Change arm_setup_page_tables() to take a variable number of memory
regions. Remove coherent memory region from BL1, BL2 and BL2U as
their coherent memory region doesn't contain anything and
therefore has a size of 0. Add check to ensure this
doesn't change without us knowing.
Change-Id: I790054e3b20b056dda1043a4a67bd7ac2d6a3bc0
Signed-off-by: Daniel Boulby <daniel.boulby@arm.com>
OP-TEE loading is optional on Developerbox controlled via SCP
firmware. To check if OP-TEE is loaded or not, we use DRAM1 region
info passed by SCP firmware.
Signed-off-by: Sumit Garg <sumit.garg@linaro.org>
Reviewed-by: Daniel Thompson <daniel.thompson@linaro.org>
This also gets rid of MISRA violations for Rule 8.3 and 8.4.
Change-Id: I45bba011b16f90953dd4b260fcd58381f978eedc
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
BL1 is used in recovery mode on HiKey. The TBB implementation
on HiKey is in BL2. It means that user need to build ATF BL2
with TBB and ATF BL1 with non-TBB. It's inconvenient.
So include TBB in BL1, too.
Signed-off-by: Teddy Reed <teddy@prosauce.org>
Signed-off-by: Victor Chong <victor.chong@linaro.org>
Signed-off-by: Haojian Zhuang <haojian.zhuang@linaro.org>
External Aborts while executing in EL3 is fatal in nature. This patch
allows for the platform to define a handler for External Aborts received
while executing in EL3. A default implementation is added which falls
back to platform unhandled exception.
Change-Id: I466f2c8113a33870f2c7d2d8f2bf20437d9fd354
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
Double fault is when the PE receives another error whilst one is being
handled. To detect double fault condition, a per-CPU flag is introduced
to track the status of error handling. The flag is checked/modified
while temporarily masking external aborts on the PE.
This patch routes double faults to a separate platform-defined handler.
Change-Id: I70e9b7ba4c817273c55a0af978d9755ff32cc702
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
Uncontainable errors are the most severe form of errors, which typically
mean that the system state can't be trusted any more. This further means
that normal error recovery process can't be followed, and an orderly
shutdown of the system is often desirable.
This patch allows for the platform to define a handler for Uncontainable
errors received. Due to the nature of Uncontainable error, the handler
is expected to initiate an orderly shutdown of the system, and therefore
is not expected to return. A default implementation is added which falls
back to platform unhandled exception.
Also fix ras_arch.h header guards.
Change-Id: I072e336a391a0b382e77e627eb9e40729d488b55
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
Add support for A8K platform boards
Change-Id: Ife025d930d2ab6cabbc13bbe19b2273cc1c938c8
Signed-off-by: Hanna Hawa <hannah@marvell.com>
Signed-off-by: Konstantin Porotchkin <kostap@marvell.com>
Add common Marvell ARMADA platform components.
This patch also includes common components for Marvell
ARMADA 8K platforms.
Change-Id: I42192fdc6525a42e46b3ac2ad63c83db9bcbfeaf
Signed-off-by: Hanna Hawa <hannah@marvell.com>
Signed-off-by: Konstantin Porotchkin <kostap@marvell.com>
Define the values as unsigned int or unsigned long long based on the
actual size of the register. This prevents subtle issues caused by
having a type that is too small. For example:
#define OPTION_ENABLE 0x3
#define OPTION_SHIFT 32
uint64_t mask = OPTION_ENABLE << OPTION_SHIFT;
Because OPTION_ENABLE fits in an int, the value is considered an int.
This means that, after shifting it 32 places to the left, the final
result is 0. The correct way to define the values is:
#define OPTION_ENABLE ULL(0x3)
#define OPTION_SHIFT U(32)
In this case, the compiler is forced to use a 64 bit value from the
start, so shifting it 32 places to the left results in the expected
value.
Change-Id: Ieaf2ffc2d8caa48c622db011f2aef549e713e019
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
The Non-secure DRAM region shouldn't be protected in the range specified
in the Linux command line with memmap.
This change also increases the size of the Secure DRAM region.
Change-Id: I306e9e443a84b834c99739f54a534a3ca3be2424
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
This option allows the Trusted Firmware to pass the correct arguments to
a 32 or 64-bit Linux kernel without the need of an intermediate loader
such as U-Boot.
Change-Id: I2b22e8933fad6a614588ace559f893e97329801f
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
FIQs shouldn't be used at all as long as the interrupt routing doesn't
support them properly.
Change-Id: Ib1db7b523a62de2035d41197bc791048337cf791
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Remove unused variable and set the secure entrypoint correctly.
Change-Id: I7447ea62771092de6be35704077ae28c519d6993
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
It uses the hardware RNG in a similar way as Juno (it gets 128 bits of
entropy and does xor on them).
It is disabled by default.
Change-Id: I8b3adb61f5a5623716e0e8b6799404c68dd94c60
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Note that this is a non-secure RNG. This is only useful for educational
purposes.
Change-Id: If359c8d0f755ef8e416986de7fbca34679a523e1
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
There is no way to boot BL31 at the addresses specified in the platform
memory map unless an extra loader is used at address 0x00000000. It is
better to remove it to prevent confusion. Having it enabled was a bug.
Change-Id: I3229fbc080f5996cff47efce8e799bae94e0d5cb
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Implement VideoCore mailbox interface driver and use it to get the board
revision identifier.
For now it is only used to print the model for debug purposes.
This wiki contains the documentation of the mailbox interface:
https://github.com/raspberrypi/firmware/wiki
Change-Id: I11943b99b52cc1409f4a195ebe58eb44ae5b1d6c
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
This implementation doesn't actually turn the system off, it simply
reboots it and prevents it from booting while keeping it in a low power
mode.
Change-Id: I7f72c9f43f25ba0341db052bc2be4774c88a7ea3
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Add a new default makefile target to concatenate BL1 and the FIP and
generate armstub8.bin. This way it isn't needed to do it manually.
Documentation updated to reflect the changes.
Change-Id: Id5b5b1b7b9f87767db63fd01180ddfea855a7207
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
With commit cf24229e6e ("Run compiler on debug macros for type
checking"), the compiler will now always evaluate INFO() macro
calls, no matter the LOG_LEVEL value. Therefore, any variable
referenced in the macro has to be be defined.
Address this issue by removing the local variable and using the
expression it was assigned directly in the INFO() call.
Change-Id: Iedc23b3538c1e162372e85390881e50718e50bf3
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
Add domain suspend/resume support, Linux kernel
can "echo mem > /sys/power/state" to put system
into suspend mode, all CPUs and cluster will be
powered off and can be waked up if irq pending
in GIC, tested on i.MX8QM MEK board.
Since the power state has been implemented, switch
to use standard power state for CCI operations
instead of private cpu use count in i.MX8QM.
Signed-off-by: Anson Huang <Anson.Huang@nxp.com>
Add domain off support for Linux kernel's cpu
hot-plug feature, when there are cpu off request
from Linux kernel, TF-A will send command to
system controller to do CPU power gate accordingly,
tested on i.MX8QM MEK board.
Signed-off-by: Anson Huang <Anson.Huang@nxp.com>
Add system reset support for i.MX8QM,
when Linux kernel issues "reboot" command,
TF-A will send command to inform system
controller to reset whole board according
to board design, tested on i.MX8QM MEK board.
Signed-off-by: Anson Huang <Anson.Huang@nxp.com>
Add system power off support for i.MX8QM,
when Linux kernel issues "poweroff" command,
TF-A will send command to inform system
controller to power off whole board according
to board design, tested on i.MX8QM MEK board.
Signed-off-by: Anson Huang <Anson.Huang@nxp.com>
Add domain suspend/resume support, Linux kernel
can "echo mem > /sys/power/state" to put system
into suspend mode, all CPUs and cluster will be
powered off and can be waked up if irq pending
in GIC, tested on i.MX8QX MEK board.
Signed-off-by: Anson Huang <Anson.Huang@nxp.com>
Running optee_test failed because SEC_DRAM0_SIZE is too small. Previous
is 2 MB. We enlarge it to 11 MB for passing the test. Also we reduce
the NS_DRAM0_SIZE from 13MB to 4MB so that the whole section is still
fit in 16MB.
This commit also modified the document to reflect the changes we've
made in code.
Tested-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Signed-off-by: Ying-Chun Liu (PaulLiu) <paulliu@debian.org>
Add domain off support for Linux kernel's cpu
hot-plug feature, when there are cpu off request
from Linux kernel, TF-A will send command to
system controller to do CPU power gate accordingly.
Signed-off-by: Anson Huang <Anson.Huang@nxp.com>
Add system reset support for i.MX8QX,
when Linux kernel issues "reboot" command,
TF-A will send command to inform system
controller to reset whole board according
to board design, tested on i.MX8QX MEK board.
Signed-off-by: Anson Huang <Anson.Huang@nxp.com>
Add system power off support for i.MX8QX,
when Linux kernel issues "poweroff" command,
TF-A will send command to inform system
controller to power off whole board according
to board design, tested on i.MX8QX MEK board.
Signed-off-by: Anson Huang <Anson.Huang@nxp.com>
Implement minimal interrupt routing functions. All interrupts are
treated as non-secure interrupts to be handled by the non-secure world.
Add note to the documentation about disabling FIQs qhen using OP-TEE
with Linux.
Change-Id: I937096542d973925e43ae946c5d0b306d0d95a94
Tested-by: Ying-Chun Liu (PaulLiu) <paul.liu@linaro.org>
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
The plat_arm_mmap variable is already declared in plat_arm.h, which is
included from plat/arm/common/arm_common.c.
Similarly, plat_arm.h declares the 'plat_arm_psci_pm_ops' variable, which
does not need to be declared again in plat/arm/common/arm_pm.c.
The duplication was not compliant with MISRA rule 8.5.
Change-Id: Icc42547cc025023226b1078a7ec4f06d093364b7
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
These directives are only used when stabs debugging information
is used, but we use ELF which uses DWARF debugging information.
Clang assembler doesn't support these directives, and removing
them makes the code more compatible with clang.
Change-Id: I2803f22ebd24c0fe248e04ef1b17de9cec5f89c4
Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
Clang linker doesn't support NEXT. As we are not using the MEMORY command
to define discontinuous memory for the output file in any of the linker
scripts, ALIGN and NEXT are equivalent.
Change-Id: I867ffb9c9a76d4e81c9ca7998280b2edf10efea0
Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
Rule 8.4: A compatible declaration shall be visible when
an object or function with external linkage is defined
Fixed for:
make DEBUG=1 PLAT=juno SPD=tspd CSS_USE_SCMI_SDS_DRIVER=1 all
Change-Id: Id732c8df12ef3e20903c41b7ab9a9b55341d68ac
Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
Rule 8.3: All declarations of an object or function shall
use the same names and type qualifiers.
Fixed for:
make DEBUG=1 PLAT=juno SPD=tspd CSS_USE_SCMI_SDS_DRIVER=1 all
Change-Id: Id9dcc6238b39fac6046abc28141e3ef5e7aa998d
Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
Rule 8.4: A compatible declaration shall be visible when
an object or function with external linkage is defined
Fixed for:
make DEBUG=1 PLAT=juno ARCH=aarch32 AARCH32_SP=sp_min RESET_TO_SP_MIN=1 JUNO_AARCH32_EL3_RUNTIME=1 bl32
Change-Id: I3ac25096b55774689112ae37bdf1222f9a9ecffb
Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
Rule 8.3: All declarations of an object or function shall
use the same names and type qualifiers.
Fixed for:
make DEBUG=1 PLAT=juno ARCH=aarch32 AARCH32_SP=sp_min RESET_TO_SP_MIN=1 JUNO_AARCH32_EL3_RUNTIME=1 bl32
Change-Id: Ia34f5155e1cdb67161191f69e8d1248cbaa39e1a
Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
This patch adds experimental support for TRUSTED_BOARD_BOOT to the
Hikey. This is adapted from the RPi3 and QEMU implementations.
Since the Hikey starts from BL2 the TRUSTED_BOARD_BOOT ROT begins there
too. When TRUSTED_BOARD_BOOT is defined, the BL1 build is skipped.
See the following example:
make \
PLAT=hikey \
BL33=u-boot.bin \
SCP_BL2=mcuimage.bin \
TRUSTED_BOARD_BOOT=1 \
MBEDTLS_DIR=../../mbedtls \
GENERATE_COT=1 \
all fip
Signed-off-by: Teddy Reed <teddy.reed@gmail.com>
This patch adds support for TBB to rpi3. The ROTPK is generated at build
time and is included into BL1/BL2. The key and content certificates are
read over semihosting.
Tested-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Signed-off-by: Ying-Chun Liu (PaulLiu) <paul.liu@linaro.org>
The H6 is Allwinner's most recent SoC. It shares most peripherals with the
other ARMv8 Allwinner SoCs (A64/H5), but has a completely different memory
map.
Introduce a separate platform target, which includes a different header
file to cater for the address differences. Also add the new build target
to the documentation.
The new ATF platform name is "sun50i_h6".
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
To wake a core from wfi interrupts must be enabled, in some cases they
may not be and so we can lock up here. Unconditionally enable interrupts
before wfi and then restore interrupt state.
Signed-off-by: Andrew F. Davis <afd@ti.com>
Actions may need to be taken by the last core when all clusters
have been shutdown. Add a top level root domain node to coordinate
this between clusters.
Signed-off-by: Andrew F. Davis <afd@ti.com>
So far we already support booting on two different SoCs, and we will
shortly add a third, so add some code to determine the current SoC type.
This can be later used to runtime detect certain properties.
Also print the SoC name to the console, to give valuable debug information.
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
There is nothing we need from the BootROM area, so we also don't need
to map it in EL3.
Remove the mapping and reduce the number of MMAP regions by one.
Reported-by: Samuel Holland <samuel@sholland.org>
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
The DRAM controller supports up to 4GB of DRAM, and there are actually
boards out there where we can use at least 3GB of this.
Relax the PSCI entry point check, to be not restricted to 2GB of DRAM.
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
The "#ifdef SUNXI_SPC_BASE" guard was meant to allow the build on SoCs
without a Secure Peripherals Controller, so that we skip that part of
the security setup. But in the current position this will trigger a
warning about an unused variable.
Simply move the guard one line up to cover the variable as well.
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
The "INFO" output in sunxi_cpu_ops.c is quite verbose, so make this more
obvious by changing the log level to "VERBOSE" and so avoiding it to
be printed in a normal (even debug) build.
Reported-by: Samuel Holland <samuel@sholland.org>
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
The relative VER_REG *offset* is the same across all known SoCs, so we
can define this offset near it's user.
Remove it from the memory map.
Reported-by: Samuel Holland <samuel@sholland.org>
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
Some code in sunxi_common.c requires symbols defined in sunxi_private.h,
so add the header to that file.
It was included via another header before, but let's make this explicit.
Reported-by: Samuel Holland <samuel@sholland.org>
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
This patch is an attempt to run Trusted OS (OP-TEE OS being one of them) along
side BL31 image.
ATF supports multiple SPD's that can take dispatcher name (opteed for OP-TEE OS)
as an input using the 'SPD=<dispatcher name>' option during bl31 build.
Signed-off-by: Amit Singh Tomar <amittomer25@gmail.com>
Having an active stack while enabling MMU has shown coherency problems.
This patch builds on top of translation library changes that introduces
MMU-enabling without using stacks.
Previously, with HW_ASSISTED_COHERENCY, data caches were disabled while
enabling MMU only because of active stack. Now that we can enable MMU
without using stack, we can enable both MMU and data caches at the same
time.
NOTE: Since this feature depends on using translation table library v2,
disallow using translation table library v1 with HW_ASSISTED_COHERENCY.
FixesARM-software/tf-issues#566
Change-Id: Ie55aba0c23ee9c5109eb3454cb8fa45d74f8bbb2
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
Currenly the CNTFRQ register and system timer is initialized in BL31 for
use by the normal world. During firmware update, the NS-BL1 or NS-BL2U
may need to access the system timer. Hence this patch duplicates the
CNTFRQ and system timer initialization in BL1 as well.
Signed-off-by: Soby Mathew <soby.mathew@arm.com>
Change-Id: I1ede78b4ae64080fb418cb93f3e48b26d7b724dc
Set the ability to dynamically disable Trusted Boot Board
authentication to be off by default
Change-Id: Ibd2aa179179f7d9b0e7731c6e450f200a8c67529
Signed-off-by: Daniel Boulby <daniel.boulby@arm.com>
In the case of the platform max power level being less than the system
power level, make sure to not overrun the array of power states.
This fixes Coverity Scan OVERRUN defect CID 267021.
Change-Id: I52646ab9be2fceeb5c331b5dad7a6267991f4197
Signed-off-by: Nariman Poushin <nariman.poushin@linaro.org>
This is to fix a number of Coverity Scan DEADCODE defects, CID numbers
listed below, as reported from
https://scan.coverity.com/projects/arm-software-arm-trusted-firmware
CID 267023
CID 267022
CID 267020
Change-Id: I2963a799b210149e84ccab5c5b9082267ddfe337
Signed-off-by: Nariman Poushin <nariman.poushin@linaro.org>
This patch is an attempt to run Trusted OS (OP-TEE OS being one of them) along
side BL31 image.
ATF supports multiple SPD's that can take dispatcher name (opteed for OP-TEE OS)
as an input using the 'SPD=<dispatcher name>' option during bl31 build.
Signed-off-by: Amit Singh Tomar <amittomer25@gmail.com>
The file arm_ras.c intended to provide common platform-specific RAS
configuration for Arm platforms. Because this file has symbol
definitions, it's proving difficult to provide a common definition.
This patch therefore renames and makes the file specific to FVP. Other
platforms shall provide their own configuration in similar fashion.
Change-Id: I766fd238946e3e49cdb659680e1b45f41b237901
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
Add Makefile and plaform definations file.
My thanks to Daniel Thompson and Ard Biesheuvel for the bits and pieces
I've taken from their earlier work regarding build and deploy steps for
Developerbox based on Synquacer SoCs. They deserve much of the credit
for this work although, since I assembled and tested things, any blame
is probably mine.
Signed-off-by: Sumit Garg <sumit.garg@linaro.org>
Tested-by: Daniel Thompson <daniel.thompson@linaro.org>
Tested-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
PSCI framework uses SCPI driver to communicate to SCP firmware for
various power management operations. Following PSCI operations are
supported:
- CPU ON
- CPU OFF
- CPU STANDBY
- SYSTEM RESET
- SYSTEM OFF
Signed-off-by: Masahisa Kojima <masahisa.kojima@linaro.org>
Signed-off-by: Sumit Garg <sumit.garg@linaro.org>
Retrieve DRAM info from SCP firmware using SCPI driver. Board supports
multiple DRAM slots so its required to fetch DRAM info from SCP firmware
and pass this info to UEFI via non-secure SRAM.
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Sumit Garg <sumit.garg@linaro.org>
Add System Control and Power Interface (SCPI) driver which provides APIs
for PSCI framework to work. SCPI driver uses MHU driver APIs to communicate
with SCP firmware for various system control and power operations.
Signed-off-by: Sumit Garg <sumit.garg@linaro.org>
Add Message Handling Unit (MHU) driver used to communicate among
Application Processors (AP) and System Control Processor (SCP).
Signed-off-by: Sumit Garg <sumit.garg@linaro.org>
BL31 runs from SRAM which is a non-coherent memory on synquacer. So
enable MMU with SRAM memory marked as Non-Cacheable and mark page tables
kept on SRAM as Non-Cacheable via XLAT_TABLE_NC flag. Also add page tables
for Device address space.
Signed-off-by: Sumit Garg <sumit.garg@linaro.org>
These functions describe the layout of the cores and clusters in order
to support the PSCI framework.
Signed-off-by: Sumit Garg <sumit.garg@linaro.org>
As this platform supports direct entry to BL31 and no BL2, so
populate BL32 and BL33 entrypoints with static memory load info.
Signed-off-by: Sumit Garg <sumit.garg@linaro.org>