This change implements SCMI channels for reading an SCMI message from
shared memory and calling the SCMI message drivers to route the message
to the target platform services.
SMT refers to the shared memory management protocol which is used
to get/put message/response in shared memory. SMT is a 28-byte header
stating shared memory state and exchanged protocol data.
The processing entry for an SCMI message can be a secure interrupt
or fastcall SMCCC invocation.
SMT description in this implementation is based on the OP-TEE
project [1] itself based on the SCP-firmware implementation [2].
Link: [1] a58c4d706d
Link: [2] https://github.com/ARM-software/SCP-firmware.git
Change-Id: I416c7dab5c67954c6fe80bae8d8cdfdcda66873e
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Adds SCMI reset domain protocol support in the SCMI message drivers
as defined in SCMI specification v2.0 [1]. Not all the messages
defined in the specification are supported.
scmi_msg_get_rd_handler() sanitizes the message_id value
against any speculative use of reset domain ID as an index since by
SCMI specification, IDs are indices.
This implementation is based on the OP-TEE project implementation [2]
itself based on the SCP-firmware implementation [3] of the SCMI
protocol server side.
Link: [1] http://infocenter.arm.com/help/topic/com.arm.doc.den0056a/DEN0056A_System_Control_and_Management_Interface.pdf
Link: [2] 56a1f10ed9
Link: [3] https://github.com/ARM-software/SCP-firmware.git
Change-Id: If7cf13de40a815dedb40dcd5af8b6bb6725d9078
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Adds SCMI clock protocol support in the SCMI message drivers as
defined in SCMI specification v2.0 [1] for clock protocol messages.
Platform can provide one of the plat_scmi_clock_*() handlers for the
supported operations set/get state/rate and others.
scmi_msg_get_clock_handler() sanitizes the message_id value
against any speculative use of clock ID as an index since by
SCMI specification, IDs are indices.
This implementation is based on the OP-TEE project implementation [2]
itself based on the SCP-firmware implementation [3] of the SCMI
protocol server side.
Link: [1] http://infocenter.arm.com/help/topic/com.arm.doc.den0056a/DEN0056A_System_Control_and_Management_Interface.pdf
Link: [2] a7a9e3ba71
Link: [3] https://github.com/ARM-software/SCP-firmware.git
Change-Id: Ib56e096512042d4f7b9563d1e4181554eb8ed02c
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
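
The handler lookup hardening that the reset domain and clock commit messages above describe, shown as an added example that is not code from TF-A or from these commits. The message type, handler names, return values and the branchless mask are assumptions made for illustration.

```c
#include <limits.h>
#include <stddef.h>

/* Hypothetical message and handler types, not the TF-A definitions. */
struct msg { unsigned int message_id; unsigned int domain_id; };
typedef int (*handler_t)(const struct msg *m);

static int h_version(const struct msg *m)    { (void)m; return 100; }
static int h_attributes(const struct msg *m) { (void)m; return 101; }
static int h_reset(const struct msg *m)      { return 200 + (int)m->domain_id; }

/* Table indexed directly by message_id: the ID is the array index. */
static const handler_t handler_table[] = { h_version, h_attributes, h_reset };
#define TABLE_SIZE (sizeof(handler_table) / sizeof(handler_table[0]))

/*
 * All-ones when idx < size, zero otherwise, computed without a branch.
 * Valid for idx and size up to LONG_MAX; assumes arithmetic right shift
 * of negative signed values, which GCC and Clang provide.
 */
static unsigned long index_mask(unsigned long idx, unsigned long size)
{
	return (unsigned long)(~(long)(idx | (size - 1UL - idx)) >>
			       (sizeof(long) * CHAR_BIT - 1));
}

/* Returns NULL for an unknown ID and never reads outside the table. */
handler_t get_handler(const struct msg *m)
{
	unsigned long id = m->message_id;

	if (id >= TABLE_SIZE)
		return NULL;
	/* If the bounds check is mispredicted, the mask forces id to 0. */
	id &= index_mask(id, TABLE_SIZE);
	return handler_table[id];
}

int dispatch(const struct msg *m)
{
	handler_t h = get_handler(m);

	return h ? h(m) : -1; /* -1: hypothetical "not supported" status */
}
```
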
This change introduces drivers to allow a platform to create a basic
SCMI service and register handlers for client request (SCMI agent) on
system resources. This is the first piece of the drivers: an entry
function, the SCMI base protocol support and helpers for creating
the response message.
With this change, scmi_process_message() is the entry function to
process an incoming SCMI message. The function expects the message
is already copied from shared memory into secure memory. The message
structure stores message reference and output buffer reference where
response message shall be stored.
scmi_process_message() calls the SCMI protocol driver according to
the protocol ID in the message. The SCMI protocol driver will call
defined platform handlers according to the message content.
This change introduces only the SCMI base protocol as defined in
SCMI specification v2.0 [1]. Not all the messages defined
in the specification are supported.
The SCMI message implementation is derived from the OP-TEE project [2]
itself based on the SCP-firmware implementation [3] of the SCMI protocol
server side.
Link: [1] http://infocenter.arm.com/help/topic/com.arm.doc.den0056a/DEN0056A_System_Control_and_Management_Interface.pdf
Link: [2] ae8c806809
Link: [3] https://github.com/ARM-software/SCP-firmware/tree/v2.6.0
Change-Id: I639c4154a39fca60606264baf8d32452641f45e9
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
With sha 44f1aa8, support for Silicon Provider(SiP) owned Secure
Partition(SP) was added for dualroot CoT. This patch extends this
support for tbbr CoT.
Earlier tbbr CoT for SPs was left to avoid adding new image types in
TBBR which could possibly be seen as deviation from specification.
But with further discussions it is understood that TBBR is a
*minimal* set of requirements that can be extended as long as we don't
violate any of the musts, which is the case with adding SP support.
Signed-off-by: Manish Pandey <manish.pandey2@arm.com>
Change-Id: I1b9e3ebdd7d653f1fd4cc3bd910a69871b55ecbb
With sha 0792dd7, support to generate certificate for Secure
Partitions was added for dualroot CoT only; this patch extends
this support for tbbr CoT.
Signed-off-by: Manish Pandey <manish.pandey2@arm.com>
Change-Id: I451c0333536dd1cbe17861d454bdb0dc7a17c63f
The RK3368 has two clusters of 4 cores and its cluster id starts at
bit 8 of the MPIDR. To convert from the cluster id (0 or 1) to the
lowest CPU-ID in the respective cluster, we thus need to shift by 6
(i.e. shift by 8 to extract the cluster-id and multiply by 4).
This change is required to ensure the PSCI support can index the
per-cpu entry-address array correctly.
Signed-off-by: Philipp Tomsich <philipp.tomsich@theobroma-systems.com>
Signed-off-by: Heiko Stuebner <heiko.stuebner@theobroma-systems.com>
Change-Id: I64a76038f090a85a47067f09f750e96e3946e756
The Denver CPUs implement support for PMUv3 for ARMv8.1 and expect the
PMCR_EL0 to be saved in non-secure context.
This patch disables cycle counter when event counting is prohibited
immediately on entering the secure world to avoid leaking useful
information about the PMU counters. The context saving code later
saves the value of PMCR_EL0 to the non-secure world context.
Verified with 'PMU Leakage' test suite.
******************************* Summary *******************************
> Test suite 'PMU Leakage'
Passed
=================================
Tests Skipped : 2
Tests Passed : 2
Tests Failed : 0
Tests Crashed : 0
Total tests : 4
=================================
Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>
Change-Id: I3675e2b99b44ed23d86e29a5af1b496e80324875
Using the fconf framework, the Group 0 and Group 1 secure interrupt
descriptors are moved to device tree and retrieved in runtime. This
feature is enabled by the build flag SEC_INT_DESC_IN_FCONF.
Change-Id: I360c63a83286c7ecc2426cd1ff1b4746d61e633c
Signed-off-by: Madhukar Pappireddy <madhukar.pappireddy@arm.com>
The only difference between GIC-500 and GIC-600 relevant to TF-A is the
differing power management sequence.
A certain GIC implementation is detectable at runtime, for instance by
checking the IIDR register. Let's add that test before initiating the
GIC-600 specific sequence, so the code can be used on both GIC-600 and
GIC-500 chips alike, without deciding on a GIC chip at compile time.
This means that the GIC-500 "driver" is now redundant. To allow minimal
platform support, add a switch to disable GIC-600 support.
Change-Id: I17ea97d9fb05874772ebaa13e6678b4ba3415557
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
A new certificate "sip-sp-cert" has been added for Silicon Provider(SiP)
owned Secure Partitions(SP). A similar support for Platform owned SP can
be added in future. The certificate is also protected against anti-
rollback using the trusted Non-Volatile counter.
To avoid deviating from TBBR spec, support for SP CoT is only provided
in dualroot.
Secure Partition content certificate is assigned image ID 31 and SP
images follow after it.
The CoT for secure partition looks like below.
+------------------+       +-------------------+
| ROTPK/ROTPK Hash |------>| Trusted Key       |
+------------------+       | Certificate       |
                           | (Auth Image)      |
                          /+-------------------+
                         /           |
                        /            |
                       /             |
                      /              |
                     L               v
+------------------+       +-------------------+
| Trusted World    |------>| SiP owned SPs     |
| Public Key       |       | Content Cert      |
+------------------+       | (Auth Image)      |
                         / +-------------------+
                        /            |
                       /             v
+------------------+ L     +-------------------+
| SP_PKG1 Hash     |------>| SP_PKG1           |
|                  |       | (Data Image)      |
+------------------+       +-------------------+
         .                           .
         .                           .
         .                           .
+------------------+       +-------------------+
| SP_PKG8 Hash     |------>| SP_PKG8           |
|                  |       | (Data Image)      |
+------------------+       +-------------------+
Signed-off-by: Manish Pandey <manish.pandey2@arm.com>
Change-Id: Ia31546bac1327a3e0b5d37e8b99c808442d5e53f
* changes:
plat: intel: Additional instruction required to enable global timer
plat: intel: Fix CCU initialization for Agilex
plat: intel: Add FPGAINTF configuration to when configuring pinmux
plat: intel: set DRVSEL and SMPLSEL for DWMMC
plat: intel: Fix clock configuration bugs
There are additional instructions needed to enable the global timer.
This fixes the global timer initialization.
Signed-off-by: Tien Hock Loh <tien.hock.loh@intel.com>
Change-Id: Idaf2d23359aacc417e2b7d8cdf1688b5cd17ca98
The CCU initialization loop uses the wrong units; this fixes that. This
also fixes that snoop filter register set bits should be used instead of
overwriting the register.
Signed-off-by: Tien Hock Loh <tien.hock.loh@intel.com>
Change-Id: Ia15eeeae5569b00ad84120182170d353ee221b31
The size of the buffer currently used to store the FDT passed from U-Boot as
a platform parameter is not large enough to store some RK3399 device
trees. The largest RK3399 device tree currently in U-Boot (for the
Pinebook Pro) is about 70KB in size when passed to TF-A, so increase the
buffer size to 128K which gives some headroom for possibly larger FDTs
in future.
Signed-off-by: Hugh Cole-Baker <sigmaris@gmail.com>
Change-Id: I414caf20683cd47c02ee470dfa988544f3809919
FPGAINTF wasn't enabled when configuring pinmux. This fixes the issue.
Signed-off-by: Tien Hock Loh <tien.hock.loh@intel.com>
Change-Id: I5a6aacd504901b8f7327b2f4854b8a77d0c37019
DRVSEL and SMPLSEL need to be set so that it can properly go into full
speed mode. This needs to be done in EL3 as the registers are secured.
Signed-off-by: Tien Hock Loh <tien.hock.loh@intel.com>
Change-Id: Ia2f348e7742ff7b76da74d392ef1ce71e2f41677
This fixes a few issues on the Agilex clock configuration:
- Set clock manager into boot mode before configuring clock
- Fix wrong divisor used when calculating vcocalib
- PLL sync configuration should be read and then written
- Wait PLL lock after PLL sync configuration is done
- Clear interrupt bits instead of set interrupt bits after configuration
Signed-off-by: Tien Hock Loh <tien.hock.loh@intel.com>
Change-Id: I54c1dc5fe9b102e3bbc1237a92d8471173b8af70
To support secure boot of SPs, update cert tool arguments while
generating sp_gen.mk, which in turn is consumed by the build system.
Signed-off-by: Manish Pandey <manish.pandey2@arm.com>
Change-Id: I2293cee9b7c684c27d387aba18e0294c701fb1cc
Add support to generate certificate "sip-sp-cert" for Secure
Partitions(SP) owned by Silicon provider(SiP).
To avoid deviation from TBBR specification the support is only added for
dualroot CoT and not for TBBR CoT.
A single certificate file is generated containing hash of individual
packages. Maximum 8 secure partitions are supported.
Following new options added to cert_tool:
  --sip-sp-cert --> SiP owned Secure Partition Content Certificate
  --sp-pkg1     --> Secure Partition Package1 file
  --sp-pkg2
  .....
  --sp-pkg8
Trusted world key pair is used for signing.
Going forward, this feature can be extended for Platform owned
Partitions, if required.
Signed-off-by: Manish Pandey <manish.pandey2@arm.com>
Change-Id: Ia6dfbc1447cfb41b1fcbd12cf2bf7b88f409bd8d
As per "include/export/README", TF-A code should never include export
headers directly. Instead, it should include a wrapper header that
ensures the export header is included in the right manner.
"tbbr_img_def_exp.h" is directly included in TF-A code, this patch
replaces it with its wrapper header "tbbr_img_def.h".
Signed-off-by: Manish Pandey <manish.pandey2@arm.com>
Change-Id: I31c1a42e6a7bcac4c396bb17e8548567ecd8147d
Current value is 16, counting the MAP_REGION calls gets us at least 17,
so increase the max value to 20 to have a bit of a margin.
Signed-off-by: Heiko Stuebner <heiko.stuebner@theobroma-systems.com>
Change-Id: I93d0324f3d483758366e758f8f663545d365e03f
64KB was not enough to handle fdt; bl2 shows the
following error message.
"ERROR: Invalid Device Tree at 0x10000000000: error -3"
This patch increases the size to 1MB to address above error.
Signed-off-by: Masahisa Kojima <masahisa.kojima@linaro.org>
Change-Id: I0726a0cea95087175451da0dba7410acd27df808
Use ETZPC driver to configure secure aware interfaces to assign
them to non-secure world. Sp_min also configures BootROM resources
and SYSRAM to assign both to secure world only.
Define stm32mp15 SoC identifiers for the platform specific DECPROT
instances.
Change-Id: I3bec9f47b04bcba3929e4df886ddb1d5ff843089
Signed-off-by: Etienne Carriere <etienne.carriere@st.com>
Add a node for the ETZPC device so that the driver initializes during
stm32mp15* boot sequence.
Change-Id: I84bf10572e5df7b8f450163c79bcfe6956fc838f
Signed-off-by: Etienne Carriere <etienne.carriere@st.com>
ETZPC stands for Extended TrustZone Protection Controller. It is a
resource conditional access device. It is mainly based on Arm TZPC.
ST ETZPC exposes memory mapped DECPROT cells to set access permissions
to SoC peripheral interfaces as I2C, SPI, DDR controllers, and some
of the SoC internal memories.
ST ETZPC exposes memory mapped TZMA cells to set access permissions
to some SoC internal memories.
Change-Id: I47ce20ffcfb55306dab923153b71e1bcbe2a5570
Co-developed-by: Yann Gautier <yann.gautier@st.com>
Signed-off-by: Yann Gautier <yann.gautier@st.com>
Signed-off-by: Etienne Carriere <etienne.carriere@st.com>
This patch enables the stream ID for the SD/MMC
controllers via dedicated unit register. Thanks to this
change it is possible to configure properly the
IOMMU in OS and use the SD/MMC interface in a guest
Virtual Machine.
Change-Id: I99cbd2c9882eb558ba01405d3d8a3e969f06e082
Signed-off-by: Marcin Wojtas <mw@semihalf.com>
Signed-off-by: Tomasz Nowicki <tn@semihalf.com>
BL31_CACHE_DISABLE flag was introduced as a work-around
for the older SoC revisions. Since it is not relevant in the
newest versions, toggle it to be disabled by default.
One can still specify it by adding 'BL31_CACHE_DISABLE=1'
string to the build command.
Change-Id: I11b52dade3ff7f8ee643b8078c6e447c45946570
Signed-off-by: Marcin Wojtas <mw@semihalf.com>
Enhanced Counter Virtualization, ECV, is an architecture extension introduced
in ARMv8.6. This extension allows the hypervisor, at EL2, to set up
self-synchronizing views of the timers for its EL1 Guests. This patch pokes the
control register to enable this extension when booting a hypervisor at EL2.
Change-Id: I4e929ecdf400cea17eff1de5cf8704aa7e40973d
Signed-off-by: Jimmy Brisson <jimmy.brisson@arm.com>