context. This stack is now
utilized for dumping and reporting the system state when a
crash happens and hence the rename.

Fixes ARM-software/tf-issues#79 Improve reporting of unhandled exception

Change-Id: I260791dc05536b78547412d147193cdccae7811a
2014-05-16 14:51:00 +01:00
Andrew Thoelke c5c9b69c13 Merge pull request #71 from sandrine-bailleux:sb/fix-tsp-fvp-makefile 2014-05-16 12:27:33 +01:00
Andrew Thoelke ef27980d71 Merge pull request #69 from sandrine-bailleux:sb/split-mmu-fcts-per-el 2014-05-16 12:26:26 +01:00